If you live in South Africa, there's a good chance you have been a victim of theft.
We know the thief is the person in the wrong. But that doesn't mean we do nothing. We recognise the risk, and we take precautions. We lock our doors. We install burglar bars or an alarm system. Our cars have tracking devices.
Our personal information is the cyber-equivalent of our possessions. And, like our cars and our TVs, it can be stolen. We need to recognise the risk and take precautions.
Passwords are like underwear
How many passwords do you have?
You might have one or more for work. Then there is internet banking. And your private email. And social media. And every place you shop online. And SARS. And your home Wi-Fi. And your medical aid. And the site where you registered to vote, and where you paid your traffic fine. Not to mention your cell phone PIN. And your bank card PIN.
We all know our passwords must be strong and, like our underwear, kept private and never shared. The old advice was to change them often as well; current guidance (the NCSC's, among others) is to change a password when you have reason to think it has been exposed, for example after a breach, rather than on a schedule. Some systems still remind us to change our passwords. But what about the rest?
You've (almost certainly) been pwned
If you've never heard the word "pwned" before, it's got nothing to do with pawn shops (or porn shops). It is gamer slang, a misspelling of "owned", and in security it means that someone has gained unauthorised access to, or control of, your account or system.
It's likely that one of your passwords has been exposed during a data breach. The list of breaches is long, and on the rise. LinkedIn, Yahoo and Facebook have all had breaches.
And there have been plenty of breaches in South Africa. In 2017, the Master Deeds database exposed millions of records, including ID numbers. In 2018, the ViewFines breach exposed the records of 934,000 SA drivers. A few weeks later, Liberty Life had a huge breach. And in August 2020, the Experian data breach risked the personal information of 24 million South Africans.
You can check if your details have been exposed at Troy Hunt's website: haveibeenpwned.com.
Your brain is a very bad password manager
That is a direct quote from one of Troy Hunt's blog posts. And it's true. The only way you can remember your passwords is if they are short, meaningful and few. Short and meaningful means guessable, and few means reused across sites, so one breach unlocks the rest. Which, by definition, means they are not strong.
Let's be honest: password management is work.
Try a real password manager
A password manager is a program where you store details of your logins and passwords. It keeps them in a vault encrypted with a key derived from one master password. You only need to remember that one password, to open the password manager, so make it long: the whole vault is only as strong as it is.
A good password manager generates strong passwords for you. It can check if any of your passwords have been pwned. Most password managers have mobile and desktop versions, so you can sync across your devices.
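The two features mentioned above, generating a strong password and checking a password against Troy Hunt's haveibeenpwned.com, are worth seeing in code. The following is an added example, not code from the original post or from any password manager. It assumes the Pwned Passwords range API's documented behaviour: the client sends only the first five hex characters of the password's SHA-1 hash, the service returns every known-breached hash suffix with that prefix as "SUFFIX:COUNT" lines, and the client finishes the comparison locally, so the password itself never leaves your machine. The SAMPLE_RANGE response and its counts are constructed for this example.

```python
"""Added example: password generation plus a k-anonymity breach check.

Assumptions (not from the original post): the Pwned Passwords range API at
https://api.pwnedpasswords.com/range/<prefix> returns "SUFFIX:COUNT" lines
for the 5-character SHA-1 prefix it is given.  SAMPLE_RANGE below is a
constructed stand-in for such a response; the counts are made up.
"""
from __future__ import annotations

import hashlib
import math
import secrets
import string

# Constructed sample response for prefix "5BAA6".  Two suffixes are
# invented; the third is the real SHA-1 suffix of the word "password".
SAMPLE_RANGE = """0123456789ABCDEF0123456789ABCDEF012:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix).

    Only the 5-character prefix is ever sent to the service.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn "SUFFIX:COUNT" lines (CRLF or LF) into a suffix -> count map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appeared in known breaches (0 = not seen).

    The comparison happens locally against the range the service returned.
    """
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Fetch a real range from the API.  The only network call in this
    file; it is not invoked by the example run below."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# A manager-style generator: draw from a 94-symbol alphabet with the
# cryptographic RNG, never random.choice().
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search space of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("prefix sent to the service:", prefix)
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE))
    fresh = generate_password()
    print("generated:", fresh, f"({entropy_bits(len(fresh)):.0f} bits)")
    print("generated seen in breaches:", breach_count(fresh, SAMPLE_RANGE))
```

To check against the live service, replace SAMPLE_RANGE with `fetch_range(prefix)`; the privacy property is the same, since only the prefix is transmitted. Note that the HIBP check answers "has this exact password leaked", not "is this password strong": a never-leaked 8-character word is still weak.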
Somebody will always argue about the risks of a password manager (it puts everything in one place). But that risk is much smaller than the risk you run when you reuse weak passwords on dozens of sites. The UK's National Cyber Security Centre (NCSC) recommends using one.
The title of Troy Hunt's blog post sums it up: Password managers don't have to be perfect, they just have to be better than not having one. Do yourself a favour: read the article. He also offers an interesting perspective on a non-tech solution: a password logbook.
There are plenty of good free password managers. It only takes a few minutes to download and install one.
Unfortunately, you still have to do the work. At first, I only used a password manager to store my passwords. I still often chose passwords that I could remember. Then I had to change all my passwords after one was pwned, and that took a lot of time.
It's not just the hacker
It's easy to blame the hacker. Sometimes it's easy to blame the user. But developers also have an important responsibility. They need to make sure that their code has strong burglar bars and a working alarm system. So keep an eye open, because in the future we will offer a series of emails about web application security.