“Data breach”, “Data leak”, “Your password has been compromised”. Not only do nightmarish scenarios play out in your head when you hear these words, but you inevitably wonder: what’s the right thing to do now? In this post, you’ll learn how to find out if your passwords have been compromised, and if they have – what to do about it.
For World Password Day on May 6, we featured the three worst hacking attacks of the last few years here on the blog. If you want to read them, you can find the whole post here. Through the blog article, it becomes frighteningly clear how many passwords have been compromised in recent years. To briefly explain, a system or data set can be considered compromised when the owner of the system, database, or data set no longer has control over its proper functioning and its security. In other words, hundreds of millions of hacked pieces of information are floating around the web. This includes not only personal information such as name, email address and phone number, but also unencrypted passwords, credit card information and passport numbers.
Convenience jeopardizes security
What’s particularly bad about this is that one in three users uses the same password for multiple services, and almost 70% don’t change their passwords at regular intervals. And once a password and its associated email address have been hacked, hackers can easily access other accounts if they have the same credentials. The reasons for easy and same passwords are lack of motivation and willingness to remember hard and complex passwords. This is somehow understandable with “jd:9_L!(heP*BhI”. However, in this day and age and the multitude of hacked accounts, comfort should no longer be an excuse to protect one’s precious personal data with “Passw0rd1!”. Because the reality is frightening: in 2020 alone, 172 data leaks involving around 2 billion identities were published on the Internet.
Ignorance does not protect, even on the Internet
Strong passwords are important and you should choose a unique and complex password for every application from now on. But what if one or more of your passwords have already been compromised? Will users be notified when their accounts have been hacked? The short answer is yes, they should. Often users are notified via a notice on the landing page, or a newsletter, a press release is sent to all users. But who among us reads press releases. Who of us ever signs up via the landing page of the email provider in times of mailing apps and Outlook. A message like that can quickly get lost in the flood of information we ingest every day.
Become active yourself with the Identity Leak Checker
With Identity Leak Prüfer, the Hasso Plattner Institute’s online security checker, it is quick and easy to find out whether you yourself have been the victim of data theft. All the user has to do is enter his or her e-mail address and can check whether personal information is circulating freely on the Internet and can therefore be misused by unauthorized persons. This ability to check one’s e-mail address against more than 12 billion stolen identities is not possible in every country. So the first thing to do is to regularly check whether accesses have already been compromised. And not just privately. Hackers don’t stop at business access either. Therefore, employees should check not only private accesses but also business email addresses with the Identity-Leak checker.
Under this link you will find the Identity Leak Checker and you can directly find out if and which of your personal data has already been compromised:
“Attention: Your email address appears in at least one stolen and unlawfully published identity database”.
What does this even mean? Many hackers sell the stolen data on the darknet, hackers make billions in profits from it every year. The Internet black market is organized internationally and has been considered more lucrative than drug trafficking for some time. If, in addition, bank data is stolen, the criminals can even go shopping online in the name of the victims.
That’s why you should change your password first!
First step: password change
Both in private and business context. In a business context, this step is not only strongly advised, but the German Federal Office for Information Security states, “A password MUST be changed if it has become known to unauthorized persons or if there is a suspicion that it has. Passwords MUST be kept secret.”
In doing so, the new password should follow some guidelines:
- only one unique password should be used per account
- the more complex and longer the password is, the better
- the password should not contain words from a dictionary or key sequences
- the password should be strengthened by numbers and special characters
- the password should be updated by regular change intervals
Quite a lot of requirements for your new password, isn’t it?
Using a password manager for more security and convenience
Especially in a business context, this can be remedied quickly. With an average of over 16 accesses in use per employee, password policies can quickly become overwhelming and cause employees to fear forgetting their newly created and complex password. A password manager like Password Safe can combine security and convenience. The integrated password generator creates secure, unique and complex passwords at the touch of a button. Fortunately, employees don’t have to remember these passwords; the software does that for them. Only one master password is required to log in to the system, and the software automatically recognizes all other access data and inserts them into the login mask. The combination of Password Safe web access and the app means that users can log in easily from anywhere, including from the home office or on a business trip.
This means there are no more excuses here for not being able to remember “jd:9_L!(heP*BhI”. With Password Safe you only need to remember one secure and complex password. If you are having trouble creating the master password, read our blog post: 5 Tips for a Secure Master Password, in it we give tips and tricks on how to easily remember hard passwords: