Don’t Let the Pwn be King of Your Realm

As we slog through the month of January, named for the Roman god Janus, mighty god of all doorways (really?), it seems worthwhile to take inspiration from the most common depiction of Janus as a two-faced god, looking forward and backward. We can look back to countless admonitions about the weaknesses of passwords, the human weaknesses that lead to cyber breaches, and the steady litany of breaches of varying sizes and impacts, and think to ourselves, “boy are we lucky our password wasn’t stolen.”  Unless, of course, it was.  If you know your password has been stolen, my condolences.  If you don’t think it has, read on.

There is a security researcher by the name of Troy Hunt who runs a site named Have I Been Pwned. One can use the site to determine whether they have been the victim of a hack. Mr. Hunt just reported the existence of a data set containing over 750 million unique email addresses and over 21 million unique passwords. (Do take a moment to reflect on the ratio.) Termed “Collection #1,” this is information that was available on a widely used hacking forum. The data come from multiple breaches over many years. Mr. Hunt acknowledges that the data included both email addresses and passwords he has used. It’s a collection of staggering proportion.

It is possible to use Have I Been Pwned to determine whether your email addresses and passwords are among those stolen. The site has a feature which makes the process relatively simple. But the better tack would be to move to multi-factor authentication, or, at the very least, to change from passwords to passphrases. Most passwords can be cracked in minutes, given enough brute computing power. Passphrases, however, are far harder to crack; a good passphrase could take months or years. In the simplest of applications, think of a phrase that has meaning to you. Say, “The moon rises in the east.” Now add a little complexity. Perhaps it’s “The moon rises turkey in the east.” Or, “The moon rises turkey in the straw,” for you music lovers.

Here’s an article that offers additional thoughts on creating passphrases.  Let’s look ahead to a 2019 filled with better cyber safety practices.

By Tom Davis, SDI Cyber Risk Practice

January 22, 2019