Computer security and passwords

Received a new wrinkle on an old scam yesterday, as the email included a password I have used on websites (but not a user name) in an attempt to convince me of its authenticity.

In investigating this, I came across this useful site:

https://haveibeenpwned.com/ (where you can check if any email address has been published due to a data breach/hack)

You will either get an all clear message, or an 'Oh no' one.

If it's 'Oh no', scroll down the page a bit to see which sites were breached.

You can also check if a password you use has been affected here: https://haveibeenpwned.com/Passwords although that doesn't show which sites it came from.

I'm not trying to push the site, and I wouldn't sign up for any pay services it offers, but it was a useful reminder to me that I am not the only one who holds my data, and regardless of how careful I think I am being, if they are careless, my information can be released publicly.

Being honest, we are most of us lazy when it comes to passwords, so I would recommend:

1) checking if your email address has been 'pwned' (password owned, I guess)

2) making a point of changing any passwords on sites using that address if you have been pwned

3) in general, using unique passwords, but since we probably don't want to be bothered doing that, at the least, use unique passwords for sites where you provide anything more than email/username/password to register (e.g. sites where you buy stuff.) For other sites, you could use a generic password plus a website marker

e.g. password@whu606

This would also help you in future, if you did get a spammy email with a password, as it would clearly show which site had been breached.

I would describe myself as pretty security conscious in terms of computers, so this was a wake up call to me to stop being so lazy.

Is my password safe on here?

In terms of our site, passwords are stored as a 'hash' (a unique code) not in plain text, so even in the unlikely event we were hacked, no passwords would be recoverable.

The problem comes with sites that store passwords as plain text.

Comments

  • cheers grey 1 of my email accounts has been pwnd twice. I will change my password
  • A couple of my longstanding passwords have been exposed, it seems. (Although it doesn't seem to say if it is your password, or just the same as one used by someone else, which has been published.)

    I shall be working through mine today, starting with any that are for 'sensitive' sites like paypal.

    use unique passwords for sites where you provide anything more than email/username/password to register (e.g. sites where you buy stuff.) For other sites, you could use a generic password plus a website marker

    e.g. password@whu606

    This would also help you in future, if you did get a spammy email with a password, as it would clearly show which site had been breached.

    This was my idea ;wahoo

    Not only will it help you identify which site has been breached, it can help you remember passwords without writing them down.
  • My yahoo account has been pwnd.

    I’ve changed my password.
  • Cheers grey, so if my email account I use for this site has been pwnd, does that mean I should change all passwords where I use that as a login? Or just my email account password?
  • edited July 2018
    Lukerz

    No, not necessarily, although regularly changing passwords is a good thing, so do it anyway.

    What it means is that one or more of the sites you used that email address to register with have been breached, not your email account as such (unless it was the actual email host that was breached.)

    Depending on which site it was, your user name and password may also have been leaked.

    You can see which sites were involved by scrolling down the pwned web page when it gives you an 'oh no' message.

    Mine, for example, came from a breach on the Avast forum (ironically...).

    However, if you regularly use the same password when using that address to register, then it would be a good idea to change the passwords on those sites.

    In general, although we never do, it is good security practice to change passwords at least every 3 months.
  • Cheers grey ;ok
  • Haven't been able to change my password yet but just went in to that site again and this time it had no results. Weird.