A client confessed to me yesterday that one of their key login passwords is “password.” I was dumbfounded. I sometimes forget, because I’ve been talking about security with clients for so long, that the most basic password management remains a widespread problem.
“I don’t have anything very important,” “I’m not interesting,” or “I don’t have anything I’m worried about protecting” are all things I’ve heard from clients, friends, and family members. Being interesting certainly makes the payoff better for an attacker, but it is not required to become a victim of one and to suffer, at the very least, significant embarrassment.
I regularly receive emails and texts from contacts that are the result of one of their accounts or devices being compromised. Even if you manage to pick good passwords and protect them yourself, they can become involved in a data loss at some website; it happens all the time. My main email address has been involved in account breaches at 10 different companies since 2008. I created this list by using Firefox Monitor, a tool provided by the Mozilla Foundation to help people protect their privacy. You can do a one-time search, or you can subscribe and they will send you alerts when a new breach is reported that might involve you.
While we should definitely hold these companies accountable for their lousy security practices, do not count on them to protect us. They just want to sell stuff; they don’t care very much, and even if they do, there is a strong incentive to keep everything they know about us. That’s a topic for another day. Let’s return to the immediate problem of personal account security.
You have probably received one of the phishing/extortion emails going around lately (if not, check your spam) and seen a password you may have used somewhere once upon a time (or maybe it’s still a current password). I hope you have changed that password now. You should not reuse passwords anywhere. The passwords that escape into the wild like that are typically retrieved by these scammers from one of the lists that have been built from breaches like the ones I mentioned above. This provides a great illustration of why you should not reuse passwords even if they are “good” ones.
Let’s imagine you reuse a password for some websites and for your email. If one of those websites is compromised, you may not know for months. During that time your email and password combination could circulate in various places and be used to access your email, to look for useful information for identity theft, or to trigger password resets for your online banking or any number of other things. Even if your exposure is lower than that, those accounts could be used to send embarrassing spam or to try to scam your friends. You may have received such messages from friends whose accounts have been compromised.
It’s not about being interesting or having something worth stealing. These days, there is at least your reputation on the line. No one wants to be the person who sent some scam or spam to all their contacts. These attacks are almost all automated. They simply work through lists of leaked email/password pairs and try them on accounts, or use dictionary lists of popular passwords. This is why many services use CAPTCHAs to try to verify that a human is logging in, but they’re not perfect either.
Change any reused passwords. Really. Do it now.
How to keep track?
Fortunately there are many tools to help you do that. There are online and app-based services like LastPass, 1Password and Dashlane. They all have free tiers, so you can test them out before you opt in. The free tier might also be good enough for you. I have not used any of those, but they seem credible. The risk with a service like those is that it is a big target.
I have also used the BlackBerry Password Keeper, which is available on Android these days, but it won’t do you any good on your computer. Day to day, I make use of the password management built into Firefox. However, I use a strong master password so the stored passwords can’t be cracked using brute force, and I don’t put my highest-security passwords into it. I keep my financial passwords in my head. I suspect the password management in Edge, Chrome and Safari is probably good too, but I haven’t tested it and confess I’m a little suspicious of the hegemonic control of Apple, Google and Microsoft, though I use their products nearly every day.
If you feel suspicious too and want to keep control in your own hands, then I recommend KeePassX, a cross-platform tool that I have used and recommended for years. It is slightly less convenient than the networked tools above, but puts full control in your hands and on your device. No corporation, just coders working for the common good.