The Keys to Everything You Are

There’s a particular kind of vertigo that hits when you realize your passwords aren’t really yours anymore. In January 2019, security researcher Troy Hunt published findings about a dataset called Collection #1—773 million email addresses and around 22 million unique passwords, assembled from hundreds of older breaches and circulating freely on hacking forums. Not a fresh attack. Just the accumulated wreckage of years of careless databases and cracked hashes, finally collated into something convenient for whoever wants it.

I went to Have I Been Pwned. My email appeared in seven breaches. I knew about two of them.

The weird part isn’t the number. It’s the ordinariness of it. These weren’t government secrets or corporate espionage targets. They were people who signed up for a coupon site in 2014 or used the same password on LinkedIn that they used everywhere else. The breach doesn’t feel like a crime. It feels like entropy—like your keys slowly duplicating themselves in strangers’ pockets while you go about your day.

The advice—change your passwords, use a password manager, enable two-factor authentication—is correct and also feels like telling someone to wear a seatbelt after the crash. I use a password manager now. I’ve used one for years. It still feels like I’m building a stronger lock on a house with too many doors I’ve already forgotten about.

What bothers me most is the permanence. These things don’t expire. A password leaked in 2012 is still a password leaked in 2012. The data ages but doesn’t die. Somewhere in a database, a version of me from a worse-password era is still exposed, still answering security questions about a first pet with the same words I’d use now. Identity as sediment. The self as a thing that accumulates vulnerabilities it can’t shed.