
Check if your online username and passwords are safe


You might be wondering how safe your passwords are. You may have heard that company data, your data, has been leaked. There have been many famous breaches; companies such as Yahoo and Facebook have been breached. This is not to say they do not have excellent security measures in place or that their security is somehow lax. They spend millions to secure your data, but it goes to prove that even with vast resources, large companies are targets. These attackers can be malicious individuals, organisations and, in some cases, countries. However well your data is protected, some of it will at some point be breached, or to put it another way, leaked. The natural question that arises is: how safe is my data? While there can never be a comprehensive approach, there are some basic things you can do to check.

How to perform some basic checks

Navigate to:

Enter your email address and hit the "pwned?" button.

You will get an output similar to this:



I already use a popular password manager, so I did not sign up for a 1Password account. On the above screen, I clicked the "subscribe" button, entered my email address and confirmed the email which was sent to it. This means I will get an email if there is another reported breach.

If you are like me and most of the rest of the world, you may be using Google Chrome as your browser.

"Google Chrome...is far and away the most popular" - with 68.5% of users worldwide using it.


If this is the case, you may be using it to store your passwords. You can manage your password storage here: https://passwords.google.com/. Recently, I noticed that when logging in to certain sites, Google Chrome warned me that a data breach on a site or app had exposed one of my passwords.


This window pops up and gives you the option of checking your passwords. If you see it and have not already checked your passwords, click the "check passwords" button.

You should be asked to verify it is you. Once you have entered your Google password, you will receive a report like this:



This is a genuine report about an account I have used and its associated website passwords. It is safe to say that most of these have now been changed!
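The report above only shows the result of a check. To show how such a check can be done without ever sending the password anywhere, here is an added example; it is not part of the original post and it is not how Google's own checkup works internally. It uses the public Pwned Passwords range API at api.pwnedpasswords.com, a service the post does not itself mention: the password is hashed with SHA-1 locally, only the first five hex characters of the hash are sent, and the service returns every hash suffix sharing that prefix together with a breach count. The password used at the bottom is a constructed test value.

```powershell
# Added example (not from the post): check a password against the Pwned Passwords
# range API without sending the password, or even its full hash, off the machine.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12   # needed on older Windows PowerShell

function Test-PwnedPassword {
    param([Parameter(Mandatory)][string]$Password)

    # SHA-1 of the candidate password as upper-case hex (the API's format)
    $sha1  = [System.Security.Cryptography.SHA1]::Create()
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Password)
    $hash  = ($sha1.ComputeHash($bytes) | ForEach-Object { $_.ToString('X2') }) -join ''
    $sha1.Dispose()

    # k-anonymity: only the first 5 hex characters leave the machine
    $prefix = $hash.Substring(0, 5)
    $suffix = $hash.Substring(5)

    # Add-Padding asks the service to mix in dummy entries (count 0) so the
    # response size does not reveal how many real matches the prefix has
    $response = Invoke-RestMethod -Uri "https://api.pwnedpasswords.com/range/$prefix" `
                                  -Headers @{ 'Add-Padding' = 'true' }

    # Response body is one "SUFFIX:COUNT" entry per line
    foreach ($line in ($response -split "`r?`n")) {
        if (-not $line) { continue }
        $parts = $line.Split(':')
        if ($parts[0] -eq $suffix -and [int]$parts[1] -gt 0) {
            return [int]$parts[1]     # number of times seen in breach corpora
        }
    }
    return 0                          # not found (or only a padding entry)
}

# Constructed test value; any real password you try here is hashed locally only
$count = Test-PwnedPassword -Password 'password123'
if ($count -gt 0) { "Seen $count times in breaches - change it" } else { "Not found in the corpus" }
```

A result of 0 is not proof that a password is safe, only that it is not in that particular corpus; a result above 0 means the password is already in the wordlists attackers use and should be replaced everywhere it was used.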

How do we get into this state? I went through this process myself. For me, it was a combination of laziness and a poor memory. I started off using the same password for non-essential accounts, that is, accounts that did not require credit card or personal details. This became far too convenient: even if I had not been on a website for months, I could still get in. However, it also makes things easier for would-be attackers, because a password leaked from one site is then tried against every other site where it was reused. I would recommend a strong, unique password for every website that requires a login. Here is where Google Chrome comes in handy.

To demonstrate the process, I have a site I have not updated yet and will show how Google Chrome can help. I have logged in to the website and navigated to the account section. How to do this will vary from website to website, but normally there will be an option to change your password somewhere in the account section. I clicked the "reset your password" link. Some websites will take you straight to a form; this website sent me an email. I opened the email and clicked the "reset my password" button within it. It goes without saying: do not click on these links if you have not requested a password change. If in doubt, delete the email and log in to the website directly. Do not click on any links within a suspicious email.

You will typically get taken to a screen such as this:


If you are using Google Chrome, you can click into the "New Password" box and this will happen:


Google Chrome will suggest a password; click "use suggested password". Google Chrome will then fill both the "new password" box and the verification box, like this:



Click "reset my password". You will get a pop up like this:


If you want Google Chrome to remember this password, click "Update password". This will store it for your next visit. Alternatively, you could copy the username and password into your password manager. You are probably wondering how safe it is to store your password in Google Chrome.

Good question:

On Windows, Chrome uses the Data Protection API (DPAPI) to bind your passwords to your user account and store them on disk encrypted with a key only accessible to processes running as the same logged on user


Further details can be seen in the appendix.

Google Chrome

Google Chrome allows access to your saved passwords, but only after you re-enter your Windows password for verification. In this respect, it is like a password manager which allows access only after a master password is given. On disk, the saved passwords are not stored in plain text: on Windows they are encrypted with DPAPI using a key tied to your Windows account, which means that if the files are copied off the machine, or read by another user on the same PC, it is extremely difficult to get anything useful from them without your logon credential. The important caveat is that the verification prompt is Chrome's own check; the encryption itself is transparent to anything running under your account, so another person using your account, or malware running as you, can read the passwords (see the appendix). That is why, if you share an account on a PC - stop it, right now! No seriously, stop it. See the following guide from Microsoft and set up a separate account for each person using the PC. https://support.microsoft.com/en-gb/help/17197/windows-10-set-up-accounts. Now that is out of the way, make sure you reset your password, and everybody is happy.
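To make the DPAPI point concrete, here is an added example, not Chrome's code, that calls the same Windows protection API (CryptProtectData, exposed to PowerShell as ProtectedData) with the CurrentUser scope the quote above describes. The secret is a constructed sample value. It shows both sides of the trade-off: the blob on disk is useless to another account, but any process running as you decrypts it without being asked for anything.

```powershell
# Added example (not Chrome's code): what DPAPI CurrentUser protection does and does not give you.
Add-Type -AssemblyName System.Security   # needed on Windows PowerShell 5.1; built in on PowerShell 7

$scope   = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [System.Text.Encoding]::UTF8.GetBytes('hunter2-example')   # constructed sample value
$entropy = $null   # no extra entropy: the logged-on user's DPAPI master key is the only secret

# Protect: the result is what ends up on disk
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
"Stored on disk: $([Convert]::ToBase64String($blob))"

# Unprotect from any process running as the same user: no prompt, no password asked for
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
"Recovered:      $([System.Text.Encoding]::UTF8.GetString($plain))"

# Save the blob so it can be tried from another account
[IO.File]::WriteAllBytes("$env:TEMP\dpapi-demo.bin", $blob)

# Under a different Windows account the same call fails with a CryptographicException,
# which is exactly why separate accounts matter. To see it, open a shell as another user:
#   runas /user:OtherUser powershell
# and run, in that window:
#   [System.Security.Cryptography.ProtectedData]::Unprotect(
#       [IO.File]::ReadAllBytes("C:\Users\<you>\AppData\Local\Temp\dpapi-demo.bin"), $null, 'CurrentUser')
```

The second window needs the other account's own logon, so the demo only works on a PC with more than one account set up, which is the point of the Microsoft guide linked above. The same property is what the appendix warns about: anything that already runs as you, including malware, does not need your Windows password to reach the saved credentials.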

Accessing Google Chrome Password Manager

To access the password manager from Chrome, click the ellipsis (these guys) … 
Select "settings", then "passwords" under the "auto-fill" section. You will get a list of sites and usernames. This may be alarming; however, do not despair, they are quite safe. Click the icon that looks like an eye:


This will reveal the password; however, you must first prove who you are. 


Type your Windows password to verify who you are and bingo, you have your password. Because your Windows password is the gate to every saved password, make sure it is a strong one and do not share it with anybody else, which is another reason to have separate accounts. If other people need to use your computer, create a separate account for them; use the Microsoft link given earlier in this article for guidance on this. 

Getting back to my many password problems... If, like me, you have a lot to work through, start by changing a few a day. Start with the sites that are likely to hold the most information about you: sites which required your date of birth, your credit card information, and more. After this, run through the list of compromised accounts as flagged by Google Chrome Password Manager, then the accounts with re-used passwords, and finally the accounts with weak passwords. It might take some time, but if you prioritise your most important accounts, you can quickly become a lot more secure. Remember that every security system, no matter how good, has flaws, but if we make it as difficult as possible for attackers, we have a far greater chance of keeping our identity safe from nefarious deeds.

Appendix

What about unmasking of passwords with the developer tools?
One of the most frequent reports we receive is password disclosure using the Inspect Element feature (see Issue 126398 for an example). People reason that “If I can see the password, it must be a bug.” However, this is just one of the physically-local attacks described in the previous section, and all of those points apply here as well.
The reason the password is masked is only to prevent disclosure via “shoulder-surfing” (i.e. the passive viewing of your screen by nearby persons), not because it is a secret unknown to the browser. The browser knows the password at many layers, including JavaScript, developer tools, process memory, and so on. When you are physically local to the computer, and only when you are physically local to the computer, there are, and always will be, tools for extracting the password from any of these places.



