Have You Been pwned?
So now that I have your attention with a catchy subject, let me talk a little bit about security. I participate in writing a blog at my workplace and this was my latest blog I wrote for them. I am a geek at heart and have a passion for cybersecurity. I know that it may sound boring and too techie for some of you, but I enjoy learning about all the new and creative ways that black hat hackers can attack us and how we can defend ourselves against them. So just what does it mean to be “pwned” (pronounced like "poned")? Being pwned is internet slang or leetspeak for being owned. If you have been pwned it means that you have been hacked or had your data compromised in some way.
Have you ever wondered if your data or passwords have been compromised? Me too. There is a site that can tell you not only if your accounts have been compromised, but also which breaches your information was included in and what information was leaked (McAfee, 2018). The website is called Have I been pwned. You simply put in the email address that you use for all your accounts (think LinkedIn, Amazon, etc.) and click the “pwned?” button, and it will quickly return what breaches your account has been included in. Most of us will likely see “Oh no – pwned!” because, believe it or not, most people have been part of a breach. Scroll down past the tips on better security and it tells you what breaches your account was in and what type of information was compromised (email address, employers, geographic locations, passwords, phone numbers, etc.). There is a ton of great information on this site. I would encourage you to explore. Heck, maybe you will find it as interesting as I do :-)
This is all great information, and you may be thinking, I am safe because I got a notification of the breach and changed my password for that account. Nice job! Another inconvenient fact is that most of us share our super-safe, super-secret password among all our internet accounts. Hackers know this and also know that whatever account was hacked will likely force you to change that password. If you didn’t take the extra step of changing that password on all the other accounts that share it, then you are vulnerable. Hackers will find your password from the LinkedIn breach and go try it on your Amazon account.
So how do you protect yourself? Below is a list of good password practices (Colby, 2020). Some are obvious and others, like length mattering more than complexity, are more of a revelation.
1. Think Length, Not Complexity - A longer password is usually better than a more random password, as long as the password is at least 12-15 characters long. A long password that comprises only lower-case letters can be more beneficial than crafting just the right combination of alphanumeric gibberish. “Usually all it takes is a password just two characters longer to make up for a lack of other types of characters such as upper-case, numbers, or symbols.” (Mark Burnett, author of Perfect Password)
2. Keep It Weird - Longer passwords are always better, but that length yields diminishing returns if you’re not still mixing it up. If longer passwords are based on simple patterns, they put you at just as much risk of having your identity stolen by hackers. Avoid common sports and pop culture terms (as much as you may love the Patriots, Celtics, Bruins, Star Wars and Harry Potter).
3. Don’t Bunch Up Your Special Characters – Many retailers and organizations require a combination of upper and lower case letters, numbers and symbols when creating a password. This is great! Just keep them separated. Spread out your upper case, symbols and numbers throughout the password instead of putting them all at the beginning or end.
4. No Double Dipping – I gave you an example of why using the same password across multiple accounts is a bad practice. Just don’t do it! This makes a hacker's job way too easy.
5. Use 2 factor authentication – What the heck does that mean? It means that layered defense is better. Just like old castles had moats, walls, and turrets to protect them in case attackers got past one layer of defense, you should have multiple layers of defense. Most accounts now offer 2 factor authentication. This usually means you log in with your username and password and then it sends you a text or email with an additional code to enter before you can log in. Having this extra layer means an attacker would not only have to steal your password, but also have access to your phone or email. Enable 2 factor authentication if it is an option.
Hopefully I haven’t bored you too much with all the geek speak. It really is important to protect your passwords at work and at home. I will end the blog with something I find humorous and still slightly geeky. Each year the most common password list is released. This list is compiled from data breaches where passwords were compromised (Parsons, 2019). Please don’t be these people.
Here are the top 10 most common passwords of 2019:
1. 123456
2. 123456789
3. qwerty
4. password
5. 1234567
6. 12345678
7. 12345
8. iloveyou
9. 111111
10. 123123
And, just for reference, here were the 10 most common passwords of 2018:
1. 123456
2. password
3. 123456789
4. 12345678
5. 12345
6. 111111
7. 1234567
8. sunshine
9. qwerty
10. iloveyou
Don’t get pwned!
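To make rules 1 to 3 and the common-password lists above concrete, here is a small checker I have added for this post (it is not from the CNET article, the HIBP site or any other source). It flags passwords that are too short, appear in the two top-10 lists quoted above, contain the sports and pop-culture terms named in rule 2 or a sequential/keyboard-row pattern, or bunch their upper-case letters, digits and symbols at the start or end (rule 3). The deny-lists and the sample passwords are constructed for illustration; the entropy estimate is a crude length-times-character-class guess, not a real strength meter.

```python
import math
import re

# Deny-list built from the two top-10 lists quoted in the post (2019 and 2018).
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "1234567", "12345678",
    "12345", "iloveyou", "111111", "123123", "sunshine",
}
# Sports and pop-culture terms the post names; a production deny-list is far longer.
PREDICTABLE_TERMS = ("patriots", "celtics", "bruins", "starwars", "harrypotter")
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 12  # the post's "at least 12-15 characters"

def has_simple_pattern(pw: str) -> bool:
    """Rule 2: flag 4+ character runs that are sequential (1234, abcd, dcba) or keyboard rows."""
    low = pw.lower()
    for i in range(len(low) - 3):
        window = low[i:i + 4]
        steps = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(window in row or window in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False

def specials_bunched(pw: str) -> bool:
    """Rule 3: true when every upper-case letter, digit or symbol sits at the start or end."""
    specials = [i for i, c in enumerate(pw) if not c.islower()]
    lowers = [i for i, c in enumerate(pw) if c.islower()]
    if len(specials) < 2 or not lowers:
        return False  # nothing to spread out, or no lower-case core at all
    interior = pw[lowers[0]:lowers[-1] + 1]  # between first and last lower-case letter
    return all(c.islower() for c in interior)

def naive_entropy_bits(pw: str) -> float:
    """Rule 1: crude guess-space estimate, length times log2 of the character classes used."""
    size = 0
    for pattern, n in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, pw):
            size += n
    return len(pw) * math.log2(size) if size else 0.0

def check_password(pw: str) -> list[str]:
    """Return the post's rules that a candidate password violates (empty list = passes)."""
    problems = []
    stripped = re.sub(r"[^a-z0-9]", "", pw.lower())  # "Star Wars!" -> "starwars"
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short ({len(pw)} chars, want at least {MIN_LENGTH})")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("appears in the most-common password list")
    if any(term in stripped for term in PREDICTABLE_TERMS):
        problems.append("contains a predictable sports/pop-culture term")
    if has_simple_pattern(pw):
        problems.append("contains a sequential or keyboard-row pattern")
    if specials_bunched(pw):
        problems.append("special characters are bunched at the start or end")
    return problems
```

Rule 4 (no reuse) cannot be checked from a single password, which is exactly why a password manager or the Have I been pwned search is the practical answer to it.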
References
Colby, C., 2020. Strong Passwords: 9 Rules To Help You Make And Remember Your Login Credentials. [online] CNET. Available at: <https://www.cnet.com/how-to/strong-passwords-9-rules-to-help-you-make-and-remember-your-login-credentials/> [Accessed 22 July 2020].
McAfee, 2018. And We're In. [podcast] Hackable?. Available at: <https://hackablepodcast.com/episodes/and-were-in> [Accessed 22 July 2020].
Parsons, J., 2019. 10 Worst Passwords Of 2019 Revealed And Nothing Has Changed | Metro News. [online] Metro.co.uk. Available at: <https://metro.co.uk/2019/12/19/10-worst-passwords-2019-revealed-nothing-changed-11932281/> [Accessed 22 July 2020].