Password Reuse – What is it and Why is it Important?

Cybersecurity News

A topic I always cover in security awareness training sessions is the scary term "password reuse", which means using the same password for more than one account.  Time Warner Cable was the first company to suffer a major credential compromise in 2016, with about 320,000 customer user IDs and passwords exposed.  It is unclear whether this was a breach of a Time Warner system, the result of a phishing campaign aimed at Time Warner customers, or something else.  If the credentials were harvested by phishing Time Warner customers directly, it underlines two points: why password reuse matters, and why you must check every link embedded in an email before you click it.

To check an embedded link, hover the mouse over it; a small popup (usually in the status bar at the bottom of the window) shows where the link will actually take you.  The visible text of a link can say anything, so only the destination in that popup counts, and you need to read the whole address, not just the beginning.  The first part of a link is easy to make look legitimate, but the part that decides where you end up is the domain name: the text between "https://" and the next "/", and in particular the last two labels of it, such as "example.com" (for country domains such as "example.co.uk" it is the last three).  If you receive an email claiming to come from timewarnercable.com, the link might show a lookalike domain with a letter added or dropped, such as accountverification.timewarenercable.com, or it might look like timewanercable.com.yourhacked.net/xx.html.  In the second case the familiar name is only a subdomain; the part before and after the last period in the domain name is "yourhacked.net", and that is the site you will be taken to.  A phony page that looks legitimate will be displayed, and when you log into it you hand the bad guys your user ID and password.

[Image: example of hovering the mouse over a link to determine its destination.]
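As an added example (not part of the original post), here is a small Python script that performs the same check a person does when hovering over a link: it pulls the host out of the address, works out which domain actually owns that host, and compares it with the domain the email claims to come from.  The sample links and the short list of two-part public suffixes are constructed for this example; a real tool would consult the full Public Suffix List.

```python
"""Check where an emailed link really goes.

Added example.  The suffix list and the sample links are constructed for
illustration; a production tool would use the full Public Suffix List.
"""
from urllib.parse import urlsplit
import difflib

# Small hand-picked subset of multi-label public suffixes (an assumption
# for this example; the real list has thousands of entries).
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def host_of(link: str) -> str:
    """Return the lower-cased host of a link.  Bare addresses such as
    'timewarnercable.com/x' are treated as if they started with http://.
    urlsplit() also discards a user@ prefix, so 'http://bank.com@evil.net'
    correctly yields 'evil.net'."""
    if "://" not in link:
        link = "http://" + link
    host = urlsplit(link).hostname or ""
    return host.lower().rstrip(".")


def registrable_domain(host: str) -> str:
    """The part that identifies who owns the host: the last two labels, or
    the last three when the last two are a public suffix such as co.uk."""
    labels = host.split(".")
    if len(labels) < 2:
        return host
    if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES and len(labels) >= 3:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def check_link(link: str, expected: str) -> str:
    """Classify a link against the domain the mail claims to come from.
    Returns 'ok', 'lookalike' (brand name misspelled) or 'foreign'
    (owned by some other domain entirely)."""
    host = host_of(link)
    owner = registrable_domain(host)
    expected = expected.lower()
    if owner == expected:
        return "ok"
    # The real name buried inside someone else's domain:
    # timewarnercable.com.yourhacked.net is owned by yourhacked.net.
    if expected in host:
        return "foreign"
    # Typosquat: a letter added, dropped or swapped in the brand name.
    # 0.85 is a threshold chosen for this example, not a standard value.
    if difflib.SequenceMatcher(None, owner, expected).ratio() > 0.85:
        return "lookalike"
    return "foreign"


if __name__ == "__main__":
    # Constructed sample links, including the ones discussed in the text.
    samples = [
        "https://accountverification.timewarnercable.com/login",
        "accountverification.timewarenercable.com",
        "timewanercable.com.yourhacked.net/xx.html",
        "http://timewarnercable.com@yourhacked.net/",
    ]
    for link in samples:
        print(f"{check_link(link, 'timewarnercable.com'):9s} {link}")
```

Note the fourth sample: anything before an "@" in a link is a user name, not a host, so the address still leads to yourhacked.net; the hover popup in most mail clients shows the full address, which is why reading to the end matters.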

The bad guys are always trying to steal credentials.  They know that most of us are lazy and tend to use the same passwords over and over again.  The password for your Time Warner account is likely the same one you use for your bank, online shopping and work, and attackers routinely try a stolen user ID and password pair against other popular sites to find out (a practice known as credential stuffing).  Once they have a working set of credentials, the user becomes a person of interest.  Through the information we voluntarily share on social media, it is not hard for the bad guys to learn a lot about us and use the newly acquired credentials to place fraudulent purchases or raid our bank accounts.

If you are a business owner, you should also be concerned, because employees often use the same passwords at work that they use for personal accounts, which puts the bad guys just half a step away from breaching your network.  Business owners should have a written policy, and employees should be trained, not to use personal passwords for work accounts; turning on multi-factor authentication for work logins limits the damage when a reused password does leak.

One way to manage many passwords is with a password manager.  One of the better password managers is KeePass, which can be downloaded from KeePass.info.  The official program runs on Windows; compatible apps that open the same database format exist for Mac, Android and iPhone.  A practical way to use one KeePass database on all of your devices is to keep the database file in a cloud storage service such as OneDrive, Dropbox or Box.  Many people fear that keeping all your passwords in one file and then saving that file in the cloud is dangerous, but I suggest this is a better solution than password reuse: the file is encrypted, and a copy in the cloud is only as safe as the passphrase that protects it.  So use a very strong passphrase for your KeePass file.  It should be at least 20 characters long, and you must not use it for anything else; after all, that is why you are using a password manager.  Protect the cloud account that holds the file with multi-factor authentication as well.
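As an added example, not code from the post or from the KeePass project, the following Python script generates a word-based master passphrase from a cryptographically secure random source and works out how many guesses an attacker would need.  The word list is a small constructed sample; the 7776-word figure used for the estimate is the size of a standard diceware list, and the guess rate is an assumed number for illustration.

```python
"""Generate a master passphrase for a password-manager database and estimate
how hard it is to guess.

Added example.  SAMPLE_WORDS is a short constructed list, not a real
diceware list; the guess rate in the demo is an assumption.
"""
import math
import secrets

# Constructed sample list.  Every word has at least 5 letters, so four words
# joined by '-' always reach the 20-character minimum the article recommends.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "desert", "engine", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "ladder", "marble", "needle", "orchid", "pepper",
    "quartz", "rocket", "saddle", "timber", "upward", "velvet", "walnut", "yellow",
    "zephyr", "bridge", "copper", "dragon", "falcon", "glacier", "hammer", "ivory",
]
DICEWARE_LIST_SIZE = 7776  # size of a standard diceware list (6 ** 5)


def passphrase_bits(n_words: int, list_size: int) -> float:
    """Entropy in bits of n_words drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: time to try every passphrase at the
    given guess rate."""
    return 2.0 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(n_words: int, words=SAMPLE_WORDS,
                        min_length: int = 20, sep: str = "-") -> str:
    """Draw words with secrets.choice (a CSPRNG; never random.choice for
    secrets) and redraw until the phrase meets the length minimum."""
    while True:
        phrase = sep.join(secrets.choice(words) for _ in range(n_words))
        if len(phrase) >= min_length:
            return phrase


if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print("passphrase:", phrase)
    print("entropy from this small sample list: %.1f bits"
          % passphrase_bits(4, len(SAMPLE_WORDS)))
    print("words needed for 80 bits from a diceware list:",
          words_needed(80, DICEWARE_LIST_SIZE))
    bits = passphrase_bits(6, DICEWARE_LIST_SIZE)
    # 1e10 guesses per second is an assumed rate for a well-resourced
    # offline attacker who has a copy of the database file.
    print("6 diceware words: %.1f bits, about %.0f years to exhaust at 1e10 guesses/s"
          % (bits, years_to_exhaust(bits, 1e10)))
```

The attacker model here is the one the paragraph worries about: someone who gets hold of the database file from the cloud and can guess offline.  KeePass's key derivation (AES-KDF, or Argon2 in newer database versions) makes each guess far more expensive than the assumed rate, so the estimate is pessimistic; the lesson is that a handful of randomly chosen words from a large list already puts the passphrase out of reach, while a short passphrase drawn from a tiny list (as the sample list shows) does not.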

Posted by Jack Gerbs