Technology in terms you understand. Sign up for the Confident Computing newsletter for weekly solutions to make your life easier. Click here and get The Ask Leo! Guide to Staying Safe on the Internet — FREE Edition as my thank you for subscribing!

25 comments on “Why Your “Unimportant” Accounts Matter”

  1. Absolutely right, and since there are several excellent free password managers around, there’s no excuse.

    Except there is, and here goes my pet rant : most sites don’t disclose their password rules, and most of them have thoroughly stupid rules. Such as too short passwords, forbidden characters or character sets, compulsory characters or diversity of characters, and so on and so forth.

    So, before setting up a password with my password manager’s generator, I always need to type 1234 etc., into the password field, in order to know at least the length limit. This is a major PITA, and thousands of website administrators should be summarily shot for that.

    Some sites are even more perverted : they allow you to register a 30-character password, for instance, but in fact, the internal limit may be 20 characters. So they either truncate your password (and it works), or… you’re locked out the first time you try to login !

    Again, I think we should bring back the Gestapo, and round up a few hundred suspects, just to teach a lesson to the others.

    Nothing less than no length limit and no character rules at all will do. They have no excuses anymore. It might have been the case 30 years ago, but not with the current technology. At the very least, fix a ridiculously high limit, such as 1 000 characters, that nobody will ever hit.

    • I totally agree about the lack of specifications on creating a password. I always generate a 32 random character password with my password manager and allowe it to use all special characters. If the site does not complain about the length or characters I assume that everything is alright. Well, I used to make that assumption until I learned that my password may have been truncated to a shorter one and there was no indication that they did this. I would find out later when I tried to login and the password would be invalid because I was using my original 32 character password.
      What I do now is immediately logoff after creating my account then login using my password manager. If it fails then I fix it right away.
      There is absolutely no reason that the password length and character rules are not known BEFORE you create the password.

    • Amen to this. IMHO there should be an industry consortium whose charter is to develop secure, common standards for login protocols. Password keepers are essential (I use Dashlane), but they still get confused too often by unique features of many sites’ login pages…and when they get confused, it can hose up the UX – refreshed passwords not saved, failing to meet incorrect complexity requirements, etc. Parenthetically, that confusion can confuse a non-tech-nerd user – which is why I can’t recommend a password keeper for my 87-year-old mother in law.

      It’s a mess, and it could all be standardized. Today’s situation is like small batteries with no standards – imagine life without knowing that an AA battery may or may not work in your toy?

    • I agree that protecting our “accounts” is very important, perhaps defining exactly what is meant Accounts would be helpful, I assume is things like an adobe account, bank accounts &, etc. I use the internet a lot but it’s getting much more difficult, a game of whack-a-mole if you must. Just when you think you’ve knocked them all down another one pops up. I don’t think that Clairvaux’s comment about “summarily shot” or “rounding up several hundred suspects to teach them a lesson” was helpful. I am however wondering if the content of a website being protected helps keep the accounts protected is part of the solution. I do have virus and malware protection doesn’t that keep me protected? Pretty soon the internet is just going to be too complicated to use any longer, there’s got to be a better, more simple, answer somewhere out there … doesn’ there>

  2. I am one of those really don’t give a rip users. I use pass word managers and tough PWs for important sites, but could care less about many retailer one web sites that want me create an account. If that account gets compromised, tough luck. Many of those places are a one time need/purchase.
    As for PW managers they don’t work all the time. I am not a good typer so complicated PWs are hard to input. To many web sites don’t allow PW managers to auto fill so the manager must be opened up to copy. Sometimes they overwrite a PW when you fill in “secret” information and they think it a new login. At best PWs are still very primitive and punishment for web sites not protecting your data is far to soft.
    Sorry about the rant.

    • If you made a one-time purchase on a website and you used your credit or debit card, the website might have retained your credit card information to make it easier when you return. Anyone getting into that website would be able to purchase using your credit card. There may be some websites that really don’t matter, but if you stay in the habit of using strong unique passwords, you’ll be better protected. If you use a password manager, they are no more work than long strong unique passwords.

  3. I’m like you Leo. My Hotmail account was my unimportant account until Microsoft began demanding an account for Sign In to a computer instead of the old username and password method. Then it became important so that I don’t get locked out of my entire device. (I’ve since figured how to go back to a plain log in).

    Next, I chose to back up my phone’s pictures to OneDrive instead of Google Photos, so now my Hotmail account is double important. Had a recent scare when I couldn’t get back into the account on my home computer. It asked for verification and would not send the code to either of the two listed backup accounts. Checked next day and got in okay via the work computer, so I hope everything is okay with that account that I never use for important emailing.

    • I had the same experience. I opened a Hotmail account to try it out. I didn’t like it, so I never really used it. Then when Microsoft started requiring a Microsoft account, I started using that account. Of course, if that account had been compromised or vulnerable because of a non-unique password, I could have just opened a new account, but I had a good name on that account, and it eventually became one of the accounts I use.

  4. Has anyone ever done an actual survey to find out how many people using a relatively simple password—say something like H2oh2so4—have been hacked?

    Ditto for people using the same password for multiple unimportant accounts.

    Just curious.

    • A relatively simple password is OK as long as it is at least 16-20 characters long. As Leo said in a Tip of the Day

      “With or without spaces, an easy-to-remember random collection of words is much safer than eight random characters, as long it’s long enough. The apocryphal example is “correct horse battery staple” (25 characters without the spaces), but as long as the words are meaningful to you and the character count is over, say, 16, you’re good to go.”

