You might be wondering how safe your passwords are; you might have heard that company data, your data, has been leaked. There have been many famous breaches. Companies such as Yahoo and Facebook have been breached. This is not to say they do not have excellent security measures in place or that their security is somehow lax. They spend millions to secure your data, but it goes to prove that even with vast resources, large companies are targets. These attackers can be malicious individuals, organisations and, in some cases, countries. It does not matter how safe your data is, it will at some point be breached or, to put it another way, leaked. The natural question that arises is: how safe is my data? While there can never be a comprehensive approach, there are some basic things you can do to check.
How to perform some basic checks
Navigate to:
Enter your email address and hit the "pwned?" button.
You will get an output similar to this:
I already use a popular password manager, so I did not sign up for a 1Password account. On the above screen, I clicked the "subscribe" button, entered my email address and confirmed the email which was sent to that address. This means I will get an email if there is another reported breach.
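The same service also lets you check an individual password against its breach corpus without ever sending the password. The following is an added example, not code from the original post or from Have I Been Pwned: it hashes the password with SHA-1, sends only the first five hex characters to the Pwned Passwords range API (https://api.pwnedpasswords.com/range/), and compares the rest locally against the returned list.

```powershell
# Added example (not code from the original post): check a password against
# Have I Been Pwned's Pwned Passwords corpus using the k-anonymity range API.
# Only the first five hex characters of the SHA-1 hash are sent; the full hash
# and the password itself never leave this machine.
function Get-PwnedPasswordCount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [securestring] $Password
    )

    # Decrypt the SecureString just long enough to hash it, then free the buffer
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    } finally {
        [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    }

    # Pwned Passwords indexes passwords by upper-case hex SHA-1
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    try {
        $digest = $sha1.ComputeHash([Text.Encoding]::UTF8.GetBytes($plain))
    } finally {
        $sha1.Dispose()
    }
    $hex    = ([BitConverter]::ToString($digest) -replace '-', '').ToUpperInvariant()
    $prefix = $hex.Substring(0, 5)    # the only part that is transmitted
    $suffix = $hex.Substring(5)       # compared locally against the returned list

    # The service returns every suffix sharing this prefix as "SUFFIX:COUNT" lines.
    # Add-Padding asks for dummy zero-count rows so the response size leaks nothing.
    $response = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                                  -Headers @{ 'Add-Padding' = 'true' }

    foreach ($line in ($response -split "`r?`n")) {
        $parts = $line.Trim().Split(':')
        if ($parts.Count -eq 2 -and $parts[0] -eq $suffix) {
            return [int]$parts[1]     # number of times this password appears in breaches
        }
    }
    return 0                          # not found: no known breach contains it
}

# Usage: prompt without echoing the password to the console
$count = Get-PwnedPasswordCount -Password (Read-Host -AsSecureString 'Password to check')
if ($count -gt 0) { "Seen $count times in breach data; change it wherever it is used." }
else              { "Not found in the Pwned Passwords corpus." }
```

A non-zero count means the password has appeared in at least one published breach and should be treated as burned everywhere it is reused; a zero count only means it is not in this corpus, not that it is strong.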
If you are like me and most of the rest of the world, you may be using Google Chrome as your browser. "Google Chrome...is far and away the most popular" - with 68.5% of users worldwide using it. If this is the case, you may be using it to help store your passwords. You can manage your password storage here: https://passwords.google.com/.
Recently, I noticed that when I was logging in to certain sites, I was getting
a message from Google Chrome warning me that a data breach on a site or app
exposed one of my passwords.
This window pops up and gives you the option of checking your passwords. If you see this and have not already checked your passwords, click the "Check passwords" button. You will be asked to verify it is you. Once you have entered your Google password, you will receive a report like this:
This is a genuine report about an account I have used and its associated website passwords. It is safe to say that most of these have been changed now!
How do we get into this state? I went through this process. For me, it was a combination of laziness and a poor memory. I started off using the same password for non-essential accounts, that is, accounts that did not require credit card and personal details. This became far too convenient. Even if I had not been on a website for months, I could still get in. However, this makes it easier for would-be attackers. I would recommend a strong, unique password for every website that requires a login. Here's where Google Chrome comes in handy.
To demonstrate this process, I have a site I have not updated yet and will show how Google Chrome can help. I have logged in to the website and navigated to the accounts section. How to do this will vary from website to website, but normally there will be an option to change your password somewhere in the account section of the website. I have clicked on the "reset your password" link. Some websites will take you to a form; this website has sent me an email. I have opened the email and clicked the "reset my password" button within the email. It goes without saying, do not click on these links if you have not requested a password change. If in doubt, delete the email and log in to the website directly. Do not click on any links within the suspicious email.
You will typically get taken to a screen such as
this:
If you are using Google Chrome, you can click into
the "New Password" box and this will happen:
Google Chrome will suggest a password, click
"use suggested password". Google Chrome will then fill both the
"new password" box and the verification box like this:
Click "reset my password". You will get a
pop up like this:
If you want Google Chrome to remember this password,
then click "Update password". This will store it for your next visit.
You could also copy the username and password into your password manager. You
are probably wondering how safe it is to store your password in Google Chrome.
Good question:
"On Windows, Chrome uses the Data Protection API (DPAPI) to bind your passwords to your user account and store them on disk encrypted with a key only accessible to processes running as the same logged on user."
Further details can be seen in the appendix.
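To make the DPAPI binding above concrete, here is an added example (not the post's or Chrome's own code) that protects a constructed sample secret with the same Windows API, CurrentUser scope, and shows that it round-trips only for the account that protected it. The function names Protect-Secret and Unprotect-Secret are my own.

```powershell
# Added example (not the post's or Chrome's code): the DPAPI binding described
# above, shown directly. Data protected with CurrentUser scope can only be
# unprotected by code running as the same Windows user on the same machine.
Add-Type -AssemblyName System.Security   # ProtectedData class (Windows PowerShell 5.1)

$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param([Parameter(Mandatory)] [string] $Plaintext)
    $bytes = [Text.Encoding]::UTF8.GetBytes($Plaintext)
    # Second argument is optional additional entropy; unused here
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, $scope)
    return [Convert]::ToBase64String($blob)
}

function Unprotect-Secret {
    param([Parameter(Mandatory)] [string] $Base64Blob)
    $blob = [Convert]::FromBase64String($Base64Blob)
    try {
        $bytes = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        return [Text.Encoding]::UTF8.GetString($bytes)
    } catch [System.Security.Cryptography.CryptographicException] {
        # This is what a different user (or the same blob copied to another PC) gets
        return "Unprotect failed: $($_.Exception.Message)"
    }
}

# Constructed sample secret, not a real credential
$blob = Protect-Secret -Plaintext 'example-secret-for-demo'
"Protected blob (opaque without this user's DPAPI key): $blob"
"Round trip as the same user: $(Unprotect-Secret -Base64Blob $blob)"
```

Run Unprotect-Secret on the same blob from a second local account (for example a PowerShell window started with `runas /user:OtherAccount powershell`) and it fails with a CryptographicException. That is the whole reason the advice below about separate Windows accounts matters: everyone who shares one logged-on account also shares the DPAPI key that protects its saved passwords.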
Google Chrome
Google Chrome allows access to your passwords, but only if you provide a password for verification. In this respect, it is like a password manager tool which allows access only after a master password is given. The data is stored encrypted on disk, which means that if the data is stolen it is extremely difficult to get anything useful from it. That being said, if you share an account on a PC - stop it, right now! No seriously, stop it. See the following guide from Microsoft and set up a separate account for each person using the PC: https://support.microsoft.com/en-gb/help/17197/windows-10-set-up-accounts.
Now that is out of the way, make sure you reset your password, and everybody is happy.
Accessing Google Chrome Password Manager
To access the password manager from Chrome, click the ellipsis (these guys) …
Select "Settings", then "Passwords" under the "Auto-fill" section. You will get a list of sites and usernames. This may be alarming; however, do not despair, they are quite safe. Click the icon that looks like an eye:
This will reveal the password; however, you must first prove who you are.
Type your Windows password to verify who you are and bingo, you have your password. This means you must make sure your Windows password is itself a secure one and that you do not share it with anybody else, which is why separate accounts are important. If other people need to use your computer, create a separate profile for them. Use the link given earlier in this article for guidance on this.
Getting back to my many password problems... If, like me, you have many issues to work through, start by changing a few a day. Start with the sites that are likely to hold the most information about you: sites which required your date of birth, your credit card information, and more. After this, run through the list of compromised accounts as suggested by Google Chrome Password Manager, then start going through the accounts with re-used passwords and finally go through the accounts using a weak password. It might take some time, but if you prioritise your most important accounts, you can quickly get a lot more secure. Remember that every security system, no matter how good, has flaws, but if we make it as difficult as possible for attackers, we have a far greater chance of keeping our identity safe from nefarious deeds.
Appendix
What about unmasking of passwords with the developer tools?
One of the most frequent reports we receive is
password disclosure using the Inspect Element feature (see Issue
126398 for an
example). People reason that “If I can see the password, it must be a bug.”
However, this is just one of the physically-local attacks described in the
previous section, and
all of those points apply here as well.
The reason the password is masked is only to
prevent disclosure via “shoulder-surfing” (i.e. the passive viewing of your
screen by nearby persons), not because it is a secret unknown to the browser.
The browser knows the password at many layers, including JavaScript, developer
tools, process memory, and so on. When you are physically local to the
computer, and only when you are physically local to the computer, there are,
and always will be, tools for extracting the password from any of these places.