Tactics to Avoid Password Leaks

Learn how Adaptive Multi-Factor Authentication combats data breaches, weak passwords, and phishing attacks.
Read more
Okta
Updated: 05/25/2022 - 12:31
Time to read: 12 minutes

Password leaks are a major problem which can expose your personal information to hackers.

Online password checkers can help to secure passwords by letting you know when a password has been compromised. You can then take important steps, including changing all your passwords, to secure your identity and personal information.

The prevalence of leaked passwords

With data breaches and password hacks regularly making the news, you may wonder how to approach password safety for yourself or the organization you work for.

When hackers gain passwords for email, social media, and even medical or bank accounts, they can steal lots of other vital information and even identities. When an institutional password is stolen, the company is vulnerable to theft, and the other employees are vulnerable to password breaches and identity theft.

So many parts of our lives involve online spaces, which include using passwords in dozens of different websites per day. This amounts to billions of login details, across billions of users worldwide.

Hundreds of websites are subject to hack attacks every year, and the stolen account details are sold on the black market or dark web. Unfortunately, you may not know that you have been hacked. When a company suffers a data breach, they may remain quiet about it for months or forever.

Understanding the history of password breaches

Almost any organization is vulnerable to data breaches like password leaks since most organizations use digital and online technology to connect workers, users/customers, and information. Technology, retail, medical, financial, and government organizations have all been the victims of cyberattacks like password leaks since at least 2004. In fact, since 2011, nearly 8 billion usernames alone have been leaked.

These major data breaches have led to password leaks:

  • 2011: Sony
  • 2012: LinkedIn, Yahoo, DropBox
  • 2013: Tumblr, Adobe, Evite
  • 2014: Rambler, Dominos
  • 2015: Ashley Madison, Clear Voice Systems, R2Games
  • 2016: Adult Friend Finder, LiveJournal, Youku
  • 2017: River City Media, Edmondo, Zomato, MyHeritage
  • 2018: MyFitnessPal, Houzz, Ticketfly, Shein
  • 2019: VerificationsIO, CafePress, LuminPDF, Canva, Facebook, Zynga, PDL
  • 2020: Minted, Wattpad

In the first six months of 2019 alone, data breaches exposed 4 billion records, usually including email addresses and passwords. These hacks are becoming more frequent, with hackers beginning to aggregate data from major leaks and either exposing passwords or selling them online.

Many people remember the infamous Experian breach in 2017, which exposed social security numbers, physical addresses, and birthdays, making it very easy for identities to be stolen.

2021 saw some of the worst data breaches yet. LinkedIn suffered a breach in April in which hackers said they scraped 500 million profiles and leaked 2 million profiles’ information as proof. Facebook barely reported a hack that affected 530 million of its users in April, and though the scraped information was from 2019, many usernames and passwords could be useful two years later.

Halfway through 2021, one of the worst password leaks in internet history occurred. Called RockYou2021, likely in reference to the notorious 2009 Rock You data breach, the file of unencrypted passwords was posted to a popular hacker forum in June. The poster claimed the file contained 82 billion passwords, and the document itself has 8.4 billion entries, weighing in at 100GB in just a plaintext file. Non-ASCII characters and whitespaces have been removed.

Even if the file only contains 8.4 billion individual passwords, rather than the 82 billion promised, there are only 5 billion internet users in the world, so the file covers at least one password for everyone.

By October of that year, many password checkers had updated their information with most of the RockYou2021 file, so you can use free checkers like CyberNews’s Personal Data Leak Checker online. But as data breaches and compilations like this one get bigger and more frequent, people may become desensitized to them and may not even check to see if their passwords have been leaked.

If you are an individual, you might just assume you have been compromised and go through the process of regularly changing your passwords and usernames. From a business perspective, IT managers should have processes in place to check employee passwords and keep systems secure.

How can I tell if I have been hacked?

Most major companies and their associated websites encrypt users’ passwords and information so that, in the event of a data breach, it is much harder for hackers to crack this information, giving users time to update their passwords and take other steps to secure their data. However, you should still take your own steps to keep your passwords safe from leaks.

It can take months for a large company to realize that their users or customers are the victims of a data breach, and even then, they may not tell each user directly about the hack. Instead, they may write a press release, which you may not find out about immediately. The worst way to find out that you, or your company, is the victim of a data breach is to discover that your identity has been stolen.

