Reusing passwords is (always) a very bad idea! - WST

Since high profile breaches involving user credentials (usernames and passwords) continue to occur, we thought we’d revisit what the bad actors do with this information, provide ways you can help protect yourself, and point you to a tool that alerts if your email address has been included in a breach.

Typically, stolen credentials will be sold on various dark web sites. A purchaser of these credentials will often use them to try and log into various high value target websites, such as online retailers, digital video game storefronts, and financial services websites. Their hope is that people who had their account information stolen from one service provider will also use the same password for other services. The passwords are also separated to create a wordlist to use for password cracking, and email addresses will frequently be sold to use in spam email campaigns.

Recommendations

First and foremost, do not use the same set of credentials for multiple sites and services. Create a unique and complex password for all sites, and use a password manager such as KeePass, LastPass, or 1Password to keep track of your passwords. A passphrase (with spaces between words if allowed) is better than a single word password, and multi-factor authentication should always be used when available.

For your information, Have I Been Pwned? (https://haveibeenpwned.com/) is a free industry and government trusted resource for “anyone to quickly assess if they may have been put at risk due to an online account of theirs having been compromised or ‘pwned’ in a data breach.” You can check individual email addresses, as well as set up an alert to notify you anytime your email address is included in a breach. Admins, you can also set up an alert to notify if any email from your domain is found in a breach.

Finally, when you find out a service provider you use has been breached, change your password immediately, even if you are unsure if your account was impacted or not.

Authored by: Kyle Stelly, CISSP, PCIP