Note: Since this post was written in 2018, things have evolved. Passphrases are now recommended over traditional passwords.
You can also check how strong a password is at a site such as Security.org (type in a password of the same length and shape as yours rather than one you actually use; a password pasted into someone else's web form should be treated as exposed).
You can generate a secure passphrase using Keeper’s free tool: Passphrase Generator. I find that even after removing a couple of words from their super-long password I get a passphrase that would take a million years to crack.


If you have no information stored anywhere that you are at all concerned about other people accessing, you can stop reading right now and go about your business.

Still here? Then like me, you have personal or professional information that you’d like to be confidential. Bank information, credit cards, etc., can make your life miserable if the wrong people get ahold of them.

A new wave of spam emails has been going around that has recipients understandably concerned. They look something like this:
From: You@yourdomain.com
To: you@yourdomain.com
Subject: you@yourdomain.com has password mikey67
You entered a password on one of the insecure sites you visited, and I hacked it. Your password from you@yourdomain.com was mikey67

The sender goes on to describe what he has supposedly seen through your webcam and the photos he has taken, and offers not to send them to all your contacts if you pay some arbitrary amount in Bitcoin. The most unsettling part of this scam is that the password he quotes is, or closely resembles, a valid password you used sometime in the past (and may still be using today).

So who is this person and how did he get your password? And did he hack your email account to send you mail from yourself?

Back away from the window ledge, close the liquor cabinet and take a deep breath. He didn't hack your email to send this. The From: address on an email is just a header the sender fills in; putting your own address there takes no access to your account at all, and it is a routine trick in spam. Domain owners can publish SPF, DKIM and DMARC records so that receiving mail servers reject such forgeries, but there is nothing you as the recipient can do to stop someone from sending mail that claims to be from you. It's also unlikely that he hacked your computer, looked through your webcam, or did any of the other things he said; the password is the only real thing in the message, and it came from somewhere else entirely.

So what’s the real story here?

It seems every other day we see a story on the Internet about a data breach at some national chain or financial institution. What doesn’t make the news is when there is a breach at some small business website or maybe a site that doesn’t carry a lot of valuable data. But how many of us use the same password on all of these websites?

Many sites, large and small, have been breached, and where the passwords were stored in plaintext or with weak hashing they have been cracked. These records of user names, email addresses and passwords are then compiled into databases (often called combo lists) and sold or just distributed publicly. The same lists are used for credential stuffing, that is, trying each leaked email and password pair on other popular sites, which is why reusing a password is the real danger. What this fine example of a human being most likely did was set up an automated system to go through these databases and send an email to each address in there, quoting the password he found next to it.

Has your information been compromised? Is some password you may still use out there on a public database?

Here’s one thing you can do to see: go to https://haveibeenpwned.com, a website that will let you search known databases derived from data breaches and tell you if your email address appears in any of them. You can also go to their Pwned Passwords page and enter a password to see whether it shows up in breached data. That page is designed so the full password never leaves your browser: only the first five characters of its SHA-1 hash are sent to the server, and the rest of the comparison happens locally. Of course, it won’t tell you which account goes with which password, so if you have a simple password it may show up in many people’s accounts. For instance, no one would use the word “password” for a website password, right? Actually, “password” turns up 3,533,661 times in the breached data.
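The check described above, as an added example in Python (my code, not anything from Have I Been Pwned): it implements the k-anonymity range lookup that the Pwned Passwords page performs, so the full password is hashed locally and only a 5-character hash prefix would ever go to the server. The response text embedded below is a constructed stand-in for what the range endpoint returns for the prefix 5BAA6; every entry in it except the one for "password" is invented, and those counts are made up. The `live_fetch` helper is assumed to work against the documented `https://api.pwnedpasswords.com/range/` endpoint and needs network access; everything else runs offline against the embedded sample.

```python
from __future__ import annotations

import hashlib
from typing import Callable

# Constructed stand-in for the text the Pwned Passwords range endpoint returns
# for the prefix "5BAA6" (the first five hex characters of SHA-1("password")).
# The real body has one "SUFFIX:COUNT" line per hash sharing that prefix.
# Only the "1E4C..." line is real; the other suffixes and counts are invented.
# Count-0 padding entries are what the API adds when you send "Add-Padding: true".
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
012C192B2F16F82EA0EB9EF18D9D539B0DD:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3533661
7A1F4B3C2D1E0F9A8B7C6D5E4F3A2B1C0D9:0
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): the first 5 hex chars of SHA-1(password), which is
    all that is sent to the server, and the remaining 35 that are only compared
    locally. SHA-1 is used because that is what the service indexes on."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerant of blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in breach data (0 = not seen).
    Padding entries carry a count of 0, so they naturally read as 'not pwned'."""
    prefix, suffix = split_sha1(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP call; serves only the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real lookup against https://api.pwnedpasswords.com/range/<prefix> (needs network).
    Add-Padding asks the service to pad the response so its size reveals nothing."""
    import urllib.request
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true",
                                               "User-Agent": "pwned-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Swap offline_fetch for live_fetch to query the real service.
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, offline_fetch)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the sample data")
```

The point of the split is that a prefix of five hex characters matches hundreds of hashes, so the server learns almost nothing about which password you asked about; a checker that posts the whole password (or its whole hash) to a web form gives that protection away.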

What should you do if your password has been compromised or to prevent compromise in the future?

First, make a plan. Use a secure password manager of some sort to store usernames and a unique password for each site you visit. Some password managers are just organizers that securely store login information. Others integrate with your web browser to fill in online logins for you. If you need help finding one, start here. Where a site offers two-factor authentication, turn it on as well; a leaked password on its own is then not enough to log in.

Next, make a list of all the sites you know you’ve created accounts on. Go to each site, change your password to a unique random one, and save it in your password manager. If you need help coming up with unique passwords, try a password generator like the one at Norton Password Generator. (As mentioned above, a passphrase is recommended: Passphrase Generator. Either way, let the tool generate it; a password you make up yourself is almost always more guessable than it looks.)

I realize that none of us can remember all the websites we have ever created an account on, but chances are you can remember the ones that have credit cards or other sensitive information. It’s probably worth the time and trouble to go through old emails looking for sites you may have forgotten.

Finally, establish a date (your birthday, a holiday, etc.) that you will use to regularly change the passwords on at least your most critical websites. One caveat: once every site has its own random password, scheduled rotation buys much less than it used to, and current guidance (NIST SP 800-63B) favours changing a password when there is evidence it was exposed. What matters more is changing the password promptly for any site that announces a breach or that turns up in a Have I Been Pwned notification.
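The "unique random password or passphrase for every site" step of the plan above, as an added example in Python (my code, not Keeper's or Norton's generator): it draws words with the operating system's cryptographic random source, reports how many bits of entropy the choice carries, and turns that into a rough cracking time. The 16-word list is a constructed sample so the example runs offline; the 7,776-word figure used for comparison is the size of the EFF long word list, and the 10^12 guesses per second rate is an assumed offline cracking speed against a fast hash, not a measurement.

```python
import math
import secrets
import string

# Constructed 16-word sample list so the example runs offline. A real generator
# should use a large published list (the EFF long list has 7,776 words).
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nimbus", "orchid", "pebble"]
EFF_LONG_LIST_SIZE = 7776

# Character pool for sites that insist on a "complex" password instead of a passphrase.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` elements drawn uniformly and independently from a
    pool of `pool_size`: each element contributes log2(pool_size) bits."""
    return length * math.log2(pool_size)


def passphrase(word_count: int = 6, words: list = WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase. secrets.choice uses the OS CSPRNG;
    random.choice is predictably seeded and must not be used for secrets."""
    return sep.join(secrets.choice(words) for _ in range(word_count))


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Random character password for sites with length or symbol rules."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected years to reach the right guess (on average half the keyspace)
    at a given offline guessing rate."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    GPU_RATE = 1e12  # assumed offline cracking rate against a fast, unsalted hash
    for pool, n, label in ((len(WORDS), 6, "6 words from the 16-word sample list"),
                           (EFF_LONG_LIST_SIZE, 6, "6 words from the EFF long list"),
                           (len(SYMBOLS), 20, "20 random characters")):
        bits = entropy_bits(pool, n)
        print(f"{label}: {bits:.1f} bits, ~{years_to_crack(bits, GPU_RATE):.3g} years")
    print("sample passphrase:", passphrase())
    print("sample password:  ", random_password())
```

The strength comes from the size of the list and the number of words, not from how odd the words look: six words from a 16-word list is only 24 bits and falls in a fraction of a second, while six words from the 7,776-word list is about 77 bits. The same arithmetic is why a passphrase the user composes from familiar words is weaker than one the generator picks.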

Remember, you’re not paranoid if they really are out to get you. Sometimes the best defense is a good defense.