Cybersecurity Awareness Month 2016: Passwords and Why Not to Use the Same One

Categories: Information Security

We have been told never to use “easy” passwords and not to use the same password for all our separate accounts. Well, why is all this fuss necessary? If the site is secure, then what is the issue?

One problem is that most of the time hackers are not specifically targeting you or your account. They are focusing their hacking attempts on large companies with millions of usernames and passwords. Companies hacked and the number of accounts exposed in 2015:

  1. VTech (a toy tech company aimed at kids) – 4.8 million
  2. T-Mobile – 15 million – names, addresses, SS#, passport numbers
  3. Scottrade – 4.6 million – didn’t release info about it until 2 years later
  4. BlueCrossBS – 10 million – found out they had been hacked over a 2-year period
  5. CVS/Walgreens – unknown millions – credit cards, email, passwords, addresses
  6. LastPass (password manager) – data breach – passwords will need to be decrypted
  7. And most recently, Yahoo revealed it was hacked in 2014 and that the data breach affects 500 million users. They didn’t let anyone know about the breach until late September 2016.

Now, say they have hacked one of the companies above and you have an online account with that company. More than likely, you use the same username or email address for all or most of the other sites that require some form of authentication. In this case, the hackers have already breached at least half of your security. With this stolen data, they can run automated programs to decrypt passwords. “Easy” passwords – those that do not contain both upper and lowercase letters, numbers, and special characters – are less challenging to crack and decrypt. For each of the decrypted passwords, the hackers have the full combination of username and password for your account. They assume most people will use the same username/password combination on other sites. So the hackers can attempt to use this newfound information on other sites, or they can sell the information to other hackers who will compromise your other online accounts, such as banking, shopping, bill paying, and personal/family insurance sites.
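To see how far a single breach reaches, you can audit your own list of accounts. The script below is an added example, not part of the original post: it takes a constructed sample vault (the sites, logins and passwords are made up), reports which other accounts share the same username/password combination as each site, and flags passwords that are “easy” by the definition above.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample vault: (site, login, password). None of these are real.
SAMPLE_VAULT = [
    ("toy-store.example", "pat@example.com", "sunshine"),
    ("bank.example", "Pat@example.com", "sunshine"),
    ("insurance.example", "pat@example.com", "sunshine"),
    ("mail.example", "pat@example.com", "T7#qv!Lm2zRw"),
    ("shop.example", "pat_r", "Winter2016"),
]


def is_easy(password):
    """'Easy' per the article: lacks upper, lower, digit or special characters."""
    return not (
        any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(not c.isalnum() for c in password)
    )


def audit(vault):
    """Return ({site: other sites exposed if this site is breached}, [easy sites])."""
    key = os.urandom(32)  # per-run key: fingerprints are meaningless after exit
    groups = defaultdict(list)
    easy = []
    for site, login, password in vault:
        # Compare keyed fingerprints so plaintext passwords are never used as keys.
        fingerprint = hmac.new(key, password.encode(), hashlib.sha256).digest()
        groups[(login.lower(), fingerprint)].append(site)
        if is_easy(password):
            easy.append(site)
    exposure = {}
    for sites in groups.values():
        for site in sites:
            exposure[site] = sorted(s for s in sites if s != site)
    return exposure, sorted(easy)


if __name__ == "__main__":
    exposure, easy = audit(SAMPLE_VAULT)
    for site, others in sorted(exposure.items()):
        print(f"breach at {site} also exposes: {', '.join(others) or 'nothing else'}")
    print("easy passwords on:", ", ".join(easy))
```

In the sample, a breach at the toy store also exposes the bank and insurance accounts, while the mail account with its own password stands alone.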

In some cases, companies don’t know they have been breached – sometimes for years. BlueCrossBlueShield didn’t discover their security breach for almost 2 years. Some companies will immediately disclose the data compromises but others may withhold the information for fear the news will negatively affect their business. When the news is not shared with account holders, the hackers have time to take the information and continue compromising accounts on other systems before users are made aware of the security breach. Identity theft is an unfortunate outcome of these circumstances. Imagine your headaches when all of your accounts are hacked at the same time!

Here are some tips on making a secure password that is easy to remember, but difficult to crack: 6 Tips For Creating An Unbreakable Password.

It is a good habit to use different passwords on your online accounts and frequently change the passwords. We all understand that having multiple passwords is inconvenient, but so is removing a fraudulent charge on your credit card or trying to recover from identity theft.

Mike Rasmussen
Computer Support Specialist, DASNR
