The password audit

Over the past few years, I’ve made an audit of our passwords a part of the end-of-year check-in routine. I’ve gone through 4 stages:

1) Ensure all important accounts have strong passwords. Strong passwords = lower case letters + upper case letters + numbers + symbols. The most common passwords found in data breaches are still variants of 12345, password, qwerty, iloveyou. So, strong passwords are a good first step.

2) Set up password breach monitoring. I have set up breach monitoring across multiple services and have found Spycloud (free) to be the best so far.

3) Set up two-factor authentication across all important accounts. Two-factor authentication adds an extra layer of protection in case of breaches.

4) Stop reusing passwords across accounts. As steps 1-3 focused on key accounts, I was still stuck with nearly a hundred old internet accounts with reused passwords. Lastpass reminded me of this a few months ago and I started a weekly routine of cleaning up 10 accounts/passwords at a time.
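A small script in the spirit of steps 1 and 4, added here as an example and not part of the original post: it reads a password-manager export in the LastPass CSV layout (the sample rows are constructed, not a real vault) and reports passwords reused across accounts, passwords missing one of the four character classes, and variants of the common breached passwords listed above.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample export in the LastPass CSV layout; made-up entries, not a real vault.
SAMPLE_EXPORT = """url,username,password,name
https://mail.example,alice,Tr0ub4dor&3,Mail
https://shop.example,alice,Tr0ub4dor&3,Shop
https://forum.example,alice,iloveyou2019,Forum
https://bank.example,alice,9kL#pQ2v!xR7mZ,Bank
https://old.example,alice,Tr0ub4dor&3,Old site
"""

# Stems of the common breached passwords named in the post (a real audit would use a
# full breach-corpus list); variants like "iloveyou2019" match by case-insensitive prefix.
COMMON_STEMS = ("12345", "password", "qwerty", "iloveyou")

# The four character classes the post's strong-password rule asks for.
CHAR_CLASSES = {
    "lower": re.compile(r"[a-z]"),
    "upper": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def missing_classes(password):
    """Return the character classes the password lacks (empty list = passes the rule)."""
    return [name for name, rx in CHAR_CLASSES.items() if not rx.search(password)]

def looks_common(password):
    """True if the password is a variant of one of the top breached passwords."""
    return password.lower().startswith(COMMON_STEMS)

def audit(csv_text):
    """Find passwords reused across accounts and accounts whose password fails a check."""
    by_password = defaultdict(list)   # password -> names of accounts using it
    weak = {}                         # account name -> list of reasons
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, pw = row["name"], row["password"]
        by_password[pw].append(name)
        reasons = [f"missing {c}" for c in missing_classes(pw)]
        if looks_common(pw):
            reasons.append("variant of a common breached password")
        if reasons:
            weak[name] = reasons
    # Reuse means two or more accounts share one password (step 4 of the audit).
    reused = {pw: names for pw, names in by_password.items() if len(names) > 1}
    return {"reused": reused, "weak": weak}
```

Run `audit(open("export.csv").read())` on your own export; the `reused` map is keyed by the password, so print only the account-name lists, never the keys.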

This was an eye-opening exercise. I ended up closing ~50 defunct accounts and cursing another 15 services profusely for making it very hard to close accounts (requirements include live chatting or calling) before closing them anyway. I also cringed a few times when I saw how often I reused passwords. I’m glad to have done it and became a Lastpass “Security Dashboard” fan* as part of the process.

None of these steps ensures complete safety. But, in the event of a worst case scenario such as a breach or a scam, these are steps we can take to make sure damage is limited.

*This feature was free when I started on this journey. Mid-way through, it became a premium feature ($36/year). I wasn’t sure if this was in response to how often I was using it. If it was, hat tip to a smart paywall!

Russian hackers and online security

This blog has been the target of Russian hackers of late and they managed to take the site down today. We’ve finally gotten it back (thanks to support from my hosting provider and a close friend).

My friend had sage advice for me – if someone really wanted to hack into your website, they could. So, take steps to make it as hard as possible. I’ve already asked him for more advice on how to do that and intend to get on it tomorrow.

This experience has brought three learnings with it –
1. You are never fully secure online. That doesn’t mean you keep your doors open and allow all interested folk in. So, take measures to keep your websites safe. Start with strong passwords.
2. If you haven’t enabled two-factor authentication yet, I hope you consider it. I have this on my list for tomorrow.
3. The flip side of the situation – if Russian hackers feel you are worthy of an attack, there is a chance you are doing something right. :-) So, thank you for your support. I am very grateful.

That said, I’m off to enjoy what remains of my Saturday evening. Wishing you a great weekend!