Exec Club account hacked - Avios gone

Old Jul 5, 2020, 4:24 pm
  #31  
 
Join Date: Dec 2001
Posts: 1,034
Originally Posted by golfmad
I’m with you on that. It’s a great product. I also maintain my own personal domain and can use any email address in front of the domain and everything comes into my inbox so I can choose different email addresses for any site if I want to. This also makes it really easy to mark stuff as junk based on the incoming email address.
I use a site-specific email address for each site I register with too. That means if a site gets breached and I start to get emails to a particular address from an unexpected source I know about it and can change the registered address and block the old one. I've recently started to get emails to an address that is specific to Avast, which isn't very encouraging, and I no longer use Avast.
golfmad likes this.
SarahWest is offline  
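
As an added illustration of the site-specific address approach described in the post above (not part of any poster's message): a small Python check that flags an alias as leaked when mail to it arrives from a sender domain other than the site it was issued to. The catch-all domain `example.net`, the alias registry and the sample messages are constructed placeholders.

```python
from email import message_from_string
from email.utils import parseaddr

MY_DOMAIN = "example.net"  # assumed catch-all domain (placeholder)
# Hypothetical registry: alias local part -> domains expected to mail it.
EXPECTED = {
    "airline": {"airline.example"},
    "antivirus": {"antivirus.example"},
}

# Constructed sample messages, not real mail.
SAMPLE = [
    "From: Airline <news@mail.airline.example>\nTo: airline@example.net\n\nstatement",
    "From: Deals <promo@bulk-sender.example>\nTo: antivirus@example.net\n\noffer",
    "From: AV <billing@antivirus.example>\nTo: antivirus@example.net\n\nrenewal",
]

def _split(header_value):
    """Return (local part, domain) of the address in a From/To header."""
    _, addr = parseaddr(header_value or "")
    local, _, domain = addr.lower().rpartition("@")
    return local, domain

def _expected(domain, allowed):
    # Accept the registered domain and its subdomains (mail.airline.example).
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def find_leaked_aliases(raw_messages):
    """Map alias -> unexpected sender domains seen mailing that alias."""
    leaks = {}
    for raw in raw_messages:
        msg = message_from_string(raw)
        alias, rcpt_domain = _split(msg.get("To"))
        if rcpt_domain != MY_DOMAIN:
            continue  # not addressed to one of our aliases
        _, sender = _split(msg.get("From"))
        # Aliases missing from the registry were never issued: always flag.
        if not _expected(sender, EXPECTED.get(alias, set())):
            leaks.setdefault(alias, set()).add(sender)
    return leaks

if __name__ == "__main__":
    # From is spoofable; a production check would also use SPF/DKIM results.
    for alias, senders in find_leaked_aliases(SAMPLE).items():
        print(f"{alias}@{MY_DOMAIN} leaked; seen from {sorted(senders)}")
```

A flagged alias is the signal to change the address registered with that site and block the old one.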
Old Jul 6, 2020, 10:03 am
  #32  
 
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
Originally Posted by SarahWest
Whatever your own opinion may be, the standard professional advice for a very long time has been not to use the same password on different sites, yet that is what the OP did. Ignore that advice at your peril, it's there for a reason.

No, it certainly wasn't the OP's fault that the password he used on a particular site was compromised but it absolutely was down to him that he used the same password across multiple sites. That's what ultimately allowed someone to access his BAEC account and use his Avios. If you are certain that's not his responsibility, please say whose it is. I'll give you a hint; it's not BA's.

Do you also, by any chance, use the same password across multiple sites and expect someone else to pick up the pieces when your password gets compromised? Inquiring minds want to know.
It's your own opinion that you're stating, and that doesn't have much logic behind it. You may be 'down to' changing your passwords regularly and use different passwords, like I do for example and probably have more tech experience than you do, but expecting all others to do it is pretty dictatorial. Is there another agenda behind your ire towards the OP?

Here's a clue for you. No matter what all corporations put in their terms of use, those are their policies and not the law. Policies can be challenged and corporations made to eat them. Like BA was made to roll back the policy about discriminatory seating policies (which links are available on the board). So quoting BA policies like it's written in stone demonstrates naivete. OP didn't give out his password. It was breached from other websites. It's not his fault.

He was here for some help and/or reassurance. Not to be told it's his fault.
Steve in Olympia likes this.

Last edited by LifeontheBeach; Jul 6, 2020 at 10:09 am
LifeontheBeach is offline  
Old Jul 6, 2020, 10:20 am
  #33  
 
Join Date: Sep 2010
Location: Las Vegas
Programs: BA Gold; Hilton Honors Diamond
Posts: 3,226
I have to agree with SarahWest on this. It is basic network security 101 that you should use complex, random, unique passwords and, where possible, leverage MFA. Using separate e-mail addresses for each site is an added layer of security but not everyone has their own domain nor, perhaps, the time or inclination to set up a separate e-mail address for every online vendor. By using a unique password you avoid the situation where a username / password combination harvested from a breach at one site (or guessed - people still continue to use simple, easy to guess passwords) can be used across multiple sites. If I use the same username / password combination across multiple sites then I have only myself to blame for the consequential loss. The hacking of the first site may be outside of my control but the use of the same username / password subsequent to that is, in my view at least, all down to me.

The other concern here isn't simply about usernames and passwords but it's also about all the other personally identifiable information that can be harvested and changed, or used for further - large scale - identity theft and fraud. In the case posted by the OP it was theft of Avios which were then used to buy wine. However, the criminal could easily have acquired other personal data such as home addresses, e-mail addresses, date of birth etc. That can then be used for social engineering elsewhere.
Geordie405 is online now  
Old Jul 6, 2020, 12:06 pm
  #34  
 
Join Date: Dec 2013
Location: Near the Beach.
Posts: 202
Originally Posted by Geordie405
I have to agree with SarahWest on this. It is basic network security 101 that you should use complex, random, unique passwords and, where possible, leverage MFA. Using separate e-mail addresses for each site is an added layer of security but not everyone has their own domain nor, perhaps, the time or inclination to set up a separate e-mail address for every online vendor. By using a unique password you avoid the situation where a username / password combination harvested from a breach at one site (or guessed - people still continue to use simple, easy to guess passwords) can be used across multiple sites. If I use the same username / password combination across multiple sites then I have only myself to blame for the consequential loss. The hacking of the first site may be outside of my control but the use of the same username / password subsequent to that is, in my view at least, all down to me.
I agree 100% that these precautions need be taken. Apart from strong passwords and separate emails for different sites, specific devices are to be used exclusively for Banking and financial activities and not for browsing online so that those are recognized by the security architecture. I don't trust the password manager sites as those could be breached too and will then give up *every one* of the site/password combinations stored in them.

My point was that we can't expect ALL people to be so technologically aware. There will be some who are not able to do so for various reasons e.g. time constraints, medical conditions, maturity etc. That should not result in their getting blamed for a breach they didn't initiate.

Last edited by LifeontheBeach; Jul 6, 2020 at 12:11 pm
LifeontheBeach is offline  
Old Jul 7, 2020, 12:35 am
  #35  
 
Join Date: Jan 2012
Location: OC, CA
Programs: AA EXP, 2MM, HH Diamond
Posts: 831
Originally Posted by LifeontheBeach
I agree 100% that these precautions need be taken. Apart from strong passwords and separate emails for different sites, specific devices are to be used exclusively for Banking and financial activities and not for browsing online so that those are recognized by the security architecture. I don't trust the password manager sites as those could be breached too and will then give up *every one* of the site/password combinations stored in them.

My point was that we can't expect ALL people to be so technologically aware. There will be some who are not able to do so for various reasons e.g. time constraints, medical conditions, maturity etc. That should not result in their getting blamed for a breach they didn't initiate.
I agree that it may not be reasonable to expect all people to be tech-aware, but that doesn’t mean we should absolve them of such responsibility. Given how such recommendations have been repeated 100s of times in numerous settings (including non-tech settings) I am not inclined to give someone a pass so easily. Time constraints - really? You need to make time for things that are important like this, precisely because these kinds of breaches are prone to happen and the fact that those breaches aren’t your fault doesn’t change the outcome. What you are labeling “dictatorial” I think we need to be changing to “common sense” in this day and age.
hbtr is offline  
Old Jul 7, 2020, 1:27 am
  #36  
 
Join Date: Jan 2008
Posts: 3,835
This thread has taken a frankly ridiculous direction. Yes, people shouldn’t re-use passwords but expecting people to use site specific email addresses is utterly unrealistic.

We’re talking about the company that had one of the biggest data breaches in UK history, received the biggest fine ever and made £3.3bn in profit and still couldn’t be bothered to implement 2FA.

The customer is not the problem here.
Kgmm77 is online now  
Old Jul 7, 2020, 2:50 am
  #37  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 18,600
Originally Posted by LifeontheBeach
I don't trust the password manager sites as those could be breached too and will then give up *every one* of the site/password combinations stored in them.
Even if somebody hacked a password manager site, the passwords are all encrypted, so it wouldn't be any use unless they had the master password. The master password is not stored serverside.
DYKWIA is offline  
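
As an added sketch of the design described in the post above (not part of any poster's message, and not any particular product's scheme): the client stretches the master password into keys, encrypts the vault locally, and uploads only salt, nonce, ciphertext and tag. The iteration count and the HMAC-based keystream are assumptions chosen so the example runs on the Python standard library; a real client would use a vetted AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor

def _keys(master_password, salt):
    """Stretch the master password, then split into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)
    enc = hmac.new(root, b"enc", hashlib.sha256).digest()
    mac = hmac.new(root, b"mac", hashlib.sha256).digest()
    return enc, mac

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream: stdlib stand-in for an AEAD cipher.
    stream = b""
    for counter in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password, plaintext):
    """Client side: returns the only fields the server ever receives."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc, mac = _keys(master_password, salt)
    ct = _xor_stream(enc, nonce, plaintext)
    tag = hmac.new(mac, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def open_vault(master_password, blob):
    """Client side: None if the password is wrong or the blob was altered."""
    enc, mac = _keys(master_password, blob["salt"])
    want = hmac.new(mac, blob["salt"] + blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, blob["tag"]):
        return None
    return _xor_stream(enc, blob["nonce"], blob["ct"])

if __name__ == "__main__":
    vault = b'{"airline.example": "constructed-password"}'  # constructed sample
    stored = seal_vault("correct horse battery staple", vault)
    print(open_vault("correct horse battery staple", stored) == vault)
    print(open_vault("guess123", stored))
```

Anyone holding the stored blob can still try master passwords offline, so the protection is only as strong as the master password and the work factor.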

