Over one billion email address/password combos were recently leaked under the name “Collection #1,” and the name suggests there may be more collections to come. When something like this happens, I just take a deep breath, change my passwords on any sites that were affected, and move on with my day.
Why can I do that? Because I use a password manager that notifies me of the hack and any affected sites. It will then assist me with changing the password in question, and I go back to work. (I also keep track of affected sites using Have I Been Pwned?)
Defense in Depth
Defending against cyberattacks requires a multi-faceted approach. Here’s a quick list off the top of my head. These will be very brief, because I want to focus on the last one.
- Backup your data
- I really don’t understand people that pay ransomware. Why don’t they just restore from backup? Oh, right. They don’t have a backup. Please backup your mobile phone and laptop data. And of course, backup your company’s servers.
- Secure your physical devices
- If someone gets hold of your physical device, all bets are off. Use a strong password on every device you have. If you lose a device and then get it back, do not just start using it again. You need to wipe it clean and re-install everything, because a hacker may have installed a key-logger that could steal the master password to the password manager I’m going to tell you to use in a minute.
- Practice safe-browsing
- Make sure you’re using secure sites if you’re logging in. Check anything you download for viruses. Don’t visit sketchy sites. I know you want to see that latest episode of Star Trek: Discovery and you don’t want to pay for the CBS All Access pass. But downloading a torrent is risky and may have other problems.
- Watch for phishing & other social engineering attacks
- Watch for those emails from companies you do business with that warn you of something and tell you that you need to login and fix it. Login manually to the real site; do not follow the link. (BTW, a password manager fixes this, too, because it won’t enter your password at the wrong site.)
- Use an anti-malware product
- And whatever you happen to pay for, also run some free checkers once in a while. (I run a Malwarebytes free scan whenever it comes to mind.)
- Use multi-factor authentication whenever you can
- The more important the account is, the more important it is that you use MFA. Also, one of your “important” accounts is the email address that you use everywhere. Make sure that account is protected with MFA. That way someone can’t hack it and then use it to reset all your passwords.
- Use a unique password for every single site where you login
- And finally we come to the biggie. Make sure you do not reuse passwords on the sites you do business on. If any of them are hacked, you’re vulnerable everywhere that email address and password have been reused.
- Doing this without a password manager is impossible if you have more than a few accounts. (I have 329 accounts in Dashlane, my password manager.)
Please use a password manager
I don’t know how anyone doesn’t use a password manager. It makes things so much more secure and so much easier. How often do you see the words secure and easier in the same sentence?
I chose Dashlane years ago for a unique combination of features that I no longer remember, but there are other password managers like 1Password and LastPass that are quite popular as well. They use one master password to give you access to all your encrypted passwords.
In the “How is Dashlane safe?” article, they have several answers.
- They enforce strong passwords on your Master password, and if you lose it, you’re toast. So don’t do that. But honestly, if you’re using it regularly, you will be typing in that password many times a day, so I don’t know how you would forget it.
- Your Master password is never stored on their servers, even though they support multi-device syncing.
- All data is encrypted locally with AES-256 encryption.
- They use AWS servers for added security.
- They continually audit their system for vulnerabilities.
No security system will ever be 100%, but I say NONSENSE to those who think that keeping passwords in your head is more secure than a password manager. How exactly is a typical user, who has dozens of online accounts, supposed to create a unique password for each account and store it in their head?
The average user is going to use the “remember password” feature of their web browser, and that’s not secure at all.
Like I said, use a password manager so that when you’re hacked, all you have to do is change one password. But please, someone leave a comment about how password managers are less secure than your brain.
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technical Architect at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.