January 20th, 2022

Reusing passwords is (always) a very bad idea! - WST

Since high profile breaches involving user credentials (usernames and passwords) continue to occur, we thought we’d revisit what the bad actors do with this information, provide ways you can help protect yourself, and point you to a tool that alerts if your email address has been included in a breach.

Typically, stolen credentials will be sold on various dark web sites. A purchaser of these credentials will often use them to try to log into various high-value target websites, such as online retailers, digital video game storefronts, and financial services websites. Their hope is that people who had their account information stolen from one service provider will also use the same password for other services. The passwords are also stripped out and compiled into wordlists for password cracking, and the email addresses will frequently be sold for use in spam email campaigns.

Recommendations

First and foremost, do not use the same set of credentials for multiple sites and services. Create a unique and complex password for every site, and use a password manager such as KeePass, LastPass, or 1Password to keep track of your passwords. A passphrase (with spaces between words, if allowed) is better than a single-word password, and multi-factor authentication should always be used when available.

For your information, Have I Been Pwned? (https://haveibeenpwned.com/) is a free, industry- and government-trusted resource for “anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or ‘pwned’ in a data breach.” You can check individual email addresses, as well as set up an alert to notify you any time your email address is included in a breach. Admins, you can also set up an alert to notify you if any email address from your domain is found in a breach.

Finally, when you find out a service provider you use has been breached, change your password immediately, even if you are unsure if your account was impacted or not.

Authored by: Kyle Stelly, CISSP, PCIP
