Secure your employees' lives
I have been delivering some security architecture work and programme security to a client on a sensitive programme. Recently I was chatting to some members of the team and realised that some of them might appreciate help with securing their personal digital lives. As this was a potential attack vector into the programme, I saw it as a way of helping me by helping them. This was all given as advice for their personal lives, and none of it was mandatory. It was given with the health warning that it was not to encourage the team to use home computers for business (which was against policy for obvious reasons).
The key messages are don't reuse passwords and use strong passwords.
A good place to go if you want to hack someone's e-mails is haveibeenpwned. Troy Hunt runs this service by gathering all the data breaches ever released and making them searchable for users to check. Here you can see if your email address and password have been released as part of a data breach, and for free Troy will monitor your email address and tell you if it is ever breached. An attacker will find the breach, download it, look up your email address and try the password. They will also try minor variations of the password, because they know some people just change a digit or two, or add the name of the service.
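The way haveibeenpwned lets you check a password without sending it is a k-anonymity range lookup: you hash the password with SHA-1, send only the first five hex characters, and get back every hash suffix in that range with a breach count, so the match is made on your side. The block below is an added example, not code from the original post or from haveibeenpwned; the network step is replaced by a constructed sample response (the count of 999 is made up) so it runs offline, and the `fetch_range_live` function shows the shape of the real request without being called here.

```python
"""Check a password against a Pwned Passwords style range response without
revealing the password (k-anonymity lookup, as haveibeenpwned does it).

Added example; not code from the original post or from haveibeenpwned.
"""
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of the upper-case SHA-1.

    Only the 5-char prefix ever leaves the machine; the suffix is matched locally.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, the format the range endpoint returns."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found).

    `fetch_range` is a callable taking the 5-char prefix and returning the
    response body, so a live fetcher or an offline stand-in can be swapped in.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real request shape (not executed in this example): GET the range by prefix."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the range response. The middle line is the
# genuine SHA-1 suffix of the string "password"; the count and the other two
# suffixes are made up for the example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "00000CC2F1A7A9B4BCE4C5E9A0E2C7A0D6E:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:999",
        "FFFFF0E7C7B4A1D2E3F4A5B6C7D8E9F0A1B:1",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range_live using the constructed sample."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times in the (sample) breach corpus")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; a non-zero count means the password is already in attackers' wordlists and should not be used anywhere, let alone reused.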
But I have so many accounts to remember
I recommend the use of a password manager for all your passwords. This way you can use a different password for every service. There are three real options here.
1. Write them down in a notebook. This works but is the most time consuming.
2. If you are an Apple user for everything, the iOS Keychain is good. Google Chrome's password manager is less platform specific (i.e. you can have it on a Windows computer at home and on your phone). This makes life easier than carrying around a notebook which you could lose. Chrome and Keychain are a bit fiddly when you need to look up a password they cannot fill in for you automatically.
3. The easiest method is one you have to pay for: a password manager such as 1Password. Other password managers are available, some better than others. 1Password syncs across all your devices, so you can access all your passwords and enter them easily without much hassle. 1Password has also integrated with haveibeenpwned to tell you if any of your passwords have appeared online.
How do I make a secure password to secure my password manager?
XKCD have really nailed this in this cartoon (the "correct horse battery staple" one: a passphrase of four random common words is easier to remember and far harder to guess than a short password dressed up with symbol substitutions):
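The arithmetic behind the cartoon is just entropy: each word picked uniformly from a list of N words contributes log2(N) bits, so four words from a 2048-word list give 44 bits, which at 1000 guesses a second takes around 550 years to exhaust. The block below is an added example, not code from the original post or from XKCD; the 16-word list is a constructed stand-in for a real list (the EFF large wordlist has 7776 words), and the guess rate of 1000 per second is an assumption used only for the comparison.

```python
"""Passphrase entropy and generation, following the XKCD "correct horse battery
staple" idea. Added example; not code from the original post or from XKCD.
"""
import math
import secrets

SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Bits of entropy in `elements` independent uniform picks from
    `choices_per_element` possibilities (a word from a list, or a character
    from an alphabet)."""
    return elements * math.log2(choices_per_element)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every possibility at the given guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(wordlist, words: int = 4, separator: str = " ") -> str:
    """Pick `words` words with the OS CSPRNG (secrets), never random.choice,
    which is not suitable for secrets."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


# Constructed stand-in wordlist (16 entries); a real list is thousands long.
SAMPLE_WORDLIST = [
    "correct", "horse", "battery", "staple", "river", "candle", "orbit", "meadow",
    "pencil", "harbour", "velvet", "summit", "falcon", "lantern", "cobalt", "thimble",
]


def compare_schemes(guesses_per_second: float = 1000.0) -> dict[str, float]:
    """Entropy for a few schemes, so the reader can see list size matter."""
    return {
        "4 words from 2048-word list (XKCD)": entropy_bits(2048, 4),
        "5 words from 7776-word list (EFF)": entropy_bits(7776, 5),
        "8 random printable ASCII chars": entropy_bits(95, 8),
        "4 words from this 16-word sample": entropy_bits(len(SAMPLE_WORDLIST), 4),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1000):.3g} years at 1000 guesses/s")
    # Generated from the tiny sample list, so only 16 bits here; use a real list.
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDLIST))
```

The last line of the comparison is the caveat: the words must come from a large list and be chosen by a proper random source, otherwise four memorable words are no better than a short password.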
Hopefully this has been useful.