Wait! Didn’t I just finish doing a switcheroo of all my passwords?
About three months ago, when the Heartbleed encryption bug was discovered, I painstakingly sifted through all my online accounts — banking, social media, investments and emails — to change every single one of my dang passwords. There were a lot of them, which was to be expected. After all, I live much of my life online.
Then, as if that exercise hadn’t been tedious enough, I had to make sure I jotted down each of these new passwords in a secure place, a lockbox that would keep my secrets far from cyber-thieves. For me that meant a sheet of lined paper filled with my Catholic schoolgirl script. Yes, yes, I know from my IT-savvy friends that a variety of services can help me store passwords securely. I’m sure these are immensely useful — but I don’t have a lot of confidence in them.
Call me old school. More and more I need something tangible — something to hold in my hands and sniff with my nose — to overcome my growing suspicions of a world changing too quickly.
The cheat sheet was short-lived anyway. After a few weeks of typing in these passwords, I had memorized most of them. I felt proud of my aging but still-nimble brain.
But now, thanks to a crime ring thousands of miles away, I’m back to inventing new passwords. I suspect I’ll be doing this every few weeks, as recommended by security experts who tell us that sorry, chump, our data are not safe, no matter how many firewalls a website builds in.
This latest breach is the work of Russian twentysomethings living in a small city somewhere near Mongolia. (Halfway around the world, to be sure, but their tentacles are far-reaching and powerful.) Last week, Milwaukee-based Hold Security discovered that this crime ring had collected more than a billion username and password combinations, as well as 500 million email addresses.
Yours could be among them. So could mine.
This is a scary thought.
In an email sent company-wide, my employer concluded that none of the employee log-in credentials had been compromised, but “we do strongly suggest that you consider changing all of your passwords for personal and professional online accounts as quickly as possible.”
Hence, the rush to execute the password pirouette.
Perhaps the most disconcerting part of these hacks is that most of us are only semi-literate with the complex terms and rules of programming, botnets and zombie computers. We feel helpless and overwhelmed. Stupid.
We aren’t the only ones nursing such feelings. A New York Times article on the Russian hackers reported that data security breaches have gotten larger, more expensive and more frequent in spite of improved security. One researcher lamented that criminals’ “ability to attack is certainly outpacing the ability to defend.”
We are reminded of this constantly. Before the Russians, before Heartbleed, we lived through the theft from Target of 40 million credit card numbers and 70 million addresses, phone numbers and other personal information, courtesy of hackers in Eastern Europe. There was also the theft of 200 million personal records, including Social Security numbers, from Court Ventures, an aggregator of public records. And in November, some hackers in the Netherlands stole info for almost two million accounts from social networks, including Facebook, YouTube, Twitter and LinkedIn. How many more do we not know about?
We live in dangerous times. Forget the barbarians at the gate. They’re now skulking behind the log-in prompt.