In light of this week's breaking news story about a massive security breach in which more than a billion (eek) passwords from close to a half-million websites are now in the hands of a Russian hacker ring, it's time for a refresher on how to make strong passwords.
We covered 5 simple tips for making strong passwords a couple of years back during the big Zappos security breach, the one that now looks like a little "oopsie" compared with this one.
They bear repeating, so here they are:
1. Change your passwords. Now.
As for which passwords to change? Let's go ahead and say all of them. Think banks, online retailers, financial services, email, utilities, cloud services and social networks, plus any site that has your card or bank details saved. Evidently the hackers didn't discriminate between big and little sites, so the compromised one could be some indie retailer where you created an account two years ago and forgot about it. That's the thing that got me spending a couple of hours making changes yesterday.
2. Familiar words = good for life, bad for passwords
It used to be that people would create passwords using familiar words like their kids' names, pet names, or a husband's birthday, which is almost like handing over your information to a hacker wrapped up in a bow: those details are sitting on your Facebook page, and password-cracking tools try them first. A completely random string of letters, numbers and symbols is actually the hardest kind of password to crack, provided it's long enough (think 12 characters or more); the catch is that it's also the hardest kind to remember, which is why the next method exists.
The best tried-and-true method for a strong password is to string together several common words that only have meaning to you, like your favorite ice cream flavor, college nickname and favorite shoe designer put together. Four or five words is the sweet spot: every extra word makes the password many times harder to guess, and the words don't need to be exotic to count, as long as none of them is something you've posted about online. Alternatively, think of a sentence that you can remember and use the first letter of each of its words. Then add in a number that you'll remember and get a capital letter in there too, and ideally a character like !#$%& (though different sites allow different characters to be used). This makes your passwords tough to crack and hopefully easy to recall, which is the perfect combination for those of us with mom brain.
And while I'm always the first to complain about small websites that won't allow you to create a password they deem "weak," I'd like to add that they're doing it for your own good. And theirs. If you enter a password that's not hitting the "strong" requirements, go back and rework it until that thing is green as a shamrock.
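For readers who want to see the two methods from tip 2 spelled out, here is a small added example (it is not part of the original post and not from any password product mentioned here). It builds a random "string of common words" from a word list, shows the first-letter-of-a-sentence trick, estimates how much guessing work each word adds, and applies the kind of "strong" check a site meter runs. The word list is constructed for this example and is deliberately tiny; a real generator would draw from a list of several thousand words.

```python
import math
import secrets
import string

# Constructed word list for this example only (32 words). A real
# generator should draw from a list of several thousand common words;
# the entropy figures below scale with the list size, not the words.
WORDS = (
    "apple banana carrot dolphin engine falcon garden hammer island jacket "
    "kettle lantern marble needle orange pepper quartz rocket saddle tunnel "
    "umbrella velvet walnut yogurt zipper anchor bridge candle desert ember "
    "forest glacier"
).split()


def random_passphrase(n_words=5, words=WORDS, sep="-"):
    """Tip 2, method one: a string of unrelated common words.

    Each word is picked with the OS cryptographic random source
    (secrets), never with random.choice, so the words are unrelated to
    you and to each other and an attacker cannot reproduce the draw.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, list_size):
    """Guessing work for an attacker who knows the list and the method.

    Each word adds log2(list_size) bits; 5 words from a 7776-word list
    is ~64.6 bits, far beyond what a cracking rig can enumerate.
    The words being "common" costs nothing; only list size and word
    count matter.
    """
    return n_words * math.log2(list_size)


def sentence_initials(sentence, number, symbol="!"):
    """Tip 2, method two: first letter of each word of a sentence you can
    remember, one capital, a number you'll recall, and a symbol.
    The number and symbol mostly exist to satisfy site meters; the
    strength comes from the sentence being long and private.
    """
    initials = "".join(word[0] for word in sentence.split())
    return initials[:1].upper() + initials[1:] + str(number) + symbol


def meets_policy(password, min_length=12):
    """A minimal version of the "strong" check site meters apply:
    a length floor plus at least three of the four character classes.
    Note this measures composition, not guessability (see usage note).
    """
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


if __name__ == "__main__":
    phrase = random_passphrase()
    print(phrase, f"(~{passphrase_entropy_bits(5, len(WORDS)):.0f} bits from this tiny list,"
                  f" ~{passphrase_entropy_bits(5, 7776):.0f} bits from a 7776-word list)")
    print("meets site policy:", meets_policy(phrase))
    pw = sentence_initials("my daughter ate three scoops of mint chip", 2014)
    print(pw, "meets site policy:", meets_policy(pw))
```

One thing the demo makes visible: the random five-word phrase fails `meets_policy` because it is all lowercase, even though it is far harder to guess than the initials-based password that passes. Site meters score composition, not guessability, which is exactly why the post says to add a capital, a number and a symbol; doing so to a long phrase adds little strength but keeps the meter happy.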
3. Use different passwords for different sites
Experts recommend using a different password everywhere, because when one site is breached (and this week it was hundreds of thousands of them), the first thing the hackers do is try that same email and password at every other site. Realistically, we know that's a hassle. Especially for those of us with mommy brain.
Easier might be to use one set of passwords with variations (see below) for the retail sites you frequent, and a totally different set of passwords, sharing nothing with the first, for financial institutions like credit cards, banks, and investment accounts, and for the email account that can reset all the others. Those are the places you really don't want someone getting access.
4. Use variations on a theme
Some people do manage to have 100 totally different passwords for every single website that requires them, especially if they're using a password manager that generates them. For the rest of us, a common trick is to come up with variations on the theme: change up the order of the words or numbers for different sites. Perhaps your Zappos password is like your Facebook password, but one ends with a Z and the other with an F, Amazon ends with an A, and so on. Know the trade-off, though: anyone who gets your Zappos password from a breach can guess the Facebook one in a handful of tries, so save this trick for accounts you could stand to lose, and give your email and financial accounts passwords that have nothing in common with the rest.
5. Write it down somewhere safe
Keep track of all your passwords somewhere you can always get at, so that if your accounts are compromised (and after a breach like the one today, assume they are) it's simple to go down the list and make changes where you need to. A protected cloud site or a Google doc is convenient, but remember that a list like that is only as safe as the account it lives in: give that account a password that appears nowhere else, and don't store that one in the doc. Even better: Record them manually somewhere safe, like a Password Log Book or your own binder or journal. We've yet to hear of hackers making their way into the sketchbook in your desk drawer.
If you need more help keeping track of all these crazy letter-number-character combos that aren't supposed to read like English (or Russian, for that matter), we've recommended the Cozi Vault app, a user-friendly, simple service that can store your existing passwords or automatically generate a highly secure one that's different for each site. Set it to lock immediately after use and your encrypted info is as good as locked in a real vault.
I've also heard absolutely fantastic things about the award-winning 1Password app for your desktop, iOS device, or Android phone. They've got a ton of smart features, including a new service that can alert you to possible security breaches before the media does. I think after this week's news, I'm going to invest in it.
This is not an issue that's going away; the Heartbleed bug was only a few months ago, the Target credit card breach a few months before that, and now...this. Since I don't think any of us are going to wean off our online shopping habits, cut up our credit cards, or ditch our PayPal accounts any time soon, the least we can do to protect ourselves is to stop using passwords like PASSWORD. You with me?
Before you panic: so far, reports say the hackers are using the passwords to send spam, not to break into financial accounts.