Recent hacks potentially compromised the passwords of hundreds of thousands of users of the popular website Gawker.com and millions of users of Trapster.com. Although a stolen password may be inconvenient, it’s no big deal, right? After all, the sites aren’t connected to your personal financial information.
But it is a big deal, and not because of what the bad guys do. It’s because most of us don’t practice good password management. Too often, we don’t bother to create a unique password each time a password is required. If you use the same password in more than one place, you could be putting your sensitive data at risk.
What to Do If Your Password Is Stolen
Although you can’t control the security practices of the websites you visit or the companies you patronize, you can take steps to protect yourself if you think your password has been compromised. Security experts advise following these steps when your password is stolen:
1. Change your password. This may seem like a no-brainer, but it’s not as simple as you may think, says Steve Santorelli, a former Scotland Yard computer crime detective who now works as director of global outreach for Team Cymru, a nonprofit Internet security research group. “Change the password of every other account that uses the same password. Then think about what data might have been exposed to the hackers,” he advises. “For example, if your email account was compromised, were there lots of personal emails in your inbox that contained further passwords and old reset emails for your other online accounts?” If so, change those passwords too.
2. Follow up with calls. If you think accounts with banks, utilities or other companies have been compromised, call to notify them. Keep a record of the calls and the names of the people with whom you spoke. “Write off the next few hours for this,” says Santorelli. “It’s a wise investment and will save you weeks of pain later cleaning up the mess.”
3. Let your email contacts know. Criminals may compromise your email account simply to harvest your contacts, so they can pretend to be you as they send your unsuspecting friends and family malware-infected links or scams. “The miscreants often reset your password and delete your contacts to prevent you from telling folks of the scam,” Santorelli cautions. “Keep backups of your contacts or use a service that keeps them on your behalf.” Then, if your account is compromised, spread the word. If you don’t have a backup list, use social media and call as many contacts as possible. “Start with those who are most likely to be taken in, such as elderly relatives,” he says.
4. Monitor bank and credit card statements. Carefully review activity on your accounts, and consider ordering a free credit report. In the U.S., visit AnnualCreditReport.com, the only website authorized by the government to provide you with a free credit report annually.
Use Strong Passwords
Of course, you’ll save yourself considerable headache if you simply use strong passwords. First, use a unique password each time you’re asked to provide one, says Michael Davis, CEO of Savid Technologies, a suburban Chicago-based IT consulting company and author of Hacking Exposed: Malware & Rootkits.
It’s not as difficult as you might imagine, says Davis. “Studies have shown that length is better than complexity. It’s better to have 20 characters that make sense to you,” he advises. So consider a favorite movie quote, part of a saying, or the punch line of a joke. You can use the first initials of each word or remove the spaces between the words, as in “Showmethemoney.” Find a way to integrate the name of the site where you need the password. For instance, you would incorporate Twitter somewhere in your Twitter password, but make sure the rest of the password is sufficiently complex and don’t use the same pattern on other sites.
“You shouldn’t have a simple password you use everywhere. If you use the same password, you’re in a bad spot if your password is stolen,” Davis says. “If you use a different passphrase every time you’re asked for a password, you won’t be affected.”
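To make the "length beats complexity" advice concrete, here is a small Python estimator (added for this article, not something Davis or Team Cymru published) that scores a password by the size of the search space an attacker would have to cover in a brute-force guess: characters in the password multiplied by the bits per character of the smallest character set that contains it. It also scores a word-based passphrase by dictionary size rather than by characters, since a passphrase built from common words is weaker than its character count suggests, and it strips the site name out before scoring so you can see whether "the rest of the password is sufficiently complex" on its own. The sample passwords and the 7,776-word dictionary size are constructed for the example.

```python
import math
import re
import string


def charset_size(password: str) -> int:
    """Size of the smallest union of standard character classes that covers the password.

    An attacker who knows nothing about the password has to try every
    character in every class it draws from, so this is the base of the
    search space. Returns 0 for an empty password.
    """
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if any(c.isspace() for c in password):
        size += 1  # count the space as one extra symbol
    return size


def brute_force_bits(password: str) -> float:
    """Character-level search-space size in bits: length * log2(charset size)."""
    n = charset_size(password)
    if n == 0:
        return 0.0
    return len(password) * math.log2(n)


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Word-level search-space size for a passphrase drawn from a known word list.

    This is the honest number for a phrase made of dictionary words: the
    attacker guesses words, not characters. 7,776 is the size of the
    common diceware-style list (an assumed figure, used only as an input).
    """
    return word_count * math.log2(dictionary_size)


def bits_excluding_site(password: str, site: str) -> float:
    """Score only the part of the password that is not the site name.

    The article suggests working the site name into each site's password;
    this gives no credit for that predictable part, so what remains must
    stand on its own.
    """
    remainder = re.sub(re.escape(site), "", password, flags=re.IGNORECASE)
    return brute_force_bits(remainder)


def compare(candidates: dict) -> dict:
    """Return {label: bits} for a set of candidate passwords."""
    return {label: round(brute_force_bits(pw), 1) for label, pw in candidates.items()}


if __name__ == "__main__":
    # Constructed samples: an 8-character "complex" password versus
    # longer, simpler ones of the kind the article recommends.
    samples = {
        "8 chars, all four classes": "P@ssw0rd",
        "14 chars, mixed case words": "Showmethemoney",
        "20 chars, lowercase only": "showmethemoneyjerrym",
    }
    for label, bits in compare(samples).items():
        print(f"{label:30s} {bits:6.1f} bits")
    print(f"{'4 random dictionary words':30s} {passphrase_bits(4, 7776):6.1f} bits")
    print(f"{'TwitterShowmethemoney minus site':30s} "
          f"{bits_excluding_site('TwitterShowmethemoney', 'twitter'):6.1f} bits")
```

Two things the numbers show. The 20 lowercase letters score far higher than the 8-character password with symbols and digits, which is the point Davis makes. But if those 20 letters are really four English words, the word-level score is closer to the 8-character one, so a memorable phrase still needs to be long and not a famous quote that sits in every guessing list.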
Kim Boatman is a Silicon Valley, Calif., journalist who writes about security and technology. She spent more than 15 years writing about a variety of topics for the San Jose Mercury News.