Tech Times

Summer 2012

Security Tip: Passwords

Use Different Passwords or a Password Manager

Over the past two months, LinkedIn, eHarmony, and LastFM have all experienced serious breaches and the passwords users set for these sites were taken by hackers. And these were just the large sites where the breaches were well publicized. Such exposures are by no means rare.

If you’re like most people, chances are you use the same password for many different sites. So if you had an account at any website that has had a password breach like those above, simply changing your password on the hacked site isn’t enough. Every other account that uses the same password is vulnerable too. Hackers know that people re-use passwords on multiple sites out of convenience and will try using your stolen password on other popular web sites, especially email and financial sites. The best thing you can do to protect your accounts is to not use the same password for all your online accounts – break things up a little. Here are some guidelines from Executive Director of Information Security Quinn Shamblin:

Have a unique, completely unrelated password for each of the different types of sites. If you do this, and that one password gets compromised, you only need to change it on other sites of that type.

  • Email – Have one password to access your email and don’t use that password anywhere else. (Your email account gives bad guys a roadmap to your life, telling them where and how to attack.)
  • Banking – Have one password to access your bank account. Don’t use that password anywhere else. (This is direct access to your money, so it needs strong protection.)
  • Credit card sites and PayPal – You can share this password among various credit card sites, but don’t use this password for other types of sites and don’t have it be the same as your bank or email password. (While this is one layer removed from your money, credit card fraud is a huge business and very attractive to the bad guys.)
  • Sites to which you have saved your credit card information (Amazon, etc.).
  • Social Media Sites – Have a different password for these than for your general sites (below). You don’t want a breach on a general site to put your personal information at risk. (Social sites are great avenues for the bad guys to learn about you, perhaps finding the answers to the security questions that some sites use when you reset your passwords…)
  • Low-security sites – Have a generic password that you use for sites that require a password, but on which you save no personal information. (If one of these is breached, you don’t need to panic; you can change the passwords on your own time.)

Managing all those passwords can be challenging, so you should consider using an online password management tool. Such tools allow you to store and encrypt multiple passwords in the tool, but you only have to remember one password to access them. This type of utility allows you to use a different password for every site and dramatically improves your security. The passwords can be very strong, but you don’t have to remember them. The tool itself requires a password, but once you type it in and then go to a website, the tool enters that site’s password for you. So a breach of one site doesn’t jeopardize your information on other sites, since each site has a different password. Quinn recommends “stand-alone” password managers (as opposed to built-in managers offered by some Web browsers) such as KeePass, Password Safe, or 1Password, which are free for users. LastPass 1.72 Premium ($12 per year) is PCMag’s Editors’ Choice for password managers and it works across Windows, Mac, and Linux machines.
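Added example (not code from the original article) that turns the tier guidance above into a check over a small, constructed account inventory: it reports which other accounts a breached site’s password exposes, flags passwords shared across tiers or reused in the single-account email and banking tiers, and generates a fresh random password per site the way a password manager would. The site names, tier labels and passwords are constructed placeholders.

```python
import secrets
import string
from collections import defaultdict

# Tiers from the guidance above. A password may be shared only inside its own
# tier, and the email and banking tiers each hold exactly one password.
SINGLE_USE_TIERS = {"email", "banking"}

# Constructed sample inventory: (site, tier, password). All values are dummies.
SAMPLE_ACCOUNTS = [
    ("mail.example", "email", "Sunrise!42"),
    ("bank.example", "banking", "Sunrise!42"),   # reused with email: violation
    ("cards.example", "cards", "Cardz#7"),
    ("paypal.example", "cards", "Cardz#7"),      # shared within one tier: allowed
    ("social.example", "social", "Cardz#7"),     # crosses into another tier: violation
    ("forum.example", "low", "password1"),
    ("recipes.example", "low", "password1"),     # generic low-security password: allowed
]


def blast_radius(accounts, breached_site):
    """Other sites whose login works with the breached site's password."""
    pw = next(p for site, _, p in accounts if site == breached_site)
    return sorted(site for site, _, p in accounts if p == pw and site != breached_site)


def violations(accounts):
    """Groups of sites that share a password across tiers, or that share
    a password at all within the single-use email/banking tiers."""
    by_pw = defaultdict(list)
    for site, tier, pw in accounts:
        by_pw[pw].append((site, tier))
    bad = []
    for users in by_pw.values():
        tiers = {tier for _, tier in users}
        if len(tiers) > 1 or (len(users) > 1 and tiers & SINGLE_USE_TIERS):
            bad.append(sorted(site for site, _ in users))
    return sorted(bad)


def new_password(length=20):
    """A random, unique-per-site password drawn from the OS CSPRNG,
    i.e. the kind of password a manager stores so you never have to recall it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```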