Honestly, I had never come across the word “pwned” before. But as I started Googling as the steam was rising off my morning coffee, it quickly became apparent why Troy Hunt created and named a website called Have I been pwned?.
It’s a free online resource for anyone to check if they may have been put at risk due to an online account of theirs having been compromised in a data breach.
Before getting too technical, let’s start at the beginning.
There are a few stories around the origins of the word pwned, an offshoot of “owned”, pronounced as “poned”.
According to lifewire.com pwned is a commonly used expression (both online and offline) that can mean:
- to be dominated
- to be controlled against your will; or
- to be defeated by a superior power
Almost daily, we hear stories of how individuals, businesses, companies and organisations have been pwned - dominated, controlled, defeated - by cyber attackers, hackers, scammers and spammers.
Just yesterday a client told me it felt like his company had been “raped” after being hit by a dreaded ransomware attack.
Hunt, a Microsoft regional director, blogger and cyber security expert, started the website Have I been pwned? in the wake of the largest ever single breach of customer accounts at Adobe in late 2013.
As he says on his website: “I often do a post-breach analysis of user credentials and kept finding the same accounts exposed over and over again, often with the same passwords which then put the victims at further risk of their accounts being compromised.”
So he developed the site to aggregate the data of breaches to help victims find out if their accounts had been compromised and to highlight the severity of the risks of online attacks.
A breach is defined as an incident where a hacker illegally obtains data from a vulnerable system, usually exploiting weaknesses in the software.
How to check
Once you land on the site, you can immediately check if your email address or username has been compromised. You can also check for pwned accounts across an entire domain, but you do need to verify that you have control of the domain you are searching.
It will then search a database compiled by consolidating the publicly available major hacks that have occurred on the internet.
If your information is found, you will be shown a window with the pertinent details, such as the breached site, the email address and/or the username. It may also display any password hints you entered on that site. You then need to go immediately to the affected website and change your password.
Password best practice
Cyber security expert Oren Falkowitz notes: “If you can’t imagine why someone would target you, you don’t appreciate your data assets (or those to which you’re connected), and you will fail to protect them properly.”
The best way to protect yourself online is to use strong passwords. That means a mixture of many (14 or more) characters that include numbers, letters (upper and lowercase), and special characters.
The problem is, however, that we need a password for just about everything we do online these days - from banking to shopping, subscribing to access-controlled sites and social media - and using the same one everywhere is a really bad idea. Also, it’s impossible to memorise even a handful of these longer, more secure passwords.
The best way to get a handle on your passwords is to use a secure password manager such as LastPass, which can be installed as a desktop application or as a browser extension.
LastPass will generate and store unique passwords for you. All you have to do is remember your master password to access your account.
Hunt notes that reusing passwords is “normal” and so common “because it’s easy and people aren’t aware of the potential impact.” He says attacks such as credential stuffing take advantage of reused login credentials by automating login attempts against systems using known email and password combinations.
You are able to check passwords against those obtained from previous data breaches on the Have I been pwned? website.
Final do’s and don’ts:
- Use passwords that can't be easily guessed, and protect your passwords
- Minimise storage of sensitive information
- Beware of scams
- Protect information when using the internet and email
- Ensure your computer is protected with antivirus and all necessary security "patches" and updates
- Secure laptops and mobile devices at all times: Lock them up or carry them with you
- Shut down, lock, log off, or put your computer and other devices to sleep before leaving them unattended, and ensure they require a secure password to start up or wake up
- Don't install or download unknown or unsolicited programs/apps.
- Secure your area before leaving it unattended
- Make backup copies of files or data you are not willing to lose
Source: https://its.ucsc.edu/security/top10.html
By Gregory Rule