If you haven't heard, I'll go with the headline, "Hackers expose 773 million email addresses, 21 million passwords!"
As the computer guy, I was asked by a few people about this, more-or-less in the form of, "What am I supposed to do?" I read the news article and I'm actually impressed by Mr. Brnovich's comments, because they're sensible and are what you're supposed to do. I'm going to add a little extra in brackets [like this]. However, before I get to Mr. B's quote, I'll mention that if you haven't already, go to haveibeenpwned.com, enter all your e-mail addresses and check to see if any are pwned. If they are, first register your e-mail accounts at haveibeenpwned.com and sign up for alerts on the e-mail address(es). So, on to the comments!
• Be cautious when storing passwords. Don’t keep written passwords in plain sight. Consider using a password manager to store a long list. [haveibeenpwned.com recommends 1password.com. I have no experience using 1password's software. If you want totally free for personal use, you'll want LastPass. It's got some problems, but free is good.]
• Create strong passwords, update them often, and create unique and different passwords for each account [and each website. If you use a stand-alone password management program, this is extremely easy to do.]
• Immediately change passwords that have been exposed and consider changing other passwords, too. [Also, if the account is for something that you no longer use, change your password, then close out your account. Preferably, you want your password to be 16 or more characters long, containing at least three capital letters, at least three lowercase letters, three numbers, and three symbols, like #$%. Avoid words from dictionaries.]
• Enable two-factor authentication. Many websites now offer more than just a password (a single factor) to verify a user’s identity. Enabling these additional features or factors provides additional security for your online accounts. [This is also called "multi-factor authentication." Generally, this means that you have to type in your password then a number from a program on your phone, from a card specifically made for that purpose, via e-mail, via a voice call, via Carrier Pigeon, etc.]
• Monitor credit card and debit card activity closely. Immediately report any suspicious activity to the bank or card company.
• Limit the amount of personal or sensitive information posted on social media. This information, such as birthdays, can be used to authenticate an account.
• Remain vigilant and take proactive steps to ensure your online safety. [Note that you might be able to get free credit monitoring. If you've been pwned, you should read up on the breach.]
I should comment on writing down passwords. 1) Don't. 2) Taping them to the bottom of your keyboard isn't sneaky. It's the first place I'll look. 3) Don't create a file on your desktop called, "These are my passwords." Any person on your network that has administrative rights can see these.
I should also mention that if you don't use a password manager -- even the under-powered one built into your browser -- using a passphrase is the best thing you can do. Say, "It was a dark and stormy night. It was the first time I saw the fnords. abcABC123!@#. This password is for woodwindforum.com."
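A checker and generator for the composition rule given above (16 or more characters, at least three each of capitals, lowercase letters, numbers and symbols), as an added example that is not part of the original post. The symbol set and the 20-character default are assumptions, and the "avoid dictionary words" advice is not checked.

```python
import secrets
import string

# Character classes named in the post. The symbol set is an assumption:
# the post only gives "#$%" as examples.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+",
}
MIN_LENGTH = 16      # "16 or more characters long"
MIN_PER_CLASS = 3    # "at least three" of each class


def policy_failures(password):
    """Return the names of the composition rules that `password` fails."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    for name, alphabet in CLASSES.items():
        if sum(ch in alphabet for ch in password) < MIN_PER_CLASS:
            failures.append(name)
    return failures


def generate_password(length=20):
    """Generate a random password that satisfies the policy.

    Draws from the OS CSPRNG via `secrets`. The per-class minimums are drawn
    first, the remainder comes from the combined alphabet, and the result is
    shuffled so the required characters do not sit in predictable positions.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [secrets.choice(alphabet)
             for alphabet in CLASSES.values()
             for _ in range(MIN_PER_CLASS)]
    everything = "".join(CLASSES.values())
    chars += [secrets.choice(everything) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    print(generate_password())
```
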