Should I be concerned about the news that Russian hackers have stolen a large number of passwords? And if so, what should I be doing?
This question was answered on Aug. 6, 2014. Much of the information contained herein may have changed since posting.
If the reports are accurate, a Russian gang has apparently pulled off the largest known hack of private internet information ever.
Hold Security of Milwaukee claims to have discovered a global compromise of over 1.2 billion usernames and passwords from roughly 420,000 websites, including 500 million email addresses.
The websites range from Fortune 500 companies to household names and lots of very small sites, so you should assume that your credentials have already been sold to other hackers.
The good news is that with that many accounts being stolen, the chances of your accounts being the first to be exploited are pretty low. That means you have time to change all your passwords before a criminal attempts to use the stolen credentials.
This, once again, underscores the importance of not using the same password on all your online accounts. Hackers will automatically try your username and password on every major website because they know that so many of you still make this huge mistake.
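To show what that automated reuse looks like from the defender's side, here is an added Python example (not from the original column) that scans constructed login log lines for a single source trying many different accounts in a short window, the signature of stolen-credential replay; the log format, timestamps and IP addresses are invented for illustration.

```python
"""Flag credential-replay patterns in constructed web-login log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2014-08-06T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2014-08-06T10:00:02Z src=203.0.113.7 user=bob result=FAIL
2014-08-06T10:00:02Z src=203.0.113.7 user=carol result=FAIL
2014-08-06T10:00:03Z src=203.0.113.7 user=dave result=SUCCESS
2014-08-06T10:00:04Z src=203.0.113.7 user=erin result=FAIL
2014-08-06T10:00:05Z src=203.0.113.7 user=frank result=FAIL
2014-08-06T10:00:09Z src=198.51.100.4 user=alice result=FAIL
2014-08-06T10:00:40Z src=198.51.100.4 user=alice result=FAIL
2014-08-06T10:01:10Z src=198.51.100.4 user=alice result=SUCCESS
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(\S+)$")


def parse(log_text):
    """Turn the constructed log format into (timestamp, src, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def find_replay_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {src: sorted distinct users} for sources that tried at least
    `min_users` different accounts within `window`. Many accounts from one
    source is what a leaked-credential replay looks like; one user retrying
    their own account (198.51.100.4 above) is not flagged."""
    by_src = defaultdict(list)
    for ts, src, user, _ in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (t0, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - t0 <= window}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_from_flagged(events, flagged):
    """Accounts that logged in successfully from a flagged source: these are
    the ones whose passwords should be reset, since the attacker's copy worked."""
    return {user for _, src, user, result in events
            if src in flagged and result == "SUCCESS"}
```

A successful login inside such a burst means the leaked password was still valid, which is exactly the case the advice below about changing every password is meant to prevent.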
Since, at this point, there is no way to know for sure whether your credentials have been stolen, you should assume that they have and act accordingly.
In any case, this is a great wake-up call that you should use to strengthen your password protection by doing the following:
1. Change all your passwords and make sure that every online account has its own password. To make this more manageable, consider using a password manager.
2. Longer, easy-to-remember passwords are more secure than short, complicated passwords. Aim for at least 15 characters, but make it easy to remember. For example, “I Hate Passwords!” is much more secure than “A8y@q7P1” and much easier to remember.
3. Make sure your e-mail account has a very strong password. Your e-mail account is the gateway to all your other accounts. Remember that when you forget a password, the reset message gets sent to your e-mail account, making it really easy for the bad guys to take over everything if they get in.
4. Make sure you have a passcode set up on your mobile devices. Mobile devices are more easily lost or stolen, and if you don’t have a passcode to keep strangers out, whoever has the device has direct access to your e-mail account.
5. Search all your old e-mails for the word “password” and delete any messages that reveal which accounts you have. If a hacker does gain access to your e-mail account, they will immediately search for clues about the accounts you have so they can quickly exploit them.
6. Turn on two-factor or two-step authentication. Virtually every sensitive online account you have offers this feature, but you must turn it on in the settings. When activated, your smartphone becomes part of your security fence. Whenever a site detects that you’re signing in from a new computer or device, it sends a special code via text message to your phone to verify that it’s you. This way, even if a hacker acquires your username and password, they won’t be able to get in without your phone in their hands.
Passwords are the gateway to your digital life, and with every breach they become more vulnerable, so don’t take this lightly.