So how do you keep up? Our Technical Director Simon Jones has a few tips on how to do just that.
This week eBay has become the latest in a line of major websites that have been hacked, exposing sensitive login data. They follow companies such as LinkedIn, Tesco and Adobe, and pretty much the entire web, which has been vulnerable to the Heartbleed SSL bug for the past two years.
The problem is compounded by the fact that most people don’t use different passwords for different accounts, for the simple reason that they can’t remember them.
We’re not designed to remember dozens, let alone hundreds of complex passwords. So we re-use the same ones, or store them somewhere pretty unsafe such as a text document on our computer or, shock horror, post-it notes often stuck next to the thing that the password secures!
We also have to trust websites to store our passwords securely, something which definitely doesn’t happen a lot of the time, even when it should. So having separate passwords for important accounts is more important than ever.
Passwords are basically broken, but unfortunately so far no-one’s come up with anything better.
The best option we currently have is to use a password manager to store all your passwords.
The idea of a password manager is to store sensitive login information in an encrypted data file which is then unlocked by one master password. When you go to log in to a website, you can use the password manager to auto-fill the login details for you. All you have to do is enter your master password to unlock the password manager. It goes without saying that your master password really needs to be unique and secure.
Commercial services exist such as the excellent 1Password and LastPass, and there are also open source options such as KeePass. 1Password has a neat feature called Watchtower that alerts you to websites that have recently been compromised, reminding you to update your password.
With a password manager you can easily have strong, unique passwords for each and every account without having to worry about remembering them.
What actually makes a good password?
There are lots of different opinions on what makes a good password, but it’s also important that you can memorise your password. There’s no point having a 20 character password of random letters and digits if you can’t remember it without writing it down! Some sensible best-practice security tips appear below:
- Use a long-ish password, ideally 8 or more characters long
- Help create a longer password by using spaces
- Try to include at least one of the following types of characters: upper-case, punctuation such as ! % £
- Don’t just use English dictionary words followed by a number
- To help you remember, start with a few different words that have some meaning to you (but are not directly related to each other), then mix the characters up or introduce new characters to make the password more unique
If you use a password manager service then you only need to remember one of these, of course, so it’s all a bit easier! 1Password also has a few useful tips on creating a decent password.
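The tips above can be turned into a simple policy check, for example in a sign-up form. The following is an added example written for this post, not code from 1Password, LastPass or KeePass; the small word list is a constructed stand-in for a real English dictionary.

```python
import re
import string
from typing import List

# Constructed mini word list standing in for an English dictionary.
# Assumption: a real deployment would load a full word list from disk.
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "letmein", "dragon", "football"}

MIN_LENGTH = 8  # "ideally 8 or more characters long"

# Punctuation the post mentions (! % £); string.punctuation is ASCII only, so add £.
PUNCTUATION = set(string.punctuation) | {"£"}


def check_password(password: str) -> List[str]:
    """Return the list of rules from the post that the password breaks.

    An empty list means the password passes. Spaces are ordinary characters
    here, so a spaced passphrase gets credit for its full length.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    has_upper = any(c.isupper() for c in password)
    has_punct = any(c in PUNCTUATION for c in password)
    if not (has_upper or has_punct):
        problems.append("no upper-case letter or punctuation character")

    # "Don't just use English dictionary words followed by a number":
    # a single word (any capitalisation) with optional trailing digits.
    match = re.fullmatch(r"([A-Za-z]+)(\d+)?", password)
    if match and match.group(1).lower() in COMMON_WORDS:
        problems.append("a dictionary word followed by digits")

    return problems


if __name__ == "__main__":
    for candidate in ["Summer2014", "monkey12", "Correct horse battery!"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```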
Some passwords really, really matter. The most important one is your email account. Since passwords to other services can often be reset via email, it’s really important your email is secure.
Many websites offer two-step authentication. This means that when you log in from a different computer, or do something important like resetting your password, a second step must be taken in order to continue. This usually takes the form of an SMS text message sent to your mobile phone number, which you then need to use to continue.
Two-step authentication is a great idea and I strongly recommend you enable this on any services that offer it. A few popular ones are listed below.
When websites are hacked
When an announcement comes from a company such as eBay that passwords have been compromised, you need to change your password urgently. There are even services out there, such as haveibeenpwned.com from security expert Troy Hunt, where you can see whether your account has been compromised.
In summary: be safe, use a password manager, and I hope the many research projects that are looking into alternatives to the humble password come up with something better in the near future!