
Your passwords are probably a lot worse than you think

Password breaches have become commonplace. Here's how to check the status of your passwords and, more important, keep your identity safe.

As if the recent ransomware scares weren't enough to keep you up at night, password breaches continue to make news. 

Back in May, for example, security research center MacKeeper reported that a massive database of stolen passwords had surfaced online. And while it was composed largely of passwords from a variety of sources, many of them years old, its newfound accessibility -- and conglomeration into a single collection -- is cause for concern.

It's also cause for action. Although "online safety" feels increasingly like an oxymoron these days, there are still steps you can take to protect yourself when breaches like this occur. It all starts with getting rid of those overly used, poorly designed passwords you know are terrible but you use anyway. 

Improve your passwords

The most secure password in the world is useless if a hacker steals it, but it becomes much less useful if it's not the same password you use for every single log-in.

In other words, it's essential that you employ a different password everywhere you conduct online affairs. And the only effective way to do that is with a password manager, which can generate and manage unique, robust passwords for all your sites and services.


Dashlane can automatically change your passwords, a huge time-saver and a great way to get ahead of security breaches.

Screenshot by Rick Broida/CNET

Of course, even password managers aren't infallible, as LastPass users discovered recently. That's why you should change passwords regularly -- a potentially daunting task unless your password manager can perform it automatically. Dashlane and LastPass are among the handful that offer this handy feature.

Find out if you're compromised

The aforementioned database contains some 560 million passwords. Want to know if yours are in there somewhere? Head to Have I Been Pwned, which checks to see if your email address appears in any database that's been compromised.


The aptly named "Have I Been Pwned?" lets you know if your email address appears in a compromised database.

Screenshot by Rick Broida/CNET

If it does, don't panic: Remember that many of the sources in that database are years old. For example, one of my email addresses was indeed "pwned," but it was in the Dropbox breach of 2012 -- and I've long since changed my password there.

Of course, it certainly wouldn't hurt to change the password on any site(s) detected here. (Pro tip: Click Notify me when I get pwned so you can be informed if and when your email appears in the next breach.)

This site recently added another tool to help keep you safe: a search engine based on a database of over 300 million compromised passwords. So, rather than searching for your email address or username, you can search for a password. Security expert Troy Hunt, who operates the Pwned site, advises against using his tool (or any other) to check passwords you're actively using. Rather, this is a way to vet any new password you might want to employ, since you can see whether it has already been compromised.
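To show why a compromised-password lookup need not reveal the password being checked, here is an added example (not code from the article or from Have I Been Pwned) of the hash-prefix "range" lookup the Pwned Passwords search uses: only the first five hex characters of the password's SHA-1 are sent, the service returns every suffix it knows for that prefix, and the match is made locally. The range response and the fetch function below are constructed stand-ins so the script runs offline; the real service answers at https://api.pwnedpasswords.com/range/<prefix>.

```python
import hashlib

# Constructed stand-in for the text a Pwned Passwords range query returns for
# the prefix "5BAA6": one "<35-hex-char SHA-1 suffix>:<count>" per line. The
# count for "password" is made up; the other two suffixes are invented filler.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E2C6D2A28A5C6B04FAB2D13A6E4A96BAFE:1
"""


def split_sha1(password):
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; skips malformed lines."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        if len(suffix) != 35 or not count.strip().isdigit():
            continue
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password, fetch_range):
    """Times `password` appears in the corpus (0 = not found).

    fetch_range(prefix) must return the range text for that 5-char prefix.
    Only the prefix leaves this function; the password and full hash stay local.
    """
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix):
    """Offline stand-in for the HTTP call, serving only the constructed sample."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, offline_fetch))
```

Swapping `offline_fetch` for a real HTTP GET of the range URL turns this into a working vetting tool for candidate passwords, with the same privacy property.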

Enable two-step verification

Short of a fingerprint reader, two-step verification (aka two-step authorization) may be the single best way to protect online accounts. Most commonly, the second of the two steps (the first being entering your password) involves entering a code delivered on-demand to your phone. Even if a hacker has your password, he doesn't have your phone, and therefore shouldn't be able to bypass that second step.

Of course, this requires you to have your phone close at hand and able to receive text messages (or, if you use an authorization app instead, data connectivity). It's also an extra hassle.

Want to learn more? Read Matt Elliott's Two-factor authentication: How and why to use it. Then move on to Matt's more recent update, in which he advises against using SMS for this. (A much safer bet: "An authentication app such as Google Authenticator, Microsoft Authenticator or Authy.")

Delete old accounts

Remember AOL? Perhaps you had an account at one time, but haven't touched it in months or even years. If it's still active, and a hacker manages to break in, that still puts you at considerable risk. You might have all kinds of personal information stored there, to say nothing of photos and other media that should be kept private.

Thus, take some time to delete old, unused accounts. This is another way a password manager comes in handy: When it first imports all your passwords, you can see a full list of every account you have. Then it's a matter of working your way through them and determining which ones you want to deactivate.

Alas, you'll have to manually visit each site in turn and figure out how to actually delete your account. For help, turn to JustDelete.me, which provides direct links to the cancellation pages of hundreds of services.

Editors' note: This article was originally published on May 16, 2017, following the public release of the aforementioned password database. It has since been updated with additional tips on finding compromised passwords.