Have you been using the same email address and username on various platforms for twenty years?
Have you been using the same password for your accounts for twenty years?
If so, please do the following:
1. Go to HaveIBeenPwned.Com. In the search box, search your email address. If the bottom of the page turns red, it means that your email is in at least one set of data from a breach.
2. Scroll down on the page to look at the breaches your email was in. I want you to look specifically for breaches that include passwords.
What this means is that your email address, which you have used as an account name for twenty years, and your password, which you have used across platforms for twenty years, are available for anyone on the web who wants to look. It’s pretty easy to go and find too!
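HaveIBeenPwned also lets you check a password itself without ever sending it: the Pwned Passwords "range" lookup hashes the password locally, sends only the first five hex characters of the SHA-1, and matches the rest against the returned `SUFFIX:COUNT` lines. This is an added example (not from the original post and not HIBP's own code) that implements that client-side matching; the network call is replaced with an offline stand-in built from a constructed list of "leaked" passwords with made-up counts, so it runs without internet access.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Constructed stand-in for the breach corpus: a few passwords and how many
# times each supposedly showed up in breaches. Counts are invented for
# this example; only the hashing and matching logic is meaningful.
LEAKED_SAMPLE = {"password": 1234, "letmein": 56, "Summer2019!": 3}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords service keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-char prefix ever leaves your machine."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real service)."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fake_range_endpoint(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/{prefix}.
    Returns the sample suffixes sharing the prefix plus one obviously fake
    filler line, so a lookup never comes back empty (assumption, not HIBP's behaviour)."""
    lines = [f"{'0' * 35}:1"]
    for pw, count in LEAKED_SAMPLE.items():
        p, s = split_for_range_query(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch_range: Callable[[str], str] = fake_range_endpoint) -> int:
    """Times the password appears in the corpus; 0 means not seen."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw)
        print(f"{pw!r}: seen {n} time(s)" if n else f"{pw!r}: not in sample corpus")
```

To use it against the live service, swap `fake_range_endpoint` for a function that fetches the prefix URL and returns the response body; the password still never leaves your machine.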
This is how a LOT of identity theft and fraud happens these days.
Let’s say you created your LiveJournal account when you were fifteen. You used it a lot and by the time you were twenty the credentials you created for it were familiar and you plugged them in whenever you had to create an account. You plugged them in when you created a Facebook account. You plugged them in when you created a bank account. You plugged them in when you created the account that lets you see your lab results from your doctor’s office.
All that someone has to do to seriously fuck your life is to do the following:
- Find your email and password in one of these lists.
- Compare to other lists and see if the same information is present.
- Seek out the most common account types (gmail, facebook, yahoo, hotmail, icloud, amazon, and one of about five financial institutions).
- Start entering your username and password.
- Literally, profit.
That’s all it takes. If you used the same username and password in two accounts in a breach, you probably used it elsewhere. Maybe you put an exclamation after the password, or entered your birth year, but those are pretty easy things to guess about and well worth it if someone can send themselves all the cash in your bank or order a shitload of giftcards from your amazon account.
And look: I know it's really easy to not take warnings about passwords seriously. I know that if you haven’t been screwed by this yet that it’s easy to think that your password is strong enough, that you’re going to get overlooked because you’ve got less than a hundred dollars to your name, that you’re not going to have a problem with this.
People re-use passwords all the time. They re-use passwords constantly. And a lot of people don’t understand that those passwords are freely available out on the internet.
Think about what would happen if someone locked you out of your primary email account and there was no way to get back in. You go to change your password on social media and what does it do? Sends a confirmation to your email, which you now don’t control. Is your primary email one of the ways that you get information from your bank? Is it how you log into and track orders from online resellers? How do you log in to the profile on your phone? Do you have a browser profile? Do you log in with your email address? Does your browser profile save your credit card numbers?
This is why we use password managers. This is the advantage to password managers. With a password manager there is ONE password you have to be very careful to keep safe (the password to your password manager) and all the other passwords are disposable. Did your email get revealed in the Tumblr breach? NBD, use your password manager to generate a new, unique password for your tumblr account, change it, and you’re good to go.
I know it seems like a giant pain in the ass to start using a password manager. I know it seems like a much bigger headache to log into a password manager and copy passwords than it is to type in the password that you KNOW. But I promise that using a password manager is a much smaller headache than freezing your credit so that people stop applying for credit cards in your name, or trying to start a brand new email from scratch when you get locked out of your old one, or tracking down all of the photos that someone could download from your cloud storage and making sure that they aren’t getting posted on revenge porn sites.
I also promise that using a password manager gets easier the more you use it. It’s a big hurdle to jump over when you’re getting started, but it gets easier pretty much immediately.
And this doesn’t have to be an all-or-nothing proposition. You can create an account with a password manager and just save one login to start. It’s actually easiest if you keep it low-key and just update your logins whenever you find yourself needing to log in to a site instead of trying to go through and do it all at once before you’re familiar with the program.
I’d recommend starting with at least two things: your primary email and your primary bank account. After that update any major online retailers you shop frequently and any social media that you use often.
A password manager is also a great place to store account recovery codes, answers to security questions, previous passwords, PINs, and secondary contact methods.
A lot of people worry that a password manager is an even bigger risk than just reusing passwords or creating memorable passwords or writing passwords down in a notebook because if a password manager is breached then all of that very important data is exposed. This is a reasonable thing to fear, and that’s why it’s important to be careful about what password manager you use.
This is why I recommend Bitwarden. Bitwarden uses a very secure encryption scheme and never stores any of your data in plaintext. If Bitwarden is breached and leaks data, all that will be leaked is gibberish. What you need to worry about to keep your password manager secure are the following:
- Create a good, complicated, unique password for your password manager. This password DOES need to be memorable, so pick something that will be easy for you to remember. I like to use song lyrics and the year a song was released for this, so something like “Nggyu,Nglyd,Ngraady82” if we’re using “Never Gonna Give You Up” as an example.
- Make sure that you have secure recovery methods for your password manager; save your recovery passphrase in a safe place (I have a notebook with info like this and software activation codes and so on that I keep in my sock drawer, as well as a password protected folder on my desktop)
- Only log in to your password manager from devices that you use a pin or password to log into - if you aren’t doing that, at least make sure to set a short vault timeout, so that your password manager will log out after a set (short) period of time
- Do not use the password for your password manager anywhere else
- Do not tell anyone the password for your password manager
- Make sure that your devices have good security and don’t allow people remote access to your computer or devices.
Basically YOU are the only way that someone can get into your password manager. Your password is the only thing that can unlock it, which means that A) you have to ensure that you won’t lose the password and B) you have to ensure that nobody else has access to the password. I know that first one sounds scary, but there are a LOT of ways to recover a Bitwarden account if you take the time to set them up. The second one is much simpler, and is the thing that is going to keep your password manager safe.
Anyway ILU please use a password manager.