New Year, New Passwords.
If you understand why changing your passwords at least annually is important, the logic behind proactively doing it at the same time each year, and have that time of year scheduled, stop reading now and do something to congratulate yourself for being awesome! Everyone else, read on.
If you are still with me, you are like me. I understand why changing passwords is a good idea... but it is a huge pain in the password. The threat of credential theft is an abstract idea. It only happens to other people. Plus, I use two-factor authentication. Even if someone got my password, they don’t have my phone--I’m safe. Most importantly, I really like the “PhiAlpha1856” password I created in college!
To be honest, that used to be me. I changed my tune in the past week. I did have a favorite password. (No, it was not “PhiAlpha1856.”) It was my password for everything for a long time. There were a few variations to meet different requirements, but in general it was the key to my kingdom. My life was not the same when I had to change my iTunes password last year. A couple of weeks ago, I was able to change it back. I literally jumped for joy... Within 4 hours, Apple notified me that someone had attempted to log in to my account from China. I got the same notification 3 times that day before I caved and changed it again.
I couldn’t understand it. I’m careful. I don’t use public computers. I’ve never fallen for a phishing scam. How did someone in China have my password? That is where HaveIBeenPwned.com came into my life. HaveIBeenPwned ("pwned" is web speak for “owned,” as in “taken,” “beaten,” “had”) collects usernames and passwords exposed in data breaches and aggregates them in a searchable format. I learned that my email address had been stolen in eight separate hacks, and my password was taken in unencrypted form in at least 5 of those hacks. My favorite password appeared in their database 141 times. I was shocked. More research into security revealed that even two-factor authentication is vulnerable. Phishing sites can relay codes in real time. Even more concerning is the phenomenon of SIM swapping, the relatively easy process of taking ownership of your phone number!
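The "how many times has this password been seen" lookup described above can be done without ever sending the password itself: HaveIBeenPwned's Pwned Passwords range API accepts only the first five hex characters of the password's SHA-1 hash and returns every known suffix with a count, so the match is made locally. The following is an added example, not code from the post or from HaveIBeenPwned; the sample API response is constructed, and the network fetch is optional so the matching logic can be run offline.

```python
import hashlib
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords k-anonymity range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response (SUFFIX:COUNT per line).
# The first line is the real SHA-1 suffix of the string "password";
# the counts are made up for this example.
SAMPLE_RANGE_BODY = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:7
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char
    prefix that is sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means not in any known breach."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the real range for a hash prefix (needs network access)."""
    req = Request(PWNED_RANGE_URL + prefix,
                  headers={"User-Agent": "pwned-password-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """Return how many times the password appears in breach data.
    Only the 5-character hash prefix ever leaves this machine."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response body.
    print(pwned_count("password", fetch=lambda p: SAMPLE_RANGE_BODY))
```

Pass `fetch=fetch_range` (the default) to query the live service; a non-zero count is the signal to retire that password everywhere it is reused.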
I’m a realist. I know that few people will create completely different passwords for every single email address, website, network, and document. It is the best practice, but in practice it is impractical. At the very least, we should all take this time of year to change that favorite password to something less sentimental and more secure. If you would like to make your life as secure as possible, invest in a password manager. It is worth it. I know that LastPass and 1Password are integrated with the newest iOS and allow you to use Face ID or Touch ID to log in not only to websites but also to apps. Both of these applications will create unique, random passwords for you and manage them all behind a single master password.
Changing your credentials may be a pain in the password, but it is infinitely easier than recovering your life once you've been hacked. Make changing your passwords annually one of the resolutions you actually achieve!
P.S. Any ΣΑΕ alumni out there still rocking “phialpha1856” as their password, it appears in the haveibeenpwned database 98 times.