These cybersecurity tips from a former hacker can make you 98% less vulnerable: 'You're raising the bar'
We all want to think that we're doing enough to keep our personal and financial information safe from hackers when we go online.
But nearly 300 million people were affected by 1,862 corporate data breaches last year in the U.S. alone, according to the nonprofit Identity Theft Resource Center. Past studies from the University of Maryland show that hackers launch attacks roughly every 39 seconds.
Knowing how to repel those online "threat actors" before they gain access to your information and financial accounts starts with knowing how hackers think. That's why some companies turn to Kevin Mitnick for cybersecurity advice.
Mitnick is a former hacker who spent five years in federal prison after being convicted of wire fraud and other crimes in 1995. For the past two decades, he's been a computer security consultant whose firm, Mitnick Security Consulting, advises clients from government agencies to Fortune 500 companies like Microsoft.
Personal cybersecurity often boils down to "a balance between security and convenience," Mitnick says. Most people are aware of some of the basic steps they should take to keep their data safe, but as soon as they inconvenient to regularly follow, people get sloppier — leaving a potential window of opportunity open for hackers.
"The more security a consumer wants, the more inconvenient it will be," Mitnick tells CNBC Make It.
From simpler tactics, like getting a better handle on your laundry list of account passwords, to more advanced options — including one that Mitnick says could improve your chances of evading hackers by 98% — the cybersecurity expert lays out several tips for the average person looking to beef up their online security and avoid getting hacked.
Where to start: Manage your passwords
"For consumers who aren't technical wizards or information security consultants, the first thing where people make mistakes is in constructing their passwords," Mitnick says.
If you feel like you have an endless list of passwords to remember, you're definitely not alone. The average person has more than 100 different online accounts requiring passwords, according to online password manager NordPass.
The simpler your passwords are for you to remember, the easier they are for hackers to guess, especially if you've ever had information leaked online in a data breach and you regularly reuse passwords for multiple different accounts.
That's why using a free password manager app — he suggests LastPass or 1Password — "is an absolute must," Mitnick says. The app can securely store all of your passwords, or even generate new ones, and can only be accessed by a single master password.
Given that, you should pick a master key that's particularly difficult to crack. "That password for your master password to unlock should be at least 25 characters or more," Mitnick says.
Try using a simple, full sentence, like "Today, I Went To The Beach," with each word capitalized and spaces in between before ending with a punctuation mark and possibly a number. "It's easy to remember," Mitnick says. And, even more importantly, he adds, "it's going to be very difficult for an attacker to compromise through brute force."
Password managers can also remind you to stop reusing passwords for multiple accounts, a lazy practice that Mitnick says can give hackers a leg up in accessing your information.
"What attackers do is they find credentials in data breaches," he says. "And, then because people tend to reuse passwords, the threat actors will try that password, or variations of it, because usually you can identify people's patterns in choosing passwords and guess them that way."
More advanced options: Multi-factor authentication and physical keys
Several big tech companies are working toward a passwordless future. Those include Apple, which has expanded its Passkeys feature so you can use a fingerprint or facial recognition to access apps and accounts on many Apple devices.
You may also be familiar with multi-factor authentication, which most financial institutions or tech companies already use in some form. That's when your bank sends a code over text or email to verify your identity when you're logging in.
That authentication processes can still be compromised, Mitnick says. Malware could let hackers see your texts and emails, and simple phishing attacks could help a hacker gain your trust, leading you to directly send them your account information.
For two-factor authentication that is not "phishable," Mitnick recommends using encryption software like FIDO2 or WebAuthn. They can be paired with a physical security key, like a Yubikey, which resembles a USB drive that plugs into your computer. The encryption is unique to you and your device, and can only be unlocked with a PIN and the physical key itself.
Mitnick calls physical security keys "the highest security level" when it comes to signing into your online accounts. The option is already supported by a variety of major tech platforms and services — including Google, Amazon, Microsoft, Twitter, and Facebook.
Even so, it's not always foolproof: Those platforms still typically allow you to log in through alternative methods, like multi-factor authentication, if you don't have your security key on you.
An even more advanced option that 'raises the bar 98%'
If you're extremely serious about keeping your financial information safe from hackers, and you're willing to spend additional time and money to do so, Mitnick suggests buying a separate computer or tablet specifically for logging into your financial accounts or other sensitive accounts and data. He also recommends using a separate password manager just for that device.
You can use a relatively cheap device, too: Chromebooks start at around $250 and are currently safer from malware and other viruses than most devices, Mitnick says.
All of this sounds extremely "inconvenient," Mitnick admits. But these extreme steps do increase your chances of evading hacking attempts.
"You're raising the bar like 98%," he says.
Your best tool: Awareness
Your best defense against getting hacked might be your own ability to recognize when a malicious actor is trying to get you to send them your account information.
"The number one way that bad actors compromise targets is through phishing attacks. And they're very clever," Mitnick says.
Mitnick's firm regularly performs simulated phishing attacks for corporate clients to ensure that employees are familiar with the latest and most prevalent tactics. Some common phishing scams claim to be from a bank or tech service you subscribe to, and which falsely claim you need to take some sort of urgent action or else face dire consequences. You might be asked to follow a link or enter in your account information and passwords, accidentally handing them over to a hacker.
Be vigilant and only click on links, or enter your information, when you're absolutely sure it's safe to do so, Mitnick says.
"The rules should be you never download anything unless you're expecting it or you ordered a piece of software, and ... never click a link and put your username and password in something that you didn't initiate," he says. "That's a simple rule set that people should have."
Sign up now: Get smarter about your money and career with our weekly newsletter
If your passwords are less than 8 characters long, change them immediately, a new study says
These are the 20 most common passwords leaked on the dark web — make sure none of them are yours