Don’t be Victimized on the Web: Change your Locks and Keep Different Keys on your Keychain

Note: I originally wrote this post in 2011, updated it in 2013 and am now updating it again in 2026.

Often when people think of the Internet, they see it as very different from the real world. For example, if someone broke into your home you would change your locks, right? And you wouldn’t just change one lock; you would change them all. In addition, you probably have several locks: a regular lock and a deadbolt. I imagine that in addition to having several locks at home, you have different locks at your office and in your car. You don’t use one key for everything.

The problem on the Internet is that most of us are running around without a deadbolt, and we use the same key all over the place. We choose simple passwords, for example our birth date, or our dog’s name, and we use that same password across the web; or we simply use two or three different passwords throughout the Internet. This is a serious mistake, especially given how easy it is for hackers to steal our money or our data once they are able to access one of our important accounts.

Setting a Strong Password

The first thing you need to do is set a strong password. A strong password is one that is lengthy, at least 16-20 characters. It is also a mixture of letters and numbers and, if the site allows them, special characters. For example, instead of using the word password, you would use p@55w0rd. It is actually even better to use random letters, numbers, and symbols, because hackers are getting very good at hacking passwords like p@55w0rd: their cracking tools automatically try the common letter-for-symbol substitutions. Artificial intelligence has only made hacking easier and more effective.
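To show why p@55w0rd is not much better than password, and what “random letters, numbers, and symbols” actually buys you, here is an added example (written for this post, not code from any password manager). It undoes the usual substitutions the way cracking tools do, estimates how many bits of guessing a truly random password forces, and generates one with Python’s `secrets` module. The word list and the 16-character threshold are assumptions chosen to match the advice above; real cracking dictionaries hold millions of entries.

```python
import math
import secrets
import string

# Constructed stand-in for a cracking dictionary (real ones have millions of words).
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "football"}

# Letter-for-symbol substitutions that cracking rules reverse automatically.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "5": "s", "$": "s", "7": "t"})

# Assumption: matches the post's "at least 16-20 characters" advice.
MIN_LENGTH = 16
MIN_ENTROPY_BITS = 90


def looks_like_dictionary_word(password: str) -> bool:
    """True if stripping trailing digits/punctuation and reversing leetspeak
    leaves a common word, e.g. 'p@55w0rd' or 'Password123!'."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP) in COMMON_WORDS


def entropy_bits(password: str) -> float:
    """Upper-bound guess on entropy: length * log2(size of the character pool
    the password draws from). Only meaningful for randomly generated passwords;
    a dictionary word scores high here but is still trivial to guess."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def is_strong(password: str) -> bool:
    """Strong = not derived from a dictionary word, long enough, and random enough."""
    return (not looks_like_dictionary_word(password)
            and len(password) >= MIN_LENGTH
            and entropy_bits(password) >= MIN_ENTROPY_BITS)


def generate_password(length: int = 20, allow_symbols: bool = True) -> str:
    """Generate a password with a cryptographically secure RNG, as a password
    manager's generator would; allow_symbols=False for sites that reject them."""
    alphabet = string.ascii_letters + string.digits
    if allow_symbols:
        alphabet += string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("p@55w0rd", "Password123!", generate_password(20)):
        print(f"{candidate!r}: {entropy_bits(candidate):.1f} bits, "
              f"dictionary-derived={looks_like_dictionary_word(candidate)}, "
              f"strong={is_strong(candidate)}")
```

Run it and you will see p@55w0rd scores under 50 bits and is flagged as a dictionary word, while a generated 20-character password scores over 100 bits and passes. The entropy figure is the point: a strong password is one nobody chose, so there is no pattern for a cracking rule to reverse.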

Setting a strong password doesn’t solve all of your problems though. First, if you use the same password throughout the Internet and a site is compromised, now all of your accounts are compromised. Let’s say you have an account with a magazine and that site gets hacked. The hackers will try all sorts of sites with the same username or email address and password. It might not matter to you if your magazine accounts get hacked, but if you use the same username and password for your email and bank account, now you are in serious trouble. 

How Do You Remember This Stuff?

I don’t know about you, but I have serious trouble remembering passwords, especially when I have to remember a bunch of them. This leaves me in a difficult situation. I am supposed to have a different password for every site, which already causes me memory issues, and those passwords are supposed to be difficult to guess, meaning even more difficult to remember.

Fortunately, there is a solution to this problem. The solution is called a password manager. A password manager lets you create one really hard-to-guess master password and stores all of your other passwords in a secure, encrypted location. You can then use that manager on your laptop, desktop, and phone. The best password managers will actually generate the passwords for you. I personally use a service called 1Password, which I have found works well for me. There are numerous password managers, so take a look and see what works for you. So now your accounts are secure and the article is done, right? Well, I am still typing, so, no, your accounts still aren’t secure.

Sidenote: The LastPass Hacks

When I first wrote this post I was using 1Password. At some point I changed to LastPass. Well, in 2022 LastPass was hacked. What annoyed me most at that time is that the hack occurred because some employee literally had everything on his laptop and somehow allowed access by hackers. While refreshing this post to make certain I had the date correct, I saw that LastPass has developed a pattern of being hacked. This, in turn, has cost its users quite a bit of money.

When LastPass was hacked back in 2022, I was fortunate because my password to log in to LastPass was very strong. As a result, it gave me time to change all of my other passwords. I immediately started with my most important sites, those involving money and my clients. Having a strong password for logging in to your password manager bought me time, but it didn’t make me feel any better about the situation. I switched back to 1Password and spent a very unpleasant few days changing passwords across every account I had.

The LastPass breach is a cautionary tale that keeps getting worse. Hackers stole copies of users’ encrypted vaults, and they’ve been cracking them ever since. As of mid-2025, researchers estimate that over $438 million in cryptocurrency has been stolen from people who stored their crypto keys in LastPass. One person alone lost $150 million. And the thieves aren’t done; they stole another $12 million in just two days in December 2024. The thing that makes this breach different from most is that the damage increases over time. As computers get more powerful, passwords that were strong enough in 2022 become crackable. So if you were a LastPass user before August 2022 and you didn’t change every single password in your vault, you are still at risk.

LastPass settled a class action lawsuit for $24.5 million and got hit with a £1.2 million fine from the UK’s data protection authority. None of that helps the people whose money is gone. The lesson here is that even your security tools can fail you. Use a reputable password manager. I’m back on 1Password, which requires a unique and lengthy code to even access a specific user’s account on a specific computer or device. Even so, it is critical to also turn on multi-factor authentication everywhere you can. That way, even if someone cracks your password, they still can’t get in.

You Forgot Your Password? The Thief Can Access the Same Link

You have done everything you are supposed to do. Your password is so hard to guess the FBI couldn’t figure it out. Every single site, even the simplest site, has its own password. But now we have to deal with password reset.

If you look at virtually any website you will see an option that reads something like “forgot your password, click here.” Back when I first wrote this post, virtually every site used questions to let you get back in. Some sites still use questions, but they are normally combined with additional steps. The more common reset method is now either a link to your email or a text to your phone which then allows you to reset your password. 

What to Do?

Lie. That’s right, lie. Make up answers to the questions. Your first dog was named Scrappers? Fine, put instead that your first dog was named Onomatopoeia. Pick answers that no hacker will ever guess, that have nothing to do with you and won’t be found anywhere on the Web if someone should do a search on you. You can store these answers in the note fields in your password tools, so you won’t forget them.

In addition, turn on multi-factor authentication, also called two-step verification. What this means is that a hacker cannot log into your account unless they also have access to the verification step. There are a variety of options you can use for the second step. They include:

  1. Text message (SMS): a code sent to your phone. This is the most common, but it is also the weakest option, because phone numbers can be hijacked through SIM swapping. SIM swapping is when a scammer convinces your phone carrier to transfer your phone number to their device. Once they have control of your number, they get your text messages, which, of course, would include your verification codes.
  2. Authenticator apps: These are applications like Google Authenticator, Microsoft Authenticator, or Authy that generate a code that changes every 30 seconds. This is much more secure than text messages because nothing is sent over the phone network, so there is nothing to intercept. If your authenticator app is on your phone, do not protect it with a simple code that would let hackers into it. In addition, make certain the code to get into your phone itself is secure and that your phone is encrypted.
  3. Push notifications: Some services send a notification to your phone, and you just tap ‘approve’. Microsoft and Google both do this. This is easy to use, but you have to be careful not to approve a request that you didn’t initiate.
  4. Hardware security keys: These are physical devices like YubiKey that you plug into your computer or tap on your phone. This is the most secure option, but also the most hassle and you have to buy the key.
  5. Passkeys: This is a newer option that is gaining traction. Passkeys use biometrics (fingerprint, face) or your device’s PIN to authenticate. Apple, Google, and Microsoft are all pushing these as the eventual replacement for passwords entirely. The major risk with passkeys relates to government authorities such as the police or the FBI. In the United States, currently, you may not be required to give up a passcode because that is seen as a violation of your Fifth Amendment rights, that is, the right against self-incrimination. However, they may force you to put your finger on a device or hold the device up to your face. If you have concerns about this, do not use passkeys. If you do use passkeys and are headed to a protest, I strongly suggest you turn them off and turn them on again after you are safely home.
  6. Email codes: This is a code sent to your email. It is better than nothing, but it is still a weak option, since if someone has access to your email, they have access to everything.

In every case, also make sure you turn encryption on for your phone. If you are not sure how to activate encryption, search Google or your favorite AI for something like “how do I encrypt my phone” along with the make and model of your phone. In addition, look into your phone company’s answer to SIM theft. Many cell phone companies allow you to lock down your SIM with a passcode. If yours does, turn it on. This makes stealing your phone number much more difficult. If your cell phone company doesn’t offer this minor piece of security, you might want to switch to a more secure company.

Get Notified about Website Hacks

It isn’t always easy to quickly become aware of a website hack. Many hackers hide out in websites for long periods of time, even years, before the website becomes aware. In addition, some businesses are very slow to notify their users. This means sometimes you won’t know for months or years that a website you use has been hacked. There are, however, a number of steps you can take to be notified as soon as possible.

  1. Sign up for free alerts at haveibeenpwned.com. This site emails you whenever your address shows up in a new breach. Make sure to sign up with all email addresses you use. Check your existing email addresses there now; you’ll likely be unpleasantly surprised.
  2. Some password tools, including 1Password, integrate with haveibeenpwned.com and will flag compromised passwords in your vault automatically.
  3. Freeze your credit: Place a credit freeze with all three bureaus (Equifax, Experian, and TransUnion). This is free and prevents anyone from opening new accounts in your name. You can temporarily lift it when you actually need to apply for credit. This is more protective than a fraud alert.
  4. Obtain identity theft insurance: Many homeowner’s and renter’s insurance policies offer this kind of insurance as a rider. You can also buy it separately. Many of these services let you visit their website and enter your email addresses, credit cards, and other information. This lets them scan the web for your information so they can alert you when it is found. Make certain the insurance you purchase includes a service through which they actually will help you deal with the problem. Some companies might offer to pay off debt run up by the hackers that won’t otherwise be forgiven, but they don’t actually help you resolve the issues, leaving you to manage it yourself.
  5. Set up banking alerts: Turn on transaction notifications for every bank account and credit card so you can see activity in real time.
  6. Google yourself: Google yourself and your email addresses, as well as your firm or business name. You can also turn on Google Alerts. Set an alert for your name, your email addresses, your firm or business name, and other useful items. You will get an email whenever Google indexes new content mentioning them. Do keep in mind that Google hasn’t updated Alerts in years, so while it is useful, I wouldn’t rely on it completely. Still, the service is free, it doesn’t take long to set up alerts, and it is better than nothing.
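Item 2 above says some password tools check your vault against haveibeenpwned.com. The mechanism behind that is worth seeing, because it answers the obvious worry: does the check send your passwords to a third party? It does not. The site’s Pwned Passwords “range” service uses k-anonymity: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, gets back every known breached hash beginning with those five characters, and finishes the comparison locally. The example below is added for this post and is not 1Password’s or haveibeenpwned.com’s code. The server response is constructed for the example (only the hash of the word “password” is real; the counts and the other suffixes are made up), so it runs offline; `live_fetch_range` shows the real request a client would make.

```python
import hashlib
from typing import Callable

# Constructed sample of a range response for prefix "5BAA6": each line is the
# remaining 35 hex characters of a breached SHA-1 hash and a breach count.
# Only the first suffix is a real hash (of "password"); counts and other lines are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000000000000000000000000000000000A:2
ABCDEF0123456789ABCDEF0123456789ABC:17
"""


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple:
    """Return (5-character prefix sent to the server, 35-character suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} mapping; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in known breaches (0 = not found).
    Only the hash prefix leaves this machine; the suffix match happens here."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def offline_fetch_range(prefix: str) -> str:
    """Stand-in for the network call, serving the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def live_fetch_range(prefix: str) -> str:
    """The real request a client makes (not used when running offline)."""
    import urllib.request
    with urllib.request.urlopen("https://api.pwnedpasswords.com/range/" + prefix) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        prefix, _ = split_hash(candidate)
        hits = breach_count(candidate, offline_fetch_range)
        print(f"{candidate!r}: sent prefix {prefix}, seen in breaches {hits} times")
```

To run it against the real service, pass `live_fetch_range` instead of `offline_fetch_range`. Either way, the only thing that leaves your computer is five characters of a hash, which is why a password manager can safely run this check over an entire vault.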

Protecting Your Online Presence is a Three-Step Process

Website security is crucial. But it is also a three-step process. You need to have secure and different passwords throughout the web, make sure you have impossible-to-guess password reset questions, and turn on two-step verification. Then, when you get warned that one of your sites has been hacked, quickly act to change your password on that site. These steps, in combination with a password tool, will make your accounts much safer.
