In retrospect, I deserved it — if you can say anyone deserves to be hacked.
I thought I was clever. I thought I was obtuse. I thought I was being funny. My password wasn’t “password” (the second worst password out there), 123456 (the absolute worst password out there), or anything that started with the number 1, like 5 of the 8 worst passwords on this year’s list. Nor was it qwerty (#4), letmein (#7), football, iloveyou, or admin (8, 9, and 10 respectively). Nope. I chose something I thought totally obscure. Something no one would guess.
I chose Fox Mulder’s password from The X-Files: trustno1. This year, trustno1 ranks as the 25th worst password, years after the relevant episodes aired. It’s been beaten out by starwars this year, at number 16. But it’s still in the top 25.
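The lesson of the list above is that a password which looks obscure can still be a cosmetic variant of a well-known one. The following added example (my own code, not from the original post) normalizes a candidate password, undoing capitalization, trailing digits or punctuation, and common digit-for-letter substitutions, and flags it if it collapses onto any entry named in the post; the 12-character minimum and the substitution table are my assumptions, and a real deployment would load a full breach list instead of these nine words.

```python
import re
import string

# Entries named in the post above; a real check would use a full breach list.
WORST_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "football", "iloveyou",
    "admin", "starwars", "trustno1",
}

# Assumed table of common digit/symbol-for-letter substitutions to undo.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password: str) -> set[str]:
    """Return the base forms a password collapses to: lowercased, with any
    trailing digits/punctuation stripped, and with substitutions undone."""
    lowered = password.lower()
    stripped = re.sub(r"[\d\W_]+$", "", lowered)
    forms = {lowered, stripped, lowered.translate(LEET), stripped.translate(LEET)}
    return forms - {""}          # an empty form would match everything


# Pre-compute every base form of the known-bad list once.
BAD_FORMS = set().union(*(normalize(p) for p in WORST_PASSWORDS))


def weakness_reasons(password: str) -> list[str]:
    """List why a password is weak; an empty list means it passes every check."""
    reasons = []
    if normalize(password) & BAD_FORMS:
        reasons.append("variant of a known-bad password")
    if len(password) < 12:                      # assumed minimum length
        reasons.append("shorter than 12 characters")
    if not any(c.isupper() for c in password):
        reasons.append("no uppercase letters")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in string.punctuation for c in password):
        reasons.append("no punctuation")
    return reasons


def is_acceptable(password: str) -> bool:
    return not weakness_reasons(password)


if __name__ == "__main__":
    for candidate in ["Trustno1!", "P@ssw0rd", "starwars", "Mulder-Scully-1993-Files"]:
        print(candidate, "->", weakness_reasons(candidate) or "ok")
```

Note that "Trustno1!" satisfies the capital-letter, digit and punctuation rules and is still rejected, because it collapses to the same base form as trustno1.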
So when my friends started getting messages from me about mail-order Russian brides and penis enlargement, I found myself frantically changing my password to something a little more impenetrable. Not impenetrable enough, however — I was hacked again after switching to a password that contained only lowercase letters. Now, that email’s locked down with a password that contains capital letters, numbers, and non-alphanumeric characters. It’s been several years now — during which I periodically updated my password — and I’ve stayed safe.
I was lucky. I used trustno1 for that account, and that account only. It wasn’t linked to my Facebook, my Twitter, any sites I purchased things from, or (gulp) my PayPal or Amazon accounts. Imagine if the hackers behind the bot had gotten hold of those passwords. They could have drained my bank account. I’d be disputing credit card charges for ages. I’d never feel safe online again.
[See our list of best password managers]
Scratch that. I don’t feel safe at all. I’ve changed my current email password again.
I’m not alone. Apparently, according to the Observer, Dashlane kept a list of the companies hacked in 2017 due to bad password protection. None other than U.S. President and Twitter maven Donald J. Trump topped the list with his password leaks, “thanks to a slew of cybersecurity breaches revealed among his staff members as well as cyberattacks on multiple Trump Organization websites.”
Trump himself, and several top aides — including cybersecurity advisor Rudy Giuliani — were found using the same password for multiple accounts, a major no-no. All a hacker has to do is break one easy password and he’s into whatever else that password is protecting. Ryan Merchant, a senior advisor at Dashlane, says, “We found that the reuse of passwords is the greatest danger of cybersecurity.”
[For more quick tips, check out our Five Simple Ways To Improve Your Cybersecurity.]
Who knows how my email was breached the first time. Maybe, as Wired suggests, it was to send spam to everyone in my address book, give them malware, and then send spam to everyone in their address books as well. But they could have been trying to get password resets from other sites (like PayPal), or even trying to access a business I owned. If the hackers had targeted my bank account or credit card accounts, they were obviously after money. Once you figure out the why, the steps are clear: change everything. Change your password, and change anything else you use that has a similar password. Says PayPal’s head of consumer security, Markus Jakobsson, “Password reuse is one of the great evils and it’s very hard to prevent.”
Once you’ve changed everything, with no duplicates, you need to scan and update your computer. The hacker may have gained access through malware that allowed them to monitor password input or keystrokes.
Then check for backdoors. Make sure your security questions are the same, and that the answers to them haven’t changed, either. Make sure “nothing’s getting forwarded without your knowledge,” says Wired. If the breach was financial, make sure nothing’s been added to your account: no new shipping addresses or debit cards. Finally, lock down your credit by calling the three major credit bureaus, and tell your friends you got hacked — so they don’t inadvertently expose themselves by opening those Russian bride spam emails.
I was stupid. Now, I have different passwords for everything, none of which resemble those on the worst passwords list. It can be a pain to remember all those passwords. But it’s worth it, and I use a password manager to help me out. I hope I don’t have to go through the hell of being hacked again. It was pretty benign — but it was still a giant pain. I can’t imagine what would have happened if money had been involved.
[If you’re concerned about your online security after making a purchase — especially after holiday shopping season — read our Security Tips For Online Shopping.]