Where is this coming from?

I have introduced the www.HaveIBeenPwned.com service to a number of people recently. They have gone on to the website. They have typed in their email addresses and in some cases they have found that they have been included in data breaches. When they’ve gone to look and see what was breached, in a number of cases they had at least their email address and password for that service were included in the data breach.

Also check out previous #WeekendWisdom 014, #WeekendWisdom 015 and #WeekendWisdom 016.

Data breaches are bad. What should they do?

So they asked me “What should I do?”. The first thing of course is always, they must change their password on that service or site or whatever it was that was breached. Then I ask “Do you use that password anywhere else?” And they say “Yeah. I use it on multiple sites” or “It’s my favourite password. I use it everywhere.”

So I said “Well you’re going to have to change that password on all of these other platforms.”

They say “That’s going to be an awful lot of effort. Why should I worry?”

Why did you call this post Credential Stuffing?

You worry because of a thing called Credential Stuffing. What happens is that the bad guys, they take these data breaches, say from LinkedIn back in 2012. They take those email addresses and passwords that they have cracked and they try to sign into Facebook, into Twitter, into Microsoft 365, into Google G Suite, into Gmail and many, many other services. The criminals will try all of these things automatically.

They are stuffing credentials into services to be able to try and break in. That is what credential stuffing is all about. That is why you should not use the same password across multiple platforms and services.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

How can L2 Cyber Security help you?

We offer a full range of training programmes, which can be delivered online or in-person*.

L2 Cyber Security are also a partner of CyberRiskAware for online self-directed Cyber Security Awareness training and Phishing testing.

Contact us for more information at info@L2CyberSecurity.com.

*With appropriate social distancing and other health and safety measures adhered to.

Follow us on Social media:

Liam is available on Twitter, LinkedIn and Instagram.

Follow L2 Cyber on Twitter, LinkedIn, Instagram and Facebook.

© L2 Cyber Security Solutions

The post #WeekendWisdom 056 Credential Stuffing appeared first on L2 Cyber Security Solutions Ltd..

How do I find out

Last week we talked about “HaveIBeenPwned.com“, the service run by the gentleman called Troy Hunt. This has details of all the data breaches that he has become aware of over the last few years.

In some of those data breaches, there have been up to a half a billion passwords included in some of those data breaches.

So Troy has provided a feature on his site to be able to search if you have a password that is in one of those breaches and how many times has this occurred. So this will show you how unique your password is.

You’re right to be sceptical

Now you might be sceptical and say I’m not going to type in my password on this website. I don’t know where it’s going. I don’t believe it’s secure and you can check here to see what he uses to keep your passwords anonymised. You can take a look there and he explains all about it. I will leave you to read through that yourself.

And if you’re still not convinced you can go down to the bottom of the page and he has provided downloadable links to the files for all these passwords. So you can use them to search yourself. Now you will need to use some technical skills to be able to search those files.

So do you have a unique password?

But if you type in your password into the search field and it comes up saying not found. You know, great! You have a very unique password. It hasn’t been exposed in any of those data breaches.

But if you have a poor password which, unfortunately a lot of people do, you can find out how many other times it has been exposed. Sometimes there are passwords that have more exposure than others. So even still even at low numbers if you have your password, if it’s not unique you really should consider changing it to something unique.

So that’s it for this week. Let’s be careful out there and we’ll talk to you again next week.

www.L2CyberSecurity.com

www.twitter.com/L2Cyber

The post #WeekendWisdom 015 Do you have a unique password appeared first on L2 Cyber Security Solutions Ltd..