Last week, 530,000 Zoom accounts and passwords were for sale on the dark web (5 for a penny). Investigators think that the accounts were not ‘hacked’ or stolen from Zoom or exposed by a vulnerability. Instead, the account list was likely created from an old data breach, using a technique called credential stuffing: the crooks take known email address and password pairs and try them on other services.

This event is a good reminder that reusing passwords is bad. If one of your accounts has a data breach, or your password gets hacked by other means, the bad guys will try that account name and password on every other site they can. If you have reused that compromised password, you are now in a race with the credential thief to change your password at every service where you used it.

Our guidance on passwords:

One password per service – Keep them unique. This is hard to do but critical to limit damage when one of your accounts gets hacked, phished, or otherwise compromised.

Longer is better – But only if you follow other good practices. ThisIsMyPassword is long, but it’s not a good password!

Random is better than predictable – dgr4&J2Q is better than Thing1&Thing2

The most likely way your password will get to crooks these days is through a data breach or directly from you via a phishing attack. The strongest password doesn’t help much once the bad guy has it. That’s what makes sharing passwords between sites so bad. Let’s say that you were tricked into signing in to a fake Facebook login page. Now the bad guys have your info and can try your Facebook login at all of your other accounts.
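The guidance above can be checked mechanically against your own list of logins. The following Python sketch is an added example, not part of the original post: it finds which services share a password, lists what you would have to change if one service were breached, and flags passwords built from words or repeated tokens. The vault entries, the word list and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import defaultdict

# Constructed sample vault (service, password); not real credentials.
VAULT = [("zoom", "Thing1&Thing2"), ("facebook", "Thing1&Thing2"),
         ("bank", "dgr4&J2Q"), ("email", "ThisIsMyPassword"),
         ("forum", "Thing1&Thing2")]
# Tiny constructed word list; a real audit would load a large dictionary.
COMMON_WORDS = {"this", "is", "my", "password", "thing", "welcome"}


def _fingerprints(vault):
    """Map each service to a keyed digest so comparisons never use plaintext."""
    key = os.urandom(32)  # per-run key: digests are meaningless elsewhere
    return {s: hmac.new(key, p.encode(), hashlib.sha256).digest()
            for s, p in vault}


def reuse_groups(vault):
    """Return sorted groups of services that share one password."""
    groups = defaultdict(list)
    for service, fp in _fingerprints(vault).items():
        groups[fp].append(service)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def exposed_by(vault, breached_service):
    """Other services whose password must change if this one leaks."""
    fps = _fingerprints(vault)
    leaked = fps[breached_service]
    return sorted(s for s, fp in fps.items()
                  if fp == leaked and s != breached_service)


def is_predictable(password):
    """Heuristic: True if built from listed words or a repeated token."""
    # Split into alphabetic tokens at case changes, digits and symbols.
    tokens = re.findall(r"[A-Z]?[a-z]+|[A-Z]+", password)
    words = [t.lower() for t in tokens if len(t) >= 2]
    if len(words) != len(set(words)):
        return True  # same token twice, as in Thing1&Thing2
    return any(w in COMMON_WORDS for w in words)


if __name__ == "__main__":
    print("shared passwords:", reuse_groups(VAULT))
    print("change if zoom leaks:", exposed_by(VAULT, "zoom"))
    print("predictable:", [s for s, p in VAULT if is_predictable(p)])
```

The predictability check is deliberately simple; length-based strength meters alone would rate Thing1&Thing2 above dgr4&J2Q, which is why the structure of the password is inspected instead.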

With the number of accounts each of us has, it can be very hard to follow the one password per service rule. 

Using a password manager makes one password per account easier than typing the same password several times a day. A password manager securely stores your passwords and can fill in your login page automatically. We like LastPass, but 1Password and KeePass are also good solutions. Contact us to learn more about password managers or help in creating strong passwords and password policies.