Are you feeling lucky today?
No, that’s not the right question. The better question is: Are you feeling brave today?
I say this because luck has nothing to do with the outcome of what I’m going to ask you to do. You will, however, need pretty steely nerves to take my dare. (Faced with potentially bad news, many people just turn their backs or plug their ears.)
Here’s what I’d like you to do:
- Head over to Have I Been Pwned (haveibeenpwned.com), and no, that’s not a typo (I’ll explain in a moment),
- Next, enter the main email address you use on the Internet, then go back in time and enter some of your older email addresses.
Have I Been Pwned will tell you whether your email address appears in one or more known data breaches, and which kinds of data each breach exposed (passwords, names, phone numbers and so on), because that is what ends up traded on criminal forums and the dark web. Please note that the database only covers breaches that have been discovered and made public. Unfortunately, breaches often go undetected by the responsible parties for months or even years, so a clean result today is no guarantee.
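The site also offers a companion check for passwords themselves, and it is worth seeing how that works, because it never sends your password anywhere. The following is an added example, not code from the post or from Have I Been Pwned: it computes the SHA-1 hash of a password, sends only the first five hex characters to the service’s range endpoint (the real `https://api.pwnedpasswords.com/range/` API), and matches the rest locally. The sample response body and its counts are constructed for the example so it runs offline; the hash suffix for `password` is real.

```python
# Added example (not from the original post): k-anonymity lookup against
# Have I Been Pwned's "Pwned Passwords" service. Only the first five hex
# characters of the SHA-1 hash leave the machine; matching happens locally.
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return how many
    times the given suffix has been seen in breaches, or 0 if it is absent."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line:
            continue
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). The reply lists every known hash that
    shares the prefix, so the service cannot tell which one you wanted."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Number of breach appearances of `password` (0 = not in the corpus).
    Pass `range_body` to check against an already-fetched reply offline."""
    prefix, suffix = split_hash(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(body, suffix)


# Constructed sample of a range reply for prefix 5BAA6 (the prefix of
# "password"). The counts are made up for this example; the suffix
# 1E4C9B93F3F0682250B6CF8331B7EE68FD8 really is SHA-1("password") minus
# its first five characters.
SAMPLE_RANGE_5BAA6 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:2
"""

if __name__ == "__main__":
    print("password ->", pwned_count("password", SAMPLE_RANGE_5BAA6))
    print("grj7defK/YPz ->", pwned_count("grj7defK/YPz", SAMPLE_RANGE_5BAA6))
```

Call `pwned_count("...")` with no second argument to do the real lookup. The hash prefix alone (five hex characters) narrows the space to roughly one in a million, which is why the reply contains hundreds of candidates and the comparison is done on your side.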
An unsavory ‘stuffing’
Now let’s put your results in perspective. When cybercriminals get their hands on a breached list of email addresses and passwords, they start a process called “credential stuffing.” This is simply taking each leaked email address (or username) and password pair and “stuffing” it into the login forms of other websites to see where else it works. They have programs that do this automatically, so they can try thousands of stolen credentials against thousands of websites in a matter of moments.
So if you log into Disqus with the same email address and password you use for your bank, and the Disqus copy leaks, the bad guys can walk straight into your bank account. (By the way, I specifically mentioned Disqus here because in October 2017 they announced a breach that exposed 17.5 million login credentials. When did the breach occur? Back in July 2012. Thank you Disqus 😡.)
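From the website’s side, a stuffing run looks nothing like a single user mistyping a password: one source address tries many different accounts in quick succession and most attempts fail. The following is an added example, not code from the post or from any product, showing how a site operator can pick that pattern out of a login log. The log lines are constructed for the example, and the thresholds (five distinct accounts within five minutes, at most half of the attempts succeeding) are assumptions to be tuned for a real site.

```python
# Added example (not from the original post): detecting credential stuffing
# in a web application's login log. One source trying MANY distinct accounts
# with a low success rate is the signature; the few successes are the
# accounts whose owners reused a breached password.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result" per line.
SAMPLE_LOG = """\
2017-10-06T12:00:01Z 203.0.113.7 alice@example.com FAIL
2017-10-06T12:00:01Z 203.0.113.7 bob@example.com FAIL
2017-10-06T12:00:02Z 203.0.113.7 carol@example.com FAIL
2017-10-06T12:00:02Z 203.0.113.7 dave@example.com OK
2017-10-06T12:00:03Z 203.0.113.7 erin@example.com FAIL
2017-10-06T12:00:03Z 203.0.113.7 frank@example.com FAIL
2017-10-06T12:00:04Z 203.0.113.7 grace@example.com FAIL
2017-10-06T12:00:04Z 203.0.113.7 heidi@example.com FAIL
2017-10-06T12:00:05Z 203.0.113.7 ivan@example.com FAIL
2017-10-06T12:00:05Z 203.0.113.7 judy@example.com OK
2017-10-06T12:01:10Z 198.51.100.4 mallory@example.com FAIL
2017-10-06T12:01:20Z 198.51.100.4 mallory@example.com FAIL
2017-10-06T12:01:40Z 198.51.100.4 mallory@example.com OK
2017-10-06T12:05:00Z 192.0.2.9 oscar@example.com OK
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_rate=0.5):
    """Return {ip: stats} for every source that, inside any `window`,
    attempted logins to >= `min_users` distinct accounts with a success rate
    <= `max_success_rate`. Thresholds are example assumptions."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None  # the window with the most distinct accounts for this ip
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it fits within `window`
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            successes = [u for _, u, ok in win if ok]
            rate = len(successes) / len(win)
            if len(users) >= min_users and rate <= max_success_rate:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "attempts": len(win),
                        "distinct_users": len(users),
                        "success_rate": rate,
                        # accounts to force a password reset on
                        "compromised": sorted(set(successes)),
                    }
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(ip, stats)
```

In the sample, 203.0.113.7 hits ten different accounts in five seconds and gets into two of them; the repeated failures from 198.51.100.4 against a single account are an ordinary forgotten password and are not flagged. The two successful accounts are exactly the reuse victims the post is warning about, and they are the ones to lock and reset.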
How to protect yourself
I hope that you’re sufficiently terrified at this point and perhaps even thinking about never using online services again. However, we know that’s not the answer, and fortunately there is a good solution to this problem: password managers.
As you probably recognize, credential stuffing only succeeds when people reuse the same password on multiple websites; a password that leaks from one site is then a working key to every other site where it was reused. And if you’re trying to keep track of your passwords by some old-fashioned system, such as memory or sticky notes, you inevitably fall back on one or two passwords for everything. (Where a site offers two-factor authentication, turn it on as well: a stuffed password alone is then not enough to get in.)
With a password manager, every site you frequent can have its own password, and trust me, a password-manager-created password will be much longer and far more “unguessable” than anything you can come up with on your own. I just asked my password manager to create a password 12 characters long and here’s what it gave me: grj7defK/YPz. Drawn at random from the 94 printable ASCII characters, a 12-character password like that has roughly 78 bits of entropy, and since you never have to remember it, you can just as easily ask for 20 characters or more.
I personally know many extremely Internet-savvy experts who still aren’t using a password manager, which makes me think that among average users password manager adoption is minimal.
Believe me, once you adopt one, you’ll wonder how you ever survived without it.
Okay, now for the origin of the word “pwned,” as I promised above. In the online gaming world, when someone loses, the winner says the loser has been “owned.” Because P and O are neighbors on the keyboard, this often came out as the typo “pwned” instead of “owned,” and the misspelling stuck.