Large breaches of username and password combinations are becoming far more frequent. In the past few years we’ve seen users of LinkedIn, Dropbox, Adobe, Myspace, and now Yahoo! fall victim to hacks of username and password databases.
You’re probably thinking “What do I care if someone can get into my Myspace account. I haven’t touched it in 8 years.” Well, who cares indeed? Unless, of course, you’ve used that same email address and password combination somewhere else.
Hackers that get their hands on these password dumps don’t use them to log into Myspace and send friend requests. They take the databases and try the username and password combinations against other services like Amazon, financial websites, and Gmail.
So if you’re still using that same Gmail password from 4 years ago, and you used that same password for LinkedIn you are very much exposed and in danger of having your digital life taken over. Keep in mind that these breaches usually happened long before news of them was made public, so there’s no telling who got popped yesterday.
Some Accounts Are More Important Than Others
Bad guys know that you use your Gmail account for everything. If you forget your Amazon password, you do a password reset. Since Amazon knows you by your email address, they send a message there and bing bang you’re back into Amazon. In this case, your Gmail is a “Key Master” account: whoever controls it can reset the passwords on every other site that knows you by that address. Most of us have the same email account associated with our banking, shopping, and social media accounts. Apple IDs are another example of an important account, because every one of your Apple devices is tied to, and can be controlled through, that single login. These “Key Master” accounts must be protected with a unique and complex password that you use nowhere else.
So What Can We Do About This?
Use two-factor authentication anywhere possible. Some services will text you a one-time code whenever you log in from a new device. Others have mobile apps built specifically to act as the second factor; the app and the service share a secret, and the app turns that secret plus the current time into a short code that changes every 30 seconds. Either way, a stolen password alone is no longer enough to get in, which goes a very long way toward keeping these individual accounts safe. Where a service offers both, prefer the app over text messages, since a phone number can be hijacked by someone talking your carrier into moving it to a new SIM.
Our number 1 recommendation, though, is to use a password manager. Password managers are applications that run on your computers and mobile devices and perform two major functions: they generate long, random passwords for you, and they keep them in an encrypted vault so you never have to remember them. On your workstation they’re pretty seamless and generally save you time. They can add a step or two when logging into a website on your mobile device for the first time, but the small inconvenience is paid back in spades considering the security gained. iPhone users can unlock their password vault with their thumbprint, which makes things very easy.
The two most popular password managers are 1Password and LastPass. Both of them have their virtues, and either will get the job done. LastPass has a free version which will sync your password database to all of your devices. Second Son has experience with both, and would be happy to help you get set up.
I’m Not Going To Do That…
OK, so you don’t want to deal with a password manager. There are still some small things you can do that can have a big impact on whether or not you get popped. Having a unique password for every single service goes a long way toward protecting yourself. I know you’re thinking “how the heck can I remember 50 different passwords and which website they belong to?” Well, the easiest way would be to have one primary password that you change slightly based on the website you’re visiting. If your password is “Fido123” why not make your Facebook password “Fido123FB” and your Bank of America password “Fido123BOA”. Understand what this does and does not buy you. The bulk attacks that follow a breach simply replay the exact email/password pairs from the dump against other sites, and a variant like this will not match. It is a speed bump, not a lock: anyone who actually looks at the dump, or points a cracking tool with a handful of “append the site name” rules at it, will recover the pattern in seconds. So pick a base password that is long rather than “Fido123”, and if any one site where you use the pattern is breached, treat every other site that shares the base as exposed and change them all. If you’re worried about someone targeting you specifically, a password manager is absolutely your best bet.
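To make concrete why the “Fido123FB” pattern only stops the laziest replay attacks, here is an added example (not code from the original post) of the kind of variant generation a cracking tool’s rule set does. It takes one leaked base password and a few site abbreviations, applies simple mangling rules (append or prepend a tag, optional separator, case changes, bump the trailing digits), and checks the guesses against a victim’s password hashes on other sites. The leaked record, site list, tag lists and the target hashes are all constructed for the demonstration; real sites would salt and slow-hash, which only changes how long the same few hundred guesses take.

```python
"""Variant guessing against a 'base password plus site tag' scheme.

Added example, not from the original post. All data below is constructed:
one leaked credential, a few target sites with the abbreviations a person
might bolt on, and the victim's (unsalted SHA-256, for illustration only)
password hashes on those sites.
"""
import hashlib
import itertools

# Constructed leaked record: the victim's base password from an old dump.
LEAKED = {"email": "user@example.com", "password": "Fido123"}

# Constructed: target sites and the obvious abbreviations for each.
SITE_TAGS = {
    "facebook": ["FB", "fb", "Facebook", "face"],
    "bankofamerica": ["BOA", "boa", "BofA", "bank"],
    "amazon": ["AMZ", "amz", "Amazon", "amzn"],
}


def variants(base, tags):
    """Yield guesses derived from one base password with a few mangling
    rules of the kind shipped with cracking tools: case changes, trailing
    digits incremented, a site tag appended or prepended with an optional
    separator. Duplicates are suppressed."""
    seps = ["", "_", "-", "!"]
    bases = {base, base.capitalize(), base.lower(), base.upper()}
    # Rule: bump the trailing digit run (Fido123 -> Fido124), a very
    # common "I had to change it" edit.
    if base and base[-1].isdigit():
        head = base.rstrip("0123456789")
        digits = base[len(head):]
        bases.add(head + str(int(digits) + 1).zfill(len(digits)))
    seen = set()
    for b, sep, tag in itertools.product(sorted(bases), seps, tags):
        for guess in (b + sep + tag, tag + sep + b):
            if guess not in seen:
                seen.add(guess)
                yield guess


def sha256_hex(s):
    """Illustrative hash only; real sites should use a salted, slow KDF."""
    return hashlib.sha256(s.encode()).hexdigest()


def recover(leaked_password, site_db):
    """site_db maps site -> hash of the victim's password there.
    Returns {site: recovered_password} for every hash a variant matches."""
    found = {}
    for site, target in site_db.items():
        for guess in variants(leaked_password, SITE_TAGS[site]):
            if sha256_hex(guess) == target:
                found[site] = guess
                break
    return found


def total_guesses(leaked_password, site_db):
    """How many candidates the rules produce across all target sites."""
    return sum(1 for site in site_db
               for _ in variants(leaked_password, SITE_TAGS[site]))


# Constructed targets: the victim followed the "Fido123FB" advice verbatim,
# and on Amazon had once been forced to change the password (digit bumped).
TARGETS = {
    "facebook": sha256_hex("Fido123FB"),
    "bankofamerica": sha256_hex("Fido123BOA"),
    "amazon": sha256_hex("Fido124amzn"),
}

if __name__ == "__main__":
    hits = recover(LEAKED["password"], TARGETS)
    print(f"{len(hits)}/{len(TARGETS)} passwords recovered using "
          f"{total_guesses(LEAKED['password'], TARGETS)} guesses total")
    for site, pw in hits.items():
        print(f"  {site}: {pw}")
```

A few hundred guesses per site is nothing; an attacker who has the dump can afford that against every account in it, not just yours. The same rules produce nothing useful from a 20-character random password, which is the whole argument for letting a manager generate them.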
OK, if you’re still not convinced you’re probably not reading this far, but I’m going to give it one last shot.
Imagine waking up and finding that your iPhone is locked. The screen shows a message with an email address and a demand for $50 to unlock the phone. If you use Find My iPhone and someone gets into your Apple ID, that is exactly what they can do: the same remote-lock feature that protects a lost phone locks yours, with their message on the screen. A unique Apple ID password and two-factor authentication on the account are what stand between you and that morning.
Lastly, the website below keeps track of the major email/password database dumps and will tell you if your email address has appeared in any of them. If it has, it’s highly recommended that you change your password on the breached service, and on every other site where you used that same password or a close variant of it. https://haveibeenpwned.com/