No doubt you've Googled yourself at least once to see what comes up (or to see what embarrassing photos and blog posts you need to purge from the web before your boss finds them). While doing a search for yourself might yield some predictable results -- your LinkedIn page, any mentions of you in the local paper, obituaries for other people with the same name -- a conversation with a friend on the topic of data breaches led me to search for something I rarely need to find: my own iCloud email address. That search brought me to a sketchy-looking blog post filled with information one would rather not have online, namely, usernames and passwords. If, like me, you thought your security hygiene was under control, that quick search might be a rude enough awakening to inspire you to take a few steps toward further protecting your personal data.
One Weak Password Can Break Your Security Chain
The username and password combo I found when searching for my email address belonged to an old streaming service I used in 2015. While I'd since cancelled the service, I was both concerned about what other personal data was floating out in the ether, and embarrassed I'd been compromised by a password I'd always meant to retire.
The password was used for more than just an HBO subscription. In the past I'd used it for bank accounts, social media pages, and other sites I knew I'd want to try out for a bit, usually with a slight change to the original each time. While I wasn't alone in my compromised state (the list included dozens of now-defunct accounts), the fact remained I was still a potential victim. It was the weak link in my data security chain, one that needed to be replaced with something more robust and capable of protecting me.
Ditch the Old Password
Before you begin creating permutations of that one passphrase you've hung onto since college, know this: you're doing passwords wrong. (And if your password is a series of phrases rather than a string of characters with numbers or symbols, you need a new way to create passwords.) First, you should rid yourself of the compromised password as soon as possible, as well as all the slightly-altered versions you use for different accounts in an attempt at securing them from attackers.
While you're at it, you should look at your most-frequented accounts to see which passwords need an update. This is where password managers come in. Besides keeping track of (and in some cases creating) your secure passwords, these services can also do an initial assessment to tell you if your passwords suck. More on those below:
Get a Password Manager Already
Not using a password manager is basically begging for trouble. Password managers not only make it easy for you to generate strong passwords for all of your accounts, but their integration into your web browser through extensions, or your smartphone with a companion app, makes it easy to get access to your personal information wherever you are, all while keeping your private info secure.
With a password manager, you can ditch the old method of trying to remember passwords for every site, or writing them down on a post-it you stick behind your computer monitor (such a bad idea, by the way). While I use 1Password ($US35 ($45) per year), other options like LastPass ($US24 ($31) per year) and KeePass (free) exist and offer their own unique features in addition to easy password management.
You don't have to change them all at once; I change about one to two passwords every other day, which makes the process less intensive but also, obviously, slower. If you've got the time, you should create new, updated passwords for as many accounts as you can, as quickly as you can. Better to be secure than sorry.
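The two things a password manager does in this section, generating a strong unique password per site and auditing the ones you already have, are easy to see in code. The example below is added here and is not from the article or from 1Password, LastPass or KeePass; the vault is a constructed sample that mirrors the "slight change to the original each time" habit described above, and the variant-detection heuristic (normalising case and trailing digits/punctuation, plus a similarity ratio) is an assumption of this example, not any product's algorithm.

```python
import secrets
import string
from difflib import SequenceMatcher

# Generation draws from the OS CSPRNG via `secrets`; never use `random` for this.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Uniform random password over 94 printable characters (~131 bits at length 20)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_passphrase(wordlist: list, words: int = 5, sep: str = "-") -> str:
    """Diceware-style passphrase: random words from a list, joined by a separator."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def normalise(pw: str) -> str:
    """Collapse the usual tweaks to a base password: case, trailing digits and symbols.
    (Heuristic assumed for this example.)"""
    return pw.lower().rstrip(string.digits + string.punctuation)


def audit_vault(vault: dict, similarity: float = 0.8) -> list:
    """Return (site_a, site_b, reason) for every pair of accounts whose passwords
    are identical or close variants of each other."""
    findings = []
    items = list(vault.items())
    for i, (site_a, pw_a) in enumerate(items):
        for site_b, pw_b in items[i + 1:]:
            if pw_a == pw_b:
                findings.append((site_a, site_b, "identical"))
            elif (normalise(pw_a) == normalise(pw_b)
                  or SequenceMatcher(None, pw_a, pw_b).ratio() >= similarity):
                findings.append((site_a, site_b, "variant"))
    return findings


# Constructed sample vault: one base password reused with small changes, plus
# one account that already uses a generated password.
SAMPLE_VAULT = {
    "streaming-2015": "Tigers2009!",
    "bank": "Tigers2009#",
    "social": "tigers2009",
    "shopping": "Tigers2009!",
    "email": "q7$Lm2vP!xK9wZr3#bNd",
}


def sample_audit() -> list:
    return audit_vault(SAMPLE_VAULT)


if __name__ == "__main__":
    for site_a, site_b, reason in sample_audit():
        print(f"{site_a} / {site_b}: {reason}")
    print("replacement for streaming-2015:", generate_password())
    print("passphrase:", generate_passphrase(["tiger", "lamp", "river", "orbit", "cider", "maple"]))
```

Every pair among the four reused accounts is flagged (one pair as identical, the rest as variants), while the email account is left alone; that is exactly the "initial assessment" a manager gives you, and the replacements it proposes come from a CSPRNG rather than from another permutation of the old string.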
Enable Two-Factor Wherever You Can
Add another layer of security to your accounts after you change your password by employing two-factor authentication. Forms of two-factor authentication include entering single-use codes sent via SMS message when you attempt to log in, or randomly generated codes from a two-factor authentication app, like Authy or Google Authenticator, that you enter after your login attempt. Both methods help prevent people who have obtained your login information from actually getting into your account, primarily because they lack access to your phone's text messages and apps.
Enable two-factor authentication on email accounts, financial accounts, social media profiles, or any site that stores your personal information, like a cloud storage service or online retailer. A good rule of thumb to follow when dealing with sites that don't employ some form of two-factor authentication is to use a secondary or spam-specific email address.
Unsubscribe (Within Reason)
Your email address gets around a lot more than you might think. All those newsletter emails, discount codes from your favourite underwear vendor, and last-minute deals from some store you shopped at three years ago all have your email address. And not everyone keeps it as secure as you'd like to believe.
You should probably know that your mileage may vary when it comes to unsubscribing and reducing the email trafficked to your inbox. More reputable sites may honour the sacred "Unsubscribe" button, but emails from less-than-ideal senders often include unsubscribe buttons only to confirm you read their email and, well, send more garbage to your inbox.