Can a website tell you when it’s time to change your password?5
This week has seen yet another study highlighting the inherent dangers of securing your personal information with just a password. According to research from Experian, the average internet user in the UK has just five different passwords, despite having 26 different online accounts. Indeed, a quarter use just one password for most of their logins.
This follows on from last week’s Yahoo! breach, meaning passwords (or, more correctly, our use of them) have come in for some pretty bad press recently. Now that we are keeping more and more of our sensitive data online, I hope that it’s only a matter of time before static passwords are discarded altogether in favor of stronger forms of authentication.
Until then, however, we have to keep looking for new ways of ensuring that we keep our passwords as safe as possible. A site I came across this week, shouldichangemypassword.com, could prove to be a valuable tool in doing this. The site invites visitors to input their email address and then tells them if their account is at risk of being compromised, encouraging them to change their password if so.
It claims that it has so far uncovered almost 12 million compromised addresses – a number which has risen by over 200,000 in recent days. This could mean one of two things: either the site is experiencing a huge surge in popularity, or the number of accounts at risk is rapidly increasing. In reality, both of these are likely to be true. The site gathers its information from breaches where email addresses have been published by hacktivist groups like Anonymous or the now disbanded LulzSec and keeps them in a database for users to check their address.
While I wouldn’t recommend anyone solely relying on services like this to tell them whether their accounts are safe or not, any tool which can help to keep internet users informed of the risks they face is welcome. And until static passwords are replaced by more robust two-factor authentication methods (such as those offered by Google) then it falls to the user to regularly change their password (which should not be password, but something much stronger) and to use services like this to ensure they are not exposed.