Has Your Password Been Leaked Online?

Password security is an important concept in the modern era. What if I were to tell you that 59% of people use the same password everywhere online? Yes, more than half of the people out there are probably still using the same password they created when they first started using a computer.

That’s an enormous amount of people. What’s the problem with that, you ask? Well, with the volume of hacking going on in the world today, there are over 1,000 data breaches per year resulting in almost 160 million individual people with compromised information. That could easily be you.

In 2020, the number of data breaches in the United States came in at a total of 1001 cases. Meanwhile, over the course of the same year over 155.8 million individuals were affected by data exposures – that is, accidental revelation of sensitive information due to less-than-adequate information security.

– Joseph Johnson

Some of those compromised records are your actual passwords. Even if the company that is breached is encrypting your passwords, many times the keys used to decrypt those passwords are located on the same server that was hacked. In other words, data encryption is often not protecting your passwords as well as you might think. With the volume of online accounts that require passwords, if you use the same password everywhere, then your password has probably been compromised already.

Still don’t believe me? You don’t have to take my word for it, because I’m here to introduce you to a tool that will tell you whether your password has been breached or not. The first time I used this tool four years ago, I had some suspicions that a password had been compromised. Sure enough, I discovered that it had. Perhaps if you have the same experience, you’ll be spurred on to change your password and start implementing a data, privacy, and security plan of your own.

';--have i been pwned?

So let’s get started. The site, linked here, is Have I Been Pwned. It may look a little daunting at first, and you will see the unusual text in the above title on the front page of the site. However, this is a real site, and here’s how it works. It contains a database of known username (email) and password combinations that have been leaked online in a data breach. The crazy part is that if your username/password combination is on here, then not only did a hacker have it at one point, but that password has now been shared with the world.

That means any amateur hacker with a computer, perhaps a 16-year-old in his parents’ basement with a PC and an internet connection, could have access to your login information right now.

With that information, how many “secure sites” of yours do you think a hacker could access right now? Do you have a single password connected to your email, bank account, crypto account, and social media accounts? How much could be lost because of over-reliance on a single password?

Let’s dig a little deeper into using this tool.

Go to the Have I Been Pwned website. All you have to do to see if you’ve been “pwned” is enter your email. It’s that simple. The system will then search for any known password leaks associated with that email and provide you with a list of data leaks where your email was found. Not only will it provide you with the specific company where your data was compromised, but it will also provide you with a paste (a text file) that you can search through. In that text file, you’ll usually see the password that was associated with your email in that leak.

Additionally, this system has a passwords page where you can enter your password directly to see if it has been pwned. To be honest, I’d steer clear of this method unless you’re searching for a password that’s no longer in use. If you do have a past/older password that is retired and you never plan to use again, then this method may be appropriate. But as a general rule of thumb you don’t want to randomly give out your password to anyone who provides a service. That’s just asking for trouble.

My password has been compromised! What should I do?

So now you’ve gone through the process. If you are anything like me, you’re a bit freaked out because you found that your password was indeed leaked online. What can you do to start protecting yourself?

Well, just change your password…right?

If you go out and change all of your passwords to a single new simple password that you’ve thought up, even if it’s complex, in a month or two you’ll find yourself in the exact same position.

Instead of simply changing your password, I’m going to recommend that you take the following steps (coffee is strongly recommended before further reading):

Step 1 – Take stock of your most important accounts

What accounts are most valuable to you? Which ones can cause you the most pain if they are lost or taken over? I would make a physical list of your most important accounts, and use that list for step #2. Here are some items to start with:

Email accounts

Email accounts are used to set up and verify almost all of your other online activity. If someone gets access to your email account, can they start resetting passwords on other sites? Can they use the email to bypass security protocols and act as if they were you? This is what makes email one of the most important accounts to start with.

Bank accounts

Your bank accounts probably contain most of your liquid assets and savings. Additionally, they contain personal information about you, such as routing numbers, account numbers, SSN, birthdates, and more. How much damage can someone do to your life or your identity if they compromise these accounts? Could you pay your bills for a month or two if you lost everything in your primary account?

Social media accounts

While most people enjoy their social media, they don’t often think of it from a security and privacy standpoint. This makes sense because social media is typically associated with leisure time, so privacy and security would not be a natural association. The important thing here is actually your reputation. How much damage could a bad actor do if they took over your LinkedIn account? Could they post profanity or lewd images on your account? Could you get fired because they sent an obscene message to your boss?

What about your Facebook account? They could delete your data, steal your friends list, and post all sorts of nasty content to your friends and family. A social media account is a doorway to work, friends, and family. We need to make sure that doorway stays shut to intruders.

Step 2 – Add 2-factor authentication

Once you have your list, you’ll want to secure those accounts with more than just a single password. The best way to accomplish this is to go into each account and set up 2-factor authentication. I have an entire article on 2FA you can check out here. But for the purposes of this article, you’ll just want to get a 2FA app (directions in the article) and set it up for your most important accounts.

When I went through this process myself, I added it to my bank accounts, email, and social media accounts. You may have a more comprehensive list or yours may be smaller, but take stock of what’s most vital and secure it.

Step 3 – Start using a password manager

A password manager is a way to store and manage complex passwords using a single master password.

It is imperative that you create a strong master password, and that you don’t reuse a password you’ve ever used anywhere before when you create your password manager account.

I also have an entire article about using a password manager, which you can check out here for more information. In a nutshell, each time you create a new account, you add it to your password manager, which generates a unique and complicated password for you. Then you can also go through the list you created above and change each of those account passwords using the generate-password feature.

These are just a few simple steps you can take to get yourself on the path to privacy and security online.

There’s no such thing as too much security, and arming yourself with best-in-class tools to defend your security is a must.

Have I Been Pwned is a great tool, but the purpose here is to reveal a weakness, not to solve it. In order to solve the problem, you’ll want to start implementing a security and privacy plan like the one outlined above.

I hope this article has not scared you; that is certainly not the intent of any of my content. My hope is that I have given you some insight into how vulnerable accounts and passwords can be, and also provided you with an easy-to-follow plan for arming yourself against those weaknesses. The upfront work can feel a little daunting at first, but I have found the long-term maintenance of 2-factor authentication and password management to be easier than I expected. And this has certainly given me a lot more peace of mind. I hope it does the same for you.
