After a widespread, nonspecific data breach, the conventional wisdom is that people should change all their passwords. But, thereís a better way. With the right password management habits, you wonít need to change all your passwords every time you hear about an online attack.
Changing all oneís passwords wonít hurt, but it is cumbersome. Not only that, itís a Band-Aid fix that stops short of offering a stronger and more long-term solution, says Sean Sullivan, Security Advisor at F-Secure Labs. Data breaches are the new reality, and itís no longer a question of if it happens to you, but when. Sullivan says rather than being told to change all their passwords, consumers need practical advice worth following. So when the next breach is disclosed, they will be in control and will only need to change those passwords they know are affected.
ďThe dirty little secret of security experts is that when thereís a data breach and they recommend to Ďchange all your passwords,í even they donít follow their own advice, because they donít need to,Ē says Sullivan. ďUnless I find out about a breach with a specific account, I donít worry about my passwords. Thatís because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.Ē
So what are the successful strategies to avoid the hassle of changing passwords constantly? Sullivan points out a few key things:
Diversify to reduce your risk. Segregate your accounts by creating separate email addresses for different functions. For example personal, professional, financial. That way if one email is broken into, it wonít compromise all your other information too. ďWhy not have a separate email address for your financial accounts? Then donít give that address to anyone but those financial institutions,Ē Sullivan says. A bonus: if you get banking-related email in your personal account, youíll know immediately that itís not legit.
When possible, use a different username than your email. Some services let you pick a unique username other than your email. When possible, itís good to take this option as itís that much more info a hacker needs to know. And use two-factor authentication when available.
Use a unique password for each online account. Using the same password to access different accounts is rolling out a red carpet for hackers. If a password for your Facebook account is stolen, criminals can hop over to your email and other accounts and try the same password there.
Donít give online accounts any more data than is absolutely necessary. The less that is there to be compromised, the better.
If you are notified about a breach to a specific account, change that password. This goes without saying.
Changing your account password habits may take a little effort, but in the long run itís easier and less stressful than having to change all passwords after news of every breach. And itís worth it to keep your personal data and online identity safe. Sullivan suggests starting small, taking care of one account at a time and building up until all your passwords are handled.
ďThis is the post-PC issue people need to worry about because all their accounts are in the cloud,Ē Sullivan says. ďThere are two types of people in the world: Those that manage their accounts well, and those who are going to be in a world of trouble. Which group do you want to be in?Ē
For more information about passwords read Passwords: Real-world issues, tips and alternatives and Dealing with Passwords.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.