We Need to Talk About Passwords

December 15th, 2016

The news that Yahoo has suffered a hack potentially affecting one billion user accounts should be a wake-up call to all internet users who don’t have a system in place to manage passwords. Companies like this are prime targets for hackers, and these breaches show that no degree of security is absolutely watertight. Huge attacks on core internet facilities are only becoming more common.

Many users are aware of the importance of choosing unique passwords, but continue to use the same one for most websites. A 2013 poll from Ofcom showed that up to 55% of users admitted using “the same password for most, if not all, websites”.

Breaches are inevitable

Users need to accept the idea that it’s no longer a case of ‘if’ but ‘when’ their accounts will be compromised. If this happens, the impact of the breach varies depending on the information that’s exposed.

The major problems occur when hackers use acquired credentials to access other accounts linked to the same email address. Assuming the same password has been reused, they can try to get into any number of services the user has registered with.

The problem is compounded by passwords that are shared between active and dormant accounts. Many users may not even be aware that an old account of theirs has been accessed, let alone fully understand the repercussions.

Managing your passwords

Everyone knows you should use a unique password for each online account you use. The advice circulated over the past few years has revolved around using sentences and passphrases to generate secure passwords that are memorable. Good advice in principle, though how effectively these passphrases are used in the real world is debatable.

As someone who has to generate many passwords, I found this approach to be unworkable. Firstly, I found I may not be able to remember the phrase associated with the website. Secondly, if/when I needed to change that password (account reset/service breached), it became tricky to remember the new password or the variation.

For me, the solution was 1Password. There are lots of password managers out there and they don’t tend to be free, but I would highly recommend investing in one if you can. $2.99/month or $64.99 for a lifetime subscription isn’t much to spend to significantly improve the security of all of your online accounts in a single move. They will not only generate endless secure passwords on demand, but also make it quick and painless to review and update old ones.
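To make the two jobs a password manager does concrete (generating a fresh random password per site, and finding where one password is doing duty for several accounts), here is a small added example. It is illustrative code written for this post, not 1Password's software or any other manager's; the vault dictionary and the site names in it are constructed for the demonstration, and the reuse in it is deliberate so the audit has something to flag.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password). Not real accounts.
# Three sites share one password, one site has its own.
SAMPLE_VAULT = {
    "mail.example": "Summer2016!",
    "shop.example": "Summer2016!",
    "old-forum.example": "Summer2016!",   # a dormant account, still sharing the password
    "bank.example": "x7#Lq9!pRt2@wZ4m",
}

# Character set drawn from: upper, lower, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password of the given length.

    Uses the `secrets` module (a CSPRNG), never `random`, and rejects
    candidates that miss one of the four character classes so the result
    always satisfies common site complexity rules.
    """
    if length < 4:
        raise ValueError("length must allow one character from each class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def find_reused_passwords(vault: dict) -> dict:
    """Map each password used by more than one site to the sorted list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def exposed_by_breach(vault: dict, breached_site: str) -> list:
    """Sites whose password would be known to someone holding the breached site's password.

    This is the impact-assessment question to ask after a provider announces a breach.
    """
    leaked = vault[breached_site]
    return sorted(site for site, pw in vault.items() if pw == leaked and site != breached_site)


def rotate_reused(vault: dict, length: int = 20) -> dict:
    """Return a copy of the vault in which every reused password is replaced by a fresh unique one."""
    rotated = dict(vault)
    for _, sites in find_reused_passwords(vault).items():
        for site in sites:
            rotated[site] = generate_password(length)
    return rotated


if __name__ == "__main__":
    print("Reused:", find_reused_passwords(SAMPLE_VAULT))
    print("Exposed if shop.example is breached:", exposed_by_breach(SAMPLE_VAULT, "shop.example"))
    fixed = rotate_reused(SAMPLE_VAULT)
    print("Reused after rotation:", find_reused_passwords(fixed))
```

Run as a script, the audit reports the three sites sharing "Summer2016!", shows that a breach at the shop would expose the mail and forum accounts, and after rotation reports no reuse at all. The point of `exposed_by_breach` is the scenario described above: one leaked credential only matters beyond the breached site if the same password is waiting elsewhere.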

One significant benefit of 1Password over other tools is that the passwords aren’t stored on their servers. This means that if 1Password were to be hacked, your passwords wouldn’t be vulnerable.

For important accounts, it’s also worth enabling two-factor authentication. This is unnecessary for some of your accounts, but for core services such as email or social media it’s pretty crucial. It’s now considered best practice to use app-based or physical two-factor authentication, since the vulnerabilities of SMS/phone-based 2FA were discovered. If you’re concerned about dormant accounts, services such as deseat.me can help you find and remove them.

Protect your accounts

Adopting a password manager and deactivating old accounts won’t stop web services being hacked, nor completely remove the possibility of account information being accessed, even with two-factor authentication enabled. However, if one of your accounts is breached in future, unique passwords will stop the hackers from easily getting into the other accounts you have.

The final bit of advice: if a service provider is hacked and advises you that a password change is not necessary, ignore them and do it anyway.