Password Breaches: Don’t Panic, Be Prepared

Hey, look, there’s been another password breach! Is it time to panic? I decided not to. In fact, I decided to pretty much ignore the whole story. As a result of this breach, I only rotated one password, and frankly, it wasn’t because I was worried that this password had been compromised.

Wait, shouldn’t you panic? Based on a lot of the news stories I’ve read, that’s a popular option. However, there’s no need to freak out if you are doing things right to begin with, and that’s where you really should start.

As I’ve said before, I use a password manager. None of my passwords are duplicates, so you can’t get into my bank account with my Reddit password. That reduces the risk considerably from a breach like this. If you don’t share passwords among sites, then the breach of one will have limited effect.

Keeping that in mind, I took a look at this breach with a critical eye. First is the extent: the number of passwords for most of those sites was relatively low considering the userbase. Second is the attack method: the belief is that a keylogger was used to harvest these passwords. Given these facts, my assumption is that this was a relatively limited attack that only involved hosts infected with malware. I keep my anti-malware up to date, I keep my software up to date, I don’t browse using an account with Administrator privileges, and I don’t use Adobe Reader. I feel that I’m probably not in this group of exploited users. Finally, it’s come out that at least some of the affected sites have notified users, and I haven’t received any sad emails.

Plus, nothing has happened to make me think that any of these passwords has been compromised. My Twitter account, for example, would have almost certainly been filled with spam tweets by now had it been compromised. Ditto for Gmail (although I use two-factor authentication on my Gmail account, so I was not worried at all about a compromise). I’ve been on the receiving end of enough compromised email and Twitter accounts to know that attackers are not usually subtle.

One exception to the obvious-effect rule is Facebook, and that is the one password I changed. Not because of this breach, but because I hadn’t changed it in about a year, and criminals do squat on Facebook accounts, harvesting personal data that can be leveraged in other attacks. It’s a good idea to rotate passwords on these kinds of accounts regularly, because there’s always a chance somebody is hanging out in there. I used to be very strict about rotating commerce and banking accounts as well, but I realized that if somebody had my banking password, they would use it ASAP and get away with as much money as possible, so there’s little reason to rotate passwords for these accounts preventatively.

Even if I did feel the need to rotate all of these passwords, though, the fact that I use a password manager would make it quite easy. Just as it has been easy when I’ve had to rotate my Adobe, LinkedIn, and Zappos passwords before.

We’ll always have password breaches, and there’s nothing you can do to prevent that. What you can control, however, is how likely you are to be affected by malware, and how much damage a particular breach can cause. If you make sure you don’t reuse passwords, you make it easy to rotate passwords when you need to, and you secure your computing environment, you don’t need to panic when the next breach comes along.
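As an added example (not the author’s code), here is a small Python audit over a constructed password-manager export that checks the two things this post relies on: whether any password is reused across sites, and therefore what a breach of one site actually exposes, and which squat-prone accounts are past a rotation age. The CSV layout, site names, usernames, passwords and dates are all hypothetical.

```python
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed sample export in the CSV shape many password managers produce.
# Sites, usernames, passwords and dates are all hypothetical.
VAULT_CSV = """site,username,password,last_changed
bank.example,alice,Tr0ub4dor&3,2013-11-02
reddit.example,alice,correct horse battery staple,2013-06-15
twitter.example,alice,correct horse battery staple,2012-01-20
facebook.example,alice,xk9!Qm2#Lp,2012-11-05
gmail.example,alice,Zv7$wR3@hN1,2013-09-30
"""
AS_OF = date(2013, 11, 6)  # constructed "today" for the sample data
SQUAT_PRONE = {"facebook.example", "twitter.example", "gmail.example"}

def load_vault(text):
    """Parse a vault export into a list of dicts, one per saved login."""
    return list(csv.DictReader(io.StringIO(text)))

def find_reuse(entries):
    """Return {password: [sites]} for every password saved on more than one site."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def blast_radius(entries, breached_site):
    """Other sites reachable with the password stored for breached_site.
    An empty list means a breach of that site is contained to that site."""
    leaked = {e["password"] for e in entries if e["site"] == breached_site}
    return [e["site"] for e in entries
            if e["password"] in leaked and e["site"] != breached_site]

def rotation_due(entries, today, sites, max_age_days=365):
    """Accounts in `sites` whose password is older than max_age_days."""
    due = []
    for e in entries:
        if e["site"] not in sites:
            continue
        age = (today - date.fromisoformat(e["last_changed"])).days
        if age > max_age_days:
            due.append(e["site"])
    return due

if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    print("reused:", find_reuse(vault))
    print("exposed by a reddit breach:", blast_radius(vault, "reddit.example"))
    print("rotation due:", rotation_due(vault, AS_OF, SQUAT_PRONE))
```

In the sample, the Reddit and Twitter logins share a password, so a Reddit breach also exposes Twitter, while the bank login is isolated; only the social accounts are checked for age, matching the post’s reasoning about where preventive rotation pays off.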