Tuesday, December 22, 2015

Don't worry about strong passwords, the bad guys already have your info!

By now, I am sure that you have seen an endless stream of click-bait-y articles roll across your social stream trumpeting the benefits of "strong" passwords. These articles have no doubt given you all sorts of tips for creating a password that will keep the bad guys out, including:

- Using a combination of letters, symbols and numbers.
- Adding random words and phrases.
- Changing the "O's" to zeros and the "E's" to threes.

These articles would have also suggested that not using a "strong" password is akin to rolling out the red carpet for bad guys in China, Russia and the Middle East; begging for them to waltz into your personal trove of LOL's, WTF's, naughty selfies, and if they have time left, your bank account.

Your friends have probably told you how great their passwords are, making you feel guilty for the obligatory "abc123" and "password" passwords you use on everything except Facebook. Some of them have even subscribed to complex password managers with 2-step authentication in an effort to sleep better at night, with the thought that their inbox is surrounded by a virtual Great Wall! Even Edward Snowden got in on the action, with a little prodding from John Oliver's producers, suggesting that everyone think of "passphrases" instead of "passwords".

Well, I hate to break it to you, but all of that was for naught. You probably already gave your password to the hackers!

The purpose of having an indecipherable password or passphrase is to thwart "brute force" attacks. In a brute force attack, the hacker uses a piece of software to cycle through millions of combinations of passwords until they land on yours. The problem is, this exploit is virtually obsolete, and is very seldom used by anyone other than jealous wives and husbands trying to figure out why their spouse is spending so many late hours at the office, when there are perfectly good chores to be done at home.

Have you ever mistyped a password, and had the system tell you that you had 3 tries left before you had to wait? That dialog is in place to prevent brute force attacks: if the bad guy, or more specifically their computer, has to wait even a second between password attempts, brute forcing is no longer possible.
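To show how that waiting period works in practice, here is an added example (not code from the original post) of a login throttle that allows a few free tries and then imposes a doubling wait, plus a simulated attacker to count how many guesses fit in an hour with and without it. The policy numbers (3 free attempts, a 1-second first wait, a 1-hour cap) and the 10 ms network round trip are assumptions chosen for illustration.

```python
import time
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account failure counter that imposes a doubling wait once the free
    attempts are used up. Policy numbers are hypothetical, for illustration."""
    free_attempts: int = 3        # the "3 tries" before any wait kicks in
    base_delay: float = 1.0       # first wait, in seconds
    max_delay: float = 3600.0     # cap so a locked account eventually recovers
    failures: dict = field(default_factory=dict)      # account -> consecutive failures
    locked_until: dict = field(default_factory=dict)  # account -> time the wait ends

    def wait_remaining(self, account, now):
        return max(0.0, self.locked_until.get(account, 0.0) - now)

    def attempt(self, account, password, check, now=None):
        """Try one login. Returns (ok, seconds_to_wait).

        check(account, password) is the real credential check; it is never
        called while the account is inside its waiting period, so even the
        correct password is refused until the wait has elapsed."""
        now = time.time() if now is None else now
        remaining = self.wait_remaining(account, now)
        if remaining > 0:
            return False, remaining
        if check(account, password):
            self.failures.pop(account, None)
            self.locked_until.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n < self.free_attempts:
            return False, 0.0
        # doubling wait: 1s, 2s, 4s, ... capped at max_delay
        delay = min(self.base_delay * 2 ** (n - self.free_attempts), self.max_delay)
        self.locked_until[account] = now + delay
        return False, delay


def guesses_possible(throttle, budget_seconds, round_trip=0.01, account="victim"):
    """Simulate an attacker who only ever guesses wrong and count how many
    guesses fit inside budget_seconds. round_trip models the network latency
    of one attempt (assumed 10 ms); the clock is simulated, nothing sleeps."""
    clock = 0.0
    guesses = 0
    while clock < budget_seconds:
        _, wait = throttle.attempt(account, "wrong-guess", lambda a, p: False, now=clock)
        guesses += 1
        clock += round_trip + wait
    return guesses


if __name__ == "__main__":
    hour = 3600
    no_limit = LoginThrottle(free_attempts=10**9)   # effectively no throttle
    print("guesses per hour, no throttle:", guesses_possible(no_limit, hour))
    print("guesses per hour, 3 free then doubling wait:",
          guesses_possible(LoginThrottle(), hour))
```

With the assumed numbers the unthrottled attacker gets roughly 360,000 guesses an hour; with the throttle the same attacker gets 14, because by the fourteenth wrong guess the wait has grown past the remaining budget. The trade-off is visible in the code too: while an account is in its waiting period, the real owner's correct password is refused as well, which is why the wait is capped rather than allowed to grow forever.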

Virtually all password breaches today are done using 3 methods:

- Phishing
- Social Engineering
- Server side data dumps

"Phishing" is where an attacker sends bulk messages to thousands or even millions of people claiming to be a company that you have an account with, such as PayPal, Bank of America, or even, GULP, Facebook. These emails usually implore you to "sign in" or "verify" your account. When you do, BAM, they've got your password, and just like Nick Cage, your money is gone in 60 seconds!

"Social Engineering" is similar to phishing, but is more of a one-on-one con. Someone may call you, or more likely your grandma, saying that the IRS is going to send them to jail unless they pay their back taxes. In these attacks the bad guys are usually looking for cash on the spot as opposed to account access.

The third and most dangerous attack happens on the other side of the wires. When you think about it, why would a hacker spend time and money to get into your account, which may only have a hundred bucks and a few risqué photos from the boudoir, when they could spend that effort to crack into BofA or Ashley Madison and get your info, as well as the info of everyone you have ever met? While the occasional story may surface about data breaches at banks, it is worth noting that they are under no obligation to tell anyone if there is a breach, and are actually incentivized to keep them a secret to avoid collateral damage. I am sure that Target would have preferred to keep their breach a secret, instead of coughing up $67 Million. Hell, the New York Stock Exchange has still not said a word about the attack that knocked the exchange offline for half-a-day in 2015.

Let us not forget about the biggest story of Christmas, 2014... the Sony hack. I am sure all those employees were sleeping soundly at night, knowing that their herculean passwords were protecting everything... while 100 terabytes of data were being vacuumed up!

Oy Vey, what to do? Avoid the internet? Pay bills in cash? Stop Sexting? Never!

For starters, change the "recovery questions" on your accounts. These are the weakest link for someone who really, really wants YOUR info. A person only needed to know Sarah Palin's birthdate, zip code and where she met her husband to gain entry to her email account. Change these questions to something only you would know... if it asks for "name of pet", answer with "mount rainier".

Second, make absolutely sure you enable a pin lock on your phone. If you lose your phone, a bad guy would simply need to select "reset password" for all of your accounts. Since the reset notices get sent via text message or email to accounts that your phone automatically receives, the perp can get your stuff... and lock you out!

Third, and most importantly: Never, Never, Never click on a link in an email you were not expecting. I understand that switching back and forth between browser tabs can become tedious, even maddening... but you can carry your head high knowing that you never handed over the goods to the bad guys!

But in the end, just sit-back, relax and don't sweat it... and change your password every now and then!
