Has Your Password Been Leaked?


If you follow news about cybersecurity, then you may be aware that there have been numerous data breaches containing passwords, usernames, and other personal information (like addresses and phone numbers). Among these are breaches from sites and companies like Yahoo!, Equifax, Adobe, AOL, Tumblr, and many others. For those who keep abreast of information like this, it may sound like old news, but what if you're new to the subject?

One site which may help you keep informed about this kind of issue is Have I Been Pwned, which will let you know if your email address has been part of a data breach. Troy Hunt, an Australian cybersecurity expert, created it. On this site, you can type in an email address, and it will list data breaches (if any) that have affected your account. Simply type in any of your email addresses, and then hit the button that says "pwned?" to check this.

[Screenshot: Have I Been Pwned]

Once you do, Have I Been Pwned will list data breaches (if any) that your account has been part of. Keep in mind, also, that this is just a sampling, and there may be other data breaches that contain your information as well:

[Screenshot: Have I Been Pwned breach list]

It may surprise you, but there's a high likelihood that your email address is included in one of these breaches, particularly if you have a lot of social media accounts or use a number of popular services. Among the numerous breaches that show up are 000webhost, 500px, Adobe, Android Forums, Bitly, Dailymotion, Evony, MySpace, Tumblr, and quite a few more. If this is the case, we would recommend either changing your password on these accounts, or deleting them altogether (if you no longer use them).

On the same site, you can also check if a password that you use regularly has been included in a breach, at Have I Been Pwned: Pwned Passwords. Once again, if the site confirms that your password has been "pwned," so to speak, then you should definitely change it!

[Screenshot: Pwned Passwords]
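The Pwned Passwords check works without the site ever seeing your password: the browser hashes it, sends only the first five characters of the hash, and compares the returned suffixes locally. The script below is an added example (not code from Have I Been Pwned) that reproduces that k-anonymity exchange against a local stub server, so it runs offline; the breach corpus and counts in `SIMULATED_LEAK` are constructed.

```python
"""Offline demonstration of a k-anonymity (hash-prefix) password check.

Only the first five hex characters of the SHA-1 hash leave the client; the
server answers with every suffix it knows for that prefix and the client does
the matching. `stub_range` stands in for the real range endpoint.
"""
import hashlib

# Constructed breach corpus for the stub server. Passwords and counts are made up.
SIMULATED_LEAK = {"password": 3861493, "123456": 37359195, "letmein": 254000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the service uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def stub_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns "<35-char suffix>:<count>" lines, one per simulated leaked
    password whose hash starts with the five-character prefix.
    """
    lines = []
    for pw, count in SIMULATED_LEAK.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def pwned_count(password: str, fetch_range=stub_range) -> int:
    """Return how many times the password appears in the corpus, 0 if absent.

    The full hash is never passed to fetch_range; only `prefix` is.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    for candidate in ("password", "appeal ascend piety prize opal owing nikko"):
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen %d times, change it' % n if n else 'not in corpus'}")
```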

The site also gives some handy advice on ways to avoid getting your password stolen in the future. One of these is to avoid reusing the same password on multiple accounts, since reuse could, in theory, give an attacker access to all of them at once. For instance, if you frequently use the password "ilovedogs," and you used it on both Tumblr and Facebook, then an attacker who learned it from one breached site would likely try the same password on every other account of yours they could find.

In a similar vein, the site What Is My IP Address also has a data breach checker. As on Have I Been Pwned, you type in an email address, and if it's been included in a data breach, the results will show up below. The information will include the name of the company, its domain name, when the breach occurred, and what kind of data was leaked.

[Screenshot: What Is My IP Address password leak check]

You may wonder, then, how you can make stronger passwords and prevent this. There are a number of ways. First of all, you can try using a password strength checker to see how strong your current passwords are. Examples of these are the one at Rumkin: Strength Test, or Password Strength Checker. While these aren't perfect, they can give you a general idea of how strong a password is.

[Screenshot: password strength check]

One method of generating stronger passwords which is starting to gain popularity is to use a password manager, which stores and encrypts your passwords, so that not only will they be more difficult to crack, but you won't have to remember them each time you log in. There are quite a few different password managers, but some of the best known are:

  1. KeePass
  2. LastPass
  3. Bitwarden
  4. Dashlane
  5. Keeper
  6. 1Password

What most password managers have in common is that they store all of your passwords in encrypted form in a "vault." To unlock it, you use a "master password," so that is the only password you have to remember, as opposed to all of them. As an example, on Bitwarden, which can be used as a browser extension or downloaded, you first create your master password, and then add logins for different sites as you go along.

[Screenshot: Bitwarden logins]

Your "vault" is the place where Bitwarden stores all of your passwords. It also has a generator, which can create strong passwords, if you can't think of one off the top of your head. The only caveat to any of these password managers is that you must remember your master password, or you'll lose access to all of your passwords! In the case of Bitwarden, it will occasionally log you out as a security measure, so you'll need to retype your master password to get back into the vault.

In a similar vein, KeePass stores your passwords offline in a database, which is a file it creates on your hard drive. As with Bitwarden, you'll have a master password that will allow you to access it. There are different versions of KeePass which you can download at https://keepass.info/.

[Screenshot: KeePassXC]

There are also password generators that may help, like Correct Horse Battery Staple, which is based on the classic xkcd comic. 

[Screenshot: xkcd password generator]

One other method of generating passwords is to use something called Diceware, which is an offline method that uses dice instead of a program. To do it, take one or more dice and roll them five times for each "word" in your password (or in this case, passphrase). The sequences of rolls may look like this:

15653

54133

Each roll of five numbers corresponds to a word, number, or letter on a list. The original Diceware word list can be found at http://world.std.com/~reinhold/dicewarewordlist.pdf. Some examples of words on the list include:

appeal

ascend

piety

prize

opal

owing

nikko

The advantage of using Diceware is that, like the password generators, it takes the human element out of making a password (thus decreasing predictability), and also takes the process offline. Ideally, you would use more than one of these words in your password, making it a "passphrase." As an example, let's say you used all of the above words; your passphrase would be "appeal ascend piety prize opal owing nikko." You can choose to include spaces or not, and you can also separate the words with dots, dashes, or underscores.
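To show what the Diceware procedure above amounts to in code, here is an added example (not part of the original post): each five-roll sequence is validated, looked up in a word list, and joined into a passphrase, and the entropy of the result is computed from the list size. The `WORDLIST_FRAGMENT` mapping is constructed for the demo (the words are the ones quoted above, but the numbers assigned to them are made up, not the real list's); `roll_key` uses the CSPRNG as a stand-in for physical dice.

```python
"""Diceware passphrase assembly and entropy estimate (added example)."""
import math
import secrets

# Constructed fragment of a Diceware-style list: keys are invented for the demo,
# so they will not match the real list at world.std.com/~reinhold/.
WORDLIST_FRAGMENT = {
    "15653": "appeal", "54133": "ascend", "21344": "piety", "32561": "prize",
    "43215": "opal", "61126": "owing", "66665": "nikko",
}
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 possible five-roll sequences


def roll_key(sides: int = 6, rolls: int = 5) -> str:
    """One lookup key from a CSPRNG, standing in for five physical die rolls."""
    return "".join(str(secrets.randbelow(sides) + 1) for _ in range(rolls))


def validate_key(key: str) -> str:
    """A key is exactly five digits, each 1..6; anything else is a transcription error."""
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not a valid dice sequence: {key!r}")
    return key


def passphrase_from_rolls(keys, wordlist, sep: str = " ") -> str:
    """Map each five-roll sequence to its word and join with the chosen separator."""
    words = []
    for key in keys:
        key = validate_key(key)
        if key not in wordlist:
            raise KeyError(f"no word for {key} in this list")
        words.append(wordlist[key])
    return sep.join(words)


def entropy_bits(word_count: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of word_count words each chosen uniformly from list_size entries."""
    return word_count * math.log2(list_size)


if __name__ == "__main__":
    rolls = ["15653", "54133", "21344", "32561", "43215", "61126", "66665"]
    print(passphrase_from_rolls(rolls, WORDLIST_FRAGMENT))
    print(f"{entropy_bits(len(rolls)):.1f} bits with the full 7776-word list")
    print("fresh key to look up in the full list:", roll_key())
```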

If you need to use symbols or uppercase letters in your passphrase, Diceware has a method of doing this as well, although it takes a bit longer. Instead of just rolling the die once, you roll it three times for each character. The first roll corresponds to three groups of numbers, letters, and symbols. The second roll tells you which of these groups to choose from, and the third will designate which character to use.

[Screenshot: Diceware random character table]

While this can be tedious, it is a good method of creating passwords if you need stronger ones, and are concerned about making them offline. All in all, this is a learning process, and the more information that you have, the better. Even if your information has been compromised, making an effort to improve your security and gaining more information can only help.