Frequently we hear of large data breaches at email, social networking, news and other types of websites of which we are members. Many of us may have been asked by the site owner to change our password after the site suffered a breach, and may even have received a breach notification email.

It would, however, be useful to have a service which could tell us, at any time we wished, whether our passwords were available in plain text online. The good news is that the security blogger Troy Hunt has set up such a site at http://haveibeenpwned.com/. Here you can enter your email ID (a common login credential) and find out whether the corresponding password was exposed on breached sites. The bad news is that it covers only those data breaches where the hacker has dumped the compromised list of passwords on paste sites such as PasteBin. This represents a small fraction of the passwords exposed, and in all probability the hacker had a window of time to gain access to your account before the breach was uncovered. It also allows anyone (friend, foe, bully, ex-partner, relative, competitor or colleague) who knows your email ID to check for the password and selectively target you.
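The post describes the email lookup on Troy Hunt's site; the same service also offers a password lookup that never sends the password itself, only the first five hex characters of its SHA-1 hash, and returns every known hash suffix under that prefix with a breach count. The following is an added example (not code from the post or from the site) that implements that client-side check against a constructed sample response, so it runs offline; the count in the sample is made up, and the live fetcher is included only to show where a real query would go.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1.

    Only the prefix leaves the client in a range query; the suffix is
    compared locally, so the service never learns the full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, tolerating CRLF and blanks."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, fetch: Callable[[str], str]) -> int:
    """How often the password appears in the corpus served by `fetch` (0 = not seen)."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample keyed by prefix; the count is invented, but the line
# shape matches what the real range endpoint returns.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\r\n",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; unknown prefixes yield an empty range."""
    return SAMPLE_RANGES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real query: GET https://api.pwnedpasswords.com/range/<prefix> (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {exposure_count(pw, offline_fetch)} times")
```

Swap `offline_fetch` for `live_fetch` to query the real service; a non-zero count is the signal that the password should be treated as exposed and replaced everywhere it was used.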
My advice to all Cybercitizens in general, but more specifically after you discover that your password has been exposed, is:

1. Never reuse that exposed password, and never reuse a password on multiple sites. A single exposure can have a cascading effect in the compromise of your online assets. If you have used the same password on multiple sites, then quickly change the password on all of them.
2. Use two-factor authentication, which a large majority of sites offer, to limit the use of disclosed passwords.
3. Change your passwords once every 3 months to limit the exposure window. In large dumps the hacker may take time to target your account, and if you have changed your password by then, you would get lucky.
4. Quickly change passwords once you are aware that there has been a breach.