Has your password been compromised?
January 29, 2019 at 6:35 PM
Over the past 10 years there have been a number of notable data breaches, each exposing large amounts of personal data. In many cases that data included the usernames, email addresses and passwords people used to log in to the affected websites.
You may have noticed a common scam email that is going around, which seems to have grown in popularity since the airing of the Black Mirror episode Shut Up and Dance. The email explains that your PC or laptop has been compromised and that the attacker has recorded a video of you "in the act" through your webcam. They then present you with your "password" before blackmailing you into transferring them a large sum of cash, or else they will send the video to everyone in your contact list. The recipient recognises the password as one they use to log in to their email or laptop, concludes that the attack is genuine, and pays up.
But if your machine was never compromised, how did the attacker obtain your password? They took it from one of the earlier major data breaches. Because a large proportion of people use the same password for everything they log in to, there is a good chance that the password presented to you is the same as, or close to, your current email or laptop password. The attacker is simply chancing his arm that you are one of those users who has been reusing the same password since the invention of the internet.
How to tell if your password has been compromised
Fortunately, there is a straightforward way of finding out whether your account was included in one of the major data breaches. HaveIBeenPwned.com lets you enter your email address and reports which known breaches (and therefore which websites) that address appears in. The same site also offers a Pwned Passwords service that checks whether a password appears in the breached password corpus, and it does this without ever receiving the password itself: your browser sends only the first five characters of the password's SHA-1 hash and compares the rest locally.
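The following is an added example, not code from the original post or from HaveIBeenPwned, showing how the Pwned Passwords "range" lookup works: only a five-character hash prefix leaves the client, and the suffix match happens locally. The endpoint `https://api.pwnedpasswords.com/range/{prefix}` is the real one, but the demo runs offline against a constructed sample response (the counts in it are made up); `pwned_count`, `fetch_range_offline` and the other function names are this example's own.

```python
import hashlib
import urllib.request

# Real endpoint of the Pwned Passwords range API. The client sends only the
# first five hex characters of the SHA-1 hash, so the service never learns
# the full hash or the password (the "k-anonymity" model).
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into (prefix, suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response: one 'SUFFIX:COUNT' entry per line."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """Return how many times the password was seen in breach data (0 = never).

    fetch_range(prefix) must return the response body for that hash prefix.
    Only the prefix leaves this function; the suffix comparison is local.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Fetch a range from the live API (not used by the offline demo)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the SHA-1 of "password"
# begins 5BAA61E4...). Counts are invented for the demo; the real service
# returns hundreds of suffixes for every prefix.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F5C0A7B6E7E4F1D9C3B2A1908F7E6D5C4B:2",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes behave as 'no matches'."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        n = pwned_count(candidate, fetch_range_offline)
        if n:
            print(f"{candidate!r}: seen {n} times in sample breach data")
        else:
            print(f"{candidate!r}: not in sample breach data")
```

To query the live service, pass `fetch_range_online` instead of `fetch_range_offline`; the password itself is still never transmitted, which is what makes this safe to use on a password you actually intend to keep.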
Securing your password
In an ideal world you would have a unique, strong password for every login (at least 8 characters, and preferably much longer: extra length does far more for strength than forcing a mix of upper and lower case letters, digits and special characters). That alone greatly reduces your chances of being compromised, but in the real world remembering all these passwords is challenging, which in turn leads people to write them down where they can fall into the wrong hands.
If you want unique passwords without writing them down, we would recommend storing them in an encrypted database such as KeePass. KeePass is free software that keeps your passwords in an encrypted database file protected by a single master password, optionally combined with a key file. Obviously you then need to make sure that the database file and master password are not compromised, or an attacker has every login you own, so the master password should be long and used nowhere else.
Another recommended way of preventing unauthorised access is to enable multi-factor authentication (MFA) wherever it is offered. With MFA you register a device such as your phone or tablet with the account, alongside your password. When you log in to your email, for example, you must also enter a one-time code, either sent to the device by SMS or generated by an authenticator app on it. An attacker then needs both your password and access to your device to get in. Where you have the choice, prefer an app-generated code: SMS codes can be intercepted if an attacker persuades your mobile provider to move your number to their SIM.
If you would prefer not to use a password database, MFA isn't an option, and remembering a trailer full of passwords isn't feasible, then there is a compromise. First, pick 2-3 secure passwords (see the next section for choosing a password). Take one of these passwords and assign it only to your email account. The reason I recommend assigning one password to your email alone is that your email address is usually where all your password resets are sent. If your email account is compromised, then essentially every account registered to that address can be compromised too. The next password you may wish to assign to online banking, PayPal or anything that stores your card details for purchases. The final password you can use for the less critical accounts such as online forums or social media. Feel free to create more passwords and split your accounts into further groups, but accept that this is weaker than unique passwords: if one forum in the low-importance group is breached, every account in that group is exposed. At the very least, always keep your email password unique.
Choosing a password
There was a time when the recommended practice was to change your password every 30-90 days. More recently this has been deemed ineffective for the reasons below:
- Changing your password frequently makes you more likely to forget it, which encourages you to write it down or keep it simple.
- Users tend not to make major alterations to a password during a forced change, and may just increment a digit on the end. For example, if your password was "Donkey13" 30 days ago, there is a good chance it is now "Donkey14", which an attacker holding the old one will try first.
- If an attacker gains access to your account the day after you change your password, they still have up to 90 days of access before the next change, and an attacker who reads your email or copies your data does not need 90 days anyway.
It is now recommended that you pick a strong password that is impractical to crack and keep it until you have reason to believe it has been exposed, for example because it turns up in a breach. When creating a password you want something strong enough that it cannot be brute forced, but easy enough for you to remember.
A method I like to use is to pick 2 random words, combine them, and add a 2 to 4 digit number on the end. For example, "MonkeyAddress7121". This sort of password is easy to remember, and three or more words instead of two makes it considerably stronger against dictionary attacks.
So how can you tell if your password is strong? There are plenty of tools you can use to estimate this. One of my favourites is howsecureismypassword.net. When you access the website, you enter a password into the box and it estimates how long it would take someone with currently available computing power to brute force it; for "MonkeyAddress7121" it reports approximately 2 trillion years. The longer the better. Two caveats apply to any such estimator. First, the figure assumes a blind brute force over every possible character, whereas real attackers also try combinations of dictionary words plus digits, which covers a two-word-and-number pattern in vastly fewer guesses, so treat the estimate as an upper bound. Second, never type a password you actually use into a third-party website; test a password with the same structure instead.
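To make the first caveat concrete, the following is an added example (not code from the original post or from howsecureismypassword.net) comparing the brute-force keyspace that such estimators model with the number of guesses a "two dictionary words plus digits" attack needs. The guess rates and the 10,000-word dictionary size are assumptions chosen for illustration; the function names are this example's own.

```python
import string

# Assumed guess rates (guesses per second) for illustration only: roughly a
# single modern GPU against a fast unsalted hash such as MD5 or NTLM, versus
# a deliberately slow password hash such as bcrypt at a moderate cost.
FAST_HASH_RATE = 1e10
SLOW_HASH_RATE = 1e5

CHARACTER_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
]


def brute_force_guesses(password: str) -> int:
    """Worst case for an attacker who knows only which character classes
    appear: alphabet_size ** length. This is the model behind the
    'trillions of years' figures that online estimators report."""
    alphabet = sum(len(cls) for cls in CHARACTER_CLASSES
                   if any(c in cls for c in password))
    return alphabet ** len(password)


def combinator_guesses(word_count: int, dictionary_size: int, digit_count: int) -> int:
    """Attacker who guesses the *pattern* instead: `word_count` words drawn
    from a dictionary of `dictionary_size` entries, followed by `digit_count`
    digits. Capitalisation of each word is assumed to be a fixed rule."""
    return dictionary_size ** word_count * 10 ** digit_count


def seconds_to_exhaust(guesses: int, rate: float) -> float:
    """Time to try every guess at the given rate (expected time is half this)."""
    return guesses / rate


def human_time(seconds: float) -> str:
    year = 365 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:.3g} years"
    if seconds >= 3600:
        return f"{seconds / 3600:.3g} hours"
    return f"{seconds:.3g} seconds"


if __name__ == "__main__":
    pw = "MonkeyAddress7121"
    bf = brute_force_guesses(pw)
    cb = combinator_guesses(word_count=2, dictionary_size=10_000, digit_count=4)
    print(f"brute force keyspace : {bf:.2e} guesses ->",
          human_time(seconds_to_exhaust(bf, FAST_HASH_RATE)), "(fast hash)")
    print(f"2 words + 4 digits   : {cb:.2e} guesses ->",
          human_time(seconds_to_exhaust(cb, FAST_HASH_RATE)), "(fast hash)")
    print(f"2 words + 4 digits   : {cb:.2e} guesses ->",
          human_time(seconds_to_exhaust(cb, SLOW_HASH_RATE)), "(slow hash)")
```

Under these assumptions the brute-force model gives a figure in the trillions of years, while the pattern attack exhausts every two-word-plus-four-digit candidate in about 100 seconds against a fast hash. Adding a third word multiplies the pattern attack's cost by the dictionary size, which is why longer passphrases are recommended.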
To summarise, the below points should assist you in ensuring that your accounts are secure:
- Check HaveIBeenPwned.com to find out whether any of your accounts appear in a known breach. If they do, change the passwords for those accounts and for anywhere else you reused them.
- If you have been using the same password for a long time and it is weak or has been exposed, change it.
- Use HowSecureIsMyPassword.net to get a rough idea of how strong a new password is, testing a password with the same structure rather than the real one, and remember that the estimate assumes a blind brute force.
- If you have a lot of passwords to remember, then consider using a password manager such as KeePass.
- If you have been using the same password for all your accounts, and you don't want to use a password manager, then consider grouping your accounts based on importance, and use a unique password for each group.
If you would like any further information on this topic or require any other assistance, please contact firstname.lastname@example.org
By Chris Walters