2019-03-02

You've been Pwned!

Another day, another data breach. Emails, passwords hacked and put online for sale. The breaches have become so common that we don't pay attention anymore. Old news. Yawn. You get an email asking you to change your password. You go to the offending website, change your password and then forget about it - feeling safe in the knowledge that you've protected yourself from those fiendish hackers.

But wait. That's not nearly enough.

Ask yourself - do you use the same email and password combination on any other site? What about that cheepo.com service you signed up for 3 years ago using the exact same strong password as your bank website?

The email didn't mention that, did it?

Here's the problem. Anyone can take your email and password combination and use it to get access to your secure bank website. "Hello sir/madam, welcome back. Take all you want. It's been great doing business with you. Bye".

So what can you do about it?

First, find out if your account has been compromised in a data breach. Head over to the free service Have I Been Pwned and check every email address you use to log into websites. If any email has been compromised - you know that you will need to go to every site with the same email/password combination and change your password.

Second, make a list of all the sites you use. Update the passwords now. If you must use the same password on multiple sites (because you just can't remember all the different passwords you have to use) - then separate the sites by category - like finance, media, social etc. - and then use a separate strong password for each category. Unfortunately some sites insist on fixed length passwords which can limit your options.

Third, if the site is using two-factor authentication (2FA) - then use it. That will ensure that a breached password won't be enough to log in on its own.

Finally, start using a secure password manager like 1Password - a family account is cheaper per month than a Starbucks fancy mocha - and worth every penny if any service provider you use is compromised in the future.

If that proves too expensive, Google Chrome has a new strong password generator feature. If you let Chrome create the strong password, and Google sync is turned on - the password will be available from any Chrome browser you log in with.
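
The first two steps above come down to finding every login that shares an email/password pair with the breached site. Here is that audit run over a password export, added as an example and not part of the original post; the CSV column names and all sample rows are constructed assumptions:

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; column names are assumed, adjust to your manager's CSV.
SAMPLE_EXPORT = """name,url,username,password
cheepo.com,https://cheepo.com,me@example.com,Tr0ub4dor&3
My Bank,https://bank.example,me@example.com,Tr0ub4dor&3
Video Site,https://video.example,me@example.com,correct-horse-7
Forum,https://forum.example,other@example.com,Tr0ub4dor&3
Social,https://social.example,me@example.com,correct-horse-7
News,https://news.example,me@example.com,unique-pass-91
"""

def _key(username, password):
    # Group on a digest so plaintext passwords never become dict keys or output.
    combo = f"{username.strip().lower()}\0{password}"
    return hashlib.sha256(combo.encode()).hexdigest()

def load_accounts(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))

def reuse_groups(accounts):
    """Return lists of site names that share one email/password combination."""
    groups = defaultdict(list)
    for row in accounts:
        groups[_key(row["username"], row["password"])].append(row["name"])
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

def exposed_by(accounts, breached_site):
    """Sites whose login is the same email/password pair as the breached site's."""
    keys = {_key(r["username"], r["password"])
            for r in accounts if r["name"] == breached_site}
    return sorted(r["name"] for r in accounts
                  if r["name"] != breached_site
                  and _key(r["username"], r["password"]) in keys)

if __name__ == "__main__":
    accounts = load_accounts(SAMPLE_EXPORT)
    print("Change after a cheepo.com breach:", exposed_by(accounts, "cheepo.com"))
    for group in reuse_groups(accounts):
        print("Shared login:", group)
```

An export like this holds plaintext passwords, so run the audit locally and delete the file once the reused logins have been changed.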
