The Palm Beach Post

Your password likely was stolen — here’s what to do

- By Geoffrey A. Fowler Washington Post

Pardon the interruption, but your passwords are leaking.

You’ve probably become numb to all the headlines about data breaches. But a website called haveibeenpwned.com will expose the horror they’ve wreaked on you.

Type in your email address and haveibeenpwned lists websites and apps where your own passwords have been compromised. (“Pwned,” pronounced like owned, is geek speak for conquered.) Try your family members’ emails and your favorite passwords, too. An Australian security guru named Troy Hunt spends his days looking in dark corners of the Internet to add hacked data to this free site. It now totals half a billion exposed passwords and 5 billion hacked accounts. Hunt can hardly keep up.

Aside from freaking out, what are you supposed to do?

We’ve gotten a lot of hard-to-follow password advice over the years. Change them every 90 days. Make them really long. Add in rAnDoM #@s! Hunt’s site proves one rule is more important than all the others in a world where breaches are unavoidable: Never, ever reuse a password.

It makes sense, if you think like a hacker. When they get their grubby paws on a password from one site, they go and try it on other sites. If you’ve used that password somewhere else, the bad guys may also have access to your email, your bank account ... your life.

Most security gurus I know use a password manager. It’s a program that keeps all your passwords in one digital safety deposit box. Aside from being the memory you wish you had, a password manager will save you time by typing in passwords for you across many different devices. And fresh updates are making these programs simpler and more useful than ever.

First, you have to stop clicking “yes” when your web browser asks “Would you like us to remember your password?” Enticing as it sounds, that doesn’t help your passwords stay up-to-date everywhere — on your office PC and your iPhone alike. Apple and Google both have their own password managers that pop up in Safari and Chrome, called iCloud Keychain and Google SmartLock, but they only work if you live in all-Apple or all-Google worlds.

After testing password managers that work across browsers and devices, I recommend one called Dashlane. It’s the one that’s simple enough you’re likely to stick with it, though its features are neck and neck with rivals 1Password and LastPass, which are also fine choices.

Dashlane, used by 10 million people, is free to try on a single device. You pay a subscription to make it securely sync up your passwords (and other secrets like credit card details and ID numbers) across your computer, phone and tablet. At $3.33 per month, Dashlane happens to be the most expensive of the three, but like the Apple of the password game, its design and customer service are worth it.

Dashlane also has been largely free of drama over its own security. You’d be right to wonder how safe it is to keep all your password eggs in one basket. All three of these companies keep your passwords encrypted behind a password they themselves don’t know — so that even if they get hacked, the data is mostly useless. They never send your password over the internet. In 2015, LastPass reported it was broken into, though it reported no passwords were stolen. There are no security guarantees, but I buy the argument that it’s OK to keep your eggs in one basket if it’s more secure than the basket you build on your own.

The biggest hurdle is changing your habits. With a password manager, you don’t memorize passwords, you retrieve them from an app. Let that sink in: You won’t remember your Gmail password anymore, but you’ll be better off because now your password can be a long bunch of gobbledygook that’s harder to crack.
