
have you been pwned?

Well, have you? Has your information been stolen from any of the plethora of websites you’ve registered at over the years you’ve been online? You wouldn’t have a clue, would you?

Conducting your online life takes a large measure of trust these days, or naivety. Whenever you hand your details to a website, any website, it is going to keep that information indefinitely. You are trusting that it will be stored securely, or hoping that the site simply never gets hacked. Considering that this little website currently faces up to over 300 attempted hacks per day, hoping is futile.

Storing your information securely relies on their IT people staying one step ahead of the black hats. Given the nature of code, nothing is ever totally secure. What we think of as secure is simply code that hasn’t been breached yet. Don’t expect quantum computing to change that, either: if anything, practical quantum computers will break some of the public-key cryptography today’s sites depend on. There are absolutely no absolutes when it comes to online security.

Once the email address and password you used at any particular site have been stolen and sold on, it is a trivial matter to grow that information into a digital replica of you. All it takes is a little social engineering: the people on phone duty, bless them, aren’t always fully trained in infosec requirements, and they have always been the weak point. With a little flattery, some confidence and just one or two further pieces of publicly available data (date of birth, address and so on), your vital accounts can be unlocked and your security shredded. I’ve witnessed it first-hand, as a wealthy business icon handed over his password with the added bonus of “it’s the same one I use on all my accounts, sharemarket, bank, everything”. That conversation took less than five minutes and could have cost him over $5,000,000. It didn’t, but as a demonstration of how easy it can be to breach password security, it was shocking. It’s usually just two steps from any relatively insignificant piece of personal data to your bank account.

Data breaches (a website is broken into and its user database copied; Adobe lost 153,000,000 accounts, the PlayStation Network breach took 77,000,000) are becoming so commonplace that they barely rate a mention in the online newspapers. Following the theft, the captured information is usually offered for sale or simply pasted online for all to see. Plainly visible will be your email address and, often, your password hint question. Your password should be stored as a salted hash rather than anything reversible, but practice varies: Adobe’s passwords were encrypted with a single key instead of hashed, with the plaintext hints sitting right beside them, so identical passwords produced identical ciphertext and the hints gave them away. Hint answers aren’t always protected at all. Given the aptitude and a little financial resource, anyone can throw the hashes at the mighty John the Ripper running on a few rented Amazon GPU instances for just a few dollars more than fuck all. How’s your personal privacy looking now, Chief? Pretty sad, huh?
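To show what “throwing the hashes at John the Ripper” actually does, here is an added example (not this post’s own code, and not John the Ripper itself) of a dictionary attack in Python against a constructed dump of unsalted SHA-1 hashes, followed by the same attack against salted PBKDF2. The accounts, passwords, wordlist and iteration count are all made up for the demo; a real attacker uses a multi-million-entry wordlist and GPU hardware, but the principle is identical.

```python
import hashlib
import os

# Constructed sample "breach dump": account -> unsalted SHA-1 of the password.
# Plenty of real dumps looked exactly like this: no salt, one fast hash per row.
# The plaintexts exist here only to build the sample; a real dump has none.
_SAMPLE_PLAINTEXTS = {
    "alice@example.com": "Summer2014",
    "bob@example.com": "password1",
    "carol@example.com": "xK9#qL!2vZ",  # long and random: survives the attack
}
UNSALTED_DUMP = {
    user: hashlib.sha1(pw.encode("utf-8")).hexdigest()
    for user, pw in _SAMPLE_PLAINTEXTS.items()
}

# Tiny constructed wordlist. A real attacker uses rockyou.txt (14 million
# entries) plus hundreds of mangling rules; the mechanism is the same.
WORDLIST = ["password", "summer", "letmein", "qwerty"]
ITERATIONS = 10_000  # kept low so the demo runs in about a second


def candidates(wordlist):
    """Yield guesses: each word with a few common mangling rules applied."""
    suffixes = ["", "1", "123", "2013", "2014"]
    for word in wordlist:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                yield base + suffix


def crack_unsalted(dump, wordlist):
    """Dictionary attack on unsalted hashes.

    With no salt, each guess is hashed once and looked up against every row
    at the same time, so the cost is one fast hash per guess no matter how
    many accounts are in the dump.
    """
    users_by_hash = {}
    for user, digest in dump.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates(wordlist):
        digest = hashlib.sha1(guess.encode("utf-8")).hexdigest()
        for user in users_by_hash.get(digest, []):
            cracked[user] = guess
    return cracked


def store_password(password, salt, iterations=ITERATIONS):
    """How a site should store a password: per-user random salt + slow KDF."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    ).hex()


# The same three accounts stored properly: (salt, PBKDF2 digest) per user.
SALTED_DUMP = {}
for _user, _pw in _SAMPLE_PLAINTEXTS.items():
    _salt = os.urandom(16)
    SALTED_DUMP[_user] = (_salt, store_password(_pw, _salt))


def crack_salted(dump, wordlist, iterations=ITERATIONS):
    """The same attack against salted PBKDF2 digests.

    The salt differs per user, so every guess must be re-derived for every
    account, and each derivation costs `iterations` rounds instead of one
    hash. Returns the cracked accounts and the total work spent, counted in
    PBKDF2 iterations.
    """
    cracked = {}
    work = 0
    for user, (salt, digest) in dump.items():
        for guess in candidates(wordlist):
            work += iterations
            if store_password(guess, salt, iterations) == digest:
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    found, work = crack_salted(SALTED_DUMP, WORDLIST)
    print("salted PBKDF2:", found, "after", work, "iterations of work")
```

The weak passwords fall either way; what changes is the bill. Against the unsalted dump the whole wordlist costs 60 SHA-1 calls for every account at once. Against the salted dump the attacker pays the full iteration count per guess per account, which is exactly the multiplier a site chooses when it picks a slow KDF. Carol’s random password survives both because it is not in any wordlist, which is the other half of the lesson.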

What can you do about it, considering that everything written above relies on the site operators being vigilant with your information? And really, as though they care! Well, preventative maintenance is always a sensible investment, whatever the context. I tell my mechanic that it’s his job to find whatever is wearing out on my car and fix it before it breaks. More people should employ that strategy with their IT support too. In this particular case, well, in most cases, I recommend following my lead: I’m always on the lookout for innovations in security and breakthroughs in hacking. That way my armoury is effective and my defences are up.

The latest tool, and it’ll be your longtime good friend, is haveibeenpwned.com. The site trawls for data breaches, harvests them, then lets you run your email addresses against the massive combined collection to see whether your details have indeed been exposed. Taylor Swift, @SwiftOnSecurity, put me onto this one. Go there, try it now.

If you’re lucky, you won’t be listed. But that is most likely luck, pure and simple. The best feature haveibeenpwned offers is that it will take your email address or addresses and monitor every breach it loads for a match. Should that happen, expect to be notified as soon as the breach is added to the service, which can be long after the theft itself but still, in most cases, before a fraudster has cracked your password and worked through your accounts. With an early-warning radar system like this on your side, you can feel just a wee bit safer. Not only do you know whether you have been pwned in the past, you’re giving yourself wiggle room to defend against future pwning. And that, that can only be a good thing.
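The same service also covers the password side of the data through its Pwned Passwords range API, which goes beyond what the post above describes. As an added example (not the site’s own code), here is a Python check that never sends the password itself: it hashes the password with SHA-1, sends only the first five hex characters of the hash, and matches the rest locally against the returned range. The endpoint URL and the SUFFIX:COUNT response format are real; the sample response body is constructed so the check runs offline, and the counts in it are made up.

```python
import hashlib
import urllib.request

# Real endpoint of HIBP's Pwned Passwords range API (no API key required).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split it into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse the API's 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, range_body):
    """How many times the password appears in breaches, given the range
    response for its prefix. 0 means its suffix is not in the range."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix, timeout=10):
    """Network call: fetch the range for a 5-char hex prefix.
    Not used by the offline demo below."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    request = urllib.request.Request(
        RANGE_URL + prefix, headers={"User-Agent": "hibp-range-example"}
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.read().decode("utf-8")


def check_password(password):
    """Online check: only the hash prefix leaves the machine."""
    prefix, _ = split_hash(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6, which is the prefix of
# SHA-1("password"). The "password" suffix is the genuine one; the other
# suffixes and every count are made up. A real response for this prefix
# runs to several hundred lines.
SAMPLE_RANGE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E2AAA439972480CEC7F16C795BBB429372:1\r\n"
)


if __name__ == "__main__":
    print("offline:", breach_count("password", SAMPLE_RANGE_BODY))
    # Uncomment to query the live service (sends only the 5-char prefix):
    # print("online:", check_password("password"))
```

The design point is k-anonymity: the service learns that the caller’s hash starts with 5BAA6, which hundreds of breached passwords share, and nothing more. Treat any non-zero count as “never use this password again”, and remember that a zero only means the password is not in a known breach, not that it is strong.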

This has been yet another public announcement in the interest of your online security.