Security Experts’ “Dirty Little Secret:” What They’re Not Telling You About Passwords

Security & Privacy

1.2 billion passwords reportedly stolen by Russian hackers. Time to change all your passwords yet again, say security experts. It seems every few months we’re told the same thing. But how many people are actually doing it? My guess is, not many. Going in and changing all your passwords is time consuming and cumbersome, after all.

But what these security experts aren’t telling you, is that they’re not even doing it themselves.

I’ve got this on good authority from one of our own experts, Sean Sullivan, the Security Advisor in our Labs.

“The dirty little secret of security experts is that when there’s a data breach and they recommend to ‘change all your passwords,’ even they don’t follow their own advice, because they don’t need to,” Sean tells me.

What? They don’t need to? Don’t we all need to? Not according to Sean. Not if you’re managing your accounts and passwords right to start with.

“Unless I find out about a breach with a specific account, I don’t worry about my passwords,” he says. “That’s because I use a tool to remember my passwords for me, and a few simple techniques that help to manage my accounts so as to minimize the risk.”

Sean says that changing or not changing the password isn’t the real problem anyway. The real problem is the way people’s accounts are linked together, and the way the passwords offer access to those accounts. If you get your accounts managed properly, you won’t have to worry every time you hear about a big data breach. If you know how your accounts are linked up, and you segregate your accounts, you’ll be in much better shape to protect yourself in the long run. Then next time you hear about a breach, you’ll be more in control – and you’ll only need to change those passwords you know are really affected.

So what are Sean’s techniques? Read on:

Diversify to reduce your risk. Segregate your accounts by creating separate email addresses for different functions. For example personal, professional, financial. That way if one email is broken into, it won’t compromise all your other information too. “Why not have a separate email address for your financial accounts? Then don’t give that address to anyone but those financial institutions,” Sean says. A bonus: if you get banking-related email in your personal account, you’ll know immediately that it’s not legit.

When possible, use a different username than your email. Some services let you pick a unique username other than your email. When possible, it’s good to take this option as it’s that much more info a hacker needs to know. And use two-factor authentication when available.

Use a unique password for each online account. Using the same password to access different accounts is rolling out a red carpet for hackers. If a password for your Facebook account is stolen, criminals can hop over to your email and other accounts and try the same password there. (And don’t use duh-passwords like “123456” or “password.” A bad password is no password at all.)

Don’t give online accounts any more data than is absolutely necessary. The less that is there to be compromised, the better.

If you are notified about a breach to a specific account, change that password. This goes without saying.

Changing your account password habits may take a little effort, but in the long run it’s easier and less stressful than having to change all passwords after news of every breach. And it’s worth it to keep your personal data and online identity safe. Start small, taking care of one account at a time and building up until all your passwords are handled.

But how does one remember so many unique passwords and log-ins, and manage them effectively? That’s where F-Secure’s  password manager, F-Secure KEY, comes in. KEY makes proper password management as easy and painless as possible. With KEY, there’s just one master password to remember, so it’s easy to have a unique password for each account. Need help generating strong passwords? KEY does that too. Check it out. It’s free to use on any one device.

Data breaches are the new reality, and it’s no longer a question of if it happens to you, but when. “There are two types of people in the world,” Sean says. “Those that manage their accounts well, and those who are going to be in a world of trouble. Which group do you want to be in?”


Image courtesy of Amnesty International UK,


Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

You might also like