I’ve come across a lot of people, both family and customers, who use easy passwords and reuse the same one across many sites.
Here are the practical, real-world consequences of your password being compromised:
- People will impersonate you. They will get into your email or social media accounts and pretend to be you, asking your friends for money with some heart-rending sob story. They can threaten to expose your online activity to every contact in your list, and even if you’re an angel online, they can fabricate things that would be embarrassing at best and, at worst, harmful to your life in unimaginable ways.
- Attackers will get into your website and plant malware that attacks your customers, steal your PayPal or bank logins, and break your website.
- Thieves can get into your bank account and ruin your life.
- Criminals can gain control of your computer, hijack your access and/or lock your files and demand a ransom. This has happened to hospitals and government agencies, and each time the entire organization came to a grinding halt. Lives were jeopardized and lost.
Undoing any of the above would cost a great deal of time, money and stress, if it could be undone at all.
How to protect yourself:
- Use a password manager like Bitwarden. Let Bitwarden generate long random passwords (24 characters or more), which are effectively impossible to brute-force. If you don’t want to, or don’t understand, there is a great password-creating technique I’ll explain below.
- Use 2FA. For accounts with sensitive info, enable two-factor authentication (2FA). When you log in from a new device you enter a code from your phone or an authenticator app on top of your password, so a stolen password alone is not enough to get in. An authenticator app or a hardware security key is stronger than a code sent by text message, which can be intercepted or phished, but any 2FA is far better than none.
- If you write down your passwords, hide that notebook. If you keep a list of passwords on your phone, lock it in a vault app with a completely different password from your phone’s unlock code, in case your phone is lost or stolen.
- Never share passwords with anyone, and if you must for a specific project, change the password as soon as the project is over.
- Don’t use the same password on many sites. Use one unique password per site.
- Never log in to a website from a link in an email. For example, if you get an email from your bank that says “your account is compromised, click here to fix it”, DON’T CLICK THAT LINK! Instead, call your bank at the number printed on your statement, or, if you want to check online, open a new tab, type your bank’s address into the URL bar yourself, and see whether the claim is legitimate. Most of the time it isn’t. The link in the email will be just slightly wrong so you don’t notice, and it leads to a fake site that captures the username and password for your real bank. For example, the real address for Chase is “chase.com”, but the fake one might be “chasebank.com”. Or “paypaI.com” instead of “paypal.com”: what you can’t see there is that the first one uses a capital I in place of the l in paypal (domain names are case-insensitive, so the fake is really registered as paypai.com, but in the body of an email a capital I looks like an l in many fonts). It’s easy to miss the difference while you’re panicking over the scary email.
- Don’t buy things from ads that seem too good to be true. (This doesn’t fall under the purview of password protection, but as long as we’re here...) Ads you see on Facebook Marketplace for cars, rental homes, and even sponsored retail outlets can be scams. My parents have fallen prey to a lot of this on Facebook, especially when the ad shows a photo of Dr. Oz or Oprah. The best rule of thumb is: if you’ve been in the physical store, it’s real, like kohls.com, starbucks.com, azhg.com, and amazon.com (but still type the address yourself rather than clicking the ad).
Passwords feedback:
- Botnets are usually composed of hacked computers/routers/security cameras/etc.
- I’d emphasize that data in a breached online account isn’t safe. If you find value in your account, that value isn’t safe if the account isn’t secure.
- “Don’t reuse passwords” is the first piece of advice I give people who want to improve their security, beyond your basic “don’t trust everything the internet says”. It’s a very common attack vector. The way it works is, they want something like your bank account, your bank is pretty good at security, so instead they hack some random website you signed up for eight years ago and which sucks at security, then use the creds they got there to get into your bank account.
- Password managers can do 2FA for you. It’s maybe 90% as secure for 5% of the inconvenience, and the big problem with true 2FA is it’s so annoying people don’t bother with it, or only bother with it on their most sensitive accounts.
- Password managers help with “Don’t click that link” / phishing in general by only offering/autofilling your login on the correct domain(s).
- If your website is hacked and used to distribute malware, it gets a reputation for distributing malware, getting you blocked from things like search, social media, even browsers. It’s hard and slow to fix. A similar thing happens with email reputation.
- I’d add 1Password and KeePass to the list of recommended password managers. There are a million password managers and most are mediocre and some downright insecure, so it’d be nice to give people enough options they less often go off-list.
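As an added example that is not part of the post or the feedback above, here is a small Python model of the three things a password manager does for the points raised: it autofills only on an exact registrable-domain match (so the paypaI.com and chasebank.com lookalikes from the phishing section get nothing), it can warn that a page imitates a domain in the vault, and it can audit the vault for the reused passwords that make credential stuffing work. It also generates a 24-character password and computes its search space. The vault entries, confusable-character table and lookalike heuristics are constructed for this example; the two-label domain rule stands in for the Public Suffix List that real managers use.

```python
import math
import secrets
import string
import unicodedata
from collections import defaultdict
from urllib.parse import urlsplit

# Characters lookalike domains swap in for the real one (constructed table, not exhaustive).
# Domain names are case-insensitive, so "paypaI.com" is registered as "paypai.com"; the
# capital I only fools the eye in an email. After lowercasing, i/l/1 collapse to one
# skeleton character, as do o/0, s/5 and b/8.
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o", "5": "s", "8": "b"})

# A password manager vault (constructed sample data; the reused password is deliberate).
VAULT = [
    {"site": "https://www.paypal.com/signin", "user": "pat@example.com", "password": "k9#Vq2mL!xR7pTw4@ZcN8bJ1"},
    {"site": "https://secure.chase.com/web/auth", "user": "pat", "password": "Summer2016!"},
    {"site": "http://oldforum.example/login.php", "user": "pat", "password": "Summer2016!"},
    {"site": "https://www.amazon.com/ap/signin", "user": "pat@example.com", "password": "Gh5%wQ1nE8*rT3yU6&iO9pL2"},
]

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def registrable_domain(url: str) -> str:
    """Host of the URL, lowercased and Unicode-normalised, reduced to its last two labels.
    Simplification: real managers consult the Public Suffix List so that "co.uk" counts
    as a suffix; two labels are enough for the .com examples on this page."""
    host = urlsplit(url).hostname or ""
    host = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return ".".join(host.split(".")[-2:])


def skeleton(domain: str) -> str:
    """Collapse confusable characters so paypal.com and paypai.com compare equal."""
    return domain.translate(CONFUSABLES)


def autofill_candidates(vault: list, url: str) -> list:
    """Entries the manager may offer on this page: exact registrable-domain match only.
    A lookalike gets nothing, so the credential never leaves the vault on the wrong site."""
    target = registrable_domain(url)
    return [e for e in vault if registrable_domain(e["site"]) == target]


def lookalike_warning(vault: list, url: str) -> list:
    """Vault domains this page imitates without matching exactly. Two heuristics:
    same confusable skeleton (paypaI.com vs paypal.com) or the vault's brand label
    with extra text appended (chasebank.com vs chase.com)."""
    target = registrable_domain(url)
    target_label = target.split(".")[0]
    hits = set()
    for entry in vault:
        known = registrable_domain(entry["site"])
        if known == target:
            continue
        known_label = known.split(".")[0]
        brand_with_suffix = target_label.startswith(known_label) and target_label != known_label
        if skeleton(known) == skeleton(target) or brand_with_suffix:
            hits.add(known)
    return sorted(hits)


def find_reused_passwords(vault: list) -> dict:
    """Passwords that appear on more than one site: the credential-stuffing exposure."""
    by_password = defaultdict(set)
    for entry in vault:
        by_password[entry["password"]].add(registrable_domain(entry["site"]))
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length: int = 24) -> str:
    """Uniformly random password from the OS CSPRNG, the way a manager generates one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = 24, alphabet: str = ALPHABET) -> float:
    """Search space of a uniformly random password in bits: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    for url in ("https://www.paypal.com/signin", "https://paypaI.com/login", "https://chasebank.com/"):
        print(url, "->", [e["user"] for e in autofill_candidates(VAULT, url)], lookalike_warning(VAULT, url))
    print("reused:", find_reused_passwords(VAULT))
    print("generated:", generate_password(), f"({entropy_bits():.0f} bits)")
```

The exact-match rule is the whole of the phishing protection the feedback describes: nothing in the lookalike check is needed for safety, it only explains to the user why the manager stayed silent. The reuse audit is the automated form of the “some random website you signed up for eight years ago” story, and the entropy figure (about 157 bits for 24 characters from 94 symbols) is what “nearly impossible to brute-force” means in numbers.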