{"id":977,"date":"2013-12-05T18:25:02","date_gmt":"2013-12-06T00:25:02","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=977"},"modified":"2013-12-05T18:28:49","modified_gmt":"2013-12-06T00:28:49","slug":"password-breaches-dont-panic-be-prepared","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2013\/12\/password-breaches-dont-panic-be-prepared\/","title":{"rendered":"Password Breaches: Don&#8217;t Panic, Be Prepared"},"content":{"rendered":"<p>Hey, look, <a href=\"http:\/\/money.cnn.com\/2013\/12\/04\/technology\/security\/passwords-stolen\/\" target=\"_blank\">there\u2019s been another password breach<\/a>! Is it time to panic? I decided not to. In fact, I decided to pretty much ignore the whole story. As a result of this breach, I only rotated one password, and frankly, it wasn\u2019t because I was worried that this password had been compromised.<\/p>\n<p>Wait, shouldn\u2019t you panic? Based on a lot of the news stories I\u2019ve read, that\u2019s a popular option. However, there\u2019s no need to freak out if you are doing things right to begin with, and that\u2019s where you really should start.<\/p>\n<p><!--more--><\/p>\n<p>As I\u2019ve said before, I use a <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/02\/useful-computer-utilities-keepass\/\" target=\"_blank\">password manager<\/a>. None of my passwords are duplicates, so you can\u2019t get into my bank account with my Reddit password. That reduces the risk considerably from a breach like this. If you don\u2019t share passwords among sites, then the breach of one will have limited effect.<\/p>\n<p>Keeping that in mind, I took a look at this breach with a critical eye. First is the extent: the number of passwords for most of those sites was relatively low considering the userbase. Second is the attack method: the belief is that a keylogger was used to harvest these passwords. Given these facts, my assumption is that this was a relatively limited attack that only involved hosts infected with malware. I keep my anti-malware up to date, I keep my software up to date, I don\u2019t browse using an account with Administrator privileges, and I don\u2019t use Adobe Reader. I feel that I\u2019m probably not in this group of exploited users. Finally, it\u2019s come out that at least some of the affected sites have notified users, and I haven\u2019t received any sad emails.<\/p>\n<p>Plus, nothing has happened to make me think that any of these passwords has been compromised. My Twitter account, for example, would have almost certainly been filled with spam tweets by now had it been compromised. Ditto for Gmail (although I use <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/02\/google-two-factor-authentication\/\" target=\"_blank\">two-factor authentication<\/a> on my Gmail account so I was not worried at all about a compromise). I\u2019ve been on the receiving end of plenty of compromised email and Twitter accounts to know that attackers are not usually subtle.<\/p>\n<p>One exception to the obvious effect rule is Facebook, and that is the one password I changed. Not because of this breach, but because I hadn\u2019t changed it in about a year and criminals do squat on Facebook accounts, harvesting personal data that can be leveraged in other attacks. It\u2019s a good idea to rotate passwords on these kinds of accounts regularly, because there\u2019s always a chance somebody is hanging out in there. I used to be very strict about rotating commerce and banking accounts as well, but I realized that if somebody had my banking password, they would use it ASAP and get away with as much money as possible, so there\u2019s little reason to rotate passwords for these accounts preventatively.<\/p>\n<p>Even if I did feel the need to rotate all of these passwords, though, the fact that I use a password manager would make it quite easy. Just as it has been easy when I\u2019ve had to rotate my Adobe, LinkedIn, and Zappos passwords before.<\/p>\n<p>We\u2019ll always have password breaches, and there\u2019s nothing you can do to prevent that. What you can control, however, is how likely you are to be affected by malware, and how much damage a particular breach can cause. If you make sure you don\u2019t reuse passwords, you make it easy to rotate passwords when you need to, and you secure your computing environment, you don\u2019t need to panic when the next breach comes along.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, look, there\u2019s been another password breach! Is it time to panic? I decided not to. In fact, I decided to pretty much ignore the whole story. As a result of this breach, I only rotated one password, and frankly, it wasn\u2019t because I was worried that this password had been compromised. Wait, shouldn\u2019t you&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2013\/12\/password-breaches-dont-panic-be-prepared\/\">Continue reading <span class=\"screen-reader-text\">Password Breaches: Don&#8217;t Panic, Be Prepared<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[241,76],"class_list":["post-977","post","type-post","status-publish","format-standard","hentry","category-security","tag-breach","tag-password","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=977"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/977\/revisions"}],"predecessor-version":[{"id":980,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/977\/revisions\/980"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?post=977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}