Has your password been stolen?
on 08 Oct, 2019
If you are worried that your password has been stolen, I’ve got some bad news for you: it’s actually pretty hard to tell.
Sure, there are some sites that will tell you if your password has been released as the result of a data breach. The problem is that not all data breaches are publicized, and data breaches are not the only way that your password can become public knowledge. In this guide, I’ll explain why, and show you how to keep your password safe.
Spoiler alert: you probably already know how to do that. The basics are to always use a strong password, and you should also use a different password for every site.
Has your password been leaked?
Data breaches are in the news every week, and they seem to be getting worse. In January of this year, researcher Troy Hunt found a list in an unencrypted storage space in the MEGA cloud. The list was already being circulated in hacker forums, and it contained more than 700 million email addresses and more than 20 million passwords, which makes this breach the largest ever seen.
There are a few sites that you can use to find out if your account details have been leaked in this way. Have I Been Pwned is the most popular. Go to the site and enter your password. The system will search through its database of the 6 billion accounts that have been compromised to date, and tell you if your password was included in this data.
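The check described above can be done without ever sending the password itself to the lookup service. The Pwned Passwords service exposes a range API (https://api.pwnedpasswords.com/range/) that takes only the first five hex characters of the password's SHA-1 hash and returns every known hash suffix starting with that prefix, as SUFFIX:COUNT lines; the comparison then happens on your own machine. The code below is an added example, not code from the article or from Have I Been Pwned. The network fetcher is optional and injectable, so the run shown uses a constructed range response (the count is invented) and works offline.

```python
"""Check a password against the Pwned Passwords range API using k-anonymity.

Added example. Only the first five hex characters of the SHA-1 hash leave the
machine; the service returns all suffixes sharing that prefix and the match is
done locally, so the password is never sent anywhere.
"""
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password), upper-case."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict. Entries with count 0 are padding
    (the service adds them when asked to, so response size reveals nothing) and
    are dropped; malformed lines are ignored rather than trusted."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            n = int(count)
        except ValueError:
            continue
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_http(prefix: str) -> str:
    """Fetch the range for a 5-char hash prefix over HTTPS (not used by the offline demo)."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str] = fetch_range_http) -> int:
    """Number of times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed range response for prefix 5BAA6 (SHA-1 of "password" starts with it).
# The count is invented for the example; the zero-count line mimics padding.
CONSTRUCTED_RANGE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:0
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:12
"""


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP fetcher, returning the constructed fixture."""
    return CONSTRUCTED_RANGE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw, fake_fetch)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in constructed data'}")
```

Replace `fake_fetch` with `fetch_range_http` to query the live service; the same prefix-only exchange applies, and `Add-Padding` keeps the response size from hinting at which prefix was asked for.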
The site is kept up to date as each new breach happens, and so you can regularly check back in to see if (or when) your credentials are leaked.
So far, so good. Now you know whether your password is public knowledge, right? Wrong.
Has your password been stolen?
Using a service like Have I Been Pwned is a good start when it comes to finding out whether your password has been leaked. Unfortunately, that’s not the end of the story.
First, there is an incentive for companies not to report leaks. As a result, circumstantial evidence suggests that there are many leaks that are not public knowledge. If your password was released in that kind of hack, you’re not going to know about it.
Second, large-scale data breaches are not the only way that your password can be stolen. Most of the common types of cyberattack, for instance, are designed specifically to steal your password or other personal details. A targeted attack like this can result in a hacker stealing your password directly, and often without your knowledge.
Typically, attacks like this will occur in one of three ways. The first is a targeted phishing attack, where a hacker will divert you to a fake site and ask you to enter your password. The second is a malware infection, in which an email attachment or infected pen drive will be used to load malicious software onto your system. Finally, many attacks occur when using public WiFi networks, which are notorious for having poor security.
Any of these attacks can be used to steal your password, and ultimately lead to identity theft. And if they are successful, the first warning you are likely to get is when money suddenly goes missing from your account, or you start getting weird emails that you've apparently signed up to.
How to protect yourself
All this leads to a simple conclusion: that ‘Has My Password Been Stolen?’ is the wrong question. It might have been, it might not, but in reality it is pretty hard to tell.
The question is also telling in another way. If you are able to ask whether your password has been stolen, it’s likely because you are using the same password for every site you visit. Doing that, to put it mildly, is quite reckless, a bit lazy, and perhaps even borderline idiotic. It means that if your password is stolen, either through a data breach or a direct attack, a hacker has access to every single account you own. In short, you’ve made their job a lot easier.
You might think that coming up with a different strong password for every site you use would be difficult, and that remembering them would be even more difficult. But that’s not the case. A side effect of the continuing string of breaches and constant harping by cybersecurity experts is that there are more and better choices for password managers than even a few short years ago. With this specialized software installed, you can automatically generate and store as many secure (and complex) passwords as you need, and let the software remember them for you. Voila! No longer an idiot.
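What a password manager does when it "generates" a password is draw characters from a cryptographically secure random source and keep a different result for every site. The block below is an added example, not code from the article or from any particular password manager. It uses Python's `secrets` module, enforces the "one of each character class" rule most sites impose by rejection sampling rather than by fixing positions (which would weaken the result), and reports the entropy of what it produced. The word list for the passphrase variant is a constructed stand-in for the several-thousand-word lists real managers ship.

```python
"""Generate unique, strong passwords the way a password manager does.

Added example. `secrets` is the stdlib CSPRNG; `random` would not be suitable.
"""
import math
import secrets
import string
from typing import Sequence

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"  # 23 symbols; adjust to what a site accepts
DEFAULT_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def meets_classes(password: str, classes: Sequence[str] = DEFAULT_CLASSES) -> bool:
    """True if at least one character from every class is present."""
    return all(any(ch in cls for ch in password) for cls in classes)


def generate_password(length: int = 20, classes: Sequence[str] = DEFAULT_CLASSES) -> str:
    """Draw each character uniformly from the combined alphabet, and redraw the
    whole string until every class is represented. Rejection sampling keeps
    every position uniform (no 'capital letter always first' pattern) at the
    cost of a tiny entropy loss compared to length * log2(alphabet)."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_classes(candidate, classes):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed word list for the demo; a real list has thousands of entries.
WORDS = ["anchor", "basil", "cobalt", "dune", "ember", "fjord", "granite", "harbor",
         "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orchid", "pebble"]


def generate_passphrase(words: int = 5, wordlist: Sequence[str] = WORDS, sep: str = "-") -> str:
    """Join `words` uniformly chosen words; entropy is words * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    alphabet_size = sum(len(c) for c in DEFAULT_CLASSES)
    for site in ("bank", "email", "forum"):
        pw = generate_password()
        print(f"{site:6} {pw}  (~{entropy_bits(len(pw), alphabet_size):.0f} bits)")
    phrase = generate_passphrase()
    print(f"passphrase {phrase}  (~{entropy_bits(5, len(WORDS)):.0f} bits with this tiny list)")
```

The point of the per-site loop is the one the article makes: each call gives an independent password, so a leak of one site's password reveals nothing about the others. The entropy figure is what makes "strong" measurable; with this 85-character alphabet a 20-character password carries about 128 bits, while the 16-word toy list gives only 4 bits per word, which is why real passphrase lists are thousands of words long.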
In addition to using security tools like this, you should also follow the best practices when it comes to online security. Make sure that you don't enter any personal details when you are using public WiFi, and make sure you are aware of what a malicious email attachment looks like. You should also use a reputable VPN whenever possible, so that no one can intercept and read your personal data.
Even if you have all these protections in place, it is also a necessity to change your passwords regularly. Set a reminder for yourself to change all of your passwords quarterly, for instance, so that even if your passwords are leaked they cannot be used to access your account.
The bottom line
If you've come to this article for easy answers, I'm sorry: in reality, it's very hard to tell if your password has been stolen. The best approach is therefore to assume that your passwords are stolen or leaked on a regular basis, and take precautions.
You can protect yourself by creating strong passwords (or letting your password manager create them for you), using a different password for every site, and changing your passwords regularly. That way, even if someone does steal your password, they won't be able to do much damage with it.
Sam Bocetta is a freelance journalist specialising in US diplomacy and national security, with emphases on technology trends in cyberwarfare, cyberdefence, and cryptography.