';--have you been pwned?

security Aug 25, 2020

Do you use the same password at different websites?  Most people do because they're unaware of the risks.  According to Rockit, 18-24-year-olds are the worst at doing this.

So, this is a problem?  Well yes - if any of those websites gets hacked and your password stolen, then the attacker can log on and pretend to be you at any website you’ve used that same password.  In other words, you’re pwned!

The word "pwned" originated from the online computer game World of Warcraft, where a map designer misspelt ‘owned’ (where own was intended to be used in the sense of 'conquer' or 'dominate'). When the computer beat a player, a message along the lines of "X has been owned" should have been displayed. Instead, it said "X has been pwned".  Conveniently, pwned is also a nice combination of the words 'power' and 'owned' or 'perfectly owned'.  Regardless of its origin, pwned has gained currency in common parlance.  It made it into the Oxford Dictionary in 2015 and simply means ‘defeated’ in any kind of competitive context.

Anyway, back in 2013 a security expert, Troy Hunt, was analysing data breaches for trends and patterns.  He realised that many breaches could harm users who might not even be aware their data was compromised.  As a result, he developed the Have I Been Pwned website (HIBP).

HIBP allows you to check if any of your email addresses have been involved in a data breach.  As of the time of writing, HIBP has indexed over 10 billion pwned accounts across 478 pwned websites.  You can check if any of your logons have been pwned by visiting https://haveibeenpwned.com/.  Check it out!

Visit haveibeenpwned.com to check if you’ve been pwned

Earlier this month Troy decided to open source HIBP following a failed (and extremely tiring) M&A process, and wrote this great blog article.  He describes much of his journey with HIBP and explains why he decided to open source it.  If you’re interested in this type of thing, his experience makes for a great read.

How to forget all your passwords (except for one)

It’s easy to protect yourself from this type of attack by using a password manager. The best thing about password managers is they remember your passwords for you, which means you can have as many of them as you like!  They also generate stronger passwords than you could ever hope to come up with yourself, and some even check HIBP automatically. This means you’re more secure and only need to remember one ‘master’ password.

If you work in IT you probably already use a password manager, but if you don't, or you know someone who doesn't, then check out this August 2020 article by Wired:  The Best Password Managers to Secure Your Digital Life.

Many of these have family deals too, which are great if you have teenagers in your house or want to share passwords with your partner.  An annual subscription might even make a good Christmas present!

Peter Brook

Peter is our vBridge Operations and Information Security Manager. He has over 20 years' experience in many NZ organisations including PGG Wrightson, CDHB, Lyttelton Port Company and Spark Digital.