It’s a familiar news story these days – yet another major website is compromised and thousands of user account details are leaked online.
Now there is a website to help you discover if your details have been taken in this way. HaveIBeenPwned.com has been launched by Troy Hunt, a Microsoft Most Valuable Professional awardee for Developer Security and international speaker on web security.
Enter your email address on the website to find out if your details have been leaked, either in the original attack or subsequently, on one of the many occasions these details are shared online.
Now if you find your account has been compromised, don’t panic. The first course of action is to change that password, not just on the hacked website but on any other website where that password is used.
This is the problem with online passwords. Because they are hard to remember we have a tendency to use the same password more than once. Hackers know this, so once they have your email and password combination they will use this on other popular websites. If they’re really lucky, you used this combination for your email account. At which point they can simply request passwords to be resent to them, or even impersonate you directly.
Scary stuff, but there are easy steps which you can take to protect yourself and limit the damage from these website attacks.
Step 1: Set Up Email Alerts
On the haveibeenpwned.com website, click the Notify Me option in the menu. Troy has kindly set up free email alerts to let you know if your account has been compromised. Feel free to buy him a morning latte on the donation page; he deserves it.
Step 2: Learn to use a password keeper
If we used a unique password for every website, these kinds of data leaks would not be such an issue. This would be impossible for us to remember, but help is at hand in the form of password keepers.
These tools keep all your passwords in one place, and you only have to remember the access login to the tool. I would recommend Keepass (hosted on your computer) or LastPass (hosted online), depending on your preferences.
If you host the password keeper tool on your own computer, then save the password database in DropBox, Google Drive or similar file back-up service. You can then access either system through any internet connected device – including your mobile.
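The two points above, that a reused email and password pair is what lets attackers move from one breached site to the next, and that a password keeper makes a unique password per site practical, can be checked with a little code. The following is an added example and not part of the original article or of the HaveIBeenPwned service itself. It assumes the later Pwned Passwords range API (api.pwnedpasswords.com/range/<prefix>), which the article does not mention: only the first five hex characters of the password's SHA-1 hash are sent, and the matching is done locally against the returned suffix list, so the password never leaves your machine. The range response embedded below is constructed for the example; only the suffix for the word "password" is a genuine SHA-1 suffix, the counts and other lines are made up.

```python
import hashlib
import secrets
import string
import urllib.request

# Constructed sample of a Pwned Passwords range response: one "SUFFIX:COUNT"
# line per stored hash that shares the requested 5-character SHA-1 prefix.
# Only the second suffix is real (SHA-1 of "password" minus its prefix "5BAA6");
# the counts and the other two lines are made up for this example.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
21C9A5D8A5B3E4E1D4B2F0C5A6B7C8D9E0F:2
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix) of the upper-case hex SHA-1 of the password.
    Under the k-anonymity scheme only the 5-character prefix is ever sent."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix: str) -> str:
    """Network call to the real range endpoint (not exercised offline).
    The API expects a User-Agent header identifying the client."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "reuse-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> dict[str, int]:
    """Turn the "SUFFIX:COUNT" lines into a lookup table."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times this password appears in the breach corpus (0 = not seen).
    range_body is the response for the password's own prefix."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def generate_password(length: int = 20) -> str:
    """A fresh random password, the kind a password keeper would store for one site."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Given {site: password}, return {password: [sites]} for every password used
    on more than one site; each such group is exactly the exposure the article describes."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Constructed vault illustrating one reused password across two sites.
    vault = {"shop.example": "password", "forum.example": "password", "mail.example": generate_password()}
    print("reused:", find_reused_passwords(vault))
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE), "times")
```

To run the check for real, replace the sample body with `fetch_range(split_sha1(pw)[0])`; the rest of the logic is unchanged, and the reuse report is what you would want a password keeper audit to show as empty.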
Step 3: Protect your email at all costs
Special protection should be considered for your email account, as this is the nexus point for your online security. Once your email has been breached then other passwords can be requested.
Many online email providers, such as Gmail, are now offering two-factor authentication (2FA) protection. Once set up, the system will request a code sent by SMS to your phone, in addition to your password. You can set this system up in Gmail by following this guide.
For bonus points you might want to look at using a security key, such as those sold by Yubico. These are physical USB devices that will authenticate access to your password keeper. As of October, Google has allowed these devices to be used on their accounts.
Multiple keys can be bought so you have a backup, but it is worth reading Brian Proffitt’s article on what to do if you lose your 2FA device.
Hopefully this article has set you on the path to better online security. This is one area where it pays to be proactive, so make this a weekend project to protect yourself and your clients. If you have any questions, then please let me know below.