Passwords & Data Breaches

Some friends who turn to me for information security advice recently asked my thoughts on the data dump announced earlier this morning. I have not updated my blog in years, which I feel terrible about, so I hope to change that starting with this post.

I would like to thank Melanie for calling my attention to this article. It was certainly better than what I read this morning and contained some additional details.

Before you read more, I want to let you know that this post contains some satire and humor. My students love it when I do this, so I am getting on my soap box. If you know the comedian Lewis Black, imagine him giving this lecture. I draw my inspiration from him.

Based on multiple reporting sources, it seems that this data could be a mix of old data breaches and ones yet to be reported. Reports are stating that the data is roughly 2-3 years old. Problem is, it is not clear where the data comes from, and it contains usernames and DECRYPTED (read: plain text, so anyone can read them) passwords. As a side note, this means that the sites this data came from were probably not storing your password in an encrypted form, or if they were, they were doing it wrong. Yes, there is a right way to do it and it involves salt, yes, salt, but not table salt. That is a different post though.

Therefore, since we do not know where it came from (at least people are not saying yet, but I suspect researchers are working on it), it is hard to determine whether this data is from old breaches or not.

Sad thing is, there is much more to come. The seller is offering this database to anyone willing to shell out $45. You can bet your ass hackers are going to buy it. It is only $45…for lifetime updates…not kidding…this guy is better than your antivirus company, right? $45 is cheap when the payout could be huge…more on that in a bit. The really bad thing, though: he has slightly less than a terabyte (read: metric butt ton) of plain text dumps to come. Do I believe it? A little, but he has released one “collection” thus far that seems legit. I highly recommend reading the Krebs On Security article (aside: please pay careful attention to the nice graphic about why your computer and accounts are valuable), as it contains additional details on how this data can be used against you and why people would want it.

The Payout

What is one of your most valuable passwords? Think about it. I will wait……. Your email password. Why? Well, how do you reset your password for all the other sites you use that are associated with that email address? Are you catching what I am throwing down? I hope so. Hackers know where the password dumps come from. If they get your email, they can reset your password on other sites without you noticing (if they are good). If you haven’t changed your email password in a while, go do it NOW! I will wait. Go on, do it! All your friends are (at least I am pretending they are). Hackers will leverage every bit of information they can find about you and use it against you. Go Google yourself; it’s not egotistical, it makes sense. I want to know what information is out there about me and how it can be used against me. I check at least monthly. Heck, you can even set up Google Alerts to notify you when something new about you is discovered by their search engine.

What the heck can I do?

First off, I would head over to Have I Been Pwned (HIBP) to see if your email address was ever part of a breach. Now, the fun part. Do you want to know if your password was ever part of a breach? Same site, but go here. I am probably going to catch hell for even suggesting that you enter your password to see if it was part of a breach. I am paranoid (if you haven’t figured that out yet), but the site protects your password using something called k-Anonymity. The article explains it. The site only ever receives the first 5 characters of your hashed password. It sends back every known leaked hash that starts with those characters, and your browser does the comparison. This means the server never receives your password in the clear: it is sent a partial hash, it returns the query results, and your client does the matching. Yeah, it is technical, but it makes sense. The HIBP site never gets your password. Ok, so anyway, moving on. What the hell do I do, George? Some hackers are hell bent on getting my cash and identity and you are talking about hashes and salt. I mean, what the hell? First, calm down. Below are a few things I want you to do:

  1. Change your email password right now. If you did it earlier in this article, then skip this one. Make your password something completely DIFFERENT and complex. Promise me you will not reuse it…ever. On any system. Including work systems (your CISO will love you for this…I promise).
  2. Enable multifactor authentication (MFA) anywhere you can. I do not like the MFA solutions that text you a code, as that has been deprecated by NIST. It is better than nothing though. Head over to https://twofactorauth.org/ to see if any of the sites you use (read: BANKS!, MEDICAL!) support this and how the heck you go about enabling it for each service. This will take some time, but do it. Hell, even our precious Facebook offers MFA. MFA can be annoying at times, I will admit. However, what is really annoying is filing a police report and calling all your banks when your money is gone from your account. Just saying.
  3. Get a password manager and use it. Use a STRONG password to secure your password vault, otherwise it is useless. As a side note, my passwords for systems that I use daily, such as work, are sentences with proper punctuation, capitalization, and numbers. Mine are around 25 characters in length. The sentence is meaningful to me, but I have never uttered it aloud to anyone and no one could ever guess it. Ok, back to password managers: password managers allow you to create a unique, complex password for every site you use and secure it in an encrypted database. The following is NOT a paid endorsement for LastPass. I cannot say enough good things about LastPass. Free or paid. Get it. The paid version offers you a bunch more features. If you have a family, get the family version. The family version allows others in your household to have their own account, and you can share passwords securely. The cool part: you can share passwords without the other person ever knowing what they are. So, share your Netflix password with the kids without them knowing what the heck it is. LastPass is amazing and has changed my life. A long time ago now, I was guilty of password reuse, using something easy for me to remember, or just doing password resets all the time and really driving myself insane. I use LastPass for passwords and secure notes. Everything is encrypted and shared securely across multiple devices. If you ever forget your master password, you are SOL. LastPass cannot recover it. Oh, and by the way, they have MFA. You bet your butt MFA is turned on for my account.
  4. Go check your passwords on the site above. Do it. Change your passwords immediately on all sites where you reuse that password and stop reusing it. STOP IT. Get the password manager thing figured out and use it. Yes, Melanie, I promised a demo a few weeks ago. I will do that as soon as I can. PS: your friendly CISO will like you more when you don’t reuse passwords. True story.
  5. Start changing passwords on high value accounts first: email, banking, medical, cloud storage, etc. It is your data! Help protect it!
  6. Use a separate email account and password for your high value accounts, such as banking, and DO NOT use it for anything else. You do know what separate means, right?
  7. Get a junk email account to use for sites requiring you to sign up to do something that you will only do once. What’s up with sites like that anyway? If you are sure you only need to provide an email address to get a piece of information (evil marketing departments do this), use a disposable email address, such as https://10minutemail.com/10MinuteMail/. Guess what? The email account lasts 10 minutes. Enough time to confirm your email account and get whatever shiny thing the website promised you. You can extend the time by clicking a button on the website. Once the 10 minutes are up, the account is gone and can never be used again. Poof!
  8. Enable MFA. I said it once, but it is worth repeating. DO IT! Do it now!
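For the curious, here is what the k-Anonymity check behind the HIBP password lookup (item 4 above) actually does on your side, as an added Python example that is not HIBP's own code. It hashes the password with SHA-1, sends only the 5-character prefix, and matches the returned suffixes locally; the network call is replaced by a constructed sample response so it runs offline, and every count in that sample is made up.

```python
from __future__ import annotations
import hashlib

# Constructed stand-in for the Pwned Passwords range endpoint
# (GET https://api.pwnedpasswords.com/range/<first 5 hex chars of the SHA-1>).
# The real service returns one "SUFFIX:COUNT" line per leaked hash sharing
# that prefix. Every count below is made up for illustration.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "ABCDEFABCDEFABCDEFABCDEFABCDEF12345:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # SHA-1("password") minus its prefix
        "012345678901234567890123456789ABCDE:17",
    ]),
}


def hash_password(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords corpus is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple[str, str]:
    """5-char prefix that leaves your machine, 35-char suffix that never does."""
    return full_hash[:5], full_hash[5:]


def fetch_range(prefix: str) -> str:
    """Simulated network call: the server only ever sees `prefix`."""
    assert len(prefix) == 5, "k-Anonymity here means sending exactly 5 hex characters"
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def parse_range(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank lines."""
    matches = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, count = line.split(":", 1)
            matches[suffix.upper()] = int(count)
    return matches


def pwned_count(password: str) -> int:
    """Times the password appears in the (sample) corpus; 0 means not found."""
    prefix, suffix = split_hash(hash_password(password))
    # The matching happens here, on the client, against the full 35-char suffix.
    return parse_range(fetch_range(prefix)).get(suffix, 0)
```

Calling `pwned_count("password")` returns the sample count, while a passphrase whose hash prefix is not in the sample gets an empty response and returns 0; against the real service you would swap `fetch_range` for an HTTP GET of the same 5-character prefix.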

Okay. I think I covered enough here. If I think of more stuff to do, I will update this. Now I have to go grade papers. Guess what? This post is about as long as most grad school weekly assignments I grade. <COUGH> looking at you, grads </COUGH> no complaining.

I had fun writing in this style and will try it out some more with future posts.
