Latest KFC account breach got you feeling “deep fried”?
Matthew C.
Vice President, CISO at IAT Insurance Group, Cybersecurity Strategist, Board Advisor, Speaker
The recent attack on Kentucky Fried Chicken UK’s loyalty system is another reminder that account management remains one of the more important controls for everyday consumers of Internet-based services. In an email that may have left many customers feeling “extra-crispy”, KFC warned 1.2 million members to change their passwords.
This news comes at the same time as the results of a recent survey of password usage from ReportLinker, which revealed that “123456” and “password” remain, for the fifth year, among the top five passwords used. The survey sheds some light on a possible cause of this seeming disconnect from reality. It states, “fifty-five percent of respondents reported they feel their data is safe from hackers, even as two-thirds agree cyberattacks are more of a threat now than they were five years ago.”
With the news of account breaches becoming almost commonplace, it is a wonder why so many of us adopt a lackadaisical approach to account security. A recent study from the National Institute of Standards and Technology (NIST) suggests this most likely isn’t because of widespread apathy but rather that people may be suffering from “security fatigue”. One study participant seemed to sum up the study’s results by saying, “I get tired of remembering my username and passwords.”
I liken this to the modern-day head-in-the-sand syndrome (sticking one’s head in an Instant Messenger feed and never looking up), which is more dangerous than you might think at first, especially if you live in Ohio, which saw a 124 percent increase in pedestrian fatalities during the first half of 2015, an increase that seems to be loosely tied to more people using cell phones while walking.
But I digress.
As consumers, we have little influence over the vulnerabilities and threats of the Internet-based services that we use; however, we can limit the exposure these risks pose to other areas of our lives. Here are a few tips:
First, if you do nothing else, guard your primary email account the same way you take care of your most prized possession. Many of us have several email addresses that we use, but generally we use one as the primary one when signing up for online services. If evildoers are able to gain access to this account, then they can request password resets for any other account. Your primary email account is the gateway to all other aspects of your online identity. If possible, use two-factor authentication, where the email service accepts your standard password and then sends a text message with a special code. While the US National Institute of Standards and Technology (NIST) may be deprecating this practice because of concerns over the potential hijacking of VoIP communications, alternatives are not exactly widely available at this time.
Second, do not use the same user ID for each account. I know it’s tempting. You spent three months thinking of the perfect moniker that no one else will ever think to use. But if I know your favorite Internet handle is Cuddles4Lif3, then I know how to find you; better yet, tools like Maltego have an easier time tracing your online footprint. I know, there are plenty of services that use your email address as the login ID, the same email address that the service will then use to forward you a password reset… in these cases there is nothing that you can do. Wherever possible, try to be discreet.
Third, do not use the same password for different accounts. A study by BitDefender showed that 75 percent of people use their email password for Facebook. If an evildoer is able to gain access to one password, then they can use that password across multiple accounts (which is easier to do if all of your account IDs are Cuddles4Lif3).
Fourth, AND FOR HEAVEN’S SAKE, do not use “password” as your password. This is akin not only to leaving your front door unlocked but to dragging all your possessions out of your house, putting them on the front lawn, and posting a sign that reads “Gone on Vacation”. Passwords should be difficult to guess but easy to remember. Don’t worry about all those special characters and numbers: password strength comes from entropy (unpredictability), so combining four dissimilar words that are easy to remember but nearly impossible to guess will add the requisite length and randomness. Who can guess (or forget) a password like “Flaming bruschetta halitosis Monday”?
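To put numbers behind the entropy point above, here is an added example (not part of the original article) that computes the entropy of a word-based passphrase and of a conventional character password, and generates a passphrase with a cryptographically secure random choice. The sixteen-word list is a constructed sample; the 7,776-word size used as a reference is that of the EFF long wordlist, assumed here as a realistic list a person would actually draw from.

```python
import math
import secrets

# Constructed sample wordlist for demonstration only. A real passphrase
# generator should draw from a large published list (e.g. EFF's long
# list of 7,776 words); a sixteen-word list gives only 4 bits per word.
SAMPLE_WORDS = [
    "flaming", "bruschetta", "halitosis", "monday",
    "copper", "violin", "glacier", "pencil",
    "mustard", "harbor", "tundra", "saxophone",
    "lantern", "quilt", "walnut", "zebra",
]

# Size of the EFF long wordlist (6**5 entries, one per five dice rolls).
EFF_LONG_LIST_SIZE = 7776

# Printable ASCII alphabet size used by "complex" character passwords.
PRINTABLE_ASCII = 95


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy (bits) of a passphrase of `word_count` words, each chosen
    uniformly and independently from a list of `wordlist_size` words.

    The figure only holds when the words are picked at random. Words a
    person chooses by hand are better than 'password' but are not
    uniformly distributed, so they carry fewer bits than this returns."""
    if word_count <= 0 or wordlist_size <= 1:
        raise ValueError("need at least one word from a list of two or more")
    return word_count * math.log2(wordlist_size)


def character_password_entropy_bits(length, alphabet_size):
    """Entropy (bits) of `length` characters drawn uniformly from an
    alphabet of `alphabet_size` symbols (95 for printable ASCII)."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need at least one character from an alphabet of two or more")
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def expected_guesses(bits):
    """Average number of guesses an attacker needs against a uniformly
    random secret of `bits` bits: half the keyspace."""
    return 2 ** (bits - 1)


def generate_passphrase(word_count, wordlist=SAMPLE_WORDS, separator=" "):
    """Build a passphrase with `secrets.choice`, the CSPRNG-backed picker.
    `random.choice` is not suitable for secrets and must not be used here."""
    if word_count <= 0:
        raise ValueError("word_count must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    four_words = passphrase_entropy_bits(4, EFF_LONG_LIST_SIZE)
    eight_chars = character_password_entropy_bits(8, PRINTABLE_ASCII)
    print(f"4 random words from {EFF_LONG_LIST_SIZE}: {four_words:.1f} bits")
    print(f"8 random printable ASCII chars:    {eight_chars:.1f} bits")
    print(f"words for 80 bits: {words_needed(80, EFF_LONG_LIST_SIZE)}")
    print(f"expected guesses at {four_words:.1f} bits: {expected_guesses(four_words):.2e}")
    print("sample passphrase:", generate_passphrase(4))
```

Four random words from a 7,776-word list come out at about 51.7 bits, essentially the same as eight uniformly random printable characters (about 52.6 bits), yet far easier to remember; adding a fifth word passes 64 bits. The caveat is the one stated in the docstring: the arithmetic applies to words selected at random, so a generator (or dice) should do the picking rather than the user's imagination.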
And in closing…
Of course there are online services that will help you sort through these account management nightmares and keep track of this maze of user accounts and passwords. LastPass and RoboForm are two that tend to show up in most reviews, including a recent review by PCMag.