Change Your Password… And Do So Often
It really hasn’t been a good week for passwords, has it? LinkedIn, Last.fm and eHarmony suffered security breaches that resulted in millions of passwords being compromised. Ouch!
First and foremost, before you read on, change your password if you haven’t already.
CIOs and IT admins immediately advised employees to change their LinkedIn passwords, particularly those with corporate accounts, but I wonder how many employees were also told to change other online, social and email passwords as well. I also wonder how many users who don’t read the tech press are aware of what happened, let alone took steps to change their passwords.
With the proliferation of social networking sites, both for business and personal users, many users are reusing the same password across multiple sites and services, including their webmail. Such an approach places online profiles and sensitive data at risk of theft or abuse by third parties: once one service suffers a login data breach, every other account that shares the password is open too. Users have become so comfortable with creating passwords for everything they do online that they often stop paying attention to the type of password they choose or its complexity.
In light of the password breaches this week, here are a few tips (and a reminder) to keep in mind when creating and changing passwords:
1. Change your passwords regularly
Changing passwords regularly is highly recommended, preferably at least once a month, and immediately whenever a service you use reports a breach. In an office environment it is often the case that users cannot re-use a password if it has been used once in the previous 12 months. Although this may be too much for a home user, changing your passwords every so often limits how long a stolen password remains useful to whoever stole it.
2. Do not use the same password on every site
Avoid using the same password for every single website or subscription. If you have a problem remembering all of them, write them down and keep the document in a safe place, not in everyday public view; a password manager, which keeps the list encrypted under one strong master password, is better still. Security experts do not recommend writing down passwords, but it is a better option than having one password for everything. Do not save the document on your computer in plain text with an easy filename such as ‘password list’ or stick a yellow note under your laptop with your login password (and yes, people do that).
3. When you re-use passwords, at least use a different password for your email account
Many Internet users are tempted to use the same password for all logins. As a minimum, users should have a password for their email account that is separate from all others. Your email account is the recovery channel for almost everything else: password-reset links are sent there, and many web sites and services use a person’s email address as their login username, so an intruder who controls the mailbox can reset and take over your other accounts. Passwords for your banking services – including sites such as PayPal – and sites where your credit card number is on file should also be unique. If you use the same password for many sites and one is compromised, you are most vulnerable on sites where an intruder could actually steal money or order merchandise and charge it to you.
4. Use passwords with a secure length and construction
A good password is at least eight characters long, and preferably considerably longer: length does more for strength than any single symbol. Mix letters, numbers and non-alphanumeric characters such as “&” and “%”, and avoid common names or trivial passwords such as ‘1’ or ‘abc’ – the simpler the password, the easier it is to crack. To create a secure password that is still easy to remember, consider using a phrase, with words linked by non-alphanumerics. An example would be “My%dog%spot%likes%treats.” Substituting zero for the letter “o” is a familiar trick: “My%d0g%sp0t%likes%treats.” Be aware, though, that cracking tools apply these substitutions automatically, so they add little on their own; it is the length of the phrase and the unusual joining characters that do the work. Keyboard patterns such as “zaq12wsx” or “123qweasd” look random but appear in every cracking wordlist, so do not rely on them.
5. Avoid logging into sensitive websites such as banking or PayPal over public networks
Do pay particular attention when accessing sites over public networks. Malicious operators can capture traffic on an open network in a public place and steal data such as login information, so make sure the site is served over HTTPS (the padlock in the browser) before you type a password. If you must connect to the internet on public machines or over an open Wi-Fi network, always log out and do not click ‘OK’ if asked whether you want the browser to remember your login information. Always clear the cache, browser history and temporary files when you have finished. That will remove some traces of your activity from prying eyes.
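To make tips 2, 3 and 4 concrete, here is an added example (not part of the original post) of what an attacker does with a dump like this week’s: unsalted SHA-1 hashes, offline, against a wordlist with mangling rules. All accounts, passwords and the “dump” below are constructed for the example; the wordlist is a tiny stand-in for the multi-gigabyte lists attackers actually use. It shows that leet substitutions and keyboard walks fall immediately, that a password reused on an unbreached bank account is exposed by the breach of another site, and that the long passphrase survives this pass. (It survives because this cracker tries one base word at a time; real tools also combine words, which is why length and unusual joiners, not cleverness, are what count.)

```python
import hashlib
import itertools

# --- Constructed data (not a real dump) ------------------------------------
# The user's own accounts and passwords, made up for this example.  Three
# follow the patterns warned about above (leet-substituted word, keyboard
# walk, word plus year) and one is a long passphrase.  The LinkedIn password
# is reused on the bank account.
USER_ACCOUNTS = {
    "linkedin": "P4ssw0rd",
    "bank": "P4ssw0rd",                      # reused from LinkedIn
    "lastfm": "zaq12wsx",
    "eharmony": "summer2012",
    "webmail": "My%d0g%sp0t%likes%treats",
}

# What an attacker obtains from breaches of four of those sites: unsalted
# SHA-1 hashes, the format the 2012 LinkedIn dump was in.  The bank was not
# breached.  Keyed by digest so lookups during cracking are O(1).
BREACHED_SITES = ("linkedin", "lastfm", "eharmony", "webmail")
LEAKED_HASHES = {
    hashlib.sha1(USER_ACCOUNTS[site].encode()).hexdigest(): site
    for site in BREACHED_SITES
}

# Tiny constructed stand-ins for a real wordlist and rule set.
WORDLIST = ["password", "summer", "welcome", "dog", "treats"]
KEYBOARD_WALKS = ["qwerty", "zaq12wsx", "123qweasd", "1q2w3e4r"]
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "$5"}
SUFFIXES = ["", "1", "12", "123", "!"] + [str(y) for y in range(2000, 2013)]


def leet_variants(word):
    """Every spelling of `word` with zero or more characters leet-substituted."""
    choices = [c + LEET.get(c, "") for c in word]
    return ("".join(combo) for combo in itertools.product(*choices))


def candidates(wordlist):
    """Mangle each base word the way cracking rules do: case, leet, suffixes."""
    for base in wordlist:
        for cased in (base, base.capitalize(), base.upper()):
            for variant in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield variant + suffix
    # Keyboard patterns are not mangled: they are tried verbatim from a list.
    for walk in KEYBOARD_WALKS:
        yield walk


def crack(leaked_hashes, wordlist):
    """Return {site: password} for every leaked hash some candidate matches."""
    found = {}
    for guess in candidates(wordlist):
        digest = hashlib.sha1(guess.encode()).hexdigest()
        site = leaked_hashes.get(digest)
        if site and site not in found:
            found[site] = guess
    return found


def exposed_accounts(cracked, accounts):
    """Accounts, breached or not, whose password the attacker now knows."""
    known = set(cracked.values())
    return sorted(site for site, pw in accounts.items() if pw in known)


if __name__ == "__main__":
    cracked = crack(LEAKED_HASHES, WORDLIST)
    print("cracked from the dump:", cracked)
    print("still uncracked:", sorted(set(BREACHED_SITES) - set(cracked)))
    print("accounts the attacker can log into:",
          exposed_accounts(cracked, USER_ACCOUNTS))
```

Run it and the bank account appears in the final list even though the bank was never breached; that is the whole argument for tip 2. Swap the webmail passphrase for “Christmas2012” and it falls in the same pass, which is why tip 4 is about length rather than substitutions.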
Relying on this advice alone will not guarantee full protection against a data theft or hacking attack, but in conjunction with general best practice will help to reduce risk considerably. Remember, you should generally only access websites, software and services you trust, and should also ensure the computer you access from is as secure as possible by installing all critical software patches, using a firewall and running up-to-date antivirus software.
Oh the pain! I hate changing several of my passwords. I end up having to reset my passwords because I don’t remember my new passwords. And who can remember every password for multiple sites? I bank with five banks, have a PayPal account, am signed up with all popular media sites (LinkedIn included) and have two corporate email accounts and three other personal ones.
But, I need to do it. And so does everybody else.
If you have a different password for every site, then you only have to worry about one at a time in case of compromise. Now obviously for some of us, that’s asking you to remember dozens of passwords, which may not exactly be ideal. The suggestion of keeping at least the email and banking passwords unique is a great start, but any site that holds sensitive identification or financial content should have a unique password as well. Depending on how thoroughly you fill out profiles, this should be extended to social networks.
I know how it feels, Samantha. I got this tip from an article somewhere or from a comment on this blog. I really can’t quite remember where nor can I remember exactly how it was phrased. But, it went something like use a password that is relevant to the site but is still difficult to decipher by others.
It is much like putting a password on a social media site like “whereIm33tfri3nds”. It is long enough and has diverse characters, and yet it is highly improbable for most people to get it. Same with bank accounts, too. I’m sure you have a purpose for each bank account and you can come up with at least two words that are relevant to that purpose for you to use as a password. Makes sense?
Passwords
- my advice: never fewer than 8 characters, preferably 10 or more.
- one or more upper case characters / special characters
- two or more numerics
- use a memorable word or phrase, e.g. Christmas, and enter it as Chr1$tm4$ where i = 1, s = $, a = 4
I’m not sure if it’s prudent to do this but this technique has worked for me. I have two words and four number combinations that I just kind of rotate from time to time in all of my accounts. It’s easier for me that way.
It works like this. An example of two words are happy and beautiful. Of course, those words should hold meaning to you so you’ll remember them. The number combinations could be (as an example): 6578, 31011, 75849, 2094. Those numbers should hold meaning to you, as well. Just don’t choose birthdays. A combination of birthdays or anniversaries would be better. You can rotate your passwords like this:
word1#combi1, word1#combi2, etc.
word2#combi1, word2#combi2
You have a big list of combinations you can choose from. See what I mean?