Whether or not your password was leaked by LinkedIn, eHarmony or Last.fm recently, there is an important lesson to be learned. Three, actually.
Lesson 1: You are responsible for your own security
As demonstrated by recent events, you just can’t rely on websites to protect your information. Even if they are doing the best job possible, all precautions are flawed, because they were designed by flawed, imperfect people. Eventually those flaws will be exploited. So you must do your part to mitigate the damage that may occur as a result of such an event. Lengthy, complex passwords are important, I’d go so far as to say mandatory, but if your password is stolen along with 6.5 million others, length and complexity become irrelevant.
Lesson 2: You need a unique password for each site
While at the time of this writing I can find no definitive answer as to whether email addresses were leaked along with the passwords or not, at some point this will happen. When it does, it will be followed immediately by someone trying those email address / password combinations on thousands of high-value sites. If your info was leaked and you are using the same password for multiple sites, guess what? It won’t be long before they find and access your other accounts.
That’s why you need a unique password for each site: to limit the damage.
You need a way to manage those passwords
OK, you accept the need for unique passwords, but it’s just too hard to remember them all. And keeping passwords in an Excel sheet or Word doc isn’t very secure.
You could try Alex Wawro’s method as described in his piece for PCWorld entitled “How to Build Better Passwords Without Losing Your Mind”. It is fairly simple and highly effective. In short, you create a master or base password and tweak it for each site using a simple formula. Read his article for specific details.
Where it fails me is in two places. First, some sites require password changes at regular intervals. This makes his method useless. Second, I have over 200 sites where a password is required, and using his formula results in duplicate passwords for me.
So if the Wawro method doesn’t work what’s the solution?
Use a password manager
Really, if security is important to you, if you follow best practices for passwords and if you have more than just a couple sites you need to log in to, the best solution is a password manager.
I have been using one for several years now and would be lost without it. It keeps track of all my site credentials and stores them using strong encryption. The data cannot be decrypted without a key, and that key is not kept anywhere but in my head. I use a very long, complex yet easy to remember password, not unlike what Alex Wawro suggests. So, even if my data were stolen it would be virtually useless without the master key.
A master key such as “ThisIsMyPa55w0rd!#^&” is pretty easy to remember. The phrase is “this is my password” with “5” replacing “s” and “0” replacing “o” and a couple of symbols added to the end. At 20 characters long, with a mix of upper and lowercase letters, numbers and symbols, it is, for all intents and purposes, unhackable.
Just for fun I used Gibson Research Corporation’s calculator and came up with these results.
All possible combinations of a password this size and complexity:
3,622,996,024,341,650,240,846,169,344,922,329,517,120 – or – 3.62 × 10^39
Time required to exhaust all possible combinations:
- Assuming 1,000 guesses per second: 1.15 thousand trillion trillion centuries.
- Assuming one hundred billion guesses per second: 11.52 million trillion centuries.
- Assuming one hundred trillion guesses per second: 11.52 thousand trillion centuries.
Simply put, not going to get hacked.
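The figures above can be reproduced locally. The following is an added example, not part of the original post and not GRC’s own calculator code; it assumes, as GRC’s calculator does, that the search space counts every length from 1 up to the password’s length over the 95 printable ASCII characters, and that a century is 100 years of 365.25 days.

```python
# Added example: reproduce the search-space and time-to-exhaust figures
# quoted above for the 20-character sample master key.
# Assumptions (not stated on the page): 95 printable ASCII characters,
# all lengths 1..20 counted, century = 100 * 365.25 days.
ALPHABET_SIZE = 95                                   # upper, lower, digits, symbols
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60    # 3,155,760,000 seconds


def search_space(length, alphabet=ALPHABET_SIZE):
    """Candidates an exhaustive search must try for every length 1..length."""
    return sum(alphabet ** k for k in range(1, length + 1))


def centuries_to_exhaust(space, guesses_per_second):
    """Wall-clock centuries needed to try every candidate at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_CENTURY


def classify(password):
    """Report which of the four character classes a password actually uses;
    the search-space figure only applies if all four are present."""
    return {
        "lower": any(c.islower() for c in password),
        "upper": any(c.isupper() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    master = "ThisIsMyPa55w0rd!#^&"   # the sample master key from the post
    space = search_space(len(master))
    print(f"{len(master)} characters, classes used: {classify(master)}")
    print(f"search space: {space:,}  (~{space:.2e})")
    # The three guess rates used in the post.
    for rate in (1_000, 100_000_000_000, 100_000_000_000_000):
        print(f"{rate:>20,} guesses/s -> {centuries_to_exhaust(space, rate):.2e} centuries")
```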
As for password managers, I happen to use Roboform. It does a great job of organizing, it syncs to multiple devices, recognizes the site and lets me log in with just a click, and has a bunch of other nice features that make it my favorite. But there are others out there that may better meet your specific needs or budget. One of them is LastPass, and they have recently put up a few pages that let you see if your password is one of the ones recently leaked. You can visit that site here.
One note: if your password comes up as leaked it does not mean it was really your account. Someone else may have been using that same password. I’ll bet at least two people used “12345678” as their password.
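A local version of that “was my password in the dump?” check, which also catches the reuse problem from Lesson 2, as an added example that is not part of the original post or of LastPass’s tool. It assumes the leaked list is a set of unsalted SHA-1 hex digests with no account identifiers attached; the sample dump and vault below are constructed, not real leak data.

```python
# Added example: check a password, or a whole site -> password vault, against
# a leaked hash list, entirely offline.  Assumption: the dump stores unsalted
# SHA-1 hex digests and no usernames, which is exactly why a hit only proves
# that *someone* used the password, not that it was your account.
import hashlib
from collections import defaultdict


def sha1_hex(password):
    """Hash a candidate the same way the (assumed) dump stored it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed sample dump: a handful of weak passwords hashed as a leak file
# would hold them (one digest per entry, nothing identifying the account).
LEAKED_HASHES = {sha1_hex(p) for p in ("12345678", "password", "linkedin", "qwerty")}


def password_in_leak(password, leaked=LEAKED_HASHES):
    """True if this password's digest appears in the leaked set.
    The plaintext is hashed locally and never sent anywhere."""
    return sha1_hex(password) in leaked


def audit_vault(vault, leaked=LEAKED_HASHES):
    """Audit a site -> password mapping (e.g. a password-manager export) for
    the two problems the post describes: passwords present in the leak, and
    one password reused on several sites."""
    leaked_sites = sorted(site for site, pw in vault.items() if password_in_leak(pw, leaked))
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[sha1_hex(pw)].append(site)
    reused = sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)
    return {"leaked": leaked_sites, "reused": reused}


if __name__ == "__main__":
    # Constructed vault: two sites share a leaked password, one is unique.
    vault = {
        "mail.example": "12345678",
        "shop.example": "12345678",
        "bank.example": "ThisIsMyPa55w0rd!#^&",
    }
    print(audit_vault(vault))
```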
Lesson 3: A layered approach
There is no single solution that will prevent security breaches from occurring. As long as there is money to be made by stealing information there will be people trying to steal it. Eventually they will find an exploit. So you need to do your part, and companies need to do their part, to make the effort more difficult and less rewarding. This type of layered approach (strong, unique passwords for you; better encryption, methodology and monitoring for them) will minimize the fallout from the next leak. And yes, there will be a next one.
Your turn. Are you using a password manager? Do you have a better solution? Let me know in the comments section.