These days just about every app and website gives users an account that is tied to an email address with a password. If you're like most people, you have multiple online accounts. In fact, the average person has 27 online accounts. It is therefore understandable that so many end users resort to using the same email address and easy-to-remember password for some or all of those accounts.
Even if you use a strong password, this practice can cause big problems, because it only takes one security breach to threaten all of those accounts. Any company can be hacked. Large providers like Yahoo and Google, and vital services like online banking, at least take strong measures to protect your data and will notify you if there is a breach. However, many websites aren't proactive enough when it comes to security, and reports of user data being compromised are almost a daily occurrence.
Here's an example of how things might play out. Let's say you have a total of three online accounts:
1) bank
2) Facebook
3) recipe website
Since the bank handles your money, it should be safe to assume that they take security seriously. They constantly maintain the security of their servers and always update their security policies to comply with industry standards for storing client information and passwords in a safe fashion.
Facebook has hundreds of millions of users with all kinds of personal information on their site. A security breach would be a PR nightmare for them. They probably take even more measures than the banks to protect your data. So, just like your bank, the risk here is pretty low. No one will know your password except you.
What about that recipe website? It's reasonable to draw the conclusion that a recipe website won't have the same level of management and security infrastructure as Facebook or your bank. Websites like this are known in the IT security industry and to hackers as “low-hanging fruit”. They are easier to hack because they don't do things like store passwords in encrypted form or update the server software when bugs are found. If this website suffers a data breach, the hackers now have your email address and password. They will think to themselves, "I wonder if this person is one of the 500 million people on Facebook? I'll try this username and password there." Then they will go to Bank of America, Wells Fargo, and dozens of other popular websites to see if you have an account.
The best thing you can do is use a different password for every website. But what if you've already been using the same username/password? And what about the other bits of personal info that some websites may have (home address, mother's maiden name, etc.)? Hackers can find that information useful too. It will help to know if your data has been compromised.
How can I tell if my accounts have been hacked?
We would like to share with you a very handy tool at https://haveibeenpwned.com. This website continuously tracks and monitors known data breaches and obtains the data that is subsequently exposed. Simply enter your email address or user name and it will let you know if your accounts have been exposed during a known data dump.
What should I do if haveibeenpwned.com tells me I’ve been involved in a data breach?
Change the password for every account that you use with that email address or user name right away (please note it’s not necessary to change your user name or email).
If the account(s) in question have been used with any banking, stock trade, or other financial website, reach out to those companies to alert them, and pull a credit report from https://www.annualcreditreport.com to better assess the impact of your findings.
How can I tell if a website or application I am using is storing my passwords securely?
Ultimately, the measure of how secure a website is likely to be comes down to the resources they have available to maintain the site, how much of a premium the company puts on security, and how much you are willing to trust that they are a reliable organization that you can depend on.
There is an easy test to see if their password management is insecure. Click on the Reset Password or Forgot My Password link that most services will have to assist in the event that you've lost your password. Usually, they have some method to validate that you are you. Either you are asked a security question that only you know the answer to, or a password reset link is sent to the email address associated with the account. If you receive an email that simply displays your current password, then this website is not storing your data properly.
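Why an emailed password gives the site away is easiest to see in code. The sketch below is an added example, not code from any website mentioned here. The class names, the `recipes.example` address, and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2 work factor; an assumed setting for this sketch

class PlaintextSite:
    """Insecure: keeps the password itself, so it can mail it back."""
    def __init__(self):
        self.users = {}

    def register(self, email, password):
        self.users[email] = password

    def forgot_password(self, email):
        # The warning sign: the email contains your current password.
        return f"Your password is: {self.users[email]}"

class HashedSite:
    """Keeps only a random salt and a slow one-way hash per user."""
    def __init__(self):
        self.users = {}
        self.reset_tokens = {}

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, email, password):
        salt = secrets.token_bytes(16)
        self.users[email] = (salt, self._digest(password, salt))

    def login(self, email, password):
        salt, stored = self.users[email]
        return hmac.compare_digest(stored, self._digest(password, salt))

    def forgot_password(self, email):
        # Nothing to reveal, so the site can only send a one-time reset link.
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email
        return f"Reset link: https://recipes.example/reset?token={token}"

    def reset(self, token, new_password):
        email = self.reset_tokens.pop(token, None)  # each token works once
        if email is None:
            return False
        self.register(email, new_password)
        return True
```

A breach of `PlaintextSite` hands over every password as typed, while a breach of `HashedSite` yields only salts and hashes that must be guessed one password at a time.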
Questions or concerns? Call YPCR today at 410-525-5599 for assistance.