Could your 10-year-old password end up getting you pwned?

Article

Your faithful 10-year-old password could be your demise if you end up the victim of a data breach, which is far more likely than you might think.

In light of last month’s ‘mega data breach’ of over 2.7 billion data records, we’re giving you the lowdown on what it means to be pwned (not a typo: short for password owned, pwned), how hackers actually get hold of your details, and how to minimise the impact if you are caught up in a breach.

What is a data breach?

A breach is when data is made available to someone who should not be able to see it, for example, a list of email addresses and passwords.

According to Troy Hunt, Microsoft Security Researcher, “data breaches are rampant and many people don’t appreciate the scale or frequency with which they occur.”

Troy is the guru on data security: he’s the guy who revealed the 2.7 billion-record breach last month on his site Have I been Pwned, which lists millions of passwords and email addresses that have already been stolen in data breaches. More on checking your own details later.

It’s down to you to make sure your online data is secure; don’t rely on an organisation letting you know that its security has been breached. Breaches can come from a single infiltrated organisation, which is then obligated to let its customers know, but they can also come from a multitude of sources, such as last month’s global breach, which was made up of data stolen from more than 2,000 websites.

How do people steal your data?

Your data can be stolen either as a result of you being individually targeted or from a cyber attack on a company or website which holds information about you.

You can be individually targeted in a number of ways. Hackers can gather valuable information about you from your social profiles (Facebook, LinkedIn, Twitter etc.) and use it in a trial-and-error attack to guess your login combinations. Laptops and devices without sufficient anti-virus software can fall foul of a malware attack from a keylogger, surveillance software on your computer that records each keystroke. And a simple yet effective technique used by hackers is shoulder surfing, where someone simply looks over your shoulder in a public place while you’re entering login details on your phone or tablet.

If a company or website you use falls victim to a cyber attack, then it’s time to hope you followed the safe password strategies below to ensure your stolen data does minimal damage.

How to prevent your data being stolen

The number one rule for protecting your online data is not to reuse the same password, and yep, it’s the one most of us are guilty of breaking.

Last year Virginia Tech University and security firm Dashlane did a study of 61 million leaked passwords. They discovered that 52% of passwords were reused by people across multiple accounts.

Reusing your password for multiple accounts is dangerous because of the risk of ‘credential stuffing’. Credential stuffing is when hackers take stolen data from one site and then use it to try to log into other online platforms. So, if you’re using the same email and password combo for your online grocery shop as well as your online banking, you’re in trouble when your favourite supermarket suffers a data breach. Strong passwords which avoid the use of places, names, dates or common phrases are also a good idea.

If, like us, you use the internet to manage multiple areas of your life and would struggle to remember your 167 password combinations, consider signing up to a password manager, which encrypts your passwords behind one login. Now just resist writing that one login on a Post-it. Here’s a good review article which summarises some of the best password managers: https://www.digitaltrends.com/computing/best-password-managers/

Signing up for two-factor authentication (2FA) is another good idea; you can add this extra layer of security to most of your online accounts (from within the platform’s settings). 2FA usually involves receiving a text on your mobile phone or generating a one-time code in a smartphone app like Authy or Google Authenticator in order to log in to a site. This means that even if someone does get hold of your login details, without physical access to a device such as your phone they still can’t access your accounts.

Have my details already been stolen?

If you’ve read up to here, then chances are you might be using a decade-old password, Rover1 (RIP), for over 20 accounts, and chances are you’ve been pwned.

Time to go back to Troy Hunt, the data breach guru we quoted at the start. His website Have I been Pwned lets you check your email addresses and passwords to see whether your data has in fact been compromised in a data breach. The service is completely free and totally secure.
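As an added illustration (not part of the original article or Troy Hunt’s own code), this is how the Pwned Passwords check behind Have I been Pwned works: only the first five characters of your password’s SHA-1 hash are sent to the service, and the match against the returned suffixes happens on your own machine. The range URL is HIBP’s public API; the response body used here is constructed, not a real lookup.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # HIBP Pwned Passwords range API


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1, as Pwned Passwords indexes it, and split the
    40-char uppercase hex digest into the 5-char prefix that is sent over the
    network and the 35-char suffix that never leaves your machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    matches: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        matches[suffix.upper()] = int(count)
    return matches


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breaches HIBP indexes
    (0 means no match). The comparison is done locally on the suffix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup: only the 5-char prefix is ever sent (k-anonymity)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response (not a real lookup): the real suffix of "Rover1"
# with an invented count, padded with two made-up suffixes to resemble a real body.
_ROVER1_SUFFIX = sha1_prefix_suffix("Rover1")[1]
CONSTRUCTED_RESPONSE = "\r\n".join([
    "0" * 35 + ":2",
    _ROVER1_SUFFIX + ":31337",
    "F" * 35 + ":1",
])

if __name__ == "__main__":
    # Offline demo against the constructed body; use fetch_range(prefix) for a live check.
    prefix, _ = sha1_prefix_suffix("Rover1")
    print(f"sent to HIBP: {prefix!r}; matches: {breach_count('Rover1', CONSTRUCTED_RESPONSE)}")
```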

If Rover1 has been cracked, you can start your Marie Kondo-style cyber clear-up: updating your accounts with new logins, using bulletproof passwords stored in a password manager. Then, chances are, you’ll never have to think about this again.