Understanding Password Breaches in Chrome
If you use the Chrome browser, and particularly their password manager, you most likely have seen an alert popup in the past few months warning that a data breach has been reported.
While this alert was first seen on Chrome, a similar message is starting to appear on other browsers as well. The warning is significant and something you should act on as soon as possible, but there are some common misconceptions about what this means.
How it works
The way that the Chrome password manager functions is that whenever you save or update a username and password combination to the password manager, it uses those values and creates a special encrypted value called a “hash”. It compares the hash it has to a database of other “hashes” that have been collected from the litany of breaches over the past years. If it finds a match, you are presented with a warning.
When you see this warning, the site you are visiting is NOT the one that has been breached. Rather, the warning is telling you that the username and password you just used on this website has been identified in a breach from another site at some time in the past. This alert shows when the password or user/ password combination matches one you’ve used on another site. If you just created your account on this website, it follows that the username and password in the breach did not come from here, but rather another site. You do not need to roast the website owner about the security of their website; they are not the culprit. Simply change your password to something different and hopefully more secure.
Here’s what you should do
1) Change your password on this site. If you leave the password as it is, there is a potential that the username combination you used on this site is already known by someone else and could be used in a future attack. A quick password change will stop them in their tracks.
2) Remember where else you used this password and change it there too. Even though we are frequently told never to do it, we all use the same passwords in multiple places to save our brains. Think of the other sites that you may have used this password and go change it there too.
3) Sometimes the alert will show how many sites are using this password and will show what domains they correspond to in your keychain. Use Chrome’s “Safety Check” in the Settings panel (chrome://settings/safetyCheck) to see if there are any other passwords of yours that might have been disclosed. If you find any, change them too!
4) Turn on two-factor authentication if authentication, if available, for sites that include sensitive information. This can include banking, medical, and tax websites.
Once the smoke has cleared and you’ve created more secure passwords, there are additional steps to consider taking to strengthen your site user security. The first step towards stronger protection is to start using strong passwords.
As a business, you want to ensure that your site is not responsible for the breach. If not, you and your customers can rest easy knowing that their information is still secure on a system level. A way to help your users maintain secure accounts is to require passwords with stricter requirements. This can include requiring symbols, upper- and lower-case letters, and numbers. Also consider excluding common words, user information (such as their name or address) or famous people or names as viable options for their passwords.
As an individual, it’s important to understand what this alert is saying. You also have to take some personal responsibility for maintaining your own security and practicing smart online habits. While we’ve all done it for ease of use, using the same password across many sites increase the risk if one site becomes exposed.
The best way to create strong passwords is to use long phrases or gibberish characters that have no meaning to you and won’t be found in a dictionary. Chrome has this feature built-in, and most 3rd party password managers such as 1Password and LastPass include password generators. The downside is that they are not easily remembered and you will need your password manager to provide them for you whenever you need them. The upside is that they are incredibly unique, cannot be socially engineered, almost eliminates this problem.
These third-party password and login banks often have a master password. This means you only need to know one password to access all of your logins. They are typically a series of varied words broken with a dash or period (such as trout.gnat.nymph.bloat). Coming up with a story surrounding the words helps to make them stick in your mind. And remember not to save this login to your keychain or leave it written down.
You might also consider registering your email at HaveIBeenPwned.com. Started by security researcher Troy Hunt as he was analyzing the forensics of past data breaches, it has become the gold standard in breach notification and the data housed there is used by countless companies to notify their customers of potential credential exposures. It’s a free service and can tell you what breaches included your email address in the past and will notify you if your email is used in one in the future. This another way to ensure great peace of mind and allow you to take a more proactive stance on your security online.