Security Tip: Passwords
Use Different Passwords or a Password Manager
Over the past two months, LinkedIn, eHarmony, and LastFM have all experienced serious breaches and the passwords users set for these sites were taken by hackers. And these were just the large sites where the breaches were well publicized. Such exposures are by no means rare.
If you’re like most people, chances are you use the same password for many different sites. So if you had an account at any website that has had a password breach like those above, simply changing your password on the hacked site isn’t enough. Every other account that uses the same password is vulnerable too. Hackers know that people re-use passwords on multiple sites out of convenience and will try using your stolen password on other popular web sites, especially email and financial sites. The best thing you can do to protect your accounts is to not use the same password for all your online accounts – break things up a little. Here are some guidelines from Executive Director of Information Security Quinn Shamblin:
Have a unique, completely unrelated password for each of the different types of sites. If you do this, and that one password gets compromised, you only need to change it on other sites of that type.
- Email – Have one password to access your email and don’t use that password anywhere else. (Your email account gives bad guys a roadmap to your life, telling them where and how to attack.)
- Banking – Have one password to access your bank account. Don’t use that password anywhere else. (This is direct access to your money, so it needs strong protection.)
- Credit card sites and PayPal – You can share this password among various credit card sites, but don’t use this password for other types of sites and don’t have it be the same as your bank or email password. (While this is one layer removed from your money, credit card fraud is a huge business and very attractive to the bad guys.)
- Sites to which you have saved your credit card information (Amazon, etc).
- Social Media Sites – Have a different password for these than for your general sites (below). You don’t want a breach on a general site to put your personal information at risk. (Social sites are great avenues for the bad guys to learn about you, perhaps finding the answers to the security questions that some sites use when you reset your passwords…)
- Low-security sites – Have a generic password that you use for sites that require a password, but on which you save no personal information. (If one of these is breached, you don’t need to panic; you can change the passwords on your own time.)
Managing all those passwords can be challenging, so you should consider using an online password management tool. Such tools allow you to store and encrypt multiple passwords in the tool, but you only have to remember one password to access them. This type of utility allows you to use a different password for every site and dramatically improves your security. The passwords can be very strong, but you don’t have to remember them. The tool itself requires a password, but once you type it in and then go to a website, the tool enters that site’s password for you. So a breach of one site doesn’t jeopardize your information on other sites, since each site has a different password. Quinn recommends “stand-alone” password managers (as opposed to built-in managers offered by some Web browsers) such as KeePass, Password Safe, or 1Password, which are free for users. LastPass 1.72 Premium ($12 per year) is PCMag’s Editors’ Choice for password managers and it works across Windows, Mac, and Linux machines.
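The following is an added example, not part of the original tip: a small self-audit script that applies the category rules above to a user’s own list of accounts and shows which other accounts a breach at any one site would expose. The site names, categories, and passwords are constructed sample data.

```python
from collections import defaultdict

# Site categories from the guidelines above. True means the password for that
# category must be unique to one site; False means it may be shared within the
# category but must not be used for sites of any other category.
CATEGORY_UNIQUE = {
    "email": True,
    "banking": True,
    "credit": False,    # credit card sites and PayPal may share one password
    "shopping": False,  # sites that hold a saved card number
    "social": False,
    "low": False,       # sites holding no personal information
}

# Constructed sample data: hypothetical sites and passwords, not real accounts.
ACCOUNTS = {
    "mail.example":   {"category": "email",    "password": "Kite!River-42"},
    "bank.example":   {"category": "banking",  "password": "Oak#Lantern-77"},
    "card1.example":  {"category": "credit",   "password": "Moss^Harbor-19"},
    "card2.example":  {"category": "credit",   "password": "Moss^Harbor-19"},
    "shop.example":   {"category": "shopping", "password": "Moss^Harbor-19"},
    "social.example": {"category": "social",   "password": "Fern$Comet-88"},
    "forum.example":  {"category": "low",      "password": "Pebble-Wren-5"},
    "news.example":   {"category": "low",      "password": "Pebble-Wren-5"},
    "wiki.example":   {"category": "low",      "password": "Kite!River-42"},
}

def breach_blast_radius(accounts, breached_site):
    """Other sites that open with the password leaked from breached_site."""
    leaked = accounts[breached_site]["password"]
    return sorted(site for site, acct in accounts.items()
                  if site != breached_site and acct["password"] == leaked)

def audit(accounts):
    """Return sorted (site, reason) pairs for every guideline violation."""
    by_password = defaultdict(list)
    for site, acct in accounts.items():
        by_password[acct["password"]].append(site)
    violations = set()
    for sites in by_password.values():
        if len(sites) < 2:
            continue  # a password used on exactly one site is always fine
        categories = {accounts[s]["category"] for s in sites}
        for site in sites:
            if CATEGORY_UNIQUE[accounts[site]["category"]]:
                violations.add((site, "unique-category-password-reused"))
            elif len(categories) > 1:
                violations.add((site, "shared-across-categories"))
    return sorted(violations)
```

In the sample data the wiki reuses the email password, so a breach of that low-value site exposes the mailbox; the two credit card sites sharing a password is allowed, but extending it to the shopping site is not.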