Password reuse is the bane of security online. But who can blame you? We have so many accounts with passwords to remember. According to Dashlane, each email address in the United States has an average of 130 accounts associated with it. Just think of all those one-time-use online retailers you registered with just in case, or to get a discount. This would normally be the time that I talk about the merits of password managers. That’s not the subject of this article.
For this article we’re going to presume that a large quantity of people will continue to choose convenience over security. While that may not describe you personally, it definitely describes someone you know. A friend. A family member. A colleague. Probably all of the above. For those individuals, if you’re going to continue to reuse your passwords at least change the password for your personal email.
You’ve undoubtedly had at least one password compromised in one of the countless data breaches, such as Comcast, Adobe, Tumblr, CafeMom and LinkedIn! Doubt it? You can check your password of choice against the “517,238,891 real world passwords previously exposed in data breaches” on Have I Been Pwned. (Apparently, an old password I used in college has been seen 109 times before.)
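How a check like that can be done without handing your password to anyone, as an added example that is not code from the original post: the real Pwned Passwords service exposes a range endpoint that takes only the first five hex characters of the password’s SHA-1 and returns every known hash suffix sharing that prefix, each with a breach count, so the matching happens on your side. The code below implements that client-side logic; `FAKE_RANGE_RESPONSES` and `fetch_range` are constructed stand-ins for the HTTPS call so it runs offline, and every count in the table is made up.

```python
from __future__ import annotations

import hashlib

# Constructed stand-in for the Pwned Passwords range endpoint
# (https://api.pwnedpasswords.com/range/<5-hex-char prefix>). The real service
# answers with one "<35-hex-char suffix>:<count>" line per known hash sharing
# that prefix. Only the first suffix here is real (it is SHA-1("password") with
# its prefix removed); the other rows and every count are constructed.
FAKE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
        "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    ),
}


def split_sha1(password: str) -> tuple[str, str]:
    """Hash with SHA-1 (the scheme the service uses) and split the uppercase
    hex digest into the 5-char prefix that is sent and the 35-char suffix
    that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Constructed transport: a real client would issue an HTTPS GET for the
    prefix; this one reads the table above so the example runs offline."""
    return FAKE_RANGE_RESPONSES.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus
    (0 if its suffix is absent from the range returned for its prefix)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "speak fiber sample klerk"):
        seen = pwned_count(candidate)
        verdict = f"seen {seen} times, do not use" if seen else "not in the sample data"
        print(f"{candidate!r}: {verdict}")
```

The design point is the prefix split: sending five hex characters narrows the search to roughly one in a million of the corpus, which is enough for the server to answer but not enough for it to learn which password was asked about.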
Why should you change your personal email password, even if you keep reusing your password of choice on every other account? Your personal email account is the key to the castle. If a bad guy manages to pwn (or own) your personal email, they can get everything else. Here’s a simplified version of the bad guys’ playbook.
- Step 1: Change your email password to lock you out.
- Step 2: Determine in your email where your online accounts are located (like your bank account).
- Step 3: Go to “Forgot my password” to request a password change for any account for which they don’t already have the password. After all, that just sends a link to your personal email account, which they already own.
- Step 4: Use your email address to potentially thwart two-factor authentication that emails you a one-time use password.
- Step 5: Check for an online account with your cell phone provider. If bad guys can own your email AND your cell phone, there’s little limit to the damage they can do.
While I’m not recommending that people continue to reuse passwords, if you’re going to do so, at least change your personal email address password. Remember, when it comes to passwords, length matters more than complexity (somewhat counter-intuitively). For your new email password, consider using a service such as Use a Passphrase to generate passphrases, which are longer (thus more secure) but easier to remember. For example, according to the site, the passphrase speak fiber sample klerk would take approximately 6,017,039,658 centuries to crack by brute force.
(For any technical readers wondering how this could be: while dictionary attacks can use many variants of a word in that dictionary, they don’t have a good way to append words together. So password crackers have to resort to brute force attacks instead when attempting to crack passphrases.)
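To put numbers on “length matters more than complexity” and on the brute-force point above, here is an added example that is not from the original post or from the Use a Passphrase site. It estimates the search space an attacker must cover for the page’s passphrase, for a constructed 8-character “complex” password (`Xk9#mQ2v`), and, going one step beyond the page, for the case where the attacker does know the word list and guesses whole words. The guess rate of 10^10 per second and the 20,000-word list are assumptions, so the century figures it prints will not match the site’s 6,017,039,658.

```python
from __future__ import annotations

import math

# Assumed attacker throughput (constructed for the example): 1e10 guesses per
# second, in the range of an offline attack on a fast unsalted hash. The
# Use a Passphrase site uses its own assumptions, so its figures differ.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Estimate the alphabet a brute-force attacker must cover from the
    character classes actually present (lowercase, uppercase, digits, space,
    other printable ASCII symbols)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " for c in password):
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += 32  # remaining printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Search-space size in bits for character-by-character brute force."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """Search-space size if the attacker knows the word list and the number
    of words and tries every combination of whole words."""
    return word_count * math.log2(dictionary_size)


def expected_centuries(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return (2 ** bits / 2) / rate / SECONDS_PER_CENTURY


def compare(passphrase: str, complex_password: str, dictionary_size: int) -> dict[str, float]:
    """Bits of search space for the three attack models side by side."""
    words = passphrase.split()
    return {
        "complex_bits": brute_force_bits(complex_password),
        "passphrase_brute_force_bits": brute_force_bits(passphrase),
        "passphrase_word_guessing_bits": passphrase_bits(len(words), dictionary_size),
    }


if __name__ == "__main__":
    # "speak fiber sample klerk" is the page's example; "Xk9#mQ2v" is a
    # constructed 8-character "complex" password; 20,000 is an assumed list size.
    result = compare("speak fiber sample klerk", "Xk9#mQ2v", 20_000)
    for label, bits in result.items():
        print(f"{label:32s} {bits:6.1f} bits  ~{expected_centuries(bits):.3g} centuries")
```

The 24-character passphrase drawn from 27 symbols gives about 114 bits against a character-level brute force, versus about 52 bits for the 8-character password drawn from 94 symbols; even an attacker who knows the word list and guesses four whole words from 20,000 still faces about 57 bits, which is more than the short complex password offers.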
Know someone who is definitely reusing passwords? Share this article with them.
Stay vigilant.