This week, password manager Dashlane analysed ten years’ worth of passwords from public data breaches. The big lesson is, don’t reuse passwords. Not even a little, not even with a “formula”. Password formulas are easy to hack. And even your bullshit accounts deserve strong, unique passwords.
If you’ve reused passwords from any of these 284 hacked sites, including MySpace, LinkedIn, Adult Friend Finder, 8tracks, and Adobe, any bored hacker could try those exposed passwords on your other accounts. (In many of these breaches, the leaked passwords were still encrypted. But some of the encryption was so weak that hackers were still able to decrypt short or common passwords.)
So don’t reuse passwords on multiple sites and services.
“But,” you say, “I only reuse my password on my bullshit accounts!” Really, you’d be fine with all your “bullshit” accounts getting exposed at once, just because your old Hotmail account got hacked? Are all those accounts really so “bullshit”?
Anything with your credit card info isn’t a bullshit account
If logging into a certain account lets you spend money, you should probably put that behind a strong password. If you just made a one-time login to ThinkGeek, and you used the same password as your old AIM account, you made it easy for a stranger to mail themselves official Young Han Solo jackets on your dime.
Do you really want to replace your credit card and do all the attendant paperwork just because you used the same password on Nordstrom Rack and 9GAG?
Anything with your social identity isn’t a bullshit account
If you logged into some trendy social media site with your bullshit password, and then that trendy social media site ended up being Twitter, it’s probably time to change it. Maybe you won’t be embarrassed when your account DMs all your friends with spam links! Maybe your aunt is too smart to fall for a scammer messaging her from your hacked account! Maybe the hacker will get more retweets than you!
Seriously, have some self-respect and get a new password for each of your social accounts.
Dashlane senior manager Ryan Merchant points out that personal info in one account can be used to access your other accounts. This mostly matters if someone is specifically targeting you, but it’s one way that a small breach can turn into a big one. So even those truly bullshit accounts are useful to someone targeting you for identity theft.
Anything you don’t want to delete isn’t a bullshit account
If handling all these old accounts sounds exhausting, delete them. (AccountKiller has specific instructions for deleting most online accounts.) But if you have too much emotional attachment to delete an account, then you have too much attachment to let it get hacked.
This is all easier if you have a password manager. And yes, some day maybe a password manager could get hacked. But so far, all of our major recommendations have a much better track record than sites like AOL, Yahoo and LinkedIn. And a life without memorising passwords is a life with less stress.