Screenshot: Gracie Films
This week, password manager Dashlane analysed ten years’ worth of passwords from public data breaches. The big lesson is, don’t reuse passwords. Not even a little, not even with a “formula”. Password formulas are easy to hack. And even your bullshit accounts deserve strong, unique passwords.
[referenced url=”https://www.lifehacker.com.au/2018/05/password-formulas-dont-fool-hackers/” thumb=”https://i.kinja-img.com/gawker-media/image/upload/t_ku-large/ma9fvujmsnccjbu82f8z.jpg” title=”Password Formulas Don’t Fool Hackers” excerpt=”Every time we write about passwords on Lifehacker, a few readers share their secret formula for creating passwords. According to Ryan Merchant, senior manager at the password manager Dashlane, those formulas are easy to hack.”]
If you’ve reused passwords from any of these 284 hacked sites, including MySpace, LinkedIn, Adult Friend Finder, 8tracks, and Adobe, any bored hacker could try those exposed passwords on your other accounts. (In many of these breaches, the leaked passwords were still encrypted. But some of the encryption was so weak that hackers were still able to decrypt short or common passwords.)
So don’t reuse passwords on multiple sites and services.
“But,” you say, “I only reuse my password on my bullshit accounts!” Really, you’d be fine with all your “bullshit” accounts getting exposed at once, just because your old Hotmail account got hacked? Are all those accounts really so “bullshit”?
Anything with your credit card info isn’t a bullshit account
If logging into a certain account lets you spend money, you should probably put that behind a strong password. If you just made a one-time login to ThinkGeek, and you used the same password as your old AIM account, you made it easy for a stranger to mail themselves official Young Han Solo jackets on your dime.
Do you really want to replace your credit card and do all the attendant paperwork just because you used the same password on Nordstrom Rack and 9GAG?
Anything with your social identity isn’t a bullshit account
If you logged into some trendy social media site with your bullshit password, and then that trendy social media site ended up being Twitter, it’s probably time to change it. Maybe you won’t be embarrassed when your account DMs all your friends with spam links! Maybe your aunt is too smart to fall for a scammer messaging her from your hacked account! Maybe the hacker will get more retweets than you!
Seriously, have some self-respect and get a new password for each of your social accounts.
Dashlane senior manager Ryan Merchant points out that personal info in one account can be used to access your other accounts. This mostly matters if someone is specifically targeting you, but it’s one way that a small breach can turn into a big one. So even those truly bullshit accounts are useful to someone targeting you for identity theft.
Anything you don’t want to delete isn’t a bullshit account
If handling all these old accounts sounds exhausting, delete them. (AccountKiller has specific instructions for deleting most online accounts). But if you have too much emotional attachment to delete an account, then you have too much attachment to let it get hacked.
This is all easier if you have a password manager. And yes, some day maybe a password manager could get hacked. But so far, all of our major recommendations have a much better track record than sites like AOL, Yahoo and LinkedIn. And a life without memorising passwords is a life with less stress.
Comments
10 responses to “Why Even Your Bullshit Accounts Deserve Strong Passwords”
You don’t need a password manager, and in fact you’re probably better off NOT using a password manager. Why? Well the obvious problem is if you’re using a laptop then if it’s lost/stolen there goes all your passwords. A simple paper notebook (ah good old analogue methods) where you write down passwords works well. Sure, it could be stolen too, but if you leave it in your desk then someone has to physically break into your house and then steal a non-descript looking notebook. Of course, you will need to remember your passwords if you’re using your laptop while out and about in that case…
And despite what this article says I still believe we have bullshit accounts, I think the key point of the article is that you need to be careful determining whether it’s genuinely a BS account or not. Since I put made up junk data into a lot of the accounts I create (fake birthday, address etc) I’m not too concerned about scammers using that info.
Hey if having an analogue notebook to store your passwords works for you, well done. Personally, password managers sit in that sweet spot of convenience and security. Not completely secure but good enough. How do you come up with your passwords to put in your notebook? We are generally terrible with coming up with “random” passwords.
Like I said, the password manager is fine but a problem if the PC it’s on is lost, damaged or stolen. Unless you use an online one (as @djbear suggests) but I wouldn’t trust that for other reasons.
As for passwords, well whether you use a notepad or a password manager app the creation process can be the same. You don’t need to remember the passwords so you can make them anything. Literally a huge string of gibberish numbers and letters. No need for an algorithm just bash away at the keyboard and see what comes out. “AKNJI$Df78yserilt8jhgv879w34ht” there you go, there’s a new one.
Or use real phrases but long ones. Do you think any hacker will guess, or password cracker will brute force “great green gobs of greasy grimy gopher guts” if you use that as a password? And if you do some simple letter-number and letter-special character swaps it’s even less likely.
Note: I don’t use either of those passwords 😛
How does that work?
My password manager (Lastpass) encrypts and stores all the data in the cloud. It does not store anything on my local machine. If you using a password lockers that encrypts and stores in only on one source your asking for trouble.
And I would never trust a cloud based password storage app since you then have other issues.
Oh I can’t access that password app because their site is down becomes “oh hey I can’t access anything I want to use because I don’t remember the password”. And that’s before you get into the security concerns.
And what happens when you lose that notebook you wrote your passwords on or spill a drink on it?
I mean we could go in endless loops. No method is 100% fool proof. I just like mine 🙂
*shrugs* of course. And if you want you can write down your password in two notebooks.
Your turn 😉
Being serious, I just dislike the over-reliance on the cloud. We’re continually seeing stories about security issues – data being stolen from companies that should do better, or outages (bloody Telstra a week ago or the NAB on the weekend are good examples). So personally I’d rather not rely on the cloud for things that don’t *need* the cloud.
Well lastpass at least has the cloud covered if they go offline. The encrypted data is also stored locally on your machine and you can export it in the event the servers go down.
And if they were hacked they wouldnt be able to do anything with the data because lastpass only stores the encrypted data. Nothing else.
https://lastpass.com/support.php?cmd=showfaq&id=1376
I did a lot of research before signing up to lastpass so i could be confident in their service.
Fair enough. That sounds a lot more robust than some of the solutions.
Set yourself a rule, if the site doesn’t support multi-factor authentication, don’t register with it. And if the account already exists, revisit it and, while you’re there changing your password, see if there’s now an option to set up two-factor authentication or similar.
Multi-factor authentication may not be unbreakable, but it’s a helluva lot better than a reused password.
I also have a rule for online shopping, if a merchant site won’t let me checkout without registering all my details with them I simply move on to another seller. There’s literally no need for, say, a bookseller to know my date of birth and mobile phone number let alone store my credit card details.