What the Houston Astros hack can teach you about cybersecurity

Baseball isn't typically a place to go for lessons on cybersecurity. But this week, America's pastime taught us a little something we'd all do well to remember.

While looking into a hack of the Houston Astros' internal database reported last week, FBI investigators focused on a group of employees from the St. Louis Cardinals' front office. According to The New York Times, whoever accessed the network appeared to have done so by logging in as either Astros general manager Jeff Luhnow or one of his top advisers, Sig Mejdal, both of whom were previously with the Cardinals.

"The intruder or intruders examined the Cardinals' network and determined the passwords that Mr. Luhnow and Mr. Mejdal had used when they were with the Cardinals. Using those passwords, they gained access to the Astros' network," the Times reported.

The moral of the story is clear, and shouldn't be news to most people: It's not a good idea to reuse passwords.

Using the same password to log into different sites, or at different jobs, means that a hacker only has to guess your password once to gain access to multiple accounts.

It's a basic rule of cybersecurity, and yet one that gets ignored over and over again as the growing number of logins and passwords we need each day becomes increasingly hard to keep track of.

That's why password managers such as LastPass were invented. The breach at that company last week (which it says did not compromise users' encrypted passwords) only underscored the importance of using unique passwords for every site and app -- including your password manager.

Rules to stop breaking

"As a consumer you have to realize that those that are going up and trying to steal our identity are looking for the weakest link," cybersecurity expert Michael DeCesare, president and CEO of ForeScout Technologies, told CBS News.

Paying attention to the little things can make an outsized difference in keeping your information safe.

Lesson number one: Be password smart. Don't reuse the same password for multiple accounts, and don't choose a password that's easy to guess.

"Over 20 percent of the world's passwords is the word 'password,'" said DeCesare, laughing, but not joking. "If you're even one percent better than the mass population, (hackers) are probably not going to waste a lot of time trying to come after you."

That means introducing numbers and symbols into your passwords to make them harder to guess. The further you get from the basic "dictionary" passwords, which hackers can guess by running through a list of common and predictable strings and full words, the better your chance of evading attack.

Often, digital wrongdoers can trick you into doing their dirty work for you. Phishing is a basic and widespread technique by which attackers get you to click on a link in an email that downloads malware onto your computer, often giving them undetectable access to your machine and the data stored on it.

In more sophisticated so-called "spear phishing" scams, hackers will use information about you to make the email seem more personal and legitimate, for instance referencing a recent Facebook post to make the sender seem like a friend.

Be wary of emails that ask you to click on links. The easiest way to avoid a phishing scam is: Just don't click.

Finally, DeCesare says, be careful where you surf.

"More often than not it's common sense," he said. "If you're in a Starbucks, if you're in an airport and you're on a public Wi-Fi, don't go onto your bank. ... Go check Facebook, go check Twitter, check your email." But stay away from the sensitive accounts that could be most valuable to a hacker looking for something to steal.

Of course, there are a lot of things that banks and stores need to do to protect their customers' data as well. But no amount of security infrastructure is going to make up for a weak password or other sloppy slip-ups.

Amanda Schupak

Amanda Schupak is the science and technology editor at CBSNews.com