On September 9th a hacker published a list of 5 million Gmail accounts with associated passwords. The passwords may not have been the password for the account in question, and there’s no telling how old the passwords are or where they originally came from. For example, if the account came from the LinkedIn hack from a couple of years ago the data might be the Gmail address on the user’s account and the LinkedIn password.
When the breach was announced, Google tested the Gmail/password combination and found only 1-2% were still valid. Even though the passwords may not be useful for Gmail, there’s still a risk. People frequently reuse passwords on different sites across the web. According to Symantec, a typical user has 26 password-protected accounts, but only 5 passwords.
Have a unique password for all of your important sites. If one site gets hacked, the hacker may test your login information on other sites. For example, if you use a password on a forum, don’t reuse that same password for your primary email address.
Create strong passwords. A good password should contain at least 12 characters and have a mix of numbers, symbols and uppercase and lowercase letters.
Do not select passwords or security questions that someone could guess by following your social media accounts, such as your mother’s maiden name, your pet’s or children’s names, or your school.
Don’t substitute symbols or numbers for letters in a word. P@$$w0rd is an example of a weak password that might appear strong at first glance. Acronyms or word combinations make good passwords that are easy to remember.
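As an added illustration (not part of the original post), this Python checker applies the two rules above: it enforces the 12-character, four-class rule and then undoes common symbol-for-letter substitutions so that a disguised dictionary word such as P@$$w0rd is still rejected. The common-word set and the substitution table are constructed for the example; a real deployment would use a large breach-derived wordlist.

```python
import re

# Constructed sample of common base words (a real check would use a large wordlist).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "monkey"}

# Substitutions that look clever but are trivially reversed by password-cracking rules.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i"})

COMMON_WORD_MSG = "a common word disguised with symbol or number substitutions"
CLASS_MSG = "needs numbers, symbols, uppercase and lowercase letters"
LENGTH_MSG = "shorter than 12 characters"


def normalize(password):
    """Undo leet substitutions and lowercase, so 'P@$$w0rd' becomes 'password'."""
    return password.translate(LEET_MAP).lower()


def looks_like_common_word(password):
    """True if the password, or its core with trailing digits/symbols removed,
    is a common word once substitutions are undone (e.g. 'P@$$w0rd2014!!')."""
    base = normalize(password)
    core = normalize(re.sub(r"[^A-Za-z]+$", "", password))
    return base in COMMON_WORDS or core in COMMON_WORDS


def check_password(password):
    """Return a list of policy problems; an empty list means the password passes."""
    problems = []
    if len(password) < 12:
        problems.append(LENGTH_MSG)
    has_all_classes = all(re.search(pat, password) for pat in
                          (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if not has_all_classes:
        problems.append(CLASS_MSG)
    if looks_like_common_word(password):
        problems.append(COMMON_WORD_MSG)
    return problems


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "P@$$w0rd2014!!", "Correct-Horse-Battery-7"):
        print(candidate, "->", check_password(candidate) or "OK")
```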
Change your sensitive passwords regularly. Most people don’t change their passwords often enough. Change passwords on sites storing sensitive information at least once every 3-6 months.
Think you’ll have trouble remembering all these new passwords? Download a password management utility that stores your passwords in an encrypted file. There are password managers for every platform of PC, tablet and smartphone.
Enable two-factor authentication for sites and services that store sensitive information, such as your bank, your cloud storage, your email and online retailers that keep your credit or debit card on file. Two-factor authentication requires you to enter your password and complete another verification step, such as a PIN texted to your cell phone.
Limit the number of password login attempts. Some sites allow you to set a maximum number of tries before your account is locked. Enable this feature if the site offers it.
Unfortunately there is no foolproof solution to password security. If someone with the skills wants to get in, they will. Just as in the real world, security is about making your car or your password as difficult to break into as possible, so a thief moves on to an easier target.