Do you have one password that you use on many different systems and sites? Or maybe three passwords that you juggle around? Did you know that one of the most common ways of accessing your accounts is to try a password from another site that was hacked? Did you know there are probably already lists online that contain your password?
Until we move over to a password-free society, managing your passwords is important to having a safe online presence. Regularly using the name of your pets, children and partners and adding numbers at the end is human but ill-advised.
The average consumer in 2017 has 118 online accounts, all of which require login credentials, and 8 out of 10 people use the same password on multiple sites. Worse still, 55% use the same password on all sites and 76% of data breaches are from stolen login information. — ITSP Magazine
Have your e-mail address and password already leaked?
My e-mail address has been part of more than 20 known data breaches according to the services Firefox Monitor and Have I Been Pwned. But I’m generally calm about this, because in my case being “hacked” on one service does not open me up to being compromised on other services.
The two services listed below search public data breaches since 2007. Use them to check whether your e-mail address is part of a leak or break-in, and also to subscribe to alerts in case your e-mail is found in future data breaches. By then you will have followed the advice on this page, so you only need to change that one unique password. Because you won’t use the same password in two places, right?
A word to the wise
Activate 2-step verification for your web e-mail.
This means that in addition to your password you will need to enter a code that is sent via an app, or text message, when you log in. This extra step essentially stops anyone from logging in unless they have your password and your phone, and the ability to unlock your phone. Remember, when you reset passwords this process is most commonly routed through your e-mail. If someone else gains access to your e-mail you can find yourself in trouble…
See more below on activating 2-step-verification (also known as 2-factor authentication, or 2FA).
Use a password manager
People always tell you not to use the same password in two places, right? And you’re like “Are you kidding me with that, how am I supposed to remember 27 different passwords!?” Well, if you use a password manager you only need to remember one (but you really, really have to remember that one). A password manager can work both as software on your computer and as an app on your phone (and sync your passwords between these), and it generates unique, secure passwords when you need them. Password managers can also fill in your complex password for you if you use a browser plugin. My own go-to password manager is Dashlane, but there are many to choose from.
Update November 2019: The password manager Bitwarden comes highly recommended, with a version for individuals that is free for life.
Direct links to pages for changing your password
The task of changing passwords can be tedious, because you have to remember what services you use and then find the link to wherever you change your password. I’ve listed some common services below and linked to the password page for each of them. You will need to think about what other services you use and which need a password change.
- Microsoft (also Skype/Hotmail/Outlook)
Activate/handle 2-step verification
Two-step authentication applies an additional password, or key, to your login. This can be a text message sent to your phone with an additional code, or even better you may choose to have the password generated by an app. I cannot stress enough how important it is to have this activated for your e-mail. Pro tip, if you use your phone number: make sure you have a backup phone number stored in case your phone gets stolen.
Note that the names can differ: 2-step verification, 2-factor authentication (2FA) or Login approvals. The principle is the same for all.
Log out of other devices / sessions / apps
If someone already used your password to log in they may have an active session on your account. To be safe, you can log out of all devices other than the one you are using. Also, remove access to any apps/services you may have approved in the past but aren’t using.
Another reason to do this is if you used a public computer and forgot to sign out when you left the computer for another person to use. If you sell a device you will also want to “disassociate” it from your accounts.
- Apple (in this case remove associated devices in iTunes)
- Facebook / Connected apps
- Google / Connected apps / Connected service
- Microsoft / Account activity
- Twitter / Change password and revoke access to any apps you aren’t using
- LinkedIn (You need to change password)
If you’ve gone through the list you can now breathe a sigh of relief. Also, you know, don’t let anyone steal your phone.
Want to learn more?
The alternative search engine DuckDuckGo has a privacy-focused newsletter with accessible information on making more considered decisions when your private information is at stake.
Let’s be careful out there.
If you want to support Per's work in educating and advocating for more compassionate, inclusive and safe digital services you can Swish (in Sweden), donate via PayPal or become a subscriber (yearly or monthly) ❤️