Has Your Password Been Pwned?

How often do you get a notice that you need to change a website password because your user account credentials were stolen? Too often, right? Breaches happen because websites pay too little attention to cyber-security, which is often an afterthought for website developers.

You can check to see if your credentials have been compromised by visiting HaveIBeenPwned. Pwned is cyber-lingo for a compromised or breached website. This website checks your username or email address against 153 known website breaches. It is run by a well-known and trusted security researcher and is considered safe by the cyber-security community. Don't worry: they aren't harvesting your email address.
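Besides the email and username lookup described above, the same service also publishes a Pwned Passwords "range" API that lets you check a password without ever sending it anywhere: you hash the password with SHA-1, send only the first five hex characters of the hash, get back every hash suffix that shares that prefix, and compare locally. The Python below is an added example, not code from the article or from HaveIBeenPwned; the range response it checks against is a constructed sample (the suffix for the word "password" is its real SHA-1 suffix, but the other suffixes and all the counts are invented for the demo), and `fetch_range` is only used when you run it live.

```python
import hashlib
import urllib.request
from typing import Dict, Tuple

# Real endpoint of the Pwned Passwords k-anonymity range API.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_split(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 digest.

    Only the 5-character prefix is ever sent over the network; the remaining
    35 characters stay on your machine, so the service never learns the
    password or even its full hash.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF terminated) into a dict."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times `password` appears in the breach corpus; 0 if absent."""
    _, suffix = sha1_split(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of every suffix sharing this 5-hex-character prefix."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6, the prefix of
# SHA-1("password"). Only the second suffix is the real one for "password";
# the other suffixes and every count are made up for this demo.
SAMPLE_RANGE_5BAA6 = """\
00A3D4D83CBBEF2E2C79F4D86E1E2D87C6B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7A8F0BD3E9E4DBB15A6C9E0F5A3B1F2C4D9:1
"""

if __name__ == "__main__":
    for pw in ("password", "item.length.limit.charm"):
        prefix, _ = sha1_split(pw)
        # Offline demo: use the constructed sample instead of fetch_range(prefix).
        body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
        n = breach_count(pw, body)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

The point of the prefix split is that a range of 5 hex characters covers hundreds of real hashes, so the server sees only that your password falls in a large bucket, never which one it is. For a live check replace the sample body with `fetch_range(prefix)`.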

User account names and password hashes from websites like LinkedIn, Adobe, and others have been stolen in the past by cyber-criminals because the web admins don't apply website security patches or have weak website security practices. Normally this wouldn't be too much of a problem, because passwords can be properly encrypted (or hashed, in cyber-security-speak) to prevent criminals from learning the passwords. But again, weak security practices by the developers allow the crooks to recover the passwords.

Security is ultimately your responsibility.

This is why security ultimately falls to the user: you can't rely on websites to adequately protect your credentials. This is actually a very empowering concept. You, the user, have the ability to protect yourself with three simple practices:

  1. Use a unique password for each website (i.e., don't reuse passwords).
  2. Use a password manager to keep track of your passwords.
  3. Use really, really good passwords.

Be Unique

You need to assume that at least one website you currently use is going to be compromised and your password will be discovered. If you use the same password for everything, you will be burdened with the daunting task of visiting each of your websites and changing your password. Therefore, you want to use a unique password for each website.

But you may have accounts on scores or hundreds of websites. So how do you keep track of all those different usernames and passwords? You can use a spreadsheet or a notebook. But the easiest and cheapest solution is to use a password manager.

Password Managers - Are They Secure?

Some people are wary of online password managers because they read about websites getting compromised and credentials stolen. The worst thing they imagine is storing all their passwords at a password manager website that gets compromised, so that all their passwords are now available to cyber-criminals. That is a very legitimate concern, and it is why I heavily researched password managers before settling on LastPass as my password manager of choice.

LastPass has plugins for nearly all browsers and is compatible with Mac and Windows. Plus they have a mobile app that is compatible with iOS, Android, Blackberry and Windows Mobile. Their security concept is that only encrypted passwords are stored on their website and then synchronized to all your devices, like your computer, notebook and mobile phone. But the encryption key is only stored on your computer or mobile phone. This is important because if their website perimeter defense is ever compromised, the crooks would only get a bunch of worthless encrypted text, while the encryption key necessary to view the encrypted text is safe on the user's device.

The LastPass browser plug-in allows you to generate a long, random, complex password for each of your websites. Since LastPass is memorizing your passwords for you, it is best to have the longest, most complex, and most random passwords possible for your websites. The password is encrypted by your computer or mobile device and then stored on the LastPass website in its encrypted state.

LastPass has been very transparent and has notified their users in the past when they even suspected a breach. When this has occurred, they force their customers to change their master password, which instantly re-encrypts the passwords with a new encryption key.

But the key is to have a really, really good master password that is easy to remember.

Picking a Really, Really Good Master Password

Which password would you rather use: G1&toOe!VKYRBDrQIHc or item.length.limit.charm?

Would it surprise you that these two passwords have equivalent password strengths? The first password is 19 random letters, numbers and punctuation marks. The other password consists of 4 random words with periods in between (23 characters). How could that be?

Even moderately powerful computers can help a crook figure out short passwords, single-word passwords, or passwords that substitute numbers for some of the letters (e.g., w1nn3r). Cyber-criminals use password-guessing software that tries every possible combination of letters, numbers, special characters and dictionary words. But there is a law of diminishing returns when computers try to guess passwords with more than 8 to 10 characters. In other words, it takes too much time and electrical power (i.e., money) for computers to guess really long passwords, so cyber-crooks mostly go after the low-hanging fruit of short passwords or those that use single dictionary words.

A good password is one that is very, very long, random and complex - 12 characters is good, 20 is better. But the problem with a long, random, complex password is that it is very difficult to memorize or type in. That's not a problem if you use a password manager for websites, because it will memorize the passwords for you. But what about passwords for your computer, or your accounting program, or your password manager master password?

An easy to type and remember password actually means better security.

If your password is too difficult to use, then you will likely fall back into habits that make it easier, like re-using passwords or changing back to a shorter, simpler password, which is exactly what you want to avoid. Therefore a password that is easy to type and memorize means better security.

A technique that I recommend is the XKCD method of using four random words strung together or separated by punctuation or numbers. This may sound counter-intuitive, since we are always warned to avoid using dictionary words in our passwords. Using a single dictionary word is dangerous. But there is some strong math which demonstrates that using four random words is significantly stronger than using an 11-random-character password - plus it is easier to remember and type in four random words than 11 random characters.

So how do you come up with random words for your password? Humans are notoriously bad at random. If I were to randomly choose four words while sitting at my desk, they would be: pen, lamp, mug, monitor. See, I told you humans are bad at random.

Instead, I use a website called What3Words to select random words. I can pick any spot in the world and it will give me three random words. If I move my mouse slightly, I get three more random words, from which I choose my fourth random word. What3Words uses a dictionary of 40,000 English words, which is more than enough for password security.
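The two ingredients of the method above, words chosen by something other than a human and a large enough dictionary, can both be done on your own machine. The Python below is an added example, not code from the article or from What3Words: it draws words with the operating system's cryptographic random source (`secrets`), and it computes the "strong math" behind the method as bits of entropy, `picks * log2(dictionary size)`, which is the strength under the conservative assumption that the attacker knows exactly how the passphrase was built and only the word choices are secret. The 16-word `DEMO_WORDS` list is constructed for the offline demo; in practice you would load a real list such as the 40,000-word dictionary the article mentions.

```python
import math
import secrets
from typing import Sequence

# Constructed mini-dictionary so the demo runs offline. A real wordlist
# (tens of thousands of words) would be read from a file instead.
DEMO_WORDS = [
    "item", "length", "limit", "charm", "garden", "planet", "copper", "violin",
    "marble", "harbor", "cactus", "meadow", "saddle", "ribbon", "anchor", "falcon",
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy when each of `picks` elements is chosen uniformly and
    independently from `pool_size` candidates: picks * log2(pool_size).

    Works for words from a dictionary or characters from a character set.
    Assumes the attacker knows the scheme (dictionary and word count);
    only the choices themselves are secret.
    """
    if pool_size < 2 or picks < 1:
        raise ValueError("need a pool of at least 2 and at least one pick")
    return picks * math.log2(pool_size)


def random_words(words: Sequence[str], count: int = 4, sep: str = ".") -> str:
    """Build a passphrase from `count` words drawn with the OS CSPRNG.

    Draws are independent and may repeat, so entropy_bits(len(words), count)
    describes the result exactly. Never use random.choice or your own head.
    """
    if count < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(words) for _ in range(count))


def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest number of words from a dictionary of `dictionary_size`
    whose combined entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(dictionary_size))


if __name__ == "__main__":
    print("candidate passphrase:", random_words(DEMO_WORDS))
    print("4 words from the 16-word demo list: %.1f bits" % entropy_bits(len(DEMO_WORDS), 4))
    print("4 words from a 40,000-word list:   %.1f bits" % entropy_bits(40_000, 4))
    print("words from a 40,000-word list needed for 80 bits:", words_needed(40_000, 80))
```

The comparison in the demo output is the practical takeaway: the same four-word recipe is only as strong as the list it draws from, so the size of the dictionary matters as much as the number of words, and `words_needed` tells you how many to add if you want a higher target.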

Conclusion

For the best security, a password manager like LastPass is an indispensable tool. It will allow you to generate a unique, long, random, complex password for each of your website accounts. Protect your password manager account, non-web applications and your computer with a long password consisting of 4 or more random words, which is secure and easy to type and memorize. With these steps, you too will avoid having your credentials pwned.