During the last couple of weeks, a number of high-profile breaches of popular websites have again been reported. The number of accounts whose details have become public is staggering. The last two to join the club are Kickstarter and Bitly.
The list of affected companies reads like a who's who of popular services and includes Adobe, Yahoo, LinkedIn, Dropbox, MySpace, Forbes, Snapchat, Disqus, Last.fm, etc. See the full list here: https://haveibeenpwned.com/PwnedWebsites
Given this, we have to stop thinking of account information as secure. Rather than planning for whether our login data will be exposed, we should plan for when. Fundamental changes in risk likelihoods need to drive changes in our behavior. Here is what you need to do now:
- Get a password manager and start using a different password for each login you have.
My recommendation is to use 1Password with an independent sync mechanism like Dropbox or iCloud. This way no single party (neither the software vendor nor the cloud provider) has access to both the source code and your passwords. For the paranoid, there is WLAN sync, which never transmits your passwords to anyone else. Having your passwords synced to both your mobile and your laptop also provides some degree of disaster resilience. Use 1Password for your private accounts and whatever your company provides for business accounts. At Unic, we use an enterprise tool to store all business passwords and manage access to them - including auditing who accessed which secret when.
- Sign up your private email addresses (and optionally your business email account) on https://haveibeenpwned.com/NotifyMe to be notified when one of your addresses appears in a new breach.
- Enable 2-factor authentication (2FA) on your most important accounts - especially those used to reset passwords: your main private email and all sites that hold credit card information. Here's a list of all sites offering 2FA: https://www.turnon2fa.com. Ideally, use a single authenticator app on your smartphone (like Google Authenticator). Use SMS only if there is no other option: SMS is not really secure, but it is still better than a single factor.
- Now go and change your passwords on all services for which https://haveibeenpwned.com/ lists a breach involving your email address. Enable 2FA where available. Change each password to a random string of characters using the password generator in 1Password. 1Password also has a built-in Watchtower service that alerts you about known vulnerabilities in the services you use, as well as weak and duplicate (reused) passwords.
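As an added example (not code from the original post, nor from 1Password or Have I Been Pwned), here is how a breach-monitoring check of the kind described above can test a password against a leaked-password corpus without ever sending the password itself: only the first five hex characters of its SHA-1 hash leave the device, which is the k-anonymity scheme behind Have I Been Pwned's Pwned Passwords range API. The range response below is constructed for this example; the suffix for "password" is genuine, but the other suffixes and all counts are made up, and the generator function stands in for a password manager's random-password feature.

```python
from __future__ import annotations

import hashlib
import secrets
import string

# Constructed stand-in for a k-anonymity "range" response: every SHA-1 suffix
# sharing the queried 5-hex-character prefix, each with a breach count.
# The suffix on the last line really is SHA-1("password") minus its prefix
# "5BAA6"; the other suffixes and all counts are made up for this example.
SAMPLE_RANGES = {
    "5BAA6": (
        "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\n"
    )
}


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def offline_fetch_range(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGES.get(prefix, "")


def parse_range_response(body: str) -> dict[str, int]:
    """Map each returned hash suffix to its breach count; blank lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range=offline_fetch_range) -> int:
    """How often the password appears in the corpus; only the prefix is sent."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, the kind a password manager generates."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("password", generate_password()):
        print(f"{candidate!r}: seen {breach_count(candidate)} times")
```

Swapping `offline_fetch_range` for a function that performs the real HTTPS GET turns this into a live check; the password itself still never leaves the machine.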
With these simple steps, you will greatly reduce your exposure and have a backup of all your passwords on your laptop and mobile device.