June 28, 2018

Reusing passwords is (STILL) a very bad idea! – WST

Since high profile breaches involving user credentials (usernames and passwords) continue to occur, we thought we’d revisit what the bad guys do with this information, and ways you can protect yourself.

Typically, stolen credentials will be sold on various dark web sites, usually hosted overseas.  A purchaser of these credentials will often use them to try and log into various high value target websites, such as online retailers, digital video game storefronts, and financial services websites.  Their hope is that people who had their account information stolen from one service provider will also be using the same password for other services.  The passwords are also separated to create a wordlist to use for password cracking, and email addresses will frequently be sold to use in spam email campaigns.


First and foremost, do not use the same set of credentials for multiple sites and services.  Create a unique password for all sites, and use a password manager such as KeePass, LastPass, or 1Password to keep track of your passwords.  A passphrase is better than a single word password, and multi-factor authentication should always be used when available.

Finally, when you find out a service provider you use has been breached, change your password immediately, even if you are unsure if your account was impacted or not.

Past Weekly Security Tips – WST