Cybercrime is a multibillion-dollar racket that affects corporations and individuals alike, but there are a few simple steps everyone can implement to protect against it.
"If you're a target, which honestly most companies are, then you really have to depend on taking some basic measures," says Kyle Lady, a research and development engineer with Duo Security.
Tech Insider spoke with Lady recently about how hackers infiltrate systems and what the best methods are for stopping them. Here's what he recommends.
Use passwords with at least 14 characters that can't be found in the dictionary.
The 25 worst passwords of 2015 include entries like "123456," "football," and "password," and these can all be easily guessed by an attacker. And we're not talking about a hacker typing in different passwords until they get it right; most have software that can try hundreds or thousands of passwords a minute.
So it's best to use something much stronger. "If I can find your password in a dictionary, so can an attacker," Lady says.
Lady recommends using a password with at least 14 characters (he uses at least 24) that mixes uppercase and lowercase letters, numbers, and symbols. A password like "SYd#2n3l_!p4ss" - one with no real meaning and plenty of symbols to throw off a hacker - is going to be a lot better to use. But even a phrase, like "this password security thing works," is going to be stronger than most.
"It's going to be real hard [for an attacker]," Lady said. "Someone is going to expend a lot of resources just to guess that password by trying over and over."
But there's also a problem for the user: memorizing a password full of hard-to-remember characters.
Use a password manager so you won't have to remember all of them.
A password manager like LastPass or 1Password can securely store all of your passwords, for everything from your email to your bank account, in one spot, so you don't need to remember each one. That matters because Lady recommends using a different password for each of your accounts.
Instead of coming up with a strong password filled with various symbols and letters yourself, most password managers can generate very strong passwords for you, encrypt them, and keep them on file, "so you don't have to have them written down," Lady says.
Then, you only need to come up with one really strong master password.
Turn on two-factor authentication and your account will remain secure even if your password is hacked.
"Even weak passwords aren't the end of the world, if you're using two-factor authentication," Lady says.
Two-factor authentication is becoming standard for password security. With two-factor, a user enters their password, then goes through a second round of screening, usually by entering a code they received in a text message. For the most part, this second step would stop most hackers in their tracks, since they'd have to steal your phone in order to proceed.
"It's becoming a standard option, but most people don't enable it," Lady says, noting that most people are too lazy to do so. You can usually find two-factor authentication in your account settings. It's available on Facebook, Twitter, Gmail, Snapchat, and a ton of other services - just make sure you actually turn it on.
Be especially wary of emails asking you to do something, or phone calls about the security of your accounts.
About 91% of targeted cyber attacks begin with a "spear-phishing" email, a trick designed to get a specific person to click on a link, give up their password, or download malware. These types of emails are designed to look like the real thing, and are really hard to judge at first glance.
A scammer might email saying your PayPal account has been hacked and you need to update your password. But once you click the link and type your password into the page it opens, you are actually handing it to them, not changing it. Lady says the key is to make sure you are on a legitimate page like paypal.com, and not a scam site with an address like www.paypalsecurity.xyz.
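The check Lady describes, deciding whether a link really points at the service it claims to, is easy to get wrong by eye, so here is an added example (not from the article or from Duo Security) of doing it programmatically. The allow-list of legitimate domains is a constructed assumption; the sample links are constructed too.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the example: domains the real service owns (assumption).
LEGIT_DOMAINS = {"paypal.com"}
# Brand words whose presence in a host the brand does not own marks a lookalike.
BRAND_WORDS = {"paypal"}


def host_of(url: str) -> str:
    """Lowercased hostname of a link with any user@ prefix, port and path stripped.
    A scheme-less string such as 'www.paypalsecurity.xyz' is treated as https."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")


def is_legit_host(host: str, legit=LEGIT_DOMAINS) -> bool:
    """True only for the domain itself or a real subdomain of it.
    The '.' boundary is what rejects 'paypal.com.evil.xyz' and 'notpaypal.com'."""
    return any(host == d or host.endswith("." + d) for d in legit)


def classify_link(url: str) -> str:
    """'legitimate', 'lookalike' (brand name in a host the brand does not own),
    'unrelated', or 'unparseable'."""
    host = host_of(url)
    if not host:
        return "unparseable"
    if is_legit_host(host):
        return "legitimate"
    # Hyphens are removed so 'pay-pal' style spellings are still caught.
    if any(brand in host.replace("-", "") for brand in BRAND_WORDS):
        return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links covering the tricks a phishing email relies on.
    for link in [
        "https://www.paypal.com/signin",            # real subdomain of paypal.com
        "www.paypalsecurity.xyz",                    # the article's example scam host
        "https://paypal.com.account-verify.xyz/",    # brand domain used as a subdomain
        "https://paypal.com@evil.example/login",     # brand domain hidden in user@ part
        "https://example.org/",                      # nothing to do with the brand
    ]:
        print(f"{classify_link(link):12} {link}")
```

The verdict comes from the registrable domain alone; a padlock icon or the word "paypal" somewhere in the address is not evidence of anything.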
"If there's any doubt in your mind, essentially, trust but verify," Lady said.
The same goes for suspicious phone calls. Hackers often use "social engineering" to convince a person to help them. So it's important to remain skeptical of calls from people claiming to be customer service representatives, since most companies don't make unsolicited calls, and almost none will ever ask for your password.
"I could be tech support with a cell phone in ten minutes and go around asking for passwords," Lady said.