Stories are all over the news that Russian hackers have amassed a database of at least 1.2 billion (with a ‘b’) usernames and passwords. We still do not know which websites the hackers managed to compromise, what they will do with the credentials, or even whether the reports are true. Whatever the impact of this particular threat, it reminds us that password breaches have happened in the past and will continue to happen in the future.
In the normal course of using the Internet, we trust websites to protect our credentials. Instead we need to take steps to protect ourselves. Here are a few things you can do today to stay safe:
- Update your accounts with complex and (more importantly) unique passwords: There are several approaches to strong or complex passwords (e.g. totally random, long keyword phrases, mnemonics), but it’s actually more important to have unique passwords for each web app or website, even if they aren’t super complex. We wrote about the dangers of recycling passwords here. If you do this and one of your sites gets compromised, you limit the potential damage.
I like to use a mnemonic, which is really easy to craft and is an easier way to eliminate re-use. Pick a memorable sentence, make an acronym and swap in some numbers: "Soup is good food" becomes "SIGF". Vary the sequence: "s1Gf". Now add a variable for the site, like the last letter of the domain. For Twitter, that would result in "s1GfR". You'll want at least eight (8) characters, and you'll want upper and lower case values plus numbers, but you get the idea. Instead of this, you can also generate random passwords for each web app, but then you’ll want to take advantage of the next piece of advice: use a password manager.
- Use a password manager: Once you’ve created your unique passwords, save them in a password manager. Be sure to choose a good one and avoid using the browser to store your credentials because traditional browsers are easily compromised. In fact, it’s safe to say that you should shut off the browser’s default feature of saving passwords for sites. You’re better off with a centralized manager in the cloud, where you can access your credentials from any device. Centralized password managers should also give you the ability to securely share accounts without giving out the actual password, e.g. a joint checking account or a corporate Twitter account.
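The two points above (unique passwords per site, kept in a password manager) can be checked rather than taken on faith. This added example, not from the original post, audits a constructed CSV export in the shape many managers produce and reports passwords reused across sites and passwords that fail the length and character-mix rules given above; the column names and sample entries are assumptions.

```python
import csv
import hashlib
import io
import re
from collections import defaultdict

# Constructed sample export; column names are an assumption, not any vendor's format.
SAMPLE_EXPORT = """site,username,password
twitter.com,alice,s1GfR
bank.example,alice,s1GfE
mail.example,alice,CorrectHorseBattery7
forum.example,alice,s1GfR
shop.example,alice,abc
"""

MIN_LENGTH = 8  # the post's "at least eight characters"


def password_weaknesses(pw):
    """Return the rules a password fails: length, upper case, lower case, digit."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    return problems


def audit_export(csv_text):
    """Group entries by a hash fingerprint so reuse is visible without collecting
    plaintexts into one structure. Returns (reused, weak): reused maps a
    fingerprint to the sites sharing that password, weak maps site to failed rules."""
    by_fingerprint = defaultdict(list)
    weak = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fp = hashlib.sha256(row["password"].encode()).hexdigest()[:12]
        by_fingerprint[fp].append(row["site"])
        problems = password_weaknesses(row["password"])
        if problems:
            weak[row["site"]] = problems
    reused = {fp: sites for fp, sites in by_fingerprint.items() if len(sites) > 1}
    return reused, weak


if __name__ == "__main__":
    reused, weak = audit_export(SAMPLE_EXPORT)
    for fp, sites in reused.items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    for site, problems in weak.items():
        print(f"{site}: {', '.join(problems)}")
```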
- Be aware of cross-authentication and tokens: Many apps will use another service like Facebook or Google for their authentication instead of a password, usually with a token. This can be convenient for you, but it also gives the provider access to your profile and network, which you may not want. Cross-authentication can also be a risk if you lose your mobile device or forget to log off: that one app can be the entry point for many others. Finally, web apps will often continue to honor old tokens even after you change the password. While some web apps allow you to revoke existing tokens, many do not.