You may notice that your credit score randomly changes. You may begin to receive random messages on Facebook, Twitter, Instagram, WhatsApp, or in your email. A friend might contact you because they noticed unusual posts on your social media. You might get locked out of your own accounts when a hacker changes your password and username.

Your personal data could be held for ransom. Or, as increasingly happens to companies like medical facilities, patient, user, or customer data is held for ransom. Most frightening of all, you might suffer financial problems. You could lose your tax rebate, be denied a loan, or have money taken from your bank account.

How to check if your password has been leaked

Rather than wait for the worst to happen, you can use online password checkers yourself. Major companies like Norton Antivirus, Kaspersky, and Avast offer options, either for free or to subscribers, to check your passwords. Subscribers to many of these antivirus software programs may also be notified when the program notices suspicious account activity.

These companies keep databases of password breaches and compare your login details to this information. If your passwords come up, you will be notified so you can change them before your personal or company security is compromised.

A free option to see if your email or password has been “pwned” in a leak or breach is the website, Have I Been Pwned? This site was created by Microsoft regional director Troy Hunt, using data from breaches spanning at least the last decade to link your information to specific companies that suffered major security leaks. However, this site is designed for individual internet users, not businesses.

Several companies also offer business or corporate protection against data breaches including viruses, hacking, and password leaks. For example, SolarWinds keeps a Watchlist dedicated to IT managers in corporate environments, who need to monitor if and when passwords and company email addresses have been leaked or hacked. Their Identity Monitor software also offers a password checker that compares employees’ existing passwords to major databases, and finds other types of compromises that might lead to password leaks or other data breaches.

What to do if your password has been leaked

Unfortunately, when you are the victim of a password leak or data breach, you must take on some serious housekeeping.

Here are the steps you should take to manage your information after a password leak: 

  • Find all the accounts you regularly use, from email and social media to bank accounts and health insurance, and change all the passwords. Consider updating username information, if possible.
  • Use a service like Have I Been Pwned to find out which data breaches might affect you, so you can change your information on those accounts, or delete the accounts you no longer use.
  • If you use a password manager, update passwords there.
  • Consider getting a random password generator so you have fully new, unique passwords for all your accounts.
  • Some accounts might be linked (for example, your Etsy account might use your Facebook information as its login information), so unlink those accounts.
  • Check your accounts regularly for suspicious activity, and consider signing up for monitoring services.
  • Think about accounts you have for services you no longer use, and close those accounts.
  • Contact your family and friends to let them know about password leaks and data breaches, especially those that have directly affected you, as these might affect them too.

Since it can take some time to learn about password leaks or other data breaches, signing up for free monitoring tools can help individuals learn when their information is no longer secure. Two of the most popular are Google’s Password Checkup and Mozilla’s Firefox Monitor, which are extensions you can download for these popular browsers. Your antivirus software likely has password monitoring and management as additions to their subscription services too.

Worst passwords in history

You may think Open Sesame or a similar phrase from a famous story would be the worst password possible, but in modern times, there are many passwords that are overused and predictable.

NordPass compiles a list of some of the most common, least secure passwords and how often they are used. Here are some examples: 

  • 12345
  • 12456
  • test1
  • password
  • asdf
  • qwerty
  • iloveyou
  • dubsmash
  • princess
  • sunshine
  • ashley
  • 111111
  • 555555
  • soccer
  • family
  • michael
  • football
  • baseball
  • chocolate
  • fitness
  • abcd1234
  • letmein
  • changeme

Of course, these passwords are quick to set up and easy to remember. This appeal also marks them as extremely common, easy to guess, and consistent hits on NordPass’s worst passwords list.

Even if you create different passwords that are more secure than these, making a password that is easy to remember can still put your data at some risk of being hacked. This is even more true when, like most people, you use the same password or similar passwords across multiple programs, including software used for your job.

If you are an IT manager, you cannot stop employees from choosing the above passwords. However, you can take some prevention steps on your own and encourage employees to take personal prevention steps.

