Passwords are hard to use…
Too often, people are forced to choose between creating passwords that are easy to guess and passwords that are easy to remember. The problem becomes even worse when you consider the number of passwords a person uses from day to day, to access almost everything in their personal and professional lives.
The temptation is to use the same password for everything, perhaps with minor changes to get past all the different password security restrictions that require a certain number of letters, numbers, and special characters.
When a website is hacked, the email addresses and passwords of its users are often downloaded and sold to other hackers. There are some protections in place against this, but many times they aren’t strong enough and the passwords can be recovered anyway. Hackers then try these usernames and passwords against many other websites (an attack known as credential stuffing), hoping to find a person who has used the same password on both sites.
LinkedIn was breached in 2012, and a list containing 164 million usernames and passwords was stolen and passed around a worldwide black market a few years later. To this day, hackers will look up people on this list, find where they’re currently employed, and then try their old LinkedIn password against their employer.
Luckily, there is a tool to check whether you appear on any of these lists. Troy Hunt from Queensland created HaveIBeenPwned, a website where people can look up their email address or username and it’ll tell them if any of their passwords have been compromised.
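The check described above can also be done for a password itself without sending the password anywhere. HaveIBeenPwned’s Pwned Passwords service does this with a "range" lookup: the client hashes the password with SHA-1 and sends only the first five hex characters; the server returns every known hash suffix with that prefix, and the match happens locally. The example below is added here to illustrate that model and is not code from the article or from HaveIBeenPwned; `fake_fetch_range`, `_CONSTRUCTED_BREACHED` and the counts are constructed stand-ins for the real API and its data.

```python
import hashlib

SHA1_PREFIX_LEN = 5  # the range lookup keys on the first 5 hex chars of the SHA-1

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range lookup uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(full_hash: str) -> tuple[str, str]:
    """Split into the 5-char prefix (sent to the server) and the 35-char suffix (kept local)."""
    return full_hash[:SHA1_PREFIX_LEN], full_hash[SHA1_PREFIX_LEN:]

# Constructed breach corpus for this example: passwords and how often they were "seen".
# A real service never holds plaintexts; this exists only to build the fake range store.
_CONSTRUCTED_BREACHED = {"password": 3_000_000, "linkedin2012": 1200, "letmein": 50_000}

def build_range_store(breached: dict[str, int]) -> dict[str, str]:
    """Group hashes by prefix into range bodies of 'SUFFIX:COUNT' lines, as the API returns them."""
    store: dict[str, list[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        store.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in store.items()}

RANGE_STORE = build_range_store(_CONSTRUCTED_BREACHED)
REQUEST_LOG: list[str] = []  # records exactly what the client sends out

def fake_fetch_range(prefix: str) -> str:
    """Constructed stand-in for the HTTP range request; serves the local store."""
    REQUEST_LOG.append(prefix)
    return RANGE_STORE.get(prefix, "")  # unknown prefix: empty body, nothing matches

def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a lookup table; blank or malformed lines are skipped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appears in the corpus; 0 means not found.
    Only the hash prefix leaves the machine; the suffix comparison is local."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate))
```

A non-zero count means the password is already in attackers' lists and should be treated as burned, however strong it looks.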
While it is important that passwords be strong and secure, it is arguably more important in today’s world that they be unique. This is why a password manager such as LastPass or 1Password is such an important tool to have in your toolkit. A password manager will create secure passwords for you, one (or more!) for each website or service you need, and store them encrypted with one “master password”. This lets you have the best of both worlds: the security of randomly generated and unique passwords, with only the one password to remember.
It is also useful to enable Multi-Factor Authentication. This makes a credential stuffing attack less dangerous, as the service then requires both the password and a secondary time-based code before it will allow a person to log in.