When an account is part of a password breach, it means user login credentials were stolen in bulk without authorization. Generally, this is due to poor system configuration. It can also be the result of a phishing attack. Hackers sell the data, including your passwords, on the dark web or post the password entries online in plain text for anyone to use.
Unlike a data breach, there is no attack in a password leak. But the result of exposing users’ personal information is the same.
You should be concerned if your account was a part of a password leak and
- you have reused the same password across multiple websites or services
- any of your digital life and information has been stored online or in the cloud
- you have not set up two-factor or multi-factor authentication
How can a hacker get my password?
When a leak or password breach happens, the data is compiled into a list of account credentials. Cybercriminals use bots to attempt username and password combinations from these datasets to find out if any can log them into online accounts like email, social networks, or banking sites.
Suppose a criminal knows your email address. They can use the password spraying feature of their hacking software to try simple, unsafe passwords such as “12345” to find out whether any of them work with your email address. Bots often run these tests in the background, and if a match is found the hacker can use the details to take over your account. While this brute-force method of testing passwords is slow, it emphasizes the need to never reuse passwords across multiple online accounts.
Methods hackers and cyber thieves use to harvest passwords include
- Credential stuffing: Hackers use scripts to bombard a system with many combinations of exposed usernames and passwords until a match is found
- Phishing emails: An email containing a malicious link takes the target to a spoof website and convinces them to enter their credentials into a form the attackers control
- Keylogging: Keyloggers are specialized software or hardware installed on a computer or mobile device that secretly monitor keyboard activity, sending every keystroke to an attacker’s control server or email address
- Wi-Fi man-in-the-middle: Using simple, freely available applications, cybercriminals can monitor your devices while you are on public Wi-Fi to collect passwords and account data
- Local discovery: Written passwords and login credentials kept on post-its or other pieces of paper near computers or other devices are another way of inviting hackers in and giving them unfettered access to your online data
- Shoulder surfing: Someone can watch your computer activity, looking for credentials and passwords as you enter them.
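As an added example (not part of the original article), here is how the password spraying and credential stuffing described above look from the defender's side: a source that fails against many different accounts with only a few tries each is spraying, while many failures against one account is ordinary brute force, and a spray followed by a success from the same source is the account-takeover signal. The log format, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict

# Constructed sample of login records (not real data), one attempt per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02Z FAIL user=bob   src=203.0.113.7
2024-05-01T10:00:03Z FAIL user=carol src=203.0.113.7
2024-05-01T10:00:04Z FAIL user=dave  src=203.0.113.7
2024-05-01T10:00:05Z FAIL user=erin  src=203.0.113.7
2024-05-01T10:00:06Z FAIL user=frank src=203.0.113.7
2024-05-01T10:00:07Z OK   user=carol src=203.0.113.7
2024-05-01T10:01:00Z FAIL user=alice src=198.51.100.9
2024-05-01T10:01:01Z FAIL user=alice src=198.51.100.9
2024-05-01T10:01:02Z FAIL user=alice src=198.51.100.9
2024-05-01T10:01:03Z FAIL user=alice src=198.51.100.9
2024-05-01T10:01:04Z FAIL user=alice src=198.51.100.9
2024-05-01T10:02:00Z FAIL user=grace src=192.0.2.44
2024-05-01T10:02:30Z OK   user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"^\S+\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$")

def classify_sources(log: str, spray_users: int = 5, brute_attempts: int = 5) -> Dict[str, str]:
    """Label each source address as spraying, spraying+takeover, brute-force or normal.

    Thresholds are illustrative: spray_users distinct failed accounts from one
    source, or brute_attempts failures against a single account.
    """
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    successes = defaultdict(set)                   # src -> users that logged in after failing
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        src, user, result = m["src"], m["user"], m["result"]
        if result == "FAIL":
            fails[src][user] += 1
        elif user in fails[src]:
            successes[src].add(user)  # success from a source that already failed on this user
    verdicts = {}
    for src, per_user in fails.items():
        if len(per_user) >= spray_users:
            verdicts[src] = "spraying+takeover" if successes[src] else "spraying"
        elif max(per_user.values()) >= brute_attempts:
            verdicts[src] = "brute-force"
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{src:15} {verdict}")
```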
How can I find out if my password was leaked?
To see if your password was leaked in a breach, use a service like Have I Been Pwned. These services compile reports and alerts about data breaches, allowing users to check whether their data was included in a known leak. Users can also configure alerts to monitor news stories for future data breaches that might jeopardize their account security.
Pwned is leetspeak for owned, which means totally defeated or hacked.
Other leak checking tools include F-Secure’s Identity Theft Checker, which checks whether your email was captured in any data breach, and Avast’s Hack Check, which scans different databases of breached data and reports any red flags.
Security professionals also use Google Alerts to monitor and notify them and their teams of any new data breaches or password leak news stories as they happen.
Is the Have I Been Pwned website safe to use?
This service is a trusted and safe way to find out when your passwords have been leaked in a data breach. Troy Hunt, the website’s author, is a highly respected security researcher and cybersecurity expert.
The Have I Been Pwned website was created after the Adobe hack in 2013, in which more than 35 million accounts, including usernames and encrypted passwords, had been stolen. Because of this site, anyone can search for their email address across a growing list of hacked login credentials. The service only reports whether an address appears in its records and which data breach it was compromised in. Visitor email queries are never stored or recorded anywhere.
Data breaches categorized as sensitive do not get high visibility in public searches immediately. It is only possible to view the response to the breach after verifying your email address. Similarly, domain owners must provide evidence that they control or have authority over the domain in question before searching for breaches through the domain search feature.
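The password check that the sections above describe can be done without ever sending the password, or even its full hash, to the service. Have I Been Pwned's Pwned Passwords range endpoint (GET https://api.pwnedpasswords.com/range/<first five hex chars of the SHA-1>) answers with every matching 35-character suffix and its breach count, so the server learns only a five-character prefix. The following is an added example, not the article's or the service's own code: the client logic is real, but the network call is replaced by a stand-in fed from a small constructed corpus with made-up counts, so it runs offline. Swap in an HTTP fetch for `fetch_range` to query the live service.

```python
import hashlib
from typing import Callable

# Constructed sample corpus standing in for the server-side breach data:
# password -> number of times it appeared in leaks (counts are made up).
SAMPLE_LEAKED = {"password": 3_730_471, "123456": 23_597_311, "letmein": 236_000}

def sha1_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased as the Pwned Passwords API uses it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def fake_range_lookup(prefix: str) -> str:
    """Stand-in for the range endpoint, backed by SAMPLE_LEAKED.

    Like the real endpoint, it sees only the 5-character hash prefix and
    answers with one 'SUFFIX:COUNT' pair per line for every hash in the
    corpus that shares that prefix.
    """
    lines = []
    for pw, count in SAMPLE_LEAKED.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)

def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_range_lookup) -> int:
    """Return how often `password` appears in the breach corpus, or 0 if it does not.

    Only the first five hex characters of the SHA-1 leave this function;
    the full hash and the password itself are never sent anywhere.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix == suffix:
            return int(count)
    return 0

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate)
        verdict = f"seen {n:,} times in breaches" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```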
How can I make sure I have secure passwords?
To secure all of your passwords, use a password manager. Do not reuse a password across services, and do not use weak passwords that are easy to guess. Use two-factor authentication when available. Never share your passwords with anyone, even if it’s just to check your email or get access to one file. These steps will better protect your passwords from all types of password leaks.
Usernames and passwords are a legacy authentication method going back to the early days of computing. They were never very convenient. Most users choose weak passwords, and the reason for using a password at all is often misunderstood. Passwords will continue to be the main way to protect your data for some time while the information security industry tests other security paradigms for securing sensitive data and account details. At some point passwords will no longer be required, but until then the safest passwords are used only once and never shared.
That being said, a password manager can be necessary to keep track of so many long and complicated passwords. Most password vault or password manager apps take the hassle out of coming up with new strong passwords and keep track of them so they are ready when you need each one. Most of these tools automatically create a properly randomized string using multiple character sets, giving you a one-click copy-and-paste secure password when creating new accounts.
Which is the most trusted password manager?
Bitwarden is the most trusted password manager available according to many user reviews. This free and open-source password vault is user-friendly and makes password management simple and easy. It has all the features you would expect in a market-leading commercial password manager application. It can create, store, and fill in passwords on all of your devices.
Bitwarden has a free plan that includes two-factor authentication, syncing across multiple devices, secure card storage, and offline password storage.
If you subscribe to Bitwarden’s Individual Premium plan for $10 per year, you help support this project’s continued success. The Premium paid tier also includes 1GB of encrypted file storage, making it easy to share sensitive documents via links that can be set to expire.
Another option for password storage is KeePass, an offline password manager where users take control over how they handle their vault file. The user interface is nostalgic and a bit clunky. KeePassXC has a much more modern user experience, along with a cleaner security model and less reliance on third-party components.
In summary, using a password manager is crucial to avoid getting caught in the next password breach. Making sure your passwords are secure has never been more important.