It is now rare that a month goes by without a significant data breach being disclosed or discovered. The most recent event I have been reading about is the “Collection 1” data breach. My company, family and friends look to me for guidance when they hear about these events, so they know what they should do and how urgently to take that action. At times, I feel that I am becoming desensitized to these events because of their frequency, magnitude and how many of them don’t appear to directly affect systems on which I have personal accounts. But I do not want to be complacent.
In this post I explain how I use reported data breaches as a trigger to prioritize the improvements I make in securing access to my personal accounts. The article assumes you use a password manager. I use 1Password, but the technique should apply to most non-browser password managers.
For me, the most valuable characteristic of using any password manager is that it becomes easier to use unique, complex passwords instead of variations on a theme around your favorite passphrases, e.g. mypet, mypet1, MyPet!, etc. None of us were born using a password manager – we all have a past that we’d like to improve upon. To help with this, 1Password provides a feature named Watchtower which identifies weak, reused and vulnerable passwords. Watchtower analyzes the passwords you use: it compares them to each other to find reuse, checks them against built-in password strength rules, and matches them against external sources of breached password data, such as Collection 1.
Now, when I read about a disclosed data breach or newly discovered data set of exfiltrated credentials, I use that as a reminder to work through Watchtower and address a few of my own weakest, oldest or most vulnerable passwords. When I do this, I try to carve out enough time to make a few improvements – 3 to 5 typically. I’d like to have the time to do more, but I have resolved to do something small rather than feel like the problem is insurmountable. While I was reviewing Watchtower findings as part of this post, I changed passwords on about 10 of my accounts. I also deleted the accounts for a few services which I no longer use, which is more about good privacy hygiene (more on that in a future article).
If you use a different password manager, you may be able to use other features to help you decide which passwords to cycle first. For example, you might be able to identify the accounts you use most frequently or the accounts whose entries were modified furthest in the past. Even if you don’t have access to these features, you probably remember which passwords date from before you started using a password manager.
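The three Watchtower-style checks described above (reuse, strength rules, breached-password matching) and the "oldest entry first" prioritization from this paragraph can be reproduced against a plain export of your own vault. The script below is an added example written for this post; it is not 1Password's code and does not reproduce its scoring. It assumes a constructed CSV export with `title`, `password` and `modified` columns, a deliberately simple length-and-character-class strength rule, and a small constructed set of SHA-1 digests standing in for a breach corpus (real breach-check services publish hashes, not plaintext, and are queried by hash prefix rather than downloaded wholesale). The sample passwords are made up and intentionally weak so that every check has something to flag.

```python
import csv
import hashlib
import io
from collections import Counter
from datetime import date

# Constructed sample export (assumption: title,password,modified columns).
SAMPLE_EXPORT = """title,password,modified
Email,mypet1,2014-03-02
Shopping,mypet1,2016-07-19
Bank,Q7v!kL2#pXwZ9mTb,2019-01-15
Forum,MyPet!,2013-11-30
"""

# Constructed stand-in for a breach corpus: SHA-1 digests of leaked passwords,
# never the plaintext, mirroring how breach-check services distribute their data.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("mypet1", "password", "123456")
}

# Fixed "today" so the age calculation in the sample is reproducible.
TODAY = date(2019, 1, 20)

# Rank used to order findings: a password known to be breached beats one that is
# merely reused, which beats one that is merely weak.
SEVERITY = {"breached": 0, "reused": 1, "weak": 2}


def sha1_hex(password):
    """Hex SHA-1 of a password, upper-cased to match the breach set's format."""
    return hashlib.sha1(password.encode()).hexdigest().upper()


def is_weak(password, min_length=12, min_classes=3):
    """Toy strength rule (assumption, not a password manager's real scoring):
    flag anything short or drawing on fewer than three character classes."""
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    return len(password) < min_length or classes < min_classes


def audit(export_csv, breached_hashes, today):
    """Return findings for every entry that is breached, reused or weak,
    ordered by severity and then by how long ago the entry was last modified,
    so the list reads as 'what to rotate first'."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    usage = Counter(r["password"] for r in rows)  # reuse = same secret in >1 entry
    findings = []
    for r in rows:
        pw = r["password"]
        reasons = []
        if sha1_hex(pw) in breached_hashes:
            reasons.append("breached")
        if usage[pw] > 1:
            reasons.append("reused")
        if is_weak(pw):
            reasons.append("weak")
        if reasons:
            age_days = (today - date.fromisoformat(r["modified"])).days
            findings.append({"title": r["title"], "reasons": reasons, "age_days": age_days})
    # Most severe first; within the same severity, the entry untouched longest first.
    findings.sort(key=lambda f: (min(SEVERITY[x] for x in f["reasons"]), -f["age_days"]))
    return findings


def run_sample():
    """Audit the constructed export; used for the stand-alone run below."""
    return audit(SAMPLE_EXPORT, BREACHED_SHA1, TODAY)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['title']:<10} {', '.join(f['reasons']):<24} last changed {f['age_days']} days ago")
```

Running it lists Email and Shopping first (same breached, reused password, oldest entry on top), then Forum (short, but not in the breach set and not reused); the Bank entry produces no finding. Working from the top of such a list a few entries at a time is exactly the "3 to 5 per breach announcement" habit described above.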
As well as my personal accounts, I also think about how I can best advise members of my family, across the generations. That’s a more difficult proposition due to different levels of technical expertise and patience with electronic devices. I’m trying to instill lifelong security hygiene practices in my children and convince them that the effort is worth it. Hopefully this will put them in a better position than I am in – they’ll need it.