If you’ve been paying attention to cybersecurity news, then you probably know that bulk password leaks are a regular occurrence. Rumors of breaches at TeamViewer, LinkedIn, the Russian social network VK, and Twitter have all been swirling about, and by the time this article is published, there’ll probably be a bunch more. Even Mark Zuckerberg got hacked recently.
The hard truth is that password leaks happen all the time, and there’s a decent chance that one of your accounts has been involved in one; if it hasn’t happened yet, it probably will soon. So follow these tips to make sure you stay safe, no matter how many password databases are breached.
How Do Password Leaks Happen?
It seems like there’s news of a new leak every other day; the past few years have seen big password leaks from social networks, retailers, and just about any other kind of site you can think of. In many cases, it can be traced to sub-par security on the part of those sites. Hackers find a way in, grab the database that contains hashed passwords, and then sell it off. If the hashes haven’t been salted and the passwords are cracked, this is bad news.
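As an added example that is not part of the original article, here is a short Python comparison of the unsalted scheme the paragraph warns about against a salted, slow hash; the user records and passwords are constructed for illustration:

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample: two users who happen to pick the same password.
SAMPLE_USERS = {"alice": "correct horse", "bob": "correct horse"}


def hash_unsalted(password: str) -> str:
    """Plain SHA-256 with no salt: the weak scheme the article describes."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password: str, salt: bytes = b"", iterations: int = 200_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte per-user salt.

    The salt and iteration count are stored next to the derived key so the
    password can be verified later; neither needs to be secret.
    """
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Re-derive the key from the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def duplicate_hashes(table: dict[str, str]) -> int:
    """Count users whose stored hash equals another user's.

    A non-zero result means the leaked table reveals password reuse on its
    own, and one precomputed lookup would cover every user sharing that hash.
    """
    counts = Counter(table.values())
    return sum(1 for h in table.values() if counts[h] > 1)


if __name__ == "__main__":
    unsalted = {u: hash_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: hash_salted(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted duplicates:", duplicate_hashes(unsalted))  # 2
    print("salted duplicates:  ", duplicate_hashes(salted))  # 0
    print("verify alice:", verify_salted("correct horse", salted["alice"]))
```

Salting removes the shared-hash giveaway, and the iteration count makes each guess far more expensive than a single SHA-256 call.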
Sometimes information is leaked from an inside source, such as in the case of the Ashley Madison data leak. Disgruntled employees have a reputation for causing various types of havoc, and data leaks are among their tactics.
So what can you do to keep your accounts safe?
You can’t protect yourself if you don’t know what’s going on. This means you’ll need to pay at least some attention to cybersecurity news. By regularly checking sites like the LeakedSource.com blog or following Twitter accounts like @passwordsleaks or @PastebinLeaks, you can be among the first to know when there’s been a big leak. Even following tech on Google News or another general news site will help give you a heads-up.
You can also set up a Google Alert for “password leak” and get notifications when there’s a new one in the news. Given how many outlets cover every leak, you might receive a lot of notifications, but it’s probably worth skimming every once in a while to see if a site that you’re a member of has had a leak lately. You could also set up alerts for specific sites that you’re interested in.
And if you think there’s a chance that one of your passwords has been leaked, go to haveibeenpwned.com and enter your email address. In fact, you should probably just go check the site every once in a while. You might be surprised to find out that your account details have been leaked a few more times than you thought!
You can also set up a “Notify me when I get pwned” alert to get an email when your email address is listed in a password leak, which is a great way to get an early heads-up.
Change Potentially Leaked Passwords
This is another obvious one; if you think that one of your accounts may have been involved in a leak, change the password right away. Whether you log into the site and change your password manually or use a faster solution like LastPass’s one-click password change, you need to change that password immediately. If a cybercriminal has access to one of your accounts, they may be able to use it to gain access to other accounts, even if those accounts rely on different passwords.
In fact, you should probably just change your passwords on a regular basis anyway. Not all leaks get reported, and there are certainly other ways that someone can get a hold of your password. LastPass’s Security Challenge will tell you when some of your passwords are getting old, but setting up a reminder in Google Calendar, or changing your passwords every first of the month, is a really good habit to get into.
Enable Two-Factor Authentication on Important Accounts
How you define “important accounts” is up to you, but using two-factor authentication (2FA) on as many accounts as possible is a great way to stay safe from password leaks. Even if someone gets a hold of your password, they almost certainly won’t also have your phone, so they won’t be able to get into your account.
More and more sites and companies are offering 2FA as a feature, and it’s a really good idea to take advantage of it. It adds another step in the login process, and it can be kind of annoying, but if your passwords are leaked, it’ll prevent you from suffering an account compromise. It’s definitely worth it.
Don’t Duplicate Passwords
This is probably the most important step you can take. If a password database is breached and someone gets a hold of one of your passwords, they’re likely to try it on your other accounts. If none of your other accounts are using that same password, you’ll be safe from this very simple attack (cybercriminals tend to go for easy targets, which require less time on their part; this is a great way to discourage them from looking further into your vulnerability).
We have long believed that the best way to maintain a large number of different passwords is by using a password manager to keep track of them all. That way, you can use a strong password for every site without running the risk of forgetting them all (or having to manually maintain a text file… or even a Post-It note).
LastPass’s Security Challenge will even tell you how secure your collection of passwords is by looking at the strength of each password, potentially compromised sites, old passwords, and the number of duplicates in your database, which will help you identify and get rid of ones you’ve used multiple times.
Whether you know that one of your passwords has been compromised or you just suspect that your account might have been part of a leak — and even if not, really — you should be taking action right now to make sure the problem doesn’t get worse. Find out if your accounts have been compromised, change the passwords, set up two-factor authentication, and start changing your other passwords on a regular basis. It feels like a lot of work, but the consequences for not doing it are much worse.
Is your email address listed on haveibeenpwned? Have you ever had trouble because of a leaked password? Share your experiences in the comments below!