6 reasons you need to change your password right now
Nobody likes spending their free time coming up with unique, cryptographically sound passwords using numbers and symbols – or at least, nobody I would like to meet.
But that’s why it’s so important. Passwords are dull. Entering your password into a website is one of the most tedious parts of your day as it is: it’s even worse if you have to type a 15-character long mix of upper- and lower-case letters. Just having your browser remember a single password is much, much easier. While people who use the password “123456” and “password” are the lowest-hanging fruit, alarmingly, you’re probably not that much tougher a mark to hit.
Here’s why you should change your password right now.
Your information is likely already out there
Okay, here’s a wake-up call for everyone who thinks it won’t happen to you. It probably already has – and it wasn’t your fault. The password process has two points – you entering it, and the website receiving it – and there are plenty of places that have been hacked in the past few years. Off the top of my head: Yahoo, Dropbox, AdultFriendFinder, LinkedIn and Yahoo again. And all of those were in 2016.
“But I don’t use any of those services,” I hear you cry. Okay, here’s a little experiment:
- Open a new tab and go to www.haveibeenpwned.com
- Enter your email addresses into the box.
- Stare in horror at the screen at how many times your email addresses show up in leaked data.
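The same site also publishes a Pwned Passwords "range" API that lets you check a password without sending it: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the suffixes the server returns. The block below is an added example, not code from Have I Been Pwned; the range response is a constructed stand-in (the counts are made up, though the SHA-1 of "password" really does start with 5BAA6), and `offline_fetch` replaces the HTTP call so it runs offline.

```python
import hashlib

# Constructed sample of a Pwned Passwords range response for prefix 5BAA6.
# Each line is the remaining 35 hex chars of a SHA-1 hash plus a breach count.
# Counts here are made up; a real response lists hundreds of suffixes.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "2A5B8D27E1D9F3A9C0B11F4E6A7D8C9B0E1:4\r\n"
    ),
}

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split upper-case SHA-1(password) into the 5-char prefix sent to the
    server and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, tolerating CRLF and blank lines."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the breach corpus (0 if never).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP request, answering from the constructed sample."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_fetch)
        print(f"{candidate!r}: {'seen %d times, change it' % n if n else 'not in sample data'}")
```

Because only the five-character prefix is transmitted, the server learns neither the password nor which of the returned suffixes you were looking for.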
Don’t feel bad. My passwords have been stolen in no less than seven hacks (Last.fm, Yahoo, Tumblr, Nexus Mods, Paddy Power, LinkedIn and Trellion, since you ask).
And these are just the hacks that are known about. There’s almost certainly plenty more that haven’t come to light and possibly never will…
Just changing a hacked password won’t keep you safe
“Big deal,” you say. “I followed Yahoo/Tumblr/LinkedIn’s instructions and changed my password right away. Nothing happened.”
“Nothing happened yet” would possibly be more fitting. The trouble is that most people reuse their passwords, and hackers know this. There’s software available that will almost instantly test the stolen email address and password combos in websites across the net. Once a sufficient bundle of working passwords for a site is found, they’ll be sold in bulk on the dark web.
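From the website operator's side, that bulk testing of leaked email/password pairs (credential stuffing) has a recognisable shape in the login logs: one source address trying many different accounts, mostly failing, with the occasional success where a password really was reused. The following is an added example, not code from any site mentioned above; the log lines and their simplified format are constructed for the demonstration, and the thresholds are assumptions to tune per site.

```python
import re
from collections import defaultdict

# Constructed sample login log in a simplified format (not real traffic).
# 203.0.113.7 walks through many accounts; 198.51.100.4 is one user retrying.
SAMPLE_LOG = """\
203.0.113.7 POST /login user=alice status=401
203.0.113.7 POST /login user=bob status=401
203.0.113.7 POST /login user=carol status=401
203.0.113.7 POST /login user=dave status=200
203.0.113.7 POST /login user=erin status=401
203.0.113.7 POST /login user=frank status=401
198.51.100.4 POST /login user=alice status=401
198.51.100.4 POST /login user=alice status=200
"""

LINE_RE = re.compile(r"^(?P<ip>\S+) POST /login user=(?P<user>\S+) status=(?P<status>\d{3})$")

def summarise_logins(log_text: str) -> dict:
    """Per source IP: distinct usernames tried, total attempts, failures, and
    the accounts that logged in successfully from that IP."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login attempts
        entry = per_ip[m["ip"]]
        entry["users"].add(m["user"])
        entry["attempts"] += 1
        if m["status"] == "200":
            entry["hits"].append(m["user"])
        else:
            entry["failures"] += 1
    return per_ip

def flag_credential_stuffing(log_text: str, min_users: int = 5, min_fail_rate: float = 0.6) -> dict:
    """Return {ip: accounts_that_succeeded} for sources that tried at least
    min_users distinct accounts with a failure rate of at least min_fail_rate.
    Successful logins inside such a burst are the reused passwords to reset."""
    flagged = {}
    for ip, e in summarise_logins(log_text).items():
        fail_rate = e["failures"] / e["attempts"] if e["attempts"] else 0.0
        if len(e["users"]) >= min_users and fail_rate >= min_fail_rate:
            flagged[ip] = e["hits"]
    return flagged

if __name__ == "__main__":
    for ip, hits in flag_credential_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing pattern; force password reset for {hits}")
```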
Your login information is pretty cheap
Considering the havoc having your login details stolen can cause, it’s pretty disappointing to learn how little someone has to pay for the information. Back in 2015, McAfee’s Hidden Data Economy report revealed that while logins for bank accounts with a decent amount of money in could go for up to $700, your PayPal password could be had for as little as $20, and your Netflix password could be worth just 55 cents.
The impact can be worse than you think
Despite all of this, there’s a mindset that thinks “who cares?” If my account is hacked, the thinking goes, I’ll just reset the password. Job done.
It’s not always as simple as that. On a recent episode of the Reply All podcast (an excellent show that delves deep into internet culture), the hosts discover a particularly underhand Uber hack, where one of the presenters was locked out of his account while someone in Russia continued to charge rides to him. Not only is Uber incredibly hard to get on the phone, but when he finally managed to get through to somebody, they claimed his account had never existed, despite the money-sapping evidence to the contrary.
Uber was eventually able to reclaim the account via a screengrab of the ride notification, pinning the journey to the thief, but that’s not really the point: it took journalists asking questions for anything to be done. Most people don’t have the resources to harangue Uber all day and night.
And yes, this hack wasn’t down to Uber itself, but to a suspected reused password.
It’s easier than you think to be secure
But I imagine you know all of this, deep down. I did, and yet I never got around to fixing it with a password manager. As it turned out, this was down to two misconceptions that I’ll now put right for you:
1) Password managers are a paid service (LastPass now has a fully functional free version, as does Dashlane)
2) It was going to be fiddly and time-consuming
As it turns out, it was neither. The process of setting up my password manager of choice was so simple, it made me wish I’d done it years ago. Download a browser plugin and it will start remembering them as you go about your business. If it sees a weak password or duplicate, it will generate a new password for you to use – and in some cases, automatically change it for you on the site while you wait. Meanwhile on mobile, it’s not a case of opening an app to copy and paste every time – at least not on Android. In fact, for me, it was as simple as using my fingerprint and the autofill would follow.
To be fair, password managers aren’t without their problems (researchers warn of the dangers of putting all your eggs in one basket, and they have been subject to occasional hacks themselves – albeit never with any serious consequences), but they’re certainly a better solution than reusing a password around the web. Sure, it’s a slight pain if you share a laptop with someone, but what better time to give them their own account?
Fixing your security is far easier than dealing with a hacked account
The bottom line is this: it may seem like a hassle to sort out your passwords once and for all, but it’s almost certainly easier than facing the fallout from the next hack when it inevitably comes along.
If Amazon were hacked tomorrow, could you with all confidence say you remember every place on the web where you’ve used that password?