
Suggestions on Securing Your Data

Do you have a favorite password? Maybe three? I do.

Here’s the thing though: Data isn’t safe, especially when you spread it around. Security usually isn’t a concern until it has to be, and even then it’s easy to miss something. Just ask Equifax, which recently lost 143 million Americans’ Social Security numbers. Companies get hacked *all the time*.

How many accounts do you think you have? Facebook, Google, Yahoo, Skype, Instagram, Snapchat, Uber, Amazon, Netflix, Target, PayPal, your bank, your credit cards, the pizza shop down the street, and on and on. Now, how many separate passwords do you have across all of those?

Less? Probably less.

That’s the problem with passwords.

The moment any one of those gets hacked, that username and password are vulnerable. Over 4 billion logins already are. Maybe you don’t care about your old MySpace or LinkedIn account getting hacked–they can have it. But where else do you use the same info? Gmail? PayPal? If they got into your email, what else could they get into?

There’s a funny term for this: ‘credential stuffing’. Bad people get their hands on a list of usernames and passwords, and then they go through every other website and service they can find, trying those leaked logins to discover where else they work. Because the fact is many people *do* use the same login info everywhere they go.

I’ve seen this first-hand. A specialty brand we work with saw a huge number of login attempts to their site recently. The attackers tested over 200,000 logins, and a handful of those actually worked. Over the next few days the company had a rash of fraud orders: legitimate customers were suddenly placing orders with their saved credit cards, and shipping them overseas. The company’s fraud systems caught everything, and the charges were reversed, but that didn’t make it any less of a problem for the people affected.
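The pattern in that incident, one source trying many different usernames once each and occasionally succeeding, is what a site can watch for. The following is an added example, not code from the original post or from the company described: it parses a constructed (made-up) login log in an assumed line format, flags source addresses whose attempts span many distinct usernames with a high failure rate, and reports which accounts those sources nevertheless logged into, since those are the customers who need a forced reset.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data). The line format is an
# assumption for this example: "<ts> <src_ip> POST /login user=<name> status=<ok|fail>"
SAMPLE_LOG = """\
2017-09-12T10:00:01Z 203.0.113.7 POST /login user=alice status=fail
2017-09-12T10:00:02Z 203.0.113.7 POST /login user=bob status=fail
2017-09-12T10:00:02Z 203.0.113.7 POST /login user=carol status=fail
2017-09-12T10:00:03Z 203.0.113.7 POST /login user=dave status=ok
2017-09-12T10:00:03Z 203.0.113.7 POST /login user=erin status=fail
2017-09-12T10:00:04Z 203.0.113.7 POST /login user=frank status=fail
2017-09-12T10:00:10Z 198.51.100.23 POST /login user=alice status=fail
2017-09-12T10:00:15Z 198.51.100.23 POST /login user=alice status=ok
2017-09-12T10:01:00Z 192.0.2.44 POST /login user=grace status=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>ok|fail)$"
)


def parse_log(text):
    """Turn raw log text into a list of dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.8):
    """Flag source IPs that look like credential stuffing.

    A single user failing repeatedly is a forgotten password or a brute force
    on one account; stuffing looks different: many *distinct* usernames from
    one source, each tried once or twice, most failing, a few succeeding.
    Thresholds are illustrative and would be tuned per site.
    """
    per_ip = defaultdict(lambda: {"users": set(), "fails": 0, "total": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["status"] == "fail":
            s["fails"] += 1
        else:
            s["hits"].add(e["user"])  # accounts the source actually got into

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["fails"] / s["total"]
        if len(s["users"]) >= min_distinct_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised_accounts": sorted(s["hits"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample above only 203.0.113.7 is flagged (six usernames, five failures, one successful login as `dave`); the address that failed and then succeeded on a single account is left alone, because that is what a legitimate user mistyping a password looks like. The `compromised_accounts` list is the actionable output: those are the sessions to invalidate and the customers to contact before the fraud orders start.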

These days, the only secure password is one that’s never seen the light of day.

Forget about the old rules, like ‘pick a password with mixed-case letters and numbers’, or ‘pick a word and add ! at the end to make it extra strong’. People follow patterns, and patterns can be guessed. Forget about password strength meters. What might have taken a year to guess last decade could be a second now. And forget rotating passwords, since most people just change one password a little bit each time they’re forced to anyway. Most password policies have good intentions but don’t actually help.

More to the point, it doesn’t matter how strong or special a password is if it’s one of those 4 billion passwords that have already been leaked. Hackers can just go through that list of known passwords and try them all.

Instead, use each password once, and only once. Generate it randomly. Make it long. Set it, save it, then forget it forever.
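As an added example (not code from the original post), here is what the last two paragraphs look like in practice on the site side: generate a long password from the operating system’s secure random source, and screen any user-chosen password against a breached-password corpus the way the Pwned Passwords service does it, by sending only the first five hex characters of the SHA-1 hash and comparing the rest locally, so the password itself never leaves the client. The breach corpus here is a constructed local table of three made-up entries standing in for the real range lookup; the `SUFFIX:COUNT` response shape and the 5-character prefix are assumptions about that service, and the `range_lookup` callable is where a real HTTP lookup would plug in.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=24, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets), never from random.random()."""
    if length < 16:
        raise ValueError("use at least 16 characters for a generated password")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Entropy of a uniformly random string of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_local_range_table(leaked):
    """Constructed stand-in for the breach corpus: maps a 5-char hash prefix to
    'SUFFIX:COUNT' lines (assumed shape of the real range endpoint's reply)."""
    table = {}
    for pw, count in leaked.items():
        h = sha1_hex(pw)
        table.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in table.items()}


# Constructed example leaks with made-up counts; not real breach data.
CONSTRUCTED_LEAKS = {"password": 3_500_000, "Summer2017!": 1_200, "letmein": 250_000}
LOCAL_TABLE = build_local_range_table(CONSTRUCTED_LEAKS)


def local_lookup(prefix):
    """Offline lookup; a real deployment would fetch the range for this prefix over HTTPS."""
    return LOCAL_TABLE.get(prefix, "")


def breach_count(password, range_lookup=local_lookup):
    """k-anonymity check: only the 5-char prefix leaves this function; the
    remaining 35 hex chars are matched against the returned suffixes locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def acceptable(password, range_lookup=local_lookup, min_len=12):
    """NIST-style screening: a minimum length and a breach-corpus check,
    no composition rules and no forced rotation."""
    return len(password) >= min_len and breach_count(password, range_lookup) == 0


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(pw)):.0f} bits", "acceptable" if acceptable(pw) else "rejected")
    print("password ->", breach_count("password"), "known leaks")
```

The design point is the split: a generated 24-character password carries about 157 bits of entropy, so guessing it is not a realistic threat, while the breach check catches the human-chosen ‘Summer2017!’ style password that no length or character-class rule would have rejected. Sending a hash prefix rather than the password or its full hash is what makes it safe to ask a third party at all.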

‘But saving passwords is a bad idea!’ … well, yes and no. Remembering one password and reusing it everywhere is worse.

Nowadays there are whole companies dedicated to saving your passwords for you, and they’re pretty good at it. Find a password manager that will sync across your devices, like 1Password or LastPass. Or use Chrome’s password storage, if you have to. Any of those will encrypt the stored passwords so they can’t simply be lifted off your device. Instead of having one password you use everywhere, you’ll have a separate password for each thing, but you’ll only need to *remember* one, your master password, to unlock the rest.

Just, please, don’t use the same passwords for email and financials as anything else. If you can remember those on your own, more power to you.

And while we’re here, since email lets you recover accounts for so many other things, set up 2-factor authentication to protect your email. Almost all major providers (gmail, yahoo, hotmail, …) support it.

Fun links:
1Password: https://1password.com/
LastPass: https://www.lastpass.com/
Check how many of your accounts have been in a known breach: https://haveibeenpwned.com/
Check if a password is known to be used: https://haveibeenpwned.com/Passwords
If you process passwords, NIST’s 2017 password guidelines: https://pages.nist.gov/800-63-3/sp800-63b.html#sec5
And shout-out to XKCD, who called all of this years ago: https://xkcd.com/792/
