Password potato chips

Jim O’Hara, CISM, CISSP, CEH, Information Security Officer

Passwords are like potato chips.  You can’t (and shouldn’t) have just one.

A new trend is developing in phishing and email extortion tactics. Attackers are including the potential victims’ passwords in the messages sent. Why would they do this?

If you’re the target of this attack, you’ll typically receive a message from someone claiming they’ve compromised your computer and have obtained a list of your website usernames and passwords.  The message will contain a set of credentials to a site you’ve used, which were valid at some point. You’ll also be threatened with some sort of undesirable consequence unless an online payment is made. By including valid credentials in the extortion message, the attacker is hoping to instill fear and doubt in your mind, prompting you to take immediate action.

But how did the attacker obtain your credentials?

When a website is compromised, the attacker typically mines the site for useful information, including the login credentials of the site’s users. The attacker knows that people tend to be lazy when it comes to passwords, and there’s a good chance one site’s credentials will work for other sites the user visits. These collections of stolen usernames and passwords are constantly being bought and sold online, and eventually make their way into the hands of an extortionist. It’s likely the credentials in the email you receive will have been stolen quite some time ago, and in many cases they are no longer valid. If you use the same password for more than one website, it will be impossible for you to determine which of the sites you visit was compromised.

This is why it’s so important to maintain unique passwords for each account you have. Yes, it takes a bit more effort to maintain separate passwords, but the additional protection is well worth the effort.

Tips to protect yourself: 

  • Never use the same password for more than one website. To keep track of multiple passwords, consider storing them in a password-protected spreadsheet.
  • Change your passwords from time to time, especially for email accounts or other accounts which don’t employ multi-factor authentication.
  • Never use public computers to access sensitive accounts. Even if you direct the browser to not save your credentials, the machine could be compromised in other ways designed to capture your credentials regardless.

