Suppose you have several accounts on websites and use the same password for each of them. According to haveibeenpwned.com, around 10 billion hacked online accounts from about 430 breached sites are currently known. If you are in the habit of reusing passwords, there is a high probability that you also use the same password for your email or bank account. For an identity thief, the password to your email is enough to x-ray your whole online life, reset the passwords of your other accounts through "forgot password" links and impersonate you on them.
People often do not realise how easy it is today to crack a password hash protected by a weak, fast algorithm such as MD5 or SHA-1. Cracking programs that use the computing power of graphics cards perform, even on a mid-range card, over 2 billion hash operations per second. Breaking a popular, well-known password with a dictionary attack takes seconds; adding a few special characters, changing the case or appending numbers costs the attacker only a few more minutes, because cracking tools apply exactly these mangling rules to every dictionary word. According to Wikipedia, "123456" held first place on the lists of most common passwords from 2013 to 2019. I am surprised that people still use such passwords.
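To make the point concrete, here is an added example (not code from the original post) of the dictionary-plus-rules attack described above, run against unsalted MD5 and SHA-1 digests. The "leaked" digests, the ten-word list and the mangling rules are all constructed for the example; a real attacker would use a multi-million-line wordlist and a GPU cracker, but the logic is the same: every case change, digit suffix and trailing symbol a user adds is a rule the cracker tries automatically.

```python
import hashlib
import time

# Constructed "leaked" hash list (example data, not from any real breach):
# unsalted MD5 and SHA-1 digests of weak passwords. The first two hex
# constants are the well-known digests of "123456" (MD5) and "password"
# (SHA-1); the third is derived in place so the example is self-contained.
LEAKED = {
    "md5": {"e10adc3949ba59abbe56e057f20f883e"},
    "sha1": {
        "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
        hashlib.sha1(b"Summer2019!").hexdigest(),
    },
}

# A toy wordlist standing in for a real one such as rockyou.txt.
WORDLIST = [
    "123456", "password", "qwerty", "summer", "welcome",
    "letmein", "dragon", "monkey", "football", "iloveyou",
]

# Mangling rules: the "tricks" people apply to a dictionary word. Crackers
# apply the same rules, so they add minutes, not years, to the attack.
DIGIT_SUFFIXES = [""] + [str(n) for n in range(1000)] + [str(y) for y in range(1990, 2026)]
SYMBOL_SUFFIXES = ["", "!", "@", "#", "$"]


def case_variants(word):
    """Return the distinct case forms of a word: as-is, Capitalised, UPPER."""
    out = []
    for v in (word, word.capitalize(), word.upper()):
        if v not in out:
            out.append(v)
    return out


def candidates(word):
    """Yield every mangled form of one dictionary word."""
    for base in case_variants(word):
        for digits in DIGIT_SUFFIXES:
            for sym in SYMBOL_SUFFIXES:
                yield base + digits + sym


def crack(leaked, wordlist, algo):
    """Recover plaintexts for a set of unsalted hex digests.

    Returns {digest: plaintext}. Because the hashes are unsalted, one hash
    computation per candidate tests it against every leaked digest at once.
    """
    hasher = getattr(hashlib, algo)
    remaining = set(leaked)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = hasher(cand.encode("utf-8")).hexdigest()
            if digest in remaining:
                found[digest] = cand
                remaining.discard(digest)
                if not remaining:
                    return found
    return found


def hashes_per_second(algo, n=200_000):
    """Rough single-core pure-Python hash rate, for comparison with GPU figures."""
    hasher = getattr(hashlib, algo)
    start = time.perf_counter()
    for i in range(n):
        hasher(str(i).encode()).digest()
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    for algo, digests in LEAKED.items():
        t0 = time.perf_counter()
        result = crack(digests, WORDLIST, algo)
        print(f"{algo}: cracked {len(result)}/{len(digests)} in "
              f"{time.perf_counter() - t0:.2f}s -> {result}")
    print(f"pure-Python md5 rate: {hashes_per_second('md5'):,.0f} H/s "
          f"(a GPU does billions)")
```

Note what makes this cheap: the digests are unsalted and the algorithms are fast, so one hash per candidate is compared against the whole leaked set at once. A salted, deliberately slow hash (bcrypt, scrypt, Argon2) forces the attacker to repeat the work per user and per guess, which is why it matters which algorithm a site uses, not only which password you choose.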
To avoid unpleasant surprises when your password turns up in a public data leak, follow a few rules.
- First, change the password as soon as possible after a leak of the database is published. A reliable source of such information is the already mentioned haveibeenpwned.com, which can also notify you by email when your address appears in a new breach.
- Second, do not use the same password on different websites.
- Third, use strong passwords: at least 16 characters, unpredictable and preferably randomly generated.
- Fourth, use two-factor authentication wherever possible.
- Fifth, change the passwords of the websites most important to you at least every three months. (Current NIST guidance in SP 800-63B no longer calls for forced periodic changes of unique, random passwords; what matters most is changing a password immediately when a leak or a compromise is suspected.)
It may be hard to remember a random 16-character password, but that is what password managers are for. One of the most popular, secure, cross-platform and open-source ones is KeePass. With a simple interface and a built-in password generator, it lets you give every account its own strong password. The database is protected by a master password, a key file or both, so you need to remember just one password instead of many, or keep the key file in a safe place on a digital medium such as a pendrive or memory card, which can additionally be encrypted beforehand with e.g. VeraCrypt. Make regular backup copies of the password database (.kdbx): after a system crash or disk failure, every stored password is otherwise lost.
A useful alternative is KeeWeb, a free cross-platform password manager compatible with the KeePass database format. It can load a KeePass database from services such as Google Drive, OneDrive, Dropbox or via WebDAV. A plugin checks passwords against the haveibeenpwned.com API, which ensures that a chosen password does not already appear in known public leaks.
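The two pieces of the advice above that a practitioner may want to see in code are the random password generator (rule three) and the leaked-password check that the KeeWeb plugin performs. The following is an added example, not code from KeePass, KeeWeb or the original post. It generates a 16-character password from the operating system's CSPRNG and checks a password against the Pwned Passwords range API the way such a plugin does: only the first five hex characters of the password's SHA-1 are sent, and the rest of the match is done locally (k-anonymity). The `OFFLINE_RANGES` table is a constructed stand-in for the API response so the example runs offline; `fetch_range_live` shows the real request against `https://api.pwnedpasswords.com/range/<prefix>` and is not called by default.

```python
import hashlib
import math
import secrets
import string
import urllib.request

# 94 printable ASCII characters: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG, as a password manager's generator does."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length=16, alphabet=ALPHABET):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def range_query_parts(password):
    """Split SHA-1(password) into the 5-hex-char prefix that is sent to the
    API and the 35-char suffix that never leaves the machine (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, fetch_range):
    """How many times the password appears in Pwned Passwords (0 = not found)."""
    prefix, suffix = range_query_parts(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix):
    """Real lookup over the network: GET https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API so the example runs offline. 5BAA6 is the
# real prefix of SHA-1("password"); the count and the two other suffixes are
# made up for the example.
OFFLINE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        + "0" * 34 + "A:2\r\n"
        + "F" * 35 + ":17\r\n"
    ),
}


def fetch_range_offline(prefix):
    """Offline fetcher: an unknown prefix returns an empty range, like a miss."""
    return OFFLINE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    print("password ->", pwned_count("password", fetch_range_offline), "occurrences")
    pw = generate_password()
    print(f"generated {pw!r}: {entropy_bits():.1f} bits, "
          f"seen {pwned_count(pw, fetch_range_offline)} times")
```

To check a real password, pass `fetch_range_live` instead of `fetch_range_offline`. Even then the full password, and the full hash, stay on your machine; the API only ever sees the five-character prefix shared by roughly a million other hashes.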