I recently discovered a website where you can enter your email address and discover whether it has appeared on a list used by spammers and hackers (the link is below). Now you may not be surprised that your email address is on some kind of list, you get spam right? If you don’t then you are fortunate.
The scary thing about these lists is that many of the addresses on them are accompanied by a password or passwords! Yes, that’s right. Millions of email addresses and passwords associated with them are out there waiting for hackers to exploit them. Spammers are very annoying, but hackers and cyber criminals are causing mayhem with stolen data.
So this is one of the biggest threats out there for people at the moment in the online world and the quicker we all deal with our password problems, the less likely we are to fall foul of this data that’s out there.
How do I know if this is affecting me?
It would be good to know whether we are affected by these security breaches. We can find this out (I include a link further down in the article), but if even if we are in the clear, it’s no reason to continue with poor password practice. We could easily be on the next list as we don’t know which corporations data will be compromised next.
Hacked databases have originated from companies including Yahoo, Adobe, Snapchat, Tesco, Dropbox, Vodafone, LinkedIn, Minecraft, MySpace, Paddy Power, Avast, BitTorrent, Domino’s, Foxy Bingo, Kickstarter, LastFM, Malwarebytes, ReverbNation and tumblr.
That means that the email address and password combinations are either in the public domain or being shared by cyber criminals. Of course, they are being used for sending junk email or spam (with no password required) but also for darker purposes requiring the password, usually involving money, e.g. fraud or extortion.
So what can we do about this?
It may be apparent that we need to take action to avoid being exploited and the simple advice you hear often goes along the lines of:-
- Change passwords from time to time
- Change any passwords that are not strong
- Use different passwords for different services
Unfortunately, in practice, this is all just too difficult. We forget to change passwords unless we are forced to do it and secure passwords are really hard to remember. There is a good solution to these difficulties but first I want to describe the risks in a bit more detail.
These breaches have outlined the password habits of humanity and it has taught the hackers and security experts a lot. Passwords that you think might be clever are being used by thousands of people and are therefore very easy to guess (they use machines to do this).
Common not so clever passwords
12345, qwerty, qwertyui, password, passw0rd, football and welcome and their variations are all incredibly common. Also it has been discovered that many people are using the shape of the keyboard to try and outwit hackers. So zxmnzxmn, poiuyt, qazplm etc are all very vulnerable as are ANY dictionary words and even obfuscated v3rs10n5 of these words.
The hacking tools are getting smarter all the time. In the future, I can imagine a password cracking tool that will automatically scan Facebook accounts and try to crack passwords on other services for that email address by analysing habits, pets names, important dates etc. In fact, a tool like this may already exist whether created by a criminal gang or by some national security service.
What’s the best advice then?
Most security specialists advocate the use of a password manager protected by one very secure password that allows access to all of them. One password to rule them all. On the Mac there is the Keychain, free as a part of the Mac OS. This can work locally (per machine) and there is also an iCloud version to make things easier across multiple devices. On Windows 10 there is Keeper which is also free. Several third party programs exist for Mac or Windows like 1Password, LastPass, LogMeOnce and Dashlane.
Password managers make it really easy to create and save passwords so anyone with the computer password can access all online services without having to remember passwords. But you do have to remember one master password (which must not be guessable).
If however, you don’t use many services or you hate having to enter a password to access your machine, one alternative that works for some is to create a story and then capitalise it. E.g. Memorable phrase = walking, running and cycling are my favourite forms of exercise; password = firstname.lastname@example.orgE. This password is quite strong and quite memorable. If you do this, make sure that you don’t use anything to do with your name, address, pets name, date of birth or anything else that you publish online about yourself. If you use the same password for multiple services (not advised), you’ll have to change them all if one gets compromised.
Someone I know used the same password for Ebay and for PayPal. Unfortunately, they responded to a phishing email, clicked a bogus link and entered their Ebay details into the fake website (which looked exactly like the real Ebay). That was bad enough, someone bought loads of products on their account but because the PayPal account had the same username and password, they were able to pay for all the items via my friends bank account. Ouch!
You can check the strength of passwords you intend to use with this tool supplied by the Open University. Try adding a full stop, a hyphen, a capital letter or a number and watch the effects on password strength. This method can be very useful when choosing your master password when you decide to use a password manager (I hope you do).
How do I check my address?
If you would like to check to make sure your email address is secure, visit this security website run by a Microsoft professional. There is a fair chance that you might trigger a positive response and if so, it will tell you where you data was leaked from. This could give you an inkling of when it happened and therefore, which password is vulnerable. Not sure about the validity of this service? See the Wikipedia article about it.
Change your password for the service or services. Change your email password. But also, please remember that any similar passwords you’ve used on other services could now be easily guessable so you should make an effort to update all old passwords for all the services you use or have used. Of course, you should prioritise things like online banking and other services who may have access to your bank cards e.g. Amazon, Tesco, John Lewis etc.
If you get the green light you might breathe easy for now. However, this list is unlikely to be complete and data breaches are happening with alarming regularity. By implementing the advice you assure that if your details are compromised, criminals will not be able to use this information to compromise accounts you have with other providers.
Now I’m really scared, help!
If it’s all too much and you need assistance or advice, get in touch. I may be able to help you with this. Or use the information in this article at your own risk to clean up your own password minefield.