I work in IT and often have to deal with security issues. Based on that, you’d think I’d have my act together better than average when it comes to personal online accounts. And you’d be right, to a certain extent. I’ve always been more careful than average with account passwords and use MFA (multi-factor authentication) when it’s available. (MFA means that after your password the site demands a second proof that it’s you: a code it texts or emails you, or a code you read from a separate authenticator app.)
But better than average can still be problematic. For example, while I mostly avoided the trap of using the same password everywhere, years ago before password managers were widely available, I followed a formula for determining my password for particular sites. It worked reasonably well, but on one particular site, the formula just happened to produce an easily guessable password.
Using a formula for passwords has a vulnerability similar to using the same password everywhere, in that it can make you reluctant to break the pattern. In the case of this particular site, I reasoned that it had MFA by default, so I was safe. Big mistake. One that burned me a few weeks ago.
It turned out that if the site had ever had MFA on by default, it had been discontinued at some point. It had an MFA option, but not one I knew about or had turned on. So the MFA I was leaning on wasn’t there, and the password was easy to guess. I was probably lucky the account hadn’t been compromised years earlier.
After dealing with the consequences, I decided I needed to clean up my act. I’ve used the randomly generated strong passwords from my password manager for the last few years, but hadn’t gone back and fixed old accounts, something I’ve been correcting for the last few weeks.
The reason I’m mentioning this is statistics show most people are still trying to remember their passwords, and as a result 70% use the same ones on multiple sites, and some (21%) still use the same password everywhere. Statistically that means many of you fall into these groups. If so, I have some recommendations for you to consider.
1. Use a password manager.
2. Use the password manager to generate and keep track of strong unique passwords for every site.
3. Turn on MFA (multi-factor authentication) when it’s available.
Chances are you’re already doing 1, using a password manager, since the major browsers have built-in ones. There are also separate, more full-featured password managers out there. A lot of people I work with swear by LastPass, which now requires a license to use well, but I also know someone happily using Bitwarden, which is free.
Yes, using a password manager does mean that your passwords are now stored somewhere. But all of the good managers encrypt your vault on your own device with a key derived from your master password, so the company that makes the manager cannot read it. That doesn’t completely remove the risk, but at this point it’s a risk that is far smaller than the one incurred by using easily guessable passwords, or the same password on several sites. With the password manager you only have to remember one strong password (ideally backed up by MFA) for accessing the manager itself.
The trick, once you’re doing 1, is to remember to do 2. I was largely doing this through attrition. Every new account I signed up for had a strong randomly generated password. But I had never gotten around to going through all my old accounts. If you’re like me, you have hundreds. Doing them all at once is pretty overwhelming. After being burned, my solution has been to take care of the crucial (mostly money related) ones first, then gradually do a few of the others each day.
When changing passwords, it pays to keep this strong password generator site handy. All of the password managers will take a shot at generating passwords if you let them, but some sites (mostly banking and utility ones in my experience) are persnickety about what they’ll accept, and having the ability to control which characters go into the password can help.
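For anyone who would rather not paste a password-to-be into a web page, the same thing can be done locally. The following is an added example, not code from the original post or from any password manager: a generator built on Python’s `secrets` module that takes the character classes a site requires, drops any characters it rejects, and guarantees at least one character from every required class. The `CLASSES` table and the sample constraints are assumptions for the demo, not any particular site’s rules.

```python
import secrets
import string

# Character classes a site might require. The symbol set is deliberately
# conservative: banking and utility sites often reject < > " ' \ and spaces.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{}:,.?",
}

_rng = secrets.SystemRandom()  # CSPRNG-backed, used for the final shuffle


def generate_password(length=20, classes=("lower", "upper", "digits", "symbols"), exclude=""):
    """Return a random password of `length` characters containing at least one
    character from each class in `classes` and none of the characters in `exclude`.
    Raises ValueError when the constraints cannot be met."""
    pools = []
    for name in classes:
        pool = [c for c in CLASSES[name] if c not in exclude]
        if not pool:
            raise ValueError(f"class {name!r} is empty after exclusions")
        pools.append(pool)
    if length < len(pools):
        raise ValueError("length too short to include every required class")

    # One guaranteed character per required class ...
    chars = [secrets.choice(pool) for pool in pools]
    # ... then fill the rest from the union of all allowed characters.
    alphabet = sorted(set().union(*pools))
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    _rng.shuffle(chars)  # so the guaranteed characters are not always first
    return "".join(chars)


def satisfies(password, classes, exclude=""):
    """Check a password against the same rules; handy for confirming what a
    site actually accepted before the manager overwrites the old entry."""
    allowed = set().union(*(CLASSES[n] for n in classes)) - set(exclude)
    if any(c not in allowed for c in password):
        return False
    return all(any(c in CLASSES[n] for c in password) for n in classes)


if __name__ == "__main__":
    # Assumed rules for a picky site: 16 characters, all four classes, no quotes,
    # angle brackets or backslashes.
    banned = "<>\"'\\"
    pw = generate_password(16, exclude=banned)
    print(pw, satisfies(pw, ("lower", "upper", "digits", "symbols"), banned))
    # Assumed rules for a site that only allows letters and digits.
    print(generate_password(24, classes=("lower", "upper", "digits")))
```

Because the filler characters are drawn from the whole allowed alphabet and the result is shuffled, the only structure an attacker can count on is "at least one of each class", which is exactly what the site enforces anyway.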
(I’ve also found it a good idea, when dealing with these types of sites, to temporarily hold a copy of your old password in a text editor, in case the site rejects your new password but the password manager saves it anyway. In most cases, you’ll need that old password for subsequent change attempts.)
Strong passwords make your accounts far more secure. But they don’t help much when the site itself suffers a data breach: if the site stored passwords badly, the attacker walks away with yours regardless of how strong it was, and the only thing limiting the damage is that the password was unique to that site. And data breaches happen all the time, so often that they don’t always receive the coverage they should in the news. Chances are, if you have a lot of accounts and haven’t changed your passwords in a while, your information is included in a breach. For example, Twitter had one earlier this year.
You can check to see if your accounts are in a known breach on the Have I Been Pwned site, recommended by a lot of reputable sources. (I have no reason to distrust the site, but I recommend checking your email and passwords in separate incognito browser sessions.) Most of the password managers also have checks in place to warn you when a password has been compromised in a breach, as well as a scanning feature to preemptively check.
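It helps to know what the password half of that check actually sends. Have I Been Pwned’s Pwned Passwords lookup uses k-anonymity: your machine hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every known hash suffix starting with those characters along with its breach count, and does the comparison locally, so the password itself never leaves your computer. The code below is an added example, not the site’s own client or code from the original post; the `RANGE_URL` endpoint and the `Add-Padding` header are the real API, but `SAMPLE_BODY` is a constructed response (one genuine suffix, made-up neighbours and counts) so the demo runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real Pwned Passwords endpoint


def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest of `password`.
    Only the 5-character prefix is ever sent to the server."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, body):
    """How many times `password` appears in the corpus, given the response body
    for its own hash prefix. 0 means the suffix was not in the response."""
    _, suffix = split_hash(password)
    return parse_range_response(body).get(suffix, 0)


def fetch_range(prefix):
    """Live lookup (needs network). Add-Padding asks the server to pad every
    response to a similar size so an observer cannot infer the prefix from
    the response length; padded entries come back with a count of 0."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6, the prefix of SHA-1("password").
# Only the middle suffix is real; the other two suffixes and all counts are made up.
SAMPLE_BODY = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9000000
0000A08A46C4E92C82C2B91C2A4F9B0D67A:0
"""

if __name__ == "__main__":
    prefix, suffix = split_hash("password")
    print(prefix, suffix)                                   # 5BAA6 1E4C9B93F3F0682250B6CF8331B7EE68FD8
    print(breach_count("password", SAMPLE_BODY))            # 9000000 in the constructed sample
    print(breach_count("c0rrect-h0rse-b4ttery", SAMPLE_BODY))  # 0: not in the sample
    # Live check, if you want one:  breach_count(pw, fetch_range(split_hash(pw)[0]))
```

Two caveats a practitioner would add: a count of 0 only means the password is not in this corpus, not that it is strong, and a password that does turn up with any count should be treated as burned even if you believe you are the only person who ever used it.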
Of course, these are the breaches that are known. It’s disturbingly common for breaches to exist for years before they’re discovered. And realistically most of us don’t have the time to stay on top of this.
Which is why 3, turning on MFA everywhere it’s available, is crucial. (Did you know that both WordPress and Twitter have this option?) MFA by itself dramatically reduces the chances of an account getting compromised, since it now requires a hacker to not only guess or acquire the password, but somehow get through the second factor. Just don’t make the mistake I did, and lean too heavily on it. 1 and 2 remain crucial.
At least while the password remains our primary method of authentication. Given all the problems with passwords, there’s a lot of interest in developing passwordless authentication mechanisms. Some services, like Uber (which also had a breach not that long ago), appear to have dispensed with passwords altogether and only support authentication through SMS. This is probably more secure, but I’m not wild about that still being the only authentication mechanism. (Phone numbers can be hijacked via SIM swapping, where an attacker talks your carrier into moving your number to their SIM.)
Anyway, I thought I’d share my experience and the painful lessons learned. I know it can seem overwhelming, but trust me, it won’t be nearly as overwhelming as dealing with a compromised account, particularly if money or your identity is involved.