Ever notice how sites want you to choose very complex passwords using all sorts of combinations of letters, numbers, special characters, uppercase and lowercase? Having a strong password is good, but it’s not going to help you if you’re using the same password everywhere.
We’ve all been told ad nauseam to update our passwords, too. We’ve also been told not to use the same password more than once… But why? Why do I need a different password for every account?
This article is going to explain some useful information about passwords, why we’re told to choose “good” passwords, and what happens when we don’t…
As a side note, I’ve seen some convincing arguments that a passphrase can be better than a password. A passphrase would be something like “elephant-momentum-siricha-keyboard”. It can be a lot easier to remember, and you could always start the last word with a capital letter and use numbers instead of dashes between each word, to meet the requirements for whatever site or app you’re signing up for. (You can read more about passphrases vs passwords in this article by Okta.)
Why You Need Different Passwords for Each Account
Let’s say you signed up for a woodworking forum back in 2016, then forgot all about it. You used a random old Hotmail account as the email address, and a username that you’ve used on several other sites back in the day. Let’s assume the woodworking forum didn’t keep on top of their security or use the best protocols, and their user list is hijacked by a malicious party, or even someone who works for the forum. Now, someone has a list of usernames, email addresses, and passwords.
With that list, a malicious party can use special, often custom-built software that will cross-reference those 3 data points against many other data points. They will check if that same email address or username appears in any other lists of leaked data, or even in databases from the data brokers mentioned in the previous section, and now they’ll have even more data about you. They might know your address, where you do your banking, and they’ll know your email address and at least one password that you use. Now, they’ll use custom software that tries to log in to as many different sites as possible using different combinations of the data they’ve put together for you.
None of this requires a laser-targeted attack directly focused on you; it can all happen in bulk, and often does. When their log-in testers find out that you’ve used the same username/email and password combination on different accounts, it will be flagged so that the attackers can add this to a new shortlist. This might grant them access to old email accounts of yours, which basically grants them access to any site or service you’ve signed up for using that email address, since they can do a simple password reset, and now you’re in big trouble.
When you update your passwords on a semi-regular basis, that won’t prevent the data from leaking, but it drastically reduces the odds of the attackers getting any relevant or useful data. They don’t always get around to testing all the log-in information immediately; it’s often added to giant lists of hundreds of thousands of other users, maybe millions, and it gets filtered, traded, bought, sold, and tested. When their log-in tester software tries your combination and it doesn’t work, you’ll get filtered off their lists.
If you use the same password on a lot of different sites, you’re going to be playing whack-a-mole as your accounts are compromised one by one.
Attackers might start to laser-focus on you as an individual and start trying to dig deeper manually, or just keep running your username, email and password combinations through more and more databases and sites until they’re able to log in. Once they’re in, they may spam your contacts with convincing phishing attempts to take over the accounts of your friends and family, or simply post misleading spam and junk to your profiles.
In any case, if you change your passwords often enough, any data that does end up leaking won’t be useful to them, especially if you use a unique password every time that you register for something.
The Stolen Password Industrial Complex
It could be that one person or group has a huge list of compromised databases; these even get posted online. For data leaks that aren’t publicized or discovered, groups may trade in that data, buying and selling it. In these cases, the sites/apps and their users might not even know the data has been stolen by the time it’s in the hands of people who are capable of doing nefarious things with it.
There might be the group that steals the data, who then gives it to another group who will test all of the passwords and email combinations to see which ones still work, then they might re-package that data and give it to yet another group who will be more hands-on in accessing these accounts, depending on what type of account it’s for.
For social media accounts that are compromised, it might be something relatively simple and automated such as posting spam or scam advertisements through numerous different accounts, or even using them to promote legitimate products to earn a commission. Ever seen a friend on social media posting weird ads for knock-off Ray-Bans for $20, and tagging a bunch of people? They had their account compromised; that can be what it looks like…
However, for more serious accounts, like anything involving finance, it might not be just an automated bot that posts some spam messages and moves on. This type of compromised data might get a more hands-on approach, where the bad actors might use this as one piece of the puzzle to systematically gather more and more private information about you.
The end goal here could be to spend your money while also being able to pass verification checks (for example, if they’re able to clone your cellphone, they’ll be sent the log-in codes, even on sites where you ARE taking the extra security precaution of multi-factor authentication…).
How To Protect Your Passwords
To protect your passwords, you should update any passwords that you’ve been using for a long time and ensure that you aren’t re-using the same passwords over and over.
It’s really not that difficult. It gets a bit more complex if you want to understand the ins and outs of why to do each of these things, but if you’re willing to accept at face value that these are important steps to follow, and you follow through on the following list, you can more or less ensure that if any of your accounts are compromised, it’s not from somebody getting a hold of one of your passwords.
- Update your old passwords
- Use different passwords for each site
- Ensure your passwords are complex enough, whether you use an A45254?#$5345 style, or a passphrase like yellow-organic-wrench-sale
- Use multi-factor authentication for your most important accounts (email, financial, social media, anything that can open doors to your other accounts), even if you don’t enable it for everything
- Make sure you don’t fall for any fake log-in pages or scam emails that trick you into giving out your password
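To put numbers behind the passphrase suggestion in the side note above and the “complex enough” item in this list, here is an added Python example (not from the original article) that generates a passphrase with the OS random source, applies the article’s trick of capitalising the last word and swapping dashes for digits so a typical signup form accepts it, and compares the entropy of a 4-word passphrase against a 13-character random string like the A45254?#$5345 style. The 8-word list is a constructed stand-in; the entropy math assumes a real 7,776-word diceware list.

```python
import math
import secrets

# Constructed sample wordlist; a real diceware list has 7,776 words.
SAMPLE_WORDLIST = ["elephant", "momentum", "sriracha", "keyboard",
                   "yellow", "organic", "wrench", "sale"]
DICEWARE_LIST_SIZE = 7776

def generate_passphrase(num_words, wordlist=SAMPLE_WORDLIST, separator="-"):
    """Draw words with the OS CSPRNG (secrets), never random.choice."""
    return separator.join(secrets.choice(wordlist) for _ in range(num_words))

def to_site_format(passphrase):
    """Capitalise the last word and replace each dash with a digit so that
    classic upper/lower/digit rules pass. The digits are deterministic, so
    this adds no entropy; it only satisfies the form."""
    words = passphrase.split("-")
    words[-1] = words[-1].capitalize()
    return "".join(w + str(i + 1) for i, w in enumerate(words[:-1])) + words[-1]

def meets_complexity_rules(pw, min_len=12):
    """A common signup rule: minimum length plus upper, lower and a digit."""
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    return len(pw) >= min_len and has_upper and has_lower and has_digit

def entropy_bits(length, pool_size):
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size`."""
    return length * math.log2(pool_size)

def compare_styles():
    """4 random diceware words vs 13 random chars from digits, uppercase and
    32 punctuation marks (pool 10 + 26 + 32 = 68), both rounded to 0.1 bit."""
    passphrase_bits = entropy_bits(4, DICEWARE_LIST_SIZE)
    random_string_bits = entropy_bits(13, 68)
    return round(passphrase_bits, 1), round(random_string_bits, 1)

if __name__ == "__main__":
    phrase = generate_passphrase(4)
    print(phrase, "->", to_site_format(phrase))
    print("passes rules as typed:", meets_complexity_rules(phrase))
    print("passes rules in site format:", meets_complexity_rules(to_site_format(phrase)))
    print("entropy (passphrase, random string):", compare_styles())
```

The random string wins on raw entropy only when every character is truly random; a memorable 4-word passphrase still beats the short, predictable passwords most people actually pick, and adding a fifth word adds another ~12.9 bits.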
Follow these tips to avoid getting hacked, and chances are that most attackers will pass you by, because there will be much easier targets out there for them.
Remember, it’s like being chased by a bear in the woods… You don’t have to be the fastest runner in the world, you just have to be faster than the slowest!