Even the unimportant ones can cause you problems.
One of the pushbacks I get when I reiterate the importance of securing your online accounts relates to accounts you might consider “unimportant”. You may feel that extra security measures are more hassle than they’re worth. As a result, you might use a poor password, re-use a password, or fail to set up recovery mechanisms.
My concern is twofold. First, accounts often become more important over time. Second, a breach of even a so-called “unimportant” account can still cause you massive headaches.
Unimportant accounts do matter
Regardless of what you may believe, your accounts — all of them — are targets for hackers. Even if you think you have nothing a hacker would want, you do. Recovery from an account hack, even for an “unimportant” one, can be more painful than expected. There’s no reason not to secure all your accounts properly from the start.
Let me debunk the most common reasons I hear for downgrading the risk of even “unimportant” accounts being hacked.
“I’m not a target, I have no money.”
To put it bluntly, this is flat-out wrong.
First, hackers won’t know you have no money until after you’ve been hacked!
Second, be it your bank, PayPal, credit card, or other financial accounts — every account is a target. Even if you have no money and no credit, hackers can use your accounts to perpetrate fraud, credit scams, and more, all in your name. If that happens, you may not find out until it’s much too late, leaving you with a mess to clean up.
The same is true for shopping accounts. Even without money or an associated payment method “on file”, scammers can still cause you grief by using those accounts for various forms of fraud and mayhem.
Your accounts are valuable to scammers for a variety of reasons, all of which will impact you negatively should the worst happen.
“I don’t use this account for anything important.”
You might think this about a secondary email account set up to stem the flow of marketing or spam headed to your primary, private account.
Once again, it doesn’t matter what you use the account for; spammers want it. They want access to your contacts so their spam and scams are more likely to be opened by the people who know and trust you. If you’re using this as an alternate email account, they want access so they can compromise your primary one.
Once your email account — any email account — is compromised and spammers get hold of it, it’s your reputation taking the hit and it’s your mess to clean up.
You may think, “If it’s ever compromised, I’ll just walk away from it.”
Good luck with that. It’s a good bet you have, in fact, used this “unimportant” account for something you’d want to keep. You won’t realize it until it’s much too late. It’s a story I hear often enough.
Importance grows over time
It’s possible your account truly is unimportant at first. If it gets compromised early, perhaps the ramifications are small. It’s annoying to have even an unimportant account get hacked, but it’s typically not more than that: an annoyance.
The longer you hold an account, the more you use it, the more you rely on it, and the more important it becomes.
My Hotmail account, for example, was originally and for a long time a truly unimportant throw-away account. I set it up to experiment with Hotmail shortly after Microsoft purchased it.
Today, it’s one of my most important accounts because it’s my Microsoft account, used for logging into several of my Windows computers.
The longer you have an account and the more you use it, the more important it becomes. If you treated it as unimportant when you set it up, it’s likely you didn’t set up the recovery and security information that will allow you to regain access to the account — and to everything for which it’s a gateway — should it ever be compromised.
There’s no real excuse
Honestly, there’s no real excuse not to do at least the bare minimum to secure any account, no matter how “unimportant” you think it may be today.
- Set a strong, unique password. 12 characters minimum, with random characters preferred, used nowhere else.
- Set recovery info. Be it a phone number, an alternate email address, or something else, set it and keep it up to date.
Really, that’s the bare minimum, and it’s just not that hard. Using a password vault lets me quickly assign new random 20-character passwords to every account I create these days. There’s just no reason not to.
Before you dismiss the account you’re creating as “unimportant” and before you assume you’re just not a valuable target, think again. Every account is more important than you think, and everyone is a target.
Take a few seconds at account creation time to protect yourself. Someday, you’ll be glad you did.
Do this
Secure your accounts from the start.
Absolutely right, and since there are several excellent free password managers around, there’s no excuse.
Except there is, and here goes my pet rant: most sites don’t disclose their password rules, and most of them have thoroughly stupid rules. Such as too short passwords, forbidden characters or character sets, compulsory characters or diversity of characters, and so on and so forth.
So, before setting up a password with my password manager’s generator, I always need to type 1234 etc. into the password field, in order to know at least the length limit. This is a major PITA, and thousands of website administrators should be summarily shot for that.
Some sites are even more perverted: they allow you to register a 30-character password, for instance, but in fact, the internal limit may be 20 characters. So they either truncate your password (and it works), or… you’re locked out the first time you try to login!
Again, I think we should bring back the Gestapo, and round up a few hundred suspects, just to teach a lesson to the others.
Nothing less than no length limit and no character rules at all will do. They have no excuses anymore. It might have been the case 30 years ago, but not with the current technology. At the very least, fix a ridiculously high limit, such as 1 000 characters, that nobody will ever hit.
I totally agree about the lack of specifications on creating a password. I always generate a 32 random character password with my password manager and allow it to use all special characters. If the site does not complain about the length or characters I assume that everything is alright. Well, I used to make that assumption until I learned that my password may have been truncated to a shorter one and there was no indication that they did this. I would find out later when I tried to login and the password would be invalid because I was using my original 32 character password.
What I do now is immediately logoff after creating my account then login using my password manager. If it fails then I fix it right away.
There is absolutely no reason that the password length and character rules are not known BEFORE you create the password.
That’s a good suggestion. Some sites require you to log in after creating an account to assure there are no problems with the password.
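The two failure modes described in this thread (silent truncation at signup only, and truncation on both signup and login) next to a corrected version, plus the register-then-log-in check, as an added Python example that is not code from the article or its commenters. The 20-character internal limit, the 1000-character disclosed ceiling, and the user names are constructed values.

```python
import hashlib
import hmac
import secrets

SITE_LIMIT = 20          # the undisclosed internal limit from the story (constructed)
DISCLOSED_LIMIT = 1000   # the fix: a generous ceiling the signup page states up front

users: dict[str, tuple[bytes, bytes]] = {}   # stands in for the user table

def _hash(pw: str, salt: bytes) -> bytes:
    # PBKDF2 accepts any input length; with bcrypt the hash itself silently
    # truncates at 72 bytes, so the length check must match the hash's limit too.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)

def _store(user: str, pw: str) -> None:
    salt = secrets.token_bytes(16)
    users[user] = (salt, _hash(pw, salt))

def _verify(user: str, pw: str) -> bool:
    salt, digest = users[user]
    return hmac.compare_digest(_hash(pw, salt), digest)

# Failure mode 1: the signup form truncates before hashing, the login form
# does not, so the user is locked out on their first login attempt.
def register_buggy(user: str, pw: str) -> None:
    _store(user, pw[:SITE_LIMIT])

def login_buggy(user: str, pw: str) -> bool:
    return _verify(user, pw)

# Failure mode 2: both forms truncate, so login "works", but everything past
# character 20 is ignored and the effective password is shorter than the user thinks.
def register_truncating(user: str, pw: str) -> None:
    _store(user, pw[:SITE_LIMIT])

def login_truncating(user: str, pw: str) -> bool:
    return _verify(user, pw[:SITE_LIMIT])

# Fix: one disclosed limit, enforced with a clear error before anything is
# stored, and the full string hashed the same way on both paths.
def register_fixed(user: str, pw: str) -> None:
    if len(pw) > DISCLOSED_LIMIT:
        raise ValueError(f"password must be at most {DISCLOSED_LIMIT} characters")
    _store(user, pw)

def login_fixed(user: str, pw: str) -> bool:
    return _verify(user, pw)

def signup_check(register, login, user: str, pw: str) -> bool:
    """The habit from the thread: register, then immediately log in again."""
    register(user, pw)
    return login(user, pw)
```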
Also: websites that won’t let you PASTE into the password field! WHY?! If you want someone to use a good password, let them copy and paste it in!
Amen to this. IMHO there should be an industry consortium whose charter is to develop secure, common standards for login protocols. Password keepers are essential (I use Dashlane), but they still get confused too often by unique features of many sites’ login pages…and when they get confused, it can hose up the UX – refreshed passwords not saved, failing to meet incorrect complexity requirements, etc. Parenthetically, that confusion can confuse a non-tech-nerd user – which is why I can’t recommend a password keeper for my 87-year-old mother in law.
It’s a mess, and it could all be standardized. Today’s situation is like small batteries with no standards – imagine life without knowing that an AA battery may or may not work in your toy?
That battery analogy is funny because I’ve seen identically sized button type batteries with different serial numbers.
I agree that protecting our “accounts” is very important; perhaps defining exactly what is meant by Accounts would be helpful. I assume it is things like an Adobe account, bank accounts, etc. I use the internet a lot but it’s getting much more difficult, a game of whack-a-mole if you must. Just when you think you’ve knocked them all down another one pops up. I don’t think that Clairvaux’s comment about “summarily shot” or “rounding up several hundred suspects to teach them a lesson” was helpful. I am however wondering if the content of a website being protected helps keep the accounts protected is part of the solution. I do have virus and malware protection; doesn’t that keep me protected? Pretty soon the internet is just going to be too complicated to use any longer; there’s got to be a better, more simple, answer somewhere out there … doesn’t there?
I am one of those really don’t give a rip users. I use password managers and tough PWs for important sites, but could care less about many retailer web sites that want me to create an account. If that account gets compromised, tough luck. Many of those places are a one time need/purchase.
As for PW managers they don’t work all the time. I am not a good typer so complicated PWs are hard to input. Too many web sites don’t allow PW managers to auto fill so the manager must be opened up to copy. Sometimes they overwrite a PW when you fill in “secret” information and they think it’s a new login. At best PWs are still very primitive and punishment for web sites not protecting your data is far too soft.
Sorry about the rant.
If you made a one-time purchase on a website and you used your credit or debit card, the website might have retained your credit card information to make it easier when you return. Anyone getting into that website would be able to purchase using your credit card. There may be some websites that really don’t matter, but if you stay in the habit of using strong unique passwords, you’ll be better protected. If you use a password manager, they are no more work than long strong unique passwords.
I’m like you Leo. My Hotmail account was my unimportant account until Microsoft began demanding an account for Sign In to a computer instead of the old username and password method. Then it became important so that I don’t get locked out of my entire device. (I’ve since figured out how to go back to a plain log in.)
Next, I chose to back up my phone’s pictures to OneDrive instead of Google Photos, so now my Hotmail account is double important. Had a recent scare when I couldn’t get back into the account on my home computer. It asked for verification and would not send the code to either of the two listed backup accounts. Checked next day and got in okay via the work computer, so I hope everything is okay with that account that I never use for important emailing.
Definitely check the recovery information associated with the account in case you get locked out again.
I had the same experience. I opened a Hotmail account to try it out. I didn’t like it, so I never really used it. Then when Microsoft started requiring a Microsoft account, I started using that account. Of course, if that account had been compromised or vulnerable because of a non-unique password, I could have just opened a new account, but I had a good name on that account, and it eventually became one of the accounts I use.
Has anyone ever done an actual survey to find out how many people using a relatively simple password—say something like H2oh2so4—have been hacked?
Ditto for people using the same password for multiple unimportant accounts.
Just curious.
Easiest way is to see if those passwords exist in databases of hacked passwords. PwndPasswords (https://haveibeenpwned.com/Passwords) would be a good one to check.
And yes, “H2oh2so4” has been hacked.
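An added example, not code from the article or its commenters, of the Pwned Passwords check just mentioned: only the first five hex characters of the password’s SHA-1 go to the service, and the client matches the remaining 35 against the returned range locally. The range response here is a constructed offline stand-in for the real HTTP call, and every count in it is made up.

```python
import hashlib

# The real service answers GET https://api.pwnedpasswords.com/range/<prefix>
# with one "SUFFIX:COUNT" line per known breached hash sharing that prefix.

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-character prefix that is sent
    to the service and the 35-character suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def count_in_range(suffix: str, range_body: str) -> int:
    """Scan a range response for our suffix; 0 means it was not found."""
    for line in range_body.splitlines():
        found, sep, count = line.strip().partition(":")
        if sep and found.upper() == suffix:
            return int(count)
    return 0

def breach_count(password: str, fetch_range) -> int:
    """Full k-anonymity check: fetch by prefix, match the suffix locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(suffix, fetch_range(prefix))

# Constructed offline stand-in for the network call. The two fixed suffixes
# and all counts are made up; the suffix of the page's example password is
# inserted so that looking it up "hits", as the comment above reports.
_EXAMPLE_PREFIX, _EXAMPLE_SUFFIX = sha1_prefix_suffix("H2oh2so4")
_FAKE_RANGE = "\r\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:3",
    f"{_EXAMPLE_SUFFIX}:1234",
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1",
])

def fake_fetch_range(prefix: str) -> str:
    # Any other prefix gets an empty range, i.e. "no breached hashes here".
    return _FAKE_RANGE if prefix == _EXAMPLE_PREFIX else ""

if __name__ == "__main__":
    print("H2oh2so4 seen in breaches:", breach_count("H2oh2so4", fake_fetch_range))
```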
A relatively simple password is OK as long as it is at least 16-20 characters long. As Leo said in a Tip of the Day
But be careful. Four random words may be a good password but a known phrase, for example, a Shakespearian quote or a Bible verse might be hacked using a dictionary attack.
Your variation on the sulfuric acid formula would be OK but it’s too short.
My early email accounts were all provided by the ISPs I used to connect to the Internet. My earliest forays onto the Internet – the early World Wide Web (circa Windows 95) – were via a local dial-up ISP (I no longer remember their name). IIRC, they provided four email addresses (enough for me and my family).
My next ISP was a local broadband provider (my Cable TV service provider) who promised a whopping 1 mb/s bandwidth. They provided email addresses (again, enough for my family to each have their own). We stayed with them for about a decade. During that time, I set up a Microsoft-based account (I think it was Hotmail) using my ISP-provided email address as my username (an experiment). Then, when my wife decided that our TV provider was increasing prices across the board too often, we decided to make a change. My first step was to make sure each family member had a gmail account (I already had one) for continuity. Soon after that, we switched to Dish Network for our TV service, and ATT (50 mbps service) on copper for Internet. After dropping the local TV/Internet/Phone service (that email account would become inaccessible to me), I changed my Microsoft account to use an Outlook email address for my username (IIRC, the Hotmail account morphed into an Outlook account about that time). In 2019, when my wife passed, we switched once again, this time to ATT U-Verse Basic Local for TV, and ATT Fiber-300 (which was later upgraded – free – to Fiber-500) for Internet (the service I use today).
When Microsoft offered to switch my account to password-less login I made the change. At about the same time, I decided to enable 2FA on all of my Internet-based accounts that supported it, and to enhance security wherever I could. I got USB fingerprint scanners for my PCs to enable biometric login. I installed the Microsoft Authenticator app on my mobile phone to facilitate 2FA on my PCs and Internet-based accounts, and I use LastPass (also with 2FA enabled) to store my passwords. Today, most of my accounts have 2FA enabled, and my PCs and phone use biometric login. All the drives on my PCs are encrypted (protection against theft), and I check my email accounts annually on the ‘Have I Been Pwned’ website to ensure they are not included in a new breach. I get email notifications when one of my accounts is (or may be) involved in a breach, at which time I change the password for that account and verify that my account recovery information is correct.
I do not assume that I am safe on the Internet, or that all my security efforts really make much of a difference overall regarding malware, but I do what I can to make my devices as difficult as possible to breach in the hope that attackers will move on to an easier target. For the same fundamental reasoning, I enable 2FA on my accounts, use a password manager to manage my passwords, use long, strong, unique passwords for my accounts, check my accounts for breaches, and generally do everything I can to keep what I have as safe as possible. Security may involve much more than passwords, but they are very important. I look at long, strong, unique passwords as being the outer wall of defense protecting me from attack.
My2Cents,
Ernie
How is the best way to delete an account, say for shopping etc, that you don’t want anymore and be sure that it is removed and info destroyed?
Follow the service’s instructions for doing so, and hope that they follow through. There’s no single, standard answer.
One of the best things I did years ago was to purchase RoboForm to take care of my passwords. Also when PCMatic became a reality with super shield, I took that one too for even more security. I have not had any problems since doing that. Thanks Leo for reminding us that if we don’t protect, we will pay!
I use a similar product – Lastpass. Worked well for me over many years. It can generate complex passwords for me, but it also occasionally warns me if any of my self made passwords are too weak and need strengthening.
Hi
I definitely agree that some accounts you might create start off as “unimportant”, but then change over time as you use them more. However I can give you an instance where I have an account with just a simple password. I am a football (soccer) fan of a particular team. I sometimes visit a website with a forum for discussing tactics, players, the coach, pubs to meet in etc. The account I login with on that site has a very simple password. If someone breaches the account, all they could do is post opinions on football that I don’t agree with. My real name is not on there, no other personal information at all such as age, email address etc. It’s just a login pseudonym and a password. So I figure that it’s easier to use a simple password that I’ll never forget.
And watch out for 2 factor identification. My nephew’s cell phone plan closed after he died. It’s a challenge right now. I’m unable to access 2 google accounts with no way to contact google re same. Cancelled PayPal and 1 other, by contacting customer service. Still 4 or so to go. Also I have 2 or 3 ancient email accounts laying around. They were attached to a previous work email which is also gone. Do you have any ideas of what to do with those? Yes it will all be much easier with fewer accounts. Are there previous articles that talk about any of this? Reminders will be gratefully accepted. Thank you, Barbara
Unfortunately, if things haven’t been set up beforehand — either providing information for your survivors or setting up appropriate recovery mechanisms for things like losing your two-factor device — things can get really ugly. This article talks about much of it: Preparing For The Ultimate Disaster.
Leo, Google has a device called Inactive Account Manager. There are a few choices you can make in the event of your death, but primarily they lean towards “account privacy” and Google would rather close an account than grant access to a relative. It would be very difficult to get into an account unless arrangements were made before death.
Barbara, I hated the concept of 2 Factor Authorization or 2 Step Verification, but more services are insisting on it. Gmail recently made a push to enrol more users in 2 Factor, so now I have it. Verification is through my phone, and my phone is both PIN and Fingerprint protected. You can see how difficult it would be for my wife or children to access my most important account if they can’t even access my locked phone. Should they cut off my finger before they bury me? (My wife knows my PIN, but anyone else would be locked out). Gmail also has an option to print out emergency access codes for 2SV but many people neglect to do so or lose them afterwards.