If you are using the same password more than once, you are doing it wrong!
I’ll walk you through a “for instance”…
If you had created a user account at Equifax prior to September 2017:
You have a complex password as required: 1119KittyCat! Which combines a birthday, your favorite pet, and a non-alphanumeric character. Good to go, right? Yes, except that you’ve also used “1119KittyCat!” at “eleventeen” other online sites, including Microsoft, Google, Netflix, Amazon, and your local bank to name a few. Who can remember all these annoying passwords, right?
Well, you probably saw in the news by now, that Equifax was breached, and maybe you got a $14 check in the mail as part of the FTC settlement. Great! Free money.
Meanwhile, the data extracted from the Equifax breach probably includes a whole lot about you: name, address, phone number, SSN, financial information, shoe size, and most likely the user account credentials you use to access Equifax.
Assuming the e-mail address/password credentials are now dumped to a file and “leaked” to the “dark web.” Your user credentials are now acquired by script kiddie that then uses it to access all of your accounts – simultaneously! The script is much smarter than the kid that just executed it – he lives in his mother’s basement, spending half his time eating hot pockets and playing Xbox and the rest of his time looking at Internet porn while “hacking” your identify!
Now here’s the “gotcha” moment – remembering passwords is hard: “I’ve heard a few times that I should get a password manager, but [insert lame ass excuse that just f*cked you here]…”
Remember that script? Each time your “leaked” credentials successfully access an account, the script begins it’s sinister work…
Suddenly you’re getting an unusual amount of email notifications and text messages on your phone. Only problem is that it’s about 2:15 a.m. – you’ve been sound asleep for hours. When you wake, you notice a bunch of notifications on your phone: “email account added,” “phone number removed,” “phone number added,” “confirmation number,” etc… You have a few new email messages from real early this morning, but your phone is prompting you for the account password when you attempt to open the message. You type your password, but the prompt persists.
You go to the kitchen to make some coffee. You put the coffee on and grab your Microsoft Surface tablet to check out the Internet while you wait. But, you can’t log in! Weird…?
“MOM! DAD!,” comes the shouting from the living room, “My Xbox isn’t working…”
So much for enjoying a Saturday morning: You’ve just been pwned by a script kiddie!
OK…. So who do you call?
While you’re milling that over, you receive a text message: “Hi, it’s Capital One. Did you just try to make this purchase with your card ending in…”
Uh-oh…. You decline the charge and call Capital One. After an eternal hold time – maybe you weren’t the only one “hacked?” – you finally speak to a human that assists you disputing the charge and changing the account number.
Next call… your company’s computer guy.
After explaining at length what has happened, he asks if you had “2FA” enabled.
Next time: “What’s 2FA?”