Best practice, and practical practices, for passwords.
One of the most common questions I get asked on the job is, “Do I really need a different password for everything?” Short answer: yes, that is considered best practice. A different password for everything means that if one account is compromised, the intruder doesn’t already have the password for any other account.
It’s also best practice to floss your teeth daily, change your engine oil every 3,000 miles, wash your bed sheets weekly, exercise 30 minutes a day…
I like to find a realistic median that I feel is easier to follow so that it’s more likely for my clients to adhere to it and therefore keep their accounts pretty safe. Because if you’re at least changing your oil every 6,000 miles or flossing twice a week, it’s still a lot better than not doing anything at all right?
So one last time, I want to emphasize that this is not considered best practice. But of the thousands of clients I have had, I would honestly say that less than 5% follow best practices. More than 20% use the same couple of passwords for everything. And everyone else lies somewhere in the middle trying to do the right thing but getting frustrated at how difficult it is, so they end up cutting corners. I don’t blame them.
These are more like guidelines that allow you to cut some corners while keeping the support beams in place so that if something breaks, you can slap some putty over it without the whole place coming down.
So here are whatsIT’s PRACTICAL practices for passwords, in order of importance.
1. Every email password should be unique.
Why is this rule #1, over rule #2? Because if someone gets the password for something involved in rule #2 and tries to log in from another device, it’s going to be authenticated or verified with either your phone number or email.
It is critical that no one has access to your email at any point, but also that no one has access to your email in conjunction with any other online account.
Let’s play out two different scenarios for a very real situation I have personally seen happen.
Situation: An intruder gets access to a non-essential account, like Netflix, because your password was leaked during a breach. They try to change the password, phone number, and email address on the Netflix account (but not the billing, because obviously, they want you to keep paying for it).
Scenario 1: You get notified via email that someone tried changing your Netflix password. Since it wasn’t you that was changing the password, you log in to Netflix (by typing www.netflix.com into your trusted browser, not by clicking email links) and change the password. Crisis averted!
Scenario 2: Since Netflix uses your email as the username to sign in, the intruder already has your email address. And because they know that Netflix will verify a password change via email (this isn’t their first rodeo after all), they try to sign into your email using the password they already have. Guess what! It worked! The intruder then changes your password, email, and phone number linked to the account without you realizing it because they delete the emails before you even see them.
At first, you don’t notice, because the intruder who hijacked your Netflix account left your email password alone and didn’t tell Netflix to log out of any current sign-ins. However, in a few months, you get a message that too many people are watching Netflix at one time. That’s strange; there are only two of us using it. You go to log in to www.netflix.com, but it says an account doesn’t exist with that email address. This is getting weird… You try to log back into your TV Netflix app just to be sure, but it gives you the same error now. What is going on? You decide to just sign back up for Netflix and start over. It obviously has to be a hiccup, right? In a few more months you decide to check your billing and notice you’re paying for 2 Netflix subscriptions now, and one of them is way more expensive (the intruders switched it to the best plan). You call your bank and they tell you they can block Netflix charges, but that means you won’t be able to charge your real Netflix account to your bank either. You call Netflix instead and they are able to see that your card is indeed linked to 2 different accounts. They remove the old account and suggest you change your password. Everything is fixed! Right?
Wrong. That intruder has your email password; you don’t really think they just threw it away, do you? With access to your email password, we just opened a Tremor-sized can of worms.
With your email compromised there are several bad situations that can happen.
- In your email settings, there is typically a place where you can set up forwarding. Savvy scammers will set this up to forward your emails to themselves, unbeknownst to you. Even if you change your email password later and they can’t get back in, it doesn’t matter, everything is forwarded to them already.
- The scammer can start trying to sign into different websites, hitting that “Forgot Password” link, which will send a link or code to your email and allow them to change the password and get into your accounts. Even if your inbox syncs every 5 minutes, you still may not realize you received an email if the scammer is fast enough.