Just a friendly reminder: it’s time to change your passwords, if you haven’t done so recently. In case you haven’t heard, online services and sites of all kinds, from Facebook and Netflix to GoToMyPC and Carbonite, are forcing password resets for some users due to a rash of account intrusions. These aren’t hacks in the traditional sense, as the cybercriminals are gaining access not by breaking into the websites themselves, but by using data obtained from prior data breaches — most specifically, the 2012 LinkedIn breach, which was revealed last month to have been far larger than any initial reports speculated. Whether your favorite websites have sent emails indicating you need to change your password or not, now is a great time to add changing your passwords to your summer to-do list and check it off. Need to know more? Keep reading.
One stolen password could be the key to unlocking your online kingdom
If you are guilty of reusing passwords or sticking to the same password for years on end, then chances are, at least one of your trusty logins has already been exposed in some data breach or another over the years. In fact, you can find out whether an email account or username has been part of a well-known breach by searching for it on the website haveibeenpwned.com, which tracks known databases of stolen user data from many of the top data breaches. If you are guilty of reusing passwords, it’s okay to admit it — we’ve all reused a password or two in the past — but sticking to this behavior is a quick ticket to misery, as it’s one of the primary ways cybercriminals crack people’s online identities.
Consider this scenario: you have used the same password for your email account for years, and you also use it for other accounts that you use frequently, such as Netflix and Amazon. If a hacker gains access to one of these accounts, they can easily try to get into your other accounts by trying that same password in conjunction with your username and/or email address until they strike gold, a technique known as credential stuffing. And that’s another important thing to keep in mind — your username matters just as much as your password choice, since it’s easy to discover all of your online accounts if they all utilize the same name. Even if you haven’t reused passwords when it comes to highly sensitive accounts, such as your online banking, access to your email enables hackers to request password resets and instantly take over those accounts, as well. Identifying passwords you’ve reused and changing them so none are the same is the first step toward making your online life more secure.
Take advantage of two-factor authentication where possible
We’ve written about the positives of two-factor authentication before, but it is worth repeating. Think of it like one of those chain locks you can add to enhance the security of your front door; even if someone were to get a copy of your house key, if the chain lock is enabled, they aren’t getting through. Two-factor authentication usually takes the form of a text message or phone call sent to your designated phone with a unique, one-time-use code that you have to input after providing your username and password before you’re able to access your account. Most websites have incorporated this security measure, and you can double-check whether your favorites are using it (and find out how to set it up) at the Two Factor Auth List website.
Make it count when choosing new passwords
Although it might come as a surprise to some, every year when the worst passwords list is revealed, we see just how many people leave themselves incredibly unprotected online. It isn’t just “regular” people who are guilty of it, either — after the LinkedIn breach, it was discovered that Facebook CEO Mark Zuckerberg’s social media accounts were hacked because he was using the password “dadada.” Changing your passwords is the first step, but you should also ensure that you are changing them to passwords that will be difficult for hackers — and their sophisticated programs — to crack. It used to be that simply creating a six-to-eight character password that incorporated at least one capital letter and one numeral was sufficient, but these days many websites require at least one special character (such as * and #) and allow users to input passwords between 12 and 20 characters (or longer!).
A long, strong password incorporates multiple special characters as well as numbers and capital letters. One tip is to use a phrase you’ll remember and substitute numbers to stand for letters (such as 3 instead of E) or randomize capitalization. You can also often use spaces within your passwords, so don’t pass up the opportunity to add complexity by doing that. Need help coming up with and keeping track of all your new passwords? A password manager such as LastPass may be helpful, and goes one step further by ensuring your passwords and other credentials are kept securely encrypted, never needing to be typed out by you (which protects them from keylogger programs). There are also websites that will generate random passwords for you to use.
Watch out for spoofed password reset emails
Unfortunately, where there’s smoke, there’s fire, and where there’s a legitimate security issue, there are scammers looking to take advantage of people. Many people have received emails from various companies in the past weeks urging them to reset their passwords. While an awful lot of these are legitimate emails, it is possible for scammers to try to fool you with phishing emails disguised as real password reset emails. A good rule of thumb is to resist clicking on links when you receive an email, instead opting to navigate to the website and try logging in from there. If the site in question has already reset your password, you might not be able to log in, but that will help you know for sure that the email you received is legitimate and contains safe links.
It’s likely this won’t be the last of the password resets we see this summer, so staying one step ahead of hackers by changing all of your passwords now is a great way to lessen your stress. To learn more about keeping yourself and your identity secure online, visit our identity theft protection blog.