
How to create strong passwords to ward off online hackers

Hackers are more likely to succeed if your passwords are weak. So here's how to take control of your digital security.

Hackers work to get your passwords. Don't make it easy for them.   

A Maryland woman woke up and saw something fishy on her cellphone. Nilsu Goren found someone using her Uber account for a ride in Moscow.

"I've actually never been hacked in my life. That's why I never thought it would be at this personal level," she said.

But hackers do get very personal. Just like millions of people each year, Goren's username and password were stolen by cybercriminals.


The best passwords are unique and very long, according to Ted Harrington, an executive partner at Independent Security Evaluators (ISE). The Baltimore-based cybersecurity company hacks into its clients' Internet of Things before the bad guys do.

WUSA9 spoke with Harrington before ISE launched into its annual hacking contest during DEFCON, an annual cybersecurity conference where the world's best hackers come together.

Harrington's advice is to make sure your passwords are not easy for anyone to remember, including yourself.

UNIQUE and LONG Passwords

Unique passwords mean you're NOT using the same password across all of your online accounts. So for example, your online banking, mortgage and social media accounts should each have a different password.

"Unique is important because of the way attackers work," said Harrington. Hackers are going to try using a username and password on multiple websites. So if you use only one password for everything, a hacker may be successful on multiple websites.

Very long passwords make it harder for a hacker to figure out your password. Every extra character you add to your password exponentially increases the difficulty for hackers.

"Always utilize the maximum number of characters allowed for a password," said Harrington.

If a password can have up to 20 characters, you should create one with 20 characters.

Still, it is unreasonable to expect one person to memorize and safeguard multiple, unique passwords with up to 20 characters.

So Harrington offers a piece of counterintuitive advice: "The most effective way to manage passwords is to have them NOT in your memory, but stored in some way."

Users should use an online password manager like LastPass or LogMeOnce. The password manager generates and stores unique passwords for you.

You just need to manage one unique password to access the password manager.

What if your password manager gets hacked?

Harrington offers a solution so the hackers lose.

Request the password manager to generate a password. Then, in your head, come up with an easy-to-remember word, like 'Green.' Add that word to every password generated by your password manager.

Even if the hacker gets into your password manager, the passwords would still need the last five characters that you have easily memorized.

Two-Step Authentication

Another way to "significantly" thwart an attack is to set up two-step authentication when logging into your accounts. Additional steps increase the likelihood the hacker won't be able to succeed.

"Multi-factor authentication is one of the important revolutionary advances in consumer-grade security in years," said Harrington. "I can't overstate how important and effective it is."

In a two-step authentication process, you may need to put in a website-generated PIN along with your password. The extra step will help identify you as the legitimate person to gain access to your online account.

A hacker is less likely to have both your password and access to your cellphone at the same time. So when logging on, you'll have to put in your password AND a PIN that has been sent to your cellphone.

Two-step authentication is an option you choose to turn on for each of your websites. But Harrington thinks it's a must-do.

"It so significantly narrows [the chance of] an attacker being successful. It shouldn't even be an option NOT to have it," Harrington said.
