This is yet another installment of the passwords series that I have been working on. I recently asked some of the people in the comments how they secure their passwords. I got a few variations of “I don’t use technology” as an answer. They fell into the following general categories, with most people falling into more than one of them:
- I use secure passwords for important stuff, but I use one common password for everything else
- I write my passwords in a notebook, using a special code that only I am privy to.
- I don’t use a computer or a smartphone to do financial stuff
- I am too smart and/or savvy to get sucked into a phishing/spoofing scheme. I never click on or answer anything that looks odd. Instead, I call the number on the back of my credit card.
- I am a small fish. No one is going to waste time with me when there are so many businesses out there to rip off, and they are the big payday.
Let’s talk about them one at a time. The first one: “I use secure passwords for important stuff, but I use one common password for everything else.” This is a trap that I myself fell into at one point. Here is the basic pitfall: all the black hat needs is access to one of your “unimportant” accounts to get into so many others. Back in 2014, Home Depot was compromised when credentials stolen from one of the retailer’s vendors were used to access their computer system. The files of their customer database were stolen. It was a gold mine, containing point of sale records, credit card numbers, names, addresses, login information, and passwords. The breach cost Home Depot nearly $180 million.
Now the black hats have your name, address, telephone number, zip code, the name of your credit card company or bank, credit card number, user name, and password. They enter your login name and password into the computer database that they are using to crack other accounts, and they can now gain access to your other accounts. In fact, stolen credentials are often the most valuable things stolen during a data breach. Do you want to see if your credentials are being distributed on the Internet? Click here. The email that I use for day to day business has been compromised in 8 different data breaches. This information is very useful in spear phishing attacks like this one.
The use of computer assistance in breaching systems makes it easier, cheaper, and faster than ever before. The black hats are using GPUs and PCIe SSDs to attack large numbers of passwords in a short period of time, in a method that is very similar to, and much more lucrative than, Bitcoin mining. This makes attacking you an easy profit. A password you invent using some code that you think is clever is easily cracked by a black hat with a computer.
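To show why a home-made “clever code” does not survive a GPU, here is an added example (not from the original post) in the style of a password-strength check: it undoes the decorations that rule-based cracking tries first (leet swaps, capitalization, a trailing year or symbol) and estimates how many guesses an attacker needs. The word list, the dictionary size, the rule counts and the guess rate are all assumptions chosen for illustration.

```python
import re
from typing import Optional

# Constructed mini word list standing in for the 100k+ word lists a cracker actually uses.
WORDS = {"password", "dragon", "sunshine", "welcome", "monkey", "football"}
DICT_SIZE = 100_000   # assumed size of a realistic attacker word list
GPU_RATE = 1e10       # assumed guesses/second of one GPU rig against a fast unsalted hash
# Decorations the rule set enumerates: leet on/off, capitalization, trailing symbol (8 combos),
# times an optional 1-4 digit suffix (1 + 10 + 100 + 1000 + 10000 = 11,111 choices). Assumed.
VARIANTS = 8
SUFFIXES = 11_111

# Character swaps that rule-based cracking tries as a matter of course.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s"})


def base_word(password: str) -> Optional[str]:
    """Undo the usual 'clever' decorations and return the dictionary word underneath,
    or None when no such word is found (the password is not a simple mutation)."""
    core = password.lower()
    core = re.sub(r"[^a-z0-9]+$", "", core)   # drop trailing symbols such as ! or #
    core = re.sub(r"\d{1,4}$", "", core)      # drop trailing digits or a year
    core = core.translate(LEET)               # undo leet substitutions
    return core if core in WORDS else None


def guesses_needed(password: str) -> float:
    """Upper bound on guesses a rule-based attack needs. A decorated word falls within
    DICT_SIZE * VARIANTS * SUFFIXES guesses; anything else is charged the full
    printable-ASCII brute-force space for its length."""
    if base_word(password) is not None:
        return float(DICT_SIZE * VARIANTS * SUFFIXES)
    return float(95 ** len(password))


def crack_time_seconds(password: str) -> float:
    """Seconds for the assumed rig to exhaust the guess space for this password."""
    return guesses_needed(password) / GPU_RATE


if __name__ == "__main__":
    for pw in ("P@55w0rd2019", "Drag0n!", "xK9#qL2$vB7m"):
        print(f"{pw:16} base={base_word(pw)!s:10} crack_time={crack_time_seconds(pw):.3g}s")
```

Under these assumptions the two “clever” passwords fall in under a second, while the random 12-character one takes on the order of 10^13 seconds; the lesson is that a scheme other people can guess is not a secret, no matter how personal it feels.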
Even in the event that you don’t use a computer or a phone, you are still vulnerable to social engineering scams that use the information from large data breaches like the Home Depot breach. The attacker contacts the victim disguised as a representative of some institution, trying to get as much personal info as possible. There’s also a chance that by posing as a bank or Google agent, he or she might get the password or credit card info right away. Unlike other techniques, social engineering can happen offline, by calling or even personally meeting the victim. 22% of all cyber crime is the result of social engineering.
Think you are too small a fish to be a target? Think again. Targeting individuals is fast becoming the trend. A black hat can set up a computer to target you, having selected you from the list obtained from a previous company data breach, and can empty your bank accounts with less than a week’s work. What’s in your bank account? Twenty grand? More? Would a thief find that amount to be fair in exchange for a week’s effort?
Watch the show “To Catch a Thief.” People on that show always think that they are clever because they hide valuables, but the thief on the show always manages to find the hiding spots, because a thief doesn’t search the way a homeowner does. Electronic information and its security work the same way.
No matter how you decide to do it, take the time to secure your accounts and your information using the best practices we have discussed here. You may think you are clever and have invented a system that no one else has ever thought of, but you are probably wrong.
Or continue to play the odds. Just remember the statistics:
- the top 6 hackers in the US made more than $6 million in 2022 by stealing from individuals
- 600,000 people a year report that they are the victims of cybercrime.
- 70% of data breaches are on-site breaches, not breaches of cloud assets
- The top internet crime reported to the FBI in 2022 was phishing.
- More than 80% of breaches that used hacking involved brute force or the use of lost or stolen credentials.
- The most impersonated brand in phishing attacks is Outlook at 19%. In second place is Facebook at 17% while Office365 ranked third at 10%.
- In 2020, the state with the largest number of internet crime victims was California, with 69,541 victims and $621.5 million in losses as a result of internet crimes. Next is Florida with 53,793 victims, followed by Texas with 38,640 victims.
Here are some password security statistics:
- Only 24% of US adults aged 16 to 50+ use a password manager.
- 53% of users around the globe have not changed their password in the last 12 months despite hearing about data breaches
- 42% consider an easy-to-remember password as more important than a very secure password.
- In the same survey, 80% of people said that they will be concerned when their password is compromised. Yet, 48% said that they will not change their password if it’s not required.
- 42% of people think that their accounts aren’t worth a hacker’s time.
You carry a gun to secure yourself from armed robbers, yet you are 200 times more likely to be the victim of internet crime. Think about that for a minute.