I regularly hear from people who’ve had their email or other online account compromised, are able to recover access to it, and change their password, only to have the account stolen again almost immediately.
The problem is simple, but the solution is a bit of work.
First, you have to realize that while someone else has access to your account, they have access to everything related to that account.
As a result, changing your password just isn’t enough. You need to do more.
Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
Services like Have I Been Pwned? are a great start, particularly with its Pwned Passwords service, which lets you know if your account, or a password you use, is discovered in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
An exploit kit was published allowing a phishing attack to hijack a two-factor secured login.
Various media declared, “Two-factor has been hacked!”
Unfortunately, these have led some to believe that two-factor authentication is pointless. To quote a reader: “This makes 2SV quite useless in many cases.”
No. Just … no. That’s a seriously mistaken conclusion.
I’m re-visiting this topic yet again because I want to be very clear: two-factor authentication is not useless. In fact, two-factor authentication — SMS-based or otherwise — is significantly more secure than not using two-factor authentication at all.
How do password managers handle random security questions? I’ve never seen this mentioned in any of the articles that I have read. Am I still going to have to maintain a readily available list of security question answers?
Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.
Do you have a general technique for creating new passwords for every single site that needs them? Yes, I did the unthinkable, I lost my LastPass account and have to start over. This is a reminder of the old saying, “When you have dug yourself into a deep hole, stop digging.” Unfortunately, I was stupid enough to keep digging. I hope you can spare some advice for someone who seems to get more stupid with age. There may be others on your list that have the same problem.
The technique is simple.
The problem is that the technique is time-consuming and ponderous.
Let’s review that technique, and what you can do to avoid this situation in the future.
I’ve long recommended password managers like Roboform and LastPass to keep track of passwords for all online accounts. Besides offering an incredible level of convenience, these tools give you a greater level of security by making it practical to use truly long and complex passwords and generate different ones for every site.
But, as with all things relating to security, there are risks.
For example, what happens if you forget your LastPass master password? Master passwords cannot be recovered. While there are a couple of options that might regain access to your password vault, the worst-case scenario is that you lose the vault — and everything in it — forever.
Not to keep beating the same old drum, but the best solution is very simple.
Two-factor (or multi-factor) authentication is one of the most reliable ways to secure an account from being hacked. With two-factor authentication enabled, hackers can’t log in to your account, even if they know the password.
LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.
The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.
That’s why I recommend adding two-factor authentication to your LastPass account.
There are some websites that determine how strong a password is. I tried to compare two of them. [One said that my 20-character example] password can be hacked in 16 billion years. [Another] says the same password can be hacked in 3 seconds. What a joke it is. In your opinion, what site might be a reliable password checker?
From a purely algorithmic, or mathematical, perspective, cracking passwords is a fascinating problem.
From a user’s perspective, however, it’s not that fascinating at all. In fact, it’s downright frustrating. One of the best examples of that frustration is the scenario you outline: one site’s “great” password might be considered horribly insecure by another.
What’s a user to do?
My recommendation? Create strong passwords that don’t need a password-strength meter at all.
I think my boyfriend/girlfriend/spouse is cheating on me. I want to hack into their email/instant message/Facebook/other account and find out what he/she/it is doing behind my back. Can you help me?
Can you get me the password for *****@hotmail.com/yahoo.com/facebook.com? This person’s been saying really bad things about me and I want to hack in and teach him/her/it a lesson.
I’ve lost the password for *****@hotmail.com. Could you please find it and send it to *****@hotmail.com? It’s really my account. Honest.
A family member has passed away, and I’d like to retrieve whatever was in his/her email account before it gets deleted for lack of use. But I don’t have the password. Can you get it for me?
These are oversimplifications of many variations.
People want to hack into other people’s accounts for a variety of reasons. Some, such as the last one, sound perfectly legitimate. Others, not so much. And others are just blatant attempts at theft, harassment, or revenge.
What’s really scary is that I get these requests every day.
Recently I tried to use RoboForm for an account at a large financial institution, but I couldn’t get it to work. In response to my inquiry, this institution said they do not permit logging in using credentials that are stored in software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use tools like RoboForm?
Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not-so-technically, I strongly believe they are seriously misguided.
Using a password manager is significantly safer than the alternatives.
I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?
The hacks of several online services have brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.
News broke over the weekend about an approach to a phishing attack that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.
Quick bottom line
If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.
For a long time, the common thinking was that the best, most practical passwords consisted of a random combination of upper and lower-case letters, numbers, and a special character or two. If so composed, password length needed to be only eight characters.
Randomness remains important, but as it turns out, size matters more.
A password today should have a minimum of 12 characters, and ideally, 16 or even more.
As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.
However, to err on the side of caution, they are recommending that we all change our master passwords.
I read many articles (including some on Ask Leo!) that recommend that people should change their passwords from time to time. But what is good practice in this respect? Should it be related to frequency of use? For instance, some passwords are used frequently, some less often, and some rarely. Or should it be related to the level of security needed? For instance, passwords for online banking are more sensitive than passwords for magazine subscriptions.
Good practice in a corporate environment seems to be to force network and other password changes every 30 days or so. This would seem to be overkill in the home environment as it could result in some accounts being accessed more often to change a password than to do anything else.
Unless you get into a good routine, like when you do data backups, password changes will only get done sporadically, if at all.
Do you have a view on how to build such a good routine?
As you say, routines for things like this are difficult to set up, and if not automated, they are easily forgotten. Automation may be the answer in many cases, but it’s not always available – at least not in a convenient form.
But before we even get to that, I want to talk about the “you should change your password periodically” rule of thumb.
