Around twelve months ago I came across a reference to a website, Have I Been Pwned?, which details data breaches where user data such as one's email address, password, date of birth and other information had been stolen and then made available to other people.
I entered the main couple of email addresses that I use1 and discovered that I had, in fact, been pwned. I couldn't tell anyone because I didn't know how to pronounce 'pwned'. Despite that I did pass the site information on to family members so they could check their own addresses.
Having your data stolen and made available for purchase or use by someone else is unfortunate. In my case the situation was exacerbated because I tended to only have two or three passwords, which I used depending on the importance I placed on the site. General logins for forums, etc. would get the easy password (6 characters, not a dictionary word, but easy enough to identify by brute force in less than a minute). If some of those basic logins required longer passwords, my second password simply appended 123 on the end. High tech, I know! I had a third password that was a little more complicated, which I used for my work computer and internet banking sites. Checking it out on Use a Passphrase showed it would take 15 minutes to crack.
The issue here was that my email addresses and some of my common passwords were in the public domain (for a price), meaning none of my logins and associated information were secure. I can recall several years ago receiving notifications from some sites that someone had sought to access my account from unusual IP addresses, which were flagged by the site. Whilst this raised a flag for them, it didn't for me, apart from changing the password for that one site.
Now, because all of my logins in the universe were compromised, I had to set about rectifying this situation. I searched for information about password managers, which secure all of your passwords in an encrypted form. I opted for one and secured it with a passphrase. Tech experts say passphrases are much more secure and easier to remember than passwords. More secure because they are longer: three or four (or more) unconnected words are considered much safer than a shorter series. And easier to remember because they can be meaningful to the user, if to no-one else.
I spent many hours over the next few days changing my password at every site/forum/shop I had an account with (and deleted a few along the way). Each site is now protected by a different 16+ character password comprising random letters, numbers and shifted characters. The occasional site would say they only accepted passwords up to 14 or 15 characters, but that was easy to accommodate.
Now I only need to remember one password (passphrase) to be able to access the rest. The password manager I use is available as an add-on in my web browsers, has a stand-alone desktop app, and also comes as an app for my phone.
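To put some numbers on the points above (a short random password versus a leaked base with 123 stuck on the end, versus a four-word passphrase or a 16-character random password), here is an added example that is not from the original post or from any password manager. It computes the size of each search space in bits, converts that to a worst-case guessing time at an assumed rate of ten billion guesses per second (a hypothetical figure; real rates depend on how the site hashes passwords), and generates a passphrase and a 16-character password with Python's `secrets` module. The word list is a constructed stand-in; the entropy maths takes the list size as a parameter, and 7776 is the size of the standard Diceware list.

```python
import math
import secrets
import string

# Assumed offline guessing rate (hypothetical figure for illustration; the real
# rate depends on the hash algorithm the site uses and the attacker's hardware).
GUESSES_PER_SECOND = 1e10

# Constructed stand-in for a Diceware-style word list. A real list has thousands
# of entries; the maths below takes the list size as a parameter, so this sample
# only has to be long enough to draw from.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "fossil", "garlic", "hammock",
    "igloo", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]
DICEWARE_LIST_SIZE = 7776  # entries in the standard Diceware list (6**5)

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret drawn uniformly at random: `length` symbols,
    each chosen independently from `alphabet_size` possibilities."""
    return length * math.log2(alphabet_size)


def suffix_variants_bits(variants: int) -> float:
    """Extra bits gained by appending one of `variants` predictable suffixes
    (such as '123') to a base password the attacker already has from a leak."""
    return math.log2(variants)


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate in a search space of 2**bits."""
    return 2 ** bits / rate


def generate_passphrase(words, count: int = 4) -> str:
    """Pick `count` words independently using a CSPRNG (secrets, not random)."""
    return " ".join(secrets.choice(words) for _ in range(count))


def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password of `length` symbols from `alphabet`, using a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_schemes() -> dict:
    """Return {scheme: (bits, seconds_to_exhaust)} for the password shapes
    described in the post."""
    schemes = {
        "6 random lowercase characters": search_space_bits(26, 6),
        # The base is already leaked, so only the choice of suffix is secret;
        # 100 is an assumed number of common suffixes an attacker would try.
        "leaked 6 characters + one of 100 common suffixes": suffix_variants_bits(100),
        "4 random Diceware words": search_space_bits(DICEWARE_LIST_SIZE, 4),
        "16 random printable characters": search_space_bits(len(PRINTABLE), 16),
    }
    return {name: (bits, seconds_to_exhaust(bits)) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:50s} {bits:6.1f} bits  ~{secs:.3g} s to exhaust")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    print("example password:  ", generate_password())
```

The comparison makes the post's two lessons concrete: appending a predictable suffix to a password that has already leaked adds only a handful of bits, whereas four words drawn at random from a Diceware-sized list land around 52 bits and a 16-character random password around 105 bits, which is why a manager generating a different one of those per site is the right fix.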
My email address and passwords may have been pwned a few times in the past which compromised all of my logins, but if it happens again, only that one login will be affected. And such sites as internet banking all have two factor authentication so my password is useless without my phone and its PIN2.