A hard habit to break
It’s your email. It’s your documents. It’s your banking, your music, photos and all your contacts. It’s your personal, oftentimes sensitive information that’s at risk, and the chance of it falling into the wrong hands multiplies by magnitudes if you reuse the same password to manage your online accounts.
Reusing the same password with multiple online services is a common bad habit. It’s dangerous because once one account is compromised, a domino effect can occur, compromising many of your accounts. We’re going to help you break the bad password habit for good.
Bad habits put your data at risk
The bad guys target businesses online and businesses are continuously shoring up their defenses in response to the latest attack. Still, it seems like we’re regularly hearing about new breaches from high-profile companies and with those breaches, the bad guys pull out reams of personal information about customers including in some cases, passwords.
Those are just the big companies. What may be scarier is the fact that cyber-criminals know that many small and mid-sized companies do not take the same measures a bigger company takes to close security holes. This, combined with the fact that people are inclined to re-use the same password on multiple sites, makes small and medium-sized businesses good targets; passwords acquired from one of them can be the narrow end of the wedge that gets the bad guys access to all your stuff. Businesses with fewer than 250 employees accounted for over 30 percent of attacks in 2014.
Think about that. Now think about how many times you’ve used that same played-out password when quickly creating an account. After the possible consequences of that sink in, you may want to check haveibeenpwned.com to see if you’ve been compromised. Just input your email address and it’ll tell you whether your account details have appeared in a known breach, and from which sites.
Be sure to come back and follow the three simple steps that follow so you can get some sleep tonight.
Three simple steps to security
Step one: Get a password manager
Choose a password manager application that’s secure and works across multiple platforms, like 1Password or LastPass. It will free you from having to remember all the passwords you’re about to change in step two. You’ll only be responsible for remembering one master password… which, we must point out, should absolutely not be stored in your notes app, documents, or email. If you need to write it down, a safe or safety deposit box should hold the only copy.
When you’re asked to set up your master password, choose one that contains numbers, special characters, and both upper and lowercase letters. Make it something you’ll remember, but something that no one else could ever guess. Single word passwords like names or dictionary terms are weak. Three or more unrelated words strung together with a special character between them are best. For instance, “Pink*Flamingos2Gold*Conversion” is a strong password where “Kermit” isn’t. While “Password123!” conforms to common requirements for a secure password, it is anything but.
This hopefully doesn’t need to be said: definitely don’t use your name, your kid’s name, your birthday or anything that could be guessed with a little creeping.
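The contrast above (“Password123!” satisfies the usual composition rules yet is weak, while three or more unrelated words with separators are strong) can be made concrete with a small guess-resistance estimator. This is an added example, not code from the original post or from any password manager; the word and common-password lists are constructed samples and the dictionary size of 20,000 is an assumption about the word list an attacker would try.

```python
import math
import re

# Constructed sample lists; a real checker would load full word and breach lists.
COMMON = {"password", "123456", "qwerty", "letmein", "kermit", "welcome"}
DICTIONARY_WORDS = {"pink", "flamingos", "gold", "conversion", "password", "welcome"}
DICTIONARY_SIZE = 20000  # assumed size of the word list an attacker would try

def meets_composition_rules(pw):
    """The typical site rule: 8+ chars with upper, lower, digit and special."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

def is_run(digits):
    """True for '123', '4321', '7777': one guessable pattern, not independent digits."""
    steps = {int(b) - int(a) for a, b in zip(digits, digits[1:])}
    return len(digits) > 1 and len(steps) == 1 and steps <= {-1, 0, 1}

def estimate_bits(pw):
    """Rough bits of guessing work, scored per token rather than per character."""
    bits = 0.0
    for token in re.findall(r"[A-Za-z]+|\d+|[^A-Za-z0-9]+", pw):
        if token.isalpha():
            word = token.lower()
            if word in COMMON:                    # tried first by any cracker
                bits += math.log2(len(COMMON))
            elif word in DICTIONARY_WORDS:        # one pick from the word list
                bits += math.log2(DICTIONARY_SIZE)
            else:                                 # treat as random letters
                bits += len(token) * math.log2(26)
        elif token.isdigit():
            # a run like "123" is one pattern; unrelated digits count individually
            bits += math.log2(10) if is_run(token) else len(token) * math.log2(10)
        else:
            bits += len(token) * math.log2(32)    # ~32 printable specials
    return bits

def assess(pw):
    """Show the gap between 'passes the rules' and 'is actually hard to guess'."""
    bits = estimate_bits(pw)
    verdict = "strong" if bits >= 60 else "ok" if bits >= 40 else "weak"
    return {"rules": meets_composition_rules(pw), "bits": round(bits, 1), "verdict": verdict}

if __name__ == "__main__":
    for candidate in ("Kermit", "Password123!", "Pink*Flamingos2Gold*Conversion"):
        print(candidate, assess(candidate))
```

“Password123!” passes the composition rules but scores only about 11 bits, while the four-word passphrase scores about 70.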
Step two: Reset passwords
Go on a password resetting spree. Make a night of it. Include a bottle of wine. You’re adulting here. And because you’re a responsible adult, you’re not going to get drunk and change all your passwords to “incorrect” so when you sober up and realize you forgot your password, the computer reminds you by saying, “your password is incorrect.”
Because that would defeat the purpose.
Instead, you’re going to use a different password for each and every login, including social networks, email, banking, even remote access and VPN apps. Your password manager might offer to generate them for you automatically. Even better if you’re offered the option to set up two-factor authentication (2FA). It might seem like a hassle because it’s a little more time consuming, but a growing number of apps and sites are implementing it, especially places where you store sensitive information (e.g. Evernote). 2FA is stronger too, so it’s wise to use it whenever possible.
Step three: Separate your personal and work email
If you haven’t previously done so, set up a personal email account separate from your work-related email. For reasons that are probably obvious, you shouldn’t sign up for non-work-related accounts using your work email address, but just in case you have in the past, you might want to take some time to change the email address on those accounts now. And while you’re at it, unsubscribe from any newsletter, advertisement or mailing list that’s not related to your job. Also, be aware of password recovery processes. If you have one email account set up as the recovery email for another email service, a breach of one could potentially compromise the other. If the breached account is the primary address to which third parties send password-reset emails, it could quickly spiral out of control. It would really suck to face the ire and contempt of your boss and coworkers (and possibly the public) if you were responsible for a data breach due to your shoddy password practices.
That’s all, folks
That’s it; the rest is just a matter of being safe going forward. Be smart about it. Don’t give the passwords to shared accounts to anyone online via text, chat or email: it’s always best to divulge sensitive account information face-to-face or in a private call. Keep your phone, laptop and tablet locked with separate passwords, because it’s impossible to have them on your person at all times.
Be conscientious when using public computers. Computers at schools and libraries make perfect targets for key-loggers because they’re usually insecure and used by many people throughout the day, so do not log into your accounts while using them. In such a situation, use a service like Guerrilla Mail or AirMail that provides disposable email addresses to gain brief access to data or trial periods, avoiding unnecessary ties to your personal or work accounts and minimizing the impact if the security of that public computer or business fails.