I have written plenty about passwords over the last few years but I still have people happily telling me they use the same, single password for everything – a fact only made worse when the follow up comment is along the lines of, “..and I can’t be done with complex passwords.”
Good passwords are essential. A recent BBC Technology article (well worth a read, available here) makes the point succinctly;
“Security expert Troy Hunt, who maintains a database of hacked account data, said picking a good password was the “single biggest control” people had over their online security.”
Ensuring your password cannot be guessed is a vital first step. We do, however, need to do much more to protect our on-line existence.
Recent years have provided countless examples of high-profile data breaches resulting in the stealing of millions of records including usernames and passwords. For all of us it is more a case of when, rather than if, some of our own details will make it into criminal circulation.
In some cases the stolen data included passwords which were not encrypted well (or at all) by the data holder. In these cases the criminals have been able to access the password regardless of how complex it may have been. If that same password and username/email combination is used across multiple sites (e.g. Facebook, Amazon, PayPal, your email account, etc.) you are a single on-line company breach away from digital disaster.
We can protect ourselves effectively in a couple of ways;
1 – don’t use the same password across multiple sites
2 – do use different usernames/emails across multiple sites if possible
The password option is something we can all do. One can still have a complex password which forms the basis upon which a random (or well hidden) variation can be added for each different site ensuring no two passwords are identical. A further step is to use a password tool to generate and manage complex, random passwords. These options are covered in more detail in previous articles.
The ability to use multiple email addresses requires a little extra spending either side of around £20 a year. I own a .co.uk domain which I use outside of work and have it configured so that any emails sent to the domain are delivered to my private email account.
If I sign up to a store on line I have the option of using the store name as the first part of the address, e.g. halfords@mydomain.co.uk or currys@mydomain.co.uk, etc. Any compromise would only reveal a username and password related to that site which would be useless anywhere else.
A useful by-product of this is that if I receive any junk or phishing email to one of these addresses which has not come from the original store, I can make a reasoned guess that the holder of that address has had a data breach so can take the opportunity to change the associated password.
Managing multiple usernames and passwords requires time and effort but the prolonged use of a single, favourite password is too great a risk to take. Varied passwords and, where possible, varied email usernames offer significantly higher levels of protection in our on-line world.
If you have questions or want assistance with your on-line security, please get in touch on 0118 976 7111.