Password spring cleaning
At the beginning of April I received an email from Playstation thanking me for my purchase of eFootball PES 2020. That was followed by another one for purchasing WWE 2K20. Then another for TEKKEN 7. Then another for FIFA 20. Lastly, it ended with a polite email informing me that my sign-in ID had been changed. Bad news: my account had been hacked.
In what seems like a lifetime ago now, the world was in the early stages of being put on lockdown and hackers were taking advantage. Many companies outsource their support to business process outsourcing firms (BPOs), which are typically located in lower-wage countries where workers are packed closely together in what most people would deem a “call center”. The employees of BPO firms typically don’t have company-provided laptops or the luxury of working from home, so bosses had to inform their clients that support would be done by a skeleton crew due to office restrictions.
Hackers knew that by compromising tons of accounts from companies that employed this strategy they would overwhelm an already stretched support team and thus have more time to take advantage of customers and potentially get away with their crimes. That plan worked incredibly well based on a quick search of Reddit where this was happening to lots of people.
In my particular case, Playstation had removed and then deeply buried their chat support links. They had also temporarily suspended phone support altogether. Meanwhile, Chase, my credit card provider, had phone wait times of several hours. After a frustrating week or so I finally had access to my Playstation account, and it took almost another week before I had a new credit card. All of this over an account I rarely use.
I tend to think that I have good password hygiene by using 1Password, which is always set to create a random 24 character password that includes letters, numbers, and symbols. But I realized that I probably have a lot of passwords in use that I created long before I used a manager but that I have never gone back and changed. Turns out I was right.
1Password has some really great features to help keep you safe, like telling you how many reused passwords you have. Good-hygiene Kyle had 124. 😳 On top of that, they’ll tell you if any of your passwords appear in publicly available databases from breaches. This service is provided by haveibeenpwned.com and is super handy. It doesn’t matter how secure your password is if your login credentials are on the internet to find. Worse if you use those same credentials in multiple places. Lastly, they provide a heads-up about companies you have logins with that provide two-factor authentication (2FA) that you haven’t set up yet.
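To show what the two vault checks above actually do under the hood, here is an added example (written for this post, not 1Password’s or haveibeenpwned.com’s code). It audits a constructed sample vault for reused passwords and then checks each password against breach data the way the public Pwned Passwords range API works: the client hashes the password with SHA-1 and sends only the first five hex characters, the server returns every known suffix for that prefix with a count, and the match happens locally, so the full password hash never leaves the device. The server side here is a stand-in built from a constructed breach corpus (an assumption, so the example runs offline); the site names and passwords are made up.

```python
import hashlib

# Constructed sample vault (fake sites, fake passwords): site -> password.
SAMPLE_VAULT = {
    "shop.example": "correct horse battery staple",
    "forum.example": "correct horse battery staple",
    "mail.example": "correct horse battery staple",
    "bank.example": "Tr0ub4dor&3",
    "cloud.example": "3kF!9vQz#pL2mN8x",
}

# Constructed stand-in for a breach corpus: password -> times seen in breaches.
SAMPLE_BREACH_CORPUS = {
    "password": 3861493,
    "123456": 23547453,
    "correct horse battery staple": 142,
}


def reused_passwords(vault):
    """Return {password: [sites]} for every password that appears on more than one site."""
    sites_by_password = {}
    for site, pw in vault.items():
        sites_by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items() if len(sites) > 1}


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 into the 5-char prefix that is sent and the suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fake_range_server(prefix):
    """Simulated server side (assumption: stands in for GET api.pwnedpasswords.com/range/<prefix>).

    Returns one 'SUFFIX:COUNT' line for every corpus hash that starts with the prefix.
    """
    lines = []
    for pw, count in SAMPLE_BREACH_CORPUS.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\n".join(lines)


def breach_count(password, fetch_range=fake_range_server):
    """Client side: send only the prefix, compare suffixes locally, return the breach count (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def audit(vault, fetch_range=fake_range_server):
    """Produce the two findings a password manager reports: reused passwords and breached passwords."""
    reused = reused_passwords(vault)
    breached = {}
    for site, pw in vault.items():
        n = breach_count(pw, fetch_range)
        if n:
            breached[site] = n
    return {"reused": reused, "breached": breached}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    # Report sites only; never echo the passwords themselves.
    for sites in report["reused"].values():
        print(f"one password reused on {len(sites)} sites: {', '.join(sites)}")
    for site, n in report["breached"].items():
        print(f"{site}: password seen {n} times in breach data")
```

To run this against the real service, replace `fake_range_server` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` over HTTPS and returns the response body; the line format (`SUFFIX:COUNT`, one per line) is the same, and the client code does not change. The point of the prefix split is that the server only ever learns five hex characters of the hash, which is what lets a manager check your passwords against breach data without handing them over.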
After learning all of this information I decided to set aside a few hours to go through, one by one, and update all of my passwords that 1Password identified as needing to be changed. That incredibly tedious work actually ended up taking a few days of several-hour bouts, but now I feel much safer with my online logins. It also taught me how incredibly varied security is across much of the internet. Sites that should be more secure often had me weaken my new password by having fewer characters or removing symbols. Others felt like getting into Fort Knox just to prove I am who I am to be able to change my password. A very few made the process feel secure yet also delightful. As a product manager, it was a nice journey to see the good, the bad, and the ugly.
The main lesson in all of this is that most of us are likely more vulnerable to being hacked than we think we are, no matter how tech-savvy we may be. Since most people right now are stuck inside all day searching for things to do, I recommend setting aside some time to get a password manager (if you don’t already have one), updating any passwords you know you use frequently, and turning on 2FA where available. It may not be the most fun thing to do, but it’s certainly more productive than scrolling through feeds and it may just save you from lots of frustration in the future.