Trust no one

Here is the IT public service announcement for today - a now annual, updated version of something I wrote 3 years ago. Timely before the return to school here in Australia, but advice that might be useful for all.

Strap yourselves in, this will be a long one.

Over the last couple of years there have been some massive exposures of personal details from various websites. Here in Australia we had some big ones in 2022 - have a read of this list https://www.webberinsurance.com.au/data-breaches-list#twentytwo - and that's just Australia.

This all means that your data, in some way, shape or form, has probably been leaked. If not your data, then your email address and a password. And because of how most of us reuse passwords, that one leaked password probably puts your other accounts at risk too.

If you use the same password across multiple sites, you are at risk. If you use a common password, you are at risk.

So, what can you do to help yourself? This brings up a term in IT called "Zero Trust" - essentially, no login is trusted just because it worked before or comes from a familiar place; every one should be verified in some way, every time.

To start with, check whether you have already been compromised. This can be done in two ways, at the same site:

1) Go to https://haveibeenpwned.com/ and type in your email address - this will show you which breaches your address has turned up in, and how many.

2) Same website: go to https://haveibeenpwned.com/Passwords and type in your password (this sounds counter-intuitive - I get that, however I know and trust Troy Hunt who runs the site, he is not harvesting the passwords, he will compare it against ones that have been recorded in breaches - https://www.troyhunt.com/). The page never actually receives your password: your browser hashes it locally with SHA-1 and sends only the first five characters of that hash, the site returns every breached hash starting with those five characters, and your browser does the matching itself.

If your password shows up there, it is a known password. Anyone trying to break into your email, Netflix, whatever, will run a list of known passwords against the login (strictly this is a dictionary attack, or credential stuffing when they replay leaked email and password pairs; most people lump it under brute force - see, you now know another nerdy term). And it is not just that one account: every site where you reused the password is now one guess away.
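How that password check stays safe to use, as an added example in Python (this is not code from the original post or from the haveibeenpwned.com site): the password is hashed with SHA-1 on your side, only the first five hex characters of the hash go to the range endpoint, and your side compares the returned suffixes. The sample range response, the counts in it and the helper names are constructed for this offline run; only the real network function talks to the actual API.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Constructed stand-in for the body https://api.pwnedpasswords.com/range/5BAA6
# returns. The real response has hundreds of "SUFFIX:COUNT" lines; the counts and
# the other suffixes here are made up. SHA-1("password") really is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so "password" hits the second line.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
5D6C3A4E2F0A7B8C9D0E1F2A3B4C5D6E7F0:12
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password locally and split the hex digest into the 5-char
    prefix that is sent and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appeared in breaches (0 = not found).
    fetch_range(prefix) must return the text body for that 5-char hash prefix."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against the Pwned Passwords range endpoint (needs network)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in that only knows the constructed 5BAA6 bucket."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "a-long-made-up-passphrase-42"):
        print(pw, "->", pwned_count(pw, fetch_range_sample))
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; even then the only thing on the wire is the five-character prefix, which is shared by hundreds of unrelated passwords, so the server cannot tell which one you typed.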

So - what do you do to protect yourself?

Fortunately, there are some good ways to protect yourself:

1. Don't use the same password across multiple sites. Use a different one for each.

2. Don't use an easy password - your name, your street, your pet, your whatever, is not a good password. These are all things that a) appear in the word lists attackers try first and b) can be tied to you from your public profile.

3. Enable two factor authentication (2FA) or multi-factor authentication (MFA). Now - this sounds like IT geek speak to my non-IT friends - I realise - however, it is not that hard. It basically means that you are not just relying on a password for access to something: someone who has your password still needs the second factor, such as a code from an authenticator app on your phone. Facebook as an example has a two factor option. https://www.facebook.com/security/2fac/setup/intro/ . Most good email services will have the same (gmail, outlook.com, etc), good banks have 2FA or MFA (see, you just learnt some nerd!). Where you get a choice, an authenticator app or a hardware security key is stronger than a code sent by SMS, because a criminal who takes over your phone number also gets your SMS codes. Go enable them, it will be a bit annoying to start, but shortly will just become part of your normal day to day.

Those 3 steps will make it much harder for someone to get into your accounts and steal your information.

Now - the last bit of advice - again this will sound like a geek thing - but it is really easy to use. Steps 1 and 2 are hard to do by hand: keeping a record of all those non-simple passwords is the reason you probably started using easy, reused passwords in the first place. So use a password manager, such as the ones here: https://au.pcmag.com/password-managers/4524/the-best-password-managers - they can generate and store long random passwords for websites and applications, on your phone as well as your laptop and tablet. Yes, there is then a single place with all your passwords, however they are encrypted under a master password that only you know, so make that one long and unique, and turn on two factor authentication for the manager itself.

Also (and some of you will have seen the fun I have with this on Facebook) - do not answer any of the posts on social media such as "The state I grew up in was known for xx, what was yours?"; "The car I learnt to drive in was a xxxx, how about you?" - these sound innocent, and if you follow the advice above they are not your password - but they might be the answer to your password reset questions. Don't give the information away; you are sharing it publicly when you answer, and you never know who is reading. Better still, treat reset questions like passwords: answer them with something random and keep the answer in your password manager.

While you are on Troy's site, also check whether your phone number is in the breached information (if you are wondering why you are getting a lot of spam calls!).

Given how much we store online now and how much we rely on that information, these simple steps will limit what a "breach" can do to you.

Edited to add this great advice from Margit Rosenthal - You can't protect yourself from a breach where a third-party company and a criminal are involved and the horse has already bolted, e.g. Optus or Medibank Group. Where this has happened you need to do the above and take additional steps to prevent any further compromise. Those companies, your bank and specialist organisations such as https://www.cyber.gov.au may be able to assist you.

Matt Constance

Dedicated and Strategic Leader I Community-Focussed Change Champion I Elected Councillor I Executive MBA | GAICD | Passion for People & Purpose

2 years ago

A great write-up Kyle Rosenthal, well explained. One thing I have noted in recent times, in the context of employment, is that while larger organisations will often enforce 2FA/MFA for their employee logins, smaller organisations often do not. And while sometimes this can simply be seen as an issue of "resources", I think many business owners don't actually realise just how easy it is to turn on such options and add a little more protection to their business systems. Community groups are another example where this occurs: passwords and account logins are often shared amongst volunteers, and simple passwords are used to make life easier for them rather than considering protecting the organisation.
