If you’re lucky, you hear it from the company. If you’re not, you hear it on the news. If you’re really unlucky, you never hear about it at all! A company you do business with has been hacked, and your password may have been compromised. So what do you do?

First, as The Hitchhiker’s Guide to the Galaxy says, don’t panic! In most cases, what this means is that someone may or may not have a cryptic blob of text that is associated with your user name. This blob of text is called a hash, and if it’s a good one, it will be very difficult for someone to reverse engineer it to get your password. There are some things you can do to make it even more difficult for them, though.

For well-hashed passwords, the only way to get the original password is to a) guess it, or b) brute force it. It may be easier than you think for someone to guess your password. Is it a series of adjacent keys? Your favorite sport? Favorite animal? Dream car? Eighth grade boyfriend’s name? Yeah, so is everyone else’s. To prevent your passwords from being easy to guess, don’t use words or names, or even famous phrases (trustno1, anybody?) in your passwords.

To prevent it from being brute forced, make your password long. No, longer. No, even longer than that! This is why many sites require you to have a password with a minimum length. (I don’t know why they require you to have a password with a maximum length. That’s terrible.) I did a hash-cracking project a few years ago, and to even be close to non-brute-forceable (by me, an amateur), a password needed to have more than 8 characters. That number can only go up as CPUs and GPUs get faster and storage density goes up. Another factor in the brute force method is the character set used. I hope your password already includes upper and lower case letters and numbers. If special characters are allowed, throw some of those in, too.
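To put numbers on the two attacks above (guessing a common or keyboard-pattern password versus brute forcing by length and character set), here is a small strength estimator added for this post; it is not the author’s code. The common-password list, the keyboard rows and the guess rate of ten billion hashes per second are constructed assumptions, not measurements.

```python
import math
import string

# Constructed sample of passwords an attacker would simply guess (assumption).
COMMON = {"password", "123456", "qwerty", "trustno1", "letmein", "asdfgh"}
# Adjacent-key runs, as the post describes ("a series of adjacent keys").
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
# Assumed guess rate against a fast, unsalted hash: 1e10 guesses/second.
GUESS_RATE = 1e10


def charset_size(pw):
    """Size of the smallest standard character class set covering pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return size


def is_keyboard_run(pw, min_run=4):
    """True if pw contains min_run adjacent keys from one row (either direction)."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_run + 1):
            frag = row[i:i + min_run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def assess(pw, rate=GUESS_RATE):
    """Classify pw as guessable, or estimate average brute-force time in seconds."""
    if pw.lower() in COMMON or is_keyboard_run(pw):
        return {"verdict": "guessable", "bits": 0.0, "seconds": 0.0}
    size = charset_size(pw)
    bits = len(pw) * math.log2(size)        # keyspace entropy in bits
    seconds = (size ** len(pw)) / 2 / rate  # on average half the keyspace is searched
    if seconds < 86400:
        verdict = "brute-forceable within a day"
    elif seconds < 365 * 86400:
        verdict = "brute-forceable within a year"
    else:
        verdict = "impractical to brute force at this rate"
    return {"verdict": verdict, "bits": bits, "seconds": seconds}
```

Adding three characters and a special symbol to a nine-character mixed-case password moves it from days to millennia at the assumed rate, which is the whole argument of the paragraph above.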

You also should never, ever use the same password for multiple accounts. Why? Because if your password is compromised from a site with poor security (like, say, social media application company RockYou), you don’t want that plaintext password that’s now posted online to also be your online banking password.

So you can’t use words or names, but it has to be really long. You have to use weird characters. And you have to have a whole new one for each of the jillions of websites you use. Oh, and did I mention that you should change them all periodically? This is getting to be a Sisyphean task.

photo credit: Stupid DRM via photopin (license)

Well, current best practice is using a password manager. I know, I know, they may have gotten some bad press lately. But if you read beyond the headlines, it’s not as dire as it sounds. There are even password managers that never store any of your data anywhere but on your own computer. (But bear in mind, that means that your data is only on your computer. No backups.)

A good password manager should ensure that only you have access to all your passwords. Yes, there is one (hopefully) long, strong password that rules them all, but one password is much easier to change (and remember!) than all of them.

How to find a good password manager? I’m glad you asked. Lifehacker made a good list of the best ones. Read about them. Think about where and how you need to use it. Do you need a mobile version? Cloud backup? Password generation? Try them out. Pick the one that’s best for you.

With your new password manager and good password hygiene, news about a site you use being hacked can be more of an inconvenience than a disaster.