Even the most complicated passwords are no longer enough to protect consumers and businesses from the rising tide of online breaches and hacking, state and federal experts said Thursday during a public forum at Sacramento’s downtown public library.
The event, organized by the National Cyber Security Alliance, was part of a multi-city tour urging people to use two-step authentication and other security measures, where available, when logging in to Gmail, Facebook and many other websites that retain and store personal data.
Two-step authentication requires a user to enter a username and password, and then to register a second factor – such as a smartphone – to which a one-time PIN code is delivered to complete the log-in.
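The flow described above, as an added example that is not from the article or any of the organizations it names: a server that checks the password first, then issues a short-lived, single-use PIN over a delivery channel standing in for SMS or an authenticator app. The class and function names, the five-minute code lifetime, the three-attempt limit and the sample account are all assumptions made for this illustration.

```python
"""Added example: a two-step login (password, then a one-time PIN delivered
out of band). Not from the article; class, function and limit values are assumed."""
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300      # assumed: a delivered PIN is valid for five minutes
MAX_CODE_ATTEMPTS = 3       # assumed: discard the pending login after three bad PINs
PBKDF2_ROUNDS = 100_000


class TwoStepLogin:
    """Server side of the flow: step 1 checks the password, step 2 checks the PIN."""

    def __init__(self, deliver, clock=time.time):
        # `deliver(phone, code)` stands in for the SMS/app channel; `clock` is
        # injectable so the expiry logic can be exercised deterministically.
        self._deliver = deliver
        self._clock = clock
        self._users = {}      # username -> (salt, pbkdf2 hash, phone)
        self._pending = {}    # login token -> {"user", "code", "expires", "tries"}

    def register(self, username, password, phone):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self._users[username] = (salt, digest, phone)

    def step1_password(self, username, password):
        """Return a login token if the password is right, else None.
        The token alone grants nothing; it only permits an attempt at step 2."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, digest, phone = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, digest):
            return None
        code = f"{secrets.randbelow(10**6):06d}"   # six-digit PIN from a CSPRNG
        token = secrets.token_urlsafe(32)
        self._pending[token] = {
            "user": username,
            "code": code,
            "expires": self._clock() + CODE_TTL_SECONDS,
            "tries": 0,
        }
        self._deliver(phone, code)   # second factor: sent to the registered device
        return token

    def step2_code(self, token, code):
        """Return the username on success, else None. The PIN expires, is single
        use, and the pending login is dropped after too many wrong guesses."""
        pending = self._pending.get(token)
        if pending is None:
            return None
        if self._clock() > pending["expires"]:
            del self._pending[token]
            return None
        pending["tries"] += 1
        if not hmac.compare_digest(pending["code"].encode(), code.encode()):
            if pending["tries"] >= MAX_CODE_ATTEMPTS:
                del self._pending[token]
            return None
        del self._pending[token]    # consumed: the same PIN cannot be replayed
        return pending["user"]


def demo():
    """Walk through the flow with a captured delivery channel and a fake clock.
    The account and phone number are constructed sample data."""
    sent = []
    now = [1_700_000_000.0]
    svc = TwoStepLogin(deliver=lambda phone, code: sent.append((phone, code)),
                       clock=lambda: now[0])
    svc.register("alice", "correct horse battery staple", "+1-555-0100")

    results = {}
    results["wrong_password"] = svc.step1_password("alice", "password123")   # None
    token = svc.step1_password("alice", "correct horse battery staple")
    results["token_issued"] = token is not None
    results["code_delivered_to"] = sent[-1][0]
    real_code = sent[-1][1]
    wrong_code = "000000" if real_code != "000000" else "111111"
    results["wrong_code"] = svc.step2_code(token, wrong_code)      # None
    results["right_code"] = svc.step2_code(token, real_code)       # "alice"
    results["replayed_code"] = svc.step2_code(token, real_code)    # None, single use

    # A second login whose PIN is presented only after the TTL has elapsed.
    token2 = svc.step1_password("alice", "correct horse battery staple")
    now[0] += CODE_TTL_SECONDS + 1
    results["expired_code"] = svc.step2_code(token2, sent[-1][1])  # None
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The password hash is compared with `hmac.compare_digest` rather than `==` so a wrong guess takes the same time as a right one, and the PIN is deleted the moment it is accepted, which is what makes a code intercepted after use worthless. Real deployments would also rate-limit step 1 and bind the login token to the client session.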
"This is a powerful tool that can make a big difference in protecting big pots of our personal information. The downside is there’s a little friction – it takes a little longer," said Joanne McNabb, director of privacy education and policy for the California Attorney General’s Office.
A growing number of major websites are offering two-factor authentication. A comprehensive list of those that do and don’t is available at https://twofactorauth.org/.
The National Cyber Security Alliance recommends using a passphrase as the foundation of a strong password. Choose an easy-to-remember phrase of at least nine words, such as "the Seattle Seahawks will win the Super Bowl again." Then take the first letter of each word – preserving capitalization – and string them together into a password, substituting numbers and symbols where you can. In this example, with "again" rendered as the numeral 2, the password would be "tSSwwtSB2."
Then, since many people reuse the same password across websites, append a letter or two identifying the site it is used on. For Gmail, the password would be "tSSwwtSB2g"; for Bank of America, "tSSwwtSB2BA."
"The single most important thing you can do as an individual is to protect your email account. I’ll say it again: The single most important thing you can do is to protect your email account," said FBI special agent Wes Drone, the InfraGard coordinator in Sacramento.
If a hacker can take over your email account, Drone said, he or she can take over everything else, because today email accounts are essentially used to authenticate who we are to other online services, such as PayPal, Facebook and banking accounts. An intruder can simply use the password reset feature.
The best way to protect an email account is to use multi-factor authentication, Drone said.
Other speakers at Thursday’s event were Michele Robinson, California’s chief information security officer; Dr. Isaac Ghansah, a computer science professor at California State University Sacramento; Gary Almond of the Better Business Bureau of Northeast California; and Governor’s Office of Emergency Services Director Mark Ghilarducci.
Ghilarducci said state and federal governments are working together closely to detect and deter threats. He said stronger laws and enforcement are needed, along with more training for K-12 and university students about how best to protect their online data.
Ghilarducci reiterated that Gov. Jerry Brown will be issuing an executive order on cybersecurity guidance this year. A state cybersecurity task force has been meeting for nearly two years and is working to provide recommendations of its own.
Private sector engagement "is absolutely critical," Ghilarducci said.
"That means even that the software you buy — your security software — is as robust and capable as possible. How computers are built and how that software is integrated all has to come together so that we’re all on the same page," Ghilarducci said.