Security experts’ dirty little secret: They don’t change their passwords very often, because they don’t need to. Here’s what they do that can work for you too.
1.2 billion passwords reportedly stolen by Russian hackers. Before that it was Heartbleed. After a widespread, nonspecific data breach, the conventional wisdom is that people should change all their passwords. But according to F-Secure Labs, there’s a better way. With the right password management habits, you won’t need to change all your passwords every time you hear about an online attack.
Changing all one’s passwords won’t hurt, but it is cumbersome. Not only that, it’s a Band-Aid fix that stops short of offering a stronger and more long-term solution, says Sean Sullivan, Security Advisor at F-Secure Labs. Data breaches are the new reality, and it’s no longer a question of if it happens to you, but when. Sullivan says rather than being told to change all their passwords, consumers need practical advice worth following. So when the next breach is disclosed, they will be in control and will only need to change those passwords they know are affected.
“The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” says Sullivan. “Unless I find out about a breach with a specific account, I don’t worry about my passwords. That’s because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.”
So what are the successful strategies to avoid the hassle of changing passwords constantly? F-Secure points out a few key things:
Diversify to reduce your risk. Segregate your accounts by creating separate email addresses for different functions. For example personal, professional, financial. That way if one email is broken into, it won’t compromise all your other information too. “Why not have a separate email address for your financial accounts? Then don’t give that address to anyone but those financial institutions,” Sullivan says. A bonus: if you get banking-related email in your personal account, you’ll know immediately that it’s not legit.
When possible, use a different username than your email. Some services let you pick a unique username other than your email. When possible, it’s good to take this option as it’s that much more info a hacker needs to know. And use two-factor authentication when available.
Use a unique password for each online account. Using the same password to access different accounts is rolling out a red carpet for hackers. If a password for your Facebook account is stolen, criminals can hop over to your email and other accounts and try the same password there.
Don’t give online accounts any more data than is absolutely necessary. The less that is there to be compromised, the better.
If you are notified about a breach to a specific account, change that password. This goes without saying.
Changing your account password habits may take a little effort, but in the long run it’s easier and less stressful than having to change all passwords after news of every breach. And it’s worth it to keep your personal data and online identity safe. Sullivan suggests starting small, taking care of one account at a time and building up until all your passwords are handled.
It’s easy with the right tools
Then how does one remember so many unique passwords and log-ins, and manage them effectively? F-Secure’s password manager, F-Secure KEY, makes sure proper password management is as easy and painless as possible. With F-Secure KEY, there’s just one master password to remember, so it’s easy to have a unique password for each account. Usernames, passwords, PIN codes, and other important data are stored in one secure app.
F-Secure KEY now has a completely updated and refreshed mobile version. The new mobile user interface features a Favorites ring that makes it easy and fast to access all one’s most commonly used account credentials. All versions of F-Secure KEY help you generate unique, strong passwords. KEY includes a news feed from F-Secure Labs, so you can stay up-to-date on major hacking incidents. Strong encryption protects all your data.
F-Secure KEY is free to download and use on any device – Android, iOS, Windows, and Mac. To use Key with the same master password on an unlimited number of devices and sync passwords across devices via a secure European cloud, upgrade to the premium version. Premium prices start at 1.20€ per month. F-Secure KEY is available via the Apple App Store, Google Play, and at f-secure.com/key.
