How to keep your passwords safe and secure – The Washington Post

Setting hard-to-guess passwords and then remembering them later isn’t easy, and even the best of us mess up.
SolarWinds, which builds IT management software for customers including the U.S. Department of Defense, blamed an intern after a critical company password was leaked online. The password was “solarwinds123.”
Good password habits are like any good habit: easier said than done. Unfortunately, the stakes are getting higher as security disasters get bigger and more frequent. Giant breaches at T-Mobile, web host GoDaddy, trivia game DailyQuiz.me and gas provider Colonial Pipeline happened just this year. More apps, more accounts and more passwords create more opportunities for theft. Meanwhile, human nature stays the same: “123456” is the most-used password in the world.
“You have to laugh to keep from crying,” said JD Sherman, CEO of password manager company Dashlane.
In that spirit, Dashlane released a roundup of 2021’s worst password catastrophes. Facebook made the list for a breach that exposed the phone numbers, birth dates, email addresses and locations of 533 million people. So did Netflix, LinkedIn and bitcoin for their association with an online data dump that included more than 3 billion email-password combinations, which could represent 70 percent of global Internet users.
Once your password is part of a breach, hackers take the leaked email-and-password pair and try it on other sites and services to unlock more accounts, an attack known as credential stuffing. Reusing passwords or going with daredevil options like “solarwinds123” makes you, and often your workplace, more vulnerable. But that doesn’t mean all this password drama is deserved.
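Defenders can see a credential-stuffing run in their login logs, because it looks nothing like one person mistyping a password: a single source tries many different usernames at machine speed and mostly fails. The script below is an added example written for this page, not code from The Washington Post, Dashlane or Tessian. It runs over a few log lines constructed for the example, in a made-up format (timestamp, source IP, username, result), flags sources that fit that pattern, and lists the accounts where the reused password actually worked, since those are the ones that need a forced reset.

```javascript
// Added example: spotting a credential-stuffing run in login logs.
// The log lines are constructed for this example, in a made-up format:
//   <ISO timestamp> <source IP> <username> <OK|FAIL>
const SAMPLE_AUTH_LOG = `
2021-11-08T10:00:01Z 203.0.113.7 alice@example.com FAIL
2021-11-08T10:00:01Z 203.0.113.7 bob@example.com FAIL
2021-11-08T10:00:02Z 203.0.113.7 carol@example.com OK
2021-11-08T10:00:02Z 203.0.113.7 dave@example.com FAIL
2021-11-08T10:00:03Z 203.0.113.7 erin@example.com FAIL
2021-11-08T10:00:03Z 203.0.113.7 frank@example.com FAIL
2021-11-08T10:00:04Z 203.0.113.7 grace@example.com FAIL
2021-11-08T10:00:04Z 203.0.113.7 heidi@example.com FAIL
2021-11-08T10:00:05Z 203.0.113.7 ivan@example.com OK
2021-11-08T10:00:05Z 203.0.113.7 judy@example.com FAIL
2021-11-08T10:00:11Z 198.51.100.4 alice@example.com FAIL
2021-11-08T10:00:25Z 198.51.100.4 alice@example.com FAIL
2021-11-08T10:00:40Z 198.51.100.4 alice@example.com OK
2021-11-08T10:02:00Z 192.0.2.9 mallory@example.com OK
`;

function parseAuthLog(text) {
  return text
    .split('\n')
    .map((l) => l.trim())
    .filter(Boolean)
    .map((line) => {
      const [ts, ip, user, result] = line.split(/\s+/);
      return { time: Date.parse(ts) / 1000, ip, user, ok: result === 'OK' };
    });
}

// Flag a source IP when, inside some window of `windowSec` seconds, it tried at
// least `minUsers` distinct usernames and at least `minFailRate` of those
// attempts failed. A stuffing run replays leaked user:password pairs, so most
// attempts fail; the few that succeed are reused passwords, and those accounts
// are the ones to reset. A lone user failing a few times then succeeding (the
// 198.51.100.4 lines above) is a forgotten password, not an attack.
function findStuffingSources(logText, { windowSec = 60, minUsers = 5, minFailRate = 0.5 } = {}) {
  const byIp = new Map();
  for (const e of parseAuthLog(logText)) {
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.time - b.time);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // Slide the window start forward until the window fits in windowSec.
      while (events[end].time - events[start].time > windowSec) start++;
      const win = events.slice(start, end + 1);
      const users = new Set(win.map((e) => e.user));
      const failures = win.filter((e) => !e.ok).length;
      if (users.size >= minUsers && failures / win.length >= minFailRate &&
          (!best || win.length > best.attempts)) {
        best = {
          ip,
          attempts: win.length,
          distinctUsers: users.size,
          failures,
          compromisedUsers: win.filter((e) => e.ok).map((e) => e.user),
        };
      }
    }
    if (best) findings.push(best);
  }
  return findings;
}

console.log(JSON.stringify(findStuffingSources(SAMPLE_AUTH_LOG), null, 2));
```

The thresholds are starting points, not magic numbers; tune them against a day of your own logs, and remember that a patient attacker spreads attempts across many source addresses, so the same count should also be kept per username and per user-agent.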
“We have too many passwords today as a consumer,” said Josh Yavor, chief information security officer at cybersecurity company Tessian. “If you think about all the different things you have to log in to, the number is just way too high for anyone to be able to keep track of all the different passwords and do the right thing every single time.”
Data from Dashlane shows the average person online has more than 200 accounts that require passwords.
The password fatigue is real, but don’t let it stop you from making some small changes to protect your accounts, your wallet and your identity. Here are six easy things to do today:
During his days as a penetration tester helping companies find and eliminate paths hackers could use to break in, Yavor once gained access to 20,000 corporate accounts in less than an hour simply by plugging in the default password the accounts came with, he said.
If you take only one step to better protect your accounts, make it this: Retire that trusty old “qwerty” password and reset any defaults.
Reusing passwords across accounts makes all of them less safe. For instance, if you use the same password for Netflix and Chase Mobile, a data breach at Netflix could put your bank account at risk.
Passwords shouldn’t draw on details from your life. You may think that no one could guess your child’s or pet’s name, when all it takes is a quick visit to Instagram or LinkedIn to figure it out.
When coming up with on-the-fly passwords, people’s minds tend to gravitate toward the same themes. Tessian found that 21 percent of people use predictable cues like their favorite football teams or birthdays. A survey by Microsoft indicated 15 percent of people use pets’ names. That’s why it’s better to avoid passwords with any real significance. Make them long (think longer than 12 characters) and random. Length does more for you than sprinkling in symbols: every extra character multiplies the number of guesses an attacker has to make, so a string of several unrelated random words is both stronger and easier to remember than a short jumble of punctuation. Ninety-six percent of password-related cyberattacks involve passwords with fewer than 10 characters, and 76 percent involve passwords with fewer than six, according to Microsoft.
“But why would anyone care to spend time guessing my password?” you might be asking. Even if you think you’re not high profile enough to be the target of a cyberattack, don’t let that little-old-me syndrome keep you cycling through insecure passwords. Hackers spend time trolling for easy targets, and some make use of automated password-guessing in what Yavor calls a “spray and pray” approach: trying a handful of the most common passwords against a huge list of accounts, rather than many guesses against one.
Coming up with passwords is like leaving your car in a mall parking lot, Sherman noted. Most thieves are just hunting for unlocked doors and rolled-down windows.
An exposed password may provide the kick in the pants you need to clean up your password act.
Apple notifies you if one of your saved passwords has appeared in a breach. On an iPhone, go to Settings -> Passwords -> Security Recommendations and change any passwords that are putting you at risk. For passwords you’ve allowed Google to save, go to passwords.google.com -> Go to password checkup -> check passwords. (Note: It’s easy to leave yourself logged into Google on someone else’s computer, so I’d recommend a different method of storing passwords.)
Password managers — applications that generate, save and automatically fill in unique, hard-to-guess passwords — can alert you to compromised passwords, too. And speaking of password managers …
A password manager will solve a bunch of your password security problems in one swoop.
Just add the manager app — we’ve recommended Dashlane, 1Password and LastPass — to your mobile device, or sign up on its website. The tool will start saving the passwords you use to log in, generating hard-to-guess passwords when you sign up for new sites and automatically inserting your passwords into log-in forms. You can even have it save your name, address and credit card info for faster sign-ups and checkouts.
As far as setup, you’ve got a choice: Either turn on your favorite album and spend a few hours inputting the passwords to the sites you visit most often, or just start going about your business and auto-save passwords as you use them.
In a saner world, everyone would have just three passwords to keep track of, Tessian’s Yavor said: your phone, email and password manager. Memorize those passwords to keep them safe, and choose a manager with a zero-knowledge architecture: the vault is encrypted on your own device with a key derived from your master password, so the company cannot read the very information it stores. The flip side is that it cannot recover your vault if you forget the master password either, so keep whatever recovery kit the manager gives you somewhere safe.
We’re all familiar with the sacred password notebook sitting next to the desktop computer. There’s also the password safe, the password Google doc, the password saved email draft and my mom’s favorite: the password list in the smartphone notes app.
If you opt to store your passwords yourself rather than using a manager, there’s no real winning, Yavor said. You can avoid digital theft by writing passwords in an analog notebook or slip of paper, but then that list is liable to be lost, stolen or — in his case — eaten by golden retrievers.
Of course, you can keep your passwords safe from canines and other acts of God by storing them somewhere digital. But then you’re opening yourself up to potential cyber theft.
Whatever you choose, know what risks you’re taking, and give a password manager some serious thought.
Two-factor authentication means a person has to prove their identity in two different ways before gaining access to an account: typically something you know (the password) plus something you have (your phone). By enabling two-factor, you stop hackers who have gotten their hands on only your username and password.
Traditionally, two-factor has involved a text message sent to your phone with a numeric code to input. If you know the code, that means you have your phone, so the app or site can trust that you’re really you.
But that method is the weakest form of two-factor: a text message can be redirected to an attacker who talks your carrier into moving your number onto their SIM card (a “SIM swap”), or who phishes the code out of you on a fake login page. If you want some password hygiene extra credit, take a couple of seconds to download an authenticator app. You link it to each account once, usually by scanning a QR code, and from then on it generates a fresh six-digit code on the phone itself every 30 seconds; nothing travels over the phone network. Some apps instead push an approval prompt to your phone when somebody tries to log on, which is convenient, but only approve prompts for logins you just started yourself. Google, Microsoft, Twilio (Authy) and ID.me all make authenticator apps you can access from different mobile devices. Just type “authenticator” into an app store and download one of these options.