Rachel Rasker* explains how she went about securing her identity online.
I’ve used the same password — for everything — for over a decade.
You might be wondering how I’ve survived this long without my identity being stolen.
I truly do not know!
While in recent years I’ve tried to change my password on important accounts like my social media or bank, I’ve struggled to keep track of my own changes.
I’m now scared to log out of Facebook, because I genuinely do not know my own password.
I just hit ‘forgot password’ every time.
But the recent Optus data breach has got me thinking about my security and identity online, and I figured I’d better get myself together.
This is what I learnt from sorting out 12 years of passwords.
Lesson 1: Do your research
I started off by really, properly, reading my colleague Meg Watson’s article about password management.
The key takeaways were that you really shouldn’t have the same passwords for everything (fail), that they shouldn’t be related to anything personal (fail again), and that you should try passphrases as opposed to words (fail, obviously).
A passphrase is like it sounds — instead of using password123, you could use DogPasswordLunch2.
Or something slightly more complex.
Online security researcher Troy Hunt recommends using a password manager to store all the different passwords for all your different accounts, and to create a strong passphrase for that.
To get set up, I read through Choice’s password manager buying guide, and asked a few tech-head friends what they used.
I decided to go for a paid service as it felt worth it for me, but there are free options around too.
I narrowed my choices down to two managers.
I got very lost in the “special features” of each and trialled one brand for an hour before realising its functionality was driving me insane.
I’ve now switched to the other (migrating between managers is fairly straightforward), and have my very own passphrase, which I will hopefully be using for life now (a rather intense thought!).
Time spent: Around an hour and 30 minutes, including my software change.
Lesson 2: Importing passwords is easier than you think
In my mind, sorting out my passwords meant logging on to every single website I use, changing my password to something more complex, and then writing that new password in my manager.
But luckily, my passwords were already stored all over the place! And in most cases, those big lists of auto-fill passwords can be easily exported as a spreadsheet, and then imported back into a password manager.
For example, I had 117 logins saved on my internet browser, 55 on my phone, 18 in my work password manager and 7 in my Google account.
Not as bad as I expected!
Auto-importing most of those logins only took about 10 minutes.
So if you already use strong passwords, and alter them between accounts, your work would be done.
Unfortunately, mine was not.
Time spent: 10–15 minutes.
Lesson 3: Human passwords are not to be trusted
Most of us can barely remember bin day, let alone all our passwords.
Which is why we start to cheat a bit.
I thought I was a genius for replacing the letter ‘i’ with an ! or a 1.
Or for writing ‘a’ as @.
But turns out, this is very common! And easily hackable.
Of the 197 logins I imported (many of which were double-ups anyway), my password manager’s security feature said at least 160 of them were ‘at-risk,’ as they were either too simple, or had been re-used.
So I started to go in and change them.
The password manager was helpful at generating secure new passwords for me — something catchy like: fsehi32459534hf.
Once changed, it would automatically update the password in my account.
While I’ll obviously never remember a bunch of gibberish passwords, the password manager syncs across all my devices — so I only need to remember my master passphrase, and then I can easily find or auto-fill any convoluted password I want.
Time spent: Changing hundreds of passwords — hours!
Lesson 4: I have signed up for a lot of websites
Out of my mountain of at-risk logins, I probably only use between 10 and 20 websites on a regular basis.
The logins included online shopping brands and streaming services that had my debit card saved, as well as medical websites I used to book appointments with my doctor and dentist.
I used the same login details for these sites as I did for random websites I have no memory of signing up for.
I only found out I had these accounts as they were part of my ‘at-risk’ login list.
Logging on to these sites during my declutter, I found they had not only my password, but in many cases, my date of birth and my address.
Going through and working out how to delete these accounts took a lot longer than the password resets, but felt even more essential.
And these are just the sites that I autosaved — how many more out there have my details?
Time spent: Days! Often there was no ‘delete’ button, and I had to send out emails and await confirmation.
So was it worth it?
While some parts of this task have been easier than I expected, overall, it’s been pretty exhausting.
It’s taken me hours to sort through everything.
It’s been very fiddly, and it has hurt my non-tech brain.
But! It has felt very important, and very worthwhile.
No more worrying about being hacked, no more remembering passwords, no more thinking up new ways to spell my dog’s name with special characters.
Now it’s done, it’s done.
*Rachel Rasker is a reporter and producer at ABC Everyday.
This article first appeared at abc.net.au.