Part 1: How did my password get hacked?

By RJ Gazarek

I really wish that we could tell you that the reason your password and account were hacked was some highly skilled, sophisticated character in a dark room lit only by a wall of computer monitors, just like on your favorite TV show. Unfortunately, this isn't the case. It's not that complicated, it's not that sophisticated, and your password was most likely hacked because of one of three things:

  • You had a different account that was already compromised
  • You downloaded a malicious program on your computer without knowing it
  • You accidentally gave your password to someone without knowing it

In this three-part series, we are going to look at each of these scenarios and see how to make sure none of them applies to you in the future.

You had a different account that was already compromised

Daisy chaining passwords is behind a large share of account compromises. Daisy chaining simply means using one password for multiple accounts across multiple websites, applications, and services. The problem should be obvious: if one of those accounts is compromised, every other account that uses the same password is compromised too. In practice this is how it plays out: a site you signed up for years ago is breached, your email address and password are leaked, and attackers then try that same email-and-password pair against banks, webmail providers, and corporate login pages (a technique known as credential stuffing). They never had to "hack" your bank at all; you handed them a working key.

Ask Yourself the following:

  • How many of your accounts use the exact same password?
  • Are any of those shared password accounts something critical, like a bank account, work email, or even your Active Directory password?
  • Assume that a breach happened today on one of your accounts, and an attacker accessed all of your accounts, how bad would that be for you, your family, or your organization?
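The questions above are easy to answer if you can see your own password reuse. The following script is an added example, not part of the original post and not a Thycotic tool: it reads a password-manager export in the common name/url/username/password CSV layout, groups accounts by password, and reports the "blast radius" of each reused password, flagging any account you have marked as critical. The export rows and the CRITICAL set are constructed sample data and an assumed list, not real accounts.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export (made-up accounts and passwords, not real data),
# in the "name,url,username,password" CSV layout many password managers produce.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,rj,Summer2016!
Work email,https://mail.corp.example,rj,Summer2016!
Forum,https://forum.example,rj_g,Summer2016!
Shopping,https://shop.example,rj,Tr0ub4dor&3
Streaming,https://tv.example,rj,correct horse battery staple
"""

# Assumed (hypothetical) set of account names the user treats as critical.
CRITICAL = {"Bank", "Work email"}


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can be shared without leaking the password itself."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def find_reuse(export_csv: str) -> dict:
    """Return {password_fingerprint: [account names]} for every password used by 2+ accounts."""
    groups = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_csv)):
        groups[fingerprint(row["password"])].append(row["name"])
    return {fp: names for fp, names in groups.items() if len(names) > 1}


def blast_radius(export_csv: str, critical=CRITICAL) -> list:
    """For each reused password, list every account one breach would hand to an attacker
    and which of those accounts are critical. Worst offenders first."""
    findings = []
    for fp, names in find_reuse(export_csv).items():
        findings.append({
            "fingerprint": fp,
            "accounts": sorted(names),
            "critical_exposed": sorted(set(names) & critical),
        })
    return sorted(findings, key=lambda f: (-len(f["accounts"]), f["fingerprint"]))


if __name__ == "__main__":
    for finding in blast_radius(SAMPLE_EXPORT):
        print(f"password {finding['fingerprint']} is shared by {finding['accounts']}; "
              f"critical accounts exposed: {finding['critical_exposed'] or 'none'}")
```

Run it against your own export and the answer to "how bad would a breach be today" is no longer a guess; any finding with a non-empty critical_exposed list is the password to change first. Delete the export file when you are done, since it holds every password in plaintext.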

If any of those questions made you nervous, then it's time to start doing the following:

  • Use Two-Factor Authentication (2FA) wherever possible. Many websites and applications let you turn on 2FA for your account, which requires you to type in your password as well as a one-time code that you retrieve from a hardware token or an authenticator app on your smartphone. A password leaked from another site is then not enough on its own to log in as you.

  • Use unique passwords everywhere, especially where 2FA is not available. It can be hard to remember a different password for every account; I alone have over 300 accounts with unique passwords! So use a password manager to keep control of them. There are a lot of really great free or low-cost ones for your personal life. If your organization needs a password manager, you will want something more business-ready: integrated with Active Directory, with audited password sharing, and able to discover local administrative accounts. We have a solution for that from Thycotic, called Secret Server. There is also a selection of really great free IT tools to help you better manage your passwords.

Source: Thycotic