Why sites are bugging you to reset your password
Some large security breaches that happened years ago are the gifts that keep on giving -- at least for hackers.
GitHub, a code repository, warned on Thursday that hackers were trying to access "a large number of GitHub.com accounts" by using email addresses and passwords that the fraudsters had acquired from earlier security breaches. It's just the latest scam where hackers have sought to tap into previously released caches of data by hoping they hit upon some people who rely on the same password again and again.
People who reuse their passwords are at higher risk of getting hacked because it can lead to a domino effect of infiltrated accounts. Even if you reuse passwords at sites that seem less sensitive than banking or financial services, that's still risky, given that hackers are often looking for personal information that can help them pull off other scams, such as taking out credit cards in your name.
"People need to realize it's time to stop trying to memorize your password," said Mark Kraynak, senior vice president at security firm Imperva. "I can only say this anecdotally, but I would say 100 percent of people reuse at least one password."
One of them is Facebook (FB) CEO Mark Zuckerberg, who was hacked because his password for LinkedIn (LNKD) -- which was breached four years ago, leading to the sale of data for 117 million users -- was the same for multiple other sites.
Consumers are also likely to use variants on a favorite password, which can make it easier for hackers to figure out how to get into the accounts, he said.
The issue is related to how some people rely on simple and common passwords for their accounts, or what SplashData calls the "worst passwords list." These are no-brainers for hackers because they're usually shockingly unoriginal passwords like "123456" or "password."
But consumers are also at risk if they create a more sophisticated password, yet reuse it at multiple sites. The issue is coming to the forefront now because of large breaches at companies including LinkedIn, MySpace and Tumblr, which, despite happening many years ago, are now resurfacing after emails and passwords were posted online.
That's why you may have received emails from companies like Netflix (NFLX), which search through data leaks to find which of their customers are at risk. Some Netflix customers have recently received emails alerting them that their credentials may have been compromised from one of those older breaches, according to security site KrebsonSecurity.
LinkedIn warned its customers in May that data stolen in 2012 was now available online, and it invalidated the passwords of accounts it believes were at risk.
"We recommend that you regularly change your LinkedIn password and if you use the same or similar passwords on other online services, we recommend you set new passwords on those accounts as well," it said in the email.
Rather than trying to create unique, hard-to-guess passwords -- which are never as random as consumers believe -- it's a better bet to use a password manager, which can automatically generate new, secure passwords and store your list of passwords. Examples include KeePass and and 1Password.
On top of that, you should use two-factor authentication, which is offered by many email and social media companies. The site will ask for your mobile phone number, so that if you login from another device or want to reset your account, it'll send your phone a code that you'll need to enter to gain access to the account.
Kraynak's advice? "Be realistic," he said. "People probably have 100 passwords they need to remember. The reason they reuse them is no one can remember them. That's why I recommend a password manager."
