Patching and praying isn’t enough
A few weeks back I received a message from a website (where I have ordered a few things in the past) alerting me that someone had tried to reset my password, and if it wasn’t me, I should notify them and take various steps to secure my account.
It was not me, so I reported it, then I double-checked that my old password still worked, confirmed that since the attempt no one had ordered more stuff from them on my account, and I changed my password and set up two-factor authentication. Two-factor authentication is a step beyond the simple user name and password combination, usually involving using your cellphone. In order to make changes to your account, a person needs to log in with the user name and password, and then enter a confirmation code which the site sends you in the form of a text message to the phone at the time you make the request. This makes it very difficult for someone who has stolen your password to do nefarious things with your account, because they don’t have access to your phone.
A week or so later I received another such message from yet another internet web service that I almost never use. Again, I hadn’t requested a reset, so presumably someone was trying to hack me. This service didn’t offer two-factor authentication, and it wasn’t a place where one could spend money, so I just changed my password.
And then it happened again, this time at a big service owned by Microsoft, and this time the warning included additional information: the person who had tried to change my password had done so, according to Microsoft, from an IP address in Russia. Well, there are a lot of hackers in Russia, so that probably shouldn’t be a surprise.
This site offered two-factor authentication, so I set it up, changed passwords again, et cetera.
Then this week it all became clear: Russian Hackers Amass Over a Billion Internet Passwords
Lots of web services require you to use an email address in order to set up an account. The reason for this is that if you forget your password to the service, you can make a reset request, and they’ll send a link to the address you used so you can get back in. Most people use one email address for all of these sign-ins, and they use the same password everywhere, because remembering dozens of different passwords is difficult.
I use a program called 1Password, which has the ability to generate a separate password for me for every place I need one, stores the passwords in an encrypted database, and lets me access those passwords from either of my Macs, my iPhone, my iPad, or my Windows laptop (and if I owned an Android device, they’ve got that covered, too). Since 1Password has plug-ins for all of the major browsers, it’s really easy to use.
Anyway, this is my plug to say that if you don’t have something like 1Password, you really, really should. Mac OS X now has similar functionality built into the operating system. Pretty much every browser in the world will store passwords for you, and some of them have a secure password generation feature built in. And you do need more than just storage. Having the computer generate a different password for each site is a bit more secure than you trying to generate a new password, because 99% of the time when humans are told to think up a new password they do something like take the old password and add numbers, such as 123 or something easy to remember (and really easy for someone to guess or a hacking script to generate).
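To put a number on the point above, here is an added example (my own illustration, not code from the post or from 1Password) of what a password manager's generator does: draw each character from the operating system's cryptographic random source, and compare the size of that search space with the "old password plus a few digits" habit. The alphabet and 20-character length are assumptions; the page does not describe 1Password's actual algorithm.

```python
import math
import secrets
import string

# Assumed generator alphabet: upper/lower letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a fresh password; every character comes from the OS CSPRNG via secrets."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def appended_digits_bits(max_digits: int = 4) -> float:
    """Search space (in bits) when the attacker already holds the old password
    and the user only appended 1..max_digits decimal digits to it."""
    guesses = sum(10 ** k for k in range(1, max_digits + 1))
    return math.log2(guesses)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"-> about {random_password_bits(len(pw), len(ALPHABET)):.1f} bits")
    print(f"old password + up to 4 digits -> about {appended_digits_bits():.1f} bits")
```

A 20-character random password from this alphabet has roughly 131 bits of search space, while "old password plus up to four digits" is about 13 bits, a few thousand guesses for a script.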
I highly, highly recommend 1Password, myself, but there are other options: Lifehacker: Five Best Password Managers or Top Ten Reviews: 2014 Password Management Software Product Comparisons.
But again, I can personally vouch for 1Password.