Why you need to change your passwords right now

Have you been getting lots of spam with your passwords inside? Want to know how they’re getting them and why you need to change your password right now? Keep reading to find out.

A little story

A while back I had a delivery guy at my house with $113 worth of fried chicken sandwiches for someone who doesn’t live here. I found out the next day that a friend’s Caviar (food delivery app) account was hacked and they used her credit card and a previously saved address from when she house-sat here to deliver to. The people who placed the order were probably waiting in the bushes to intercept it!

Fried chicken sandwich
The chicken sandwiches were NOT from Basilisk, imo the best chicken sandwich in Portland. Look at the size of it!

How are they getting my password?

But how did they do it? How did they gain access to her account? It’s a lot easier than you think.

There have been a lot of high-profile breaches recently. A breach is when a website’s server gets hacked and someone downloads all the usernames and passwords. Some big ones include Adobe, Comcast, Domino’s, Dropbox, Evite, Equifax, Kickstarter, last.fm, LinkedIn, MyFitnessPal and Whitepages, among hundreds of others (that we know about). Once they have the username & password combos, they compile them into huge lists and share them with all their friends online.

Why you should never re-use a password

And this leads us to the reason people say never to re-use a password. It takes a certain level of skill to hack a server, but it takes much less skill to go on BitTorrent and download a huge list of username/password combinations. The people who do that often write simple scripts to try those combos on every site they can think of. If you used the same username (or email!) and password combo on one of those breached sites and on your Caviar account, you may find chicken sandwiches in your order history that you did not order!

Check if you’ve been pwned

Do you want even more of a push to make this a priority? Go check your email address(es) on haveibeenpwned.com and scroll down to see how many times your email’s been caught up in one of these breaches.

You can also now check whether any of the passwords you use are on those lists. Go to https://haveibeenpwned.com/Passwords and type in that password you use for everything, and then promise me you’ll never use it again.
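For the password check above, here is how the Pwned Passwords lookup can be done without ever sending your password anywhere: only the first 5 hex characters of the password’s SHA-1 hash go to the server, and you compare the rest locally. This is an added Python example, not code from the original post or from haveibeenpwned.com; the endpoint is the public HIBP range API, and the response lines below are constructed sample data.

```python
# Added example: check a password against Have I Been Pwned's "Pwned Passwords"
# range API using k-anonymity. Only a 5-character hash prefix leaves your
# machine; the full password (and even its full hash) never does.
import hashlib
import urllib.request

API_URL = "https://api.pwnedpasswords.com/range/"  # public HIBP range endpoint


def split_sha1(password: str):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest (5 + 35 chars)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times our hash appeared in breaches, or 0 if it is not in the corpus."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Download the range for a 5-char prefix (network call; not used offline)."""
    req = urllib.request.Request(API_URL + prefix,
                                 headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str) -> int:
    """Full online check: returns the breach count for the password (0 = not found)."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


# Constructed sample response for the prefix of "password" (5BAA6). A real
# response lists several hundred suffixes; these suffixes and counts are made up.
SAMPLE_BODY = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9659365\r\n"
    "3A3D3F2F7C9D5C1E4B0F6A8D9C2B1E0F7A6:2\r\n"
)

if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print(prefix, "->", count_in_range(suffix, SAMPLE_BODY))  # offline demo
```

Running `pwned_count("your password here")` performs the live lookup; a count above 0 means that exact password is in the breach lists and should be retired.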

Don’t save your credit card details

Another thing that could have saved my friend from the chicken sandwich incident was not having her credit card details saved on the app or website. It’s inconvenient to keep adding your cc number each time, but it’s even more inconvenient to dispute a charge and potentially not get refunded. I only save my cc on places that have recurring payments and that’s just a handful of places. So uncheck that ‘save payment details’ checkmark every time you buy something from now on.

Use a password manager & unique, randomly generated passwords

I strongly suggest you use a password manager like LastPass or 1Password. Some of the password managers work across multiple devices: you can get a browser extension to auto-fill passwords for you, and you can even get an app on your phone. You’ll now only need to remember ONE password to log you in, and the app will auto-fill the randomly generated passwords for each site. Make the one password a sentence, something long and odd like: “I really enjoy eating hummus under a full moon with the company of owls”. Then have the app create a 30-40 character randomly generated unique password for each website you go to. Spend a few hours changing your passwords everywhere, starting with the most important (banking, anywhere your cc is stored, anywhere on those lists of pwned sites, Gmail, Apple, etc.), and working your way down.


Use 2-factor authentication

Two-factor authentication is simple: it just means that the website or app requires two different ways to verify it’s you before giving access. Usually the first factor is your regular password, and often the second factor is a pin they text or email you, or maybe an answer to a question they ask. It means you’ll not only need your password to get in, but also access to your email or your phone’s texts, which (hopefully) makes unwanted access harder. I enable 2-factor authentication on any website that is important (Apple, Gmail, medical related, social media) and any website that stores or has access to my personal or banking info. I recommend you do the same.

If you want an extra layer of security, the most secure way to set up 2FA is via an app for the second factor instead of a pin they send via text or email. This is because if someone has already gained access to your email, they could retrieve that pin and log in. Or if you’ve got iMessage and they have your Apple password, they could read your text messages online and get the pin that way. Not all websites allow an app as the 2nd authentication method, but if a website does allow it, I recommend it. I use Authy.