At Addicott Web, our focus is helping Jewish non-profits, and in particular, helping synagogues grow and thrive online. A key part of our work focuses on digital security. Recently, we sat down with Andrew J. Cohen, vice president for technology strategy and operations at Hillel International, to discuss his take on the latest synagogue website security challenges — including why most passwords are not sufficient, why hackers know more about you than you may think, and why a password manager may be in your future.
This interview has been lightly condensed for clarity.
The number one thing synagogues need to do is ensure that users are using strong, randomly-generated passwords when logging into the synagogue’s website or any other online service. Also, enable two-factor authentication for every service — if it’s available. In combination with setting strong, randomly-generated passwords, my second major recommendation is to use a password manager, like LastPass or 1Password.
We’ve all established certain online habits over the last 20 years that were fine at first, but are no longer sufficient because hackers are exploiting our habits. Ten years ago, it was fine to create a password that was a dictionary word with a couple of characters added, or to create a password that replaced the vowels with, like, an @ sign for an “a” and a 3 for an “e,” but the hackers now know we do that. So, hackers can run those combinations very quickly.
Reusing passwords is a huge problem. It’s not uncommon for people to be using the same password on dozens, if not hundreds, of websites. So, if that one site’s password database is breached, those passwords get trafficked on the dark web. Subsequently, those hackers try to log in using those breached passwords on other websites. Every website needs to have a unique password that is only used on that website. The only way to effectively and conveniently establish secure passwords is to use a password manager.
Although websites commonly ask you secret questions as a second protection against a leaked password, this approach is often not sufficient. The hackers often know the answers to your secret questions because they have already stolen them from another site. They probably know your mother’s maiden name, your first dog’s name, the name of the first person you ever kissed. It’s just a matter of connecting all the dots. If it falls into the wrong hands, they can use that information against you. The only approach is to use fake responses and store the false answers in your password manager.
Day-to-day, most of the online attacks that we’ve seen at Hillel haven’t been motivated by anti-Semitism. They are mostly financial schemes. It’s not typically anti-Semitism, although we do get our share of ugly emails. The attacks that we’ve seen against Hillel staffers, our websites, and our systems have mostly been seeking to steal money.
But, that being said, we also know that anti-Semitism is on the rise. The ADL has documented this quite clearly, so we have to be vigilant. Unfortunately, there have also been some very ugly incidents in the real world, and we’re not keeping our eyes open if we don’t recognize that acts in the physical world have connections with the online world.
The first thing they should do is change the password associated with the email. It’s not necessary for the users to change their email address.
The standard recommendation used to be for users to change their passwords every month or every 90 days. But that’s no longer true. NIST, the National Institute of Standards and Technology in the U.S., no longer recommends that people change their passwords all the time, as it was inadvertently encouraging behavior where users would create weak or predictable password patterns. It’s better for people to create long passwords or password phrases that they can remember, even if they change them less often. Of course, you should always change a password for a website or system that has been breached.
That’s a hard question. Obviously, you want to make the information about your staff available and you want to make it easy for people to find you, but I recommend that you don’t publish individual email addresses for all employees. In our case, we removed all of our staff email addresses from Hillel’s website because we realized that anti-Semites were mining those email addresses to send ugly messages to our entire staff in one step. An alternative to publishing all email addresses is to create a web contact form that people fill out or to use a catch-all email address like info@ or hello@.
No, I think it’s essential to help tell the story of the organization. People want to see photos and social media, in particular, depends on photography of people to really carry the emotion and the impact of what the activity or event really is, so you can’t really get away from that. I do think that there are special considerations to take. For example, some members might not allow their photos to be used based on their work in government, in security, or another reason. But, as a precaution, do not identify individuals in the photos on public pages unless they are members of your leadership. This is particularly true for minors.
The address is a must. It’s impossible to hide. Unless you have taken extraordinary steps to remove your synagogue’s address from Google Maps’ database, it’s available to the general public. What do the anti-Semites want? They want us to be invisible. They want us to be scared. They want to make it harder for people to figure out where to go and be with Jews and pray and be in a community. So, I would never advise a Jewish organization to not publicize their location or phone number. But there are simple security steps like not publishing your entire staff directory, and having a single main phone number.
I think people need to take ownership of their online behavior. We wish we all lived in a world where we didn’t have to lock our cars and our houses, but unfortunately we do. That’s how it is when it comes to internet security. You can’t be on the internet and not keep security in mind. But there are tools that are making it easier. For example, if you use a password manager, it will automatically tell you if your password has been breached recently and will prompt you to change the password.
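The breach check that password managers run, as mentioned above, is typically done with a k-anonymity range query against the Pwned Passwords service: only the first five characters of the password's SHA-1 hash leave the device, and the service returns every hash suffix it knows for that prefix, which the client matches locally. The example below is added here and is not code from Hillel, Addicott Web, or any password manager; it implements that client-side matching logic against a constructed sample response (the hit count is made up), with the network fetch replaced by a stand-in callable. A real deployment would have `fetch_range` issue an HTTPS GET to https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib
from typing import Callable, Dict, Tuple


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char
    prefix that is sent to the service and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per known hash."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines and malformed rows
        suffix, count = line.split(":", 1)
        counts[suffix.strip().upper()] = int(count.strip())
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in known breaches (0 = none).
    Only the hash prefix is passed to fetch_range; the password never leaves."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call: a sample response for prefix
# 5BAA6 (the prefix of SHA-1("password")). Counts and the second row are
# made-up values for illustration, not real service data.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000000000000000000000000000000ABC:2
"""


def fake_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "xkcd-style-passphrase-for-test"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = f"seen {n} times, change it" if n else "not in sample data"
        print(f"{candidate!r}: {verdict}")
```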
Rather than feel defeatist, take ownership and reach out. If you’re not comfortable with technology, connect with friends and family who are, and realize that our old habits and behaviors are no longer good enough. Take ownership of your online identity. But most importantly, we should not exist in the shadows. As Jews, it is right to stay visible and be seen.
Andrew J. Cohen oversees the digital strategy and information technology teams in support of Hillel professionals across the movement. Equally adept in technology platforms and design thinking approaches, he has nearly 20 years of experience balancing business considerations with user needs. Learn more about Hillel International.
Want to know more about how your synagogue can stay safe online? Don’t hesitate to reach out and we’ll help keep your website secure.