Candid Wüest, VP of Cyber Protection Research, Acronis on World Password Day



Data breaches seem to have become an everyday occurrence. What this means is that our sensitive data, including account credentials, are more likely than ever to find their way into public view. Even if only a username or only a password was leaked, it can still be used with a dictionary list of common passwords, or data from another leak, to find the correct combination of username and password. From there, all an attacker needs to do is throw the password in as many accounts as possible, and they are likely to find something that lets them in. This is why password reuse is so dangerous. If your password is leaked or easily guessed, you may have multiple accounts compromised before you even know it happened.

As a bare minimum, it is time for anyone who isn’t already using a password manager to find one and start using it. I personally have over 450 different passwords, but only have to remember the one to my password manager, and the ones for each computer I log into. If one of my passwords gets leaked, it won’t help an attacker get into any of my other accounts. Complex passwords that are not short will also make it significantly harder for cybercriminals to crack them. With those in place, I also recommend enabling multi-factor authentication (MFA) wherever it is available. Many password managers are also incorporating MFA into their service, so you don’t need different apps for your passwords and your MFA tokens. It may be a change in mindset to implement these processes, but a slight shift in how we log in will significantly increase the level of difficulty for an attacker attempting to access our accounts.

Additionally, I recommend performing regular password maintenance. When using a complex password that is not reused, this does not necessarily mean going through and changing all of your passwords, but rather reviewing the accounts you have passwords for, and removing any accounts you no longer need. Keeping your passwords to a minimum can also decrease the chances of your usernames and email addresses being stolen. Using a U2F key, which is a physical device that connects to the computer, and biometrics can also add a level of complexity to your credentials. However, it is important to keep in mind that physical keys can be lost or stolen, and biometrics are really more of a username than a password, as you cannot change them.

