Have you ever been to the website www.haveibeenpwned.com?
Well, it is one resource that we recommend you visit as soon as possible. At Have I Been Pwned you can search your email addresses to see whether they have appeared in any known security breaches. The odds are you will have at least one account among the 10 billion that the site has gathered from breach corpus data. Yes, you read that correctly: a whopping 10 billion email addresses aggregated from public dumps and acquired data breach collections.
This is not a static number. Over 226 million records were added just the other day from a large breach corpus named Cit0day.
So, how confident are you in the security of your accounts now that you have read this far? Knowing that bad actors potentially have access to 10 billion usernames, and often passwords, how does that sit with you? These are not just individuals but well-organized, heavily funded criminals and nation-state actors with some of the best minds in security, cryptography and social engineering.
We have some suggestions for you...
Take the following steps
#1. Use unique and strong passwords and usernames. The more unique and less correlated your logins are, the harder attackers (and their AI tools) must work to break into your other accounts if the records for the first site are breached.
If you only use a handful of services, this might be easy to do from memory, but if you are like most of us, you may have upwards of 50 logins and you need a tool, such as 1Password or LastPass, to generate credentials. Since you are now effectively creating a master key that grants access to all the other keys, make the master password as long and complex as you can manage. Keep in mind that length wins when it comes to passwords. For instance, 24 characters of a known phrase will take longer to crack than 12 completely random characters do. Keep that login safe!
#2. Use multifactor authentication (MFA) options (also known as two-factor, or 2FA). Being required to present a second (or further) factor at login makes it more difficult to get into the account. A factor set up in advance, such as Google Authenticator, biometrics or text messages (which require access to a system separate from the one being logged into), adds still more difficulty. It may be annoying, and it will slow things down a little, but it also slows down or stops the vast majority of attacks even when the attacker happens to have your username and password.
Both 1Password and LastPass can provide solutions for both of these things: a strong password manager and a free MFA option that is compatible with Google and other systems.
At the end of the day, your future self depends on what you do with your accounts today, as breaches are an inevitable part of the internet. Do the best you can to reduce the opportunity bad actors have to get more of your life and information when a service is breached.
Just as we don't use one common key for our car, house, safety deposit box and office, don't use the same credentials on multiple sites. The impact is very real and can result in financial harm, career harm and public embarrassment. As it only takes a couple of minutes for a computer to try all 10 billion records, the adage about being a needle in a haystack offers no protection here.