People often talk about security and how to protect yourself, but one issue that in my opinion does not get enough exposure, and the reason I started my business, is the reuse of passwords and password security. Millions of people are compromising their own security not only by using the same passwords across multiple sites but also by using weak passwords.
I have been trying to get the importance of password security and the dangers of password reuse across to people without getting too technical, so I came up with a short story that may help. This is the true story (totally made up) of Joe Qwerty, and I hope it helps you not to be like Joe.
Joe Qwerty – Passwords & pa55w0rds
The Qwerty family are your average family. They live in a little village in their 3-bedroom house. They are a family who like their gadgets but don’t have to be at the cutting edge of technology. They are essentially your typical modern family.
It was on a Saturday afternoon that this horror story begins and everything changed for the Qwerty family. The children were at a friend’s and Mrs Qwerty had gone into work at My Login Vault, as it was busy today due to an influx of demand for password manager software ;-). Mr Qwerty (Joe) was at home and, with his wife’s birthday coming up, he decided it was a good time to look online for a nice present. She had said only yesterday (after he had frequently asked her what she wanted for her birthday) that she had always wanted to drive a tank, so he begins his search on Google for tank driving experiences.
After 30 minutes or so Joe finally comes to a site that offers tank driving experiences. Joe clicks on Buy Now and is taken to a page to sign up so that he can proceed to the checkout. As with most sites, Joe fills in the sign-up form.
He pops in his email address – “firstname.lastname@example.org”
He pops in his name – “Joe Qwerty”
He then pops in a password to log in to the site in future – “qwertypop1965”. Joe chooses this password because it is the one he uses for his email account and his Amazon account; it is easy to remember as it’s his last name, initials and year of birth. Joe also feels very safe with this password as a random website told him that the password strength was very strong. Joe feels quite proud that he has a strong password and feels secure and safe using this password for all his accounts. Joe sometimes uses other passwords to “mix it up a bit” but tends to stick to the same 2 or 3 so that he can always remember them.
Joe completes the signup and then receives a confirmation email. He clicks to confirm his email address and is taken back to the site. He signs into his newly created account, but just as he does so his wife returns home. Joe quickly closes the browser window, intending to come back to it later.
In the days ahead Joe decided against the tank driving experience after he discovered his wife was not serious about it; she was just teasing him. Joe decided on a nice 2-day break away for her birthday. “Phew, it’s a good job I didn’t order the tank experience,” he thinks, “ah well, no damage done.”
Unbeknownst to Joe, the website he had signed up to was not very professional and had been set up on the fly; they were storing the sign-up details the users had supplied but were not encrypting or securing any of the data. The tank experience website subsequently had a security breach and the database with customer details was stolen and sold on the black market.
Over the next few weeks strange things started to happen to some of Joe’s accounts. His friends were reporting that his Facebook account was posting strange posts, sometimes sexual! His email account had been locked due to strange behaviour and he was required to change his password; once he got his email account working again he was receiving strange emails from credit card companies he didn’t have cards with. Worryingly, there were also orders on his shopping account that he had never placed and recent access on his paybuddy account even though he had not used it in over a month.
Why did this happen to Joe?
Let’s look at what Joe does rather than what happened to Joe. Although it would not have helped him with what happens below, it is worth pointing out the first mistake Joe made. Although some random website said that Joe’s password strength was good, it does not take much to work out the password if you can get his date of birth from a social media website.
Joe also uses the same password across multiple sites, as many of us did/do. This is very detrimental to your password security. Most websites nowadays require your email address either as the username or as a way to confirm who you are and reset your password should you ever forget it. The website Joe signed up to had a data leak, meaning that the passwords of its 10,000 users were exposed.
Whoever holds this data now has the email address and password combinations of 10,000 people that used that site. How many do you think are like Joe and use the same password on more than one site because it’s convenient to remember? How easy do you think it is for a potential criminal to pop those email address and password combinations into Facebook, PayPal, eBay, Amazon, Gmail, Yahoo Mail, Hotmail etc. and see if they strike gold? Not very hard, I assure you.
Joe compromised his password security by using the same password more than once. We are creatures of habit and, while not all of us, a large portion use the same email address and password combination across 5, 6, 7, 10 sites! If one of these sites has a data leak, then all of those accounts are compromised, allowing someone to essentially take over your online identity.
Identity thieves have many of these types of databases and password reuse makes their life so much easier. Ah, you say, but I used a different password for that site so at least that one is safe. Really?
Even the sites with different passwords are no longer secure if you signed up to them using an email address that has been compromised, as the thief can easily have a password reset email sent to the email address they now have access to. Consider the following scenario:
- An identity thief now has access to your email account whenever they choose (until you realise it is compromised, which could be days or weeks).
- They know you log in to a particular account using this email address.
- They go to the account’s website and request a password reset email. You don’t have 2 factor authentication set up, or it’s not offered by the site; more good news for the thief.
- They change your password via the email.
- They log in to your account and use your balance or, worse, have access to your bank account to purchase product x or bitcoins or whatever it is.
- You suddenly find your bank account empty.
What Could Joe Have Done Differently To Improve His Password Security?
Joe made the mistake very early on in his computing days when he decided that convenience was more important than his own password security. Yes, the website holds some responsibility and should have done more to protect his data, but even some of the biggest companies in the world have had data leaks and exposed users’ data. We also have to be responsible for our own password security.
EVERY account that Joe had should have had its own unique and complex password to ensure that, should one account be compromised, the others would not be. Joe could then store these in a password manager like My Login Vault.
Joe should also have ensured that his email account was his most protected account, as this is the window to many of his other accounts. This includes setting up 2 factor authentication on the account.
“But Joe has 30 accounts; it’s very inconvenient and difficult to remember 30 unique and complex passwords!!” I hear you say.
Yes, there is an inconvenience, but this can be resolved by using a password manager where you can store all your passwords securely and, in the case of My Login Vault, always be in control of the data rather than it being in the cloud. If the data is with you and only accessible when you plug it in to your computer, your security increases.
We also need to get rid of this idea that we need to be able to remember our passwords. NO, NO and NO. We don’t need to remember our passwords; we want our passwords to be long, complex and difficult to guess. We don’t want to give identity thieves a helping hand by neglecting our password security.
- Make them COMPLEX (uppercase, lowercase, symbols, numbers)
- Make them RANDOM (not words, names, DOBs; make it nonsense)
- Make them LONG (aim for a MINIMUM of 13 characters)
Store them all in a password manager and access them when you need to.
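To show the three rules above in practice, here is a small added example (not code from this post or from My Login Vault) that generates a password meeting them and checks an existing one against them, including catching a password built from personal details the way Joe’s was. The profile of Joe (surname and birth year) is a constructed sample input.

```python
import secrets
import string
from typing import List, Optional

MIN_LENGTH = 13  # the post's minimum
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed profile for the story's Joe, used only to demonstrate the
# "not names or DOBs" rule; real checks would take the account owner's details.
JOE_PROFILE = {"surname": "Qwerty", "birth_year": "1965"}


def check_password(password: str, profile: Optional[dict] = None) -> List[str]:
    """Return the rules a password breaks; an empty list means it passes all three."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} < {MIN_LENGTH}")
    # COMPLEX: every character class must appear.
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    for name, present in classes.items():
        if not present:
            problems.append(f"missing {name}")
    # RANDOM: reject anything containing the owner's own details
    # (surname + year of birth is exactly how qwertypop1965 was built).
    lowered = password.lower()
    for field, value in (profile or {}).items():
        if len(value) >= 2 and value.lower() in lowered:
            problems.append(f"contains personal detail ({field})")
    return problems


def generate_password(length: int = 20) -> str:
    """Build a random password from the full alphabet using the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until all four character classes are present (usually first try).
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    print("qwertypop1965 ->", check_password("qwertypop1965", JOE_PROFILE))
    print("letmein       ->", check_password("letmein"))
    print("generated     ->", generate_password())
```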
What happened to Joe
Well, the story does not go very well for Joe. Joe didn’t learn his lesson and continued to use the same few passwords for multiple accounts, as he couldn’t find “the time” to change them and his password security was low on his list of priorities. The same thing happened to Joe again months later after his details were exposed via some adult sites he had signed up to. Joe’s wife found out about these sites and left Joe. Joe also lost all of the family savings after using the password “letmein” on his savings account, and because of Joe’s stupidity the bank just laughed at Joe when he asked if he was covered. Joe also lost his job at My Login Vault and was sacked by his manager (Mrs Qwerty), as they could not have someone making this mistake twice working for them.
It’s not a sad end, and a year later Joe won’t make the mistake a third time. Joe now has a unique password for every account he has and uses My Login Vault to store them. His wife has forgiven his stupidity and they are now happily together again, although a condition was that he had to sell his prized Aston Martin to replenish the savings that were lost. Joe has paid for not doing something about it the first time, but things are on the up again for Joe.
So what can I do?
DON’T BE LIKE JOE!
Stop reusing passwords and go through your accounts, changing the passwords to be unique and complex. Even if you just do the important ones to start with (your emails, your shopping accounts, PayPal, Amazon etc.), it is a start in protecting your accounts.