There's a good chance that the password on your streaming service sucks
Three things that should be taught in school: Sex-ed, basic personal finance, and good password hygiene. Sadly, at least for those of us here in the United States, all three are sorely lacking.
The latter point was laid bare in a study from members of Google's Spam and Abuse Research Team. Too many passwords are being reused — and that opens the users to credential stuffing, which is where a bad actor tries a username and password combination leaked from one service on all kinds of other services, just to see if they'll work.
Or, to put it simply, if your Netflix email and password are the same as what you used for MySpace and were part of that 360 million-account breach, there's a good chance someone can get into your Netflix account if they want.
The researchers (which also included one from Stanford University) came to their conclusions from Google Chrome's Password Checkup extension, which securely checks passwords saved in Chrome with more than 4 billion unsafe username and password combinations that were at some point caught up in a breach.
The pattern of behavior shouldn't be terribly surprising. Big targets like banks and other financial institutions would more typically have strong, unique passwords. Softer targets like streaming services and other entertainment sites (and, I'd wager, things that you might also log in to from some sort of TV remote control) pinged the list of unsafe logins far more often.
How much more often? The nine entertainment sites listed in the study (they didn't say which ones) made up just 0.8 percent of the total number of visits, but accounted for 6.3 percent of the warnings. The next highest warning rate was "adult" websites at 3.6 percent. (Which made up just 0.2 percent of the total number of visits. Seems low, but whatever.)
The scarier number is the "ignore rate," which means users were warned that their passwords potentially had been breached at some point — but they chose not to change them. Adult sites made up 38.5 percent of ignored warnings, and entertainment sites were second at 27.1 percent.
Here's how things were put in the study, which you can read in its entirety here as a PDF:
That bit about "perceived lack of risk" is interesting. As far as I'm concerned, a password is a password is a password. I also strongly believe that we tend to look at security completely wrong. We tend to trust the services we use, considering them to be secure until proven otherwise. That's backward. We should assume everything we do — every new service we sign up for, every new credential — can and will be breached, and we should do whatever we can to mitigate that risk.
Strong, unique passwords are the first step in that fight. You can use what's built in to your browser, or you can use a third-party password manager. Here are but a few that are worth exploring:
LastPass is one of the most popular password managers on the planet for a reason: it brings a good balance of features for each of its pricing tiers. There's a pretty robust free option and a well-priced 6-person family plan. All the more reason to teach kids proper password and data protection habits at a young age, especially with features like Security Challenges to help you proactively change and improve your passwords.
Dashlane is a well-designed, easy-to-use password manager, but these days it's also something of a one-stop-shopping experience for online data security. Dashlane Premium comes with a VPN, separate secure browser, and Dark Web Monitoring to alert you if your info shows up in a data-dump. Premium Plus even includes credit monitoring and Identity Theft insurance, and all of those features jack up the price.
1Password has surged to become one of the easiest-to-use and well-featured password managers around. Its $36/year membership is competitive, and while 1Password does have trial periods, you must pay to play. 1Password's Travel Vault can be an extra handy feature for frequent international travelers as it allows you to purge specific accounts from your on-device storage so they can't be tampered with or copied.
And you absolutely should use two-factor authentication whenever possible. Hardware keys are best, though I can't think of a single streaming service that uses them. (Save for, I suppose, YouTube TV, since it uses your Google login.) Software tokens are OK, but they can be spoofed. Time-based SMS codes should be avoided if at all possible.
And employ a service like Google Chrome's Password Checkup extension, or the Have I Been Pwned? service to see if your credentials have been caught up in a breach.
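As an added illustration (not code from this article, from Google's Password Checkup, or from Have I Been Pwned), here is how a breach lookup can work without the password ever leaving your machine, alongside the reuse check the article keeps coming back to. The client hashes the password locally and sends only a short hash prefix, the same range-query idea Have I Been Pwned's Pwned Passwords API uses (Password Checkup's own protocol is different); the breach corpus and the saved logins are constructed sample data.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus (real services index billions of entries).
BREACHED_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]

# Constructed stand-in for logins saved in a browser or password manager.
SAVED_LOGINS = {
    "netflix.example": ("alice@example.com", "letmein"),
    "myspace.example": ("alice@example.com", "letmein"),
    "bank.example": ("alice@example.com", "Tr0ub4dor&3-unique!"),
}

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_breach_index(passwords):
    """Server side: bucket breached hashes by their first 5 hex chars (k-anonymity ranges)."""
    index = defaultdict(lambda: defaultdict(int))
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index

def range_query(index, prefix: str):
    """Server side: all it learns is the 5-char prefix; it returns the whole bucket."""
    return dict(index.get(prefix, {}))

def breach_count(password: str, index) -> int:
    """Client side: hash locally, send only the prefix, match the suffix at home."""
    h = sha1_hex(password)
    return range_query(index, h[:5]).get(h[5:], 0)

def find_reused(logins):
    """Group sites sharing one email+password pair: a leak at any of them exposes all of them."""
    groups = defaultdict(list)
    for site, cred in logins.items():
        groups[cred].append(site)
    return {cred: sorted(sites) for cred, sites in groups.items() if len(sites) > 1}

def audit(logins, index):
    """Return {site: (reused, breach_hits)} so the riskiest logins can be changed first."""
    reused = {s for sites in find_reused(logins).values() for s in sites}
    return {site: (site in reused, breach_count(pw, index)) for site, (_, pw) in logins.items()}

if __name__ == "__main__":
    idx = build_breach_index(BREACHED_PASSWORDS)
    for site, (is_reused, hits) in audit(SAVED_LOGINS, idx).items():
        print(f"{site}: reused={is_reused} breached={hits}")
```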
But as often is the case, the simplest solution may well be the best one: Don't reuse passwords. And if something warns you that your Netflix password may have been breached somewhere else, it's time to change it.
Phil is the father of two beautiful girls and is the Dad behind Modern Dad. Before that he spent seven years at the helm of Android Central. Before that he spent a decade in a newsroom of a two-time Pulitzer Prize-finalist newspaper. Before that — well, we don't talk much about those days.