This is not a proper password manager.
We all do it. Between the web apps that you want to have (Gmail, Facebook, Twitter) and the ones you need to have (Outlook, online banking, insurance), it's natural to want to keep things simple by having a handful of passwords that are easy for you to remember and use over and over again. In a recent survey, more than 55% of users admitted to recycling passwords (often in combination with the same username).
There are problems with that. First, chances are that your password isn't very hard to crack. Even a minimally acceptable "strong" password should have at least 8 characters, mixing numbers, letters, and symbols, without containing any complete words or names. Sorry, but "123456" just doesn't cut it (it was the most common password used in 2013).
Second, no matter how secure your password is, if it gets stolen, lost, or hacked, every single website that uses that password is now vulnerable.
Do something about it!
Every week, there's a new story about a major vendor or website that gets hacked with millions of customer emails and passwords getting stolen (interactive chart of the world's largest data breaches). But it’s far more likely that passwords will be stolen through carelessness or a phishing exploit, where you type your password in the wrong place.
Regardless of where the data was stolen, hackers will try those credentials (i.e. email/password combinations) on high-value sites like email services or online banking websites. Recycling passwords means that hackers could access any and all of your more sensitive accounts.
When it comes to passwords and credentials, you can vastly improve your online security by following a few best practices.
- Update your accounts with complex and (more importantly) unique passwords
- Save all your passwords securely in a password manager
- Be aware of mobile apps and web apps where you set up cross-authentication
For more, check out the post 8 Easy Tips for Better, More Secure Passwords on this blog.
Update your accounts with complex and (more importantly) unique passwords
There are several approaches to strong or complex passwords (e.g. totally random, long keyword phrases, mnemonics), but it’s actually more important to have unique passwords for each web app or website. That way, if you are ever compromised, you limit the potential damage.
Mnemonics can be easy for you to craft, but hard to re-use. For example, pick a memorable sentence, make an acronym and swap in some numbers: "Soup is good food" becomes "SIGF". Vary the case and sequence: "s1Gf". Now add a variable for the site, like the last letter of the domain. For Twitter, that would result in "s1GfR". You'll want at least eight (8) characters, and you'll want upper and lower case values plus numbers, but you get the idea. If you prefer to generate random passwords, here are a few free online tools.
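The two rules above (complexity as described earlier in the post, and uniqueness per site) can be checked mechanically. The following is an added example, not code from the original post or from any product mentioned on this page: it scores a password against the post's stated policy (at least 8 characters, upper- and lower-case letters, digits, symbols, no complete words), flags any password reused across sites in a small constructed sample vault, and generates a replacement with the operating system's CSPRNG via Python's `secrets` module. The site names, the sample passwords and the tiny word list are constructed for illustration; a real check would use a full dictionary.

```python
import secrets
import string

# Policy stated in the post: at least 8 characters, upper- and lower-case
# letters, digits and symbols, and no complete dictionary word or name.
MIN_LENGTH = 8
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"

# Constructed, deliberately tiny word list (assumption: a real audit would
# load a full dictionary and a list of breached passwords instead).
COMMON_WORDS = {"password", "dinosaur", "soup", "food", "twitter", "welcome", "admin"}

# Constructed sample vault: site -> password. "s1GfR" is the post's own
# mnemonic example; the others are invented for this illustration.
SAMPLE_VAULT = {
    "twitter.com": "s1GfR",
    "gmail.com": "dinosaur",
    "bank.example": "dinosaur",
    "insurance.example": "Wq7#pLm2$vK9",
}


def check_policy(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in password):
        problems.append("no symbol")
    lowered = password.lower()
    for word in sorted(COMMON_WORDS):  # sorted so the report order is stable
        if word in lowered:
            problems.append(f"contains the word '{word}'")
    return problems


def find_reuse(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map every password shared by two or more sites to the sites that share it."""
    sites_by_password: dict[str, list[str]] = {}
    for site, password in vault.items():
        sites_by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def generate_password(length: int = 16) -> str:
    """Draw a random password from the OS CSPRNG and keep it only if it passes the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:  # rejection sampling: retry until every policy rule is satisfied
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_policy(candidate):
            return candidate


def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Per-site findings: policy failures plus a note when the password is reused elsewhere."""
    reused = find_reuse(vault)
    report = {}
    for site, password in vault.items():
        findings = check_policy(password)
        if password in reused:
            others = [s for s in reused[password] if s != site]
            findings.append("reused on " + ", ".join(others))
        report[site] = findings
    return report


if __name__ == "__main__":
    for site, findings in audit(SAMPLE_VAULT).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{site:20} {status}")
    print("replacement suggestion:", generate_password(16))
```

Running the block prints one line per site in the constructed vault; only `insurance.example` comes out clean, `twitter.com` is too short and lacks a symbol, and the two sites sharing "dinosaur" are each flagged as reused on the other. The generator uses rejection sampling rather than forcing one character from each class into fixed positions, so every output is uniformly drawn from the set of policy-compliant strings.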
Save all your passwords securely in a password manager
Once you’ve created your unique passwords, save them in a password manager. Why are password managers important? Because you are much more likely to follow Rule #1 if you have one. Just be sure to choose a good one. Most modern browsers will save form data and passwords, but this is often the most dangerous thing to do. Avoid using the browser to store your credentials, because standard browsers are easily compromised. It’s not even very convenient when you consider how many different devices you might use to access your web apps.
You’re better off with a centralized location in the cloud, where you can access your credentials from any device. Centralized password managers should also give you the ability to securely share accounts without giving out the actual password, e.g. a joint checking account or a corporate Twitter account.
Be aware of cross-authentication and tokens
Many apps will use another service like Facebook or Google+ for their authentication instead of a password, usually with a token. This can be convenient for you, but it also gives the provider access to your profile and network, which you may not want. Cross-authentication can also be a risk if you lose your mobile device or forget to log off because that one app can be the entry point for many others.
Also, tokens can be very tricky, since web apps will often continue to honor old tokens, even if you change the password. While some web apps will allow you to revoke access to existing tokens, many do not.
This is a real risk. There have been a number of recent data breaches and exploits that expose users' credentials. And even if your credentials haven’t been compromised, there’s a good chance that someone else has the same password (500 Adobe users had “dinosaur” as their password at the time of the massive breach in 2013).
If you use Silo to manage unique usernames and passwords, you also get the benefit of secure and private browsing from a variety of devices. But even if you don’t, you should still re-think your password system. Changing your data now and keeping it unique across websites will at least minimize the damage if an account is compromised.