(Don’t) Change Your Password Day

The 1st of February is called Change Your Password Day. We at Team Spybot usually do not celebrate this day, because forcing people to change their passwords regularly usually leads to weaker passwords. This year we want to change the recommendation a bit:

Check your passwords, and do actually change them where needed – to make sure that you do not use the same password for two services!

Background: a technique called credential stuffing. Credential stuffing means that criminals take lists of credentials that were compromised on one site and try them on other sites; it only works when the same password is reused across services.

A few things can help:

Keep a separate password for each service. Do not use personal details such as your date of birth, and do not use words that can be found in dictionaries.

Use a password manager. This will help you keep a list of the complex passwords you choose. If you’re tech-savvy, you can use KeePass or Bitwarden to store them on your own hardware. Bitwarden is also available as a hosted service.

Use multi-factor authentication. Many services now offer two-factor authentication. Instead of just entering your username and password, you need to enter another factor (usually valid for a short time), created on your smartphone or sent by email or SMS, to log in. Criminals won’t be able to log in with just a stolen username and password.

Check whether your details have been involved in any breaches. Use an online service such as Have I Been Pwned, or our own breach-check service, which queries Have I Been Pwned together with our own lists.
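The two checks above can be scripted. The following is an added example, not code from Spybot or from Have I Been Pwned: it flags passwords reused across services in a constructed vault export, then checks each one against Pwned Passwords through the range API, which only ever receives the first five characters of the password's SHA-1 hash, so the password itself never leaves your machine. The vault entries and the offline range response are constructed so the script runs without a network connection; `fetch_range` does the live lookup.

```python
import hashlib
import urllib.request
from collections import defaultdict

# Real Pwned Passwords range endpoint; only a 5-char SHA-1 prefix is ever sent to it.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample vault export (service, password); not real credentials.
SAMPLE_VAULT = [("mail.example", "password"),
                ("shop.example", "password"),
                ("bank.example", "correct horse battery staple")]

# Constructed stand-in for one range response (real ones hold hundreds of
# "SUFFIX:COUNT" lines); the counts here are made up for the example.
OFFLINE_RANGE = {"5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
                          "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"}

def find_reused_passwords(entries):
    """Return {password: [services]} for every password used by more than one service."""
    by_password = defaultdict(list)
    for service, password in entries:
        by_password[password].append(service)
    return {pw: svcs for pw, svcs in by_password.items() if len(svcs) > 1}

def split_sha1(password):
    """SHA-1 the password; the 5-char prefix is sent, the 35-char suffix stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def fetch_range(prefix):
    """Live lookup (needs network): every known hash suffix sharing this prefix."""
    with urllib.request.urlopen(HIBP_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

def offline_range(prefix):  # drop-in for fetch_range, backed by the constructed response
    return OFFLINE_RANGE.get(prefix, "")

def count_in_range(suffix, range_body):
    """Match our suffix against the returned 'SUFFIX:COUNT' lines; 0 means not found."""
    for line in range_body.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count)
    return 0

def pwned_count(password, fetcher=fetch_range):
    """How many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetcher(prefix))
```

Calling `pwned_count(pw)` with the default fetcher queries the live API; when reporting results, print the service name and hit count rather than the password itself.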