Yesterday morning, I got an email message from the brilliant site created by security expert Troy Hunt, HaveIbeenpwned, informing me of a problem with a service I haven’t used in a long time, 123RF, a clipart and illustrations library: the site suffered an intrusion that managed to take over the email addresses, user names, IP addresses, names, passwords (in principle encrypted), telephone numbers and physical addresses of more than 8.5 million users.
First point: this can happen to anyone. It is not even evidence that this site, 123RF, had bad security practices: practically any site is vulnerable if someone invests the necessary resources and time. This happens all the time, and the thing to do is simply to be prepared for when it happens.
The problem with this type of intrusion is that, generally, the stolen information ends up on several easily accessible sites on the dark web, allowing anyone to download the file and then try to access accounts on other sites belonging to the many reckless people who still recycle the same password for different services or who use easy-to-guess rules to generate them.
A problem? Not for me. The password I was using at 123RF was generated by my password manager, LastPass, which I never knew (or wanted to), and of course, it wasn’t used anywhere else. In the event I might want to use 123RF again, I went onto the site, changed my password, and put in another, equally impossible to remember: 25 characters with numbers, letters and symbols, that would take a computer something like a hundred octillion years to figure out 🙂, so criminals trying to use the previous password elsewhere would fail. As long as quantum computers are not in common use, I can sleep at night. If only I could solve all my problems so easily.
What do you know about your passwords? The first thing should be that all those absurd rules about replacing an “E” with a “3”, an “A” with a “4”, etc. don’t work. Today’s cybercrooks are much smarter. If you are going to start creating your own passwords, which I don’t advise, at least take a look at the recent research of this group of Carnegie Mellon scientists. If you want to know how long it would take a criminal to figure out your password, check out this chart, or enter it on this page, which claims not to save it or share it with anyone.
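To make the two points above concrete (that “E”→“3” style substitutions add nothing, while a long manager-generated password is out of reach), here is an added illustration, not code from the original column or from any of the tools it links to. It undoes the classic substitutions before a dictionary check, exactly as cracking tools do, and then estimates the brute-force time for a random 25-character password. The word list and the guess rate of 10^12 per second are constructed assumptions; the resulting figure depends entirely on the rate you assume.

```python
import math
import string

# Constructed stand-in for a real cracking wordlist (assumption: a few common words).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "football"}

# The substitutions the column says no longer help; crackers reverse them as a first step.
LEET_MAP = str.maketrans({"3": "e", "4": "a", "0": "o", "1": "i",
                          "$": "s", "@": "a", "5": "s", "7": "t"})


def normalize(password: str) -> str:
    """Lower-case, drop trailing digits/symbols, then undo leet substitutions."""
    stripped = password.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP)


def is_dictionary_based(password: str) -> bool:
    """True if the password is just a common word dressed up with substitutions."""
    return normalize(password) in COMMON_WORDS


def charset_size(password: str) -> int:
    """Size of the alphabet a uniformly random generator would have drawn from."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def entropy_bits(password: str) -> float:
    """Entropy only holds for a random (manager-generated) password, not a human-chosen one."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e12) -> float:
    """Worst-case time to try every candidate at an assumed guess rate (offline attack)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["P4ssw0rd2020!", "Dr4g0n", "x7Q#m2Lp!vR9sT4&wZ0kJ5@nB"]:  # last one constructed
        bits = entropy_bits(pw)
        print(pw, "dictionary-based:", is_dictionary_based(pw),
              f"bits={bits:.1f}", f"years={years_to_exhaust(bits):.2e}")
```

A dressed-up dictionary word is caught regardless of its apparent character mix, while the 25-character random string comes out in the same range as the column's “hundred octillion years” at the assumed guess rate.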
The second thing you should do is enter the email addresses you usually use on HaveIbeenpwned, which will tell you how many data dumps it’s on, and then not only change the passwords of these sites if they were services you used regularly, but also, think about whether you have recycled these passwords for other services (and if so, change them too). I’ve been using HaveIbeenpwned for a while now: I’m even using the feature that allows you to enter your email and get a warning when new security violations are made public, and I haven’t gotten any spam as a result. The latest versions of some browsers also warn when you enter a password on a site if that password has already been exposed or when you try to use the same password on several sites, and invite you to change it. If so, listen to them.
If you run an organization and are still following the classic rules for periodically changing passwords, stop now: all you are doing in terms of security is confusing your workforce, who will probably resort to writing their password down on a post-it stuck to their computer screen. You are not going to improve your company’s cybersecurity with these practices.
If you’re going to take your internet security seriously, then sign up for a password manager. There are many articles out there on which are the best to use, some of which are free. This way, even if the security of your password manager were breached, the criminals would only take away a useless list of encrypted passwords. From then on, you will only have to remember one password, so just make sure you choose that one well. I would also recommend choosing a password manager with a smartphone version, and that you spend around an hour, once you have installed it, browsing all the services you use regularly and not so regularly to register them, as well as changing all the passwords you have for new ones generated by the manager, which can be very long and impossible to remember or guess.
If you don’t want to use a separate password manager, you can use the one offered by most browsers. It’s not the best option, nor the most comfortable if you use several browsers, nor the safest, but it’s definitely better than using nothing or your cat’s name.
In any case, use the tools I have provided links for to at least diagnose your security level. We spend a lot of time online and shouldn’t allow criminals to test our security. Doing things right costs very little. Think about it.
Oh, and one final piece of advice: Even if, as is probably the case with most of the internet-savvy people reading this on Forbes, you think your security practices are good enough, think about your friends and family. It is often older people who still use extremely weak passwords or just one password for everything. Better safe than sorry.