A team of Vice editors quizzed attendees at the latest DEF CON, one of the biggest cybersecurity conferences in the world, why so many people were still subject to robberies and crimes on the web, with the most common answer because they don’t take even the most obvious and simple precautions.
A recent study by Google concluded that hundreds of thousands of people use not only the same password for websites and services, but even continue to use passwords that have been published and associated with their username on the internet. The equivalent in the physical world would be to lose a key that opened your front door, your car, your office and gym locker, and that, in addition, you had left where anybody could find it. The question, obviously, would not be if you were to be robbed, but when.
Hundreds of thousands of people use not only stupidly simple passwords, but also use them for multiple sites; what’s more, these passwords together with your username, are already out there, easily available to anybody who wants to use them for credential stuffing: simply take those user and password pairs and randomly test them automatically to see if that user has also used them for other services.
How to know if we are one of that sorry group? We repeat: the problem is no longer simply that your password is ridiculously simple or that we use it everywhere, which would already make you an easy victim, but that the password has been published. To find out, go to Have I Been Pwned, a service created by security expert Troy Hunt that collates security breaches and where you simply enter your email -no, they will not use it to spam- and are told if it appears in any online files and repositories. If yours comes up, the conclusion is very simple: the password you used on that service is publicly available, and you should not reuse it on any other site attached to that email, because anyone can simply try it on any service. You can even set up alarms to email you in case the email addresses you normally use appear in future data dumps.
Google has created a browser extension called Password Checkup Extension. If you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert.
If, in addition to doing this little test and correcting any existing problems, you want to start doing things properly, simply stop using the same password all the time. Better still, forget about all your passwords except one and start using a password manager. There are many, the market leaders are LastPass, 1Password, Dashlane or KeePass, with different conditions and prices that include a freemium or donation model, and that simply require a little order and discipline. Ignore anybody who says password managers are not safe because “if the site is hacked, all my passwords will be stolen”. They don’t know what they’re talking about: password managers use powerful encryption.
Finally, if you really believe you can handle your own passwords, at least take a look to see if yours have already been compromised: it doesn’t take long and it could prevent problems down the line. At least, don’t make it easy for the crooks…
Enrique Dans. Professor of Innovation. IE Business School