With the recent report that a Russian criminal organization has gained access to, or stolen, about 1.2 billion username and password combinations, it's more important than ever to review the strength, unpredictability, and security of your most vital password-protected accounts.
We don't mean to be alarmists, however. Yes, the sheer number of stolen or compromised accounts looks astronomical. But remember that everyone has a number of websites and accounts, each with its own user name and password, so the number of individuals possibly impacted is significantly smaller than the number of stolen credentials. Just a quick survey of my personal password manager entries shows well over 325 user name and password combinations. While I may be somewhat of an extreme case, if you divide the 1.2 billion accounts by my password manager total, then only 6 million users are affected. Seems a bit more manageable than a billion now, right?
Manageable or not, the security of your passwords and accounts could be in jeopardy. Now is the time to consider how you use and protect your passwords and how you can keep them out of the hands of criminal organizations. To help, we have gathered our four best tips and a few links to previous blog articles that will help you define the best strategy for password security going forward.
The first step to increasing the complexity and security of your passwords is to know what you are working with. How many of your accounts use the same user name and password combinations? Does your recovery email address use the same password as your associated accounts? Are you using a simple password scheme across multiple accounts?
The most significant risk to your password security is reused passwords. During your audit, make a note of all reused passwords and schedule a change. Next, look at the general pattern of your passwords. Are they variable, with little to no repeatable pattern? If you use a scheme, does it have more than two or three parts (including the part that varies)? An easily recognizable pattern or scheme can be figured out by a competent hacker with the right tools, so why make it easy on him?
One of the simplest ways to complete your audit (and keep your sanity) is to use a password manager. Once all of your password-protected accounts are gathered in one area, recognizing the repeats and schemes is relatively simple.
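The audit described above can be automated over a password manager export. The following Python script is an added example, not code from the original post or from any password manager; it assumes a three-column CSV export (site, username, password) and runs on a constructed sample export, so every account and password in it is made up. It flags passwords used on more than one site (including the recovery mailbox sharing a password with another account) and passwords built on one letters-only base where only the surrounding digits and symbols vary, which is exactly the kind of scheme the audit is meant to catch.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export in the column layout many password managers use
# (site, username, password). These accounts and passwords are made up for
# the example; none belongs to a real service or person.
SAMPLE_EXPORT = """site,username,password
bank.example,alice,Tr0ub4dor&3
mail.example,alice@mail.example,Summer2014!
pizza.example,alice,Summer2014!
forum.example,alice_f,Summer2015!
cloud.example,alice,Summer2016!
store.example,alice,xQ9#vL2$pR7m
"""


def load_entries(text):
    """Parse the CSV export into a list of {site, username, password} dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def scheme_stem(password):
    """Reduce a password to the letters-only base it is built on,
    e.g. 'Summer2014!' -> 'summer'. Very short stems are ignored as noise."""
    stem = re.sub(r"[^a-zA-Z]", "", password).lower()
    return stem if len(stem) >= 5 else None


def find_reuse(entries):
    """Return {password: [sites]} for every password used on more than one site."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    return {p: s for p, s in by_password.items() if len(s) > 1}


def find_schemes(entries):
    """Return {stem: [sites]} where two or more *different* passwords share the
    same letters-only base, i.e. a scheme such as Summer2014!/Summer2015!."""
    by_stem = defaultdict(set)
    for e in entries:
        stem = scheme_stem(e["password"])
        if stem:
            by_stem[stem].add(e["password"])
    result = {}
    for stem, passwords in by_stem.items():
        if len(passwords) > 1:
            result[stem] = sorted(
                e["site"] for e in entries if scheme_stem(e["password"]) == stem
            )
    return result


def audit(text):
    """Run both checks over an export and return the findings."""
    entries = load_entries(text)
    return {"reused": find_reuse(entries), "schemes": find_schemes(entries)}


if __name__ == "__main__":
    findings = audit(SAMPLE_EXPORT)
    for password, sites in findings["reused"].items():
        print(f"REUSED  {password!r} on {', '.join(sites)}")
    for stem, sites in findings["schemes"].items():
        print(f"SCHEME  base '{stem}' shared by {', '.join(sites)}")
```

Run against the sample, the script reports the password shared between the mail and pizza accounts and the "summer" scheme spanning four sites; the bank and store passwords, which share no base with anything else, are left alone. Delete the export file once the audit is done, since it holds every password in the clear.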
A good password will normally include a random assortment of letters (capitalized or not), numbers, and symbols with no discernible pattern or reason for existing in that configuration beyond its use as a password. The problem with a password of this complexity is that it is as hard to remember as it is to break.
A good password manager will not only remember your complex passwords for you, but will also facilitate the creation of new passwords, be accessible on multiple devices and operating systems, and have an easy-to-understand organizational structure. There are a number of password managers on the market today and many are free. I have experience with LastPass and feel quite comfortable with its use and availability across multiple platforms and devices.
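An added example, not from the original post or from LastPass, of how a password manager's generator produces a password of the kind described above: each character is drawn uniformly from the operating system's cryptographic random source, and the script also reports the size of the search space an attacker would have to cover. The character set and the 16-character default are assumptions made for the example.

```python
import math
import secrets
import string

# Assumed character set: upper/lower-case letters, digits and ASCII symbols (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def has_all_classes(password):
    """True when the password contains at least one letter, one digit and one symbol."""
    return (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length=16, alphabet=ALPHABET):
    """Draw a password from the OS CSPRNG (the `secrets` module, never `random`),
    retrying until every character class is present so no class is missing."""
    if length < 4:
        raise ValueError("length must be at least 4")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Size of the search space for a uniformly random password, in bits.
    The class requirement above rejects a tiny fraction of candidates, so the
    true figure is marginally lower; this is the upper bound."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
```

Sixteen characters from a 94-symbol alphabet gives roughly 105 bits, far beyond what can be guessed by brute force, and the `secrets` module is the reason the output is unpredictable: a generator seeded from the clock or a user-chosen phrase would produce passwords that look random but are not.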
Not all password-protected accounts are created equal. There are significant differences between a throwaway account at an online pizza delivery joint and your retirement fund or bank. The impulse for many people is to create an easy-to-remember password because these critical accounts are used often. That is the trap so many of us fall into. When auditing these important accounts, like banks, email, cell providers, cloud storage accounts, and ISP accounts, take special care to create individual, variable, and randomized passwords.
As an added layer of protection for your most important accounts, be sure to take advantage of two-step authentication. Two-step authentication is a process that requires your username and password as well as an algorithmically generated code from a dongle or a text message sent to your personal cellphone. This extra layer of authentication can prevent the loss of vital accounts in the event of a security breach.
The last step in securing your accounts and passwords is hidden inside your email account. Have you ever forgotten a password or username and asked to have the information recovered? Did you delete that email and make sure it was gone? Probably not.
Your email is a virtual treasure trove of usernames and passwords for old accounts and little-used services. If you are like many people who use the same password across multiple accounts, then access to your email can expose many of your accounts to theft. Perform a search for the keywords "password" and "username" and then delete any results as you find them.