Every week in the news there’s a report of a data breach of a website, exposing personally identifying information (PII), financial details like credit cards and bank accounts, and passwords. The matter is further compounded because most folks use the same password for many different things. As such, even if the data breach was of an innocuous site, or perhaps one you no longer use, your information can be used in what’s called a “credential stuffing attack”, where credentials from one or more data breaches are used in an attempt to log in to other sites.
So, how do we stay safe? The goal of this post is to offer some best practices towards that end. You may have heard the old saying “locks only keep out the honest”, which is to say that no method, or combination thereof, is absolutely 100% foolproof, but diligence will greatly reduce your risk. In short – don’t make yourself an easy target.
The first step is good password practices: a strong, unique password for every site/app/etc. We’ll talk more in a bit about what makes a strong password, but first, to stress the importance of unique passwords. As discussed above, breaches of one source can be leveraged to attack other sites, and the fastest way to thwart that is to use unique passwords for each site. Isolating the possible extent of any data breach to the site it originated from may still yield some damage, but it will keep your entire online persona from being compromised. If you’ve never struggled with identity theft – it’s a nightmare no one should ever have to face.
The most commonly used passwords are things like 12345678, password, target123, asdfasdf123, qwerty… you can see the patterns easily enough. Why do we use such inanely simple passwords? Because passwords are a pain: every site has different requirements for length, special characters, numbers, capitalized letters, etc. Worse yet, some of them actually make you change your password periodically (plot twist, this is actually a good thing – more on that later), and may not allow you to reuse previous passwords. How is one to keep up with all these things? Password managers (hereinafter “PM”). Full stop. Not post-it notes, not notepad/text documents on your phone/computer, not databases you save in Google Docs… It doesn’t even have to be a fancy third-party application/service, as your devices probably have something built in. iOS/macOS has Keychain, browsers will save passwords, and other native options exist for all platforms. If you want to go above and beyond the built-in options, a third-party PM can offer many additional features, not the least of which is cross-platform access. While I personally use many Apple products, sometimes I need to log in to something on a PC, a streaming device, etc. Recommendations on a good PM – I personally like Bitwarden; they offer a family account that works well for my family, as we share a folder for streaming services where any family member can access the latest Netflix password. Regardless of which PM you choose, at a minimum it should itself be secured by a strong, unique password. Most will offer simpler Touch ID/Face ID or other such mechanisms to save you from having to type that password as often for daily use. To that end, creature comforts make all the difference in efficacy – if the system is too cumbersome, it won’t get used. Autofill from context means you don’t have to open the PM itself every time you want to retrieve a password.
Day-to-day use should ultimately feel fairly fluid, with only minor variations from your previous, less secure practices.
So, we’ve covered the why; now, as promised: strong passwords. Good news: if you’ve adopted a PM, you probably already have the means to generate strong passwords. Browsers, native keychains, and PMs today will suggest strong passwords and then help you store them for safe keeping. Don’t use commonly used passwords, as mentioned above. For most sites, a string of random letters, numbers, special characters, and capitalization will suffice, albeit next to impossible to recall and a pain to type in if you’re not copying/pasting from a PM. If it’s a site or application you need to be able to recall or type manually, use a combination of words separated by numbers and special characters – example: Beachball#4Optimism8@Timid. Much simpler than “;390sger;mi$%*7toij” if you’re trying to log in to Netflix in a hotel! In addition to commonly used passwords, many people use common password patterns, which can also make things easier for a would-be hacker. The most common pattern: a capitalized word, followed by a number, topped with a special character as the cherry. That is what the site/app asked for, after all, so why not? Many folks use words that are associated with them – a pet’s name, favorite sports team, etc. – that can be easily guessed based on knowledge of the person or by scouring their social media and other clues. The same goes for numbers, which are often based on birthdays or other significant dates, so don’t use those either. Switch up the pattern you use from one password to the next, and use random words not associated with your interests. If you use a PM, it can take the guesswork out of making sure you have a secure password, and store it for future use.
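As an added illustration (not code from the original post), the following Python checks a password against the weak habits described above, the common-password list, the Word+number+special pattern and date-like numbers, and generates a typeable passphrase in the Beachball#4Optimism8@Timid style. The word list and common-password list are small constructed samples, stand-ins for a real diceware-style list and a breach-derived list.

```python
import re
import secrets

# Constructed sample: the common passwords named in the post. A real check
# should use a large breach-derived list, not this handful.
COMMON_PASSWORDS = {"12345678", "password", "target123", "asdfasdf123", "qwerty"}

# Constructed sample word list; use a large diceware-style list in practice.
WORDLIST = ["beachball", "optimism", "timid", "lantern", "granite", "velvet",
            "harbor", "nimble", "quartz", "saffron", "tundra", "walnut"]

# The "most common pattern" from the post: Capitalized word, digits, then
# one or more special characters at the end.
COMMON_PATTERN = re.compile(r"^[A-Z][a-z]+\d+[^\w\s]+$")
# Four-digit years and 6-8 digit runs (birthdays, anniversaries).
DATE_LIKE = re.compile(r"(19|20)\d{2}|\d{6,8}")


def weakness_reasons(password: str) -> list:
    """Return the weak habits a password exhibits; empty list means none found."""
    reasons = []
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("commonly used password")
    if COMMON_PATTERN.match(password):
        reasons.append("Word+digits+special pattern")
    if DATE_LIKE.search(password):
        reasons.append("contains a date-like number")
    if len(password) < 12:
        reasons.append("shorter than 12 characters")
    return reasons


def generate_passphrase(n_words: int = 3, wordlist=WORDLIST) -> str:
    """Build a typeable passphrase such as Beachball#4Optimism8@Timid:
    capitalized random words joined by a digit and a special character.
    Uses the secrets module (CSPRNG), never the random module."""
    parts = []
    for i in range(n_words):
        parts.append(secrets.choice(wordlist).capitalize())
        if i < n_words - 1:
            sep = [str(secrets.randbelow(10)), secrets.choice("#@!$%&*")]
            if secrets.randbelow(2):  # randomize digit/special order so the
                sep.reverse()         # separator is not itself a fixed pattern
            parts.append("".join(sep))
    return "".join(parts)
```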
tl;dr: don’t reuse the same password – ever; use strong passwords that aren’t easily guessed.