      But be careful. Four random words may be a good password but a known phrase, for example, a Shakespearian quote or a Bible verse might be hacked using a dictionary attack.

      Your variation on the sulfuric acid formula would be OK but it’s too short.

  5. My early email accounts were all provided by the ISPs I used to connect to the Internet. my earliest forays
    onto the Internet – the early World Wide Web (circa Windows 95) was via a local dial-up ISP (I no longer remember their name). IIRC, they provided four email addresses (enough for me and my family.

    My next ISP was a local broadband provider (my Cable TV service provider) who promised a whopping 1 mb/s bandwidth. They provided email addresses (again, enough for my family to each have their own). We stayed with them for about a decade. During that time, I set up a Microsoft-based account (I think it was Hotmail) using my ISP-provided email address as my username (an experiment). Then, when my wife decided that out TV provider was increasing prices across the board too often, we decided to make a change. My first step was to make sure each family member had a gmail account (I already had one) for continuity. Soon after that, we switched to Dish Network for our TV service, and ATT (50 mbps service) on copper for Internet. After dropping the local TV/Internet/Phone service (that email account would become inaccessible to me), I changed my Microsoft account to use an Outlook email address for my username (IIRC, the Hotmail account morphed into an Outlook account about that time). In 2019, when my wife passed, we switched once again, this time to ATT U-Verse Basic Local for TV, and ATT Fiber-300 (which was later upgraded – free – to Fiber-500) for Internet (the service I use today).

    When Microsoft offered to switch my account to password-less login I made the change. At about the same time, I decided to enable 2FA on all of my Internet-based accounts as supported it, and to enhance security wherever I could. I got USB fingerprint scanners for my PCs to enable biometric login. I installed the Microsoft Authenticator app on my mobile phone to facilitate 2FA on my PCs and Internet-based accounts, and I use LastPass (also with 2FA enabled) to store my passwords. Today, most of my accounts have 2FA enabled, my PCs and phone use biometric login. All the drives on my PCs are encrypted (protection against theft), and I check my email accounts annually on the ‘Have I Been Pwned’ website to insure they are not included in a new breach. I get email notifications when one of my accounts is (or may be) involved in a breach at which time I change the password for that account and verify that my account recovery information is correct.

    I do not assume that I am safe on the Internet, or that all my security efforts really make much of a difference overall regarding malware, but I do what I can to make my devices as difficult as possible to breach in the hope that attackers will move on to an easier target. For the same fundamental reasoning, I enable 2FA on my accounts, use a password manager to manage my passwords, use long, strong, unique passwords for my accounts, check my accounts for breaches, and generally do everything I can to keep what I have as safe as possible. Security may involve much more than passwords, but they are very important. I look at long, strong, unique passwords as being the outer wall of defense protecting me from attack.



  6. How is the best way to delete an account, say for shopping etc, that you don’t want anymore and be sure that it is removed and info destroyed?

  7. One of the best things I did years ago was to purchase RoboForm to take care of my passwords. Also when PCMatic became a reality with super shield, I took that one too for even more security. I have not had any problems since doing that. Thanks Leo for reminding us that if we don’t protect, we will pay!

    • I use a similar product – Lastpass. Worked well for me over many years. It can generate complex passwords for me, but it also occasionally warns me if any of my self made passwords are too weak and need strengthening.

  8. Hi

    I definitely agree that some accounts you might create start off as “unimportant”, but then change over time as you use them more. However I can give you an instance where I have an account with just a simple password. I am a football (soccer) fan of a particular team. I sometimes visit a website with a forum for discussing tactics, players, the coach, pubs to meet in etc. The account I login with on that site has a very simple password. If someone breaches the account, all they could do is post opinions on football that I don’t agree with. My real name is not on there, no other personal information at all such as age, email address etc. It’s just a login pseudonym and a password. So I figure that it’s easier to use a simple password that I’ll never forget.

  9. And watch out for 2 factor identification. My nephews cell phone plan closed after he died. It’s a challenge right now. I’m unable to access 2 google accounts with no way to contact google re same. Cancelled Pay Pal and 1 other, by contacting customer service. Still 4 or so to go. Also I have 2 or 3 ancient email accounts laying around. They were attached to a previous work email which is also gone. Do you have any ideas of what to do with those? Yes it will all be much easier with fewer accounts. Are there previous article that talks about any of this? Reminders will be gratefully accepted. Thank you Barbara

      • Leo, Google has a device called Inactive Account Manager. There are a few choices you can make in the event of your death, but primarily they lean towards “account privacy” and Google would rather close an account than grant access to a relative. It would be very difficult to get into an account unless arrangements were made before death.

    • Barbara, I hated the concept of 2 Factor Authorization or 2 Step Verification, but more services are insisting on it. Gmail recently made a push to enrol more users in 2 Factor, so now I have it. Verification is through my phone, and my phone is both PIN and Fingerprint protected. You can see how difficult it would be for my wife or children to access my most important account if they can’t even access my locked phone. Should they cut off my finger before they bury me? (My wife knows my PIN, but anyone else would be locked out). Gmail also has an option to print out emergency access codes for 2SV but many people neglect to do so or lose them afterwards.


Leave a reply:

Before commenting please:

  • Read the article.
  • Comment on the article.
  • No personal information.
  • No spam.

Comments violating those rules will be removed. Comments that don't add value will be removed, including off-topic or content-free comments, or comments that look even a little bit like spam. All comments containing links and certain keywords will be moderated before publication.

I want comments to be valuable for everyone, including those who come later and take the time to read.