Hopefully you have now got yourself a password manager now, and you have stopped reusing the same password on multiple services. If so, that’s fantastic! If not, have a look at last weeks post if you are not convinced. Perhaps I even convinced you to use long randomly generated passwords, or at least just a long password like “correct horse battery staple”, rather than short complex passwords. If you’ve got that far, you’ve taken a big step in keeping your online accounts secure. Your long passwords are significantly less likely to be cracked, and if they do somehow get out, the damage should be limited in scope.

Significantly less likely is, still, far from impossible. A poorly configured login system could leak your plain-text password. You could be fooled into giving away your password in a phishing attack. What if your new password manager was not a good choice, and your plain-text passwords are leaked? You don’t want that to be game over, and it doesn’t have to be.

Plain-text referrers to unencrypted data. Passwords should never be stored in this form, as anyone could read them.

How do you know if your password has been leaked?

There are many ways you can find out if your password has potentially been leaked. Sadly none of them, and even all of the combined are perfect. However it is very useful, even with long secure passwords, to pay attention to these methods and to change passwords that you believe may have been involved in a security breach. To be clear, just because your details have been involved in a breach, this does not mean that your password is known. Your secure passwords, if stored correctly by the service you used them with, should be for all intents and purposes impossible to crack. However you should still change them to minimise the risk. All it takes is for your plain text password to have been stored, or even stored using weak encryption and all your hard work could be undone in moments.

The primary way we will find out if our accounts are involved in a breach is that we should be notified by the service. Diligent services will let their users know and inform them that they should change their password as soon as possible as well as anywhere else they use it, which at this point is hopefully nowhere! These notifications are in many places around the world a legal requirement now, but there are obvious gaps. What if the service doesn’t know they have been breached, or tries to cover it up? It can in some cases take companies years to realise that an breach happened.

There is a great service online from a household name in the IT security space, Troy Hunt, called Have I Been Pwned?. Using this service you can check your e-mail addresses, or usernames, against a massive database of breaches, and be alerted if your details were found in any of them. Most of the breaches are easily associated with a service, however there are some where it is less obvious. If your details were found that is your signal to change the password on that account, and anywhere else you may have used it. You can set up e-mail notifications as well so that you don’t need to continuously check the service. You can also check if your password has been seen in a breach before also, I tried a very insecure password that I used to use nearly everywhere, and it has been seen 7 times before! My e-mail address was also found in 21 data breaches over the years. I’d wager that it is almost inevitable that your details will turn up in these lists at some point. It’s a great indicator to get the passwords changed and certainly nothing to be ashamed of. There is also no reason to change your e-mail address or usernames as a result of being included on these lists, just make sure to change the passwords.

You may have noticed there is a big gap here, What if HIBP does not know of a breach. Perhaps a service you use has been breached and even they don’t know themselves, or they have chosen to try and cover it up. How can we protect ourselves against this?

Multi-Factor Authentication

It is very likely that you have used a form of Multi-Factor Authentication (MFA) before. Some services will require a code sent to your e-mail address or by SMS to your phone if you try and log in from a new location. This is absolutely better than nothing, and is a very big improvement over just the single factor of your password. However these methods are not completely secure. SMS services are not particularly secure and an attacker may be able to convince your phone company to switch your SIM to theirs in a targeted attack or the phone companies computer systems could be breached giving attackers control. This might sound far-fetched, but there have been data breaches at large companies that involved exactly this kind of attack. Codes sent to your e-mail also have many issues. If your e-mail account is breached then an attacker will not just have access to these codes sent by other services, but e-mail is also used as a method to reset passwords. An attacker in this position will be able to easily reset your passwords and maintain access to the verification codes. It also presents a “Chicken and Egg” problem with securing access to your e-mail itself.

Outside of these two methods one of the most accessible and common methods is known as the Time Based One Time Password, or TOTP. Typically you will have an app on your smart phone that produces 6 digit codes that you will need alongside your password. What makes these 6 digit codes more secure is that they are only valid for a short period of time. So with this form of MFA you have to provide two pieces of information to the service you are authenticating with, a hopefully now unique and long password alongside a short but rapidly changing code. Once this is set up, an attacker who has obtained your password no longer has enough information to compromise your accounts. They will now need to obtain either one of those codes from you, and use it quickly, or a copy of the much longer key used to generate them. That key is the QR code a service will have shared with you when setting up this MFA method.

Setting up this form of MFA is usually fairly easy. It does differ slightly from one service to the next, but the basic principles are fairly universal. You will need an app or service that can store the keys and generate the code for you. Many password managers can also handle this for you. My choice of password manager, Bitwarden, can in its paid premium tier. There are many other dedicated apps both for your desktop and smart phone that work for this purpose. Common ones include Google Authenticator and Microsoft Authenticator. I use Authy from Twilio as at the time it was the only app I could find could store backups of my codes in case I lost access to my phone. Once you have got an app ready, you need to set up MFA on the services you use. In an ideal world you would set it up everywhere, but you should definitely set it up on sensitive critical services like your e-mail and password manager as a minimum, the more the better. The set up process is typically simple, you will scan a QR code with your app which will begin to generate codes for you. The service will want to verify it has been completed correctly and ask you to enter a code to verify. It is that easy. Many services wont ask you for your code every time you log in, if they recognise your device or location, and you can often tick a box to remember your device for perhaps 30 days. This reduces how cumbersome the practice is for you, while still protecting your account from unknown attackers across the internet.

What if you lose access to your one time passwords? You don’t want to be locked out of your accounts permanently if your phone breaks or is lost. Every service will have slightly different recovery methods, and you can backup codes yourself too. Many services will issue you with backup codes, these typically don’t expire and can be used in place of your normal codes and only work once. These will allow you to get into your account and add a new authenticator method. This does present a problem of how to store these securely. You could write these down and hide them at home, you won’t need access to them often but don’t forget about them completely! You could store them within your password manager, but this is clearly a compromise, and don’t leave your backup codes for your password manager inside it, as you may not be able to access them when you need to! Each service will be subtly different, which is why I take this problem into my own hands. Using an app called Authy, which I have installed on my Android phone as well as on my PC, the codes are backed up online much like many password managers. If I lose my phone I can log back into my Authy account and download the backups. You could also install an authenticator app on a second phone that you keep at home, just scan the QR code with both devices when setting up.

Complete Security?

If you have updated your passwords, and configured MFA on your most sensitive accounts you have now dramatically increased the security around your online accounts. Nothing is ever 100%, but these methods will rule out a simple password breach from compromising your accounts where MFA is enabled, and strong passwords will in most scenarios protect those less important services where MFA is not configured or perhaps not available. Attacks against you will likely have to be targeted at you specifically. These types of attacks can, and do, happen. You still need to remain vigilant against phishing attacks for example. Most criminals however are looking for easy targets or particularly lucrative ones, and you are certainly no longer an easy target.

Further Reading

How Hackers Crack Passwords

How TOTP Authenticator Apps Work

5 Ways to Detect a Phishing E-Mail