How much of your personal and professional life is managed through online accounts? A lot, right?
If you’re like me, you like to spend time binge-watching shows on Netflix or Hulu, do online banking, online shopping, and stay in contact with distant friends and family through e-mail and maybe a social media account or two. With all these usernames and passwords to keep track of, it’s super convenient and easy to use one or two passwords across all your online accounts. But this practice is dangerous and could very well wind up being the end to your online privacy, individuality, and financial security.
In this short blog post, I will highlight some of the dangers of reusing your passwords across your accounts and what you can do to make yourself more secure in an increasingly spooky world.
As a security consultant, my job is to assess the security processes and controls of computer networks inside organizations through vulnerability assessments and penetration tests. Part of my day-to-day is spent trying to gain authorized access to accounts and services, most often in the form of guessing passwords.
You may be surprised at how easy it is to guess passwords when considering the hometown of a user, their birth year, or their favorite sports team. The reality is, it’s simply not enough to change the numbers at the end, the season, your favorite four digit number, or substitute letters for special characters.
Reusing similar passwords across multiple accounts often results in data breaches and account takeovers. In the information security industry, this is known as credential stuffing.
Credential stuffing is an attack where computer hackers will scour data breaches for usernames, e-mail addresses, and passwords, and then use that breached data to gain unauthorized access to your accounts.
You need to do more, and I’m here to tell you what you can do.
If you are feeling curious, visit haveibeenpwned.com (it’s safe, I promise) and enter your e-mail address. This website will let you know if your accounts have been exposed during a public data breach. This site also has a notify section that lets you monitor your e-mail address. If your e-mail address later turns up in a data breach down the road, you’ll be notified, and you should promptly generate another strong password.
To stop the dangers of password reuse, a nifty piece of software called a password manager can help.
Simply put, a password manager is exactly as it sounds, a manager for your passwords. The idea is to create a virtual vault where you store all of your passwords and sensitive data. Access to that vault is granted only by entering a very strong, unique, and memorable master password.
Now you might be wondering: isn’t using a password manager sort of like putting all your candy in one pillowcase? After all, like candy, passwords are precious. If you’re like me, I treat my passwords like I enjoy my candy bars, all to myself and each bite more delicious and unique than the last.
Here are two excellent reasons why using a password manager is much safer and helps protect your online accounts and digital life:
In popular password managers like LastPass, Keypass, or 1Password, incredibly strong and unique passwords are generated for you. This not only protects your accounts from hackers trying to guess your password, but also from data breaches.
Remember, hackers don’t always need to steal your passwords from you. They can locate or generate passwords themselves and use your password against you or somewhere else you’ve used it.
“All your candy in one pillowcase” is actually a self-imposed fallacy! In addition to using a password manager, you should also use two-factor authentication (2FA) for sensitive accounts and services like your corporate passwords, online bank accounts, primary e-mail, and social media accounts. 2FA is a way to provide additional verification for devices and accounts you treasure.
For example, when I log into my online bank account, I enter my username and password, after which I receive a text message with a 6-digit PIN from my bank. I then use that PIN as my secondary password to get access to my bank account. So even if a hacker somehow gets access to your password, they would not have access to the second form of authentication! 2FA can take different forms too, such as a text message, a hardware security token, or your second password can be generated with secure software.
Just as you wouldn’t relinquish all your Reese’s Cups or Snickers bars to a single trick-or-treater, you shouldn’t reuse all your passwords on a single website or online account. Employing the time-tested and bellyache preventive measures of ensuring that each trick-or-treater is only allowed one candy bar per unique costume, a password manager ensures that you only employ one unique password per online account.
If I haven’t convinced you to stop reusing passwords and instead using a password manager and enable 2FA where possible, the following articles may nudge you in the right direction: