We all know how the regular lottery works. You buy a ticket, you hope your number comes up, and if it does, your life changes for the better.

There’s another lottery running every single day that almost nobody realizes they’re entered in. I call it the reverse lottery. Same idea - you’re buying tickets and entering a drawing - except when your number comes up, you don’t win. You get compromised. You get ransomed for your own data. You get everything digitally stolen out from under you. The “prize” is a very bad week, a big bill, and sometimes a business that never fully recovers.

Here’s the part that gets me: most people have no idea how many tickets they’re buying. Some folks buy one or two a day. Some businesses I walk into are buying a fat stack every morning before the coffee’s even done. The more tickets you hold, the more likely your number gets drawn.

So let’s talk about how people buy tickets - and how to stop.

A spreadsheet named “passwords” (worth multiple entries)

I cannot tell you how often I see this. A file on the desktop, or a shared drive, called passwords.xlsx or passwords.docx. Every login the business has, sitting in plain text, ready to copy and paste.

This one isn’t a single ticket. It’s a whole book of them. If anyone gets onto that computer - a piece of malware, a thief, a disgruntled employee, someone who clicked the wrong link - they don’t get one account. They get everything in one shot. I see it in businesses and in homes constantly, and it always surprises me how casually people leave it sitting there.

If you’ve got a file like this, that’s the first thing to fix today.

Passwords saved in your browser

Chrome, Edge, Firefox - they all offer to “save your password,” and it’s convenient, so people say yes to everything. The problem is that browser-stored passwords are nowhere near as protected as people assume. Malware is specifically written to scrape them, and if someone gets onto your machine, those saved logins are some of the first things they walk away with.

Passwords belong in one of two places: an encrypted password manager vault, or written on paper kept somewhere genuinely safe. Anywhere else - the browser, a notes app, a sticky note on the monitor - is another ticket in the drawing.

Not turning on two-factor authentication

Two-factor authentication (2FA) is the code from an app or a text that you enter after your password. It means that even if someone steals your password, they still can’t get in without the second step.

Every account that offers 2FA and doesn’t have it turned on is a ticket. Email, banking, Microsoft 365, your password manager itself - turn it on everywhere you possibly can. This one habit blocks the overwhelming majority of account takeovers I see, and most of the time it takes about two minutes per account to set up.

Weak, short, or reused passwords

Three versions of the same bad habit, and each one is its own ticket:

  • Weak passwords - anything guessable, anything based on a dictionary word, anything that is easy for you to remember is also easy for a computer to crack.
  • The same or similar passwords - when one site gets breached (and they all eventually do), attackers take that password and try it everywhere else. If you reuse it, one breach unlocks your whole life.
  • Anything under 14 characters - length is what actually makes a password hard to crack. Short passwords fall in seconds to modern tools, no matter how clever they look.

A password manager solves all three at once. It generates long, random, unique passwords for every account and remembers them so you don’t have to.
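As an added illustration (not part of the original post), this Python audit runs the three checks above over a constructed, made-up password inventory and shows why length dominates crack time; the guess rate, word list and sample entries are all assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample inventory, the kind of thing a "passwords.xlsx" holds.
# Made-up entries for illustration only, not real credentials.
SAMPLE_INVENTORY = [
    ("email",  "Summer2023!"),
    ("bank",   "Summer2023!"),
    ("m365",   "Summer2024!"),
    ("vpn",    "hunter2"),
    ("router", "Tq7#mB2!pL9@xR4w"),
]

MIN_LENGTH = 14                      # the 14+ character floor from the post
COMMON_WORDS = {"summer", "hunter", "password", "welcome"}  # tiny constructed list
# Assumed offline guess rate (a round figure for a GPU rig against a fast hash),
# used only to show that length, not cleverness, drives crack time.
GUESSES_PER_SECOND = 1e10

def charset_size(pw):
    """Size of the alphabet an attacker must search, from the classes present."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def brute_force_seconds(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace at the assumed guess rate."""
    return charset_size(pw) ** len(pw) / rate

def normalize(pw):
    """Collapse trivial variations (case, trailing digits/symbols) so that
    Summer2023! and Summer2024! are recognised as the same password."""
    return re.sub(r"[0-9!@#$%^&*]+$", "", pw.lower())

def audit(inventory, min_length=MIN_LENGTH):
    """Return {account: [issues]} for the three habits the post describes."""
    findings = defaultdict(list)
    by_base = defaultdict(list)
    for account, pw in inventory:
        base = normalize(pw)
        by_base[base].append(account)
        if len(pw) < min_length:
            findings[account].append("short")
        if base in COMMON_WORDS:
            findings[account].append("word-based")
    for accounts in by_base.values():
        if len(accounts) > 1:            # same or near-identical password elsewhere
            for account in accounts:
                findings[account].append("reused")
    return dict(findings)

if __name__ == "__main__":
    for account, issues in audit(SAMPLE_INVENTORY).items():
        print(f"{account}: {', '.join(issues)}")
```

At the assumed rate the 7-character "hunter2" falls in under ten seconds, while the 16-character router password would take longer than the age of the universe to exhaust.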

Skipping security updates

Those update notifications you keep clicking “remind me later” on? A lot of them are patching security holes that attackers already know about and are actively using.

When you put off updates - on Windows, on your browser, on your phone, on the software you run your business with - you’re leaving a door unlocked that the bad guys already have the address for. Every month you delay is another stack of tickets. Turn on automatic updates where you can, and don’t keep running software that’s so old it doesn’t get updates anymore.

No “immutable,” ransomware-safe backups

This is the big one, because it’s the difference between a ransomware attack being a bad day versus the end of your business.

Regular backups aren’t enough anymore. Modern ransomware goes hunting for your backups first and encrypts or deletes them before it locks up your main systems - so when you go to restore, there’s nothing to restore from. The fix is immutable backups: copies that, once written, physically cannot be changed or deleted by anyone, even an attacker with full access to your network.

If your backup can be reached and erased from the same computer that got infected, it’s not really a safety net. It’s just another ticket.

A few more tickets people don’t think about

The six above are the big ones, but the drawing has plenty of other entries:

  • Clicking links and opening attachments in emails you weren’t expecting - phishing is still the number one way attackers get in the door.
  • Texting or emailing passwords to coworkers or family instead of sharing them through a secure vault.
  • Using public Wi-Fi for anything sensitive without protection.
  • Running as an administrator all day for everyday work, so any malware you catch inherits full control of the machine.
  • Letting old employee accounts stay active after someone leaves.
  • Using the same password for work and personal accounts, so a breach of one becomes a breach of both.

How to stop buying tickets

You’re never going to get your odds to zero - nobody can. But you can hand back almost all of your tickets, and the goal is simple: be a harder target than the next business, which is usually enough for an attacker to move on.

Start here:

  1. Delete that passwords file and get a real password manager.
  2. Move your passwords out of the browser and into the vault.
  3. Turn on 2FA everywhere it’s offered.
  4. Replace weak and reused passwords with long, unique ones (14+ characters).
  5. Turn on automatic security updates.
  6. Set up immutable, ransomware-safe backups and test that they actually restore.

Do those six things and you go from holding a stack of tickets every day to holding almost none.

If you’re not sure how many tickets your business or household is buying right now, that’s exactly the kind of thing we look at. DarkHorse IT can walk through your setup and tell you precisely where your exposure is - before your number comes up.