Databases of leaked passwords and account protection

Databases of leaked passwords contain passwords obtained and published after hacking attacks or due to insufficient system security. These databases can help regular users discover whether their passwords have been compromised, but cyber attackers can also misuse them. This article explains how databases of leaked passwords work, what steps to take if a leak is discovered, and which preventive measures enhance security.

7 Jun 2024 Passwords

A data breach is a severe security violation in which unauthorized individuals copy, transfer, steal, alter, or misuse sensitive information. Causes of data breaches include cyberattacks (such as social engineering), poor system security, or human error.

Leaked data can appear in so-called databases of leaked passwords. These databases are online lists where data from security incidents or attacks are collected and published. Their purpose can be twofold: they can help users determine whether their passwords have been compromised, and at the same time they can serve attackers in carrying out further attacks.

One of the most significant data breaches occurred in 2018, involving the unauthorized handling of data from 87 million Facebook users, which led to the shutdown of the British consulting firm Cambridge Analytica.

How to use databases of leaked passwords?

Among the most well-known and comprehensive password leak databases are Have I Been Pwned and Weakpass. These tools provide extensive lists of leaked passwords that can be used to check the security of your accounts. Their main advantage is that they allow you to verify whether your password was part of a data breach without giving direct access to login credentials. They do not display specific login details associated with accounts but only show lists of leaked passwords without linking them to particular accounts.

The advantage of these databases is that users can verify whether their login credentials have been compromised, i.e. were part of a data breach. This lets users change their passwords and enhance account security. Administrators can use the databases to check for leaks from their systems.

On the other hand, cyber attackers often misuse information from these databases to conduct dictionary attacks. These attacks can lead to unauthorized access to user accounts, identity theft, and other forms of fraud. Attackers use leaked information for systematic testing and penetration into systems.


The Have I Been Pwned service offers the Notify Me feature, which allows users to register their email addresses and be informed if their data is part of a breach. This feature provides immediate notifications, enabling a quick response and enhanced protection of accounts from potential misuse.

How long is leaked data valuable?

Does the value of leaked data decrease over time? The answer is both yes and no. The value of leaked data depends on its currency and validity. Static information, such as birthdates or names, retains its value over the long term.

In contrast, passwords can lose value because people change them periodically, reset them when forgotten, or update them after discovering a data breach. Once an attacker makes the data public, its value drops significantly. Therefore, attackers initially keep the data for themselves, use it for their own purposes, and only later sell it within their network of contacts. Moreover, many companies today actively search for potentially leaked databases as part of their preventive security measures.

How does Have I Been Pwned secure leaked passwords?

You can find detailed information about the current security measures applied to the acquired data by the authors of the Have I Been Pwned database at the provided link.

What if my password appears in a database of leaked passwords?

The presence of your password in a database can mean it does not meet current security standards (e.g., it is too short, does not contain a combination of letters, numbers, and special characters, or is easily guessable). Another possibility is that another user used the same password.

Both scenarios present a risk because an attacker might add the password to their dictionary and attempt to break into other accounts. Suppose you find that your password has been compromised. In that case, it is crucial to take immediate action to protect your accounts, ideally by following these steps:

1. Change your password: update the compromised password on all services where it was used.

2. Monitor affected accounts: check your accounts for any suspicious activities (e.g., unusual logins).

3. Update other passwords: ensure that no other passwords are similar to the compromised ones.

How to Minimize Password Leakage?

Strong and unique passwords are essential for protecting your accounts, though they cannot wholly prevent data breaches from specific services. It is recommended to create passwords in the form of passphrases, consisting of several easy-to-remember words with at least 12 characters, including uppercase letters and special symbols. You can find inspiration for creating a passphrase from a part of a poem, a scene you see on your way to work, or a memorable experience. An example of a passphrase might be "pickingVioletsW34R-dynamite".

What should you (and should you not) do when creating passwords?

  1. Avoid predictable symbol substitutions: do not use simple substitutions like @ instead of A or 0 instead of O.
  2. Do not include easily discoverable information: avoid using personal information, such as names or birth dates.
  3. Do not reuse passwords across accounts: each account should have a unique password.
  4. Do not share passwords: never share your passwords with others.
  5. Do not save passwords in your browser: browsers can be vulnerable to attacks; storing passwords in a password manager is safer.
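To show why rule 1 matters, here is an added example (not from the article) of the kind of screening a defender can run on a candidate password: it undoes the common symbol substitutions that cracking dictionaries already account for and checks every resulting variant against a list of known leaked passwords. The leaked list is a constructed stand-in for a real corpus.

```python
import itertools
from typing import Set

# Common substitutions that dictionary rules routinely undo; "1" is ambiguous
# (i or l), so both are tried. The original character is always kept as well.
SUBSTITUTIONS = {"@": "a", "4": "a", "0": "o", "3": "e", "$": "s",
                 "5": "s", "7": "t", "1": "il", "!": "i"}

# Constructed stand-in for a leaked-password corpus.
LEAKED_PASSWORDS: Set[str] = {"password", "letmein", "dragon", "qwerty"}

def normalized_variants(password: str) -> Set[str]:
    """All lower-cased spellings obtained by undoing substitutions."""
    options = [ch + SUBSTITUTIONS.get(ch, "") for ch in password.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}

def looks_leaked(password: str, leaked: Set[str] = LEAKED_PASSWORDS) -> bool:
    """True if any de-substituted variant is in the leaked corpus."""
    return any(variant in leaked for variant in normalized_variants(password))

if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "L3tm31n", "pickingVioletsW34R-dynamite"):
        print(candidate, looks_leaked(candidate))
```

Substitutions only multiply the variants an attacker tries by a small constant, while a passphrase with unrelated words is not in the corpus at all.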

However, creating such passwords poses a challenge: how do you remember many different passwords? And is a strong password alone sufficient to protect your account? This is where a password manager and multi-factor authentication come to the rescue.

Password Manager

A password manager stores and encrypts your login credentials. You only need to remember one strong password that protects all your accounts. Additionally, it allows you to generate secure passwords and automatically fills them in when logging in. While a password manager cannot entirely prevent data breaches, it significantly limits their impact on the affected service, as you use different, unique passwords for each service.


Multi-factor authentication

The real protection against the misuse of a leaked password is multi-factor authentication (two-factor authentication). Even if an attacker obtains your password, they cannot log in without the second factor, such as a code from an app or SMS. This additional layer of security significantly increases the protection of your accounts. We recommend using multi-factor authentication with a security key for maximum security of your accounts and identity.


Conclusion

Data breaches pose a severe threat but can also help effectively protect our accounts. Using databases like Have I Been Pwned lets us quickly identify compromised passwords and take appropriate actions. The key to security is the trio: passphrases, a password manager, and two-factor authentication, which help us minimize risks and protect our online accounts.
