
The Alarming State of Internet Security and Passwords
Internet security is shockingly bad.
LastPass Breach
Early in 2022, hackers breached LastPass’s defenses. LastPass kept the details pretty close to the vest, but eventually announced that the attackers had succeeded in stealing the password vault. To make matters worse, it turns out that LastPass only encrypts the passwords – the remaining information is in plaintext. This includes URLs, usernames, and so forth.
Take note – this is about as close to the worst-case scenario as you can get. The passwords were encrypted using each individual’s master password, which, according to LastPass (and there is absolutely no reason to trust them), is not stored in the password vault. However, given today’s powerful computing options, it may not be long before hackers crack some or all of the encrypted contents.
Because of this unmitigated disaster, I changed all my passwords on all online accounts – roughly 400 of them. During the weeklong process, I learned some interesting – and disturbing – facts about the state of security online.
My observations about Internet Security
- An alarmingly small number of sites have implemented 2-factor authentication (2FA) of any kind. Out of the 400 sites in my sample, less than 10% provided 2FA as an option.
- Of those that have implemented 2FA, most hide the option deep within hard-to-find settings, and the methods they provide are not even close to consumer friendly.
- A few sites (fewer than I expected) still use one or more security questions to bypass password entry. Since most people answer “honestly”, the answers can often be found with a quick Google search.
- Virtually every site used email to bypass password (and 2FA) entry.
- Most sites used SMS to bypass security.
- A substantial number of sites (10% or so) restricted password length to 12, and one restricted it to 8.
- Some sites didn’t allow special characters in passwords.
- For many sites, the method to do a simple password change is obscure and difficult to find.
- A few sites supported login by emailing or texting a link. In these instances, no password was required (or even supported).
- Many sites did not include a recovery method of any kind to cover the possibility of a user losing their phone/phone number.
- Those sites that provided backup codes rarely required users to download those codes and didn’t adequately explain their purpose.
- There is no standard for 2FA. With a few exceptions, every site implemented it differently, including authenticator apps, SMS, USB keys, security keys, and biometrics (very rare).
- Out of 400 sites, fewer than 10 provided any means of deleting the account and its associated data other than contacting their support department.
Conclusions
Website security is a basic, expected function of any entity on the internet. Yet most of the sites I visited would get a failing or barely adequate grade.
EMAIL IS THE MAIN VULNERABILITY TO INTERNET SECURITY, perhaps second only to human laziness or error. If hackers compromise your email account, it’s game over.
PHONES ARE ANOTHER HUGE VULNERABILITY. Users typically (in my experience) don’t spend a lot of effort to secure their phones. Many don’t even do the minimum of requiring a PIN or thumbprint for access. If hackers compromise your phone, chances are they can gain access to most, if not all, of your online accounts.
How can Website Security be Improved?
- Strong password requirements, including special characters.
- No limits on the length of passwords.
- 2FA, allowing for several methods of authentication, including SMS, authenticator, and biometrics.
- If backup codes are provided for 2FA, require users to download them and provide instructions on their use and secure storage.
- Websites must abandon the use of security questions to bypass password entry. It’s too easy to research the answers to these questions.
Best practices for users
- Use a reputable password vault. I recommend Sticky Passwords because they store the password vault locally on your machine. There are many other options.
- Use the strongest, longest (at least 20 characters) passwords allowed by the website.
- If available, set up 2FA. Most websites include a way to download fixed codes in case you lose your phone – download those.
- Use a different password for every website.
- If possible, use a unique email address or login for every website.
- Store your 2FA backup codes and a backup of your password vault on two encrypted USB flash drives (mirror images of each other in case one goes bad). Store these in a secure location such as a bank deposit vault. Update them occasionally.
- If the website uses security questions, make up the answers instead of being factual. Store these answers in your password vault or in an encrypted spreadsheet. (Keep a copy of this on the encrypted USB flash drives mentioned above).
- Do not enter any personal data on any website beyond what you need to achieve your goals.
I’m sure I’ve forgotten or missed a few things.
What is your experience with dealing with user security on the internet?
— I am a ghostwriter and write about cybersecurity, leadership, AI/ML, AR/VR, the Metaverse, and how to use LinkedIn to promote yourself. If you like what you see and want to see more: send me a connection request or view my profile, then click Follow and the bell (🔔)!
If you need a book or articles written, or your LinkedIn profile optimized, send me a message so we can set up a time to discuss. I am also a cybersecurity technical writer and can help your business write the policies and procedures you need to improve your security and satisfy your auditors.