Businesses are increasingly dealing with data loss due to human error or theft by criminals. Dozens of times a year, new data breaches make the news in which passwords have been stolen. How do you know if your password is among them? And how do you limit the risk?
Tip 01: Assess risk
Chatting, shopping and banking: we do more and more online. Criminals know this and as there is more and more to gain for them, they are constantly trying to break in digitally. That is why all kinds of databases are hacked, in order to loot as many passwords as possible and to gain access to data that can yield money. With a successful hack, tens of thousands of accounts can be looted simultaneously. When the company has also stored the data unencrypted, criminals can immediately use this data to break in.
However, it is not always criminals who are responsible for data leakage. Sometimes companies do not have their IT affairs in order and data leaks through poorly designed software or an unsecured server. In that case, little may actually have happened, and malicious parties may never have discovered the leak. However, in all cases it is better to change the password on your account with a company if a data breach has occurred there.
In May 2018, the General Data Protection Regulation (GDPR) came into effect. As a result, the rules for handling personal data have become stricter and in the Netherlands the Dutch Data Protection Authority (AP) checks whether companies are doing this properly. If there is a data breach, this must also be reported to the AP and they will then initiate an investigation. On www.autoriteitpersoonsgegevens.nl you can see which data leaks the AP is investigating and see how high they estimate the risk of the data leak.
Tip 02: Password leaked?
In addition, there are a number of sites that search large files with account information, so that you can check whether your data is out there. These sites were created by well-meaning hackers who made the databases of credentials searchable. Here you can search for your e-mail address or username and see if your password has been stolen in the past during a data breach.
You can check this on the website www.haveibeenpwned.com. On the website, you enter your e-mail address in the large search bar and then you will see all data breaches that included your accounts. Of course, this does not include your passwords themselves, because then malicious parties could use the site to gain access to your accounts. You can only see which accounts linked to your e-mail address were part of a data breach at a company.
Under the heading Passwords you can search for a password and see if it is part of a data breach from the past. The result only states whether and how often the password occurs.
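The following Python sketch is an added example, not code from the original article or from Have I Been Pwned. It assumes the public Pwned Passwords range API (api.pwnedpasswords.com/range/), which lets you run this check without sending the password itself: only the first five characters of its SHA-1 hash leave your machine. The function names and the sample response are constructed for illustration.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for hash prefix 5BAA6.
# Each line is "<35-character SHA-1 suffix>:<count>"; the counts are made up.
SAMPLE_RANGE_5BAA6 = (
    "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\r\n"
    "1F0A1B2C3D4E5F60718293A4B5C6D7E8F90:0\r\n"  # count 0 marks a padding entry
)

def split_hash(password):
    """Return (prefix, suffix) of the uppercase SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password, fetch_range):
    """How often the password occurs in the breach corpus (0 = not found).

    fetch_range receives only the 5-character prefix; the comparison with
    the rest of the hash happens locally.
    """
    prefix, suffix = split_hash(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

def fetch_sample(prefix):
    """Offline stand-in for the API, backed by the constructed sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""

def fetch_live(prefix):
    """Query the real service; Add-Padding hides the true response size."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pw-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(breach_count("password", fetch_sample))
```

Pass `fetch_live` instead of `fetch_sample` to check against the real database; any result above 0 means the password has appeared in a breach and should no longer be used.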
The unusual name of the website comes from the term "owned", which is used by gamers when they beat an opponent in a game. 'Pwned' is a reference to the fact that this is often mistyped and players swap the o for the p. Possibly the creator of the website Have I Been Pwned is also a gamer.
Tip 03: Dutch leaks
The Have I Been Pwned database is not the only place where leaked data is collected and this database certainly does not contain all leaked data. The Dutch Police is working on its own database. When seizing network equipment from criminals, the police usually find leaked or stolen data, and when possible make it searchable.
Although this database is smaller than Have I Been Pwned's, it's a handy resource to check your account as well. You can check here if your account is included.
Tip 04: Change password
When a service where you have an account is hacked, it is always better to change the password right away. Your data may not be in the leak, but always err on the side of caution. If all goes well, a company will notify you if any account information has been leaked.
Make sure you create a new, unique password. If you use the leaked password in multiple places, make sure you change it on all of those accounts. Don't use the same password for every account; widely varying passwords are more secure. When there is a leak, you only have to change that password and malicious parties cannot access other accounts.
It is best to use a sentence to create a secure password. Then your password is always long enough and you can more easily alternate between letters, numbers and special symbols. For example: [email protected]!
Tip 05: Password manager
To make sure you have a secure password everywhere, you can use a password manager. That way you have a secure password everywhere, without having to remember complicated codes. There are several free password managers available that work in a similar way. We can recommend using 1Password, Sticky Password and LastPass. For this example, we'll use LastPass.
Go here to create an account with LastPass. There, enter a strong password in the Master Password field. This is the only password you need to remember; LastPass remembers the passwords for all your other accounts.
Once logged in to LastPass, you can start protecting the accounts with a strong password. The password manager initially walks you through a number of accounts, such as those of Facebook, Google and Twitter. After that, it is important to check which accounts you have and to create a new password for them.
The easiest way to do this is through the plugin available for all major browsers. The plugin can be found here. Once the plugin is installed, you will need to log in with your e-mail address and master password. When you go to a site where you need to log in, the plugin recognizes the login fields and fills them in if the site information is stored in LastPass.
If the details are not yet known to LastPass, it is best to change your password on the site. When you need to enter a new password, click the LastPass plugin in the top right and click Generate password. This will generate a secure password that you can copy and paste into the field where the new password should be entered. Once the password has been entered, the plugin will ask if the login details should be saved. Click OK. The next time you log in, LastPass will remember the password and will fill it in automatically.