Over the weekend I ran a security check on my computer. One of the startling results was the report by my password manager that I had many dozens of "compromised passwords."
After my pulse returned to something resembling normal, I looked a little more closely at the report. What they were not saying, I had to figure out, was that dozens of my accounts had been compromised. They only meant that the password that my password manager is storing for some websites was among the passwords found in someone's data breach.
I looked through the list of affected websites in my password manager and had an Aha! moment: virtually all of them are sites where I use a "throwaway" password. That is, I'm interacting with a site and they insist that I create an account, and I end up using the same password over and over. For example, I've done this for some sites that I intend to visit only once.
This is a bad idea, and I should know better. Reusing passwords is a big security risk.
Think about how this works: you use the same username and your throwaway password for a number of sites. One of the sites is breached, and your password and username fall into the hands of people with mal intent. These people then try your username+password combination on hundreds or thousands of sites. In my case, for example, they could have gotten access to dozens of sites that way.
I like to think that I've reused my throwaway password benignly, only for "unimportant" sites. But I can see in retrospect that even if the sites have no commercial value, someone could impersonate me on those sites and do some sort of mischief.
But I think we can also imagine many people using the same password not just for benign sites, but for important sites. This is one way that people's social media accounts get hacked.
So, in part for my own benefit, let's review some security practices that everyone (me, too) should be following:
Don't use the same password on different sites. As explained earlier.
Use a strong password. A strong password is one that's long and random. It doesn't mean just substituting numbers or punctuation in a word (like
S3att!e). A decent approach is to use a passphrase rather than password: not just a string of characters, but a string of words. The longer the phrase, the more "entropy" it was, meaning that it's harder to crack. Many people know the xkcd cartoon that explained this beautifully:
Of course, the site has to allow this. A surprising number of sites still prohibit spaces or have a too-short maximum password length. And the "strong test" that some sites show you as you're creating a password isn't necessarily very good, so don't take their word for it.
Use a password manager. One reason people reuse passwords is so they can remember them. Use strong passwords, as noted, and then let a password manager do the remembering. You just have to remember one password, namely the one for the password manager. (Use a strong password for that, please.)
If a site offers it, use two-factor authentication. Two-factor authentication (2FA) is where you have to provide both a username+password and a one-time password (OTP) that they send you in email or text message. 2FA isn't perfect, but it's better than username+password alone.
Among 2FA options, a good one is a hardware key, like those offered by Yubico. For this, you have a little thing that looks like a USB dongle; as part of your login, you have to touch the key. Hardware keys aren't supported on many sites yet, but you can use them on some important ones, including Gmail. (Full disclosure: we use hardware keys at work.)
Use security questions wisely. In 2008, Sarah Palin was famously hacked by someone who got answers to her security questions by studying her biographical data. The answers to your security questions are probably not that hard to find either—for example, how fast do you think someone can discover your mother's maiden name or your high school mascot? (Many social-media questions and polls seem designed to solicit information that can be used to answer security questions.)
If a site insists that you have to set up security questions, you can create answers that are meaningful to you but that aren't easily guessable. As the simplest possible approach, just lie. Just remember what your lies are. :) A more sophisticated approach is to devise an algorithm for yourself that you always use. For example, maybe you take the first letters of the question and use those as an answer. If the question is "What is your mother's maiden name?," your answer could be WIYMMN. (Don't use this particular algorithm, please.) Or you do something with numbers or whatever. The idea is just to have something that you can reproduce many months hence but that isn't guessable.
Get rid of accounts you're not using. Did you set up an account on Pinterest or Coursera or the Los Angeles Times but you never use it? Delete the account. No password worries then for that account.
And finally, lock down your main email account as tightly as possible. When there are changes to your accounts, like a password change, you often have to confirm them via email. But if your email account has already been compromised, the game is up.
I guess I'll also note that I don't let websites store my credit card number. The only company I really trust is Amazon, in part because during my time there, I was impressed with the level of paranoia that they have about security issues, haha. But if J. Random Website offers to store my credit card info, no thanks.
If you want more details on all of this, I highly recommend a whitepaper written by a couple of the solutions architects at work: Modern password security for users (PDF). They have great ideas about strong passwords, about how to handle security questions, etc.