A few years ago, I woke up to see that I had over 2,000 unread emails In my inbox. This many new emails was incredibly alarming to me and I instantly knew something was very wrong.
It appeared as though someone or someone’s script signed my email address up for thousands of newsletters and mailing lists. At first, I wasn’t sure why they would have done this, but then I saw an email from a retailer that I purchased an item from in the past. It was my receipt for my purchase of 5 gallons of apple cider vinegar and some other random bulk items that were to be shipped to an address in another state.
The people who signed me up for mailing lists were using all the emails as a smoke screen for what they were actually trying to do. They were using my email addresses and compromised passwords to log in to numerous websites in an attempt to see which account worked.
Luckily I found this email fast and promptly changed all of my passwords to a new complex and secure password.
After working through the panic and changing all of my passwords and enabling MFA/TFA on any accounts where it was available, I remember receiving a password reset email for one of my accounts. It should have sounded the alarm for me, but it didn’t.
To check if your email address has been involved in a security breach, go to https://www.haveibeenpwned.com. Type in your email address and it will show you any breaches that included your email address.
Using a password manager does absolutely nothing if you aren’t using unique and secure passwords. Mitch Craver
The goal is for the password manager to remember your passwords. My take on this is if you can remember your password, it’s not strong enough. Let the password manager do its job.
Your password manager generally has a checker built-in that looks for duplicate passwords. Passwords need to be unique for every website where you have a login. Refer to #1 above.
Most modern password managers have a built in password generator that allows you to adjust the length and different characters it will use.
When changing your password, if the website doesn’t give you a length limit, push the number of characters in the password generator to 16+ characters and make sure it uses letters, numbers, and special characters.
If the website limits you to a certain number of characters, use the max character count as possible. Rohan at alearningaday.blog shared a shocking image from howsecureismypassword.net that shows you how long it would take to crack passwords. You can go directly to https://howsecureismypassword.net and type your password. It will instantly update to show you how long it would take a computer to crack your password.
Clifford Stoll has a quote attributed to him that is very fitting:
Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.
Passwords are only as secure as you make them, and websites that do not enforce strong password behavior, it only perpetuates the problem. If you are using the same password for every website you visit, you could be opening yourself up to a world of hurt, especially if it is an easy password to crack.
To better protect yourself: use a password manager (like 1Password), Never reuse passwords for websites, make your passwords as strong as possible, and change your passwords every 6 months.
Also, it’s a great idea to monitor your email addresses on websites like haveibeenpwned.com. If your email address shows up in a new breach, it’s time to change your passwords.