Serving the Loop and Near North neighborhoods of downtown Chicago
Howard Tullman

Advice for a world where we are reliant on third party WiFi. We all need to do a better job at protecting our data. The penalty for not being vigilant is growing every minute.

24-Jun-18 – Any entrepreneur or road warrior hears some new horror tale about hacks, scams, and identity thefts just about every other week. These are usually credible, peer-to-peer conversations rather than media scare stories. Most recently, I’ve heard half a dozen versions of complaints and some serious instances of financial losses based on the porous and insecure nature of hotel and airport WiFi.

In fairness, these providers couldn’t make it any clearer or disclose the risks more directly on their websites. These are not the usual disclaimers buried in the Terms & Conditions.

Unfortunately, we don’t really have much in the way of connectivity choices when we’re on the road. You can carry your own hotspot or use your phone and run down your battery, but the vast majority of us aren’t going to do that. So, the trick is to figure out what you can do, realistically and practically, to protect yourself.

As we’re forced to rely more and more on third-party-provided WiFi, and it becomes increasingly ubiquitous, the scale of the security problems and the prospective losses are only going to continue to grow. And honestly, if it’s not happening to a family member or a relative, we’ve gotten so accustomed to these commonplace tales of woe (and worse) that we tend to dismiss them as the risks of the road.

In addition, I must admit that we stupidly assume – and often think smugly to ourselves – that the victims must have been lazy, sloppy, or careless, and that this kind of stuff could never happen to us. Until it does. And then, of course, it’s too late.

If you can’t control the WiFi, try to control your passwords

My humble suggestion is that now’s the time to start thinking about how to be smart about the situation before you must be sorry. My thought is simple – if you can’t control the pipes, try to control and protect your passwords.

Yes, I know that you’ve heard this lecture a million times before and yet most of us are too “busy,” too lazy, or too uninformed to invest the modest amount of time that it takes to substantially boost the odds in your favor. In this context, I’d say that being too busy is, in fact, just another word for being lazy.

There’s not much I can do to help anyone unwilling to help themselves. It would take about an hour to follow a few basic steps to improve your password protection while it can take weeks to repair and try to restore your credit and financial identity if you get hacked. You should take the time to do the math.

And, for now, I’m just going to focus on the facts of life these days and then you can decide how to proceed.

First, the guys on the other side are getting smarter, faster, and a lot nastier. They’re growing in numbers, the hacks are easier to accomplish, and they’re better equipped – especially because the tech and capital requirements to take your money are trivial.

In addition, ploys and scams are spreading and being shared across markets and even countries at a very rapid rate because of the increased communications and connections across the dark web.

Second, we suckers continue to make it easier and easier for the bad guys to break in. The most frequently used password today is still 123456. Fifth on the list is 111111 and #8 is password.

It takes most brute-force hacking programs less than a few seconds, according to a recent survey, to figure out any password of six characters or less – and more than 40 percent of all passwords today are six characters or less.

Other very popular passwords are equally infantile, including: qwerty and 123123.

And more than half of us use the same password on multiple sites, so once the hackers are in, they can move quickly from site to site.

And finally, the middlemen – hosting services, connectivity providers, social platforms, etc. – aren’t doing jack to help us help ourselves by requiring us to be smart about our personal security. They don’t care if you get ripped off if you can always get right back on their service or network with the least possible friction and in the shortest amount of time.

Every six months, some of these services make you change your password, but they don’t insist upon or enforce even the most basic complexity requirements.

Use a password manager

What should you do? The best and smartest thing to do is to use a password manager/vault, a single location for all your passwords that requires only remembering one password – hopefully one with a minimum of eight characters that include a number, letter, capital letter, and symbol.
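The kind of check a service could run at sign-up, shown here as an added example that is not part of the original column: it rejects the passwords the column names as most common, applies the eight-character, four-class rule above, and reports how many candidates an exhaustive search would have to cover. Treating "letter" as any alphabetic character and the sample passwords are assumptions made for the illustration.

```python
import string

# Passwords the column names as the most common. A production deny-list
# would be far larger (assumption: loaded from a breached-password corpus).
COMMON = {"123456", "111111", "password", "qwerty", "123123"}

def check_password(pw: str) -> list[str]:
    """Return every rule the candidate fails; an empty list means accepted."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("on the common-password list")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letter")
    if not any(c.isupper() for c in pw):
        problems.append("no capital letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no number")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    return problems

def search_space(pw: str) -> int:
    """Candidates an exhaustive search over pw's character classes must cover."""
    pool = 0
    pool += 26 if any(c.islower() for c in pw) else 0
    pool += 26 if any(c.isupper() for c in pw) else 0
    pool += 10 if any(c.isdigit() for c in pw) else 0
    pool += len(string.punctuation) if any(c in string.punctuation for c in pw) else 0
    return pool ** len(pw)

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ["123456", "qwerty", "Password", "Tr4vel-Lounge!"]:
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r:18} space={search_space(candidate):.2e}  {', '.join(verdict)}")
```

A six-digit password leaves only a million candidates to try, while the fourteen-character sample draws on a pool of 94 characters per position.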

There are several players in the space, but Keeper Security has one of the biggest user bases and is the best for my money because it provides both individual and enterprise-level solutions. More importantly, Keeper Security employs a zero-knowledge approach, which means that the site has no idea what’s in your vault or any ability to get at it.

You spend less than an hour and build an Excel spreadsheet with all your stuff – which you probably already have – and then it’s imported into your Keeper vault and the next time you visit one of your regular sites, the Keeper system will automatically supply the appropriate sign-in data.

Adopt two-factor authentication

The next best thing to do is to bite the bullet and adopt two-factor authentication. I admit, 2FA can be a pain in the butt on a plane or if you’re not connected somehow, but otherwise it’s as easy as pie. This is another simple way to deploy an additional layer of protection and just requires that you take an extra minute to enter a security code sent to your phone to confirm that it’s you trying to get into your site.

For sure, this is an essential fix for your primary social media sites because they are the connectors and links to many other sites where you use Facebook Connect or something similar for Twitter to sign into a bunch of third-party sites.

Biometric security measures such as facial recognition and fingerprint readers, which are also 2FA, are becoming more prevalent, too, but that’s a subject for a future column. Right now, a password vault and 2FA are quantum leaps in de-risking your online exposures and a very small price to pay – in terms of time and treasure – to avoid major headaches.

(Image: PxHere.) In this depiction of two-factor authentication (2FA), a user logs into an account with their usual password. An authenticator app the user has installed on his or her mobile phone generates a second, temporary password, which the user also enters.

And, if you’re like everyone else and somewhat intimidated by the length of your password list, or never heard of Excel, at least work on the top five sites you visit all the time and get those fixed and protected.

It’s a 99/1 world in terms of anyone’s web activity – we go to the same, very few, places almost all the time – so if you at least pay attention to the most important sites, you’ve got a fighting chance of dodging a bullet.

But the smart money is still on the hackers and it’s not really a question of if, it’s just a question for most of us of when. I’d rather be safe than sorry.
