nodir nazarov

Strengthen Your Digital Security

Do you remember your password? If the answer is "yes," there could be a problem.

After a major retailer hack many years ago, I decided to take a look at my digital presence. I asked: "How many websites did I sign up for?" Well, the number exceeded 600!

I won't disclose how many sites I reused passwords on, as it’s nothing to be proud of :) It took me over six months (!) to painstakingly update each site with a new password or to close the accounts. In some cases I couldn't even close the accounts. The "right to be forgotten" doesn't exist in the US, so the decision to delete a defunct account is totally up to the website owner.

"Credential stuffing" is a real thing and keeps causing heartaches for security personnel. Simply put, it's when bad actors try to reuse known, typically hacked, passwords. Apparently, even after *multiple* headlines and warnings, some people did not change their passwords.

Imagine bringing these habits to a work setting. If your company enforces solid security practices - great, you'll likely be required to adhere to basic password rules. But no password policy can stop you from reusing passwords from other websites.

So, what’s next? If you are convinced that now is the time to harden your digital access security, I suggest the following:

- Adopt a password vault (or password manager). How? Look up "password manager review" in your favorite search engine and choose any of the top 5. They are usually decent, and these apps usually offer more perks than just secure storage of your passwords.


- Install it on your major devices (laptop, tablet, phone) and make sure that the password manager/vault is synched across all of them. Consider getting a family version.


- Prepare for the long run. You have hundreds of accounts to review. Changing passwords, registering them in the vault, testing and validation will take considerable effort and discipline. It's not a one-day deal. I would set aside 15 minutes per day just for this.


- Let your password manager app generate your passwords. Any password that you create and remember (like your cat's name, your child's name, date of birth, city, favorite song or car etc.) is probably public info and could be guessed. And btw, adding a few digits to your favorite guessable password doesn't increase its security posture by much.


- Oh, important: Never bypass your password manager/vault when you create or change accounts. Make it part of your new routine.
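
An added example, not part of the original post: a short Python script that reads a password-manager CSV export and reports which accounts share a password and which follow the word-plus-digits habit described above, so the daily 15 minutes go to the riskiest accounts first. The column names (name, url, username, password) and the sample rows are constructed assumptions; real exports differ by product.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export; column names are an assumption, not any product's format.
SAMPLE_EXPORT = """name,url,username,password
Shop,https://shop.example,me@example.com,Whiskers2019
Forum,https://forum.example,me@example.com,Whiskers2019
Bank,https://bank.example,me@example.com,t9#Lq2vX!mZr84pKdWc7
News,https://news.example,me@example.com,Whiskers2019
Mail,https://mail.example,me@example.com,Chicago77
"""

# A word followed by one to four digits: the "favorite password plus digits" habit.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{1,4}$")


def audit(export_text):
    """Return (reuse_groups, guessable) as account names only, never passwords."""
    by_password = defaultdict(list)
    guessable = []
    for row in csv.DictReader(io.StringIO(export_text)):
        by_password[row["password"]].append(row["name"])
        if WORD_PLUS_DIGITS.match(row["password"]):
            guessable.append(row["name"])
    # Largest reuse group first: one leaked password there exposes the most accounts.
    reused = sorted((names for names in by_password.values() if len(names) > 1),
                    key=len, reverse=True)
    return reused, guessable


def worklist(export_text):
    """Accounts to fix first: biggest reuse groups, then guessable one-offs."""
    reused, guessable = audit(export_text)
    order = [name for group in reused for name in group]
    order += [name for name in guessable if name not in order]
    return order


if __name__ == "__main__":
    reused, guessable = audit(SAMPLE_EXPORT)
    for group in reused:
        print(f"same password on {len(group)} sites: {', '.join(group)}")
    print("word+digits pattern:", ", ".join(guessable))
    print("fix in this order:", ", ".join(worklist(SAMPLE_EXPORT)))
```

A vault export is a plaintext file of every password you have, so run this locally and delete the export as soon as you are done.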

None of the above is new. Security folks live by this. Maybe it's time to actually do it. "Mother of all breaches" calls for it. :)

