18 Aug How to check if somebody knows your password. Have you been ‘pwned’?
If you read my post on ‘spear phishing’ you’ll be aware that the hijacking of email accounts is on the rise. These attacks generally revolve around the attacker already knowing the login details for the account somehow.
When I speak to customers they often wonder how the attacker knew their seemingly complex password. Did they simply guess it?
The simple answer is no, in my opinion, that’s very unlikely.
It’s much more likely that the email address and password were used on another site/ service which has led to them being compromised or ‘pwned’.
Finding out if your email address has been compromised
A good way to check if your email addresses and passwords are known is to use a service like haveibeenpwned.com.
This free service asks you to provide an email address and let it check a large list of online services that have been known to have been compromised at some point. It then returns a list of services where your email address and password were are known.
As a mail administrator, you can also do a check against a whole domain but you must verify that you own the domain first by using their verification mechanism.
The verification process has multiple options but one of the most straightforward is to have it send an email to a pre-defined email address on the domain (we chose the postmaster@domain.com option) . This email contains a one-time code that you must enter to prove you receive email for the domain. This search then returns a list of email addresses and online services that have been compromised.
If this service does find any accounts that have been compromised, the password used against that account should be considered cracked, and you really need to stop using it immediately.
You can download your list as an Excel spreadsheet or PDF file making it easier to work with the specific users responsible for the email addresses to update and lock down your accounts.
Better management of passwords
Managing strong unique passwords is not a new problem, but because of the sheer number of online accounts we have these days, coming up with passwords that are strong but memorable can be tricky without some kind of help.
(For a good idea of why long complex hard to guess passwords are so critical I highly recommend this Computerphile video on password cracking)
I’ve recently started using a password manager and I highly recommend you think about doing the same.
Using a password manager
A password manager is a tool that generates and then securely stores the passwords you use for all of your online services. Every time you enter a username and password into a website a new record is created in a secure password vault, usually accessible through your browser, mobiles devices etc.
The beauty of this is that it means you can automatically or manually create strong passwords without worrying about whether you’ll be able to remember them when they’re needed.
This secure vault is itself protected with a single password, and this is the only one you must remember, so make sure you pick a good’n!
There are lots of password managers out there but our preference is 1Password by Agile Bits (we’re not affiliated in any way).
If you haven’t ever looked at a password manager before, I definitely recommend it – while it takes a little while to update your passwords initially, it’s really not much hassle and goes a very long way indeed to protecting your accounts from the ever increasing threat they’re under from attackers.