In honor of Change Your Password Day, we'd like to talk about why it's so important to start taking better control of your personal information. Strong passwords are important, so why do most people pick such lousy ones? For many, the risk of weak passwords isn’t tangible enough to justify the effort of changing their practices, so let’s start out by taking a look at data breaches and what’s happening to our valuable personal information.
Why is this such a big deal?
Lately, it seems like we can't even make it through an entire week without the media reporting on a major new security incident -- and that’s just a small fraction of the total number of incidents that actually occur. By mid-2014, over half a billion records were compromised in just six months, an all-time high according to DataLossDB. Of course, these are just the incidents we hear about, with many more left unreported or, worse, undetected.
An increasing trend when online assets are hacked is for the culprits to publicly release the data, a particular favorite of those we often refer to as “hacktivists.” I happen to maintain a free service called “Have I been pwned?” that lets you search and receive notifications when your compromised account is dumped publicly. The service already has 175 million records. All of these usernames, passwords and other personal data are now floating around unprotected on the Internet. Increasingly, your private data is becoming public data.
What does it mean for me?
What happens if your username and password for a particular website are disclosed? One risk is that those credentials are then used to compromise other systems. For example, a few years ago people who had accounts hacked on the Gawker website suddenly started tweeting about Acai berries. In a nutshell, when you use the same password for several sites, it only takes one compromised service to put all of your other accounts (with the stolen password) at risk, especially when many websites don’t apply appropriate levels of cryptographic storage for sensitive data.
Can't I just make my password longer and less obvious?
Well, yes, but you'll want to go a bit further than that. Clearly, unique passwords are important, but we’re also told (quite rightly) that it’s important to have long passwords that aren’t predictable. This creates somewhat of a conundrum because we all have an increasingly large array of online accounts, and now we need to remember what strong, unique password we used on which site. Or do we? Is your memory really the right place to store your complex passwords?
Once you accept that passwords should be unique and strong (as random as possible), your brain won't likely keep up. Some people are fond of “pass phrases” where they take a sentence and use that as a password…right up until the website doesn’t allow spaces in the password, or demands that it includes a number, punctuation characters, or strictly numbers (like when it has to be a six-digit PIN). Password managers solve this problem.
What's so great about a password manager?
Some years ago, I wrote about how the only secure password is the one you can’t remember, and that advice remains just as valid today. The role of a password manager is to act as a vault that protects your credentials and, like a vault in the physical world, it has numerous features to keep your assets secure. A good password manager leverages strong encryption algorithms to protect the data stored within it. It also verifies your identity before you’re able to access any of the passwords, for example by asking you for a single “master password” or, in some cases, by authenticating you biometrically, say via touch-identification on an iOS device. A good password manager also makes your credentials available across devices so that it doesn’t matter if you’re on your phone or your tablet or your PC; you always have access to the information required to log on to your online assets.
Can you recommend a reliable, trustworthy password manager?
There’s an increasing array of password managers available, including the very popular LastPass and the free, open source KeePass. My personal favourite remains 1Password for its ability to easily synchronize data across my devices via a number of different cloud services -- and the fact that the creator of the program, AgileBits, never holds my keychain (the file containing all my passwords). While on my PC, I log into websites with a quick keyboard shortcut and enter my master password. On iOS, I authenticate with my thumbprint and the password is automatically filled in on the website I’m visiting.
I can't remember most of my passwords, and I literally have hundreds. They’re all randomly generated for me and are dozens of characters long -- I couldn’t be happier! There are still a very small number of passwords that I commit to memory, as I use them frequently and I may not have access to 1Password when I need them (for example, when first logging onto my PC), but for the most part they’re entirely nonsensical.
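The site rules mentioned earlier (a required number or punctuation character, no spaces, a six-digit PIN) and the randomly generated passwords described above can be combined in one generator. This is an added example, not code from the original post or from any password manager; the policy names and the symbol set are hypothetical, constructed for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!#$%&*+-=?@^_"  # constructed symbol set, assumed to be accepted by the site

# Hypothetical site policies: a length plus the character classes that must each appear.
POLICIES = {
    "default": {"length": 32, "classes": [string.ascii_lowercase,
                                          string.ascii_uppercase,
                                          string.digits, SYMBOLS]},
    "no_symbols": {"length": 24, "classes": [string.ascii_lowercase,
                                             string.ascii_uppercase,
                                             string.digits]},
    "pin6": {"length": 6, "classes": [string.digits]},
}


def generate(policy_name):
    """Return a random password that satisfies the named policy."""
    policy = POLICIES[policy_name]
    alphabet = "".join(policy["classes"])
    if policy["length"] < len(policy["classes"]):
        raise ValueError("length too short to include every required class")
    while True:
        # secrets draws from the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(alphabet)
                            for _ in range(policy["length"]))
        # Rejection sampling: redraw the whole string instead of patching in
        # characters, so every compliant password stays equally likely.
        if all(any(c in cls for c in candidate) for cls in policy["classes"]):
            return candidate


def entropy_bits(policy_name):
    """Upper bound on strength in bits: length * log2(alphabet size)."""
    policy = POLICIES[policy_name]
    alphabet_size = len("".join(policy["classes"]))
    return policy["length"] * math.log2(alphabet_size)


if __name__ == "__main__":
    for name in POLICIES:
        print(f"{name:11} {generate(name):33} ~{entropy_bits(name):.0f} bits")
```

The six-digit PIN policy tops out at about 20 bits however it is generated, so for such accounts it is uniqueness, not strength, that keeps a breach from spreading.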
Like many people, my accounts have appeared in hacked systems in the past and they almost certainly will again in the future. However, when it happens to me, the risk is isolated to that one system using a unique password.