Back in 2010 I wrote about improving your online personal security, which included some tips and tricks to consider to reduce your risk – one of which was to consider using a password manager.
Password Managers provide an encrypted storage vault to keep all of your username/password combinations for the different websites in a single place. Firstly this is helpful so that you don’t forget the passwords and need to constantly use the password reset functionality that websites provide. However, most importantly – because you’re absolving yourself of the need to remember the passwords, it allows you to use unique, highly complex passwords for every website.
The statistics on password reuse and complexity are frightening. The majority of us use the same very limited set of passwords over and over again on different websites. The passwords used most are things like ‘password’, ‘love’, simple dictionary words or a pattern of numbers like 12345. When hackers go out to attack a website, they can literally walk through passwords like the above using brute force tactics like an unlocked door.
By setting unique, highly complex passwords for each website – firstly your password is infinitely harder to crack but more importantly, if your password does get cracked or a website you use gets hacked and passwords are stolen – the hackers can only get into that one website, not any other websites you might use such as your internet banking.
To clarify, high complexity passwords will be at least 10 characters long, use lower and upper case letters, numbers and symbols such as ‘AdD7Dc&@ds*!1_8’.
Why Now?
This month it was announced that a core cryptography library named OpenSSL, used by approximately 2/3 of all websites on the internet that use Secure Sockets Layer (SSL), more commonly recognised as HTTPS in your browser address bar, have been vulnerable to undetectable attack for the last two years via an exploit named Heartbleed.
Of course the likelihood that your particular password or private information were compromised as a result of this exploit are quite remote, however it should serve as a stark reminder that despite the fact that industry wide security technology is peer reviewed and heavily scrutinized – the software engineers and cryptographers writing it are still only human and as such, fallible.
What Next?
Go and install a password manager such as LastPass, it is free to use and if you pay a whopping $12/yr – you can install it on every computer, laptop, tablet and phone you own so that you’re never left high and dry without your passwords.
Once installed, your next job is to allow it to import all of your stored account information on your computer. This part of the process is going to scare you, as it will import dozens or in my case hundreds of pieces of account information.
Remember, if the password manager could extract all of your account details, so could a virus, trojan or malware and send it off to some nefarious hacker on the other side of the world. Make sure you allow the tool to delete all of your stored passwords on your computer at the same time, just so that doesn’t happen in the future.
After it has imported all of your stored accounts, in the case of LastPass there is functionality for it to audit or perform a security scan against the account information. This is the next scary part, you thought you were doing an okay job with your passwords – let’s be realistic, you and I both know that we both sucked at it.
Now start going through your most important accounts first and change the passwords that they use to a unique, highly complex passwords. In case you were wondering how to generate strong passwords, LastPass has a password generator within it that you can configure with various options to increase/decrease the complexity of the passwords.
Each time you update the password to a shiny new hard to guess password, your online security is improving, one password at a time!