What’s your password and when was the last time you changed it?
It’s time to take your Pa$$w0rD strategy seriously.
Watch me explain the origins of this post in a short 2.5 minute video recorded at the Mercer Defined Benefit Roadshow in Manchester.
I want to really scare you into changing your online behaviour. Head to a website called haveibeenpwned and either enter your email address or your password and see what happens next.
The site is legit and has been run by fellow Aussie Troy Hunt for the last 5 years. He painstakingly adds all of the information that is in the public domain from all the major data breaches that have occurred.
Latest count on the site shows 345 breached sites and over 6.8 billion accounts that have been hacked (or “pwned”, hence the name) and put up for sale. Troy has loaded the breached data into a database and lets you securely check whether your password has been breached.
If you do this today, you will more than likely see that your “favourite” password you have been using for years has been compromised and perhaps you will consider taking password security seriously.
What’s your password?
I used to have just 3 passwords for all of the sites I used:
A short1
A LonGer0ne
A muchLong3RandH4der2guezz one
(to be clear these were not the actual passwords!)
I used the short one on websites I visited infrequently, the longer one on more important sites and the much longer one on banking sites and sites where my personal information needed to be kept secure.
The best password is one so long and complex you can’t remember it
That was until almost exactly 12 years ago when I decided to get serious about my passwords. I’ve used a variety of password managers over the years, starting off with Sticky Password in 2007 and just in the last 2 months I have changed from LastPass to 1Password.
I did this primarily because 1Password has a direct integration with the haveibeenpwned website and is able to check, from within the app, which of my sites and passwords are vulnerable.
When I ran the “Watchtower” feature inside 1Password the results shocked me. Even though I had been using a password manager for 12 years, my password hygiene was poor. I had hundreds of reused passwords on multiple sites, weak passwords and 438 that were included in the haveibeenpwned website.
It was time to get serious about my passwords.
I’ve just spent the best part of 3 weeks cleaning up my online life with the help of 1Password, and have reduced the number of sites with a password from around 1300 to just under 800. The shot above was taken before the cleanup.
This exercise involved using 1Password to check each and every site and changing every password. I’ve never seen so many “forgot my password” buttons before! Not surprisingly, in the last 12 years many of these sites have stopped running, so I was able to have a massive digital clean-up.
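The haveibeenpwned password check works by k-anonymity: the client sends only the first five hex characters of the password’s SHA-1 hash and compares the rest of the hash locally against the returned list, so the password itself never leaves your machine. The following is an added example (not haveibeenpwned’s or 1Password’s code) that runs that check offline against a constructed range response and then audits a constructed vault for reused and breached passwords, much like the Watchtower scan described above; the sample counts, suffixes and site names are made up.

```python
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Tuple


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated, possibly padded with count 0)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity check: only the 5-char hash prefix is sent; suffix matched locally."""
    digest = sha1_upper(password)
    return parse_range(fetch_range(digest[:5])).get(digest[5:], 0)


# Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
# The suffix for "password" is computed; the other lines and every count are constructed.
_PWNED_SUFFIX = sha1_upper("password")[5:]
_SAMPLE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    f"{_PWNED_SUFFIX}:3861493\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:0\r\n"  # padding-style entry, count 0
)


def fake_fetch_range(prefix: str) -> str:
    assert len(prefix) == 5, "the API takes exactly a 5-character prefix"
    if prefix == sha1_upper("password")[:5]:
        return _SAMPLE_BODY
    return "0000000000000000000000000000000000A:1\r\n"  # constructed, no match


def audit_vault(vault: List[Tuple[str, str]], fetch_range=fake_fetch_range) -> Dict[str, List[str]]:
    """Report sites whose password is reused elsewhere in the vault or appears in a breach."""
    by_password: Dict[str, List[str]] = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    report: Dict[str, List[str]] = {"reused": [], "breused": []} if False else {"reused": [], "breached": []}
    for pw, sites in by_password.items():
        if len(sites) > 1:
            report["reused"].extend(sites)
        if pwned_count(pw, fetch_range) > 0:  # one range query per distinct password
            report["breached"].extend(sites)
    return report


# Constructed vault: one generated password plus a reused, well-known weak one.
SAMPLE_VAULT = [("bank.example", ":#s=JA=i%:Pyxg+8DT.^"),
                ("forum.example", "password"), ("shop.example", "password")]
```

To run it against the live service, replace fake_fetch_range with a function that performs the HTTPS GET for the prefix and returns the response body.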
Why use a password manager?
Using a password manager means that EVERY site has a unique and LONG password assigned to it – one that I could never remember, such as :#s=JA=i%:Pyxg+8DT.^ (yes, that is an example of a strong password that 1Password can generate for you instantly).
The role of a password manager is to keep track of all the passwords, so I need to remember just 1 master password (hence the name 1Password) to access the password vault.
You can use a password manager like 1Password on all of your devices. On your desktop, when a password or login screen appears, the job of 1Password is to automatically fill the fields so you can log in without having to remember the password.
The passwords are securely synced so you can also use the app on your phone and tablet. iOS 12 now has a deep integration with most major password managers, meaning logging in on your mobile device is a breeze (and you can link it with TouchID or FaceID for added security each time you request a password for a particular site).
A password manager has saved me so much time and streamlined my digital life – I would not be without one.
Both LastPass and 1Password allow me to use an additional level of security – the Duo Security 2-factor push integration – so that my master password is useless if breached without my phone and the 2-factor code. It goes without saying that all the passwords are encrypted, and 1Password have published their security methodology and also have a whitepaper outlining what they do to keep your passwords safe. This is the sort of transparency that allows me to trust one app with all my digital secrets.
A neat feature 1Password also provide is an “Emergency Kit”. This allows you to print out the way to access your vault in case of emergency. I have provided this for safekeeping with someone I trust so they have access to all my sites in case something happens to me (or my equipment is stolen).
If you do nothing else today – head to haveibeenpwned to scare yourself that your passwords (and possibly your email address, login details etc) are out there being sold, and commit to having a dedicated password strategy.
If nothing else, you don’t want your personal information (or your company’s secrets) splashed all over the internet, so it is up to you personally to be part of the security solution, and not rely on what your company or school provides in terms of firewalls or gateways.
It is no longer a case of if you are going to have your personal details stolen, it is a case of when.
You need to get serious about password security TODAY!
Go on – head to haveibeenpwned now! It will scare you into action BEFORE your password gets hacked.