Why You Really Need a Password Manager

I like to sing the praises of Troy Hunt and his efforts to improve the world’s password security.  I also take digital security very seriously, but I can understand why most people don’t. Even the most keen people can suffer from apathy from time to time.

Example below: [screenshot; captions: “D'oh” / “‘I know it’s compromised’”]

What the hell was I thinking? It takes 30 seconds to change a password. Spotify was using an old password that, if you enter it into HIBP, shows:

Luckily someone was trying their luck when I happened to be listening to Spotify and I was able to get it sorted in about 20 minutes. Spotify’s customer service was excellent and they got my e-mail changed back (the hijacker changed it) and forced a password reset. The password is now a nice long random string of characters safely stored in LastPass.

What is Credential Stuffing?

Credential stuffing is a very popular method of account hijacking. The attacker does not guess anything: e-mail address and password pairs are gathered from large data breaches (occasionally with other personal details attached), and those exact pairs are then replayed, usually automatically and at scale, against the login pages of other websites to see which accounts they open.

Since so many people use the same e-mail address and password for everything, this is an easy way to take over a large number of accounts from a single leaked list. Fortunately Spotify wasn’t that critical, but if your password reuse extends to banks, PayPal and shopping sites, it could cost you a lot of money.

How to Keep Passwords Safe

It’s simple, and not particularly time consuming. Like most things in life you can get 80% of the result for 20% of the effort, and 80% security is way more than most people have.

There are 3 simple steps you need to follow:

  • Come up with 2 really strong passwords that you can remember, and don’t tell anyone what they are
  • Use one for your e-mail account and one for a password manager (KeePass, 1Password, LastPass, Dashlane etc.). Your e-mail gets its own password because it is the reset channel for every other account; whoever controls it can reset the rest
  • Use your password manager to generate and store a different random password for every site/service you use

For bonus points, use 2 Factor Authentication (2FA) where available, through a security key, an authenticator app or text messages (a security key or app is preferable to text messages, which can be intercepted by SIM swapping). That’s it. If any website you use ends up having a data breach, all your other accounts stay safe because none of them share that password. Some password managers even offer monitoring and alerts to warn you when this happens.
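The two mechanical pieces of the routine above, generating a random per-site password and checking a password against Troy Hunt’s Pwned Passwords data the way HIBP does it, as an added example that is not code from the original post or from HIBP. The generator draws from the OS CSPRNG via Python’s `secrets` module. The checker implements the k-anonymity range query: only the first five hex characters of the password’s SHA-1 hash are sent, and the matching suffix is searched locally in the returned list. The `api.pwnedpasswords.com/range/` endpoint and its `SUFFIX:COUNT` response format are real; the offline `CONSTRUCTED_RANGES` response, its counts and the second suffix in it are made up for this example so it runs without network access.

```python
import hashlib
import secrets
import string
import urllib.request


def generate_password(length=24):
    """Generate a random password the way a password manager does, from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Require one of each class so typical site complexity rules are met.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw


def sha1_upper(password):
    """Uppercase hex SHA-1, the digest form Pwned Passwords is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_range_lookup(prefix):
    """Real network range query: only the 5-character hash prefix leaves the machine."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, range_lookup=hibp_range_lookup):
    """Return how many times the password appears in the corpus, 0 if it does not."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range response (not real HIBP data; counts are
# illustrative). SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the
# prefix sent would be 5BAA6 and the suffix searched for is the remaining 35 characters.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "003D68EB55068C33ACE09247EE4C639306B:3\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    ),
}


def constructed_lookup(prefix):
    """Offline replacement for hibp_range_lookup; unknown prefixes return an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    print("password ->", pwned_count("password", constructed_lookup))
    fresh = generate_password()
    print(fresh, "->", pwned_count(fresh, constructed_lookup))
```

Swap `constructed_lookup` for the default `hibp_range_lookup` to check against the live service; the password itself never leaves your machine either way, which is what makes it acceptable to run this against a password you actually use.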
