Weak or compromised passwords are among the biggest threats to online security and privacy. Once cyber criminals get hold of your password, they can not only use it to break into your account but also sell it to other criminals – often through the “dark web” – making you a sitting duck for multiple attacks, sometimes over the course of years. And you’re especially vulnerable if you’ve used the same password for more than one account.
Thieves have access to storehouses of stolen passwords, often harvested from data breaches. These passwords can be stored and distributed for years, which is why it’s important to periodically (perhaps once or twice a year) change your passwords even if you’re not aware of having been involved in a breach (often you have no clue).
Google has a partial solution. On Safer Internet Day, Google released a Chrome browser extension called Password Checkup that checks to see if any of your recently used passwords were detected in a data breach.
The extension, which works with all your non-Google accounts, looks for usernames and passwords you use and compares them against a list of over 4 billion credentials that Google knows have been compromised. If there’s a match, the extension “will trigger an automatic warning and suggest that you change your password,” according to a Google blog post. Google already offers this level of protection for your Google accounts.
Once installed, you’ll see the Password Checkup logo in the extension area of Chrome, to the right of the URL bar. If you click on it, it will tell you if any of your recent passwords were detected in a data breach.
Using security tools like Password Checkup is a good practice, but it’s not enough.
You need to have strong, unique and secure passwords for all of your accounts.
Of course you want very strong passwords for sensitive accounts like online banking and health sites and apps, but you should also have strong security on your email accounts, social media and other services.
Weak, compromised or shared social media accounts can be used by criminals or just online vandals to impersonate you, embarrass you or even commit cyber crimes in your name. The same is true with email accounts, but they can also be used as a gateway to your other accounts. Most “forgot password” resetting systems involve sending a link to your email. So, once thieves have your email password, they may be able to get into other accounts as well.
So, you should do all you can to have strong, unique, and private passwords that you don’t share with others, including close friends. Anyone at any age can be victimized but children can be drawn to password sharing, as an act of friendship. Kids should be reminded that friends can become ex-friends and that passwords should never be shared except, perhaps, with their parents.
Seniors are another vulnerable group. While most seniors are fully aware of the risks and are careful, there are some who, because of diminished capacity or a lack of technology experience, may be subject to manipulation. That’s why my nonprofit, ConnectSafely.org, wrote the Senior’s Guide to Online Safety, free at connectsafely.org/seniors.
An important tool to increase security is two-factor authentication, also called multifactor authentication. This is similar to the way an ATM card works – something you know and something you have. In most cases, two-factor authentication involves telling the service your mobile phone number and having them text you a code to your mobile device whenever someone tries to log into your account from a new device. If it’s you, you simply type in that code and you’re in. But anyone without access to your phone is out of luck. Google, Apple and Microsoft give you the ability to simply approve a log-in from your phone without typing in a code.
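The texted-code flow described above, seen from the service’s side, as an added example (not Google’s, Apple’s or Microsoft’s code, and with a constructed server secret). It shows the three properties a practitioner expects of such a code: it expires, it works only once, and guesses are rate-limited so a six-digit code cannot simply be brute-forced.

```python
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side handling of an SMS-style one-time code.
CODE_DIGITS = 6          # a 6-digit code has only 1,000,000 possibilities
CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # after this many wrong guesses the code is dead


def _digest(server_secret, code):
    # Store an HMAC of the code rather than the code itself, so a leaked
    # challenge table does not hand an attacker the live codes.
    return hmac.new(server_secret, code.encode(), hashlib.sha256).hexdigest()


def issue_code(server_secret, now=None):
    """Generate the code to text to the user.

    Returns (code, state): the code goes to the phone, the state stays on
    the server. `now` can be supplied to make the example deterministic."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    state = {
        "digest": _digest(server_secret, code),
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
        "used": False,
    }
    return code, state


def verify_code(server_secret, state, submitted, now=None):
    """Return True only for the right code, within its lifetime, on a fresh,
    not-yet-locked challenge. Every call counts as one attempt."""
    now = time.time() if now is None else now
    if state["used"] or now > state["expires_at"]:
        return False
    if state["attempts"] >= MAX_ATTEMPTS:
        return False
    state["attempts"] += 1
    # Constant-time comparison avoids leaking how many characters matched.
    if hmac.compare_digest(state["digest"], _digest(server_secret, submitted)):
        state["used"] = True   # a code is good for exactly one login
        return True
    return False


if __name__ == "__main__":
    secret = b"constructed-server-secret-not-for-real-use"
    code, state = issue_code(secret)
    print("texted code:", code)
    print("wrong guess accepted?", verify_code(secret, state, "000000" if code != "000000" else "000001"))
    print("right code accepted?", verify_code(secret, state, code))
    print("replay accepted?", verify_code(secret, state, code))
```

The attempt counter is incremented before the comparison so that a wrong guess and a right guess cost the same; without it, the 1,000,000-code space is small enough to enumerate within the five-minute window.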
It’s also important to have a strong and easy-to-remember password that’s at least slightly different for each site or app. That sounds like a tall order, but it’s pretty easy to accomplish. Think of a phrase like “I met Sally Johnson at Lincoln High School in 1994” and use the first letter of each word, capitalizing where appropriate, then add a symbol and the year, so your password might be “ImSJaLHSi$94.”
But that’s the basic password. For each of your sites, add some letters like Ge for Google or Fk for Facebook, or whatever you can remember. Another option is a long phrase that you can remember, again mixing letters and numbers.
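The phrase recipe from the two paragraphs above, plus a local stand-in for the breach comparison that Password Checkup performs, as an added example (this is not Google’s code; the “breached” list here is a small constructed set of hashes of well-known weak passwords, and the recipe keeps each word’s own capitalization, which reproduces the author’s example). It also flags a password reused across sites, the habit the column warns about.

```python
import hashlib

# Constructed stand-in for a compromised-credential list: SHA-1 hashes of a
# handful of notoriously weak passwords. Real services hold billions of entries.
def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


BREACHED_HASHES = {sha1_hex(p) for p in ["password", "123456", "qwerty", "letmein"]}


def base_password(phrase, symbol="$"):
    """Build the base password from a memorable phrase the way the column
    describes: first letter of every word, keeping its capitalization, then a
    symbol and the last two digits of the year that appears in the phrase."""
    initials = []
    year = ""
    for word in phrase.split():
        if word.isdigit() and len(word) == 4:   # the year, e.g. 1994 -> 94
            year = word[-2:]
            continue
        initials.append(word[0])
    return "".join(initials) + symbol + year


def site_password(base, site_tag):
    """Per-site variant: the base plus a short tag such as 'Ge' or 'Fk'."""
    return base + site_tag


def is_breached(password, breached=BREACHED_HASHES):
    """Compare a hash of the password, never the plaintext, against the list."""
    return sha1_hex(password) in breached


def find_reused(site_passwords):
    """Return every password that appears under more than one site."""
    seen = {}
    for site, pw in site_passwords.items():
        seen.setdefault(pw, []).append(site)
    return {pw for pw, sites in seen.items() if len(sites) > 1}


def audit(site_passwords, min_length=12):
    """Report, per site, which of the column's rules a password fails."""
    reused = find_reused(site_passwords)
    findings = {}
    for site, pw in site_passwords.items():
        problems = []
        if is_breached(pw):
            problems.append("found in breach list")
        if pw in reused:
            problems.append("reused on another site")
        if len(pw) < min_length:
            problems.append("shorter than %d characters" % min_length)
        findings[site] = problems
    return findings


if __name__ == "__main__":
    base = base_password("I met Sally Johnson at Lincoln High School in 1994")
    accounts = {                       # constructed sample vault
        "google": site_password(base, "Ge"),
        "facebook": site_password(base, "Fk"),
        "oldforum": "password",
        "bank": "password",
    }
    for site, problems in audit(accounts).items():
        print(site, "->", problems or ["ok"])
```

Hashing before the comparison is the minimum a practitioner expects from any breach check; the real Password Checkup goes further and never reveals the full hash to Google either, which this local example does not attempt to model.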
You should always change your password if you think you may have been caught up in a data breach, and you should also change it periodically, perhaps on Safer Internet Day, which is always on the first or second Tuesday of February.
Also, consider using a password manager like RoboForm or LastPass. These apps will fill in your passwords for you. Just be sure to create a strong password for your password manager account, since anyone who gets hold of it can steal all your passwords.
It’s OK to write down your passwords, but put the piece of paper in a drawer, not in front of your computer.
You’ll find more password advice at ConnectSafely.org/passwords.
Larry Magid is a tech journalist and internet safety activist.