I like to sing the praises of Troy Hunt and his efforts to improve the world’s password security. I also take digital security very seriously, but I can understand why most people don’t. Even the keenest people can suffer from apathy from time to time.
‘I know it’s compromised’
What the hell was I thinking? It takes 30 seconds to change a password. Spotify was using an old password that, if you enter it into HIBP, shows:
Luckily someone was trying their luck while I happened to be listening to Spotify, and I was able to get it sorted in about 20 minutes. Spotify’s customer service was excellent: they got my e-mail changed back (the hijacker had changed it) and forced a password reset. The password is now a nice long random string of characters safely stored in LastPass.
What is Credential Stuffing?
Credential stuffing is a very popular method of account hijacking. Details are gathered from large data breaches; usually just e-mails and passwords, but occasionally other personal info too. The details are then entered into other websites to see what can be unlocked.
Since so many people use the same e-mail and password for everything, this can be an easy way to take over a large number of accounts. Fortunately Spotify wasn’t that critical, but if your password reuse extends to banks, PayPal and shopping sites, it could cost you a lot of money.
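The HIBP lookup mentioned above, as an added example that is not code from the original post: it checks a password against the real Pwned Passwords range API using k-anonymity, so only the first five characters of the SHA-1 hash leave your machine and the match is made locally. The offline sample response and its count are constructed for illustration; `fetch_range_live` does the real network call.

```python
import hashlib
import urllib.request
from typing import Callable

# Real HIBP Pwned Passwords range endpoint (documented at haveibeenpwned.com/API/v3).
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix sent to HIBP
    and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range_live(prefix: str) -> str:
    """Fetch the suffix list for a 5-hex-char prefix from HIBP (needs network)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return how many times the password appears in breach data (0 = not found).
    The response is a list of 'SUFFIX:COUNT' lines for every hash sharing the prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix:
            return int(count)
    return 0


# Constructed offline sample: a fake HIBP response for the prefix of "password".
# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8; the counts are made up.
_SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "0000123ABCDEF0123456789ABCDEF012345:2\r\n",
}


def fetch_range_sample(prefix: str) -> str:
    """Offline stand-in for fetch_range_live using the constructed sample above."""
    return _SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    print(pwned_count("password", fetch_range_sample))  # 3861493 in the sample
```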
How to Keep Passwords Safe
It’s simple, and not particularly time consuming. Like most things in life you can get 80% of the result for 20% of the effort, and 80% security is way more than most people have.
There are 3 simple steps you need to follow:
- Come up with 2 really strong passwords that you can remember, and don’t tell anyone what they are
- Use one for your e-mail account and one for a password manager (KeePass, 1Password, LastPass, Dashlane etc)
- Use your password manager to generate and store different passwords for every site/service you use
For bonus points, use 2 Factor Authentication (2FA) where available (either through a security key, app or text messages). That’s it. If any website you use ends up having a data breach, all your other accounts are safe. Some password managers even offer monitoring and alerts to warn you when this happens.