How to protect yourself from any data breach

Privacy


Ninjas are involved in most credit card thefts. (Note: this is not a true statement)

Data breaches are becoming the norm. From Zappos to PlayStation Network to Global Payments to LinkedIn, it seems like there’s another one every day. There really is a black market for your data: the Identity Theft Assistance Center reports that 8.1 million adults in the U.S. suffered identity theft in 2011, each of whom lost an average of $4,607.

That’s why you need to start protecting yourself now from the next big data breach.

Whenever there’s a breach, your risk is significantly higher if you’ve reused your username and password combination on other accounts and sites. Here are 4 tips to help protect your accounts from being compromised.

1. CHANGE YOUR INFORMATION ON THE BREACHED ACCOUNT

It seems obvious, but if you only do one thing, this should be it. Was your password compromised? Make a new one. Was your credit card stolen? Cancel it.

2. MAKE YOUR NEW PASSWORD STRONG

Password strength is a combination of length, content, and change frequency. In general, longer passwords with a wider variety of capitalization, letters, numbers, and symbols are the most secure, and the more often you change them, the better. The harder it is for others to guess, the safer it is. A few examples of notoriously common (and therefore bad) passwords:

  • “password”
  • your first or last name
  • “123456”
  • “qwerty”
  • “letmein”
  • “master”
  • “abc123”
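To make the "length plus variety" advice concrete, here is an added checker (example code, not part of Abine's post) that scores a candidate password against the common-password list above, the user's own name, and a brute-force entropy bound. The 12-character and three-class thresholds, the blocklist contents and the name "Jane" are assumptions for the demonstration; a real checker would use a large breached-password corpus rather than six words.

```python
import math
import string

# Constructed blocklist: the notoriously common passwords the article lists.
# A real deployment would check against a large breached-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "master", "abc123"}

MIN_LENGTH = 12    # assumed policy thresholds, not from the article
MIN_CLASSES = 3


def character_classes(pw: str) -> dict:
    """Which character classes the password draws on, with each pool's size."""
    return {
        "lower": (26, any(c.islower() for c in pw)),
        "upper": (26, any(c.isupper() for c in pw)),
        "digit": (10, any(c.isdigit() for c in pw)),
        "symbol": (len(string.punctuation), any(c in string.punctuation for c in pw)),
    }


def entropy_bits(pw: str) -> float:
    """Brute-force search space in bits, log2(pool_size ** length), assuming the
    password is uniformly random over the classes it uses. This is an upper
    bound: dictionary words and keyboard patterns make real guessing far cheaper."""
    pool = sum(size for size, used in character_classes(pw).values() if used)
    return len(pw) * math.log2(pool) if pool else 0.0


def assess(pw: str, personal_names=()) -> dict:
    """Return the problems found with a candidate password plus its entropy bound."""
    problems = []
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    for name in personal_names:
        if name and name.lower() in lowered:
            problems.append(f"contains personal name {name!r}")
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for _, used in character_classes(pw).values() if used)
    if classes < MIN_CLASSES:
        problems.append(f"uses only {classes} character class(es)")
    return {
        "bits": round(entropy_bits(pw), 1),
        "problems": problems,
        "acceptable": not problems,
    }


if __name__ == "__main__":
    # Constructed sample inputs; "Jane" stands in for the user's own first name.
    for candidate in ["password", "abc123", "Jane2011", "AbinePrivacyRocks!@#!"]:
        print(candidate, assess(candidate, personal_names=["Jane"]))
```

Note that the entropy figure only measures how large the search space would be if the password were random; "abc123" scores around 31 bits by that measure but is cracked instantly because it sits at the top of every guessing list, which is why the blocklist check comes first.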

3. USE THIS SIMPLE TIP TO CREATE STRONG, UNIQUE PASSWORDS YOU CAN ALWAYS REMEMBER

Here’s a pro-tip for remembering all your login information. You’ll create a strong base password that you know you’ll remember, then apply a rule to it that will make slight variations of that password for each site where you register. The result: a unique password for all your accounts. Here’s how it works:

Let’s say your base password is AbinePrivacyRocks!@#! You’ll then make a rule that you’ll apply consistently whenever you make a password. One example of a rule: you’ll take the first letter of the site name and add it to the end of your base password. If you’re signing up for Facebook, for example, you’d add the “F” from Facebook and end up with AbinePrivacyRocks!@#!F.

As long as you remember your base password and the fact that you add the new letter at the end, you’ll be able to remember all your passwords on every site you use. Just be sure to never tell anyone either your base password or your rule.

4. IF YOU’VE REUSED YOUR COMPROMISED LOGIN INFO ON OTHER SITES, CHANGE THEM

A 2003 survey found that 65% of us use the same password for different applications or services. We’re only human; we can’t keep hundreds of different username and password combinations in our heads at all times. But in our effort to try to keep things simple, we expose ourselves to a great deal of risk. Think about it: a spammer who discovers your password on, say, Facebook, can then access all the other sites where you use it: PayPal, your online banking site, your phone service, your email, and everywhere else.

We recommend using your password creation rule, described above, to make new passwords on all your accounts. Start with the most important ones (like email, online banking, shopping, and social networks), and move on from there.
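The rule in tip 3 and the reuse problem in tip 4 can both be shown in a few lines of code. The example below is added here and is not Abine's code: it implements the article's first-letter rule as written, and next to it a hypothetical keyed-hash variant (HMAC-SHA256 of the site name keyed by the base password, with a counter so one site's password can be rotated on its own) that does not expose the base password when a single site is breached. The site names, the "hunter2" vault entries and the 20-character output length are constructed for the demonstration.

```python
import base64
import hashlib
import hmac

BASE = "AbinePrivacyRocks!@#!"   # the article's example base password


def first_letter_rule(base: str, site: str) -> str:
    """The article's rule: append the first letter of the site name."""
    return base + site[0].upper()


def keyed_rule(base: str, site: str, counter: int = 1, length: int = 20) -> str:
    """Hypothetical alternative, not from the article: derive the site password as
    HMAC-SHA256 keyed with the base password over "site:counter", base64-encoded.
    A leaked derived password reveals neither the base nor any sibling password,
    and bumping the counter gives one site a fresh password after a breach."""
    msg = f"{site.lower()}:{counter}".encode()
    digest = hmac.new(base.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def shared_prefix(a: str, b: str) -> int:
    """Length of the common prefix of two strings (how much one leak tells
    an attacker about the other)."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def find_reuse(credentials: dict, base: str) -> list:
    """Tip 4 check over a site->password map: flag passwords identical to another
    site's, or that contain the base verbatim so one leak unlocks the rest."""
    findings = []
    items = list(credentials.items())
    for i, (site_a, pw_a) in enumerate(items):
        if base in pw_a:
            findings.append((site_a, "contains base password"))
        for site_b, pw_b in items[i + 1:]:
            if pw_a == pw_b:
                findings.append((site_a, f"identical to {site_b}"))
    return findings


if __name__ == "__main__":
    for site in ["Facebook", "PayPal"]:
        print(site, first_letter_rule(BASE, site), keyed_rule(BASE, site))
    vault = {  # constructed sample vault
        "Facebook": first_letter_rule(BASE, "Facebook"),
        "PayPal": first_letter_rule(BASE, "PayPal"),
        "Email": "hunter2",
        "Bank": "hunter2",
    }
    print(find_reuse(vault, BASE))
```

Running it shows the trade-off the article's rule makes: the two first-letter passwords share their first 21 characters, so anyone who sees one has the base and the rule, while the two keyed passwords share essentially nothing. The keyed variant still depends on the base staying secret and on you remembering which counter each site is on, and some sites reject the "+" and "/" that base64 can produce, so its output may need a site-specific tweak.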


We hope you found these tips helpful.  Good luck, and stay private!

17 Replies to “How to protect yourself from any data breach”

  1. Oscar says:

    Thanks so very much.

  2. Dan says:

    I like your suggestion. In my case, I needed another method because I have passwords on over 200 sites. In Windows Secrets, I learned about the free LastPass tool and have been using it without a hitch for 2-3 years. It stores my passwords encrypted in a vault on my machine. It is also on their server, encrypted. This lets me access the passwords from any computer. It also has autofill and auto-logon options. Oh, yeah – it lets you pick the characteristics when asked to generate a new password; any length, user-specified number of digits, and option to include special characters. When I set up an account on a new site which asks for a password, LastPass recognizes the password field and brings up a box where I tell it to generate a password to my specs. If I accept the generated password, it automatically fills in the password field and saves the URL of the site so it is recognized the next time I visit.
    Whew – didn’t mean to get so carried away. I really do like the tool…

  3. h says:

    HI THERE I WANT TO SAY THANKS FOR YOUR SERVICE. I AM DISABLED AND LIVE ON A FIXED INCOME AND YOU ARE TRULY A BLESSING AGAIN THANKS BUNCHES & BUNCHES!!!

    • Sarah Downey says:

      Thank you so much! We’re glad to help, and it means a lot to us to hear positive comments like yours.

  4. Sara says:

    I was going to ask Abine about rec’s for password storage tools/sites. Thanks, Dan, for info re LastPass.
    My latest concern is the malware “event” coming up on Monday July 9. Pardon my ignorance, but if using “the cloud” as a means of confusing potential attackers, does it affect the ability of the DNS tool provided by the FBI and others to be sure your DNS is safe and clean?

  5. Allah Ackbarf says:

    One could use a passphrase and some random characters. The random characters and longer length can help make brute force attacks and most dictionary attacks harder while still being memorable enough. It’s not perfect but it just has to be good enough for now.

    As they say, “Don’t be the low hanging fruit.”

  6. Allah Ackbarf says:

    The password AbinePrivacyRocks!@#! actually is basically a passphrase so this is already covered. Just thought I might point that out in case it is useful.

    Each word beginning with a capital and even random characters as a separator as well as the characters at the end might increase the difficulty for an attacker.

    Every little bit helps. The little things that make passwords just a bit harder to attack and yet still memorable are a good place to start.

  7. john doe says:

    The problem with your “forget-proof password wizard” is:

    1. If someone learns one of your passwords, they can deduce them all.
    2. You cannot, under any circumstances, reveal one of your passwords without revealing them all. I can think of numerous times when I’ve had to give my spouse or family member one of my passwords.

    • Sarah Downey says:

      Yep, it’s not foolproof, and this is one of its weaknesses. The same thing that makes it easy for you to remember also adds some vulnerability to it.

  8. forget it says:

    To add to John Doe, another problem with the “forget-proof password wizard” is changing a password. If you need to change the password to a site where you had previously used this rule, then what would you use for the new password? You have to then make an exception to the rule so you again have to remember passwords.

    One way around this is to have a list of variations of the rule and every time you change the password you use a different variation; you still have to remember the variation used for the website, but that’s easier to remember.

    Also, if you use a clever rule, it might be difficult to guess your rule, even if someone has access to a single password. Though, I have always worried that someone would create a string of websites so that they can compare how the password changes for a single user between sites so they can learn the rule. It’s a bit far fetched, but it is something to worry about if a group of websites you use gets compromised.

    • Sarah Downey says:

      Interesting. Can you provide an example of what you mean about the variation?

      • forget it says:

        My variations are not very complicated. My pass phrase, or base password, is made of multiple words, so I vary which of the words are capitalized in any instance. Also, you can vary where you put the rule relative to the base password. Do you put it at the start, middle, end, etc.?

        I’m imagining that one can also change the base password around, even if only a single word in it.

        Finally, another trick that I do for the rule is that I know some obscure language which is not well known, so I use that language as a hash. Since my rule is based on some text which is different for each website, I take the ABC of the text and convert it to the ABC of the other language. Then the converted ABCs in the second language get mapped to a number based on the rules of that language.

        This ensures that even if you have access to a few instances of my password, you probably won’t be able to work out the hash part. You can accomplish the same by having a hash between the ABCs and numbers, e.g. A=1, B=2, C=3…

        If you’re willing to put in the effort you can come up with many such hashes that you can use in different situations. E.g. the first letter for the exclamation symbol maps to an e and so on.

  9. Erica says:

    I use encryption when it comes to passwords. For example: Let’s say the password is apple. You could switch the adjacent letters: palpe. You could add a random letter or number in between each letter of your password: aspspslses or a1p1p1l1e1. My work password is changed every 30 days, and sometimes it is hard to come up with something new so I will double up on letters: original password is apple, after 30 days I will use aapple, then aappple then apppple, apppplle, and aappppllee. So far it has worked for me.

  10. Sydney says:

    In all instances, the various techniques used to create unbreakable coding, can be discovered. Not by the average person, or even by the above-average users out there that gave “hackers” and “hacking” a black eye (i.e., most hackers are honest hobbyists {even professional programmers} merely looking for new things to try to break up the monotony of a day). But governmental encrypting is nothing close to what is being used today on the Internet!

    One word, ENIGMA. Now that was an encryption tool that provided truly undecipherable messages, no matter the length. The ONLY way the allies, during WWII, were able to break the code (and it was crucial to the war’s outcome) was that they managed to actually get their hands on an actual Enigma machine. Prior to that, there was NOBODY that was able to, nor likely ever going to, decipher the machines’ codes! The outcome of the war would very likely have been a bit different, but the allies were already close to victory; had the Enigma been designed/available from the beginning of Hitler’s European domination, the outcome may have had a totally different ending (of course, Hitler slowly going nuts didn’t help any – wasn’t syphilis that led to his mind becoming Swiss cheese?). 🙂

    Anyhow, a shorter 8-10 character cypher can be about as hard to crack as one of 100 characters. The odds of being truly secure go down drastically on sites that ONLY accept alpha-numeric characters (or even those that add but a few of your standard keyboard symbols). You’ll get a strong password by merely adding a single repeated character to a 4-8 character password (i.e., Ab@@hdp9 is 8 characters, but to make its strength 100 times stronger, simply add a repetition of, say, a period, e.g., Ab@@hdp9 to Ab@@hdp9…..); this thirteen character password would then keep a deciphering routine working for far more time, as each character iteration would require a lengthier period of time, even though the last 5 chars (in this case) are simply repetitive periods.

    Thanks for the fine programming with the MaskMe tools!
