Reusing passwords across numerous internet sites is dangerously insecure. A typical computer user, when warned about this practice, might respond, “What’s the big deal? I do it all the time.” The problem is that most typical computer users don’t really understand the inherent dangers of reusing passwords. This is especially troublesome if passwords are reused for sites that contain personal and/or financial information, e.g. credit card info. Below is an example of why you shouldn’t reuse your passwords.
Joe Blow is a typical computer user who has a number of website logins linked to his email account email@example.com, and he uses the same password for all of those sites. He uses Facebook, Instagram, Google, online banking, Steam for his gaming, Expedia for his travel, and numerous online shopping accounts including Amazon. Joe plays some online computer games, and he had an account to play Town of Salem, which was produced by BlankMediaGames. A recent discovery, made at the end of December 2018, revealed that this site had been hacked. A serious data breach had occurred, resulting in the exposure of over 8 million individual users’ email accounts, website usernames and passwords, IP addresses, past purchases, and website activity. More information on this hack can be found here: https://blog.dehashed.com/town-of-salem-blankmediagames-hacked/
Since Joe uses the same password for all of his website accounts, the Town of Salem breach exposed most of Joe’s online activity, including his email account, banking, social media and online shopping. A question most people would ask is, “Once a breach has occurred, what do hackers do with all that data?” Partial or complete databases of this kind of information are sold on the Dark Web, either outright or through an auction process to the highest bidder. Data of this kind can make its way to criminal organizations, which can profit handsomely by exploiting users’ accounts and personal information. A data breach at a targeted organization can go undiscovered for several months.
In Joe’s case, he was unaware of the data breach that had occurred with his Town of Salem account. One day, Joe tried to log into his online banking account and kept getting an error saying his user ID or password was incorrect. After several login attempts, he decided to reset his password, but when asked to complete an email verification, he was unable to log into his email account.
Joe was under a time constraint to make a rent payment to his landlord, so he made a trip to his local bank branch to make the payment and resolve his online login problem. When he reached the bank, to his horror, the banking representative informed him that he had a balance of only $5 remaining in his account. At this point, Joe realized that something serious had occurred and that his various online accounts had been compromised, but he couldn’t understand why this had happened. He used what he thought was a very strong password.
The problem was that he had reused his password on various accounts, including the Town of Salem account. That security breach had exposed his email and password information for the criminal world to exploit. His banking account was compromised because he reused his common password and didn’t use multifactor authentication (also referred to as two-factor authentication), a service that his bank offered but that he never got around to setting up. Hackers were now able to log into his various internet accounts and not only drain his bank account, but also gather and dissect all kinds of personal information on Joe. Once the perpetrators had control of Joe’s email account, they were able to change his password on all of his other accounts, thus locking Joe out.
By following more secure password management practices, Joe could have avoided this situation. Joe wonders how one could possibly set up and remember countless usernames and passwords for all his accounts. A password management program like LastPass, where only one master password has to be remembered and a different password can be generated and used for each account, would have alleviated Joe’s problem. Use multifactor authentication wherever possible, especially on your most important and sensitive websites, or on sites where financial transactions take place.
Don’t allow websites to remember your credit card information if possible (click the box “do not remember credit card” if that option exists). Don’t allow your browser to remember your passwords.
Now Joe has the unwanted burden of resetting all of his online accounts, which is not as simple a process as setting up an online account in the first place. He also has to set up credit monitoring so he can hopefully avoid or minimize the effect of identity theft, since most of his online accounts had been compromised. Joe will never make the mistake of reusing passwords again, and will implement better password management habits from now on. You can also refer to a previous blog posting on password management for more information.
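To see how far one breach reaches in a situation like Joe’s, the added example below (not part of the original post) audits a credential export for reused passwords and lists which other accounts fall when one site leaks. The CSV layout, the sample rows, and the names `find_reuse`, `exposed_by_breach` and `RESET_PIVOTS` are assumptions made for illustration.

```python
import csv
import hashlib
import hmac
import io
import secrets
from collections import defaultdict

# Constructed sample export (site, username, password); no real credentials.
SAMPLE_EXPORT = """site,username,password
email,email@example.com,Sunsh1ne!Joe
bank,joeblow,Sunsh1ne!Joe
townofsalem,joeb,Sunsh1ne!Joe
amazon,email@example.com,Sunsh1ne!Joe
steam,joeb,gamer-pass-77
expedia,email@example.com,gamer-pass-77
facebook,email@example.com,k7#Vq9wLz2pR
"""

# Assumption: accounts whose takeover lets an attacker reset passwords elsewhere.
RESET_PIVOTS = {"email"}

def find_reuse(export_csv, pivots=RESET_PIVOTS):
    """Return groups of sites sharing one password, most dangerous first."""
    key = secrets.token_bytes(32)  # per-run key: digests are useless outside this run
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[tag].append(row["site"])
    findings = [
        {"sites": sorted(sites), "includes_pivot": bool(pivots & set(sites))}
        for sites in groups.values() if len(sites) > 1
    ]
    # Groups containing a reset pivot come first, then larger groups.
    findings.sort(key=lambda f: (not f["includes_pivot"], -len(f["sites"])))
    return findings

def exposed_by_breach(export_csv, breached_site):
    """Other accounts that fall if breached_site leaks its password."""
    for finding in find_reuse(export_csv):
        if breached_site in finding["sites"]:
            return [s for s in finding["sites"] if s != breached_site]
    return []

if __name__ == "__main__":
    for f in find_reuse(SAMPLE_EXPORT):
        print(f)
    print(exposed_by_breach(SAMPLE_EXPORT, "townofsalem"))
```

The report contains only site names, never the passwords themselves, so it can be reviewed without exposing the credentials a second time.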