So here’s a story in today’s WSJ about a fellow who used a password manager, was hacked, and the thieves got access to his entire life: all passwords, bank accounts, social media, work computers, and everything else that passes for a life in today’s world. He’s bankrupt, destitute, and oh yeah, fired. Here’s a gifted link:
A Disney Worker Downloaded an AI Tool. It Led to a Hack That Ruined His Life.
Matthew Van Andel’s experience reveals the threat that opportunistic hackers pose to companies and individuals
The next morning, the lunchtime Slack exchange became one of more than 44 million Disney messages from the [workplace collaboration tool] published online by a cryptic hacking group with murky motivations. The hacker had used Van Andel’s login credentials to steal from his employer. The hack sent Disney’s cybersecurity team in motion to assess the damage. Private customer information, employee passport numbers, and theme park and streaming revenue numbers were in the [huge data dump].
The breach upended Van Andel’s life. The hacker stole his credit-card numbers and racked up bills—and leaked his account login details, including those to financial accounts. The attacker published Van Andel’s personal information online, ranging from his Social Security number to login credentials that could be used to access Ring cameras within his home.
This particular password manager is called “1Password”, but given the richness of the target I’m sure all of them are targets, and it’s only a matter of time before we hear of other breaches.
Meanwhile, I use a different password for every site, and keep them all in my head. I can therefore access any site I want from anywhere, including the bank or the stock brokerage, from a friend’s phone or wherever, and not worry about whether I have “the right app” or about being targeted. (Obviously I don’t think I’m invulnerable, anyone can be hacked, it’s just that I’ve closed off what I consider to be an obvious pathway to my entire life.)
I’ve detailed it before, in short and (vastly) simplified form: I take 2 letters from the site. Am for Amazon, for instance. And a word I use everywhere, let’s say “change”. Change becomes “chang3” to satisfy sites that require letters and numbers, so my Amazon password would be CAmhang3. If the site requires it I add a “special character”, like “&” to the end. Now add the 3rd character from the site to the end, so for Amazon the final password is CAmhang3a, or possibly CAmhang3&a. Doesn’t look like much, eh?
Most times I enter a site I don’t use the character; if I get bounced, it’s trivial to re-enter using the character and I’m in. Once you’ve done it a couple of times, your personal “algorithm” becomes simple to enter.
Yes, I suppose the passwords look similar, CAmhang3a for Amazon, CWahang3&s for the Washington Post and CFihang3r for the bank, but it’s my belief that the hackers aren’t going to bother figuring out what my little algorithm is when there are people still using “Password” or “12345678” or “qwerty” for their passwords to multiple accounts. Even if they got hold of one of mine, it doesn’t easily lead to a second, you see?
And for anything important, say financial, I always use two-factor authentication, requiring the person to be in control of one of my devices that has been “trusted.”
Anyway, don’t use password managers. Don’t trust them. Too target rich, I hide in the weeds.
I think.