When I started drafting this blog post a while back, the title was “I Have Been Pwned Twice Already”. That number has since risen to five, and I’m assuming it will continue to rise as old breaches come to light and some long forgotten accounts get popped. So far, no immediate harm has been caused to me from these breaches, and I’ll contribute that silver lining to the reactive and since then proactive steps I’ve taken to ensure that’s the case now and in the future. This is how also you can harden your online presence against these (inevitable) breaches.
- Start by figuring out your baseline: search which of your accounts have been involved in breaches. Troy Hunt’s Have I been Pwned is one of the services where you can check that. Make sure to subscribe for future alerts as well.
- For the love of God, get a proper password manager! I’m running F-Secure KEY premium, but any of the big and reputable services will work. If you’re not familiar with password managers, basically they allow you to store all your login details in one secure place, you can create randomized, strong passwords, and most importantly you’ll be able to see for which services you’re re-using passwords – those are the ones you should change first!
- No, don’t use your browser’s built-in password manager. They’re pretty much inferior in every aspect, but on top of that they can also be used to track your online behavior (and that info will then obviously be sold to advertisers).
- Enable two-factor authentication (sometimes referred to as 2FA, MFA or two-step verification) where ever you can. If possible, select app-based authentication instead of SMS-based one. Or if you want to get serious about authentication, a hardware token like YubiKey is a good choice.
- Just delete your old accounts from services that you no longer use! Reduce your digital fingerprint and attack surface.
There are billions of account details in hundreds of breaches that have become public in way or another. Still most people are just out there YOLO’ing away with the same password or two across all their accounts! It can sometimes take months or even years for big breaches the get detected, published or reported, so chances are that some of your (and my) accounts have been breached, but the public just doesn’t know about it yet.
That’s why you need to start securing your accounts today.