How Was My Password Hacked?

You may be surprised to learn how most passwords are hacked. It isn't by breaking into the account that is threatened, but by stealing the password from another site entirely. This happens because many people use the same password for different sites. You can easily protect yourself against this.

Video Transcript
Here's something you may have seen in the last couple of years, and it's going to keep happening. You get an alert that you need to change your password. But when you read further into the notice from whatever website sent it, you find that they claim they haven't been hacked. Nobody has broken into their site.

So if that's true, why do you need to change your password? If nobody has broken into their site and nobody has hacked your account there, how is it that you need to change your password? Well, it turns out it's relatively easy for attackers to get hold of your password without ever breaking into the site itself. Let me show you how it works and how you can protect yourself against it.

Here's a typical setup. Say you've got all these different websites that you belong to. Maybe there's Yahoo, there's Google, there's iCloud of course. There are shopping sites like Amazon. All of these have an ID and a password. Now chances are your ID is the same for every single one: it's your email address. Your password, though, should be completely different for each one. It should be not only different but randomly generated, so it should look something like this. Each one is randomly generated, say from a password management program like 1Password or LastPass, or maybe just by using Safari's ability to create random passwords. Every one is completely random. In that case, that's great.

However, a lot of people don't do this. Even people who know a lot about security and feel like they know what they're doing will do something more like this. You can see that a whole bunch of the passwords are the same. Now, they still might be randomly generated, but the thinking is: I've memorized this randomly generated strong password, let me stick with it and use it for all these different sites. It may seem like a good idea, but in fact it's not. A strong password that is reused is only as safe as the weakest site it is used on. You should definitely have a separately generated one for each site.

So here's what happens. Say Site B is broken into. Maybe it's a site you don't even care about. Maybe it's just some game that you played a long time ago, or a shopping site where you didn't even give them your credit card or anything. It's nothing that important. Somebody breaks into it; who cares if they got into your account there? But they broke into that site and they got your password. If they got your password there, that means they actually have your password for all the different sites where you're using that same password.

What do they do with it? Well, they will go and test it against other sites. So, for instance, take Site D there. You don't care about it. Not only do you not care about it, but most people don't. It's not that important a site, and maybe because of that it didn't have great security. Somebody broke in and stole all the passwords. Now they take your ID and password, and all the other ones they've stolen, and they try them at the other sites, like Site J, which I put here as iCloud. They try all those IDs and passwords there, and when one works they don't even do anything; they just log right back out. They compile all the ones that work into a big list, and they can sell that list for a lot of money or use it themselves. This technique is known as credential stuffing. So your iCloud password was just stolen because you used the same password somewhere else and that site was broken into. It could be that this site doesn't even care if it gets broken into, so it's not in the news. They don't even publicize it. For all you know your password is compromised and you may not even realize it.
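The pattern just described (one source trying many different IDs in a short burst, mostly failing, and logging straight back out of the ones that work) is what a site operator can look for in its own login logs. The following is an added example, not code from the original page or from any of the sites mentioned: the log format is an assumption (one event per line: ISO timestamp, source IP, username, and LOGIN_OK, LOGIN_FAIL or LOGOUT), and the sample lines are constructed for the example.

```python
"""Flag credential-stuffing sources in authentication logs.

Added example, not code from the original page. The log format is an
assumption: one event per line, "<ISO timestamp> <source ip> <username>
<LOGIN_OK|LOGIN_FAIL|LOGOUT>". The lines in SAMPLE_LOG are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one IP runs through a stolen list (two hits, logged out
# at once); a second IP is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2017-04-12T10:00:01 203.0.113.9 alice@example.com LOGIN_FAIL
2017-04-12T10:00:02 203.0.113.9 bob@example.com LOGIN_FAIL
2017-04-12T10:00:02 203.0.113.9 carol@example.com LOGIN_OK
2017-04-12T10:00:03 203.0.113.9 carol@example.com LOGOUT
2017-04-12T10:00:04 203.0.113.9 dave@example.com LOGIN_FAIL
2017-04-12T10:00:05 203.0.113.9 erin@example.com LOGIN_OK
2017-04-12T10:00:05 203.0.113.9 erin@example.com LOGOUT
2017-04-12T10:00:06 203.0.113.9 frank@example.com LOGIN_FAIL
2017-04-12T10:00:07 203.0.113.9 grace@example.com LOGIN_FAIL
2017-04-12T10:00:08 203.0.113.9 heidi@example.com LOGIN_FAIL
2017-04-12T10:03:00 198.51.100.7 alice@example.com LOGIN_FAIL
2017-04-12T10:03:20 198.51.100.7 alice@example.com LOGIN_OK
2017-04-12T10:45:00 198.51.100.7 alice@example.com LOGOUT
"""


def parse_log(text):
    """Parse log lines into (timestamp, ip, user, event) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, event = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, event))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5,
                          min_fail_ratio=0.5, quick_logout=timedelta(seconds=10)):
    """Return {ip: report} for source IPs that (a) try at least `min_users`
    distinct usernames inside any `window` and (b) fail at least
    `min_fail_ratio` of their attempts. The report also lists the accounts the
    IP logged into successfully and how many of those sessions ended within
    `quick_logout` (log in, confirm the password works, log out again)."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    reports = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e[0])
        attempts = [e for e in evs if e[3] in ("LOGIN_OK", "LOGIN_FAIL")]
        if not attempts:
            continue
        # Largest number of distinct usernames tried within one sliding window.
        max_users, j = 0, 0
        for i in range(len(attempts)):
            while j < len(attempts) and attempts[j][0] - attempts[i][0] <= window:
                j += 1
            max_users = max(max_users, len({e[2] for e in attempts[i:j]}))
        fails = sum(1 for e in attempts if e[3] == "LOGIN_FAIL")
        fail_ratio = fails / len(attempts)
        if max_users < min_users or fail_ratio < min_fail_ratio:
            continue
        # Accounts that actually opened, and how many were hit-and-run sessions.
        last_ok, working, quick = {}, set(), 0
        for ts, _, user, event in evs:
            if event == "LOGIN_OK":
                last_ok[user] = ts
                working.add(user)
            elif event == "LOGOUT" and user in last_ok:
                if ts - last_ok.pop(user) <= quick_logout:
                    quick += 1
        reports[ip] = {"attempts": len(attempts), "distinct_users": max_users,
                       "fail_ratio": fail_ratio, "working_accounts": sorted(working),
                       "quick_logouts": quick}
    return reports


if __name__ == "__main__":
    for ip, r in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {r['distinct_users']} usernames, {r['fail_ratio']:.0%} failures, "
              f"{r['quick_logouts']} hit-and-run sessions; "
              f"working accounts: {', '.join(r['working_accounts'])}")
```

The accounts listed under `working_accounts` for a flagged IP are exactly the ones whose owners reused a password that leaked elsewhere; those are the passwords a site should force a reset on, even though the site itself was never breached. The thresholds are starting points, not tuned values, and a real deployment would also have to cope with many users behind one NAT address.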

This is why it is important not only to use random passwords but to use a different one for every site. Because imagine if you had indeed set a different password for every single site and this one was compromised: only that one account would be compromised. If it's a site you don't care about, you may never even know, and it doesn't matter. If it is a site you care about, you only need to change that one password. You never have to worry about any of the other sites being compromised, because it's a totally different password there. That's why it's important.
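A practical way to find out where you stand is to export your password manager's vault and look for any password that appears under more than one site. The following is an added example, not code from the original page or from Safari, 1Password or any other product: the CSV column names (title, url, username, password) are an assumption, since real exports differ, and the vault contents are constructed for the example. Several accounts on the same site sharing a password are reported separately from reuse across different sites, and the report identifies each password only by a short hash so the output itself does not contain secrets.

```python
"""Audit a password-manager CSV export for passwords reused across sites.

Added example, not code from the original page or any password manager.
Column names are an assumption; SAMPLE_EXPORT is constructed, not real data.
"""
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlparse

# Constructed vault: one memorised password reused on four unrelated sites,
# one password shared by two accounts on the same site, one unique password.
SAMPLE_EXPORT = """\
title,url,username,password
Yahoo,https://login.yahoo.com,chris@example.com,Correct-Horse-Battery
Google,https://accounts.google.com,chris@example.com,Correct-Horse-Battery
iCloud,https://www.icloud.com,chris@example.com,Correct-Horse-Battery
Amazon,https://www.amazon.com,chris@example.com,qv7-Xe2-pL9-mN4
Old Game,https://play.oldgame.example,chris@example.com,Correct-Horse-Battery
Work Gmail,https://mail.google.com,chris@work.example,hT4-rW8-kQ2-zB6
Work Gmail admin,https://admin.google.com,admin@work.example,hT4-rW8-kQ2-zB6
"""


def registrable_domain(url):
    """Approximate the 'site' as the last two labels of the hostname, so that
    mail.google.com and accounts.google.com count as one site. This is an
    approximation: suffixes such as co.uk would need a public-suffix list."""
    host = (urlparse(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def fingerprint(password):
    """Short non-reversible handle so the report never shows the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]


def find_reused(csv_text):
    """Return one finding per password used on two or more distinct sites,
    most widely reused first. A password shared only by several accounts on
    one site is not reported as cross-site reuse."""
    groups = defaultdict(list)  # password -> [(site, username, title)]
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = row.get("password") or ""
        if not pw:
            continue
        groups[pw].append((registrable_domain(row.get("url") or ""),
                           row.get("username") or "", row.get("title") or ""))
    findings = []
    for pw, entries in groups.items():
        sites = sorted({site for site, _, _ in entries})
        if len(sites) < 2:
            continue
        findings.append({"fingerprint": fingerprint(pw), "sites": sites,
                         "entries": sorted(entries)})
    findings.sort(key=lambda f: len(f["sites"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in find_reused(SAMPLE_EXPORT):
        print(f"password {f['fingerprint']} is shared by {len(f['sites'])} sites: "
              f"{', '.join(f['sites'])}")
        for site, user, title in f["entries"]:
            print(f"    {title}  ({user} at {site})")
```

Run it against a real export only on the machine the export was made on, and delete the CSV afterwards: an unencrypted vault export is exactly the kind of file this whole article is warning about. The sites listed in a finding are the ones to change first, starting with the most important account in the group.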

Of course, you should go and take the further step of using two-factor or two-step authentication wherever a site offers it. But for general protection on the many sites that don't offer it, and even on the ones that do, use a different password for every site to be safe.

Comments: 16 Responses to “How Was My Password Hacked?”

    4/12/17 @ 3:56 pm

    I keep all my passwords stored in Safari’s keychain. Is there a way to cross-reference all of them to see if any duplicates exist? I recall 1Password having a similar functionality.

    4/12/17 @ 3:58 pm

    Chris: I would just manually go through the list when you have time. I wouldn’t leave it up to an automatic process because it is common to have multiple passwords to the same site — for multiple accounts. Or, just leave it as it doesn’t do any harm. If there is a site you log on to often and you see some old passwords appear, just take care of them on a case-by-case basis.

    4/12/17 @ 4:28 pm

    Thanks Gary. You mentioned 2FA. How can one plan for the event that one of their devices is lost/stolen?

    For example, I have an iMac and iPhone. I travel often. What happens if my iPhone is lost or stolen? Without 2FA, I can just pick up a new iPhone at the Apple Store and can sign back into iCloud no problem. But with 2FA, my iMac is at home.

    4/12/17 @ 4:36 pm

    Chris: You can read all about that here:
    Basically, you want to set up an SMS number as a backup. Then you get your iPhone replaced (same number) so you can get access again. So you sign in, click on the button to send your code via another method, and have it sent SMS. You get the code and you are set.

    4/12/17 @ 4:44 pm

    Great! I always forget that Apple has excellent support resources. Thanks Gary.

    Paul Gardner
    4/13/17 @ 8:33 am

    I use 3 or 4 passwords across 50 or 60 sites. I also use 1Password to fill out forms and remember these IDs and passwords. I have never used their generated password function. To change over, do I need to contact each of the websites and make individual changes? I’m concerned that my iPad usage will be made more difficult. I am an Apple user. Am I better off with using Keychain or another password manager?


    Ray Shepherd
    4/13/17 @ 8:49 am

    Hi Gary. Good points well made.
    So across all my devices logged into the same Apple account I can let Safari/keychain randomly generate a unique password per site? I think I tried this once and got into trouble because some higher security sites won’t accept Safari/keychain passwords. Am I correct or was I just doing it wrong?

    John Melito
    4/13/17 @ 9:31 am

    Great video! In your opinion, which provides the best safety, yet is easiest to use: 1Password or Msecure? Or do you suggest another. I have a MacBook pro, iPhone 6, and iPod Touch. Thank you!

    David Christensen
    4/13/17 @ 10:02 am

    I was sent an email from Apple saying my iTunes password was used to attempt to log into iTunes from an IP in France. This email told me to go change my password. It did not offer me a link. Just told me to change my password. I went in and changed my password and my account was already locked like the email said. I thought this was truly amazing. I did then have to go change Netflix, DIRECTV and Hulu because, you guessed it, they were the same password. Now after that they are all different.

    4/13/17 @ 10:17 am

    Can you recommend a good app to store passwords?

    4/13/17 @ 3:04 pm

    Paul: Yes, you naturally need to change each password at each site. You don’t have to do this all at once. Just start moving toward having a unique password for each site. Start with the sites that you use most often and that are the most important. Use the built-in Safari password feature so you have random ones and you never have to type them because Safari enters them for you. Eventually, when you get many sites changed to unique strong passwords, then you can finish off the last ones. Read my free security book or take my free security course for more details about passwords (see right sidebar).

    4/13/17 @ 3:07 pm

    Ray: Most sites today should allow the type of passwords Safari uses. If they don’t, that’s very sad as it means they aren’t serious about security. But you can always customize the password a little (remove dashes or shorten) if you need.

    4/13/17 @ 3:12 pm

    John & Marty: I usually just rely on iCloud Keychain (built-in Safari) since I am 100% in the Apple ecosystem. But I use 1Password at the same time since it is not much extra effort. 1Password would be great for those who also have one or more devices outside of Apple since you can do it on Windows, etc.

    4/13/17 @ 3:13 pm

    Very informative. Wanted to read the answers to all the above questions.

    John Stires
    4/14/17 @ 3:38 pm

    The proliferation of individual apps like Visa, E-Trade, Amazon, Auto Club, etc., means I’m back to referencing a list of (typically confusing) passwords; Safari’s keychain is out of the loop. Am I missing something?

    4/14/17 @ 4:24 pm

    John: Apps either shouldn’t ask you to enter your password very often, or use Touch ID to make it easier. But it is just a part of keeping secure — like it used to be with carrying many keys with you to lock up all of your stuff. The complexity of the password shouldn’t matter as it should always just be copy and paste anyway.
