Your password has been leaked”. In the past, the author was responsible for conveying this line to the relevant person.
Authentication information, which is a combination of IDs and passwords leaked from various web services, is bought and sold in places on the Internet called underground markets. In some cases, attackers do not sell authentication information and publish it as it is.
The author checked these authentication information and alerted those who found the organization’s email address. At that time, many people were surprised when I told them the opening lines, and asked back, “Where did the leak come from?” This is evidence that few people are aware that their authentication information has been leaked.
The thing to be sure to check when alerting is “reuse of passwords”. Refers to the act of setting the same password for multiple services. If the leaked password is used in the organization, it becomes a factor that allows unauthorized login. If the password is reused, have the password changed immediately.
Reusing passwords is a well-known bad practice. In addition to this, it has been said that password management should not be done, such as “write the password on a piece of paper”. On the other hand, there are some actions that have been recommended related to passwords, such as “using complex and difficult-to-guess character strings”, “correctly setting secret questions”, and “using the auto-fill function of web browsers”. Is this still the “common sense” of passwords? Let’s check how passwords are leaked and attack methods of unauthorized logins, and take a look at the correct management method.
More credentials exposed than the world’s population
First, how often are passwords leaked? News comes in that authentication information such as IDs and passwords have been leaked from various services. what is the total number?
There’s a website called “Have I Been Pwned? (HIBP)” where you can enter your email address and see if your credentials, including that address, have been compromised. As of January 2023, more than 12 billion credentials are registered here.
It’s possible that HIBP has duplicate information, but given that the world population is about 8 billion, you can see how many there are. It is better to think that most people who use Web services are outflowing. If in doubt, give HIBP a try.