Well, yet another data breach from yet another business that couldn’t afford top-shelf security, or didn’t understand the need for it. At this point, I think we should probably assume that all our data has been stolen, and it always will be.

We’ve focused for a long time on the idea of “let’s keep our information secure,” and it hasn’t been too long before we started to admit defeat with ideas like, “don’t use the same passwords on every site, so that if one is breaches, the others remain secure.” I think it’s probably time to move to an assumption that nothing can stop our data from being stolen.

That can actually change how you act.

For example, consider making everyone in our life invest in a password manager of some kind – even if, God help us all, that’s a paper journal you buy on Amazon. We really do need distinct passwords for each site, and they need to be phrases like “I-am-Using-Twitter-Right-Now-12345” or something. Forget 8 characters; make ’em long. Doing so makes it significantly harder for bad guys with hash tables to reverse-engineer your password, should they obtain hashes in a breach.

Press everyone to use tap-to-pay whenever possible, and kvetch to local merchants who don’t yet support tap-to-pay. NFC payment systems create a unique, per-transaction code that’s essentially useless anywhere else. If that number gets captured in a breach, it doesn’t matter. More websites need to start accepting Apple/Samsung/Whatever Pay as well, so that we’re not asking them to store permanent credit cards which will eventually be breached.

When asked to create “security questions” for account recovery (“what’s your mother’s maiden name?”), use a distinct, fake answer for each website, and note those in your password management tool or journal. For example, I’ve one website where my “mother’s maiden name” is DarthAvon. But there’s more you can do to protect yourself than making fun of Mom.

Read More