Friday, February 10, 2017

Are my password freely available on the Internet? Four actions that can minimize damage

Frequently we hear of large data breaches from email, social networking, news and other types of websites which we are members off.  Many of us may have been challenged by the site owner to change our password when the site suffered a breach and would even have received a breach notification email.

It would however be useful to have a service which could tell us if our passwords were available in plain text online, anytime we wished. The good news is that a security blogger Troy Hunt has set-up a site http://haveibeenpwned.com/   Here you could enter your email id (a common login credential) and find out if the corresponding password was exposed on breached sites.  The bad news is that it covers only data breaches where the hacker has dumped the compromised list of passwords on paste sites such as PasteBin. This represent a small fraction of the passwords exposed and in all probability allowed a window of time for the hacker to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor and colleague) who knows your email id to check for the password, and selectively target you.

My advice to all Cybercitizens in general but more specifically after you discover that your password has been exposed is to”

1.    Never reuse that exposed password and to never reuse password on multiple sites. A single exposure can have a cascading effect in the compromise of your online assets. If you have used the same password on multiple sites then quickly change the password on all of them.
2.    To use two factor authentication which a large majority of sites offer to limit the use of disclosed passwords
3.    To change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account and if you have changed your password by then, you would get lucky
4.    To quickly change passwords once you are aware that there has been a breach