What If Your Password Is Compromised?

Co-Authored by NCI Fellows James Antonakos and Scott Gilreath

hacker at workWe’ve been hearing a lot lately about passwords being compromised and stolen by hacker. But what happens if your password is stolen? Sometimes nothing happens. The hacker just wanted the challenge of breaking it. Other times the situation and the consequences are worse. Your password might be sold to the highest bidder. The hacker may logon to one of your accounts and do things to damage your reputation or affect your finances. Having your password allows the hacker to pretend to be you, to assume your online identity, and to do things you may never do, such as sending threatening email or uploading malware to a website.

In light of this, what should you be doing to protect yourself?

First and foremost, don’t panic. There are reasonable steps to take that don’t necessarily mean changing our online habits and re-evaluating our 21st century way of conducting social, personal, and financial business. While tools and methods have, the basics of security common sense have not fundamentally changed, and the below are tried and true methods:

  • Above all, practice the separation of passwords. This means the password(s) you use should be different for each type of account you use, such as social media, personal email, personal computer, online bank accounts, etc. If one account is compromised, the others are still intact when you use different passwords for each.
  • While we know that the longer and more complex a password is, the less the likelihood of it being compromised, it also increases the difficulty to remember that password. Instead, consider the approach to reserve your painfully long passwords for work and accounts that access your critical information (think online bank accounts, medical access, etc.) and use “good enough to easily remember” passwords for sites that if compromised, would not cause much harm. Complex passwords are always better, but passwords are only as good as your ability to safeguard them without writing them down. Remember, complex passwords contain the following characteristics:
    • At least 8 characters or symbols in length
    • Not a dictionary word (for example ApplePie, Wednesday, Purple)
    • A combination of uppercase and lowercase letters, numbers, and special characters (for example, Gla$$7!boXX )
  • Never share passwords or write them down where anyone can see them.
  • Do not store your passwords on your computer unless they are encrypted.
  • Change your passwords on a regular basis, such as every 60 days.

The old adage that you don’t have to outrun the bear that is coming at you, just the person with you, holds true to some extent in security. Changing any of your security habits for the better make you a more difficult target than someone who does not.

Contributed by James Antonakos  [all posts]

James L. Antonakos is a SUNY Distinguished Teaching Professor of Computer Science at Broome Community College, in Binghamton, NY, where he has taught since 1984. [read more]