Following up my previous post on why you should use a password manager and the one before that on password hashing and how it keeps your data safe, I wanted to write one last post on a little bit of detective work you can do at home to check if you've already fallen victim to a data breach and follow-up actions you can take to stay safe.

Discovering You've Been Pwned

The verb "to pwn" (it has various pronunciations; the one I hear most often is "own" with a "p" in front) is a common piece of online slang meaning "to utterly defeat". In information security it's also used colloquially to mean "to compromise or take control of another computer or digital system". It's very apt, then, that the service we're about to use is called Have I Been Pwned?.

Created by the highly regarded digital security professional Troy Hunt, the Have I Been Pwned? service (or HIBP for short) is a completely free web service that pulls together leaked and stolen data from all over the web (both the surface web that you probably use every day and the so-called "Deep Web", which we'll talk about another time) and tells you whether or not your e-mail address appears in it. You can also subscribe to be notified by e-mail if any of your account details end up doing the rounds in shady online circles in the future. Visit HIBP here and try it out.

Did you get the all-clear? If so, that's great, but don't let your guard down. While HIBP pulls together data from almost 300 compromised websites and over 5,000,000,000 (yes, 5 billion) accounts at the time of writing, new breaches happen every day and HIBP does not claim to be a complete list of every set of compromised account details out there. Stay with me, we'll be covering some important ground in the rest of this article.

Have you been pwned? If so, HIBP will list the information currently out there about you that it found alongside your e-mail address, such as name, geographical location, occupation etc. This should serve as a wake-up call that your personal data is out there and readily available to anyone who has internet access. Now is not the time to panic, however; now is the time to do something about it. When I first used the service myself, had I been pwned? The answer is yes, multiple times across multiple e-mail addresses.

Pwned Passwords

Another service that HIBP provides is called Pwned Passwords. Using the webpage here you can enter a password and check whether it is contained within any of the data breaches that HIBP is aware of. Before you go entering your password on this, however, stop!

Troy provides this service for informational purposes only. Whatever you do, never enter a password you actively use anywhere that it doesn't belong. Troy is a professional (and a trustworthy one) but he says so himself that you shouldn't hand over any of your current passwords on this page. If you're curious as to whether or not a past or potential future password was/is a good idea, however, that's what this tool is designed for. If you're thinking that hunter123 is a good password, a quick check of Pwned Passwords will reveal that this password has appeared no less than 19,280 times in previous breaches and is really not a good idea to use!
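The reason a check like this can be done without handing over the password is that the lookup can be designed around a hash prefix: only the first five hex characters of the password's SHA-1 go to the service, the rest is compared on your own machine. The following is an added example (not code from the post or from HIBP) that shows that split and parses a range response in the "SUFFIX:COUNT" line format; the corpus and counts it runs against are constructed here so it works offline (the hunter123 figure simply mirrors the number quoted above).

```python
import hashlib
from typing import Callable, Dict, List, Tuple

def sha1_split(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1, split into the 5-char prefix that is sent out
    and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per hash with that prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never seen)."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)

# --- Constructed stand-in for the service so the example runs offline ---
# Counts are invented; hunter123 mirrors the figure quoted in the post.
FAKE_CORPUS = {"hunter123": 19280, "P4$$w0rd": 4100, "bentley": 900}
REQUESTS: List[str] = []  # records exactly what the fake "server" received

def fake_fetch_range(prefix: str) -> str:
    REQUESTS.append(prefix)
    lines = []
    for pw, n in FAKE_CORPUS.items():
        p, s = sha1_split(pw)
        if p == prefix:  # only hashes sharing the prefix come back
            lines.append(f"{s}:{n}")
    return "\n".join(lines)

def fetch_range_live(prefix: str) -> str:
    """Real lookup against the public range endpoint (not used in the offline demo)."""
    from urllib.request import urlopen
    with urlopen(f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10) as r:
        return r.read().decode("utf-8")

if __name__ == "__main__":
    for pw in ("hunter123", "N,ttt,ys.Ctmc!"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; either way, `REQUESTS` shows that nothing but a five-character prefix ever leaves the machine.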

Taking Action

So, maybe your information is out there, maybe it isn't, or maybe it is but HIBP doesn't know about it yet. Whichever of these three options might apply to you, it's time to take action.

If you don't already, the first step you should take is to download and use a password manager to generate secure, random passwords for your existing online accounts, which will immediately make you much, much safer. We went through this in my previous post which you should definitely take a moment to read if you haven't already. From there, you should set up two-factor authentication for both your password manager and any website that supports it.

Two-Factor Authentication?

Two-factor authentication (sometimes abbreviated 2FA) is a well-established technology that will vastly decrease the chances of an attacker being able to take control of your online accounts. You might even be using it already.

When you log into a website from a new device, even with the correct password, you'll be unable to proceed further until you enter a code sent to your phone by text message. This gives your account an extra layer of protection, because now you need two factors to prove who you are:

  • Something only you know - your password.
  • Something only you have - your mobile phone.

This is where 2FA gets its name, and why it is so effective at keeping attackers out. If they steal your password, they'd also need to steal your phone to do any damage.

This doesn't mean you can get away with not using a password manager, using a weaker password or being careless with it. The reason we're building up these defences is to put multiple layers of protection between you and an attacker, and it's important to keep all of these intact to be as safe as possible.

"But all these extra measures, a password manager and two-factor authentication, will ruin my productivity!"

This is a common and understandable complaint. Two-factor authentication makes the login process more involved for websites you may use every day, and password managers (while designed to have a very gentle learning curve for new users) can take some getting used to. When we examine this argument in more detail, however, it starts to fall apart:

  • Password managers actually make you more productive. Imagine having one password to log in to everything, having the peace of mind that you're being secure about it and having your password manager sync across all your devices to keep all your logins safe, organised and in one place. The investment now is more than worth the boost in security and productivity later.
  • Two-factor authentication might take 30 seconds out of your day once or twice per week. Having your e-mail account etc. compromised, however, will take much more time to sort out. It's a worthwhile measure, both for your peace of mind and the security of your online accounts.

Generating a Password You Can Memorise

In the end, for the master password to unlock your password manager, you'll need to create a secure password you can memorise. Here are some top tips from me:

  • Simple substitutions like P4$$w0rd are so easy to crack for an attacker that you might as well not use them at all. Consider something else.
  • Appending a few numbers or starting your password with a capital letter has virtually no effect on its security. Bentley246 is very close to being just as terrible as bentley.
  • Many security professionals will advise that you choose a few words that are significant for you, but hard to guess based on your information. A good way to do this is using a random story you make up in your head and rehearse a few times. "The goat picks raspberries on the rocketship" might become goatraspberryrocketship. This is good, but still possible for an attacker to break if they know that your password consists of a few words (they'll just try combinations from the dictionary).

My Advice

My personal preference for generating a secure password is to choose a sentence from your favourite book and base it on that. Take the following quote from Moby Dick, for example:

"Now, three to three, ye stand. Commend the murderous chalices!"

This might become N,ttt,ys.Ctmc! which is very safe, as far as passwords go. If you're worried you'll forget it, note down the chapter, page number, and line the sentence appears on (in a way that doesn't make it obvious what the note means) and keep it somewhere safe.
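To make the difference between the weak patterns listed above and the sentence-initials approach concrete, here is an added example (my own illustration, not code from the post) of the kind of check a defender might build into a password policy: it undoes the cheap tricks a cracking tool tries first (trailing digits, leading capital, letter-for-symbol substitutions) and then asks whether what is left is a dictionary word or a run of them. The word list and substitution table are constructed and deliberately tiny; a real policy would use full dictionaries.

```python
import re
from typing import Optional

# Constructed mini word list standing in for the dictionaries crackers use.
WORDS = {"password", "bentley", "goat", "raspberry", "rocket", "ship",
         "rocketship", "hunter"}

# Assumed letter-for-symbol substitutions, undone before checking.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalise(password: str) -> str:
    """Strip appended digits, undo substitutions and lower-case the result:
    the same cheap rules a cracking tool applies before trying a word list."""
    core = re.sub(r"\d+$", "", password)
    return core.translate(LEET).lower()

def is_word_concatenation(s: str) -> bool:
    """Dynamic programming: can s be split entirely into dictionary words?"""
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        reachable[end] = any(reachable[start] and s[start:end] in WORDS
                             for start in range(end))
    return reachable[len(s)]

def weakness(password: str) -> Optional[str]:
    """Name the pattern that makes the password cheap to guess, or None."""
    core = normalise(password)
    if not core:
        return "digits only"
    if core in WORDS:
        return "single dictionary word (substitutions/padding ignored)"
    if is_word_concatenation(core):
        return "concatenation of dictionary words"
    return None

if __name__ == "__main__":
    for pw in ("P4$$w0rd", "Bentley246", "goatraspberryrocketship", "N,ttt,ys.Ctmc!"):
        print(f"{pw!r}: {weakness(pw) or 'no cheap pattern found'}")
```

The three examples from the post all trip one of the rules, while the Moby Dick-derived password passes, which is the point: it contains no word for a dictionary attack to latch onto.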

"But I thought I should never ever write my password down under any circumstances?"

You shouldn't, but this piece of advice is usually given to discourage people from doing things like scribbling their password on a sticky note and keeping it on their monitor. A password hint like we discussed above, stored on paper securely in a safe place for emergencies, is actually a sensible security practice.

This has been a long post, so we'll wrap up this article, and this 3-part series, here. Password security is a complicated topic, but you don't need to be a security expert to be expert about your security. It's time to take password security seriously.