Have you been Pwned?

One of the first things I cover in my security trainings is creating strong passwords: Make them long, make them hard for people to guess but easy enough for you to remember, and make them unique.

Many people scoff at the idea of having dozens – or hundreds – of unique passwords, one for every website they use. They don’t want to adopt a password manager like LastPass, 1Password or BitWarden because it’s just another tool to learn and keep track of.

I usually convince them by running their email address through a tool called Have I Been Pwned? The website owner collects files from data breaches, filters them, and stores the usernames that appear in them. He’s got billions of records from hundreds of breaches.

If you’re curious, “pwned” is leetspeak for “owned” as in conquered/defeated. It comes from gaming, and originated because the o and p keys are next to each other on the keyboard, making for an easy typo.

When you enter your email address, you’ll get back a list of data breaches your information appears in. Here’s a small sample from my personal email.

This shows my info appeared in leaks from Bitly and CafePress, and shows exactly what information was in them.

A Quick Note About “Hashing”

You might notice that they say “hashed passwords.” Hashing is a way of transforming a password from plain text, like “this-is-my-password-and-its-long” to a scrambled version. In this case, it’s “faecfe0eab03f918f00aeeef7e060b7d015f2772”.

Hashing is one of the most basic ways that website owners can secure passwords, but it’s a bare minimum. People who want to reverse those hashes – turning “faecfe0eab03f918f00aeeef7e060b7d015f2772” back into “this-is-my-password-and-its-long” – can run computer programs that automate testing every single possibility, hashing each guess and comparing it to the leaked value.

With a basic password hash (like SHA-1 mentioned above, which is just one way of hashing), a dedicated attacker could get the actual password. And this is why you want to use a different password for every website: If I used the same password on both Bitly and CafePress, all it would take is one breach and an attacker trying that password on other sites. Imagine if a hacker got your password from CafePress and was then allowed to log in to your bank or email!
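Here is an added example, not from the original post, that shows the two points above in working code: a plain, unsalted SHA-1 hash can be matched by simply hashing a list of guesses, while a slow, salted password hash (PBKDF2-HMAC-SHA256 here, chosen as one common replacement) gives every user a different hash for the same password and makes each guess far more expensive. The word list, the demo password and the salts are all constructed for this example.

```python
"""Added example (not from the post): why an unsalted SHA-1 password hash is
only a bare minimum, and what a slow, salted password hash changes.
All passwords, word lists and salts below are constructed for the demo."""
import hashlib
import hmac
import os
from typing import Iterable, Optional, Tuple

# Constructed word list standing in for the guesses an attacker's program
# would try; a real list has many millions of entries.
WORDLIST = [
    "password", "123456", "letmein", "qwerty",
    "this-is-a-demo-password", "correct horse battery staple",
]


def sha1_hex(password: str) -> str:
    """Plain SHA-1 of the password, the kind of hash the post describes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def find_in_wordlist(leaked_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Guess-testing: hash every candidate and compare it to the leaked hash.

    This works because SHA-1 is fast and, without a salt, the same password
    always produces the same hash, so one computation per guess is enough."""
    for candidate in wordlist:
        if hmac.compare_digest(sha1_hex(candidate), leaked_hash):
            return candidate
    return None


def pbkdf2_hash(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """A slow, salted password hash (PBKDF2-HMAC-SHA256). The salt makes the
    same password hash differently for every user and site, and the iteration
    count makes each guess hundreds of thousands of times more expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> Tuple[bytes, bytes]:
    """What a site should store: a random per-user salt plus the derived hash."""
    salt = os.urandom(16)
    return salt, pbkdf2_hash(password, salt)


def verify(password: str, salt: bytes, stored: bytes) -> bool:
    """Check a login attempt against the stored salt and hash."""
    return hmac.compare_digest(pbkdf2_hash(password, salt), stored)


if __name__ == "__main__":
    leaked = sha1_hex("this-is-a-demo-password")
    print("leaked SHA-1:", leaked)
    print("recovered by word list:", find_in_wordlist(leaked, WORDLIST))

    salt_a, hash_a = make_record("this-is-a-demo-password")
    salt_b, hash_b = make_record("this-is-a-demo-password")
    print("same password, two salts, same hash?", hash_a == hash_b)
    print("login with right password:", verify("this-is-a-demo-password", salt_a, hash_a))
```

Run it as a script: the SHA-1 value is matched immediately from the short list, while the two PBKDF2 records for the identical password differ because of their salts, which is exactly what stops a single leaked hash from being matched against every other user or site at once.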

Checking if You’ve Been Pwned

The most basic thing you can do is enter your email address on haveibeenpwned.com and check the list that appears below it. Immediately change your passwords on all of those websites, and on any site that you re-used a password on.

You’ll also want to click the Notify me link at the top! Enter your email, confirm it, and you’ll get an email every time your personal information shows up in a new data breach.

So You’ve Been Pwned…

It’s inevitable. Even the most security-conscious of us ends up in one of these breaches. Outside of never signing up for any online service ever, there’s not much you can do about it.

So when you eventually get notified that your account information is out there in the wild, you need to take some steps: Change the passwords for any sites you’ve used that password on. If the breach includes credit cards or other financial information, check your accounts for fraud and let your banks know to increase fraud protection on your accounts. If your social security number is revealed – like in the 2015 Experian breach – contact the major credit agencies (Experian, TransUnion, Equifax) and lock your credit, so that you have to approve it every time someone tries to apply for credit in your name.

Back to Unique Passwords

Of course, all the information in HaveIBeenPwned has been out there for a while. The site’s administrator isn’t hacking other sites for these lists – he’s getting them from people who have found them on the Internet. That means others could have your information before you find out that it’s out there.

So that’s why you want to use a unique password for every website. In the event that a site is breached and your password is out there, you’ll know the attacker won’t be able to get into your other accounts.

Don’t Panic

It’s going to happen. You’re going to get that email. As I said earlier, it’s inevitable. When it happens, take a breath and step back to consider the above steps.