Password Best Practices

How many passwords do you need to access all your online service providers? If the answer is one, you're flirting with danger!

Passwords are the primary security safeguard when it comes to protecting our accounts from unauthorized access. To be effective, they have to be difficult to guess, but easy for us to remember: two mutually incompatible conditions. Since we have to remember them to be of any use, we tend to favor the easy half of that equation.

This is where we put ourselves at risk. I asked the students in my class to list all the online services they regularly interact with and then asked them to identify all the ones that share the same password, or a slight variation of that password.

If you're like them, your entire online identity is only as strong as the weakest security practices of one of those online providers. And some of those practices can be very weak indeed.

It is not at all uncommon for password dumps to appear on sites like pastebin.com. When they do, cyber thieves will immediately test them against popular sites like Gmail, Hotmail, Facebook, Twitter, Instagram, PayPal, etc. Recently, Brian Krebs posted an article on his blog (krebsonsecurity.com) about a thousand-fold increase in fraudulent tax returns at the state level. TurboTax attributes this to cyber crooks using passwords that were exposed from one site and reused by their legitimate owners across a multitude of other sites, including their TurboTax accounts.

The solution is to use unique passwords for every online account. It's like the watertight bulkheads in a ship. If one is breached, the damage is limited to that single account.

But now we're back to our original dilemma, i.e., how do we remember them all? The solution is to use a password vault like KeePass or LastPass. The vault saves all your user names and passwords to an encrypted database, either on your hard drive (KeePass) or in the cloud (LastPass). You only need to remember the one password that opens the vault. These products make it possible to create, store, manage, and use separate passwords for each account.
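As an added illustration (this is not code from the original post or from any vault product), the small Python script below does two things the post describes by hand: it runs the class exercise from above mechanically, grouping a credential list by a normalized form of each password so that "slight variations" of the same password land in one group, and it then gives every account in a reuse group its own randomly generated password, which is the job a vault does for you. The sample credential list and the normalization rule (lowercase, drop a trailing year or symbol suffix) are assumptions made for the example.

```python
import re
import secrets
import string
from collections import defaultdict

# Constructed sample list standing in for one student's answer to the
# "which of your accounts share a password" exercise. Not real credentials.
SAMPLE_ACCOUNTS = {
    "gmail": "Sunshine2019!",
    "facebook": "sunshine2019",
    "bank": "Sunshine2020!",
    "twitter": "Tr0ub4dor&3",
    "turbotax": "Sunshine2019!",
    "shop": "correcthorsebatterystaple",
}


def normalize(password):
    """Collapse the cheap tweaks people apply to a reused password
    (case changes, a trailing year, a trailing '!' ) so that near-duplicates
    compare equal. The rule is an assumption chosen for this example."""
    base = password.lower()
    return re.sub(r"[\d\W_]+$", "", base)  # strip trailing digits/punctuation


def find_reuse(accounts):
    """Group account names by normalized password and return only the groups
    that contain more than one account, i.e. the 'watertight bulkheads'
    that are missing."""
    groups = defaultdict(list)
    for site, password in accounts.items():
        groups[normalize(password)].append(site)
    return {key: sorted(sites) for key, sites in groups.items() if len(sites) > 1}


def generate_password(length=20):
    """Generate a random password from the OS CSPRNG (secrets, not random),
    retrying until it contains every character class."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def replace_reused(accounts):
    """Return a copy of the account list in which every account that shared a
    password (or a variation of it) gets its own unique random password.
    Accounts whose password was already unique are left untouched."""
    fixed = dict(accounts)
    for sites in find_reuse(accounts).values():
        for site in sites:
            fixed[site] = generate_password()
    return fixed


if __name__ == "__main__":
    for key, sites in find_reuse(SAMPLE_ACCOUNTS).items():
        print(f"password family '{key}' is shared by: {', '.join(sites)}")
    repaired = replace_reused(SAMPLE_ACCOUNTS)
    print("reuse groups after repair:", find_reuse(repaired))
```

Run against the sample list it reports that gmail, facebook, bank and turbotax all sit on one password family, and after `replace_reused` no group remains. The point of the random generator is that a unique 20-character password per account is only practical when something other than your memory stores it, which is exactly the gap a vault fills.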

Of course, there are trade-offs between a local copy of your vault file and a cloud-based copy. And if someone were able to get your vault password, they would have access to all your passwords. But realistically, most people are at greater risk of having a password breached by one of the many service providers they interact with than of having their password vault hacked. To mitigate that risk, you need unique credentials for each account, and password vault software makes that practical.