Several months back, at the beginning of spring, I suggested it was probably a good time to check out various computer accounts you might have and carry out an electronic spring cleaning.
I also suggested using some sort of password manager so that you don’t use the same email/password combination across multiple services. That at least gets you beyond the problem faced by victims of some of the massive account data breaches of the past few years.
Want to know if your email address is part of some of the bigger data breaches that have been well-covered in the technical media? Go to haveibeenpwned.com and key in all the email addresses you use. You may be surprised.
How about dormant accounts, accounts you set up years ago and have, perhaps, long forgotten? It’s a good idea to delete these accounts. And it may involve some effort. Some services don’t have an obvious “Delete account” action on their site. Send an email to the service requesting that your account be fully and completely deleted.
It isn’t so much the breaches themselves that cause problems. It’s that people use the same authentication combination at other, more sensitive services.
I was prompted to take action with some of my own accounts.
Recently I was prompted to take action with some of my own accounts, after a service I last used several years ago, was hacked.
I went through a phase where I had to try pretty much every music streaming service that appeared. A very early one, that still exists today, was 8tracks.com.
However, other services appeared, and in recent years, along with many others who did the same thing, I switched to subscription services such as Google Music, Spotify and Deezer.
On June 29 I spotted a news release that the 8tracks.com service had been hacked. First of all, I was surprised that 8tracks.com was still in business. Second, I had an “oh, damn” moment as I thought about that period of time when I had far fewer Internet accounts, many sharing the same email/password combination.
Over the past five years I’ve added all my various Internet accounts into a sophisticated password manager called My1Login.com. At present, it houses records for 195 accounts. Yes, 195! Many are related to my school work, others are services I have explored for this column over the twenty or so years it has run, and yet others are personal.
My1Login.com nags me from time to time, telling me that certain passwords are the same or similar, or that they are too easy, presumably to guess by what is known as a dictionary attack.
Immediately upon reading the news item about 8tracks.com I fired up the My1Login.com site. Yes, indeed. I had used a password for 8tracks.com that I had used on other sites as well. Many, but not all, had been changed over the intervening half dozen or so years.
In addition, I was using four different email addresses for my various online accounts. It wasn’t as if all 195 accounts were using identical email addresses and passwords.
The 8tracks.com account data, according to the news story, was already trading on the dark web. The data included user names, email addresses and passwords. For some 18 million accounts.
Although the passwords were stored in a “hashed” (essentially encrypted) form, previous account hacks have shown that such passwords can be cracked with relatively little effort.
Consequently, I decided to spend that morning going through my 195 accounts, checking if any used the same email/password combination as had my 8tracks.com account. Indeed, there were some.
Clearly I won’t be able to ask anyone there to delete my account.
In nearly all cases I changed any passwords that matched the one I had on file for 8tracks.com. I say “nearly” because in some cases the service no longer existed. For instance, fellow streaming service Grooveshark has shut down. Clearly I won’t be able to ask anyone there to delete my account. However, that doesn’t mean the account data is necessarily deleted. Who knows? The Grooveshark computer gear could be sold as part of a bankruptcy case. Where does that leave the user data?
That may be the best lesson to take from this column. Get rid of old accounts. If there is no “Delete account” option, write the company and tell them you want your account deleted.
As for those 195 accounts of mine? My1Login reports this analysis for my passwords: 98 are strong or very strong, 13 are medium strength, 59 are weak and 10 are considered very weak. That leaves 15 which are only used to store additional information on some specialty sites I use.
Clearly, I have some work left to do on those accounts with weak passwords. That’s the nature of computer security. It requires ongoing effort and vigilance.
Follow me on Facebook (facebook.com/PeterVogelCA) and on Twitter (twitter.com/PeterVogel).