Have you been “pwned”?
While only a few make the news, organizations across the world are being breached every day with over 7 billion credentials and identities leaked in the last decade. In 2012 and 2014, breaches of LinkedIn, Dropbox, and Yahoo exposed email addresses and passwords of 732,000,000 users alone!
These breaches are so frequent and so public that Troy Hunt created a website as a public service that collects publicly exposed records and lets you search to see if your accounts have been included in any major breaches. (Don’t worry - the site only lists IF you were included in a dump of exposed information; it doesn’t actually share the data of yours that was exposed!)
The website is https://haveibeenpwned.com
All you have to do is enter your usernames and emails and it will list any breaches that included your credentials. Give it a try, see if you’ve been pwned*!
* Huge disclaimer! If your email or username is not listed here, that is not a guarantee that it HASN’T been exposed! No results here only means that your credentials are not in any of the major breaches that this website has yet added to its database.
The frequency of breaches and the fact that exposed data is so widely available highlights the importance of adopting a password policy that prohibits password reuse. Password reuse means using the same or similar passwords for multiple logins across different sites and systems.
As an example, say I set my password for my personal online bank account to 7*}Puej29X]zkoXR>#g4iG3z@/c8R6
This is a 30-character password containing a strong mix of uppercase, lowercase, numbers, and symbols that does not correspond to any dictionary words. On its own, this is a very strong password that is extremely difficult to guess or crack!
However, let’s assume that I also used that same password for my Dropbox account, and my password was included in the 68 million records that were exposed in the Dropbox breach in 2012. Regardless of how strong my password is, now it is exposed as part of a massive list along with my email address. My password is now public knowledge!
Cybercriminals take these lists and write special computer programs that comb the internet and try to log into different websites using the same username and password from these massive breach dumps, tracking what works and what does not. Because I reused my password on multiple sites, the failure of one company to secure my password has resulted in my security being compromised on every single other website where I used that same password - and I won’t even know until it is too late!
For this reason, you should NEVER reuse a password between sites. Any website or organization is susceptible to a breach, and it may only be a matter of time before that password gets out and compromises your personal and professional security.
As an aside: Using similar passwords with slightly different numbers across different websites (e.g. password22 on one site, password23 on another) is a form of password reuse and should be avoided. Password cracking software can automatically apply slight modifications when testing passwords, so once it has obtained your original password it will find common variations like this.
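As an added illustration (not code from the original post), here is a small Python policy check that rejects a new password when it is a cosmetic variant of a previously used one, or when it appears in a constructed sample of breached passwords; the breach corpus, the leetspeak table and the 14-character minimum are assumptions made for this example.

```python
import hashlib
import re

# Constructed sample corpus of passwords known to be exposed in breach dumps.
# A real corpus (billions of entries) is stored as hashes, so we hash these too.
# The third entry is the "strong" password from the text, treated as exposed
# in the Dropbox dump exactly as the post describes.
BREACHED_HASHES = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password22", "letmein", "7*}Puej29X]zkoXR>#g4iG3z@/c8R6")
}

# Leetspeak substitutions that cracking tools try automatically (assumed set).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

def normalize(pw: str) -> str:
    """Reduce a password to the 'core' an attacker's mutation rules would
    recover: lowercase, drop leading/trailing digits and symbols, undo leet."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # password22 -> password
    core = re.sub(r"^[^a-z]+", "", core)   # 2023password -> password
    core = core.translate(LEET)            # p4ssw0rd -> password
    return core or pw.lower()              # all-digit passwords keep their value

def is_variant(new_pw: str, old_pw: str) -> bool:
    """True when new_pw is just a cosmetic mutation of old_pw (reuse in disguise)."""
    return normalize(new_pw) == normalize(old_pw)

def is_breached(pw: str) -> bool:
    """True when the password appears in the (hashed) breach corpus."""
    return hashlib.sha1(pw.encode()).hexdigest() in BREACHED_HASHES

def check_password(new_pw: str, previous_pws: list[str], min_len: int = 14) -> list[str]:
    """Return the list of policy problems; an empty list means the password is accepted."""
    problems = []
    if len(new_pw) < min_len:
        problems.append("too short")
    if is_breached(new_pw):
        problems.append("appears in a known breach dump")
    if any(is_variant(new_pw, old) for old in previous_pws):
        problems.append("variant of a previously used password")
    return problems

if __name__ == "__main__":
    print(check_password("password23", ["password22"]))
    print(check_password("7*}Puej29X]zkoXR>#g4iG3z@/c8R6", []))
```

Note that the strong 30-character password is still rejected: strength does not help once the password itself is in a breach dump.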
This sounds daunting, but thankfully modern password managers make this very easy to do in practice. We will cover how to use a password manager to simplify securing your digital life in a future blog post!
As a NorthSky Technology client, we’re constantly keeping up with the latest threats as well as best practices and countermeasures to keep you safe. Our Practical Security Program is specifically designed to efficiently assess your current security posture, highlight areas of vulnerability and exposure, and help you implement remediations, safeguards, and policies to better secure your business. Our Practical Security Program is designed to be affordable for businesses of all types and sizes - contact us today to learn more!