Reminder: Password Security

As you may have heard, the full database from LinkedIn’s 2012 compromise was posted last month, adding more than 150 million additional user logins to those already public. With so many credentials leaked from LinkedIn and other services, I want to remind everyone (again) of the importance of keeping passwords secure, and to offer some good general guidelines to follow.

Unique Passwords

Never re-use passwords, for any reason. Every login you set up must use an entirely unique password; otherwise a compromise of one service compromises your logins at every other service that shares that password. This becomes a bigger issue as these incidents continue to occur. The last thing you want is for the compromise of an online community to result in the compromise of your email or bank logins.

Limit Access

Do not share your login information with others if it can be avoided. Doing so significantly increases the risk of a compromise, since you have no control over how or where that login might be used. If you must provide your login information to a third party, set a temporary password and reset it once the third party no longer needs access.

Secure Your Devices

You must properly maintain every device on which your login information is used, including computers, phones and tablets. This involves running anti-virus / anti-malware software and a firewall, and keeping all software up to date, as applicable to the device in question.

Encryption

Login information should only be transmitted securely (over HTTPS or a similarly encrypted method). Use of unsecured wireless access points should be limited or avoided entirely; if you must use one, a VPN is highly recommended to help protect your activity.

Password Managers

A password manager is all but required to keep up with proper security of your logins. It is not uncommon for someone to have logins to 100 or more websites and services, which makes memorizing a unique password for each impossible.

There are a lot of options out there, and one big thing you have to decide is whether the convenience of cloud storage outweighs the risk of that provider being compromised. Personally, I use a password manager that only stores the encrypted logins locally, and I manually sync it among devices as needed. After all, you still have to be aware that a password manager provider may be compromised as well.

Lastly, I would recommend changing your passwords every 6-12 months. The additional credentials leaked from LinkedIn’s 2012 compromise wouldn’t have mattered if everyone had been doing so. Many password managers keep a full password history, making it easy to see when a password was last changed.
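Two of the checks above, unique passwords per login and a rotation age of at most 12 months, can be run against a password manager's exported history. The following is an added example written for this post, not code from any password manager; the vault records, site names and passwords are constructed, and the 365-day limit is an assumption taken from the 6-12 month recommendation.

```python
import secrets
import string
from datetime import date, timedelta

# Constructed sample vault export: site, password, and the date the password
# was last changed. These are made-up records for the example, not real logins.
VAULT = [
    {"site": "mail.example.com", "password": "Winter2015!", "last_changed": date(2015, 1, 3)},
    {"site": "forum.example.org", "password": "Winter2015!", "last_changed": date(2014, 11, 20)},
    {"site": "bank.example.net", "password": "xH9#pLq2&vR7mT", "last_changed": date(2016, 5, 1)},
]


def find_reused(vault):
    """Return groups of sites that share one password (the password itself is not returned)."""
    by_password = {}
    for entry in vault:
        by_password.setdefault(entry["password"], []).append(entry["site"])
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def find_stale(vault, today, max_age_days=365):
    """Return sites whose password is older than max_age_days as of `today` (assumed limit)."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(e["site"] for e in vault if e["last_changed"] < cutoff)


def generate_password(length=20):
    """Build a replacement password from the OS CSPRNG (secrets), never from random.random()."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def audit(vault, today):
    """Run both checks and return the findings as one report."""
    return {"reused": find_reused(vault), "stale": find_stale(vault, today)}


if __name__ == "__main__":
    report = audit(VAULT, date(2016, 6, 15))
    for group in report["reused"]:
        print("same password used at:", ", ".join(group))
    for site in report["stale"]:
        print("older than a year, replace with e.g.:", site, generate_password())
```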

As always, if you have any questions or concerns please let us know. We’re happy to assist in any way that we can.
