Think of a classic item in your life. Perhaps it is a song that defines your generation. Or maybe it is a life event that holds special meaning for you. We all have them. They are part of what makes life wonderful. Why do classics matter in a security blog?

With the recent revelation that the LinkedIn breach was far worse than originally reported, we must reflect on the topic of classic passwords. The LinkedIn breach dates as far back as 2012, yet LinkedIn has requested password changes of all members who first created their accounts at any time prior to 2014 – two years after the breach occurred. Have you been using the same online passwords for more than two years? The fact that LinkedIn recognizes that many of their members have not changed their password in more than two years indicates that this is not a shocking revelation.

Why do we use the same passwords and never change them? The answer is we stick to our standard passwords because, in most instances, they are “classics.” Is your password named after your favorite sports team that “went all the way” in 2012? Or is it based on your child’s name or your favorite musical group? All of those are among the weakest password choices. However, they are so easy to remember that it is hard to resist the urge to use them, re-use them, and hold onto them forever.

Once again, it is time to seriously consider a password manager and two-step verification. Authors, such as David Bisson, have written step-by-step instructions on how to set up two-step verification (2SV) on a variety of platforms. Unfortunately, not all sites offer 2SV to users. If your online accounts do not offer this additional layer of security, your only other choice is to change your passwords with greater frequency than the championship prospects of your favorite team. I am a strong advocate of frequent password changes, though at least one highly respected security expert offers an alternate opinion on that idea.
It is generally agreed that the use of the “classics” is never a good practice. Fortunately, the use of a password manager eliminates the problems of predictable passwords. While many people will complain about how they do not want to use a password manager and trust all their passwords to a single entity, it is becoming more difficult to justify using those “classics” of which we are so fond. Password managers and two-step verification – until something better comes along, this is the best way to protect your online accounts.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.