11
December 2013

Have I been pwned?

Andy Harris

A website has recently been launched which allows users to check if their email address is on any of the account lists of online services who have been hacked in the last few years e.g. Adobe, Sony, Yahoo, etc.. In what is known as being ‘pwned’, hundreds of millions of account records have been stolen and published online. Thankfully, the site only stores the email addresses of all the accounts ‘pwned’, but it does show just how many accounts have been stolen and how vulnerable to the risk of ‘password re-use’ they are.

When you consider the sheer number of passwords users have to manage these days, it’s human nature to simply reuse the same password in different places. After all, it is secret to only you, right? Invariably, people have a ‘simple’, easy-to-remember password for regular use and a more complex password (upper case, number, symbols etc.) when they are forced to use them. So far so good, but here’s the rub, most of us use a complex password at work because the corporate standard requires it, then we try to register on a new site with our simple password but can’t as it also wants a complex password. The obvious answer? To use our complex password… which just happens to be the same as our password at work. Ok, maybe we increase the last digit by 1 to make it different, but the hackers will try this too… now the password is at risk of being pwned and exposed online.

So, what can organisations do to protect their infrastructures from the password re-use risk? Simple, stop SysAdmins setting their own passwords for privileged accounts. Have a chat with us at Osirium and we can show you how system generated privileged passwords that are long, strong, complex and (more importantly) unique for every account on every critical device in your network, means that you can protect your organisation from pwning outsiders and also from the mistakes of your own insiders.

Check your email address at: http://haveibeenpwned.com