The end of 2010 hackers broke into the Gawker user database and downloaded its contents, including all the usernames and passwords. Gawker operates a larger number of on-line news services, including several I read regularly. I figured no big deal, the hackers know how to leave comments on those sites.
At that time I pretty much had a single password for anything I deemed "low security," which was pretty much anything that wasn't banking oriented. My banking passwords were much stronger and each one was unique. But for email, Facebook, Twitter, etc. I used that single password.
Then I started getting emails from other businesses that had some involvement with Gawker indicating that because of the Gawker disclosure my account(s) on those businesses might be at risk.
Like me, most people tend to use the same, easy to remember password for most of their accounts. So having the username and password for Gawker gave the hackers a much higher chance they could use those same credentials to log into a more interesting account, like an on-line store that keeps your credit card information on file (like Amazon). From there they could add a new shipping address and go town. Unless your credit card fraud department gets suspicious, you might not find out for 30 days. And it is a major hassle to dispute fraudulent charges.
Even worse, if you use the same credentials to log into your email account, the hackers can go to your bank, or other high value site, and do a lost password request. Since almost all those go to your primary email account, if they can log into that, they can pretend to be you and access almost any website or on-line account you have.
Even worse, most people's default passwords are really lame. Here's a list of the top 20 passwords being used:
- 123456 - 12345 - 123456789 - password
- ilove you - princess - rockyou - 1234567
- 12345678 - abc123 - Nicole - Daniel
- babygirl - monkey - Jessica - lovely
- Michael - Ashley - 654321 - qwerty
Those are the passwords hackers always try, just in case. Please tell me you don't use any of those passwords.
Security people will tell you the best passwords are truly random, are as long as possible, and have a good mix of UPPER CASE, lower case, numbers and even punctuation. And they are virtually impossible for most people to remember.
There are some tricks to make a simple word more secure, like turning "i" into 1, "a" into 4, "e" into 3, "s" into5. That makes a word like "solitaire" into something like "50l1t41r3", which is both memorable and hard to guess.
Being a bear with little brain, I decided it was time to go back to a password generator/remember program. I had used KeePass back in the days when you loaded it as a DOS terminate and stay resident program. It worked, I just got away from it.
I'm currently using LastPass, https://lastpass.com/. I started using it in my Chrome browser to make it easier to keep track of the many websites I have accounts on. I have since moved to the Windows program version, just to allow my desktop computer to keep a local copy of my passwords, just in case LastPass ever gets acquired or goes out of business. That is becoming more important as I become ever more dependent on it remembering bunches and bunches of passwords.
I also like that it can automatically fill out many web forms with my basic information (except when the web developer was too lazy to properly name the input fields, many of those sites I decide aren't as interesting as I originally thought).
And the price is right. I have been using the free version and don't feel constrained. I might have to upgrade to the paid version so I can get support for my iPad and Android phone, but I have been holding off on that.
Also you should periodically change your passwords, especially for your high value accounts like banking, email, etc. I like the fact that when I just logged onto my bank's on-line system it told me it had been 6 months since I changed my password and required me to change it.
Bottom line is don't use the same password for all your accounts. Make your passwords more secure, using a trick like I gave you or using a random password stored in LastPass or similar program, and consider your email accounts as high value as any banking account you might have.
Now go change your passwords!!!!