Passwords are essential to maintaining our online security, but they’re also one of the most tedious things.
In real life, if someone is offering for sale thousands of usernames and passwords for a service, this is not a good sign. But changing the password is not enough. In recent months, regular reports of personal data and passwords being leaked and sold in large quantities. In many cases, the headline is already a warning to change your password quickly, which is never out of date, but in today’s world, it is only sufficient protection. Why is explained below?
On the dark web (a Tor-protected network), not only is the prospective buyer of the stolen account data anonymous, but so is the seller, and so is the digital currency used in the transaction. Let’s assume that the seller is not going for easy money with a scam but has obtained the accounts by hacking the service. This is an essential point because it makes sense that he did not start the hack by finding an email address and brute force the password. More normal services will filter this out after a few attempts, log the login location, and even notify the user. Anyone trying to sign in to Facebook or, for example, their Google account from a new device will get a notification immediately. It’s easy to see that the chances of accounts being hacked directly are low.
Slightly more than that, the service was hacked, and users’ data was accessed after a security flaw was discovered. As soon as this is discovered, the company concerned will take immediate action and, once the repair is complete, will notify users of the need to change their password. Unfortunately, years can go by without this being discovered, so we can only hope that the services are secure and that our passwords are encrypted on the servers. The login procedure may be secure, but that alone does not prevent our data from being stolen. It does prevent them from being logged in more than once. But there is no advanced authentication everywhere. In addition to IP addresses and location information, occasional credit card numbers, security questions and answers, and messages and highly personal data can be exposed when one of the favorite targets, peer-to-peer searchers, is hacked.
On haveibeenpwned.com, the now-defunct MySpace tops the list with nearly 360 million users, followed by LinkedIn and Adobe. You can enter your email address on the site to find out if you may be involved in data theft. Note that the site only shows results in available, searchable databases. When new incidents occur, if we are involved, it will also send us a warning – but it may be years after the theft.
We have to repeat that you should not use the same password anywhere. The reason is that attackers will use the information you have posted online to try to log into other services. Two independent words of sufficient length can be combined with a number in between to form relatively strong passwords that are easy to remember. A password safe protected by a strong master password is also helpful. Those willing to pay for convenience can use the Password Boss included with this issue, but the popular LastPass is free for a mobile device. By combining Keepass with online storage space, you can create a secure password safe that works on many devices.
But that’s not all: our passwords can also be obtained and targeted. They can use a hidden camera or keylogger to find out your password. The latter can even be targeted to your computer (mobile phone) as an email attachment, like a virus program, using a thumb drive. Caution and anti-virus, anti-spyware, and rootkit scanners can help against these. They can also obtain the password in less targeted ways, such as a phishing site. These can be revealed by clicking on a link in a fraudulent email or through a warning window when you browse. The original and fraudulent login pages look almost identical in the browser. After entering the data, the browser usually returns to the authentic page, letting you in a second time. If you ignore the browser’s address bar and the website’s full address, you might not realize you’re being scammed. The best defense against this is to avoid opening a web page from an incoming email that asks for your login details. Or if we don’t click on it. Prudence is best then!
Passwords are the keys to our online security, and there are many reasons why someone would want to obtain your passwords or usernames. One of the most common is stealing your identity and using it to make money from you. Still, they could also be wanting to send spam or malware on your behalf, phishing for information on you or your company, or gathering information for a targeted attack. Be prepared; protect yourself against hackers and criminals using the suggestions above.