This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in the comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:

  1. I use secure passwords for important stuff, but I use one common password for everything else
  2. I write my passwords in a notebook, using a special code that only I am privy to.
  3. I don’t use a computer or a smartphone to do financial stuff
  4. I am too smart and/or savvy to get sucked into a phishing/spoofing scheme. I never click on or answer anything that looks odd. Instead, I call the number on the back of my credit card.
  5. I am a small fish. No one is going to waste time with me when there are so many businesses out there to rip off, and they are the big payday.

Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: the black hat only needs to get into one of your “unimportant” accounts to obtain a password that opens many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to get into its network. From there the attackers reached the point of sale systems and made off with tens of millions of customer payment card numbers and email addresses. A vendor’s login, which probably looked unimportant to whoever owned it, turned out to be the key to the whole thing. The breach cost Home Depot nearly $180 million.

Put a few breaches like that together and the black hats have your name, address, telephone number, zip code, the name of your bank or credit card company, a card number, and a user name and password from at least one site. They load those logins into a credential stuffing tool that replays them against hundreds of other sites, and every account where you reused that password is now theirs. In fact, stolen credentials are often the most valuable thing taken in a data breach. Do you want to see if your credentials are being distributed on the Internet? A breach lookup service such as Have I Been Pwned will tell you. The email address that I use for day to day business has turned up in 8 different data breaches. This information is very useful in spear phishing attacks.
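Credential stuffing leaves a recognizable fingerprint on the defending side: one source replays a leaked list of email/password pairs, so a single IP tries many different user names in a short window and most attempts fail, with the occasional success marking an account whose owner reused a breached password. The script below is an added example, not something from the original post. It parses a constructed login audit log (the line format and the addresses are made up for this illustration) and flags sources that match that pattern, listing the accounts that did accept a replayed credential so they can be force-reset.

```python
"""Spot credential-stuffing runs in a web login log.

Added example (not part of the original post).  The log format below is
constructed for this illustration; adapt LINE_RE to your own server's
login audit log.
"""
import re
from collections import defaultdict

# Constructed sample log: one attacker IP replaying leaked email/password
# pairs against many accounts, plus a legitimate user who mistypes once.
SAMPLE_LOG = """\
2023-01-12T08:01:02Z login src=203.0.113.7 user=alice@example.com result=FAIL
2023-01-12T08:01:03Z login src=203.0.113.7 user=bob@example.com result=FAIL
2023-01-12T08:01:03Z login src=203.0.113.7 user=carol@example.com result=OK
2023-01-12T08:01:04Z login src=203.0.113.7 user=dave@example.com result=FAIL
2023-01-12T08:01:05Z login src=203.0.113.7 user=erin@example.com result=FAIL
2023-01-12T08:01:05Z login src=203.0.113.7 user=frank@example.com result=FAIL
2023-01-12T08:03:10Z login src=198.51.100.4 user=gina@example.com result=FAIL
2023-01-12T08:03:20Z login src=198.51.100.4 user=gina@example.com result=OK
"""

LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")


def parse(log_text):
    """Yield (source_ip, username, succeeded) for every parseable line."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("user"), m.group("result") == "OK"


def find_stuffing(log_text, min_users=5, max_success_rate=0.5):
    """Return {src_ip: stats} for sources that look like credential stuffing:
    many distinct user names, mostly failing.  A stuffing run still gets
    *some* successes; those are the reused passwords, and the accounts
    that need a forced reset."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "ok": 0, "compromised": set()})
    for src, user, ok in parse(log_text):
        s = per_ip[src]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["ok"] += 1
            s["compromised"].add(user)

    flagged = {}
    for src, s in per_ip.items():
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_users and rate <= max_success_rate:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "success_rate": rate,
                "compromised": sorted(s["compromised"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

Grouping by source IP is the simplest cut and is enough for the sample; a real stuffing operation rotates through proxies, so in production you would also bucket by time window, user agent and ASN, and feed the "compromised" list straight into a forced password reset and a notification to the account owner.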

Computer assistance makes breaching systems easier, cheaper, and faster than ever before. The black hats use GPUs and fast PCIe SSDs to test enormous numbers of password guesses per second against a stolen hash list, the same kind of hashing work that Bitcoin mining does, and far more lucrative. That lets your life be attacked for easy profit. A password you invented using some code that you think is clever is easily cracked by a black hat with a computer, because the “clever” tricks people reach for (capitalize the first letter, swap letters for look-alike symbols, tack on a year or an exclamation point) are exactly the mangling rules that cracking tools try first.
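To make that concrete, here is an added example (mine, not the post's) of a rule-based attack of the kind hashcat runs from a rules file, written in plain Python so it runs anywhere. The "leaked" hash list is constructed for the demo using unsalted SHA-256; a site should be using a slow salted hash such as bcrypt or Argon2, which makes each guess cost more but does not rescue a password that sits one or two rules away from a dictionary word. The second function computes, for comparison, how long exhausting a random 20-character password would take at a hypothetical 800 million guesses per second.

```python
"""Why a home-grown 'clever' password scheme falls to a rule-based attack.

Added example, not from the original post.  Hashes are constructed here
with unsalted SHA-256 so the demo runs offline.
"""
import hashlib
import itertools
import string


def sha256_hex(s):
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed "leak": four passwords that each look clever but are a
# dictionary word plus one or two common twists.  Plaintexts, for the
# reader's verification: Summer2022!, P@ssw0rd1, fishing!23, Dr@gon2023
LEAKED_HASHES = {sha256_hex(p) for p in
                 ("Summer2022!", "P@ssw0rd1", "fishing!23", "Dr@gon2023")}

# A tiny base wordlist; real attacks use millions of words from past leaks.
WORDLIST = ["summer", "password", "fishing", "welcome", "dragon", "monkey"]
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
YEARS = [str(y) for y in range(1990, 2024)]
SUFFIXES = ([""] + list(string.digits) + ["!", "123", "!23", "!1"]
            + YEARS + [y + "!" for y in YEARS])


def case_variants(word):
    return [word, word.capitalize(), word.upper()]


def leet_variants(word):
    """Every subset of the substitution table, each applied to all occurrences."""
    out = []
    for n in range(len(LEET) + 1):
        for subset in itertools.combinations(LEET.items(), n):
            w = word
            for src, dst in subset:
                w = w.replace(src, dst)
            out.append(w)
    return list(dict.fromkeys(out))  # dedupe, keep order


def candidates():
    """Generate word x case x leet x suffix, skipping duplicates."""
    seen = set()
    for word in WORDLIST:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = leeted + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def crack(hashes):
    """Return ({hash: plaintext} for every hash recovered, number of guesses)."""
    found, guesses = {}, 0
    remaining = set(hashes)
    for cand in candidates():
        guesses += 1
        h = sha256_hex(cand)
        if h in remaining:
            found[h] = cand
            remaining.discard(h)
            if not remaining:
                break
    return found, guesses


def years_to_exhaust(charset_size, length, guesses_per_second):
    """Worst-case time to try every string of the given length and alphabet."""
    seconds = charset_size ** length / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    found, guesses = crack(LEAKED_HASHES)
    print(f"recovered {len(found)}/{len(LEAKED_HASHES)} in {guesses} guesses:",
          sorted(found.values()))
    # Random 20-character password from the 94 printable ASCII characters,
    # at a hypothetical 800 million guesses per second:
    print(f"random 20-char: {years_to_exhaust(94, 20, 8e8):.2e} years")
```

The whole rule space here is under fifty thousand candidates, which a GPU cracker clears in a fraction of a second even against a slow hash, while a 20-character password drawn at random by a password manager takes on the order of 10^23 years at the same guess rate. The difference is not cleverness; it is that the random password has no structure for a rule to exploit.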

Even if you don’t use a computer or a phone, you are still vulnerable to social engineering scams that draw on the information from large data breaches like Home Depot’s. The attacker contacts the victim posing as a representative of some institution and tries to extract as much personal information as possible. Posing as a bank or Google agent, he or she may get the password or credit card number outright. Unlike other techniques, social engineering can happen offline, by phone call or even by meeting the victim in person. 22% of all cyber crime is the result of social engineering.

Think you are too small of a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from a list obtained from a previous company data breach, and can empty your bank accounts with less than a week’s work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?

Watch the show “To catch a thief.” People on that show always think that they are clever because they hide their valuables, but the thief always manages to find the hiding spots, because a thief doesn’t search the way a homeowner does. Electronic information and its security work the same way.

No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You may think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.

Or continue to play the odds. Just remember the statistics:

  • the top 6 hackers in the US made more than $6 million in 2022 by stealing from individuals
  • 600,000 people a year report that they are the victims of cybercrime.
  • 70% of data breaches are on site breaches, not breaches of cloud assets
  • The top internet crime reported to the FBI in 2022 was phishing.
  • More than 80% of breaches that used hacking involved brute force or the use of lost or stolen credentials.
  • The most impersonated brand in phishing attacks is Outlook at 19%. In second place is Facebook at 17% while Office365 ranked third at 10%.
  • In 2020, the state with the most internet crime victims was California, with 69,541 victims and $621.5 million in losses as a result of internet crimes. Next is Florida with 53,793 victims, followed by Texas with 38,640 victims.

Here are some password security statistics:

  • Only 24% of US adults aged 16 to 50+ use a password manager.
  • 53% of users around the globe have not changed their password in the last 12 months despite hearing about data breaches
  • 42% consider an easy-to-remember password as more important than a very secure password.
  • In the same survey, 80% of people said that they would be concerned if their password were compromised. Yet 48% said that they would not change their password unless required to.
  • 42% of people think that their accounts aren’t worth a hacker’s time.

You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.


7 Comments

TechieDude · January 12, 2023 at 8:58 am

You’d be nuts these days to not use a password manager and have it generate your passwords. I like splashID, personally.

Not only do I use unique passwords for everything, I use unique logins for financial stuff, as well as having one email address for ‘important’ stuff – business, medical, etc. The rest I have a normal address.

And, for stuff I don’t care about, I have a burner address as well as a burner Google Voice number. That one I change every year or so. Keeps the spam to a minimum.

There was a tech journalist that got wiped out by a hacker, who did it for shits and giggles. He got the guy’s amazon account which gave him access to the last four digits of the card he used for apple, then called up apple for a pw reset using those creds.

Made apple change how they do security.

    Steve · January 12, 2023 at 2:15 pm

    “You’d be nuts these days to not use a password manager and have it generate your passwords.”

    That’s a little excessive. Schneier has gone over several ways of generating memorable passwords. The trick is, of course, merging a couple of the techniques together with your own twist. Sites are pretty good about telling you how well they salt the hash, and if you salt your standard strong PW string with your own site specific salt, particularly if you interleave that salt, that’s about as secure as you need to be until everyone and his dog has a quantum computer on his desk.

    Almost always cracking a PW is dictionary, social or because you use your browser to store PWs.

      Divemedic · January 12, 2023 at 6:27 pm

      There are multiple ways to generate secure passwords.
      There are multiple ways to store and fill in passwords.
      Using password managers still remains the best of them.

      Schneier himself recommends using random unmemorable alphanumeric passwords (with symbols, if the site will allow them), and a password manager to create and store them.
      In the same article, he says that, thanks to advances in technology, many older ways that were once secure are no longer useful. There are programs that can brute force try 8 million passwords per second. So let’s say that I generate a 20 character password using all four character types. If the hacker is running an 8 million password per second app on 100 simultaneous machines that are working in concert, it would take 8200 trillion years to try ten percent of the available password combinations, longer than the age of the universe.

        Steve · January 13, 2023 at 3:39 pm

        Schneier had a change of mind a few years back, somewhere around 2018, IIRC, after a vulnerability of one of the big password managers became known and there was a huge surge of identity theft on the dark web. Consolidating all your passwords in one place means that you only need to crack one password to have everything.

        The hardware dongle is the exception to that rule because dongles can’t be cycled through as fast as passwords.

          Divemedic · January 13, 2023 at 4:02 pm

          That isn’t exactly his position, but he does discuss it as being a risk. That is why you use a hardware key as MFA.
          As I discussed in previous posts, no system is 100% secure. A password wallet with a strong master password and MFA takes time to crack. Hopefully enough time that you can change your passwords, making the wallet obsolete.
          But hey, if people want to keep using pa$$w0rd123 because they are afraid of password wallets being breached, who am I to argue?

Steve · January 12, 2023 at 12:33 pm

“I use secure passwords for important stuff, but I use one common password for everything else”

Used to be this was not that horrible, so long as you define “everything else” as an account that has no personal information, especially account numbers.

But now that Google has pretty much complete records of all accounts that you access in each session, across sessions it has a pretty good picture, including anything you let slip on any of your forum accounts. And that picture is for sale.

Even if you are “that guy” who uses a different laptop for each account, and uses only public wifi spots, Google sees you.

it's just Boris · January 12, 2023 at 5:52 pm

For those who still believe #5 provides protection: Moore’s Law, plus greater availability of cracking tools, keeps dropping the “worth the bad guy’s time” threshold.

Also, consider what would happen if your account wasn’t worth time cracking, but it happens anyway. Think a hacker will say “Eh, phooey” and move on? Or will they instead use it to practice how to best extract your savings before they need to do it “for real” on a high-value account?
