When I was a young warthog, I created my first Gmail account.
It was a time of AOL Instant Messenger, Koolaid Jammers, and learning how to bypass school internet blacklists with proxies to play flash games during comp sci.
As such, I did not create a timeless email address.
Instead, I opted for a juvenile one to befit my tremendously small ego: [email protected]
But that was my email address and slowly but surely I used it to create one account after another over more than 10 years.
Facebook, Amazon, MySpace, Soundcloud, Bank of America, WordPress, etc. The list goes on as you well know.
Some years later I wised up and created a sensible email address – only to slap on an email forwarder and continue to use my Gmail-of-youth.
I thought this blog post was about passwords?
Yeah, yeah, I’m getting there.
So, here I was using my old Gmail for all my accounts, when I started to pay attention to the news.
- 3 Billion Yahoo Accounts Hacked
- 500 Million Mariott Account Hacked
- 143 Million Equifax Accounts Exposed
Yeah, data breaches made me fix my email address because, like 73% of people, I was using the same passwords across multiple accounts.
Let me reiterate: my email-password combo was the same for basically every account I own. So, if any of these accounts became compromised, the hacker would have my email-password for all of my accounts.
And I thought, well there are so many accounts out there, mine probably is safe. Nope.
I ran my amazing email address through the breach scanner (yes, it’s legit) and found I’d had my data exposed by Apollo, a company I had literally never heard of.
As the data breaches began to pile up, not only did I become more worried, but I learned quite how easy it is to access this breached data.
Literally, any Joe Schmoe can go and retrieve it from the published list – though, I’m not going to show you how to do that, sorry.
So, I freaked out and changed all my passwords
It’s understandable, really.
It would be foolish of me to continue to trust organizations to keep my data safe, so the least I can do is plan for them to lose it and mitigate the risk of my other accounts.
I resolved to take my security into my own hands by changing the passwords of every account that I owned to one that was unique and secure.
Now, I’m not a lunatic. I didn’t stay up for 48 hours straight trying to remember every account I owned and change its password.
Instead, I took one hour to do the following task list:
- Set up a password manager
- Change my password (and email) on the most important accounts I could think of.
- Set up two-factor authentication (2FA) when available
A password manager is absolutely key here.
Without one, you’d end up with a Google Sheet with all your accounts and passwords lined up – now that wouldn’t be very secure, would it?
Though you might be thinking “well then, wouldn’t all my passwords just be stored on the password manager’s servers and equally be at risk”, password managers have deep layers of security and encryption that hinge upon a master password – so even if the data breached, without the master password the information would be useless.
Protip: Master passwords should be long phrases that you can easily remember like “honestly, I still can’t believe it’s not butter” or “long live the flying spaghetti monster”.
Longer passphrases are far more effective than 0bscur3 pAsSw0rdZ! since it takes computers way longer to guess.
Personally, I use Last Password, but I hear excellent things about One Password as well.
Two factor is equally as important since it prevents unauthorized account access even if they have your password. Always choose to use an application like Authy or Google Authenticator, instead of SMS, when available. (SMS has been proven vulnerable, but it’s better than nothing).
Protip: *always* store your 2FA backup code within your password manager – if you lose your phone, you’ll be screwed without the backup code.
After that initial hour, I decided to just update the rest of my accounts as I went along.
In all honesty, I’m still in the process.
The end … of an era
Now, my key accounts
- All have a unique, secure password stored safely (and handily) in my password manager
- Have 2FA enabled with Authy (with backup codes also stored in my password manager)
- No longer use my old Gmail address
On top of that, I added a forwarder from my old email to my new one and made sure to automatically label incoming emails from that account so I could be sure to address anything sent there.
I’ll never delete it though, it’s such a baller email address.