This is what my mother-in-law said when I asked her if she had a facebook page. She said that she's been unable to login for months because someone had hacked her account. I asked her if she notified facebook once she realized this. She basically said she doesn't use the social media site, so she just stopped trying to log in.
I asked what her login was, but it was so long she didn't remember. So I went about the business of trying all of her email addresses in an attempt to retrieve and reset her password. Success! Eventually I was able to get in and reset it for her. Much to her chagrin, she wasn't hacked at all, she merely forgot her password.
But this lead me to other questions within other questions. In prior blog posts (Steps of Progression and I forgot my password I've went on about some of these type of things. And with stumbling upon her issue, it kind of ties them together neatly.
Hacked vs Not Hacked.
First off I questioned the automatic assumption that she'd been hacked. With her generation of adults, they put most belief in the nightly news and the morning newspaper. And there's always something about hackers this or hackers that. So it makes sense that her initial belief was someone hacked into her account. Secondly, she was using the same password (or a variation thereof) on most of her online accounts. She'd merely used the wrong one and locked herself out.
...highlights a problem in that many browser-based password storage tools that are actively being exploited by on-line advertising and tracking firms
So here we have a later generational adult who doesn't put much interest into the internet and its services, mainly due to what she's heard on the news, but also uses easily guessed passwords. Another delight is, she thinks if one of her accounts was hacked, just don't use that service.
Does that make anyone feel else uneasy?
If I've said it once.
This all takes me back to really really advocating the use of a password manager like 1Password, Dashlane, or Lastpass. Using one of these to manage all of your passwords really simplifies the use and generation of cryptic passwords. They also eliminate the common mistake of reusing passwords. Read the blog post if you have questions.
Everyone that understands how on-line accounts get hacked knows that the majority of accounts are hacked because the users have used passwords that are easily guessed. Now factor in your easily guessed password and add in using that same password on many different sites. You've just made it too easy.
What does all this mean? Have I been hacked?
So how does one go about seeing if one of their email addresses has been part of one of the many website hacks? A wise security expert named Troy Hunt has put together a website called Have I Been Pwned. Simply enter in each of your email addresses and click the
pwned button. If one of your emails has been part of a hack, go to each site it was taken from and change your password. This time, use a 12 character password thats generated from your password manager. I use LastPass, so all I have to do is hit Alt-G and I'm done. It creates the new crazy weird password and also updates my list.
I have many email addresses and out of them all, I had 2 that were part of site hacks. I went to my password vault and checked the password I had. Sure enough, each time the password was a very old one. I changed them all immediately.
Really, its for your own good.
Thinking about trying to convince the retired generation not only to use a password manager, but how to use one, seems quite a feat. My fathers response would be "I only have 3 or 4 accounts on-line, so I'll just make up different ones and write them down". The mother-in-law would most likely question how this password manager would work on her phone, tablet, work computer, home computer, laptops, etc. and then exclaim its just too exhausting to deal with all of it. Its an uphill battle. My mother won't create an account anywhere if it requires any of her personal information, such as a birth date.
Inevitably one of their accounts will be hacked or stolen, and I'll get another phone call asking me to fix it. Anyone slightly related to understanding computers has received these phone calls from relatives. Or their friends. Or friends of your relatives (It's true). But I think this goes the way of things such as a home security system people get after they've been robbed, or insurance for something after they've damaged & replaced it. Most of it is hindsight. Its only worth the price after you've seen how much it costs to not have it.
Please don't confuse a password manager for a browser saving your password. They aren't the same thing. Also, having the browser save your password isn't safe as you might think. According to research and publication by the Princeton's Center for Information Technology, which highlights a problem in that many browser-based password storage tools that are actively being exploited by on-line advertising and tracking firms. This means, your browser saved passwords
can be will be captured. And browser based password storage doesn't always cross platforms or systems. Meaning if you save a password on your laptop, it may not work from your desktop. Most password managers have no problem with this.
This past week my wife was working on a different computer, she had her laptop open on my desk. I asked her why, and she said "I need my passwords out of Chrome. They're not on this computer." Which goes back to my first statement...get a password manager and STOP USING SIMPLE/SAME PASSWORDS.
There are many many articles going over the pro's and con's of using password managers. Overall, there are far more pro's to using one than to not. In today's world, you can no longer trust using your memory or writing down sensitive information. You don't give people your bank account number, so don't give them access to your bank account.
What do you think?