Chances are you have online accounts that you haven’t used for a long time, maybe years.

The average American has between 70 and 100 online accounts requiring passwords, and many of them are likely dormant and probably forgotten.

When I began writing this story, I checked my bookmarks and found dozens of inactive accounts. I was amazed!

“Old and abandoned—but not deleted—accounts create a major security risk,” said digital security expert Adam Levin, author of Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.

Even though you’re not using those dormant accounts, they may contain a lot of personal information, such as birthdate and mother’s maiden name (used for authentication), cell phone number, email address, credit card and bank account numbers, and possibly Social Security number.

“If those old accounts have weak passwords, and they are still being used on other accounts, this could come back to haunt you, as it puts all of those accounts at risk of being hacked,” Levin told Checkbook.

A new survey by CreditCards.com finds that 80 percent of U.S. adults have re-used online passwords.

Criminals have automated software that tries to use stolen user names and passwords to break into other online accounts. It’s a successful hacking technique called “credential stuffing.”

“Those old accounts may not seem like they have much value to you, but criminals have been passing around those old passwords and keeping track of a lot of those accounts,” said Chester Wisniewski, a principal research scientist at the digital security firm Sophos. “They can mine your old messages and profile information to commit identity theft. These cyberthieves can also pretend to be you to convince friends or family to click a malicious link or surrender their personal information to them.”

Canceling Old Accounts Can Be Challenging

Signing up for an account is easy; canceling can be difficult. Some sites hide this information to discourage you from leaving. Others don’t allow you to delete your account. According to a blog post from Comparitech, a site that tests and compares tech services:

“Many websites now sell user information or incorporate user information into their business practices. What you may find is that instead of allowing you to delete an account, some services instead only let you delete your personal information on the site, while the account itself (including the username and password) are maintained in the system.

To note, this is legally allowed in the U.S. While all U.S. businesses must offer at least two avenues to identify and delete account information—one of which must be a toll-free number—U.S. businesses do not have to delete the account itself. Instead, businesses are allowed to de-identify and aggregate your personal information.”

Some of the major sites that don’t permit account deletion include Barnes & Noble, Netflix, Starbucks, and YouTube, according to Comparitech.

If you run into a roadblock, don’t give up. Call customer service or send an email, or do an internet search for “how to cancel my account.”

Protect Yourself

After you delete those dormant accounts, figure out which other accounts use that same password and change the password on each of them.

You should create a unique password for each account. This is critical because it prevents credential stuffing. If one account is breached, other accounts will not be jeopardized.
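One way to find which accounts share a password, as an added example that is not part of the original article: the Python script below reads a password manager's CSV export and groups accounts by password. The column names (name, url, username, password) and the sample rows are assumptions constructed for illustration; real exports vary.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; column names are an assumption, real exports vary.
SAMPLE_EXPORT = """name,url,username,password
Old Forum,https://forum.example,jdoe,Summer2015!
Bank,https://bank.example,jdoe@example.com,Summer2015!
Streaming,https://video.example,jdoe@example.com,k9#Tz!qLw2@vRx8m
Shop,https://shop.example,jdoe,Summer2015!
Photo Site,https://photos.example,jdoe,hunter2
News,https://news.example,jdoe@example.com,hunter2
"""

def fingerprint(password: str) -> str:
    """Short label for a group, so the report never shows the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:8]

def find_reused_passwords(csv_text: str) -> list:
    """Return groups of accounts that share one password, largest group first."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        password = row.get("password") or ""
        if not password:
            continue  # skip entries with no stored password
        groups[password].append(row["name"])
    reused = [
        {"fingerprint": fingerprint(pw), "accounts": sorted(names)}
        for pw, names in groups.items()
        if len(names) > 1  # a password used once is not reuse
    ]
    # Biggest groups first: one breach there exposes the most accounts.
    return sorted(reused, key=lambda g: (-len(g["accounts"]), g["accounts"]))

if __name__ == "__main__":
    for group in find_reused_passwords(SAMPLE_EXPORT):
        count = len(group["accounts"])
        print(f"{count} accounts share password {group['fingerprint']}:")
        for name in group["accounts"]:
            print(f"  - {name}")
```

An export file holds every password in plain text, so delete it as soon as the check is done.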

“These new passwords should be long and complicated, so they’ll be difficult to remember,” Wisniewski said. But you don’t have to remember them. Just store them in your web browser or use a password manager to keep track of them.

Password management software lets you create strong, unique, and encrypted passwords for each of your online accounts. They’re stored in a digital vault accessible from all your devices. You just need to create (and remember) one master password.

Apple’s embedded password manager is called “Keychain.” Most internet browsers also have them, with options to sync those passwords across multiple devices. While browsers’ “save passwords” features are convenient, they’re not as robust as what you’d get from a dedicated password management program.

Where available, also take advantage of two-factor authentication (2FA). Even the best passwords can be compromised through phishing attacks or data breaches. Two-factor authentication requires a password and a second identifying factor—such as a fingerprint scan or a code sent to your phone, email address or app—to log into that account.

It’s not foolproof, but 2FA can stop most hackers from using a stolen password to access important accounts.

Bottom Line: A weak password with 2FA is better than a strong password without it.

 


Contributing editor Herb Weisbaum (“The ConsumerMan”) is an Emmy award-winning broadcaster and one of America's top consumer experts. He is also the consumer reporter for KOMO radio in Seattle. You can also find him on Facebook, Twitter, and at ConsumerMan.com.