Archive for August, 2016

Graham Cluley released an article today called “200 MILLION YAHOO PASSWORDS BEING SOLD ON THE DARK WEB?” about various web sites that have had stolen passwords recently posted on criminal web sites (the “dark web”).

This is not really news—new password breaches are revealed quite often—but it brings some questions to mind. How do you know if your passwords have been stolen? And what do you do about them?

If you haven’t changed your important passwords recently, you could just assume they have been stolen and change them.

Or, you can look up your email address or user name at a site like LeakedSource.com. When you enter a user name or email address and click Search, it shows you, for free, the possible accounts and the types of information held in its databases, but not the actual information. You have to pay to see that.

Do you actually need to see those old passwords? Probably not; what you really need is the list of accounts that were compromised. If you look at those accounts and you have not changed your password in a while, here’s what to do:

  1. Install some kind of password manager on each of your devices, something well known, such as KeePass 2 or LastPass. Come up with a password for the manager that you will not forget. If you forget it, the password probably cannot be recovered (99.99% chance of no recovery). Keep a copy of the master password somewhere safe—your safe deposit box or even in your wallet if you need to. (Note: this may not protect you against family members or friends who want to know your secrets.) If your wallet gets stolen, you only have 1 password to change.

You can download those applications from the following sources. Note: Only download applications from the original site:

Personally, I prefer KeePass, but LastPass is much easier to synchronize between devices because it is web-based. LastPass has had recent vulnerabilities, however.

The nice thing about a password manager is that it will autotype your password (unless the username and password are on separate pages, as on some bank and credit card sites). Even in those cases, you can drag your username and/or password to the proper place.

  1. Change your important passwords—email, Facebook, MySpace, LinkedIn (for example)—to something at least 15 characters long. Do not reuse it anywhere! A password safe will generate a password for you and you can customize length and character types.
  1. If the site offers some kind of multi-factor authentication (MFA), take advantage of it. Yes, it is painful! But you can often set it so that your devices will remember for at least 30 days (unless you clear your cache).
  1. Do not share your passwords with anyone! Not your spouse, kids, friends, boss, coworkers, or someone claiming to be from Microsoft support.
  1. Last, change your passwords at least yearly. A good day to change them? World Password Day at https://passwordday.org/ celebrates password security on May 5 every year. They have some funny videos starring Betty White! Check them out!
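The password-generation step in the list above (at least 15 characters, with a choice of length and character types), sketched as an added example; this is not code from KeePass or LastPass, and the class names, symbol set and function names are assumptions made for illustration:

```python
import math
import secrets
import string

# Character types a user can switch on or off (names are this example's own).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}
MIN_LENGTH = 15  # the minimum length the post recommends for important accounts


def generate_password(length=20, classes=("lower", "upper", "digits", "symbols")):
    """Return a random password with at least one character from each chosen class."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    unknown = set(classes) - set(CLASSES)
    if unknown or not classes:
        raise ValueError(f"choose classes from {sorted(CLASSES)}")
    classes = list(dict.fromkeys(classes))  # drop duplicates, keep order
    alphabet = "".join(CLASSES[name] for name in classes)
    # One guaranteed character per class, so sites with composition rules
    # accept the result, then fill the rest from the combined alphabet.
    chars = [secrets.choice(CLASSES[name]) for name in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, classes):
    """Upper bound in bits; the one-per-class rule removes a small fraction of candidates."""
    alphabet_size = sum(len(CLASSES[name]) for name in set(classes))
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    chosen = ("lower", "upper", "digits", "symbols")
    pw = generate_password(20, chosen)
    print(pw, f"(up to {entropy_bits(len(pw), chosen):.0f} bits)")
```

The `secrets` module draws from the operating system's cryptographic random source; the general-purpose `random` module is predictable and should not be used for passwords.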

Save your information and your privacy. Practice safe MFA like Betty White!