You’ve probably heard of some of the biggest data breaches. In 2013, 3 billion Yahoo! users had their account data stolen, including their passwords, birthdays, and phone numbers. Dropbox, LinkedIn, Evernote, and Tumblr have all been affected by data breaches as well.
If you received an email from one of these companies advising you to change your password, then do so. If you’ve used the same password for other accounts, then be sure to change them too. In some cases, the leaked passwords were encrypted and unlikely to be compromised, but it’s still a good idea to change them out of caution.
How Serious Are Data Breaches?
Sometimes, it can be hard to tell how serious a data breach is. Hackers don’t immediately log into the affected accounts and post “gotcha” notices on your profile. They’re more likely to sell the stolen data on the Dark Web, and it may not be used to break into anyone’s account for years. Only rarely do hackers access passwords in plain text; usually, they’re hashed, and often salted as well.
What are “hashed” passwords? Security experts apply various levels of encryption to user data. According to Wired, hashes are “random-looking strings of characters into which the passwords have been mathematically transformed to prevent them from being misused.” In other words, a security-conscious website will store passwords in an indecipherable form.
However, these hashes can vary in strength and complexity. Some hashed passwords can be cracked relatively easily, while others would require immense computing power to break. They may also be “salted,” or sprinkled with random bits of data to further mix things up. Since it can be hard to know how well any site maintains its user data, your best protection is to use strong passwords of your own and update them regularly.
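To make the hashing and salting described above concrete, here is an added example (not code from the article or from any of the sites it mentions) of how a security-conscious site stores and checks a password. It uses PBKDF2-SHA256 from Python’s standard library with a per-user random salt; the iteration count and the five-word list of common guesses are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "sha256"
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, deliberately slow hash of `password`, returned as a self-describing record.

    Record layout: pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>.
    A fresh 16-byte random salt is drawn per password unless one is supplied,
    so two users with the same password get different records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (
        ALGORITHM, iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the record's own salt and iteration count; compare in constant time."""
    scheme, iterations, salt_b64, digest_b64 = record.split("$")
    if scheme != "pbkdf2_" + ALGORITHM:
        raise ValueError("unsupported record: " + scheme)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"),
                                    base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(candidate, expected)


# Constructed sample showing the weak case the article warns about: a fast,
# unsalted hash can be matched against a precomputed table of common guesses.
COMMON_GUESSES = ["password", "123456", "qwerty", "letmein", "iloveyou"]
UNSALTED_SHA1_TABLE = {hashlib.sha1(g.encode()).hexdigest(): g for g in COMMON_GUESSES}


def unsalted_lookup(sha1_hex: str) -> Optional[str]:
    """Instant reversal of an unsalted SHA-1 by table lookup; None if it is not a common guess."""
    return UNSALTED_SHA1_TABLE.get(sha1_hex.lower())


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))   # True
    print(verify_password("Correct horse battery staple", rec))   # False
    # same password, new random salt: a different record every time
    print(hash_password("correct horse battery staple") != rec)   # True
    # the weak case: an unsalted fast hash of a common password is found at once
    print(unsalted_lookup(hashlib.sha1(b"qwerty").hexdigest()))    # qwerty
```

The salt defeats the precomputed table because every record would need its own table, and the iteration count makes each guess cost hundreds of thousands of hash operations instead of one; together they are what separates “cracked relatively easily” from “would require immense computing power.”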
Another way that hackers acquire passwords is through phishing, or sending an email that appears to be from a legitimate site and asks you to enter or reset your password.
This is how hackers gained access to the personal emails of John Podesta, one of Hillary Clinton’s campaign managers, during the 2016 election. A spoofed email that appeared to be from Google warned him that someone had tried to access his account and that he needed to update his password immediately. But instead of going directly to Google, one of his aides clicked the URL in the email, which led to a site maintained by Russian hackers instead.
If you receive an email like this and you’re unsure if it’s legitimate, don’t click the link; log into your account as you normally would and change the password from there.
How to Create A Strong Password
There are several tricks for coming up with a strong password, and not every expert will give you the same advice — but there are some standards that nearly all experts agree on. Let’s look at passwords that use letters, numbers, and symbols first.
First, make sure your password is at least 12 characters; anything less is too easy to break. There’s no harm in going longer, depending on how often you’ll be typing it. Keep in mind that some characters are easier to type on a keyboard than on a mobile device.
Second, use a variety of numbers, symbols, and capital and lower-case letters. Avoid using obvious replacements (such as $ for an S) or putting all the numbers and symbols at the end. Try to mix it up, and use a mnemonic device or sentence to help you remember it.
If you like, you can use a site like Password Meter to test the strength of your password. (Just don’t type your actual password into a password meter like this – they aren’t all secure!)
Try out various combinations of letters and symbols to see which ones make your password stronger. Some sites require you to use a minimum amount of numbers or symbols, and will refuse to let you use a password that they consider too weak for their standards. You can use a Secure Password Generator and tell the program exactly how many letters, numerals, and other symbols you want to include.
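The rules in the two paragraphs above (at least 12 characters, a mix of character classes, no obvious substitutions, no dumping the digits and symbols at the end) can be written down as a small checker. This is an added example, not code from the article or from Password Meter; the substitution table and the six-word list of common words are constructed for the demonstration, where a real checker would load a large list of breached passwords.

```python
import re
import string
from typing import List

MIN_LENGTH = 12

# The "obvious replacements" the text warns about, mapped back to the letters
# they stand for (constructed table; extend as needed)
OBVIOUS_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
    "1": "i", "!": "i", "3": "e", "7": "t",
})

# Constructed sample; a real checker would use a large breached-password list
COMMON_WORDS = ("password", "qwerty", "letmein", "welcome", "admin", "iloveyou")


def check_password(pw: str) -> List[str]:
    """Return a list of problems; an empty list means the password passes every rule."""
    problems = []

    # Rule 1: length
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Rule 2: variety, at least three of the four character classes
    classes = {
        "lower-case letters": any(c.islower() for c in pw),
        "upper-case letters": any(c.isupper() for c in pw),
        "digits": any(c.isdigit() for c in pw),
        "symbols": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if len(missing) > 1:
        problems.append("missing " + ", ".join(missing))

    # Rule 3: letters followed only by a tail of digits/symbols is a predictable shape
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z]+", pw):
        problems.append("all numbers and symbols are at the end")

    # Rule 4: undo obvious substitutions, then look for common words
    normalised = pw.lower().translate(OBVIOUS_SUBSTITUTIONS)
    for word in COMMON_WORDS:
        if word in normalised:
            problems.append("contains %r (obvious substitutions undone)" % word)

    return problems


if __name__ == "__main__":
    for candidate in ("Summer2019!", "P@$$w0rd2020", "Tr4vel-mug?Lantern9"):
        verdict = check_password(candidate)
        print(candidate, "->", "OK" if not verdict else "; ".join(verdict))
```

Note that the substitution rule catches “P@$$w0rd2020” even though it has every character class and is 12 characters long: a cracking dictionary applies the same replacements, so they add almost nothing.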
The Random Word Method
There are, however, some security experts who recommend a different system altogether. A popular comic by xkcd shows how a string of four randomly-generated words can be as strong as, or even stronger than, a traditional alphanumeric password. To be effective, the four words have to be truly random and make no grammatical sense.
You can generate a phrase directly at xkcx, or use a list like this one to create a multi-word passphrase using dice. A phrase like “correct horse battery staple” may not make any logical sense, but it’s easier to remember than a string of randomly generated characters.
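The following added example (not code from the article, xkcd, or any generator site it links to) implements both approaches just described: a Diceware-style passphrase chosen with unbiased dice rolls, and a character password with an exact count of letters, numerals and symbols like the Secure Password Generator mentioned earlier. It also computes the entropy of each so the two methods can be compared on the same scale. The 32-word list is a constructed stand-in; a real Diceware list has 7776 words.

```python
import math
import secrets
import string

# Constructed stand-in for a Diceware-style word list. A real list has 7776 words,
# one per five-dice roll (6**5), so every word contributes log2(7776) = 12.9 bits.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "lantern", "pickle", "velvet", "glacier",
    "mustard", "anchor", "cobalt", "pebble", "trumpet", "walrus", "orbit", "saddle",
    "meadow", "copper", "ferry", "bison", "quartz", "tundra", "nickel", "harbor",
    "saffron", "kettle", "marble", "falcon", "cactus", "thimble", "yonder", "zephyr",
]
DICEWARE_LIST_SIZE = 6 ** 5


def roll_dice(count: int = 5) -> str:
    """Five fair dice, as the paper Diceware procedure uses; `secrets` gives unbiased rolls."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def dice_to_index(roll: str) -> int:
    """Map a roll such as '11111' .. '66666' to 0 .. 7775 (the line number in a real list)."""
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index


def generate_passphrase(n_words: int = 4, words=SAMPLE_WORDS, separator: str = " ") -> str:
    """n_words picked independently and uniformly; the result need not make sense."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def generate_password(letters: int = 8, digits: int = 2, symbols: int = 2) -> str:
    """Character password with an exact class mix, shuffled so the non-letters are not all at the end."""
    chars = ([secrets.choice(string.ascii_letters) for _ in range(letters)]
             + [secrets.choice(string.digits) for _ in range(digits)]
             + [secrets.choice(string.punctuation) for _ in range(symbols)])
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(choices_per_symbol: int, length: int) -> float:
    """Strength of a uniformly random secret: bits = length * log2(choices per position)."""
    return length * math.log2(choices_per_symbol)


if __name__ == "__main__":
    print("dice roll", roll_dice(), "-> line", dice_to_index(roll_dice()))
    print("passphrase:", generate_passphrase())
    print("password:  ", generate_password())
    print("4 words from a 7776-word list: %.1f bits" % entropy_bits(DICEWARE_LIST_SIZE, 4))
    print("12 random printable chars:     %.1f bits" % entropy_bits(95, 12))
    print("4 words from the sample list:  %.1f bits" % entropy_bits(len(SAMPLE_WORDS), 4))
```

Two caveats the numbers make visible. First, the strength comes entirely from the random choice: four words from a real 7776-word list give about 52 bits, but four words from a 32-word list give only 20, and words you picked yourself give far less. Second, a 12-character password that is truly uniformly random (about 79 bits) is stronger than four Diceware words; the passphrase wins against the passwords people actually invent, and it is the one you can remember.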
Have a system for coming up with passwords in advance — and maybe even have a few unused ones ready to go — so you don’t have to come up with them on the spot every time you sign up for a new account. That’s when you’re most likely to be lazy and use the first thing that comes into your mind. If you have to cheat and use a simple one — because you’re in a hurry, or on your mobile device — change it to a more secure one as soon as you get home.
If all of the above sounds daunting, or you just can’t be bothered to create and remember dozens of passwords, don’t worry – there is a solution. More and more people are switching to password managers, which not only do all the work for you, but also include lots of extra security features to help button up other loose ends.
Password managers generate strong passwords, store them securely, and let you access them on multiple devices. In fact, you’ll never even have to look at most of your passwords, since your password manager can automatically fill in log-in forms for you.
The Three Best Password Managers
LastPass is one of the largest password managers in the market. It operates in the cloud and can be deployed by users via a browser extension or a mobile app.
Standout features include:
- Robust free plan
- Auto-generated passwords
- Ability to set the default length of auto-generated passwords
- Alerts for weak or old passwords
- Can change passwords automatically on popular sites
- Two-factor authentication
Of the three password managers discussed here, LastPass is the cheapest ($2/mo), and most of its features are available for free, including its mobile app, so you can access your passwords anywhere you go.
One important thing to note, here, though, is that LastPass has been the target of minor hacks and/or vulnerabilities in the past. They have good security, and no passwords have ever been compromised (as far as I know), but because they are so large, it would stand to reason that they get attacked more often than most.
1Password is another popular password manager that runs on all operating systems except Linux. Unlike LastPass, it doesn’t operate completely on the cloud; it saves passwords locally but allows for syncing through the cloud.
Standout features include:
- Stand-alone software for desktops in addition to a browser extension and an app
- 24/7 support with paid plans
- Ability to restore deleted passwords within a year
- Two-factor authentication
- Travel mode to keep passwords secure when crossing borders
There aren’t any free plans available with 1Password. You can only get paid plans, and they start around $3/mo.
Dashlane is the last of the big three. Aside from being a password manager, it also functions as a secure digital wallet. Like 1Password, it relies on local storage to save sensitive information but allows for cloud sync.
Standout features include:
- Digital wallet functionality
- Can also encrypt sensitive documents
- “Identity dashboard” gives you an overview of your online security
- Dark web monitoring and alerts
- Can encrypt your activity on unsecure wifi networks
Dashlane does offer a free plan, although it’s likely not quite as robust as LastPass’s. Its paid plans start at $3/mo and go up to $10/mo.
Are Password Managers Secure?
Are there any security risks to storing all of your passwords in the same place? Yes and no. In order to protect your passwords, you’ll rely on a master password, which gives you access to your password vault. If your master password were stolen, then theoretically a hacker would have access to all of the rest of your passwords.
However, password managers have several layers of protection built-in. Since their business model depends on security, password managers have incredibly strong encryption and never store your master password in plain text. They may also require you to receive a code via an SMS message when you log in from a new device or location.
The other risk is that you’ll forget your master password — and for security reasons, password managers don’t make it easy to reset your account. Dashlane warns its users that if they lose their master password, they won’t be able to decrypt their data. And 1Password says that, if you’ve tried all of their recovery options and “you’re sure you’ll never remember your Master Password, delete your 1Password data and start over.”
It isn’t the end of the world, but it means that you’ll have to reset the passwords on all of your accounts manually. And if you lose access to the recovery email address linked to those accounts, it could be a major headache. In short, don’t lose your master password!
Dual-Factor Authentication & Biometrics
Another strategy that more and more sites are incorporating is dual-factor authentication, which requires an additional step beyond typing in your username and password. You might be familiar with this process if you’ve ever had to receive a log-in code via text message, or click on a link via email to verify that yes, it is actually you trying to access your account.
Why Use Dual-Factor Authentication?
This extra step can be annoying if you don’t have your phone handy, but it’s a surefire way to reduce the likelihood of hackers accessing your account. Even if they managed to obtain your password from a data breach, it’s unlikely that they would also have access to your phone or your email address. Dual-factor authentication is optional on sites like Facebook, Google, and Twitter — but if you haven’t already, it’s a good idea to turn it on.
Dual-factor authentication is especially important if you use a password manager. If you try to log into your LastPass account from a new laptop, for example, you’ll immediately receive a push notification on your phone asking you to “Approve” your log in attempt.
There are also stand-alone apps like Authy and LastPass Authenticator you can use to generate one-time log-in codes for a variety of sites. This is a good alternative to receiving a code via text message if you’re traveling abroad and won’t be able to receive an SMS. Both the Authy app and LastPass Authenticator allow you to verify your identity with a fingerprint, if you have a smartphone that allows fingerprint recognition.
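Authenticator apps such as the ones named above generate their one-time codes with the TOTP algorithm (RFC 6238), which is why they keep working abroad with no network at all: the code is just an HMAC of the current 30-second time slot under a secret shared at enrollment. The following is an added example (not code from the article or from Authy or LastPass) of both sides of that exchange: the app computing a code, and a site verifying it while tolerating a little clock drift. The key is the RFC 6238 reference key, so the codes match the published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second slots since the epoch.

    This is what the app does; it needs only the shared key and a roughly correct clock.
    """
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


def verify_totp(key: bytes, code: str, at: Optional[float] = None,
                step: int = 30, window: int = 1) -> bool:
    """Site-side check: accept the current slot and `window` slots either side for clock skew.

    Comparison is constant-time; a real deployment would also refuse to accept the same
    code twice, which is out of scope here.
    """
    if at is None:
        at = time.time()
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(key, c), code)
               for c in range(counter - window, counter + window + 1))


def decode_base32_secret(secret: str) -> bytes:
    """Enrollment secrets are shown as base32, often in spaced groups and without padding."""
    compact = secret.replace(" ", "").upper()
    return base64.b32decode(compact + "=" * (-len(compact) % 8))


# RFC 6238 reference key (ASCII "12345678901234567890"), and its base32 form as an app shows it
RFC_TEST_KEY = b"12345678901234567890"
RFC_TEST_KEY_B32 = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"


if __name__ == "__main__":
    assert decode_base32_secret(RFC_TEST_KEY_B32) == RFC_TEST_KEY
    print(totp(RFC_TEST_KEY, at=59))                          # 287082 (RFC 6238 test vector)
    print(totp(RFC_TEST_KEY))                                 # the code this key shows right now
    print(verify_totp(RFC_TEST_KEY, "287082", at=59 + 30))    # True: previous slot still accepted
    print(verify_totp(RFC_TEST_KEY, "287082", at=59 + 61))    # False: two slots old, expired
```

The security property worth noticing is that a stolen code is only good for about a minute and only for that one slot, whereas the base32 secret printed at enrollment is equivalent to the key itself, which is why it must be treated like a password and never pasted into an email or a phishing page.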
Fingerprints and Other Biometrics
In fact, some experts predict that biometrics, such as fingerprints and facial recognition, will replace passwords in the near future. After all, it’s harder to fake a person’s voice or facial characteristics than it is to guess their password. Microsoft enabled this option with Windows Hello, which lets you sign into your Windows device using a face, iris, or fingerprint scan.
If that all sounds a bit overwhelming, don’t stress out. There’s a site called Turn On 2FA that will walk you through the steps to enable 2-factor authentication on dozens of websites.
Remember, the goal isn’t to make logging into your accounts so complicated that you dread using your computer. You just need to set up a system that works for you. If you use them right, then these tools will make accessing your data harder for hackers but easier for you.