Online Compromised Password Databases – Day 21 of Cybersecurity Awareness Month
Mike Miller 00:06
Today we’re going to discuss online password databases, which can help you understand the importance of strong password hygiene. Shelly, do you know there are online websites where you can search for your own email address and any breach data associated with email?
Shelly Miller 00:20
Isn’t that awesome?
Mike Miller 00:21
Yeah, yeah. So with us today is Craig Taylor to tell us more about these online password database websites, why they’re significant, and how to use them to improve your own cybersecurity programs.
Craig Taylor 00:33
You’re absolutely right, Mike and Shelly, there are multiple online websites on the public web. That’s an important point that I’m going to touch on. There you can search for publicly disclosed email addresses and things associated with them, which could be your passwords, your home address, your social media profile information, even your marital status, your tax information. All kinds of crazy things are breached. And they get reported publicly, when a company does the right thing and reports the breach.
The unfortunate truth is that that’s the tip of the iceberg. When it comes to these things, there are 10 to 50 times as many non-reported breaches that get collected by hackers, put on the dark web, not the public web, and are used by hackers to then breach us. So once I share this information with clients that I’m working with in my vCISO engagements and that I consult with, you know, they get over the initial shock of looking at their own email address and their own compromised accounts.
They then get over that, and they say, “Well, I need to do something about this, I need to think about it in terms of all the employees that I have within my company as well,” because it’s not just that one account that we’re looking at. The business owner, the SMB, the MSP says, “Well, I have to multiply this by the 20 employees I have in my company, or my client’s 50 employees. How many compromises are out there?” In earlier segments, Mike, we talked about what makes a strong password, namely length: the longer the better.
My passwords are never less than 14 characters, for example, and I always store them in a password manager. And I pair the critical passwords with two-factor or multi-factor authentication. We’ve covered those topics during Awareness Month, so I won’t digress further than to say, for those listening: long passwords in a password manager, paired with two-factor on all critical accounts. And really, I bring those up because sometimes, when you’re a business owner, you get pushback on that from your employees. And what I would suggest you do is bring your employee to one of these websites, on the dark web or on the public web, and show them the compromised data that’s out there for them. Because that helps you get agreement with your clients, with your employees, with anybody that’s pushing back on that. It’s very helpful.
Mike Miller 03:05
Yeah, yeah. So we’re beginning to see a picture about the importance of passwords, right, that you’ve learned over the past few videos. So tell us, you know, what are these websites that our viewers can go to in order to check for themselves?
Craig Taylor 03:22
Right, so I did mention bringing your client or your employee to these sites, and there are two public domain websites that have a good amount of data. In fact, my favorite is Have I Been Pwned. Troy Hunt and I have communicated in the past; he’s actually been doing this for over a decade. And recently, this is really big news, he’s partnered with the FBI.
See, the FBI does investigations and doesn’t make public a lot of their findings or the results of their findings. It’s protected information. But what they are going to do is partner with Troy Hunt and publish their findings of all the breached information of one kind or another, and share it with Troy in the Have I Been Pwned website, so that the accuracy and the aggregate amount of data is higher, to better represent a little bit more of what’s out there in the hands of hackers. So it’s really quite a useful site.
So it’s Have I Been Pwned. Way back in 2015, when I started using that site, he had about a billion and a half credentials in there that could be checked. The unfortunate truth is it’s grown exponentially to almost 12 billion entry points today. And remember, if you imagine a picture in your mind, an iceberg, and above the waterline of the iceberg is the ice that’s showing: that’s the 12 billion accounts. Below the waterline is probably 100 billion more that a hacker can search on all of your employees to find the one person who is reusing their account from the LinkedIn or Yahoo or Dropbox breach of years ago on their VPN or critical email account today. That’s how they get in.
The second site is Dehashed. Dehashed is a little bit of a different site because it has roughly the same amount of records, 14 billion records today. But you may have to subscribe there. And that’s okay, there’s no harm in doing it. I think it’s free. CyberHoot pays for a relationship with both of these vendors to be able to pull it into our tool, so we automatically provide these dark web reports to all of our clients in CyberHoot. But the interesting part about Dehashed is they’ll actually give you some of the password information that has been breached.
So you could go to a prospect, and you have to be careful because they might take offense to this, or an employee, and say, “Hey, is your favorite password root banana, or August,” or whatever month of the year it is, “because here I see your LinkedIn account. And here’s your password for that account. Here it is, the actual password.” So that can really be sobering for some employees, to see their own password sitting in their boss’s hand or out there as public knowledge on the internet.
And again, this is just the tip of the iceberg in the public sites. So I guess in summary, if employees complain about the cybersecurity requirements you’re putting out to your company, which is migrating from an old standard of nine-character, complex, 90-day passwords to 14-character or longer, non-complex, non-expiring passwords that you store in a password manager and pair with multi-factor authentication, the best advice I can give you is to bring those folks that are complaining to these two sites, Dehashed and Have I Been Pwned, and just show them what we’re all up against. And then they might understand that it’s not even just me, it’s like the 20 other employees here that are all being targeted for that one weak account that can be breached, to get a hacker in and a ransomware event or something else. So with that knowledge, hopefully you’ve become more aware and you apply it so that you become more secure.