One of the most common issues we encounter in servicing people’s computers is that they don’t know their password(s). Forgetting a password is normally not the biggest issue, however; the bigger one is that they often also have no access to the recovery methods that were set up to request a password reset when the “I Forgot My Password” button is clicked. Please allow us to cover how bad guys even get your password, go over some preventative maintenance and make a few recommendations so you hopefully don’t find yourself in this predicament.

HOW DID YOU GET MY PASSWORD?!?!

Passwords are everywhere. I myself have more than 200 accounts that need passwords. I’m guilty, like the rest of you, of reusing them and using some that are very similar to other ones. The good news for you and me is that this is easy, but the bad news is that what’s easy for you is also easy for the bad guys who want to separate you from your money. If you’re old (like me) you remember back in the ’90s when bad guys just played a little video on your screen or deleted your files just to be annoying. This isn’t the case anymore. Bad guys are after your hard-earned American dollars; they are professional con artists who expertly craft Sorry-Sally-Sob-Stories or Harry-Heartache-Hardwalk-Heartbreakers that lure us into responding out of our compassion. Then…

BAM!

You’ve been pwned (this is internet slang for “Owned” and is pronounced “poned” – how ‘owned’ would be pronounced if it had a P out front – and it originated in a comments section somewhere or on social media when a keyboard warrior was slandering another human to make him/herself feel better about their own life and typed a P instead of an O in a fit of rage – but I digress…). Ha ha

The terrible fact is this doesn’t even need to happen to you personally for your password(s) to be ‘set free’ on the open black market (often called the Dark Web). Remember when Target Stores was in the news for being hacked in 2013? The bad guys got 40 million credit card numbers. But that’s small potatoes: remember when Equifax was in the news in 2017? 147 million people, half the population in the United States, were affected by this breach where the bad guys made off with Social Security Numbers, Phone Numbers, Bank Accounts, Tax IDs, Birthdays, Addresses and just about every other piece of identifying information. Frighteningly, even this was not the biggest breach. Yahoo! was hacked in 2012 in what some call the largest data breach to date, where 500 million users’ data was stolen. Please let me ask you a very important question: Have you even changed your password since 2012? I’d be willing to bet you haven’t.

Once the bad guys have your password you’re toast. First, they got your email address and your password in some data breach on the dark web. Second, they know you reuse your password (or at least a form of it) and will pwn your other accounts and your friends’ too. Third, they know how to con people: remember, they’re professionals, they do this for a living. If you’re alarmed now, good. That’s what I meant to accomplish.

HOLY LEAKING PASSWORDS, BATMAN!

Now that you know your password has probably been leaked (or worse, other personally identifiable information), one good starting place is to head over to haveibeenpwned and see if any of your phone numbers or email addresses have been involved in a breach. Even if they haven’t, it’s a really good (maybe even the best) preventative measure to change your password… regularly. In doing so not only will you immediately nullify the account info the bad guys have, but you will also more often remind yourself of what your password is, and in the best-case scenario, you’ll develop a system by which you manage these things, thereby actively and effectively preventing being pwned.

SUGGESTIONS FROM THE SUGGESTION BOX

Do you feel like you have too many passwords to manage (or if you did it ‘right’ that you would have too many)? Why not let someone else manage them for you? Being the Mac Ranch, I suppose we’re almost obligated to note that macOS Keychain and Safari both do it, and both of those can sync across your Apple devices using iCloud Keychain. But is that secure? Well, in short, yes it is. It’s as secure as any online secure password vault can be. Practically speaking, it’s more secure than Equifax, Target and Yahoo! combined. Jokes aside, the point I’m making is that large companies like Microsoft, Apple and Google employ the best of the best security teams.

“But Matt!” I hear you object, “Someone else has my passwords!!” “My Dear Sir/Madame,” I’ll reply, “look, the bad guys have your money because you did nothing. Google having your passwords appears in practice to be better than the bad guys having your money, yes?” Please consider your inaction as an active choice to do nothing. If you read this far, you can’t say I didn’t forewarn you.

Now, this paper wouldn’t be complete without the following thought: the vast majority of hackings out there happen because the user GAVE the bad guy the password when the bad guy asked nicely. Tech Giants will NEVER ask you for your login info. Let me say that another way. Microsoft has better things to do than to call you or email you and tell you your computer is infected or your account is infected. They do not have popups to warn you of this. It’s a con artist who is asking you to call them. DO NOT CALL THEM. Call us, call your techie children, call a techie friend, but please, for the Love, DO NOT call the number on your screen, they are the bad guys. You will spend the next week sorting through all your accounts and learning everything I just laid out (and more) the hard way.

TWO ROADS DIVERGED IN A WOOD, AND I –

I’d like to conclude by restating the importance of changing your passwords regularly. When you undertake this procedure the first time, you need to block out some time. You might not understand everything you’re doing, and you’ll need to learn the process. It’s not that complex, but it has a few moving pieces. If you need to change your Apple ID password, for instance, and if you don’t recall it, you may need to log into an email account you haven’t used in years. You might find you can’t log into that email account where they sent the reset confirmation, and you must recover that email password before you can proceed. I can’t express to you how many Mac Ranch hours have been billed because someone can’t remember their password. It’s a frustrating problem, for us and our customers. The practice of password changing will mitigate this frustration. This is the road less traveled. It will not prevent many people’s information from being stolen, but it WILL prevent the stolen account from being pwned! Happy password-changing!

ABOUT THE AUTHOR

Matt Lee is Technical Lead at The Mac Ranch. He has been practicing technology since 2008.