Computer security and passwords
Received a new wrinkle on an old scam yesterday, as the email included a password I have used on websites (but not a user name) in an attempt to convince me of its authenticity.
In investigating this, I came across this useful site:
https://haveibeenpwned.com/ (where you can check if any email address has been published due to a data breach/hack)
You will either get an all clear message, or an 'Oh no' one.
If it's 'Oh no', scroll down the page a bit to see which sites were breached.
You can also check if a password you use has been affected here: https://haveibeenpwned.com/Passwords although that doesn't show which sites it came from.
I'm not trying to push the site, and I wouldn't sign up for any pay services it offers, but it was a useful reminder to me that I am not the only one who holds my data, and regardless of how careful I think I am being, if they are careless, my information can be released publicly.
Being honest, we are most of us lazy when it comes to passwords, so I would recommend:
1) checking if your email address has been 'pwned' (password owned, I guess)
2) making a point of changing any passwords on sites using that address if you have been pwned
3) in general, using unique passwords, but since we probably don't want to be bothered doing that, at the least, use unique passwords for sites where you provide anything more than email/username/password to register (e.g. sites where you buy stuff.) For other sites, you could use a generic password plus a website marker
e.g. password@whu606
This would also help you in future, if you did get a spammy email with a password, as it would clearly show which site had been breached.
I would describe myself as pretty security conscious in terms of computers, so this was a wake up call to me to stop being so lazy.
Is my password safe on here?
In terms of our site, passwords are stored as a 'hash' (a unique code) not in plain text, so even in the unlikely event we were hacked, no passwords would be recoverable.
The problem comes with sites that store passwords as plain text.
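The Pwned Passwords check linked above never needs the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of that hash, and compares the remaining 35 characters locally against the list of suffixes the service returns for that prefix. This added Python example (not from the original post) reproduces that client-side logic; the range response it matches against is a constructed stand-in for the live API, with a made-up breach count.

```python
import hashlib

# Constructed stand-in for the service's "range" lookup: the key is a 5-character
# SHA-1 prefix, the value is the response body in the "SUFFIX:COUNT" line format.
# The count is made up for this example; only the suffix for "password" is real.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"   # SHA-1("password"), minus prefix
        "0000000000000000000000000000000000A:1\n"       # filler line, not a real hash
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping."""
    counts: dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET of a prefix range; returns the constructed sample.
    Only the 5-character prefix would leave the machine in a real lookup."""
    return SAMPLE_RANGES.get(prefix, "")


def pwned_count(password: str) -> int:
    """Return how many times the password appeared in the (sample) breach data,
    or 0 if its hash suffix is not in the range returned for its prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "a-long-unique-passphrase-for-one-site"):
        print(candidate, "->", pwned_count(candidate))
```

Swapping `fetch_range` for a real HTTPS request to the prefix range endpoint gives a working checker; the comparison logic stays the same.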
Comments
I shall be working through mine today, starting with any that are for 'sensitive' sites like paypal. This was my idea ;wahoo
Not only will it help you identify which site has been breached, it can help you remember passwords without writing them down.
I’ve changed my password.
No, not necessarily, although regularly changing passwords is a good thing, so do it anyway.
What it means is that one or more of the sites you used that email address to register with have been breached, not your email account as such (unless it was the actual email host that was breached.)
Depending on which site it was, your user name and password may also have been leaked.
You can see which sites were involved by scrolling down the pwned web page when it gives you an 'oh no' message.
Mine, for example, came from a breach on the Avast forum (ironically...).
However, if you regularly use the same password when using that address to register, then it would be a good idea to change the passwords on those sites.
In general, although we never do, it is good security practice to change passwords at least every 3 months.