I discovered a new way hackers can mess with your online accounts, even if you have a super strong password. Do you have accounts with usernames and passwords on a gazillion accounts? Yup, this article is for you.
So, if you only read 2 lines of this article, just go to this website: https://haveibeenpwned.com/ and type in your email address or your favorite username. This website will show you if your email address has been compromised. Now more info:
Shout out to the excellent podcast: ReplyAll
ReplyAll did an amazing show on how a New Yorker's Uber account had been used to pay for rides for a hacker in Russia, even though Uber had never been hacked. Here's how it works: you use the same email address and password on lots of websites. Unethical people hack into one of the many websites you might use (viz. Linkedin, Adobe, Yahoo, etc. etc). They grab thousands or millions of email addresses and passwords. Next they sell packets of these email / password combinations in a place called the dark web. Or, they use a piece of software to try out thousands of email / password combinations on sites like Uber, eBay, Amazon.com etc. etc.
Even if Uber's cybersecurity is bulletproof, if you use the same password on Uber as you used on Yahoo or another site that's been hacked, your account on Uber is now vulnerable.
So How Do You Keep Your Internet Accounts Secure?
Here are some options:
- Use a different password for every account (problem is this is kind of impossible)
- Use password manager (can be a good idea, can also be a horrible idea, more about that in a moment)
- Create your own secret password hash <--- best answer, and explanation to follow
What's Wrong With Using a Different Password for Every Account?
If you can use a different password for every account you use on line and remember them all, more power to you. This would never work for me, or many mere mortals. I use a database program called "Bento" to organize a lot of my passwords, and it's helpful. It's kind of like Microsoft Access, but easier to use and built for Mac. Unfortunately, it is no longer supported, and the replacement is more money than I want to spend. There is always the old standby of a massive Excel spreadsheet or even pen and paper. These work and are probably secure but, seem rather inelegant to me and these lists can be lost or compromised.
What's Wrong With Using a Password Manager?
ReplyAll recommends using a password manager to keep your online identity secure. I thought this was an awesome idea until a friend mentioned that this could actually be the worst option. Here's what you need to know:
What is a Password Manager
A password manager is a piece of software that automatically generates incredibly hard passwords and then remembers them for you. So when you go to an online account, you enter a single password into the password management software and the password manager automatically enters your heavily encrypted information into the account window.
What's the Problem Password Managers?
A friend who once worked at the NSA mentioned that these password managers can be cracked liked any other software and then you're really in trouble. If your password manager is compromised all of your passwords are now compromised. What's worse, if you can't get into your password manager, you are locked out of all of your accounts since you don't have the passwords. So, this is not a great option.
What is a Password Hash and How to Make One?
A hash is when you combine a few things together. Lots of people use passwords that combine two words or a word plus a number. So if they are creating a password for yahoo.com and they have an anniversary on 4/28, the make a password yahoo428. This is pretty weak since it's pretty common to see this kind of combination: "website+428". So, here's a trick taught to me be another former NSA guy: make the date every other letter. So if you're combining 428 and yahoo, instead of adding yahoo to the end (yahoo428) put 428 as every other letter in yahoo like this: y4a2h8oo. This makes a much more secure password and is as easy to remember as yahoo428. I still recommend using some kind of list, to track these, but if you lose it, you still know your "hash".
Hope this helps.