Put your hand up if you use the same password across multiple online accounts?
99% of the internet just put their hands up.
Firstly, let’s cover off why using the same password is such a bad idea.
Your username and password are a combination that you give to a provider. The provider uses that combination to grant you access to their platform.
These days, usernames are typically an email address and passwords are set by the user (you).
As your email address is publicly known, it’s pretty obvious that if someone guesses your password they can quickly get access to your system.
But what if you’ve created a SUPER strong password?! Nobody will ever guess it, therefore you’re secure. Right?
Yes! It’s improbable that anyone will guess a strong password like ‘iDon’tLikeCheeseAndBaconRolls!’
But what if the provider you use has weak database security, meaning someone can easily guess the password that protects their entire user database… which contains your SUPER strong password?
It then doesn’t matter how strong your password is – it’s known and now compromised.
What happens next?
If an attacker knows your username/password combination they will use an automated system that tries that combination against thousands of online systems.
Emails, banking, photos, backups… the whole lot will be compromised in a matter of seconds.
As of September 2019, the most likely impact of this will be to extort you over a long period of time. So you may not know immediately whether you’ve been compromised or not. The attacker will simply sit in your system waiting for banking details to arrive, invoices you’re sending… whatever.
How do I know if I’ve been compromised?
Head over to our Aussie mate’s website https://haveibeenpwned.com/ – you can see if any of your email accounts have ever been in a breach. Don’t be too alarmed – most people have been involved in a breach. In 2016 LinkedIn had a security breach that included 164 million email addresses AND passwords being exposed.
To make things worse, that 2016 breach actually occurred in 2012; the data simply remained out of sight for 4 years until it was offered up for sale.
If passwords are so easily compromised, why are we using them in the first place?
Computer passwords were first created in 1960 at MIT. Researchers there had developed a central computer that they all had access to. It was elegantly named the Compatible Time-Sharing System, or CTSS.
However, the system used a single disk file on a shared mainframe, so one of the researchers introduced the idea of passwords. Researchers could then only access their own files while using their 4 hours a week of computer access… yep, when computers were big enough to fill a room it was tough to get access time!
But the idea of a password was nothing new. In fact, they even date back to ancient Rome, “where an elaborate system of ‘watchwords’ was deployed that shares many of the characteristics of contemporary passwords.” And even back then enemy troops were trying to crack passwords to gain an advantage.
These days passwords are stored as “hashes” to provide more layers of security. A hash is a ‘one-way function’: a mathematical operation that is easy to perform but very difficult to reverse. The provider stores the hash rather than the password itself, so if their database is stolen the thief still has to guess each password rather than simply read it.
How do I protect myself?
Setting a strong password
As you’ve read, setting a strong password is only part of the puzzle. But in order to start somewhere, either use a random password generator, or, for passwords you need to remember, consider using a ‘passphrase’, which is basically a sentence stitched together.
Here’s one to get you going: DidYouKnowthatthisisalongpassword?!
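If you would rather let the computer pick, here is an added example (not from the original post) of a small generator that produces both kinds of password using Python’s `secrets` module, which is the right source of randomness for this job. The word list is a constructed, deliberately tiny one for illustration; a real generator would use a large list such as the EFF diceware list of 7,776 words. The entropy helper shows how to compare the two approaches in bits.

```python
import math
import secrets
import string

# Constructed sample word list (32 words = 5 bits per word). A real generator
# should use a large published list so each word is worth ~12.9 bits.
WORDS = [
    "cheese", "bacon", "roll", "koala", "beach", "surf", "kettle", "mango",
    "ferry", "bridge", "pencil", "river", "cloud", "garden", "lantern", "pebble",
    "violin", "tractor", "meadow", "copper", "orbit", "saddle", "walnut", "canvas",
    "glacier", "harbour", "jacket", "ladder", "marble", "nectar", "quilt", "zebra",
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(word_count: int = 5, wordlist=WORDS, separator: str = "-") -> str:
    """Memorable passphrase: several random words joined by a separator."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Random-character password like the one your browser offers to generate."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(choices: int, count: int) -> float:
    """Bits of entropy for `count` independent uniform picks from `choices` options."""
    return count * math.log2(choices)


if __name__ == "__main__":
    print(generate_passphrase())
    print(generate_password())
    # Six words from a 7,776-word list versus a 12-character random password:
    print(round(entropy_bits(7776, 6), 1))        # ~77.5 bits
    print(round(entropy_bits(len(ALPHABET), 12), 1))  # ~78.7 bits
```

The point of the entropy comparison is that a six-word passphrase from a proper list is as strong as a 12-character random string, and far easier to remember. Words from the tiny list above only give 5 bits each, which is why the list size matters.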
3 top security tips for you to do to keep your accounts secure
Now that we understand exactly what can happen if your password falls into the wrong hands, there are a few things you can do to help keep your accounts secure.
- Use a Unique, Secure Password for Everything – a unique, secure password for every account is the best way to keep a hacker from getting in. This way, even if one account is compromised, the hacker can’t use that information to attack your other accounts. Most browsers come with a tool to generate a random password.
- Use a Password Manager – A password manager stores all of your passwords in an encrypted file and allows you to access them whenever you need them.
- Use Multi-factor Authentication (MFA) – Wherever possible, set up MFA so that even if your password is compromised, an attacker still needs your phone to get into your account.
Or if you don’t have the time, inclination or just can’t be stuffed learning any of this stuff – call a professional who can do it for you!