400,000 Emails & Passwords Breached

In the latest news, Yahoo! announced today that 400,000 email addresses and passwords were breached yesterday and publicly posted online for all to see (and steal).  Supposedly the list has been taken down, but of course the cat is out of the bag.  Here's a link to the story in the NY Times.  And before you think "Oh, I don't use Yahoo! so I'm OK", note that the issue extends to AOL, Gmail and Hotmail users too!

The more chilling realization is that people often use the same email and password at various other sites, so it's not just an email issue.  You can expect hackers to run off and see if that email/password combination will work at PayPal, eBay, online banks, and you name it.

Our recommendation?

Best approach: We know it's a hassle, but many years ago we decided to just suck it up and use a password management program like 1Password to track different passwords at different sites.  Tracking so many unique password / login combinations all over the Internet is a hassle -- especially when you go to that one site that has special password requirements such that your "typical" password doesn't work.  Hence, we recommend an app to manage passwords, account numbers, logins and more, all in one place, that's locked in a secure and encrypted database.  1Password syncs between mobile and desktop so that your passwords are always in-hand wherever you go and whenever you need them.

Next best: If you're just not going to do the right thing, at least change/rotate them occasionally, and have at least 2 different passwords that you use: a "high security" password, separate from your "low security" password.  The former for banking and critical account stuff, the latter for email, Facebook, etc.  This way, as in the case of the LinkedIn breach a few weeks back, if your password had been compromised, at least it wouldn't have affected your money accounts.

Worst case: at least follow that last recommendation and have separate passwords for "money stuff" versus "other stuff."   Firewalling the critical accounts is, well, critical.
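As an added illustration (not code from the original post), here is a small Python audit over a constructed password-manager export that flags the reuse the post warns about, including the specific case where a "money" password is also used on a low-security site. Site names, tiers and passwords are made up.

```python
from collections import defaultdict

# Constructed sample of a password-manager export: (site, tier, password).
# Tiers follow the post's split: "money" for banking and critical accounts,
# "other" for email, social media and the like.
SAMPLE_VAULT = [
    ("bank.example", "money", "Tr0ub4dor&3"),
    ("paypal.example", "money", "Tr0ub4dor&3"),
    ("mail.example", "other", "correcthorse"),
    ("social.example", "other", "correcthorse"),
    ("shop.example", "other", "Tr0ub4dor&3"),   # money password reused on a low-security site
    ("forum.example", "other", "unique-pass-1"),
]


def group_by_password(vault):
    """Map each password to the list of (site, tier) entries that use it."""
    groups = defaultdict(list)
    for site, tier, password in vault:
        groups[password].append((site, tier))
    return groups


def reuse_groups(vault):
    """Return sorted lists of sites that share one password (any tier).

    Plaintext passwords are deliberately not returned; only the sites are.
    """
    groups = group_by_password(vault).values()
    return sorted(sorted(site for site, _ in g) for g in groups if len(g) > 1)


def cross_tier_reuse(vault):
    """Return sorted (money_site, other_site) pairs that share a password.

    This is the failure the post warns about: a breach of a low-security
    site exposes the password that also guards a money account.
    """
    findings = []
    for entries in group_by_password(vault).values():
        money = [s for s, t in entries if t == "money"]
        other = [s for s, t in entries if t == "other"]
        findings.extend((m, o) for m in money for o in other)
    return sorted(findings)


if __name__ == "__main__":
    for group in reuse_groups(SAMPLE_VAULT):
        print("same password on:", ", ".join(group))
    for money_site, other_site in cross_tier_reuse(SAMPLE_VAULT):
        print(f"CRITICAL: {money_site} shares its password with {other_site}")
```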