Old password behavior is haunting many people. Password reuse is causing problems for people even if their data was not breached recently. Stolen data from numerous mega data breaches is appearing on the dark web, in some cases years after the theft. If a customer used the same password that appeared in a data breach, other companies where that customer has an account may ask them to change their password.
An increasing trend is for companies to attempt to identify customers that have used the same email and password combination on their site as well as on another site where data was stolen.
Companies generally store passwords using a process called hashing, a one-way transformation that keeps the plaintext password out of the database and reduces the risk of cyber criminals taking over accounts if the records are stolen. Each company uses its own algorithm.
Some of these companies are now running the plaintext passwords from other mega data breaches through their own hashing algorithm and checking whether the results match any password hashes already on their system. If there is a match, and the same email appears in both the stolen data and the company’s records, that customer has used the same email and password combination at more than one site.
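The matching process described above, as an added example that is not code from the article or from any of the companies it names. It assumes the site stores salted PBKDF2-HMAC-SHA256 hashes (standing in for "the company's own algorithm"; the iteration count, the user table and the leaked dump are all constructed for the example). Because the salt is per user, the leaked password has to be hashed with that user's salt before comparison rather than hashed once globally, and the comparison only works when the leaked dump contains plaintext passwords, not hashes from the other site's algorithm.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Assumption: this site's PBKDF2 work factor. Real deployments would use
# a purpose-built password hash (bcrypt, scrypt, Argon2); PBKDF2 is used
# here only because it is in the standard library.
PBKDF2_ITERATIONS = 100_000


@dataclass(frozen=True)
class StoredCredential:
    """One row of the site's own user table: email, per-user salt, hash."""
    email: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, playing the role of the company's hashing algorithm."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def enroll(email: str, password: str) -> StoredCredential:
    """Create a stored credential with a fresh random salt (emails normalized to lowercase)."""
    salt = os.urandom(16)
    return StoredCredential(email.lower(), salt, hash_password(password, salt))


def find_reused_credentials(user_table, leaked_records):
    """Return the emails of customers whose password on this site equals the
    plaintext password leaked for the same email elsewhere.

    user_table:     iterable of StoredCredential (this site's own records)
    leaked_records: iterable of (email, plaintext_password) from another breach
    """
    by_email = {cred.email: cred for cred in user_table}
    flagged = set()
    for leaked_email, leaked_password in leaked_records:
        cred = by_email.get(leaked_email.lower())
        if cred is None:
            continue  # not a customer here, nothing to compare against
        # Hash the leaked password with THIS user's salt and parameters; a
        # single global rehash of the dump would never match salted records.
        candidate = hash_password(leaked_password, cred.salt)
        # Constant-time comparison so the check itself leaks no timing signal.
        if hmac.compare_digest(candidate, cred.digest):
            flagged.add(cred.email)
    return sorted(flagged)


# Constructed sample data: a tiny user table for this site and a tiny
# leaked dump from some other site. None of these are real accounts.
SAMPLE_USERS = [
    enroll("alice@example.com", "correct horse battery"),
    enroll("bob@example.com", "bob-only-password"),
]
SAMPLE_LEAK = [
    ("Alice@Example.com", "correct horse battery"),  # reused: same email + password
    ("bob@example.com", "something-else"),           # same email, different password
    ("carol@example.com", "whatever"),               # not a customer here
]


def demo():
    """Run the check over the constructed data; only alice is flagged."""
    return find_reused_credentials(SAMPLE_USERS, SAMPLE_LEAK)


if __name__ == "__main__":
    for email in demo():
        print(f"notify {email}: password reused from another breached site")
```

The flagged list is the input to the notification or account-lock step the article describes. The whole check runs inside the company's own systems against its own records; the leaked plaintexts never need to be sent anywhere, and nothing about a customer's current password is revealed beyond the yes/no match.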
Proactive companies such as Twitter, Facebook and Netflix are notifying customers whose passwords matched. Facebook is said to be advising customers by email to change their password. Twitter and Netflix are both reported to have locked the affected accounts and to be requiring those customers to change their passwords.
The challenge for these companies is to help their customer change passwords to improve their individual cyber security while assuring the customers that the company’s data was not breached.
What You Can Do
If you received an email from a reputable company advising you to change your password, even if there has not been a publicly claimed data breach, you should go to the company’s site directly and follow their procedure to change your password to a new, unique one. Don’t reuse a previous password from that site or another site.
You should also change passwords for any other sites where you may have used the same password in the past. Many people used the same password for multiple sites years ago, before password hacking was such a problem. You may find it effective to have more than one email address, so that one leaked email and password pair does not unlock every account you hold. For example, use a different email for social media than you use for banking. Consider buying your own domain name from a provider with high security and use it for your most confidential online activity.
As a business owner, you should be sure your site reminds people to use a unique password. The password requirements should demand more than a minimum number of alphabetic characters. Learn more ways to protect your business at The National Cybersecurity Institute.