Data Breaches: How to Protect Your Passwords
“Your personal information was found in a data breach.” These words can be terrifying (they don’t need to be), they can be completely ignored (they shouldn’t be), or they can be very confusing (hopefully they won’t be by the time you finish reading this). Plenty of services these days will alert you about your email address turning up in a database of stolen data—from credit monitoring services like Credit Karma, to security awareness services like KnowBe4—but it’s important to understand what this means and what to do about it to protect yourself and your business.
Let’s start with some background. Even though major online services (social media, banks, hotels, etc.) put tons of effort into protecting their users’ data, the bigger they are (and the more sensitive the personal information they store), the harder hackers try to break in. When someone eventually finds a hole in the defenses and encounters unencrypted data, they download everything they can find, try to sell it to the highest bidder (usually on the “dark web”) and vanish, often leaving the breached company completely unaware that anything happened. Arguably the most damaging data from these breaches are email/password combinations, and these same hackers (or their buyers) will then try to use those credentials, not only to log in to the breached company’s site, but to countless other sites. They can do this at an immense scale using bots in a technique called “Credential Stuffing.” This problem has been growing for years, with almost 500 million records exposed in 2018.
After being thoroughly exploited (sometimes years after the breach), these credentials will turn up and get added to public-facing databases (with email addresses decoupled from passwords) where anyone can search for their email address to find out if it’s been found in a breach. The most popular site for this is haveibeenpwned.com, which contains data on over 8 million compromised accounts. It even lets you search for passwords to see if that very clever password you use on every single shopping website has been banging around the dark web for the past five years.
This all has obvious implications for your personal information—if there are hundreds of hackers out there logging into your accounts, collecting your secrets, stealing your identity, and maybe worse—it’s not great. But it has plenty of implications for your business as well. People very often use the same password for their work accounts that they use for personal ones. When someone’s Facebook password (the same one they use for their work email) gets passed around the dark web, things can go downhill fast.
So what can you do? A few things:
Search havibeenpwned.com to see if any of your email addresses have been part of a known breach (spoiler alert: they probably all have).
If you have the same password on multiple accounts, search for it, and if it’s been compromised, change it immediately on all accounts.
In general, never use the same password more than once. Even if it’s a great password, it can still get stolen in a breach and give hackers access to everything. How do you remember all those different passwords? You use a password manager like 1Password, LastPass, or Dashlane that will help you generate random, strong, unique passwords for each site, store them securely, and autofill them into websites and even mobile apps. Some of these, like LastPass, also offer business services that let you create accounts for all your employees and even securely share credentials, allowing different employees to log in to shared accounts without ever seeing the password.
Deploy Single Sign-On. This is even better than diversified passwords. See our previous post, Why You Need Single-Sign On for more on that. OneLogin, our preferred SSO provider, just today announced a new feature called Shield that checks your passwords against breach databases and your password history to prevent reuse.
Enable Multi-Factor Authentication for all services so that, even if someone does know your password, they have a much harder time getting in. See our recent post on MFA for more.
Use strong passwords. This doesn’t help much in a data breach, but it’s worth noting here. If you’re not letting a password manager generate random passwords for you, or if you need a memorable one to log into your password manager or Single Sign-On, length is the most important factor. Go for 12 characters or more and make sure it isn’t guessable. One technique is to string together a random set of words (e.g., “dogsoupfeather”). If your company password policy has complexity requirements (one capital, one number, etc.) and forces a reset every 6 months, scrap all of that and just set it to require 12 characters.
Share this information with all of your users (even contractors!). The more your people know about this, the better.
And of course, reach out to Kinetix for more guidance and help with credential management. Don’t wait for the next breach—it may have already happened.