markwilson.it

Have I been pwned?

Written by

Mark Wilson

in

You’re probably aware that LinkedIn suffered a major security breach, in which something like 164,611,595 sets of user credentials were stolen. Surprisingly, you won’t find anything about this in LinkedIn’s press releases.

In less enlightened times (and before I started using LastPass), I may have re-used passwords. That’s why breaches like the one at LinkedIn are potentially bad. Re-using that identity means someone can potentially log in as me somewhere else – I could be pwned.

Microsoft Regional Director and MVP, Troy Hunt (@troyhunt) has set up an extremely useful site called HaveIBeenPwned. Entering your email address (yes, that means trusting the site) checks it against a number of known lists and yes, it seems mine was compromised in three hacks (at LinkedIn, Adobe and Gawker). In all of those cases, I’ve since changed my passwords and for popular sites – where they offer the option – I’ve started to use second factor authentication solutions (Azure MFA has been on my Office 365 subscription for a long time, I use Google two-step verification too and, since tonight, I’ve added LinkedIn’s two-step verification and Facebook Login Approvals).

So, I guess the two points of this post are:

  1. For heavens sake stop re-using passwords on multiple sites – you can’t rely on the security of others.
  2. Turn on 2FA where it’s available.

Hopefully one day soon, passwords will be consigned to the dustbin of technology past…

Comments

4 responses to “Have I been pwned?”

  1. thommck avatar
    thommck

    Did you know this was a breach from 2012? LinkedIn did a blog post about it (rather than a press release) https://blog.linkedin.com/2016/05/18/protecting-our-members

    Not that it changes your message but seems a bit misleading. I guess you could add a 3rd point of; Change your passwords regularly. Most businesses would enforce users to change their password every 1-3 months so websites shouldn’t be any different.

  2. Mark Wilson avatar
    Mark Wilson

    Yep, I did know it was a 2012 breach but it’s become news in 2016 as the size of the breach and the sale of the data has become newsworthy again.

    I disagree on the change your password every x months though; in fact one thing that really annoys me is a site that either forces a change on me as a result of their poor management of my data (ahem, Costa Coffee) or nags me to change a long and complex (but memorable) password just because it’s been in use for a while (Lastpass) – perhaps they have reason to believe that the database has been compromised and by now there’s a chance someone has worked out the password that matches my hash ;-)

  3. Nick P avatar
    Nick P

    i have scrupulously followed the advice on http://xkcd.com/1693/. my password for everything is now “CorrectHorseBatteryStaple” followed by my current weight. easy.

  4. Mark Wilson avatar
    Mark Wilson

    I think you mean http://xkcd.com/936/ Nick :-)

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

More posts