There have been a lot of well-publicized data breaches in the news lately, and I always wonder if I've been affected by them. When credit card data is affected, you get a letter from your bank or card issuer (I've gotten a few), but when it comes to website hacks that go after passwords, you never know. Or do you?
I'd like to share a couple of resources you can use to find out whether you should be concerned, as well as a couple of things to help you increase your password effectiveness in the future.
Find out if you've been a victim
A site called "ShouldIChangeMyPassword.com" has aggregated (as of this post) 11,802,026 compromised passwords from a large number of the publicly disclosed data breaches. If you go to the site and enter your email address, it will tell you if your email shows up in the list of compromised accounts. In my case, I've been breached at least once, as the graphic below shows.
My password was compromised in the Gawker Media breach but, fortunately, I used a unique password so my exposure is very limited. I also changed my password the moment I found out (Gawker was very responsible in their notification, and I knew within a few days).
Other sites you can use to find out if your password's been compromised include:
Stronger passwords in the future
If you want to protect yourself better in the future, here are some tips that can help:
- Use different passwords for each site you visit
- Use complex passwords (mixture of upper & lower case, numbers, random characters that aren't in the dictionary, etc.)
- Don't write your passwords down
The challenge with this is that it makes it nearly impossible to remember what password belongs to which site. To make it easier, I recommend using a "password vault" that can generate complex passwords for you and then help you remember them. The best ones are multi-platform, never store your data in an unencrypted form, and allow you to share your password data securely across multiple devices.
I've tried quite a few of them, and the one I like best is called "1Password." It works on Mac, Windows, Android, iPhone, and iPad, and I've been using it faithfully for a couple of years. It stores an encrypted data file on your system (the makers of 1Password don't store your passwords on their own systems), and it easily shares your encrypted password data using Dropbox as the conduit.
1Password also has the ability to store other information such as credit card numbers, software license keys, and more. It can also generate and store secure passwords for you, which makes it easy to satisfy the tips I mention above.
If you want to take a more manual approach, there is a good "personal algorithm" method using Steve Gibson's "Password Haystacks" model, detailed on the Gibson Research Corp. site. This is also a great educational site on how longer passwords offer exponentially more security.
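To make the "exponentially more security from length" point concrete, and to show what a vault's password generator is doing under the hood, here is an added example (my own illustration, not code from 1Password or from the Gibson Research Corp. site). It follows the haystack idea of sizing the search space by the character classes a password uses (26 lower, 26 upper, 10 digits, 32 symbols, an assumption) raised to the password's length, and compares that against an assumed guess rate supplied by the caller. The generator uses Python's `secrets` module, which is the CSPRNG a password tool should use rather than `random`.

```python
import secrets
import string

# Character classes an attacker would have to include in an exhaustive search.
# Symbol count (32) is an assumption for illustration; string.punctuation has 32 chars.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": string.punctuation,
}

FULL_ALPHABET = "".join(CLASSES.values())


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, based on which classes appear."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space(password: str) -> int:
    """Candidates in an exhaustive search over the same alphabet and length."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole space at the given (assumed) guess rate."""
    return search_space(password) / guesses_per_second


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Generate a password with a CSPRNG, the way a vault's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def length_advantage(short: str, long: str) -> float:
    """How many times larger the search space of `long` is than that of `short`."""
    return search_space(long) / search_space(short)


if __name__ == "__main__":
    # Constructed sample passwords: a short, all-class password versus a longer one
    # drawn from the same alphabet. Guess rate is an assumed figure, not a measurement.
    RATE = 1e11
    for pw in ("aB3!xY9?", "aB3!xY9?aB3!xY9?", generate_password(20)):
        print(f"{pw:<24} alphabet={alphabet_size(pw):3d} "
              f"space=2^{search_space(pw).bit_length() - 1:<4d} "
              f"years={seconds_to_exhaust(pw, RATE) / 3.15e7:.3e}")
    print("doubling length multiplies the space by",
          f"{length_advantage('aB3!xY9?', 'aB3!xY9?aB3!xY9?'):.3e}")
```

Each extra character multiplies the search space by the alphabet size, so adding eight characters to the sample password multiplies it by 94^8, which is the effect the Haystacks page is describing; padding with length does far more than swapping a few letters for symbols at the same length.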