Earlier today we learned that yet another large trade of user data was made in Russia's criminal underworld. According to the original report from Reuters, over 270 million unique email addresses and passwords were being given away, many of them logins for email services such as Google, Yahoo, and Microsoft.
We cannot yet be sure whether this data is new or recycled from past breaches, but the thought alone of passwords leaked from major email accounts triggered quite a bit of chatter from sites around the web like Gizmodo. Add to that, May 5th is #PasswordDay, and the twitterverse is abuzz with chatter about changing passwords and becoming more cyber secure. You can join the Twitter live chat using #chatstc or tweet @seedspark your own #PasswordDay tips and tricks. For now, though, let's get into why the password for your email account is so important, why you should change it regularly, and how you can remember to do so!
- Why are passwords for email accounts most important?
- Why should you change passwords?
- How can I remember to change my passwords?
- What makes a good password?
1. Why are passwords for email accounts most important?
Quite simply, all your password reset links are sent to your email account. Additionally, sensitive information like billing statements and medical records is now delivered by email rather than by the USPS. Imagine you handed me your Gmail password right now: how long would it take me to reset my way into your bank logins? How about your social media accounts? Because email serves as the hub of digital activity for most people, we recommend changing this password every 90 days and turning on multi-factor authentication wherever it is offered. Multi-factor authentication can mean several things, but in most email settings the user experience is that a login attempt from an unrecognized browser prompts for a security code texted to your cell phone before it can go any further. If your provider offers an authenticator app or a hardware security key instead of a text message, prefer it; SMS codes can be intercepted or redirected by someone who takes over your phone number.
2. Why should you change passwords?
There are several reasons why password rotation matters. First, given the number of accounts you likely have by now, it's not a matter of if your information will be caught up in a breach, but when. Attackers don't always get away with the important stuff, and large companies run impressive intrusion detection programs, but you should nonetheless assume you are under attack. Attackers who are not nation-state sponsored and not activists (Anonymous, for example) usually do this to make money. Once they have the data, it is likely to be sold to another party or posted to a site in exchange for payment. That data is only worth as much as the number of username and password pairs in it that still work. You can exclude yourself from being a victim of any breach that happened before your last password rotation, provided the old password was not reused on other accounts, because attackers will try every leaked pair against other popular sites. So, even though Sony's PlayStation Network was breached several years ago, if you have since updated your gaming and media credentials you have essentially scrubbed yourself from the old list. Change your passwords every 90 days!
3. How can I remember to change passwords?
I get it: you have 100+ accounts across social, email, banking, work, home care professionals, media viewers, etc. So how can you remember to change them? There are two primary ways.
First, set a calendar event for yourself that repeats quarterly and lists your current accounts. This is like spring cleaning: it won't be enjoyable, but it's better than spending thousands of dollars trying to recover your identity after someone has sold it to a fraudster who is opening accounts and claiming benefits in your name.
Second, you may elect to use a password vault that generates a unique password for each site and reminds you to change them regularly. Here are a few you can try:
- LastPass
- Dashlane
4. What makes a good password?
To understand what makes a good password, it helps to understand the easiest ways for an attacker to get into an account.
The easiest method of attack is guessing from personal information, which usually rides on social engineering: the attacker learns about you from your social profiles, by talking to you on the phone, or by watching you in a store, and then tries passwords built from what they found. Your kids' names on the back of your Suburban with your family last name on the license plate? Yeah, you had better not use those kids' initials to log in to your bank account, sister. Your birthday on Facebook today? I hope you didn't use your three initials and your birthday as the password to your email. Was your wedding day in the newspaper? Hope your anniversary isn't the key to your digital kingdom. The lesson here: don't use personal info that is readily available in public as a private password, even in shorthand.
The second easiest method is what is called brute force. Attackers have tools that guess passwords over and over until they hit the right one, and when they hold a leaked database of password hashes they can do this offline at millions of guesses per second or more. The longer the password, the less likely brute force can work, because every extra character multiplies the number of possible combinations by the size of the character set, so the search grows exponentially with length. Mixing letters, numbers, and special characters enlarges that character set, though in practice length buys you far more than variety. Real cracking tools also don't start with random combinations: they start with dictionaries of common words and previously leaked passwords, then apply rules like capitalizing the first letter, swapping a for 4 or o for 0, and tacking a year or "123" on the end, so a short dictionary word with those tweaks falls almost instantly.
Here are some pointers:
- Go for 14 characters or more
- Try a passphrase instead of a password. Instead of "67Ford!" try "iL0VEmy674RD" or instead of "Beach1234" try "imisstheB3@CHinWinter". The strength comes from the length and the unusual word combination, not from the letter-for-number swaps, which cracking rule sets already know.
- Vary between letters, numbers, and special characters
- Use a different password for every account, so one leak can't be replayed against the rest
- Change the password every 90 days
- Don't write your password down on paper that hangs around your desk or could be left behind at an airport!
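To make the length-versus-variety point concrete, here is an added example (not code from the original post) that computes the search space an exhaustive attacker faces and runs a toy dictionary-plus-rules guesser over a tiny constructed wordlist. The guess rate, the wordlist, and the mangling rules are assumptions chosen for illustration; real tools ship with millions of words and thousands of rules.

```python
import math
import string

# Character-set sizes an exhaustive (true brute-force) attacker must cover.
CHARSET_SIZES = {
    "digits": len(string.digits),                                                   # 10
    "lowercase": len(string.ascii_lowercase),                                       # 26
    "letters+digits": len(string.ascii_letters + string.digits),                    # 62
    "letters+digits+symbols": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}

# Assumed offline guess rate against a fast hash; illustration only, not a measurement.
ASSUMED_GUESSES_PER_SECOND = 10_000_000_000


def keyspace(length, alphabet_size):
    """Number of distinct passwords of exactly `length` over `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(length, alphabet_size, rate=ASSUMED_GUESSES_PER_SECOND):
    """On average the right password turns up after half the keyspace is tried."""
    return keyspace(length, alphabet_size) / 2 / rate


# --- toy dictionary attack with mangling rules -------------------------------

# Constructed wordlist; real lists hold millions of words and leaked passwords.
WORDLIST = ["password", "beach", "ford", "summer", "winter"]
LEET = str.maketrans("aeios", "43105")             # a->4, e->3, i->1, o->0, s->5
PREFIXES = [""] + [f"{n:02d}" for n in range(100)]  # "", "00" .. "99"
SUFFIXES = ["", "1", "123", "1234", "!", "2016"]


def variants(word):
    """Yield the common transformations cracking rules apply to a base word,
    in a fixed order so guess counts are reproducible."""
    w = word.lower()
    bases = []
    for b in (w, w.capitalize(), w.upper(), w.translate(LEET)):
        if b not in bases:
            bases.append(b)
    for b in bases:
        for p in PREFIXES:
            for s in SUFFIXES:
                yield p + b + s


def dictionary_attack(target, wordlist=WORDLIST):
    """Return how many guesses it took to hit `target`, or None if the rules never produce it."""
    guesses = 0
    for word in wordlist:
        for candidate in variants(word):
            guesses += 1
            if candidate == target:
                return guesses
    return None


if __name__ == "__main__":
    for label, size in CHARSET_SIZES.items():
        for length in (8, 14):
            print(f"{length:2d} chars of {label:22s}: "
                  f"{entropy_bits(length, size):5.1f} bits, "
                  f"~{expected_crack_seconds(length, size) / 86400:.3g} days at the assumed rate")
    for pw in ("67Ford!", "Beach1234", "imisstheB3@CHinWinter"):
        print(f"{pw!r}: dictionary attack -> {dictionary_attack(pw)} guesses")
```

Two things stand out when you run it. At the assumed rate, 8 characters drawn from the full 94-symbol set (about 52 bits) exhaust in a few days, while 14 lowercase letters (about 66 bits) take on the order of a century, so the extra length beats the extra symbols. And the two "before" passwords from the list above, "Beach1234" and "67Ford!", fall to a five-word dictionary with a handful of rules in a few thousand guesses, a fraction of a second offline, whereas the passphrase "imisstheB3@CHinWinter" is never produced by those rules at all.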