It is not a question of whether or not they can be opened; they are designed to be opened. How else could we retrieve our possessions when we want them? The inherent vulnerability of this design is what allows safe crackers to gain unauthorized access. Online security is similar: for our accounts to function we must be able to access them, and where there is access, there is the possibility of unauthorized access. It happens almost every day. Odds are, if you were to perform an internet search for "security breach" right now, the most recent result would be a news story about a massive breach of personal information that took place (or was disclosed) yesterday or today. That is the inherent vulnerability of accessible information at work. Security experts can try their best to prevent these breaches, but no security is infallible.
Hackers will get access to some of our information. There is nothing we can do about this. What we can do is prevent hackers from using some of our information to gain access to all our information, and this is where I failed.
I knew all the tips.
At this point I think everyone has heard most, if not all, of these:
- Don't use passwords based on personal information which can be easily accessed or guessed.
- Don't use words found in any dictionary of any language.
- Use both lowercase and capital letters.
- Use a combination of letters, numbers, and special characters.
And most importantly:
- Use different passwords on different systems/sites.
But I didn't.
I had about six variations of two passwords that I used on every site that I visited, including my email address. The only e-mail address I had, with years' worth of archived emails from every site I visit.
This could have been a disaster. In just a few hours, a hacker gained access to, and changed the passwords of, every site I visit.
In the end I was fortunate. No money was stolen. Nothing was purchased on my credit cards. No new accounts opened in my name. Nothing ridiculous was posted to Facebook or Twitter. None of my MMO characters were deleted or mined for gear or gold. The hackers didn't even add Rick Astley to all my Pandora stations.
I suffered nothing more than a few hours of inconvenience regaining access to my accounts.
As is often the case, I got lucky.
Because I know I'll never get this lucky again, I now use protection:
- I use a password manager to keep track of passwords
- Every site has a unique and highly complicated password
- I have multiple email addresses that are used for unique purposes
- I no longer honestly answer "secret questions" [1]
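The four protections above amount to a small procedure: generate a unique, high-entropy password per site, generate a nonsense answer per "secret question", and make sure no two entries in the vault are variants of one another. The script below is an added example written for this post, not code from the original; the vault contents and the short word list are constructed, and a real password manager would use the OS random source the same way but with a far larger word list.

```python
import math
import secrets
import string
from difflib import SequenceMatcher

# Characters drawn from when generating a site password.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list for nonsense "secret question" answers.
# A real deployment would use a large list (thousands of words) so answers are hard to guess.
WORDS = ["copper", "lantern", "violet", "thistle", "harbor", "meadow", "pebble", "quartz"]

# Constructed vault illustrating the "six variations of two passwords" problem:
# three entries are variants of one base password, one is unrelated.
SAMPLE_VAULT = {
    "email": "Summer2011!",
    "bank": "Summer2011!!",
    "forum": "summer2011",
    "mmo": "Tr0ub4dor&3",
}


def generate_password(length: int = 20) -> str:
    """Return a password drawn uniformly from ALPHABET using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_secret_answer(words: int = 4, wordlist: list[str] = WORDS) -> str:
    """Return a nonsense answer for a 'secret question', e.g. 'violet-copper-harbor-pebble'.

    The answer carries no personal information, so a leaked answer reveals nothing
    about the account owner; it is stored in the password manager like a password.
    """
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def find_reuse(vault: dict[str, str], threshold: float = 0.8) -> list[tuple[str, str, float]]:
    """Report site pairs whose passwords are identical or near-identical variants.

    Similarity is the difflib ratio in [0, 1]; 1.0 means identical. Variants such as
    'Summer2011!' and 'Summer2011!!' score well above the threshold, so a breach of
    one site's password would let an attacker guess the other in a handful of tries.
    """
    sites = sorted(vault)
    hits = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            score = SequenceMatcher(None, vault[a], vault[b]).ratio()
            if score >= threshold:
                hits.append((a, b, round(score, 3)))
    return hits


def rotate_vault(vault: dict[str, str], length: int = 20) -> dict[str, str]:
    """Replace every entry with a fresh, independent random password."""
    return {site: generate_password(length) for site in vault}


if __name__ == "__main__":
    print("Reused/variant passwords in the sample vault:")
    for a, b, score in find_reuse(SAMPLE_VAULT):
        print(f"  {a} <-> {b}: similarity {score}")
    fixed = rotate_vault(SAMPLE_VAULT)
    print("After rotation, reuse found:", find_reuse(fixed))
    print(f"Each new password has about {entropy_bits(20, len(ALPHABET)):.0f} bits of entropy")
    print("Sample nonsense secret answer:", generate_secret_answer())
```

Running it lists the three variant pairs in the constructed vault (email/bank, email/forum, bank/forum), then shows an empty reuse report once every site has its own random password. The similarity threshold of 0.8 is an assumption chosen for this demo; the point is that "variations" of one password are not independent secrets.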
Until now, this story was mostly unknown to my friends and family. In their minds, I am "the computer guy" and what you've just read could never happen to me because "I know better".
And they're right, it shouldn't have happened to me.
Don't let it happen to you.
Learn from my mistakes!
[1] Often the secret questions/answers are not stored as securely as username/password and credit card information. Answering these questions honestly can give hackers access to personal information like my mother's maiden name, my favorite movie, or where I went to school. Hackers can then use this information to gain even more access to, or knowledge of, my life. By "making up" a nonsense answer for these questions, I do not give out more information about myself that could be used against me.