Since the LinkedIn password breach is in the news again, I thought I’d take a little time to remind everyone to check your passwords. Not your Windows passwords. Your other passwords.
In case you missed it, the LinkedIn password breach happened in 2012, and this week about 100 million previously unreleased email addresses and passwords became available for purchase. The asking price for the list is around $2200.
Even if you don’t have a LinkedIn account you should keep reading. LinkedIn is only one of many, MANY sites that have been breached and there will be more over time.
First things first
The first thing you should do is visit https://haveibeenpwned.com to see if your information has been leaked. Just type in your email address and you’ll know in a few seconds.
Second, click on the “Notify Me” link on that page. That way you’ll get an email if your address is ever leaked in the future.
Make sure you check, and subscribe, every email address you use (personal and business).
Note – there is an option for businesses to have their entire email domain monitored. If you need help setting that up please contact us.
If your address has been leaked you will see which sites were breached. Change those passwords immediately.
About your passwords
If you are like most people, your passwords are weak and you use the same password everywhere: Amazon, Gmail, eBay, your wireless account, your banking site, etc.
Don’t do this!
A weak password can easily be hacked. If it’s hacked (or leaked) and you use the same password everywhere then every account is compromised.
Just accept that at some point your account information is going to be hacked or leaked. Start with that premise. Even if you weren’t part of the LinkedIn password breach it’s almost certainly just a matter of time before you fall victim to another breach.
Use unique passwords. Every site should have its own password so if one site is compromised the rest won’t be.
Use strong passwords. 20 random characters is a good size – upper and lower case letters, numbers and special characters (%$^#@!). Example: $4sYP!VP2&7c4ppmd82N
Turn on two-factor authentication (2FA) on every site that supports it. With 2FA turned on you still sign in with your email (or username) and password. Then there’s a second step: the site either sends you a text message or uses a smartphone app called an authenticator, which generates a one-time code that you must enter to complete the login.
Many sites support 2FA now and more are adding it. What makes it such a strong security measure is that even if someone gets your email address and password they still need your phone for the code. And those codes expire in as little as 15 seconds. Far too short a time to be guessed.
Get a password manager
I am sure you’re thinking that unique, complex, 20 character random passwords are going to be impossible to remember. You’re right. So you will need a password manager to, um, manage them.
I can recommend a few, such as RoboForm, Dashlane, KeePass, LastPass and 1Password. Some are free and some are paid. They’re all good. The free ones usually offer a paid version with extra features such as syncing across multiple PCs and app versions for smartphones and tablets. I like the paid features, and they’re really affordable, so that’s what I use.
Of course, you’ll need to password protect your password manager. Again, a strong, unique password should be used. For this I prefer a pass-phrase that you can remember.
A pass-phrase is a password that is not completely random. The random example above, “$4sYP!VP2&7c4ppmd82N”, can’t be easily remembered, but a pass-phrase like “489PushPull!!!UpDown” or “My password is 1000 times better than your PASSWORD!!!” is strong, complex and easy to remember.
Don’t write your password down and leave it somewhere that isn’t secure. It’s the key to unlock all keys so use your best judgment. The best way to store it is by memorizing it. Set your password manager to ask for it at least once a day. After a week the odds you’ll ever forget it are pretty slim. If you must, write down a hint. If your pass-phrase is “489PushPull!!!UpDown” just write down “489…!!!…”. You’ll remember the rest.
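To make the “20 random characters” advice and the pass-phrase alternative concrete, here is an added example (not from the original post) that generates both kinds of credential with the operating system’s CSPRNG and puts a number on their strength. The symbol set is the one the post lists plus the `&` from its sample password; the 16-entry word list is a constructed placeholder standing in for a real word list such as Diceware’s 7776 words, and the passphrase generator goes slightly beyond the post’s hand-picked phrase by drawing words at random, which is what lets the strength be calculated at all.

```python
import math
import secrets
import string

# Character classes the post recommends: upper, lower, digits and a few symbols.
SYMBOLS = "%$^#@!&"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 69 symbols
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# Constructed toy word list for demonstration; a real list has thousands of entries.
WORDS = ("push", "pull", "up", "down", "river", "candle", "orbit", "maple",
         "signal", "quartz", "velvet", "anchor", "pepper", "cobalt", "meadow", "lantern")


def entropy_bits(length: int, pool: int) -> float:
    """Entropy of `length` symbols drawn uniformly and independently from `pool` choices."""
    return length * math.log2(pool)


def generate_password(length: int = 20) -> str:
    """Uniform random password from ALPHABET using `secrets` (never the `random` module).
    Rejection sampling guarantees every class appears without biasing any position."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(words: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Random word-based pass-phrase: memorable like the post's examples, but with
    strength that comes from the list size and word count rather than from guessing."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist=WORDS) -> float:
    """Each word is one uniform draw from the list, so entropy is words * log2(list size)."""
    return entropy_bits(words, len(wordlist))


if __name__ == "__main__":
    print(generate_password(), f"~{entropy_bits(20, len(ALPHABET)):.0f} bits")
    print(generate_passphrase(), f"~{passphrase_bits(5):.0f} bits with this toy list")
    print(f"5 words from a 7776-word list: ~{passphrase_bits(5, range(7776)):.0f} bits")
```

The numbers make the trade-off visible: 20 characters from a 69-symbol alphabet is about 122 bits, while five words from a 7776-word list is about 65 bits, still far beyond what a cracker can enumerate but only if the words are actually chosen at random rather than by a person.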
If you have any questions feel free to use the comments section below.
- How to change your LinkedIn password
- How to turn on 2FA – LinkedIn
- See what sites support 2FA
- Have I Been Pwned?
- Roboform Password Manager
- Dashlane Password Manager
- 1Password Password Manager
- LastPass Password Manager
- KeePass Password Manager
- Strong Password Generator
- GRC’s Password Test – note that this test only tests the size and complexity of your password. The password “password123” will score fairly high but is easily hacked.
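The caveat on the last link is worth seeing in code. The following is an added example, not from the original post or from GRC: a size-and-complexity meter of the kind the post describes, side by side with a check against a list of passwords already seen in breaches. The breach list here is a small constructed stand-in hashed with SHA-1, mirroring the k-anonymity style lookup used by the Have I Been Pwned “Pwned Passwords” range API (only the first five hex characters of the hash are sent to the service); the real service is not contacted, so this runs offline.

```python
import hashlib
import math
import string

# Constructed stand-in for a breach corpus. Kept as uppercase SHA-1 hex, the way a
# pwned-password corpus is distributed, so no plaintext has to be stored.
_CONSTRUCTED_BREACHED = ("password123", "123456", "linkedin", "Password1!", "qwerty")
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _CONSTRUCTED_BREACHED}


def complexity_bits(password: str) -> float:
    """What a size-and-complexity meter measures: length times log2 of the pool implied by
    the character classes present. It knows nothing about dictionaries or breach dumps."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def range_lookup(prefix: str) -> set:
    """Local stand-in for a k-anonymity range query: given the first 5 hex characters of
    the SHA-1, return every matching suffix. Only the prefix would ever leave the machine."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_known_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in range_lookup(digest[:5])


def assess(password: str, min_bits: float = 50.0):
    """Breach check first: a leaked password is the first thing a cracker tries, however
    complex it looks. Only then does size-and-complexity get a vote."""
    if is_known_breached(password):
        return False, "appears in a breach corpus; crackers try these first"
    bits = complexity_bits(password)
    if bits < min_bits:
        return False, f"only {bits:.0f} bits of complexity"
    return True, f"{bits:.0f} bits and not in the breach corpus"


if __name__ == "__main__":
    for candidate in ("password123", "Password1!", "abc", "$4sYP!VP2&7c4ppmd82N"):
        print(f"{candidate!r}: {complexity_bits(candidate):.0f} bits ->", assess(candidate))
```

“password123” comes out at roughly 57 bits on the complexity meter and “Password1!” at over 65, which is exactly why a meter alone is misleading: both are rejected here only because the breach check runs first.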