I’m a very strong believer in using two-factor authentication for important online accounts. For example, I rely heavily on Gmail and I have it protected using Google’s two-factor authentication option. Even if they somehow got my password, a hacker still wouldn’t be able to get in.
Two-factor authentication (often referred to as multi-factor authentication, 2FA, or MFA) adds the requirement of “something you have” to “something you know” in order to log in to an online service.
You’re already familiar with something you know: that’s a password. Something you have might be a mobile phone capable of receiving a text message, an authenticator application running on a mobile device, a dedicated key fob, or even a specialized USB device. Two-factor authentication simply means that you provide not only a password, but you must also prove that you have the second factor in your possession. If you don’t, you can’t log in even if you know the password.
Neither can hackers – and that’s the point.
Failing to prepare for loss of that second factor, however, is an easily overlooked, yet easily avoidable risk of two-factor authentication. The risk? Losing access to that important account … forever.
I’ve got a quick question concerning saved usernames/passwords in browsers. Whenever you visit a website and need to log in, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.
The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.
There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.
I’ll review how these features work, and how to use them safely.
Is it safe to have the same password for all of my email accounts? If one has an account in Yahoo! mail, Gmail, rediff mail, etc., and sets the same password for all of them, will it be easier for a hacker or phisher to find out about it?
Using different passwords is much safer than using one password everywhere. In fact I’ll say it’s critical these days.
Because hackers know that most people don’t take the trouble to set that up.
And they know that we typically have more than one account.
Why can’t an online service like Gmail or Hotmail or any of the others, just tell me what my password is rather than forcing me to reset it all the time? I mean, they have to know what it is anyway so that they can check that I’ve entered it in correctly. Right?
Believe it or not, online services don’t necessarily know your password.
Some services actually can tell you your password, and that’s a really, really bad thing. Among other things, it calls into question that service’s understanding of security.
Following your advice, I use a password manager so I can use long, secure passwords and simply copy-paste into websites. Recently, however, it seems more sites use a technology that prevents this. The temptation now is to use shorter passwords, making them less secure so copying and typing them is easier. Why are sites doing this?
I haven’t seen a site that actually prevents pasting a password in the Password field, but I definitely have seen sites that either intentionally or unintentionally make password managers more difficult to use.
Leo: I know we should change passwords regularly for security, but should we also be changing the various user names for the many sites we visit? Can we be tracked by using similar user names like we can passwords?
There are a couple of interesting pieces of what I would consider to be misinformation implicit in your questions. Let me address those first.
Recently, Google and Microsoft asked me to insert my telephone number and kept asking for it until I agreed to insert the number. What’s the main reason for doing this? Do they have hidden purposes for doing that? Wouldn’t they control everyone doing this? Is privacy on the internet dead?
Certainly, privacy is an interesting topic when you start talking about the internet. I think a lot of people do end up giving more information perhaps than they should. People are effectively, often willingly but in some cases accidentally, decreasing their own amount of privacy – not because it’s required, but because they post private information about themselves in public forums like Facebook, Twitter, and other sites.
But in your case, I really don’t think that’s what’s going on at all. I do not believe that Google or Microsoft have some kind of a hidden agenda to get your phone number.
In a recent newsletter, you answered someone’s question about passwords. I didn’t understand your answer. Could you clarify with an outright, direct, plain, clear answer? The person was asking about passwords, an idea he had, and would it just be safer to use repeating letters as passwords? I couldn’t understand if you were saying it was good and safer as it was harder to hack with hacking software or just the opposite. I don’t understand the explanation about how hacking software works and I don’t need to. Just the answer to that question about a series of same letters would be sufficient enough for me to know what would be good to do or not to do.
As direct, plain, and clear as I can be, the answer is no, you should not use a password that is a single repeating character.
In my defense, the answer really isn’t that simple or that easy. It actually does require a little bit of thought. The problem is that it’s a very complex topic. And there aren’t always simple yes-or-no answers.
I installed a new, supposedly very good Buffalo WZR-D 1800H router. It will not accept more than 8 characters for a router password. Because of your articles and others, it doesn’t seem as secure as it should be. Is there any way to add more characters to the password? It just stops accepting characters after the 8th entry.
Unfortunately, the answer to the question you ask is no.
If a device or a website or anything that requests a password is limiting you to only 8 characters, then there is really nothing you can do to somehow increase that limit. It’s a hard-coded limitation of the software involved.
The real question then becomes: what do you do instead?
Since the day that password protection was invented, users (and the people that help them) have been dealing with the “lost password problem.” You know how it goes; you or someone you know can’t log in to their account because they can’t recall their password.
Take it from me, it happens. A lot.
For a long time – at least since Windows XP and probably before – Windows has included the ability to create a password reset disk that you can use in cases where you’ve forgotten your Windows login password.
There are a few prerequisites to using this tool. The most important one is you must create the disk before you actually need it.
Whenever I talk about using different passwords to log in to different sites, and how important it is to make sure that all those passwords are difficult to guess (and therefore, by the same token, hard to remember), many people throw up their hands in frustration.
It’s too much to remember; too much to keep track of.
Computers, on the other hand, are great at remembering things for you. As a result, there are many popular programs that will track your online passwords for you.
I told my friend my password, and she said it was a really bad one. What does it mean to have a “bad” password? And what’s a “good” one, then?
You told someone else your password? Yikes! I’ve seen more accounts get stolen by that one simple act than by any other single cause. I sure hope you know what you’re doing – most people that have told a friend their password have come to regret it.
So what’s a bad password? One that someone could easily guess.
A good password? One that’s hard to guess, of course.
The problem is that people are way better guessers than you think. And it gets worse if the guesser starts using a computer to do the “guessing” for them.