Protect Yourself from Password Leaks

“I changed my password everywhere to ‘incorrect.’ That way when I forget it, it always reminds me, ‘your password is incorrect.’” As funny as this is, people actually choose equally ineffective passwords; “password”, “123456” and “Star Wars” are among the most used and most easily guessed.

To make matters worse, they use the same login credentials across all their online accounts. What happens when someone uses the same password and email for everything online? Mark Zuckerberg is a great example. He used “dadada” with the same email across several social media accounts, and they were briefly taken over. Luckily he was smarter with his company’s accounts and more sensitive sites.

It’s theorized that hackers gained access to Zuckerberg’s accounts via LinkedIn’s security breach, which exposed 117 million logins with unsalted password hashes dating from 2012. The real lesson is that no tech company is above reproach in these situations. Myspace, Tumblr and an agonizing list of other major sites have had leaks or will have leaks.

Here are some simple ways to thwart attacks or compartmentalize these holes in security to protect yourself:

  • Check whether your email address has appeared in a known leak, and sign up for alerts about future leaks involving it, at haveibeenpwned.com, so you can change your password quickly.
  • Change your passwords once a year.
  • Use different email addresses and strong passwords for all your accounts.
  • Enable two-factor authentication where possible.

You can find out more about security strategies and simple online safety tactics by reading my series on how to protect your domains and other sensitive data, where I explore the dangers of, and solutions to, malicious applications, unsecured connections, and plain, bold social engineering.

If you have a cautionary tale about one of your accounts being hacked, and the controversy or hassle that ensued, please share it in the comments!


  • Nick June 15, 2016, 5:44 pm

    Can anyone point to some good coding resources to help create secure login/password storage on the server side? Storing passwords in plain text is not good so how do people set up secure login/password (with registration) to their system?

  • Paul Buonopane June 15, 2016, 6:39 pm

    @Nick Generally, you want something that is salted and resistant to GPU cracking. If you’re working with PHP, you should use password_hash with the bcrypt algorithm: http://php.net/manual/en/function.password-hash.php You can then use password_verify to validate passwords. That page explains most of the essential “gotchas” relevant to the method. A database full of properly salted bcrypt hashes with at least 12 rounds is currently unrealistic to crack, as of 2016. Stack Exchange also has some great resources for cryptography, and they welcome inexperienced users, as long as you search for your question before posting: http://crypto.stackexchange.com/

    My analysis of the LinkedIn leak shows that about 75% of the unique passwords can be cracked by anyone with a basic gaming computer in a couple days. Hackers with special hardware can likely achieve 98% in a week or two. No matter how secure your password is, it’s important to use a completely different password on each website. Using slightly different passwords based on some pattern or base word doesn’t work: hackers optimize their cracking operations by analyzing past leaks and looking at how people change their passwords across sites. The only way to ensure that one compromised account doesn’t turn into a hundred is to use randomly generated passwords that are completely unique to each website you use.

    — Paul Buonopane, CTO at NamePros
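The register-and-login flow Paul describes, as an added example (not code from the post or from any of its commenters): PHP’s built-in password_hash with bcrypt at cost 12 for registration, password_verify for login, and password_needs_rehash to upgrade older, cheaper hashes. The in-memory $users array standing in for a database table, the function names, and the sample usernames and passwords are all assumptions of this example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the post or its commenters. It shows the
// register/login flow described in the comment above: password_hash() with
// bcrypt at cost 12, password_verify() for login, and password_needs_rehash()
// to upgrade old hashes. The in-memory $users array stands in for a database
// table (an assumption of this example).

const BCRYPT_OPTIONS = ['cost' => 12];

// Hash used when the username does not exist, so that a login attempt for an
// unknown user costs the same time as one for a known user.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_BCRYPT, BCRYPT_OPTIONS));

/**
 * Register a user. Only the bcrypt hash is stored; the plaintext is never
 * written anywhere. password_hash() generates a random salt itself and
 * embeds it (with the cost) in the returned string, so two users with the
 * same password end up with different hashes.
 */
function registerUser(array &$users, string $username, string $password): bool
{
    if (isset($users[$username])) {
        return false; // username already taken
    }
    // bcrypt only looks at the first 72 bytes; refuse longer input rather
    // than silently ignoring the tail of the password.
    if (strlen($password) > 72) {
        return false;
    }
    $users[$username] = [
        'hash' => password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS),
    ];
    return true;
}

/**
 * Verify a login. password_verify() reads the salt and cost out of the stored
 * hash, re-hashes the candidate password and compares in constant time.
 * If the row was hashed with a cheaper cost than we use today, it is
 * re-hashed while the plaintext is still in hand.
 */
function loginUser(array &$users, string $username, string $password): bool
{
    $known      = isset($users[$username]);
    $storedHash = $known ? $users[$username]['hash'] : DUMMY_HASH;

    $ok = password_verify($password, $storedHash);
    if (!$ok || !$known) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$username]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }
    return true;
}

// --- walkthrough with constructed sample data ---
$users = [];

registerUser($users, 'alice', 'correct horse battery staple');
registerUser($users, 'bob',   'correct horse battery staple');

// Same password, different salts: the stored hashes differ.
echo 'alice: ', $users['alice']['hash'], PHP_EOL;
echo 'bob:   ', $users['bob']['hash'], PHP_EOL;
echo 'hashes differ: ', var_export($users['alice']['hash'] !== $users['bob']['hash'], true), PHP_EOL;

echo 'alice, right password: ', var_export(loginUser($users, 'alice', 'correct horse battery staple'), true), PHP_EOL;
echo 'alice, wrong password: ', var_export(loginUser($users, 'alice', 'Tr0ub4dor&3'), true), PHP_EOL;
echo 'unknown user:          ', var_export(loginUser($users, 'nobody', 'anything'), true), PHP_EOL;

// A legacy row hashed at cost 10 is upgraded to cost 12 on the next
// successful login; the cost is part of the hash prefix.
$users['carol'] = ['hash' => password_hash('old-secret', PASSWORD_BCRYPT, ['cost' => 10])];
echo 'carol before: ', substr($users['carol']['hash'], 0, 7), PHP_EOL;
loginUser($users, 'carol', 'old-secret');
echo 'carol after:  ', substr($users['carol']['hash'], 0, 7), PHP_EOL;
```

The cost of 12 is the “12 rounds” from the comment: bcrypt runs 2^cost iterations, so raising it later makes every hash slower to compute and to crack, and the password_needs_rehash step is what lets an existing user table catch up without forcing password resets. A bcrypt hash is 60 characters, but the PHP manual recommends a column of 255 characters so that a future change of default algorithm does not truncate stored hashes.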

  • Nick June 15, 2016, 8:17 pm

    Wow, Paul, that is a great reply and some nice resources. I very much appreciate it!

