I know, I know. You want to use secure passwords, but you’re afraid you won’t remember them. The ones you remember are the easy ones, so that’s what you use whenever you have to create an account. Unfortunately, those are also the easiest ones to guess.
I feel your pain! I use lots of online accounts, and my memory isn’t perfect, so I know exactly what you are talking about.
However… I have the solution for you. I am going to cover this subject in two different blog posts – one today, and one in a week.
Today’s post: Why it’s a problem to use the same password at all sites. Next week: The solution to the problem.
If you use the same password for most of your online accounts, you are not alone. A lot of people do it. That’s what the scammers and hackers are counting on. It’s what makes their job easy.
To illustrate this, I want to relate a story of something that happened to one of my clients recently. I’ll call him Steve.
One day a couple of months ago, Steve logged into his email account, and noticed an email from the manager of his local bank (we’ll call him Joe). Steve thought it was a different “Joe” and didn’t pay much attention to it.
Later that same day, he saw a second email from Joe. This time it clicked with him who it was. The two emails were to confirm a money transfer of $3000. At the same time, Steve checked his bank accounts and saw an unusual transfer, but it was not for $3000. This transfer was in the amount of $12,000 plus change.
Steve called the bank’s main office, and had them start investigating the $12,000 transfer.
Then he called Joe, the branch manager. Steve asked Joe about the emails, and Joe said he was just responding to Steve’s email – about the unexpected death in Steve’s family, and Steve’s request for the money transfers. This is when everyone woke up to the fact that there was a scam being perpetrated here. Joe started his own investigation.
Since I often blog about security issues related to computers, Steve called me. He explained the whole story. I confirmed with him that he was still able to log into his email account – that meant that the scammer wasn’t smart enough to change the password (yet). In these cases, the first thing the email account owner should do is change the password – this locks out the scammer so that no further damage can be done.
Shortly after that, the scammer apparently thought of this, and he changed the password. Now Steve couldn’t get into his email account. He called me later and fortunately we were able to gain control of his email again.
In the meantime – and this is really the thing that surprised me the most – Steve’s bank had done two transfers of money out of his account. These transfers totaled over $15,000, and it was all done on the basis of a phony email. Clearly Joe, the bank manager, should have followed better procedures than to perform such a transaction just on receipt of an email. Since the bank was at fault, they restored the money to Steve’s account.
So how does this happen?
Steve admitted that he had been using the same password in many different online accounts – his bank, Paypal, eBay, and others. That means that once one of those accounts is compromised, they are all in danger of being compromised.
Here’s an example:
Let’s say I have a Gmail account. My user name is ScottJohnson@gmail.com. For my password, I choose computer99 (a weak password, by the way – but that’s a separate issue). I also have an eBay account, a Paypal account, and a LinkedIn account – and they all use that same password.
Then one day, the computer security at LinkedIn is compromised, and millions of user names and passwords are released to Russian hackers (this actually happened). Since the hackers now have your LinkedIn account, they know your password and your email address. Guess how difficult it is for them to go to Gmail.com and log in to your email account. Your email password gets changed so that you can no longer access your email.
Then they go to Paypal. To log in, again all they need is your email address (which they have) and your trusty all-purpose password (which they have). So they log in, and change the password on your Paypal account. Paypal won’t change the password on any account without email confirmation – but since the hackers already have control of your email, they can pose as you and click the link in the Paypal email to confirm the change of password.
Then they go on eBay and the fun really begins. They start buying things, using your eBay account. Then they pay for the items using your Paypal account. They have the seller ship the items to a different address. It’s common for them to use the address of a house that has been foreclosed on and is empty. Using the UPS or FedEx tracking number, they know the day of the delivery, and they just hang out near the house watching for the package to arrive. When it shows up, they pick it up and disappear.
Are you starting to see how this could become a huge nightmare?
And all because you thought using the same password everywhere was easier.
I hope by now you are getting the picture that it is important to use a different password every time you set up an account, and every one of those passwords needs to be strong. And by “strong”, I mean it needs to be at least 12 characters long, containing a mix of numbers, upper and lower case letters, and a random character or two (like $ or #). And it cannot be a proper name or a word found in the dictionary.
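To make the two points above concrete – the reuse problem from the LinkedIn/Gmail/Paypal/eBay story and the strength rules just listed – here is a small audit script. It is an added example, not code from this post or from any password manager; the tiny word list and the sample list of sites and passwords are constructed for the demonstration, and a real check would use a full dictionary.

```python
import re
from collections import defaultdict

# Strength rules as stated in the post: at least 12 characters, containing
# digits, upper- and lower-case letters and a special character, and not a
# dictionary word or proper name. The word list is a constructed stand-in.
MIN_LENGTH = 12
DICTIONARY = {"computer", "password", "welcome", "summer", "scott", "johnson"}


def strength_problems(password):
    """Return the list of rules from the post that this password fails."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # Strip digits and symbols so "computer99" is still recognised as a word.
    core = re.sub(r"[^A-Za-z]", "", password).lower()
    if core in DICTIONARY:
        problems.append("dictionary word or proper name")
    return problems


def audit(credentials):
    """credentials: list of (site, password). Returns {site: [issues]}.

    A password shared by several sites is flagged at every one of them,
    which is exactly the exposure the post describes: one breach, all
    accounts at risk.
    """
    by_password = defaultdict(list)
    for site, pw in credentials:
        by_password[pw].append(site)
    findings = {}
    for site, pw in credentials:
        issues = strength_problems(pw)
        others = [s for s in by_password[pw] if s != site]
        if others:
            issues.append("reused at " + ", ".join(others))
        findings[site] = issues
    return findings


# Constructed sample mirroring the post's scenario: one weak password
# everywhere except the bank.
SAMPLE = [
    ("gmail", "computer99"),
    ("ebay", "computer99"),
    ("paypal", "computer99"),
    ("linkedin", "computer99"),
    ("bank", "gT7#pLm2!qWx9v"),
]

if __name__ == "__main__":
    for site, issues in audit(SAMPLE).items():
        print(f"{site}: {'; '.join(issues) if issues else 'OK'}")
```

Run against the sample, every account using computer99 is reported as too short, missing upper-case and special characters, a dictionary word, and reused at the three other sites, while the bank entry comes back clean. This is the same check a password manager performs when it warns about reused or weak entries.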
I know you’re thinking, “I can’t do that! I’ll never be able to remember them or keep them all straight!”. I have an answer for that, and trust me, it’s brilliant. And free. I will tell you the whole solution in next week’s blog, but I’ll just say this: recently I switched to a new computer. I had hundreds of passwords for various online accounts stored in Firefox and Internet Explorer. I didn’t even have to know what they are – they just moved from one computer to the other, and I can log in to all my sites just like I always have.
You don’t have to come up with the passwords, and you don’t have to remember them. You’re gonna love this.