After a widespread, nonspecific data breach, the conventional wisdom is that people should change all their passwords. But, there’s a better way. With the right password management habits, you won’t need to change all your passwords every time you hear about an online attack.
Changing all one’s passwords won’t hurt, but it is cumbersome. Not only that, it’s a Band-Aid fix that stops short of offering a stronger and more long-term solution, says Sean Sullivan, Security Advisor at F-Secure Labs. Data breaches are the new reality, and it’s no longer a question of if it happens to you, but when. Sullivan says rather than being told to change all their passwords, consumers need practical advice worth following. So when the next breach is disclosed, they will be in control and will only need to change those passwords they know are affected.
“The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” says Sullivan. “Unless I find out about a breach with a specific account, I don’t worry about my passwords. That’s because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.”
So what are the successful strategies to avoid the hassle of changing passwords constantly? Sullivan points out a few key things:
Diversify to reduce your risk. Segregate your accounts by creating separate email addresses for different functions. For example personal, professional, financial. That way if one email is broken into, it won’t compromise all your other information too. “Why not have a separate email address for your financial accounts? Then don’t give that address to anyone but those financial institutions,” Sullivan says. A bonus: if you get banking-related email in your personal account, you’ll know immediately that it’s not legit.
When possible, use a different username than your email. Some services let you pick a unique username other than your email. When possible, it’s good to take this option as it’s that much more info a hacker needs to know. And use two-factor authentication when available.
Use a unique password for each online account. Using the same password to access different accounts is rolling out a red carpet for hackers. If a password for your Facebook account is stolen, criminals can hop over to your email and other accounts and try the same password there.
Don’t give online accounts any more data than is absolutely necessary. The less that is there to be compromised, the better.
If you are notified about a breach to a specific account, change that password. This goes without saying.
Changing your account password habits may take a little effort, but in the long run it’s easier and less stressful than having to change all passwords after news of every breach. And it’s worth it to keep your personal data and online identity safe. Sullivan suggests starting small, taking care of one account at a time and building up until all your passwords are handled.
“This is the post-PC issue people need to worry about because all their accounts are in the cloud,” Sullivan says. “There are two types of people in the world: Those that manage their accounts well, and those who are going to be in a world of trouble. Which group do you want to be in?”
For more information about passwords read Passwords: Real-world issues, tips and alternatives and Dealing with Passwords.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.