I got a surprise last week when a push notification and email came in regarding someone trying to use my Twitch account. The good news, for me, was that I had enabled two-factor authentication, so although they tried, they didn't get in.
This made me think about when I had last changed that password; it turns out it had been years. Having worked in IT for a number of years, I should have known better, because this isn't recommended password practice. That email and the investigation that followed started a flurry of password changes.
Investigation: I had a number of compromised passwords
It was a reminder to me that password strength isn't the only important factor; monitoring your password age is too. I'd gotten complacent about passwords, dismissing reminders from my password manager to run a security check. When I finally did, it was shocking to see how many of my passwords (mostly old ones) had been compromised in data leaks. I also quickly realised that a number of my old passwords were reused across sites, so those have been changed to unique entries as well.
The reminder was useful, and the outcomes were these: I've set a reminder to run a security check on my passwords quarterly. I've set up monitoring through LastPass to notify me if any of my email addresses show up in new leaks. I've updated a number of old passwords, changed every reused password to a unique entry, and confirmed that 2FA is enabled everywhere it is available.
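The "security check" described above does three things: it tests each stored password against known breach corpora, flags passwords reused across sites, and flags passwords older than some threshold. The breach check is normally done without sending the password (or its full hash) anywhere, using the k-anonymity scheme that Have I Been Pwned's Pwned Passwords range API uses: only the first five hex characters of the SHA-1 hash leave your machine, and the matching is done locally on the returned list of suffixes. The following is an added example of that whole audit, not code from the post or from any password manager. It is self-contained: the leak corpus, the range lookup and the vault entries are all constructed stand-ins (the real endpoint is noted in a comment), and the ages and breach counts are made up for illustration.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed stand-in for a breach corpus (assumption: counts are made up).
# In the real service the corpus is server-side and is queried via
# GET https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1},
# which returns lines of "HASH_SUFFIX:COUNT" separated by CRLF.
LEAKED_PASSWORDS = {"password123": 126927, "letmein": 101000, "Summer2016!": 3}


def _build_range_table(leaked):
    """Index the corpus by SHA-1 prefix, exactly as the range API serves it."""
    table = defaultdict(list)
    for pw, count in leaked.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        table[digest[:5]].append(f"{digest[5:]}:{count}")
    return table


RANGE_TABLE = _build_range_table(LEAKED_PASSWORDS)


def range_lookup(prefix):
    """Offline stand-in for the range endpoint: takes only a 5-char prefix."""
    if len(prefix) != 5:
        raise ValueError("only the 5-character hash prefix may be sent")
    return "\r\n".join(RANGE_TABLE.get(prefix, []))


def breach_count(password, lookup=range_lookup):
    """k-anonymity check: send the prefix, match the suffix locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def audit_vault(entries, today, max_age_days=365, lookup=range_lookup):
    """Return {site: [issues]} for compromised, reused and stale passwords."""
    # Group sites by password hash so reuse is detected without keeping
    # plaintext copies around in the comparison structure.
    sites_by_hash = defaultdict(list)
    for e in entries:
        h = hashlib.sha256(e["password"].encode("utf-8")).hexdigest()
        sites_by_hash[h].append(e["site"])

    findings = {}
    for e in entries:
        issues = []
        n = breach_count(e["password"], lookup)
        if n:
            issues.append(f"compromised ({n} breach occurrences)")
        h = hashlib.sha256(e["password"].encode("utf-8")).hexdigest()
        peers = sorted(s for s in sites_by_hash[h] if s != e["site"])
        if peers:
            issues.append(f"reused on {', '.join(peers)}")
        age = (today - e["changed"]).days
        if age > max_age_days:
            issues.append(f"stale ({age} days old)")
        findings[e["site"]] = issues
    return findings


# Constructed vault export (assumption: sites, passwords and dates are invented).
VAULT = [
    {"site": "twitch.tv", "password": "password123", "changed": date(2016, 3, 1)},
    {"site": "old-forum.example", "password": "password123", "changed": date(2014, 7, 9)},
    {"site": "bank.example", "password": "Tq7#vR2mL9pX!wz", "changed": date(2023, 11, 20)},
]

if __name__ == "__main__":
    for site, issues in audit_vault(VAULT, date(2024, 3, 1)).items():
        print(site, "->", "; ".join(issues) or "ok")
```

Two design points worth noting. First, `breach_count` never passes more than the five-character prefix to the lookup, and `range_lookup` refuses anything else, so swapping in a real HTTP call keeps the privacy property. Second, reuse is detected by comparing hashes of the vault entries rather than plaintext, which is a small thing here but matters if the audit ever logs or persists its intermediate state.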
What measures do you take to protect your password security?
I stopped using LastPass some time ago, preferring Bitwarden. I do use unique passwords and Bitwarden's password generator as much as possible.
That said, I just did a check with Bitwarden and I do have a number of weak passwords (old ones) that need updating.
Also, at work, both staff and students are forced to change their passwords every few months.
All really valid comments Andrew.
Most larger organisations force password changes around every 3 months or so, but it’s worth considering those types of setups for personal use to minimise risks.
I run the LastPass security challenge every once in a while (probably wouldn't hurt to do it more often, I guess), and then follow the recommendations. Having said that, I do have one or two accounts with MFA activated that still have very old passwords. I really should go and change those too.
Security and convenience are at opposite ends of the scale, and occasionally I plump for the latter.