
How Often Should You Change Your Passwords?


Many security guidelines recommend changing your passwords every 90 to 190 days, or anywhere in between. However, changing them too frequently can be not only a waste of time but also an inconvenience. And, human nature being what it is, we tend to change just the last letter or a number, wrongly thinking that this is enough.

This happens mainly in organizations that enforce mandatory password changes. It is almost an official procedure, and one the I.T. department does not have a clue about.

I did it myself, and I bet that you often experienced this while switching on your computer in the morning to find out that you have to change your password.

However, I do not want to discuss company policies. Instead, I want to look at this from the perspective of a normal internet user, someone like myself.

OK, so how often should you change your passwords?

Personally, I only change my passwords if I think that the service provider’s data has been compromised. Currently, there is no legal obligation on data controllers to report breaches of security. However, many choose to do so, and typically news like this spreads very quickly.

One way to find out about the latest companies or organizations affected by data security breaches is to visit the Weekly Threat Report on the National Cyber Security Centre website.

That said, I prefer the NCSC Twitter account, where you can sign up for the weekly newsletter. That way, you do not have to remember to visit the site every week (please let me know if you are aware of a similar service operating in the US).

If the service you have an account with has been compromised, go on and change your password. In most cases, hackers steal a vast amount of data which requires time to process. So go there and change the password before they have a chance to access your account!

General Data Protection Regulation (GDPR).

From 25 May 2018, new rules are being introduced under the GDPR (General Data Protection Regulation), which state that breach notification is mandatory if the breach may result in a high risk to the rights and freedoms of the person. You may read more about it here.

I believe this is fantastic news, especially after a recent example when Uber concealed a hack that affected 57 million customers. It took a whole year for them to reveal this publicly.

Do you have an online account that has been compromised?

Visit Have I Been Pwned (HIBP), type your email address, and don’t panic as I did when I used the service for the first time. An account I had with Adobe was part of one of the largest single breaches of customer accounts ever.

The site is free, so go there, type your email address, and if you were affected, don’t panic. Some breaches listed on the website go back years, and there might be a chance that you already changed your password after the incident happened. However, if you are unsure, change your passwords for peace of mind.

Haveibeenpwned - check if your email was compromised

Using the same password for multiple accounts.

I cannot overstate the importance of using different passwords for each online account you have.

Let’s consider the following example.

My Adobe account was among 38 million stolen in the 2013 data breach. I changed my password immediately after the Adobe press release, but imagine the consequences of having my password exposed. Enormous password lists end up on the Dark Web for anyone to view.

And what do they do with it?

They will try to use the password and email to log in to other services. Hackers hope that I used the same password for all or some of my accounts.

They do not know what other accounts I have, but let’s be honest, 90% of us will have a Facebook, Twitter, or Google+ account. If I used the same password on all those accounts, they could take control of my whole online life within a few minutes.
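The following audit is an added example, not part of the original post: it takes a password manager export and, after a breach at one service, lists every account that shares the exposed password and therefore needs a new one. The CSV column names and all sample accounts and passwords are constructed assumptions.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export: hypothetical column names, made-up accounts.
SAMPLE_EXPORT = """name,username,password
Adobe,me@example.com,Sunshine2013!
Facebook,me@example.com,Sunshine2013!
Twitter,me@example.com,k7#Vq9!zLp2@wX
Google,me@example.com,Sunshine2013!
Pinterest,me@example.com,T4r$Jm8&bN1^cY
"""


def fingerprint(password: str) -> str:
    """Digest used as a grouping key so reports never echo the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def load(export_text: str) -> list:
    return list(csv.DictReader(io.StringIO(export_text)))


def reuse_groups(export_text: str) -> dict:
    """Map fingerprint -> account names, keeping only passwords used twice or more."""
    groups = defaultdict(list)
    for row in load(export_text):
        groups[fingerprint(row["password"])].append(row["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def accounts_to_change(export_text: str, breached_service: str) -> list:
    """The breached account plus every account that shares its password."""
    rows = load(export_text)
    exposed = {
        fingerprint(r["password"])
        for r in rows
        if r["name"].lower() == breached_service.lower()
    }
    return [r["name"] for r in rows if fingerprint(r["password"]) in exposed]


if __name__ == "__main__":
    print("Change now:", accounts_to_change(SAMPLE_EXPORT, "Adobe"))
    print("Reused passwords:", list(reuse_groups(SAMPLE_EXPORT).values()))
```

With unique passwords per account, a breach at one service returns only that service, which is the whole point of not reusing them.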

How to keep track of passwords safely?

According to a study performed by Dashlane, the company behind a highly successful Password Manager, the average person in the US has over 130 online accounts registered under one email address, followed by the UK with 118.

The average number of accounts registered to one email address in the UK is 118, and the USA is 130.

And this is just the beginning. The study continues, and the predictions are alarming, estimating that by 2020 the average person will own no less than 207 accounts!

Can you imagine managing all those logins and passwords? I know the pain; I was there myself. At least once a week, I tried to log in to some account only to realize that I had forgotten the password. The “I forgot my password” option had become my primary way of using those accounts! Absolutely crazy!

Password Managers to the rescue.

Before I list the most commonly used Password Managing software, consider other common Password Solutions for a minute.

Long before Password Management software was invented, we kept our secrets on a piece of paper.

The Adobe breach opened my eyes to the dangers waiting for me on the web. So I decided to start using a Password Manager.

After reviewing a number of them, I eventually purchased Sticky Password Manager. Then I changed every single password for every online account I ever had, creating unique, more complicated passwords for each of them.

I control over 60 accounts with my Password Manager, and I do not know the password to any of them. This is an amazing thing about Password Managers; they will allow you to create long, highly complicated passwords which you do not have to memorize.

Setup Two Factor Authentication.

Two-factor authentication, or 2FA, is a two-step verification where a user, apart from their password and login, must provide a third piece of information, usually in the shape of a token.

2FA considerably reduces the risk of losing control over the account: even with your password, the attacker will still need that additional piece of information to log in to your account successfully.

Go and check whether your online services offer two-factor authentication, and if they do, set it up now. Of course, you will need a mobile app to generate the codes for you. Fortunately, I listed the most popular applications below.

Download Authenticator app.

Use one of the apps below to set up Two-Factor Authentication. Both applications are free, and they will allow you to generate the temporary codes for the second verification step when you sign in to your online accounts.

Google Authenticator.

The Google Authenticator app is the most popular application of this type for Android and iOS devices. If possible, set 2FA on all your accounts and use this app to generate codes for you every time you sign in to your online account.

It is simple to use. Just press add and scan the barcode displayed for you on the screen or type the key provided to you by your service. From now on, you will need this additional piece of information together with your login and password to access your account.
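What the app does with that key can be shown in a few lines. The sketch below is an added example, not code from Google Authenticator or from the original post: it implements the standard time-based one-time password algorithm (RFC 6238, built on RFC 4226), assuming the common defaults of HMAC-SHA1, 30-second steps and 6 digits, and uses the RFC test secret as a constructed sample key.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret_b32: str, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since 1970."""
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # typed keys usually omit padding
    key = base64.b32decode(cleaned)
    return hotp(key, int(now) // step, digits)


def verify(secret_b32: str, submitted: str, now: float,
           step: int = 30, window: int = 1) -> bool:
    """Service side: accept the current period and `window` periods of clock drift."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


# Constructed sample key: the RFC test secret "12345678901234567890" in Base32,
# spaced the way services display a key for manual entry.
SAMPLE_KEY = "GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"

if __name__ == "__main__":
    code = totp(SAMPLE_KEY, time.time())
    print("code for this 30-second period:", code)
    print("accepted by the service:", verify(SAMPLE_KEY, code, time.time()))
```

The phone and the service compute the same code independently from the shared key and the clock, so nothing is sent to the phone at login, and anyone who copies the key or the barcode can generate valid codes too.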

As much as I like Google Authenticator, there is one big issue with it. It does not provide any data backup feature or data migration. So if I lose or damage my phone, I am pretty much screwed, and I will have a hard time resetting my accounts.

Duo Mobile.

Duo Mobile is a bit more advanced than Google Authenticator. You can still have your passcodes generated for you, but it also supports push notifications, a type of authentication where you receive a login request directly on your phone. This type of authentication is called Duo Push.

Authy.

Although Authy is the last on my list, it is still an excellent application. It not only generates tokens for 2FA but also provides a backup solution and synchronization with other devices.

Similar to Duo Push, Authy also supports push notifications, a feature called OneTouch. I tried this option on my Pinterest account, and I have to admit that I was impressed.

Unlike Duo Mobile, Authy will store an encrypted backup of your data on their secure cloud service. According to Authy, their cloud backup service uses the same algorithms as banks and even the NSA. However, personally, I am not the biggest fan of this solution, and I like to have full control over my sensitive data, and that for me usually means storing it locally.

I have to admit that I have not decided yet which application to use, so I am using them to see which one I like. I will update this post accordingly.

At the end of the day, it does not matter which application you install. The most important thing is that you take action and set Two-Factor Authentication on all accounts where possible.

Use the option in your Password Manager to set expiry dates for your passwords and change them on those dates.

Staying safe online requires effort, and it is up to you alone whether you take up the challenge.


Thomas Wzorek

I’m a Systems Applications Developer writing software in C# and .NET with interest in Cyber Security and Systems Administration. I divide my time between my family and passion for programming using .NET Technology and my favorite language, C#. If I’m not in Visual Studio, I’m probably trying to catch up with the continuously evolving Tech-World, researching Online Security & Privacy, and chasing the latest Data Breaches.