Best password security practices

A study found that as many as 44 million Microsoft users had recycled passwords, making it much easier for hackers to guess passwords to other accounts. Now that your accounts are secured, here are some prevention steps to take so your personal data is less likely to be compromised in the future: 

  1. Create a strong password, which is at least 15 characters long and uses a combination of different characters, including upper and lowercase letters, numbers, and symbols.
  2. Avoid common substitutions or repeating similar patterns of letters and numbers in your passwords. It might be easier for you to remember, but it is also easier for hackers to steal.
  3. Do not use memorable keyboard paths, like qwerty.
  4. Use a random password generator, which creates a totally unique password. Then, use a password manager to store it. These managers encrypt password information on the user’s end, making this information tougher to decrypt.

In the early days of the internet, best practices for password creation led to predictable combinations of letters, numbers, and symbols that were then used across multiple platforms. Hackers now have the tools to guess this type of password more easily than in the late 1990s and early 2000s, so security specialists have revised their recommendations for creating your own secure passwords.

Here are the leading recommendations: 

  1. Revised passphrase method: Rather than generating a random set of letters and numbers, or using one familiar word with a series of familiar numbers or symbols, security specialists now recommend that you choose a series of words and create a phrase with some uppercase and lowercase letters.

    Use uncommon words, names of famous people or places, and words in other languages. For example: CeruleanGraciasExcaliber.

    It is best to create a phrase that brings certain images to your mind so you can remember, but choose words that are not directly associated with you, especially names and places.

  2. Sentence method: Humans typically find it easier to remember sentences than a nonsense phrase because sentences more easily bring images to mind in a sequence. Software programs and artificial intelligence have a harder time decrypting passwords in sentences.

    One common approach using this method involves creating a sentence and then using the first two letters of each word to make the new password. For example, a sentence might be: “The quick brown fox jumped over the lazy dog.” So, the password would be: ThQuBrFoJuOvThLaDo.

  3. Multi-factor authentication (MFA): This is an added layer of protection on top of creating a unique password. One of the most common forms of MFA used to be text messages with randomly generated PINs, but hackers now use this method as phishing, or they can intercept this information and use it to hack into the site.

    In response, authenticators like that from Okta can generate unique PINs every few seconds, which can either be input manually or can link directly to the site to check that you are, in fact, who you say you are. Even if you or your users do not have strong passwords, effective MFA using an authenticator program can reduce the risk of leaked passwords. 

Preventing password leaks

These are other important security steps to take:

  • Install high-quality internet security software, which is often associated with antivirus software.
  • Allow automatic software updates to keep your computer updated with the latest security patches, or regularly check for updates.
  • Do not trust sites that do not have an SSL (secure sockets layer) certificate in the URL. Secure sites are HTTPS, while insecure sites are HTTP.
  • Use a VPN on public Wi-Fi.
  • Never send anyone your password through text or email.
  • Keep your antivirus program current.
  • Do not open suspicious-looking emails or texts, especially if they ask for your password.
  • If you receive an email or text asking for your password, consider going to the site and changing your password there, not through the email.

If you are the IT manager for a company, there are four basic steps to take to reduce the risk of a data breach like a password leak:

  1. Identify potential threats, like insecure passwords and data traffic.
  2. Secure application environments that use two-factor authentication and access request for outside devices. Never use another vendor’s services without checking their security protocols.
  3. Set up recovery mechanisms in the event of a hack.
  4. Build an assurance program to enable future compliance and company resilience.

Although your information is not going to be secure forever, taking basic prevention steps can keep your information secure for as long as possible. Password encryption from multiple fronts is the best way to keep hackers away from your data, even after a major security leak.

References

Ten Years of Breaches in One Image. (June 2021). The Verge.

14 of the Worst Data Leaks, Breaches, Scrapes and Security Snafus in the Last Decade. (April 2021). CNET Tech.

RockYou2021: Largest Password Compilation of All Time Leaked Online with 8.4 Billion Entries. (June 2021). Cybernews.

Reviewing the “Mother of All Leaks.” (October 2021). Forbes.

Check if Your Data Has Been Leaked. Cybernews.

How Worried Should I Be About My Password Being Compromised, Stolen in a Data Breach? Experts Say This. (December 2020). Forbes.

Homepage. Have I Been Pwned.

Password Leak Check. SolarWinds.

Password Checkup. Google Account.

Firefox Monitor. Firefox.

Here Are the Most Popular Passwords of 2019. (August 2020). NordPass.

Microsoft Security: Password Problem Affecting 44 Million Users Revealed. (December 2019). Forbes.

Has Your Password Been Stolen? Here’s How to Find Out. (December 2019). Forbes.