Brian Russell / Innovation / March 2nd, 2013

Personal password hack brings to light better practices

Why would anyone spend an hour of a perfectly good, sunny Saturday morning resetting passwords across just over a dozen websites?
I wasn’t sure why I was doing it either. I just knew that I had received an email from Pinterest asking if I had just logged into my account with them while in Poland.
I hadn’t logged into Pinterest, and I wasn’t in Poland. I had been hacked.
Around 12:30 p.m., I saw that Evernote had been hacked and that usernames and passwords had been compromised. I used the same password there as I did at Pinterest, and I had also used it at more than a dozen other sites. That may be how I got hacked, or it could have been something else. It’s hard to know for sure. Only the person in Poland may know for sure.
Up until about 18 months ago, I had a handful of passwords I would use. They were each more than a dozen characters, upper- and lower-case, numbers and even special characters when allowed. (Can you believe some financial institutions won’t allow special characters?) I thought I was near bulletproof.
Over the past couple of years, though, I’ve given each new site or tool a unique password and used a password management tool. But I didn’t go back and fix the older accounts until this morning’s email forced me to.
Having gone through all of these sites to now change passwords, here’s what I can share:
- I wish all sites had two-factor authentication.
- Macs have a nice tool in Keychain, the password generator, to help with secure password creation. So, too, do most password manager applications.
- On the account page of sites, they should have a prominent “change password” option to click.
- That area should say “Change Password.” This is not the time to get clever with phrasing.
- All sites should send an email or text message to alert that the password has changed.
- I’m eager for someone to come up with something for security that’s better than passwords.
- If you’re a business asking users to create accounts, you’d better be encrypting the stored data. Evernote said they had. It doesn’t stop the bad guys, but it makes it at least slightly more difficult for them.
- If you’re a business, you need the systems in place to monitor for intrusion. Plus people responsible.
- When you notice something odd going on, let the user know, like Pinterest did for me. I’m still waiting on notification from Evernote.
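Two of the business-side items above, protecting stored credentials and telling the user when something odd happens, are concrete enough to show in code. The example below is added here and is not code from the original post or from any of the services it mentions. For stored passwords, “encrypting” in practice means a per-user random salt plus a deliberately slow one-way hash (PBKDF2-HMAC-SHA256 from Python’s standard library here), so a stolen table cannot cheaply be turned back into passwords and a reused password does not fall with one site. The login check flags a sign-in from a country an account has never used, the kind of event behind the “were you just in Poland?” email. All user names, countries and events in it are constructed.

```python
"""Added example (not from the original post): salted, slow password hashing
and a "new country" login alert, as two small runnable functions."""
import hashlib
import hmac
import os
from collections import defaultdict

ITERATIONS = 200_000   # PBKDF2 cost factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, unique per stored password


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh random salt is drawn unless one is supplied (the parameter exists
    only so tests can be deterministic)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the hash with the stored salt and iteration count and
    compare in constant time; any malformed record verifies as False."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


class LoginMonitor:
    """Track which countries each account has logged in from and report a
    login from an unseen country as something the user should be told about."""

    def __init__(self):
        self._known = defaultdict(set)   # user -> set of confirmed countries

    def record_login(self, user, country):
        """Return True when this login should trigger a 'was this you?' message.

        The very first login seeds the baseline and never alerts. A country
        stays unknown (and keeps alerting) until confirm_login() is called,
        e.g. after the user answers the notification."""
        known = self._known[user]
        if not known:
            known.add(country)
            return False
        return country not in known

    def confirm_login(self, user, country):
        """The user confirmed the login was theirs; trust that country from now on."""
        self._known[user].add(country)


if __name__ == "__main__":
    # Constructed walk-through of the two checks above.
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("right password verifies:", verify_password("correct horse battery staple", record))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", record))

    monitor = LoginMonitor()
    for country in ("US", "US", "PL"):
        alert = monitor.record_login("example-user", country)
        print("login from {}: notify user = {}".format(country, alert))
```

Two design points worth noting: `verify_password` reads the iteration count out of the stored record, so the cost can be raised for new passwords without invalidating old ones, and `LoginMonitor` does not mark a new country as trusted until the user confirms it, so a second login by the same intruder is still reported rather than silently accepted.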
Have anything to add? Put it in the comments, or tweet it to @GainesvillePR.

Photo Credit: akeg via Compfight cc