Today we will review the best ways to keep your accounts safe. The cardinal rule is very simple to follow: use a different password for every single account you own. Sounds impossible? We will look at ways to make this happen without erasing the milk from your mental shopping list. But first, let’s find out if somebody knows your password.
Does Somebody Know Your Password?
Last year was a record year for hackers. Here is a short list of some of the high profile companies which were directly targeted:
- U.S. Department of Justice
- Internal Revenue Service
- Snapchat
- Verizon
- Yahoo
- Hotmail
- Gmail
- Dropbox
These organizations saw millions of accounts’ login information stolen during security breaches just in the past year. Very often these logins were sold and could be found on the DarkNet.
Does somebody know your account information? Is your password to Yahoo circulating on the Internet? Sometimes it is difficult to tell as hacked companies are notoriously reluctant to reveal their failures. Even if hacking exploits are acknowledged by their victims, the sometimes vague notices sent to the end user may go unnoticed in an overflowing inbox.
One impressive website Have I been pwned (pronounced owned, pwned is gamer lingo for defeated) will check your email against their database of compromised accounts.
If your account is found there, you should change your password right away.
A Single Password Means All Your Accounts Are At Risk
We know it is easy to use a single password across different websites. But this means that if any one of these sites are compromised, all your accounts are at risk. Besides your bank account password, your email password is probably your most important password. It is very often the key to retrieve and unlock access to all your other accounts.
“With a single password, if any one of your accounts is compromised, all your accounts are at risk”.
The Nightmare Scenario: How Did My Account Get Hacked?
Because websites often require an email address as a username, if you use your email password to sign up on another website, you are jeopardizing the safety of your email account. Say you sign up for supergreatdiscountdeals.net with your email address and the same password as your email address. You use the site once to get a coupon, quickly forget all about it and move on.
A few months later, supergreatdiscountdeals.net gets hacked. You may or may not be informed about it but now someone has your login information to the site. The first step a hacker will take is test if the account combination email + password matches that of the email address which is registered. There is clearly very little that interests them from your supergreatdiscountdeals.net account but your email account is a lot more valuable to them.
To prevent hackers from leap-frogging from one account to all your other accounts, the best method is to create a different password for each website. With the right methods, it is remarkably easy as you will see below.
How To Create An Infinite Number Of Passwords
We explored in our very popular article the best method to create a password that works for everything. It is based on an algorithm of your choice which creates a password for each website you visit.
Here is an example of a very simple algorithm:
Color + Number + Tree + Special Character + First 4 letters of a website
This will render the following password for supergreatdiscountdeals.net:
Red1920Willow.supe
Which will be different from your Yahoo account password:
Red1920Willow.yaho
If one account is hacked, its login information cannot be used on the other website.
You can use this special password sauce recipe and make it your own. In particular, you might want to switch the letter choices for the website (every other letter of a website for example) so it is more difficult to identify the string at the end.
With such an algorithm, you can create a unique password for every website you visit. So how will you remember all these passwords?
Do Not Save Your Password In Your Browser
A word of warning, never save your password in your browser!
It is so tempting to have your browser manage your passwords. Once the popup suggests it, all it takes is a quick click on Save and at your next visit, your password will be there. Unfortunately it is also extraordinarily easy to see your password behind the asterisks as demonstrated in the animation below:
If you store your passwords in your browser, any person who has physical access to your computer could quickly remove the asterisks obfuscating the characters and by doing so unmask your password. Don’t click Save, click Never!
Note: do you think you know how to see your saved password in your browser?
Write your guess in the comment section below.
So how should you manage an almost infinite number of passwords?
How To Manage Many Different Passwords
Besides applying the password algorithm every time, my secret weapon is LastPass password manager.
LastPass is a small browser extension which saves your username and passwords on the LastPass server and retrieves them as needed. Locked behind a master password, your passwords will not appear unless you want them too.
LastPass also includes other very useful features such as the ability to log you in automatically to a website or remembering multiple logins for a single site. Granted, it doesn’t work for all websites, but for 90% of them, it does a stellar job.
Do Not Give Your Password Away
I want to end this article by warning you about giving your password away in a phishing attack. Phishing is an attempt to obtain information by disguising as a trusted website. Those attacks have become more refined. In the following example, an embedded image showing the picture of an attachment from Google Drive in Gmail links out to a fake sign-in with Google page which records email address and password:
This is the closest I’ve ever come to falling for a Gmail phishing attack. If it hadn’t been for my high-DPI screen making the image fuzzy… pic.twitter.com/MizEWYksBh
— Tom Scott (@tomscott) December 23, 2016
You can protect yourself from these phishing scams by keeping an eye on the security of a website (typically depicted in the URL address bar as a green lock).
Otherwise, once again LastPass is a great vigilante. By keeping track of logging domains, it would not have given out your credentials to the fake website.
If you have more tips to keep your account secure, let us know by leaving a comment below!