Another day, another password breach. This time, the compromised website belongs to the Plex media-streaming service, and the advice is predictable: Reset your account password immediately.
Yes, of course you should do that. But don’t stop there. Every one of these incidents is an opportunity to assess your current online security and tighten it up as needed. The goal is to make sure you’re at minimal risk when (not if) another, similar data breach occurs. The best way to do that is to follow three ironclad rules:
- Always use a long, random password
- Never reuse a password
- Always turn on 2-factor authentication (2FA), if possible
If you followed those rules, you wouldn’t have been particularly worried about today’s password breach. Why? The hash of that long, random password can’t easily be matched with its plaintext version, and even if the thieves managed to decrypt that password and try to use it before you changed it, they’d be stopped cold by the 2FA prompt.
Most importantly, if they tried those credentials on other sites, they’d have no success at all. The real danger of reusing passwords is that simply changing them in one place isn’t enough. If you use the same password on multiple websites, you could be in a heap of trouble once the bad guys start trying the stolen Plex password on popular sites like Gmail and Outlook.com.
The good news is that a first-rate password manager can help you identify weak passwords and detect duplicates. Here’s one example, a report generated by 1Password using its watchtower feature:
That’s an excellent starting point for getting your passwords in order. And don’t feel bad if the numbers seem alarmingly high. If you imported a collection of older passwords when you set up your password manager, then you’re undoubtedly dealing with a collection of credentials you created yourself. Because human beings are notoriously bad at creating truly random strings of text, those passwords are probably weak, which means they can be easily guessed or are vulnerable to a brute-force attack.
A weak password is typically too short, is made up of words that can be found in a dictionary, and/or contains all or part of the account name. Even if you did manage to create a truly random, hard-to-guess password, your password manager will flag it if it determines you’ve used that password at multiple sites.
The good news is that every modern password manager also contains a password generator, which you can use to replace those old, weak, insecure passwords. Here’s what the password generator in 1Password looks like:
One thing I love about 1Password’s generator is that it offers the option to create memorable passwords, like whinny-upswept-inferior-apiaryas an alternative to random strings of alphanumeric gibberish like TouB4kccX_kF7csPW9f9.
Unfortunately, the process of changing your old passwords is labor-intensive. For each service, you’ll need to find the page where you change your password; use the password generator to create a new, random, unique password and then update the saved entry.
As a best practice, you should do this as soon as possible for high-value sites like banks, credit card portals, and email and social media accounts. After completing each password change, I recommend that you immediately sign out of the service and sign in again, using your freshly saved password, to confirm that the new password was properly stored.
The final step is to ensure that you turn on 2-factor authentication wherever you can. You should absolutely turn on this protection for high-value sites like email services and financial institutions. Your mobile phone is the best 2FA device, ideally with an authenticator app rather than SMS messages. Just make sure you’ve got a good backup for your 2FA credentials in case your phone is lost or stolen.
For the most part, finding out which authentication methods are available for a specific site usually requires signing in and then poking around the account options section. Look for anything with the words Log in or security.
Not sure whether a service supports additional authentication options? Check out the excellent 2FA Directory, an open-source project that maintains an exhaustive list of websites, with details on whether and how they support 2FA. If your service isn’t measuring up, and switching is an option, this is definitely the place to start.