ANOTHER DAY, another data breach, and this one appears to be among the most significant in recent memory: over a billion usernames and passwords now in the possession of a group of Russian hackers. Although a very interesting take on this story at The Verge questions whether that quantity of personal data was actually “hacked” or merely bought from other criminals, the fact remains that the data is out there, and yes, there is a reasonable chance that your credentials are in there somewhere.
What many of us find particularly frustrating about these episodes is that the names of the compromised sites are usually withheld for days or even weeks after the fact, on the theory that naming a site that has not yet been fixed would only point more attackers at it. This was the case with the recent Heartbleed bug, where many Web site operators were unconscionably slow to tell their users whether their sites needed patching, whether they had been patched, and exactly what information could have been compromised.
In the end, we’re all left thinking, “What can I do, or what should I do, to protect myself?” There isn’t much we can do to prevent these kinds of breaches, but there are two things we can do to limit the damage. One is to use “strong” passwords (“un9Ayg3I1oN8” as opposed to “password”) on the Web sites we frequent, and the other is to use a unique (and strong) password for each site. Strong passwords alone wouldn’t have helped much with this particular breach, since a password that has been stolen outright is no safer for being hard to guess, but unique passwords would have contained the damage to the one site that leaked it.
WHY? BECAUSE hackers know that most of us use the same 2-3 passwords for every site we visit. So if they capture just one, along with your email address, they can simply try that pair against other popular services (the practice is known as credential stuffing) and may well get into many of your other online accounts, some of which hold a lot more personal information than just your name and email.
Now there’s a very good reason why–in spite of all the warnings we get each time a Web hack is publicized–most of us use the same 2-3 passwords for everything, and that’s because in order to use them, we must be able to remember them. Even working with only a few passwords can be challenging, and we’ve all had those moments wherein we type in what we think the password is, then what it might also be, then what we think it is but with an initial cap, etc. Were we all to employ strong passwords, even if they were not unique to each site, we would certainly fail at most of our login attempts.
That’s where password managers come in. Some are programs that reside on your computer; some are Web sites that store the passwords for you. Some are bare-bones and some are amazingly full-featured. But the one invaluable service they all perform is to enable you to use strong, unique passwords by remembering them for you and producing them on demand. You have only to remember one “master” password to unlock the rest, which means that master password must itself be genuinely strong, because it now guards everything.
THE KEY WORD here is “enable.” It would be a truly marvelous thing were a password manager to visit every site you frequent, change your password on each one to something far more robust like “Nim2ceWg8O9q,” and then repeat that exercise every three months. In the real world, of course, accomplishing that requires a little more “elbow grease,” if I may borrow an idiom from my parents’ generation.
Even with the assistance of a password manager, you must take the following steps to update your sites with a strong and unique password:
- Log in to the site with your current (presumably weak) password.
- Locate the area of the site where you can update your password.
- Enter your current password in the “Current Password” or “Old Password” field.
- Enter a much stronger one in the “New Password” field (most password managers will generate this for you).
- Apply the password change using the “Save,” “Update,” “Apply” or similarly named button below the password fields.
- Make sure the password manager updates its record for the new password (most do this automatically, or at least semi-automatically).
- Repeat for the remainder of your sites.
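To make the “strong and unique” argument concrete, here is a small added example (my own illustration, not code from 1Password or any other product) that does in a few dozen lines what a password manager does behind its “Generate” button and its reuse warnings: it draws passwords from the operating system’s cryptographic random generator, computes how much entropy a random password of a given length carries, and, given a toy vault of per-site records, reports which other accounts a single leaked password would open. The vault, the site names and the weak passwords are constructed for the demonstration; a real manager encrypts its records under a key derived from the master password rather than keeping them in a plain dictionary.

```python
import math
import secrets
import string

# Character class of the article's example "un9Ayg3I1oN8": upper, lower, digits.
ALNUM = string.ascii_letters + string.digits


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet).

    Only meaningful for random passwords. A dictionary word such as "password"
    has far less entropy than its length suggests, because an attacker guesses
    whole words, not individual characters.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALNUM) -> str:
    """Generate a password with the OS CSPRNG via the `secrets` module.

    Never use the `random` module for this; its generator is seeded from a
    small state and its output is predictable.
    """
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    """Toy per-site record store standing in for a password manager.

    Hypothetical and deliberately minimal: a real manager encrypts these
    records at rest; here they live in a plain dict so the reuse logic is
    easy to read and test.
    """

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def set_password(self, site: str, password: str) -> None:
        self._records[site] = password

    def get_password(self, site: str) -> str:
        return self._records[site]

    def reused_passwords(self) -> dict[str, list[str]]:
        """Map every password used on more than one site to those sites."""
        by_password: dict[str, list[str]] = {}
        for site, pw in self._records.items():
            by_password.setdefault(pw, []).append(site)
        return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}

    def also_opened_by_leak(self, leaked_site: str) -> list[str]:
        """Other sites an attacker gets into with the password leaked from
        `leaked_site`: the credential-reuse exposure the article describes."""
        leaked = self._records[leaked_site]
        return sorted(s for s, pw in self._records.items()
                      if pw == leaked and s != leaked_site)

    def rotate(self, site: str, length: int = 16) -> str:
        """Replace a site's password with a fresh random one that is unique
        within the vault (the 'New Password' step of the procedure above)."""
        taken = set(self._records.values())
        new = generate_password(length)
        while new in taken:  # astronomically unlikely, but cheap to check
            new = generate_password(length)
        self._records[site] = new
        return new


def demo() -> dict:
    """Constructed sample: three sites, two of them sharing a weak password."""
    v = Vault()
    v.set_password("shop.example", "password123")
    v.set_password("mail.example", "password123")
    v.set_password("bank.example", "Sunshine1")
    before = v.also_opened_by_leak("shop.example")   # ['mail.example']
    v.rotate("shop.example")
    v.rotate("mail.example")
    after = v.also_opened_by_leak("shop.example")    # []
    return {"before": before, "after": after, "reused": v.reused_passwords()}


if __name__ == "__main__":
    print(f"12 random alphanumerics: {entropy_bits(12, 62):.1f} bits")
    print(demo())
```

Two points worth noticing. A 12-character random alphanumeric password like the article’s example carries about 71 bits of entropy, while an 8-letter lowercase string carries under 38 even before you account for it being a dictionary word; and after `rotate` runs on both sites that shared “password123,” leaking either one no longer exposes the other, which is the whole reason for the elbow grease above.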
DON’T GET ME wrong–I don’t mean to give the impression that password managers aren’t worth the trouble. I use a password manager, and I feel they are extremely useful and truly the only practical way to employ strong and unique passwords across multiple Web properties. But they still require an investment of time and thought to allow them to safely and effectively “manage” your passwords.
So if this latest exploit has you thinking that it might be time to stop using “password123” for the majority of your Web accounts, you would be well-advised to employ some form of password management. Just be prepared to spend a few hours or more working up a little elbow grease in the process.
I don’t feel comfortable shilling for one developer over another, but I will say that my personal preference is 1Password from AgileBits. My one gripe is that it’s on the expensive side, but it’s generally regarded as the best one out there.
And your favorite Mac-friendly password manager is…?