
Peter Vogel

Data breaches make password checking vital

Voices Feb. 20, 2019

It is almost impossible not to have your email address show up in the large data breaches that have taken place, says Peter Vogel. (Pexels)

Over the past few years, on more than one occasion, I urged colleagues to check their various online accounts against the highly respected service haveIbeenpwned.com. Basically, Troy Hunt, the operator of that site, scours unsavory places on the Internet where hackers buy and sell stolen accounts. A match on Hunt’s site is a good indicator that a user name and/or password should be changed.

In fact, before you read any further, I suggest you launch the haveIbeenpwned.com site and test it with every email address you use. I do this regularly. It is pretty much impossible to avoid having email addresses being part of one or another of numerous big-scale attacks.

My oldest email account, in use since 1992, showed up in eight data breaches in the most recent test I ran. Among them are the big LinkedIn, Dropbox, and Adobe site compromises, numbering in the tens of millions of users.

That account of mine is also part of the January 2019 Collection #1 dump of some 2.7 billion records, including almost 800 million unique email addresses and passwords. With almost three decades of use it is pretty difficult for an email address to not be part of this massive trove of data.

Recently Google took Hunt’s concept a step further and incorporated this sort of stolen data into a real-time password checker for its Chrome interface.

Example of a Password Checkup warning when compromised login credentials are used.

Probably a good move for the world’s most widely used browser.

Essentially the tool goes into action whenever Chrome detects a user login in progress. When a login includes a user name and password that Google recognizes as having been compromised, an on-screen warning appears that suggests the password be changed immediately.

I urge anyone who uses Chrome as their default browser to incorporate this new tool. It is a Chrome extension that must be manually installed on your personal computer. I would anticipate it will be deployed and pushed to desktops in corporate environments very quickly, especially those using the GSuite system as opposed to the Windows-Office environment. 

You might think that this sort of tool could just be harvesting your passwords and hence be skeptical of using it. That isn’t the case. The algorithm being used is very clever and user passwords never actually leave the person’s computer in raw, plain text form.
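As an added illustration that is not from the column or from Google's own code, the Python below shows the hash-prefix (k-anonymity) approach Troy Hunt's Pwned Passwords API uses for this kind of check: the password is hashed locally, only the first five hex characters of the hash leave the machine, and the final comparison happens on the client. Google's Password Checkup uses a related but more elaborate blinded design; the breach corpus, counts and helper names here are constructed for the demo.

```python
import hashlib

# Constructed sample "breach corpus" with occurrence counts. The plaintexts
# exist only to build the demo index; a real service stores just the hashes.
LEAKED_PASSWORDS = {
    "password": 3730471,
    "123456": 23547453,
    "qwerty": 3912816,
    "letmein": 243748,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password (the digest format Pwned Passwords uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: dict) -> dict:
    """Server side: bucket every hash by its 5-char prefix -> {suffix: count}."""
    index: dict = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


SERVER_INDEX = build_index(LEAKED_PASSWORDS)


def server_range_query(prefix: str) -> dict:
    """What the service sees: only a 5-char prefix. It answers with every
    suffix in that bucket, so it cannot tell which one the client holds."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 upper-case hex characters")
    return dict(SERVER_INDEX.get(prefix, {}))


def check_password(password: str, query=server_range_query) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes
    locally. Returns the breach count (0 means not found in the corpus)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return query(prefix).get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "letmein", "a-long-unique-passphrase-1992"):
        print(f"{candidate!r}: seen {check_password(candidate)} times")
```

The `query` parameter stands in for the network call, so the same client logic can be pointed at a real range endpoint or, as in the test, at a spy that records exactly what was transmitted.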

The latest trove of user names and passwords being traded by hackers numbers in the 1 billion range. The best current thinking on the matter is to not use passwords that are being traded in the wild. Google’s tool matches the user login credentials to a database that presently has in excess of 4 billion entries.

If you wish to deploy this Chrome extension, named Password Checkup, you do so through the Google Play Store. Once installed, it will sit silently and will only appear if it detects you using a user name and/or password that is being traded and it will suggest that you change one or both, most commonly the latter.

I have already had it triggered for one of my accounts. The actual announcement appeared about 10 seconds after I had logged into the site in question. Password Checkup can’t handle changing the problematic password; you will have to do that yourself. But at least you will end up with an account that is more secure.

Some password managers, such as 1Password, will also monitor logins and inform users when account credentials are known to have been compromised.

In summary then, (1) run a check on all your accounts with haveIbeenpwned.com, (2) if Chrome is your primary browser, add the Password Checkup extension, and (3) if you log on to more than, say, half a dozen accounts, get and make use of an account and password manager, and don’t reuse passwords or use the same password across multiple accounts.

Follow me on Facebook (facebook.com/PeterVogelCA), on Twitter (@PeterVogel), or on Instagram (@plvogel)
