Ransomware, leaks, and data breaches are common. Some are simply unreported. From email addresses to credit card numbers, names, and addresses, the information escaping is extensive. In 2021, an estimated 38 billion records were released into the wild.
Yet everything is online these days. It seems every new purchase requires another online account. Banking, utility companies, shopping, social media, entertainment and more. Some choose not to engage in the online world but even they resort to asking more savvy friends and relatives to assist. Most will likely have some of the following:
- Social media accounts: 3-5 (Facebook, TikTok, Instagram)
- Email accounts: 2-3
- Shopping accounts: 2-4 (Amazon, eBay,
- Entertainment: 2-3 (Netflix, Amazon Prime, Steam, Spotify, PlayStation)
- Bank accounts: 1-2
- Credit accounts: 2-3 (Mastercard, Visa)
- Utility service accounts: 3-5 (Power, Water, Phone, Taxes)
- Work related: 1-2
That is easily an average of 15-16 online accounts per person. It's account overload, and too complicated to keep track of. A common solution is to use the same user name and password for everything. Another approach is to use some sort of pattern for the passwords, or personal information that makes them easier to recall. Some sites collect and require security phrases in an effort to help secure your information. The more recent approach is to require a code sent as a text message to your phone: two-factor authentication.

Besides basic account information and security questions/answers, our exposure problem is compounded by the metrics companies keep. Little bits of information are stored that help profile you to better target sales, keep you engaged, or deliver specialized content. By itself this data is not very useful, but when combined it paints a very accurate picture. Much of it can be used to predict behaviour, including likely passwords.
As you can see, when a company has a data breach, the information released could be damaging. Obviously using the same user name and password would leave you completely compromised. But are you safe because you used a pattern or personal information instead? Probably not.
Data breaches involving personal answers to security questions, preferences, and other metrics narrow a personality down and can assist in generating likely passwords or be used in social engineering attempts. Identity theft is also far easier with basic information, and what if that is combined with another breach?
It's not all gloom and doom, as many sites require two-factor authentication, typically using your phone. Cell numbers in some countries can be ported out without your consent, however. Countries like Canada have strict rules in place, including sending verification messages to the phone number being ported. It helps, but not all sites use two-factor. Worse yet, if the phone is stolen, damaged, or otherwise out of service, you are locked out.
The best approach for online accounts would be to use different user names and passwords everywhere. This way any breach would not expose any other account. Unfortunately, user names are often just email addresses, and for that I would suggest having at least two. Sites that are not critical, or perhaps not as trusted, could use the less common email address, reducing the exposure if they become breached.
Another option is to never use personal information in security questions/answers and don’t repeat those questions/answers on another site (many will allow you to create your own). If you recall, this type of personal information could be used in ID theft and the guessing of passwords. Without it being available in the first place, there won’t be any issues if and when it is part of a data breach.
But now we are back to the overload issue. How can anyone possibly remember it all? You don’t. This is where something called a vault or password safe comes in. The vault must be secured with a single user name and password that is complex enough to not be guessed but memorizable by you. The idea here is that each account is placed in the vault. When you need to access the account, you simply cut and paste from the vault. The passwords are typically copied while being displayed as all asterisks, and are therefore not seen by prying eyes. These vaults usually come with a phone and computer version so you can have it in both places.
It is critical to keep that vault backed up, as it will contain all of your access and you don’t want to lose that.
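
The advice above (no shared passwords, no patterns, no repeated security answers) can be checked mechanically over the entries a vault holds. The following Python example is added here and is not part of the original article; the entry layout, the `audit` and `strip_site_hint` names, the 0.8 similarity threshold, and the sample entries are all assumptions constructed for illustration.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample entries (not real credentials): site, password, security answer.
ENTRIES = [
    {"site": "shop.example", "password": "Maple!shop2021", "answer": "Rex"},
    {"site": "bank.example", "password": "Maple!bank2021", "answer": "Rex"},
    {"site": "mail.example", "password": "t7#Qz9vLw2@pXr4m", "answer": "cobalt-ladder-41"},
    {"site": "video.example", "password": "t7#Qz9vLw2@pXr4m", "answer": "plum-anvil-08"},
    {"site": "power.example", "password": "K4!rdN8s$Yb1Uo6e", "answer": "quartz-river-77"},
]

def strip_site_hint(password, site):
    """Remove the site's own name from the password, the usual 'pattern' ingredient."""
    label = site.split(".")[0].lower()
    return password.lower().replace(label, "")

def audit(entries, threshold=0.8):
    """Return (kind, site_a, site_b) for every pair of accounts that share risk."""
    findings = []
    for a, b in combinations(entries, 2):
        if a["password"] == b["password"]:
            # One breach exposes both accounts outright.
            findings.append(("same-password", a["site"], b["site"]))
        else:
            # Compare what is left once the site-specific part is removed.
            core_a = strip_site_hint(a["password"], a["site"])
            core_b = strip_site_hint(b["password"], b["site"])
            if SequenceMatcher(None, core_a, core_b).ratio() >= threshold:
                findings.append(("pattern", a["site"], b["site"]))
        if a["answer"].strip().lower() == b["answer"].strip().lower():
            # A repeated security answer leaks across sites just like a password.
            findings.append(("repeated-answer", a["site"], b["site"]))
    return findings

if __name__ == "__main__":
    for kind, site_a, site_b in audit(ENTRIES):
        print(f"{kind}: {site_a} <-> {site_b}")
```

Any pair the audit reports is a pair where a breach at one site weakens the other; accounts with independently random passwords and answers, like `power.example` here, produce no findings.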


