I recently came across a website HaveIBeenPwned.com. On the site, if you enter your email address, it will inform you if that email address has been part of a data breach.
Firstly, I checked my work address – phew, no issues there. The email address has not been part of any known breaches online.
Next I checked my personal email accounts. Both email addresses that I regularly use had been “pwned”.
“Pwned” is Internet gaming slang for having been soundly beaten or humiliated by an opponent (e.g., "You just got pwned!"). On HaveIBeenPwned it means something more specific: the address appears in a dataset that leaked from a breach.
Like many people, I have separate email addresses for different things – I have an email address (Email 1) where all the various daily deal websites flaunt their wares, and an email address (Email 2) that I typically use for communicating with my friends and family, as well as being the email I register for my various bills and invoices from our utility providers. I am typically much more careful where I enter my Email 2 address; I don’t use it for shopping or for signing up to any website subscriptions. So, while I wasn’t too surprised that my Email 1 address had been pwned, I was surprised that my Email 2 address had been compromised.
When I dug in a bit deeper, Email 1 had been pwned in 3 separate breaches: Zomato (2017), Last FM (2012-2016) & Onliner Spambot (2017). The scale of each of these breaches is breathtaking: Zomato – 17 million accounts, Last FM – 37 million accounts & Onliner Spambot – 711 million individual email accounts were compromised.
Email 2 had only been compromised in 1 breach: LinkedIn (2012-2016) along with 164 million other accounts. The data that was compromised was email addresses and some passwords.
Important note: you can also sign up for future notifications, so if your email address turns up in a breach later, you will be told about it straight away.
So, if you are like me and regularly use the same password in multiple places – DON’T! A password leaked in one breach (the LinkedIn dump included passwords) gets tried against every other site where that email address is registered, so one compromised site turns into all of them.
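HaveIBeenPwned also lets you check whether a password itself has appeared in a breach, without ever sending the password anywhere. The following is an added example (not code from the original post or from HaveIBeenPwned): the client hashes the password with SHA-1, sends only the first 5 hex characters of the hash to the Pwned Passwords range API, and compares the remaining 35 characters locally against the returned bucket. The `SAMPLE_RESPONSE` body and its counts are constructed for the demo so that it runs offline; the live `fetch_range` call is included but not exercised.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase hex SHA-1 of the password, split into the 5-character
    prefix that is sent to the API and the 35-character suffix that
    never leaves this machine (the k-anonymity part of the scheme)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line, CRLF separated)
    and return how many times our suffix was seen in breaches, 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup: download the bucket of all suffixes sharing our 5-char
    prefix. Only the prefix goes over the wire. Not used by the offline demo."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-check-demo"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """Breach count for a password (0 means not in the corpus). `fetch` is
    injectable so the check can be run against a canned response."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample bucket for prefix 5BAA6 (SHA-1 of "password" begins
# 5BAA61E4...). The neighbouring suffixes and all counts are made up for
# the demo; a real bucket contains several hundred lines.
SAMPLE_RESPONSE = (
    "1E2D7F8A3B4C5D6E7F8091A2B3C4D5E6F7A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1E5A0C6DB0B4E6F1A2B3C4D5E6F7A8B9C0D:14\r\n"
)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=lambda prefix: SAMPLE_RESPONSE)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

Replace the lambda with the default `fetch_range` to query the real service; the password still never leaves the machine, only its 5-character hash prefix does.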
For the purposes of this blog I will focus on LastPass as it has a lite version that is free of charge. I have decided to use this as my password manager tool of choice going forward.
It is easy to set up and use:
- First you need to set up a master password. This is the one password you still have to remember, and everything in the vault is protected by it, so make it long and unique.
- Then you add sites to your “Vault”.
- A site can be added manually, or captured automatically when you log in to it with the LastPass extension installed.
- Once a site is added, the Vault stores both your username and password for it.
- Sites can then be assigned to folders, e.g. Social, Shopping, Work, Home.
- If you install the LastPass app, you can access your vault from your mobile device.
- Once your vault is populated, LastPass can auto-fill your login details when you visit a site.
- If you log in from a new device or location, LastPass emails you to verify it is really you.
Even when using a tool like LastPass there are still a number of guidelines you should follow when creating passwords.
- Use a different password for every site – LastPass manages this for you.
- Use long passwords with a mix of letters, numbers and symbols; length does more for strength than any single character type.
- Consider using a password generator (LastPass has one built in) to create completely random passwords.
- Don’t make your passwords personal, e.g. a pet’s name or favourite sports team; attackers can usually find this information on social networks.
- If you want passwords you can remember without a password manager, combine three genuinely random, memorable words with some symbols and/or numbers, e.g. $RedVolcanoSpoon173. Pick the words at random rather than because they mean something to you.
- Turn on two-factor authentication wherever it is offered (Gmail offers it, as do many other online services), so a leaked password alone is not enough to get in.
- Do not write passwords down.
- Do not share your passwords.
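To make the "random password versus random words" guidance concrete, here is an added example (not code from the original post or from LastPass) that generates both kinds of secret with Python's `secrets` module, the OS-backed CSPRNG that a password manager's generator also relies on, and estimates their strength in bits. The 32-word list is a constructed stand-in for a real list such as the EFF long list, and the 10 billion guesses per second used for the crack-time estimate is an assumed figure for an offline attack on a fast unsalted hash.

```python
import math
import secrets
import string

# Constructed stand-in word list for the demo (32 words = 5 bits per word).
# A real passphrase generator should use a large published list such as the
# EFF long list (7,776 words, about 12.9 bits per word).
WORDLIST = [
    "volcano", "spoon", "harbour", "lantern", "maple", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut",
    "yonder", "zephyr", "anchor", "biscuit", "canyon", "dagger", "ember",
    "falcon", "glacier", "hammock", "iceberg", "jigsaw", "kettle", "lobster",
    "meadow", "nectar", "oyster", "parrot",
]

# Letters, digits and punctuation: 94 printable ASCII characters.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation


def random_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Random character password. secrets.choice draws from the OS CSPRNG;
    random.choice would be predictable and must not be used for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int = 4, wordlist=WORDLIST, separator: str = "-") -> str:
    """Random words joined by a separator. The strength comes from the list
    size and the word count, not from the words being obscure or personal."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent uniform picks,
    each from `choices_per_symbol` possibilities."""
    return symbols * math.log2(choices_per_symbol)


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to guess: on average half the keyspace is tried.
    The default rate is an assumed figure for offline cracking of a fast hash."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def strength_report(label: str, choices_per_symbol: int, symbols: int) -> dict:
    """Summarise one generation strategy as bits and expected crack time in years."""
    bits = entropy_bits(choices_per_symbol, symbols)
    years = expected_crack_seconds(bits) / (365.25 * 24 * 3600)
    return {"label": label, "bits": round(bits, 1), "years": years}


if __name__ == "__main__":
    print("generated password:  ", random_password())
    print("generated passphrase:", random_passphrase())
    for report in (
        strength_report("8 random lowercase letters", 26, 8),
        strength_report("12 random chars from 94", len(SYMBOLS), 12),
        strength_report("20 random chars from 94 (manager default)", len(SYMBOLS), 20),
        strength_report("4 words from this 32-word demo list", len(WORDLIST), 4),
        strength_report("4 words from a 7,776-word list", 7776, 4),
    ):
        print(f"{report['label']:45s} {report['bits']:6.1f} bits  ~{report['years']:.3g} years")
```

The report makes the point behind the guidelines: four words from a tiny list are weak, four words from a proper list are respectable, and a 20-character manager-generated password is far beyond any offline attack, which is why the remembered-passphrase route only makes sense for the handful of secrets a manager cannot hold (such as the master password itself).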
LastPass on Managed Desktop
Lucidity are always looking to improve the usability of Managed Desktop for our customers. As part of this we are currently reviewing the viability of securely adding a catalogue of Chrome extensions that we know to be safe and that can be added to Managed Desktop.