I just received a notice from OpenTable, as did their other participants, suggesting that I should change my OpenTable password. Their reason for this suggestion is interesting – and often overlooked.
Why did they suggest a password change? Because of the Yahoo password theft. OpenTable says the Yahoo breach had no impact on OpenTable’s systems, but they note – correctly – that many people use the same password everywhere. The OpenTable message says, “we strongly encourage you to update your password to be unique to OpenTable.” They’re worried that the Yahoo breach might have given the bad guys the password you also use at OpenTable and elsewhere.
People often overlook that point. They think, “Well, if my Yahoo password was stolen, I need to change my Yahoo password and I’m done.” The bad guys, however, know that many people use the same password over and over. If they get your Yahoo password, they can try that same password on your other accounts. According to Ofcom’s “Adults’ media use and attitudes report 2016,” the number of those who admit to using the same password on multiple sites is about the same as the number of those who say they don’t. For the bad guys, those are pretty good odds.
By the way, Ofcom’s 2016 statistic on that question is an improvement over the answers they got in 2015. If we’re feeling optimistic, we can say, “Hurray, people are learning how to improve their online safety!” If we’re feeling less optimistic, we can say, “More people know what the ‘correct’ answer to that question is, even if they’re not following it in practice.” It’s probably some of each.
I’ll repeat what I’ve said before about things you can do if your password is stolen (“When Changing Your Password Isn’t Enough”):
- Use two-factor authentication where it’s available. Even if the bad guys steal your password, that’s still not enough to log in as you. See “Two-factor authentication: What you need to know (FAQ).”
- Use a password manager to generate a long, random, unique password when you change your password. A long, random password can still be stolen, but if you have a unique password for every site, and none of those passwords are similar to each other, a theft at one site won’t help the bad guys attack you at other sites. For more information on password managers, see “The Best Password Managers of 2017.”
- Enable login alerts where they’re available. Typically, this means the site sends you a text or email alert if it sees a login from a device you haven’t used before. That doesn’t prevent the login, but it at least lets you know that something fishy happened. For example, you can use Facebook login alerts and Gmail device activity & notifications.
Kudos to OpenTable for staying on top of security even when they didn’t have a breach.