When you own online assets, security is particularly important. Think about it: what would happen if every web account you own was suddenly under someone else's control? Most people don't realize just how catastrophic that would be until it's too late.
Recently, the number of domainers getting attacked seems to have increased. Their accounts are hijacked and their domains irreversibly stolen. Sure, often the accounts are recovered, but rarely before anything valuable has been transferred. This is a sign that we should examine our online habits to determine where our weak spots are and how we can strengthen them.
The first step of security is to understand what you're up against. After countless hours of research and even talking directly to the enemy, here's what I've learned:
Many of the hijackings we've seen lately were probably the result of dictionary attacks. In a simple scenario, a hacker has a list of common passwords (a dictionary), and they use software to automatically attempt each one until they find a match. Although many popular websites have measures in place to block repeated login attempts, there are plenty that don't. Because most people use only one or two passwords on every site they visit, it's trivial for a hacker to find an insecure website, run a dictionary attack on an account there, and then use the resulting password to hijack more valuable accounts.
Naturally, the solution is to use an obscure password, right? Not quite. Websites get hacked every day; when this happens, the hacker will often sell the site's database to other troublemakers. The more information the database contains about each person, the higher the price. The target website won't necessarily be aware that anything has happened, so there may never be a warning sent out to users; even if they are aware, many sites don't want to admit that they've been compromised. This means hackers aren't just adding common passwords to their dictionaries, but they're also adding lists of passwords that anyone has used on specific websites.
Sometimes hackers release these databases (called dumps or leaks) to the entire underground community, free of charge. Security researchers log these events and keep historical records of significant leaks. Most people who are moderately active online probably have their information in at least one public leak. Not all of these leaks have enough information to easily determine the password of every user, but any information at all can help a hacker gain access to your accounts.
I've created a tool that can check to see whether your password is in any leaks that are commonly used in password dictionaries. As of writing, the tool knows just over 29 million passwords. Note that this isn't the only factor in password security; there are other elements to choosing a secure password. However, it's important to know whether your password is a ticking time bomb. (Note: We do NOT log or analyze passwords entered into the form, anonymously or otherwise.) Hi, Paul from the future here: I discontinued this tool when HaveIBeenPwned implemented their own, more robust version. I now recommend using that instead.
There is another tool, HaveIBeenPwned, that you should also use to check the security of your accounts. Rather than indexing passwords, it indexes usernames and email addresses. This addresses a similar issue from a slightly different angle; it's worth taking a look at both tools. They each index different types of leaks. As of writing, both tools mostly only contain information from public leaks.
Knowing all of this, the importance of avoiding password reuse should be clear. Changing your password a little for each site still counts as password reuse, especially if the changes follow some sort of pattern that can be guessed or automated by a hacker. In order to protect your online assets, you must have a separate password for each website. This also means you need a secure means of generating and storing your passwords. More on this aspect later.
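The leak-check tools above, and the point about "slightly changed" passwords, can be shown in a few lines of Python. This is an added illustration, not the author's discontinued tool or HaveIBeenPwned's code: it assumes a tiny constructed list standing in for a breach dump, indexes SHA-1 hashes by their first five hex characters so the lookup side only ever sees a prefix (the k-anonymity idea HaveIBeenPwned uses), and then tests whether a password, or a trivially tweaked version of it, appears in the leak.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus (a real dump has millions of rows).
LEAKED_PASSWORDS = ["password", "123456", "password", "letmein", "qwerty", "domainer2012"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(passwords):
    """Server side: group SHA-1 hashes by their first 5 hex chars and count occurrences."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index

INDEX = build_range_index(LEAKED_PASSWORDS)

def range_query(index, prefix: str) -> dict:
    """Server side: the only value it ever receives is the 5-char prefix (k-anonymity)."""
    return dict(index.get(prefix, {}))

def leak_count(index, password: str) -> int:
    """Client side: hash locally, fetch the prefix bucket, match the 35-char suffix offline."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)

def normalize(password: str) -> str:
    """Undo the small tweaks people make when reusing one password across sites."""
    base = re.sub(r"[\d!@#$%^&*._-]+$", "", password.lower())  # drop trailing digits/symbols
    return base.translate(str.maketrans("@0$", "aos"))          # undo common leetspeak

def check_password(index, password: str) -> str:
    """Return 'leaked', 'variant_of_leaked', or 'not_found' for a candidate password."""
    if leak_count(index, password) > 0:
        return "leaked"
    base = normalize(password)
    if base != password and leak_count(index, base) > 0:
        return "variant_of_leaked"
    return "not_found"
```

Running `check_password(INDEX, "P@ssw0rd1!")` classifies that password as a variant of the leaked "password", which is exactly the kind of "changed a little" reuse the paragraph above warns against.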
Also worth reading:
- @jamesiles's blog post on two-factor authentication (2FA): Domain Theft Can Be Stopped. Here's How.
- Troy Hunt's blog, creator of HaveIBeenPwned: TroyHunt.com
Next: Part 2: Phishing Emails