Is your password also mine?

Password theft is a very common problem on the Internet and nearly everybody either knowingly or unknowingly becomes a victim of it. So, how do you check this and how do you protect yourself against it now and in the future?

When people with bad intentions get hold of your password, they can take over the account associated with that password and start abusing the service behind it: for instance, order goods with your credit card on Amazon or bol.com, access your work accounts, delete your online photo archive, read all your emails, send messages to your contacts in your name, or even take over your entire online presence.
Unfortunately, it usually doesn’t stop with a single site or service, because many people use the same password on multiple sites or simply everywhere, meaning that those accounts can be taken over as well within minutes of the attacker obtaining your password. Your email account is usually your most precious service, as almost all online services use it as part of their ‘Forgotten Password’ process. For an attacker, gaining access to your email account in most cases means gaining complete access to your online life.

There are two main techniques by which criminals get hold of your password. The first is a direct technique that lures people, for instance through phishing, to fake sites that look identical to the original and ask you to enter your credentials. The second is a more indirect approach in which criminals breach companies and steal their data, including customer/user information such as contact details, credentials, and other personal information. In many cases, this breach data is afterwards released or sold on the underground Internet.

Luckily there are organizations with good intentions that are harvesting all available breach data that can be found on the web and make it available to the public to test whether your email address has been found in one or more breaches and whether your password can be found in them.

The most famous site for this is “Have I Been Pwned?”. The name is based on the hacker jargon “pwn”, which means “to compromise or take control, specifically of another computer or application.”

The home page allows you to enter your email address, after which the site shows you all known data breaches that contained at least your email address and what other information, such as your password, was leaked in each of them.

It is recommended to check all email addresses that you have used in the last decade and to immediately change the password for every identified site that has been breached; in the example above, that means immediately changing your Dropbox and MyFitnessPal passwords. Since many of us use the same password on multiple sites or even everywhere, this check alone isn’t enough. Especially if you have been sharing the same password amongst sites, it is also recommended to check whether any of your active passwords has been found in a known breach. To do this, click Passwords on the homepage and fill in the password that you want to check.

When your password has been seen in a breach, you will receive a screen like this:

If your password has been seen before, you should change it everywhere it is used. If your password is 1234 or something equally simple, you are almost certainly going to find a match. That match is not necessarily linked to you, but it is certainly a reason to change the password immediately and start using passwords that are sufficiently strong. This is because attackers use these leaked password lists in password guessing attacks, so you are vulnerable to such attacks if you did not use a strong password.
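As an added example (not code from the original article or from Have I Been Pwned), this is how the same Pwned Passwords check is done by tools that do not want to send your password anywhere: the password is hashed locally with SHA-1 and only the first five characters of the hash are sent to HIBP’s range API, after which the matching happens on your own machine. The range response used below is constructed so the example runs offline; `fetch_range` is the optional live lookup.

```python
import hashlib
from typing import Dict

# Added example, not from the original article. Only the 5-character hash
# prefix ever leaves your machine; the full hash and the password stay local.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for one hash prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password was seen in breaches, given the response for its
    prefix. Returns 0 when its 35-character hash suffix is not listed."""
    digest = sha1_hex(password)
    suffix = digest[5:]
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network): sends only the 5-character prefix."""
    import urllib.request
    with urllib.request.urlopen(RANGE_API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_sample() -> str:
    """A constructed (not real) range response: the suffix of '123456' with a
    made-up count, surrounded by two made-up suffixes."""
    suffix = sha1_hex("123456")[5:]
    return "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{suffix}:1000",
        "0045B8D9A4F9D6A0B2D6E6F3C1D1E1F1A2B:3",
    ])


if __name__ == "__main__":
    body = constructed_sample()  # swap for fetch_range(sha1_hex(pw)[:5]) online
    print("123456 seen:", breach_count("123456", body))  # → 1000
```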

What is a strong password and how can you protect yourself better if even your strong password gets stolen somewhere?

  • Turn on multi-factor authentication whenever possible for valuable services, because your password, even a strong one, is still weak when it is stored in the clear or compromised via the direct method described previously. All important and well-known Internet services such as LinkedIn, Hotmail/Outlook, Google, Facebook, Instagram, and many others support this without making it difficult for the user;
  • A password should only be used once;
  • It should be sufficiently strong, meaning at least 8 characters with a mixture of upper- and lower-case letters, numbers, and symbols;
  • Using a passphrase, which is a password made up of multiple words that are hard to guess but easy to remember, is an even better option if the phrase is long enough.

Since the number of services we use keeps growing, it has become impossible to remember all of those strong passwords or even passphrases. That’s why it is best practice to use a password manager instead. A good password manager creates and stores a password for you each time you create a new account on a website, making sure that it is sufficiently strong and secure. When you log in to a website, it automatically fills in your credentials and logs you in. Most password managers are cloud-based, allowing you:

  • To securely share your passwords amongst all your devices;
  • To allow emergency access for e.g. family members;
  • To use additional features such as automatic checks against sources like “Have I Been Pwned”, and secure storage of your credit card details, passport and ID card information.

When selecting a password manager, make sure to use a well-known service (e.g. Dashlane, LastPass, 1Password, …) that has good reviews and works on all your devices. Don’t go for an unknown or ad-supported service. Your password manager holds the keys to your most valuable information, so you need to select one that is known for good security and is backed by a financially healthy company.

Once you have installed your password manager, make sure to have a secure backup and a sufficiently strong password for protecting the password manager itself.

Last but not least, subscribe yourself to the alerting service of Have I Been Pwned. The service will alert you when your email address is found in any future breach.

When you are the owner of a domain name, you can search for, and get alerts about, all email addresses within that domain name:

Stay safe by keeping your passwords secure and only known to you, and when available, always use multi-factor authentication. Don’t do this only for yourself but also include your family members and kids’ accounts. Most password managers offer family accounts that can accommodate this.