It’s not unusual for a site you like to get its database broken into, so you might need to be a little curious and find out whether your passwords are at risk.
You’re told to have strong password hygiene, and you’re told to change your passwords often, but you may not be told why. Funnily enough, even if you keep good passwords, you might actually lose to the service hosting those accounts and passwords.
Simply put, the problem with password security is that it can actually fall down not at the user’s end, but at the server where the passwords are stored. It means that even if you follow all the directions and maintain very strong passwords, have a different password for every account, and are careful not to give anything away, the service you use that password on could still be broken into and send out an email advising that you should change your password.
However, there’s a catch: we get so many emails these days that it’s easy to pass this email off as spam or phishing, or not even see it in the first place. It might miss your inbox entirely, skip into one of your labels or folders, and you basically don’t get the memo.
So what can you do? How can you be proactive in finding out whether your email and passwords have been breached?
Regular compromises
Even though you might think a service you pay for online or expect to be ironclad is going to be totally secure, that is not always the case. In fact, there’s an old logic that says if something has been made by a human, it can probably be broken by a human.
Until we’re at the point where computers are programming and securing themselves, you can more or less expect people breaking into websites to take the password honey oozing beneath.
Passwords are lucrative, too, because they connect with identification and have the potential to make money. There are other reasons hackers break into websites, but it doesn’t change the fact that even if your password is strong, it can still be compromised when a website that stores it is broken into.
When a website is broken into, it generally tells the world that it has happened. It doesn’t always happen quickly, but it does end up happening, and it’s a good thing, because not only does it deal with culpability and responsibility on the part of the service provider, it also allows the victims to deal with the fallout and change their affected passwords.
But to deal with it, you have to know you’ve been compromised. You have to know you’ve been “pwned”.
What does “pwned” mean?
Hackers and cybersecurity folk have been known to speak a slightly different slang in the online world, and the term “owned” — which meant to be dominated or taken over — becomes “pwned” very easily, particularly given how close the letter “p” is to the letter “o” on a keyboard.
Being “pwned” is basically saying you’ve been compromised, which online is not fantastic as it means your details are potentially out in the open, ready for someone to use who isn’t you.
Have you been pwned?
Finding out whether you’ve been pwned doesn’t have to be a lesson in waiting until someone uses your details and locks you out. You can actually be proactive about it, and use a resource online to find out whether your email address has been included in a breach.
Created by Australia’s own Troy Hunt, “Have I Been Pwned” is a website that looks through the compromised password dumps extracted from breaches to see whether your email address was found when a website was compromised.
It doesn’t necessarily mean your password is stored there; rather, the site aims to tell you whether the password attached to your email address at the time was possibly compromised, and suggests you change it. Depending on whether the leaked database included the password or not, you can check individual passwords, though the email is a greater indication.
Have I Been Pwned is free, and only really needs your email address. Throwing that in will check the email address against the compromised indexes, and tell you if you were affected. It won’t say which password was affected, but it might just give you an idea of the password you were using and if you need to change it. If you’ve saved passwords to your web browser or a password manager, you can check your password there and consider whether it’s worth a change.
Finding out whether you’ve been pwned isn’t necessarily a be-all end-all to thwarting compromised passwords, but it’s a service that can help deal with the problem of regularly breached websites, and provide a little peace of mind, too.