We know it’s boring, but trust us, you need to do this now. Here's why – and how.
Nobody likes spending their free time coming up with unique, cryptographically sound passwords using numbers and symbols – or at least, nobody you’d like to meet.
But that’s why it’s so important. Passwords are dull. Entering your password into a website is one of the most tedious parts of your day as it is: it’s even worse if you have to type a 15-character long mix of upper- and lower-case letters. Just having your browser remember a single password is much, much easier. While people who use the password “123456” and “password” are the lowest-hanging fruit, alarmingly, you’re probably not that much tougher a mark to hit.
Here’s why you should change your password right now.
1. Your information is likely already out there
Okay, here’s a wake-up call for everyone who thinks it won’t happen to you. It probably already has – and it wasn’t your fault. The password process has two points – you entering it, and the website receiving it – and there are plenty of places that have been hacked in the past few years: Yahoo, Dropbox, AdultFriendFinder, LinkedIn and Yahoo again, just to name a few. And all of those were in 2016.
“But I don’t use any of those services,” we hear you cry. Okay, here’s a little experiment:
- Open a new tab and go to www.haveibeenpwned.com
- Enter your email addresses into the box.
- Stare in horror at the screen at how many times your email addresses show up in leaked data.
Don’t feel bad if the results aren't good. Plenty of experienced users have had their passwords stolen from the likes of Yahoo, Tumblr, LinkedIn and Trellion, among others.
And these are just the hacks that are known about. There’s almost certainly plenty more that haven’t come to light and possibly never will...
2. Just changing a hacked password won’t keep you safe
“Big deal,” you say. “I followed Yahoo/Tumblr/LinkedIn’s instructions and changed my password right away. Nothing happened.”
“Nothing happened yet” would possibly be more fitting. The trouble is that most people reuse their passwords, and hackers know this. There’s software available that will almost instantly test the stolen email address and password combos in websites across the net. Once a sufficient bundle of working passwords for a site is found, they’ll be sold in bulk on the dark web.
3. Your login information is pretty cheap
Considering the havoc having your login details stolen can cause, it’s pretty disappointing to learn how little someone has to pay for the information. Back in 2015, McAfee’s Hidden Data Economy report revealed that while logins for bank accounts with a decent amount of money in could go for up to $700, your PayPal password could be had for as little as $20, and your Netflix password could be worth just 55 cents.
4. The impact can be worse than you think
Despite all of this, there’s a mindset that thinks “who cares? If my account is hacked, I’ll just reset the password. Job done.”
It’s not always as simple as that. On a recent episode of the Reply All podcast (an excellent show that delves deep into internet culture), the hosts discover a particularly underhand Uber hack, where one of the presenters was locked out of his account while someone in Russia continued to charge rides to him. Not only is Uber incredibly hard to get on the phone, when he finally managed to get through to somebody, they claimed his account had never existed, despite the money-sapping evidence to the contrary.
Uber was eventually able to reclaim the account via a screengrab of the ride notification, pinning the journey to the thief, but that’s not really the point: it took journalists asking questions for anything to be done. Most people don’t have the resources to harangue Uber all day and night.
And yes, this hack wasn’t Uber, but down to a suspected reused password.
5. It’s easier than you think to be secure
But you probably know all of this, deep down. Many of us do, yet never got around to fixing it with a password manager. As it turned out, this is down to two misconceptions that we’ll now put right for you:
- Password managers are a paid service.
- It’s going to be fiddly and time-consuming.
LastPass now has a fully functional free version, as does Dashlane.
And as it turns out, the process of setting up a password manager is so simple, it’ll make you wish you’d done it years ago.
Download a browser plugin and it will start remembering them as you go about your business. If it sees a weak password or duplicate, it will generate a new password for you to use – and in some cases, automatically change it for you on the site while you wait. Meanwhile on mobile, it’s not a case of opening an app to copy and paste every time – at least not on Android. If your phone has a fingerprint reader, it can be as simple as using that and the autofill will follow.
To be fair, password managers aren’t without their problems (researchers warn of the dangers of putting all your eggs in one basket, and they have been subject to occasional hacks themselves – albeit never with any serious consequences), but they’re certainly a better solution than reusing a password around the web.
Sure, it’s a slight pain if you share a laptop with someone, but what better time to give them their own account?
6. Fixing your security is far easier than dealing with a hacked account
The bottom line is this: it may seem like a hassle to sort out your passwords once and for all, but it’s almost certainly easier than facing the fallout from the next hack when it inevitably comes along.
If Amazon were hacked tomorrow, could you with all confidence say you remember every place on the web where you’ve used that password?