It’s no secret that cyberattacks can happen to any business, and we should all be suspicious of messages from unfamiliar senders appearing in our email inboxes.

Related: Deploying human sensors

But surely, we can feel confident in email communications and requests from our organization’s executives and fellow coworkers, right? The short answer: not always.

The reason is the rise in business email compromise (BEC) schemes. This type of targeted phishing or whaling (executive-level) attack tricks email recipients into believing someone they know and trust is asking them to carry out a specific financial task. Here are a few examples of how these insidious campaigns use the power of human relationships to defraud businesses via email:

Scenario 1. A CFO receives an urgent email request from the CEO asking her to pay a supplier invoice immediately. The CFO commonly carries out such tasks and arranges a wire transfer using the account information provided on the invoice. In actuality, the request is coming from a BEC fraud ring, and the payment details direct the funds to an account controlled by the attackers.

Scenario 2. An HR benefits manager receives an email from the department VP asking him to purchase gift cards for a new employee rewards program. The email specifies that the HR manager should include the codes associated with each card, which the scammer behind the scenes then sells online for cash or cryptocurrency.

Scenario 3. An accounts receivable rep receives an email from a C-Suite executive asking for the company’s most recent Aging Report. If the rep complies, the attacker now has a list of customers who owe the company money.

It tells him how much the customers owe, when the payments are due, and the terms. The attacker also has the rep’s email signature. The attacker then creates a look-alike domain and contacts each customer on the report explaining that all future payments should be sent to a new bank account.

Planned attacks

BEC is a growing concern, and attackers have taken full advantage of the upheaval the COVID-19 pandemic has caused to ramp up their efforts. These campaigns are hard to spot because the perpetrators have done their homework to make emails appear completely legitimate, from the formatting to the language, to the type of request being made.

Today’s BEC attempts aren’t the easy-to-spot, typo-laden phishing campaigns of the past. For starters, attackers leverage social engineering tactics and information gleaned from websites and social media profiles to determine employees’ working relationships and connections.

They can also include personal details in messages, so the recipient doesn’t think twice about the message or request. On top of this, internal employee-to-employee email is rarely scanned, meaning BEC-driven access can go undetected.

Fraudsters prey on the target using the killer combination of trust, authority, and urgency. Businesses large and small can be the target of a BEC campaign because at the end of the day, most of us are trusting souls ready to help others. We would never expect someone we know and work with to scam us, much less defraud our organization.

BEC attacks don’t get the media attention of ransomware incidents and records theft, but they are far more prevalent and costly overall. In its most recent BEC report, the FBI estimated such attacks cost enterprises more than $1.8 billion in annual losses during 2020, resulting from 19,369 incidents. Although it’s possible for funds to be recovered, the cost of business disruption can be significant.

Prevention is the cure

We need to put a stop to this all-too-common attack vector.

As with any type of cyberattack, prevention is the best strategy. Employee awareness training is an important first step as most people aren’t familiar with BEC attacks. Training can include simulation so employees can learn to spot phishing or whaling exploits before blindly completing requests or clicking on links.

DMARC email authentication is also helpful to prove the sender is legitimate, and two-factor authentication (or multi-factor authentication) can reduce the risk an email account is compromised. Likewise, as these scams typically seek a transfer of funds, tighter accounting controls to verify legitimacy are crucial, as are identity-based phishing defenses that can recognize BEC in its varied forms.
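The identity-based checks mentioned above can be illustrated with a small triage script. This is an added example, not code from the essay or from Agari: it scores a raw message for the indicators the scenarios describe (an executive’s display name on a foreign address, a look-alike sender domain as in Scenario 3, a mismatched Reply-To, and urgency or payment-redirection language). The organization domain, the executive directory and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data (not from the article): the defended domain and a
# directory of executives whose names an attacker is likely to impersonate.
TRUSTED_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases carrying the "trust, authority and urgency" pressure and the
# financial ask typical of BEC. Constructed word lists for this example.
URGENCY = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT = ("wire transfer", "new bank account", "updated account", "gift card", "aging report")


def normalize_domain(domain: str) -> str:
    """Collapse common character substitutions so look-alikes match the real domain."""
    d = domain.lower().strip()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(old, new)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when domain is not the trusted domain but is easily confused with it."""
    domain = domain.lower()
    if domain == trusted:
        return False
    if normalize_domain(domain) == trusted:
        return True  # e.g. exarnple.com, examp1e.com
    trusted_label, label = trusted.split(".")[0], domain.split(".")[0]
    if edit_distance(label, trusted_label) <= 1:
        return True  # one typo away, or the same name under another TLD
    return label.startswith(trusted_label)  # e.g. example-com.net, examplecorp.net


def assess(raw_message: str) -> dict:
    """Score a raw RFC 5322 message for the BEC indicators discussed above.

    Returns {"score": n, "reasons": [...]}. Any hit on the first three checks
    is worth a call-back to the purported sender through a known-good channel.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = "" if msg.is_multipart() else msg.get_payload()
    text = (msg.get("Subject", "") + " " + body).lower()
    reasons = []

    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{display}' is an executive but address is {addr}")
    if from_domain and is_lookalike(from_domain):
        reasons.append(f"sender domain {from_domain} looks like {TRUSTED_DOMAIN}")
    if "@" in reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append(f"Reply-To diverts replies to {reply_to}")
    if any(w in text for w in URGENCY):
        reasons.append("urgency language")
    if any(w in text for w in PAYMENT):
        reasons.append("payment or financial-data request")
    return {"score": len(reasons), "reasons": reasons}


# Constructed samples: the first mirrors Scenario 1 (a "CEO" wire request) sent
# from a look-alike domain; the second is ordinary internal mail.
SUSPICIOUS = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe@mail-example.net
To: cfo@example.com
Subject: Urgent supplier invoice

Please arrange a wire transfer today using the new bank account on the attached invoice.
"""

BENIGN = """From: Jane Doe <jane.doe@example.com>
To: cfo@example.com
Subject: Board deck

Attaching the slides for Thursday, no action needed.
"""

if __name__ == "__main__":
    for sample in (SUSPICIOUS, BENIGN):
        print(assess(sample))
```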

About the essayist: John Wilson is senior fellow, threat research, at Agari by HelpSystems. He works with businesses of all sizes to prevent financial loss from BEC campaigns and help them achieve peace of mind in a fast-changing cybersecurity landscape. 

Cyberattacks preceded Russia’s invasion of Ukraine, and these attacks continue today as the war unfolds. As the United States and other nations condemn Russia’s actions, the odds of Russian cyber actors targeting the U.S., allied countries, and businesses steadily increases.

Related: Cyber espionage is in a Golden Age

These Russian cyber actors include government organizations as well as other parties that, while not technically under government control, take their orders from the Russian military or intelligence organizations. Additionally, there are also Russian cybercrime organizations that are not state-sponsored but are allowed to operate.

Each of these organizations performs cyber operations for various reasons. The Russian government, military, and intelligence service may wish to achieve some operational effect, for example, disrupting the power grid or interfering with telecommunications infrastructure, which may be part of a larger war plan. Some Russian cyber actors may gather intelligence while others are financially motivated.

Cybercrime is big business as global losses to ransomware are projected to reach $42 billion within the next two years. The economic sanctions that many nations have put in place to influence Russia will most likely trigger an increase in the illicit business of cybercrime to help offset losses to what was legitimate trade.

Cyber attack targets

Russia isn’t the only cyber actor increasing its pace of cyber operations during this time. While the world focuses on Ukraine, other state actors have increased actions to penetrate government and private sector organizations. While you might think that these actors are interested in government and defense information, their operations prove they are interested in much more – including software development and information technology, data analytics, and logistics.

Your company’s intellectual property may be a target – and don’t think you are not just because you aren’t associated with defense contracting. Cyber actors are commonly after intellectual property or revenue.

Although there’s no one magic solution to eliminating cyberattacks and cybercrime risks, there are steps you can take to reduce the chances of becoming a victim. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has started a campaign to increase awareness of these risks to U.S. businesses called #ShieldsUp.

The efficacy of hygiene

Many of their recommendations are basic cybersecurity hygiene that require minimal effort to implement but can dramatically reduce your risk:

• Ensure all software (operating system and applications) are updated and patched. Enable auto-update features if available.

• Educate your employees on threats and risks such as phishing and malware.

• Enforce strong passwords and implement multi-factor authentication (MFA) — by educating users about using a unique password for each account and enforcing higher security for privileged accounts (administrators, root).

• Segment or isolate portions of your network that are critical to your business, process, or store sensitive information.

• Configure all IT systems with hardened profiles that only allow network services essential to your business function; harden or eliminate the use of protocols such as RDP and SMB.

Accounting for humans

While all these technical steps to reduce the risks of cyberattacks are valuable, the step that’s often overlooked or underfunded is the one that can be the most impactful – employee awareness. Implementing a culture of security and empowering employees to report suspicion of abnormal activity on information systems is key to stopping these threats early.

Not all cyberattacks take advantage of a user and result in penetration of your system. Still, the most common infection vectors are through a user – clicking a link, browsing to a page, sharing their password, or choosing a weak password. Therefore, educating your employees about the importance of security to your network is critical. Enabling employees to be your first line of defense can boost security and reduce risks.

In addition to the best practices above, it’s prudent to also have plans and procedures in place if a cyberattack is successful. These procedures will not only help get your business back up and running more quickly, but are critical to staying compliant with state or federal regulations requiring the reporting of cyber incidents. Just as businesses focus on resiliency and disaster recovery, they must also consider a cyberattack or incident that can cripple their product and/or revenue.

As the world watches the events in Ukraine, cyber incursions by hostile actors will continue across the globe. These threats will continue to plague businesses and our personal lives for the foreseeable future. Instead of falling into the trap of thinking you won’t be a target or have nothing of value for cyber attackers, take these steps to address and prepare to defend against these risks.

For more details on how to harden your IT infrastructure to ransomware attacks, consult the CISA and Multi-State Information Sharing and Analysis Center’s Ransomware Guide.

About the essayist: Don Boian is the Chief Information Security Officer at Hound Labs, Inc., which supplies ultra-sensitive, portable marijuana breathalyzer technology. He worked at the National Security Agency for 30 years on defensive and offensive cyber operations, and most recently served as CISO for a large regional bank.

APIs have become a security nightmare for SMBs and enterprises alike.

Hackers don’t discriminate based on the number of employees or the size of the IT budget. The same types of security risks impact businesses, whatever their size.

Related: Using employees as human sensors

Day in and day out, small-to-medium businesses are targeted by cyberattacks. They are often unaware of the risks they take on, which can include hacking, fraud, phishing, and more. A primary culprit of these attacks is the lack of understanding of application programming interfaces, or APIs.

SMBs and enterprises alike have been struggling with APIs as a mechanism for information security. According to Forbes, “the first half of 2018 was marked by an increase in API-related data breaches, with the 10 largest companies reporting the loss of 63 million personal records.”

These types of attacks can allow hackers to steal massive amounts of sensitive data, disrupt operations, and even take down websites. To protect against these attacks, businesses need to implement a wide range of strong API security measures such as authentication, authorization, encryption, and vulnerability scanning. The sheer number of options has a direct impact on the budget.

The fact that there are so many different APIs is the main challenge for enterprises when it comes to API security. Storing authentication credentials for the API is a significant issue. This can be compounded by certain enterprises using the Internet of Things (IoT) that don’t have good security.

Companies are realizing that they have to keep putting out fires on personal devices, leaving them vulnerable to attacks. The other issue with APIs is that once one is compromised, it’s likely that all of your accounts are affected because whoever does gain access will just use your username and password to log in to other sites, apps, etc.

The threat that API security breaches pose to enterprises should not be taken lightly. A breach should always trigger a comprehensive crisis communication plan involving the board, C-suite, and other stakeholders. This communication plan should specify how governing bodies will stay informed should there be a data breach as well as.

As you can see, handling API security is a tedious, not to mention expensive, operation, even for enterprises. But big-budget enterprises can mitigate such breaches, while SMBs can barely spare a budget for them, thus making them an easy target for similar attacks.

For the most part, SMBs believe that they’re small targets and are unlikely to be attacked, but that’s really not true. We see high numbers of attacks against SMBs. Hackers aren’t looking for buckets of cash.

SMBs tend to be the target of common criminals. In some cases, they’ll start with a specific target in mind and work their way up to attempting to breach that specific target, but in other cases, it’s very opportunistic. It’s really about finding the easiest target to penetrate, the low-hanging fruit.

However, in recent years, we can see that SMBs are increasingly using cloud-based services to manage many areas of their information technology. These services used to be enterprise-only solutions.

At the same time, the same goes for cybersecurity: SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), and penetration testers that help organizations identify and resolve security vulnerabilities, which used to be solutions aimed at enterprises, are now readily available to SMBs as well.

However, solutions such as BLST (Business Logic Security Testing) that provide automatic penetration testing at a budget price are increasingly used. These are tools that can continuously scan APIs; security vulnerabilities can be accurately identified and located, allowing development and security teams to detect and remediate vulnerabilities more quickly.

In conclusion, SMBs are at a disadvantage when it comes to API security because they often don’t have the same level of security resources as larger, enterprise-size businesses. Hackers know this and often target SMBs because they’re an easy target. However, nowadays, solutions that were commonly used by enterprises are more commonly used by SMBs, and the price is reasonable.

About the essayist: Nathan Sitbon is a penetration tester at BLST Security, which supplies technology that finds broken logic in your API and maps it, with an easy-to-use and integrated platform.

Log4j is the latest, greatest vulnerability to demonstrate just how tenuous the security of modern networks has become.

Log4j, aka Log4Shell, blasted a surgical light on the multiplying tiers of attack vectors arising from enterprises’ deepening reliance on open-source software.

Related: The exposures created by API proliferation

This is all part of corporations plunging into the near future: migration to cloud-based IT infrastructure is in high gear, complexity is mushrooming and fear of falling behind is keeping the competitive heat on. In this heady environment, open-source networking components like Log4j spell opportunity for threat actors. It’s notable that open-source software vulnerabilities comprise just one of several paths ripe for malicious manipulation.

By no means has the cybersecurity community been blind to the complex security challenges spinning out of digital transformation. A methodical drive has been underway for at least the past decade to effect a transition to a new network security paradigm – one less rooted in the past and better suited for what’s coming next.

Log4j bathes light on a couple of solidifying developments. It reinforces the notion that a new portfolio of cloud-centric security frameworks must take hold, the sooner the better. What’s more, it will likely take a blend of legacy security technologies – in advanced iterations – combined with a new class of smart security tools to cut through the complexities of defending contemporary business networks.

I’ve recently had several deep-dive discussions with cybersecurity experts at Juniper Networks, about this. The Sunnyvale, Calif.-based networking systems supplier, like any number of other established tech giants, as well as innumerable cybersecurity startups, is deeply vested in seeing this transition through to the end. Here are key takeaways:

Messy co-dependencies

It’s ironic that open-source software is steeped in altruism. In the early days of the Internet, coders created new programs for the sake of writing good code, then made it available for anyone to use and extend, license free. However, once the commercial Internet took hold, developers began leveraging open-source components far and wide in proprietary systems.

Open-source vulnerabilities in enterprise networks have since become a massive security blind spot. Log4j was preceded by JBoss, Poodle, Shellshock and Heartbleed. These were all obscure open-source components that, over time, became deeply embedded in enterprise systems across the breadth of the Internet, only to have a gaping vulnerability discovered in them late in the game.

Log4j, for instance, is a ubiquitous logging library. Its rather mundane function is to record events in a log for a system administrator to review and act upon, later. Log4Shell now refers to the family of vulnerabilities — and related exploits — unearthed last December by a white hat researcher at Alibaba, the Chinese equivalent of Google. Left unpatched, Log4Shell vulnerabilities present easy paths for a threat actor to take full control of the underlying system.

The bigger picture, says Mike Spanbauer, security evangelist at Juniper Networks, is that enterprises to this day continue to deploy open-source components often without consistent rigor, lacking the formal infusion of security quality assurance coding practices. Gaping security holes regularly get discovered by hackers – both white hat and black hat – engaged in probing randomly for soft spots.

Expediency and cost savings drove commercial adoption of open-source components in the early days of the commercial Internet. And the very same mindset persists today, perhaps even more so, as companies increasingly rely on open-source software to keep pace, observes Kate Adam, Juniper Network’s senior director of security product marketing.

“This is an established practice that’s now influencing in a new way due to how the business environment has shifted,” Adam says. The intensely competitive cybersecurity talent market is partly to blame here. Companies increasingly reach for off-the-shelf open-source components, Adam says, to some degree because of the scarcity of skilled coders, especially those steeped in security.

“Some enterprises never use anything open-source and always do everything themselves, but that’s a massive undertaking, and they’re in a tiny minority,” she says. Indeed, according to the Linux Foundation, as much as 80 percent of the code in current applications is open source, often buried deep.

Log4Shell illuminated the security snarls and tangles created by software co-dependencies that, in many organizations, have congealed into a chaotic, indecipherable mess. Here’s how Spanbauer describes what this looks like — from the perspective of an enterprise’s IT and security teams.

“How a given open-source library works in a specific app can be a mystery because arbitrary parties contributed pieces of coding that may or may not have been documented,” he says. “This makes for very flexible, very agile code, but there is also an absence of the data that you need for your security models — to determine how to best protect the assets you’re responsible for . . . This is the current state of affairs for practically every organization, almost without exception. And these types of co-dependencies are here to stay. They’re now the norm and security teams must assess and manage the risk of these stacks.”

Legacy tech’s role

Log4Shell actually contributes to progress in this sense: it heightens awareness, which should help accelerate the transition to a much-needed new security paradigm. Many more Gordian-knot issues need to be dealt with, to be sure. Complex and evolving cyber risks need to be resolved, for instance, when it comes to securing human and machine identities, tightening supply chains, mitigating third-party risks, protecting critical infrastructure and preserving individuals’ privacy.

Emerging frameworks, like Zero Trust Network Access (ZTNA), Cloud Workload Protection Platform (CWPP), Cloud Security Posture Management (CSPM) and Secure Access Service Edge (SASE), aim to help mitigate this spectrum of intensifying risks. Frameworks like these serve as guideposts. The task at hand is to steer the center of gravity for securing networks to the Internet edge, where cloud-centric resources and services increasingly reside.

This trend is well underway, and the handwriting is on the wall for many costly cybersecurity tools and services that were first installed 20 years ago to protect on-premises data centers: obsolescence is on the near horizon. That said, a couple of prominent legacy technologies seem sure to endure as security cornerstones, moving forward. I’m referring to Security Information and Event Management (SIEM) systems and to firewalls.

SIEMs failed to live up to their hype in the decade after they were first introduced in 2005. Then about five years ago SIEMs got recast as the ideal mechanism for ingesting event log data arriving from Internet traffic, corporate hardware, mobile and IoT devices and cloud-hosted resources — the stuff of digital transformation.

This rejuvenation of SIEMs coincided with the emergence of advanced data analytics tools that could make more effective use of SIEM event logs; system orchestration became streamlined, human behavior got factored in and incident response became automated.

As cloud-hosted processing power and data storage have gained more traction, the role of on-premises data centers has declined. Yet legacy protections for on-premises data centers continue to predominate. The unhappy result: cyber exposures — and successful network breaches — have continued to scale up.

Log4Shell is just the latest reminder that gaping security holes lie dormant everywhere, just waiting to be discovered and exploited, in both cloud and on-premises environments. Consider how ransomware has thrived in the transitional environment we’re now in, and how cyber espionage and cyber warfare have come to factor into geopolitical power struggles.

“Having the requisite technology to protect the data center and the edge actually is not enough, in and of itself,” Adam observes. “It’s now vital to be able to see the entire environment and respond to anomalies in near real time. SIEMs have become so popular because they pull everything together through logs.”

Visibility is vital

Where is this all taking us? New security frameworks, like ZTNA, CWPP, CSPM, and SASE, are the blueprints for networks where the event logs ingested by SIEMs get put to higher uses, detecting and responding to legitimate threats. This will come to fruition on smarter platforms using automated tools, including advanced firewalls.

Firewalls predate SIEMs. Firewalls arrived on day one of companies connecting their networks to the Internet. While a SIEM unit ingests incoming traffic for analysis, a firewall filters traffic flowing in and out of a network.

The earliest firewalls filtered the tiny packets of data exchanged between applications, allowing only the packets that met certain criteria to pass through. This became the basis for blacklisting traffic originating from known bad IP addresses and for restricting employees from connecting to malicious webpages.

Next Generation Firewalls (NGFW) came along in approximately the same time frame as the earliest SIEM systems. NGFWs could conduct deeper, much more detailed packet filtering and soon began taking on more advanced functionalities. NGFWs today can enforce security policies at the application, port, and protocol levels – often detecting and blocking the stealthiest malware from slipping into a network.

The evolution of firewalls, in fact, has never really slowed down and is continuing apace. Firewalls today come in an array of form factors; they’re available as an on-premises appliance, they can be set up to run virtually, or they can even be delivered as a subscription service.

“You can’t protect what you can’t see,” Spanbauer says. “Visibility is the key. Companies today, at a minimum, need a way to accurately detect potentially malicious events in a highly complex environment, one that’s only getting more complex. When it comes to visibility, a SIEM helps me see as much data as possible, and a firewall helps me to enforce policy and ensure the accuracy of my verdicts. It’s vital to eliminate any false positives, otherwise I’d just be adding to the chaos and creating more work for teams to investigate.”

SIEMs and firewalls clearly will remain at the core of bringing machine learning and leading-edge analytics to bear in the data-rich environment we’re in. “These legacy technologies are going to have a place for a very long time to come — helping companies to more effectively manage this transition and to limit the chaos as much as possible,” Adam says.

It’s logical for SIEMs and firewalls to play ever larger roles in automating detection and response tasks as part of helping enterprises cut through the complexity and calm the chaos — and materially raise the bar for network security. I’ll keep watch and keep reporting.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.

(LW provides consulting services to the vendors we cover.)

Some 96 percent of organizations — according to the recently released 2021 Cloud Native Survey — are either using or evaluating Kubernetes in their production environment, demonstrating that enthusiasm for cloud native technologies has, in the words of the report’s authors, “crossed the adoption chasm.”

Related: The targeting of supply-chain security holes

It’s easy to understand why a cloud-native approach elicits such fervor. By using flexible, modular container technologies such as Kubernetes and microservices, development teams are better equipped to streamline and accelerate the application lifecycle, which in turn enables the business to deliver on their ambitious digital transformation initiatives.

However, despite cloud-native’s promise to deliver greater speed and agility, a variety of legitimate security concerns have kept IT leaders from pushing the throttle on their cloud-native agenda.

According to the most recent State of Kubernetes Security report, more than half (55 percent) of respondents reported that they have delayed deploying Kubernetes applications into production due to security concerns (up 11 percent from the year prior) while 94 percent admitted to experiencing a security incident in their Kubernetes or container environment in the past year.

It’s clear that until we can deliver security at the same velocity in which containers are being built and deployed that many of our cloud-native aspirations will remain unfulfilled.

Cloud-native requirements

Traditionally, developers didn’t think much about application security until after deployment. However, as DevOps and modern development practices such as Continuous Integration and Continuous Delivery (CI/CD) have become the norm, we’ve come to appreciate that bolting security on after the fact can be a recipe for future application vulnerabilities.

Security must be ‘baked in’ rather than ‘brushed on’—and this current ethos has given rise to the DevSecOps movement where security plays a leading role in the DevOps process. However, it’s not enough to simply shoehorn these practices into the dynamic cloud-native development lifecycle.

Because traditional enterprise network security relies on static firewall rules that can only be updated in maintenance windows after a change approval process, securely developing and deploying applications in an automated way will not work in dynamic cloud environments where rules and policies are constantly in flux.

For this reason, most cloud environments come with built-in concepts like security groups and container service meshes that provide a way to control how different parts of an application share data with one another. While such methodologies might work well for simple applications, they lose their effectiveness as soon as you make a connection to or from various regions, clouds or technology stacks. For example, there is no interoperability between different cloud vendors’ security groups or different Kubernetes clusters.

Being cloud-native demands an approach that provides control and visibility across the entire application development lifecycle. A modern cloud-native security approach should tick the following three boxes:

• Dynamic: The ability to dynamically express and administer policies for controlling network traffic both to and from a Kubernetes pod should be considered table stakes, especially as software is being deployed across multiple cloud environments.

• Granular: Secure controls must extend to the ‘pod level’ of a container, not just the cluster level. A software-defined approach makes it easier to dispense granular access controls based on pre-defined policies that connect users to authorized functionality rather than simply at the network level.

• Unified: Slicing cloud-native security across multiple point solutions leaves you with a partial view. A unified policy engine should be omnidirectional and able to manage user-to-resource access (for both traditional and cloud-native applications) and resource-to-resource access (in cloud-native development environments).

Cloud-native Zero Trust

A Zero Trust security approach, which applies the principle of least privilege access, assumes there is no clearly defined network perimeter. Because it’s software-defined, policies can be easily applied to systems, applications and users alike.

As one of the original vendors in the Zero Trust access market, Appgate has a long history of success in helping our customers ensure secure access as they migrate more of their applications and workloads to the cloud. To support them as they grow their cloud-native development initiatives, we recently introduced new Kubernetes access control capabilities for our flagship Appgate SDP product.

By deploying Appgate SDP natively inside a Kubernetes cluster as a “sidecar”—a helper application of sorts that runs alongside an application container in a Kubernetes pod—Zero Trust principles can be universally applied throughout the cluster, while providing fine-grained, differentiated access controls on a per-pod basis, thereby delivering greater control over service-to-service access.

This effectively limits the potential attack surface and makes it more difficult for an attacker to escalate privileges in the event of a network compromise.

Organizations gain a single unified policy engine for Zero Trust access that enables them to control user-to-resource access (i.e., for remote user access) and resource-to-resource access (i.e., for containerized workloads) to streamline management and reduce complexity. This allows them to protect all users (remote, onsite and hybrid), all resources (traditional, cloud-native and legacy applications) and all environments (cloud, hybrid, multi-cloud and on-premises) with one solution.

Cloud-native application development brings enormous capacity for innovation and efficiency gains for many organizations. By embedding Zero Trust security principles into the process, we can realize the full potential of cloud-native.

About the essayist: Jawahar Sivasankaran is the President & COO of Appgate, a supplier of secure cybersecurity solutions for people, devices, and systems based on the principles of Zero Trust security.

It can be a real hassle to keep track of the passwords you use. So many people use the same combination of username and password for every account. However, this isn’t a good idea. In fact, it’s terrible.

Related: Kaseya hack exacerbates supply chain exposures

You see, these days, many data breaches can be traced back to people using the same password across multiple accounts. And once the bad guy finds his way in, especially by logging into your email, it is game over. From there, it’s easy to reset the passcode for almost all of your accounts, because the bad guy controls your email too.

All it takes is a cracker finding this password, and now every account you have is compromised. And finding that password is easier than ever. Some studies show as many as 40 billion records were compromised in 2021, and many of those records are passwords.

At ProtectNowLLC.com, we have a tool that has access to over 12 billion compromised records, where you can search your username (a.k.a. your email address) to find out if your username and associated password have been compromised on a variety of breached accounts.

Thankfully, there is an easy solution: use a password manager. I’ve had a password manager in place since 2004. At this point I probably have close to 700 different online accounts. And I might know the password for maybe five of them.

For the rest, only my password manager knows the password, which I can easily look up. I’ve never committed them to memory. Most people say, “What if the password manager gets hacked?” While this might be a valid concern, it’s not a concern of mine.

The low-hanging fruit isn’t a password manager getting hacked; it’s people reusing the same passcode across multiple accounts and those credentials being available on the dark web. But if you don’t want to use a password manager because you’re afraid the password manager is going to get hacked, you can also do the following:

Creating a Unique Password


Research shows that the best passwords are 14 characters long. Those that are shorter than that are easier to figure out. If a site doesn’t let you create a password that is 14 characters, it is possible to adapt it. Password managers do a very good job of generating long, strong, unique, complicated passcodes.

First, make a list of all of the sites you have a username and password for, and then put those sites into categories. For example, all of your sites for social media would be in a category, all of your email sites together, all of your banking sites together, and all of your shopping sites together.

Then you want to create a password that is eight characters. This will serve as the first part of any other password that you create. For example, the first eight characters might look like this:

CM&@t*yZ

Next, remember your categories? You will create a three-character password that is significant to those. For instance:

•Social media sites – SM#

•Email sites – &eM

•Shopping sites – $h0

•Banking sites – 8aN

So, this gives you 11 characters of the recommended 14-character password that you want to use. Now, you need three more characters, and that would be specific to the site. So, let’s say you are creating a password for your bank. This is made up like the following:

Eight-character + three-character password (category) + three-character (site)

So, for your bank, it would look like this:

CM&@t*yZ8aNp$X

This is a very difficult password to guess, and for many people, easier to remember. But it’s not easy for everyone to remember. There is a solution, but first, keep this in mind. When you have to change your password, you can keep the final six characters and just change the first eight.

Now, how can you remember the first part of the password? One way to do this is to simply write it down and store it in a safe place. However, don’t keep it near your computer. Another thing you can do is to create a phrase that will help you remember.

Here’s an example. Let’s say our phrase is “My brother asked me for bread and salt.” If you take the first letter for all of the words, it would be this:

MBAMFBAS

This could be your eight-character first part, and you can make it more secure by making some swaps:

M3@MFBA$

This still makes the password very difficult for a hacker to guess but makes it easier for you to remember. You can use the same method, of course, for the smaller parts of the password.
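As an added example, not code from the essay or its author, here is the three-part scheme above (eight-character base, three-character category tag, three-character site tag) and the phrase-to-base trick written out in Python, with the checks a practitioner would want: the 14-character rule is enforced, the swaps are positional so only the chosen letters change, and a helper shows how much two passwords built from the same base share, next to the kind of independent random password a manager would generate instead. All sample values (the phrase, `CM&@t*yZ`, `8aN`, `p$X`) are the essay’s own.

```python
import secrets
import string

REQUIRED_LENGTH = 14  # the essay's recommended password length

def phrase_to_base(phrase: str, swaps: dict) -> str:
    """Take the first letter of each word, upper-cased, then apply the
    essay's character swaps. swaps maps a 0-based position to its
    replacement, so only the chosen letters change (B->3, A->@, S->$
    in the essay's example), not every B, A or S in the string."""
    letters = [word[0].upper() for word in phrase.split()]
    for position, replacement in swaps.items():
        letters[position] = replacement
    return "".join(letters)

def build_password(base: str, category_tag: str, site_tag: str) -> str:
    """Assemble 8 (base) + 3 (category) + 3 (site) characters, which is
    exactly the 14-character length the essay recommends."""
    if (len(base), len(category_tag), len(site_tag)) != (8, 3, 3):
        raise ValueError("scheme expects 8 + 3 + 3 characters")
    return base + category_tag + site_tag

def shared_prefix_len(first: str, second: str) -> int:
    """Count the leading characters two passwords have in common. Two
    passwords built for sites in the same category share the first 11 of
    14 characters: that is what makes the scheme memorable, and it is the
    trade-off the essay weighs against simply using a password manager."""
    count = 0
    for left, right in zip(first, second):
        if left != right:
            break
        count += 1
    return count

def manager_style_password(length: int = REQUIRED_LENGTH) -> str:
    """What a password manager generates instead: independent characters
    from the OS CSPRNG, with no structure shared between sites."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    base = phrase_to_base("My brother asked me for bread and salt.",
                          {1: "3", 2: "@", 7: "$"})
    print(base)                                       # M3@MFBA$
    print(build_password("CM&@t*yZ", "8aN", "p$X"))   # CM&@t*yZ8aNp$X
    print(manager_style_password())
```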

Honestly, if you’ve gotten even this far in this article, congratulations to you. You must be some weird math savant with an elephant’s memory. Frankly, the above gives me a headache. Like I said in the first three paragraphs, it’s best to just use a password manager and forget all of this work, but if you don’t want to, this method works pretty well.

About the essayist: Robert Siciliano is CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

(Editor’s note: This article was originally posted on LinkedIn.)