
The harsh reality about your password practices

You reuse passwords, add exclamation marks to them, and are confident you won’t be hacked. Have a seat, we’ve been waiting for you.

You are looking for a book. It’s not on Amazon; it’s not on Indigo. But it’s on this website you’ve never seen before, so you create an account and go to the checkout. It asks for a password and, after thinking hard for two seconds, you type Letmein1!, your favorite default password for one-off accounts like this. You don’t mind that it’s easy to guess because “I’ll never use this account again, so who cares?” Purchase finalized.

Even if you don’t use it again, this new account is tied to your credit card and home address details, now guarded by the bullet-proof password “Letmein1!” Yes, you know a hacker could guess this password, but that won’t happen to you, right?

You are not alone; welcome to Password Rehab

I feel you; I’ve been there. The average online user has 118 accounts (and this is not the most recent stat). What percentage of those accounts do you think have a secure, well thought-out, and unique password? Exactly.

Now, let’s look at the threat: 65% of NuData’s eCommerce accounts are targeted at least once every month. This means that every two months, almost every account in a company is targeted at least once. Yes, this includes your account.

Attacks normally use a password harvested from another breach. In these situations, bad actors are looking for an account holder who reused the same or similar password across multiple accounts. These attackers are on to something: 73% of accounts are protected by duplicate passwords, and on average, 54% of people use five or fewer passwords across their entire life. Let me say that again: Across their entire life.

I know what you are thinking

“But, but… I have really good passwords for my important accounts, like online banking.” I believe you, my friend. But what about the personal information someone can access in your other “less-important” accounts? What about your address and full name saved in that online account you just created in a rush? Your name, address, and phone number are all key data points bad actors can use with a call center to access your account.

At the Aite FinCrime forum last September, Brent Whittington from Ally shared examples of fraud that occurs at their call centers, where the caller tries to access an account illegitimately. The caller impersonates the real customer and asks for information from the file or requests a change to the phone number to receive a two-factor authentication code.

Fraudsters always require the representative to bend the rules to some extent and use psychological techniques to achieve their goals. Additionally, call-center agents are some of the lowest-paid employees in a corporation, making them easier targets for these ploys. In one example, a fraudster played the sound of a crying baby in the background to create a sense of urgency and trigger the bank representative’s compassion.

This won’t happen to me – and other lies you tell yourself

Of course, why would it? It happens to millions of people each year, but why you? An academic named Tali Sharot introduced the theory of optimism bias. Apparently, many of the seemingly unbiased decisions we make every day are influenced by our positive thinking about the future.

This is a good thing, but it also opens the door to the ‘won’t happen to me’ attitude. Do you, like 90% of people, believe yourself to be a better-than-average driver who is more skilled at maneuvering their vehicle at dangerously high speeds? The math doesn’t quite add up, and that’s how optimism bias gets us.

Honestly, if you want to live on the edge, choose something more interesting like ordering an extra-extra spicy butternut chicken, or jumping into the shower when the water is still cold. But password sloppiness is not that exciting of a risk, so why take that chance?

If you are still reading this, you are probably ready to make a change – or at least listen. These are the two things you should start doing today.

1. Create a better password using these tips

For a strong password, write a long passphrase with random words that make sense to you. A password is not stronger because it is complex; it is better because it is long, unique, and hard to guess. If you don’t believe me, look at this vignette (but come back; we are not done).

For example, think of the lyric of a song, a menu item from your favorite food truck, or, even better, combine them: “DontWorryBeSpicyButternutChicken.” – disclaimer: although awesome, this is not my password.
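To put numbers behind the “long beats complex” claim, here is an added example (not from the original post) that generates a random passphrase with the operating system’s CSPRNG and compares its search space with that of a shorter character-based password. The small word list is constructed for the demo; a real passphrase list such as the EFF long list has 7776 entries, which is the figure the comparison assumes.

```python
import math
import secrets

# Constructed sample word list for the demo. A real passphrase list (for
# example the EFF long list) has 7776 words; that size is assumed below.
SAMPLE_WORDS = ["butternut", "spicy", "worry", "chicken", "coffee", "closet",
                "harvest", "truck", "lyric", "shower", "cold", "edge"]
REAL_LIST_SIZE = 7776          # size of a Diceware-style word list
PRINTABLE_ASCII = 94           # letters, digits and symbols a keyboard offers
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` choices made uniformly at random from `pool_size`
    options. This only holds when every choice really is random; a dictionary
    word plus a digit and an exclamation mark is far cheaper to guess than the
    character count suggests, because attackers try those patterns first."""
    return length * math.log2(pool_size)


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words with secrets.choice (CSPRNG), never random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every candidate at the given offline guess rate."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare_schemes() -> dict:
    """Search-space size in bits for a few random schemes, for side-by-side
    reading. Word counts use the real 7776-word list size; the character
    schemes assume every character was chosen at random."""
    return {
        "8 random printable chars": entropy_bits(PRINTABLE_ASCII, 8),
        "10 random printable chars": entropy_bits(PRINTABLE_ASCII, 10),
        "4 random words": entropy_bits(REAL_LIST_SIZE, 4),
        "5 random words": entropy_bits(REAL_LIST_SIZE, 5),
        "6 random words": entropy_bits(REAL_LIST_SIZE, 6),
    }


if __name__ == "__main__":
    print("Sample passphrase:", generate_passphrase(5))
    # Assumed guess rate for an offline attack on a fast hash; constructed figure.
    rate = 1e10
    for scheme, bits in compare_schemes().items():
        print(f"{scheme:28s} {bits:6.1f} bits  "
              f"~{years_to_exhaust(bits, rate):.2e} years at 1e10 guesses/s")
```

Six random words from a 7776-word list give more entropy than ten random printable characters, and they are far easier to remember; the comparison also makes clear why “Letmein1!” gets none of the credit its nine characters might suggest.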

2. Get a password manager

I confess I was a password rookie until I was forced to use a password manager for work. Before, I used to rely on the Forgot My Password option like I rely on my cup of coffee in the mornings. Now, I am a convert who writes articles about why you should use one too.

A password manager dramatically improves your password hygiene. It allows you to store all your usernames and passwords, including security questions and whatever else you want, in one clean, digital closet. It generates complex passwords that you don’t have to memorize. Many managers also offer a timer option that reminds you to change a password every so often, a safeguard in case your credentials were breached and you haven’t found out yet.

You can use the apps or browser plug-ins, have it based on the cloud or on your computer; there is no shortage of options. Here are some you can investigate.

Have I convinced you yet? If yes, you completed your password rehab. Go and download a password manager and start updating your ten-year-old passwords. If no, please scroll to the top and read the article again; perhaps it wasn’t quite clear enough.
