You've undoubtedly heard about some high-profile data breaches; some of the biggest companies in the world have had user login credentials or other sensitive account data stolen, from usernames and e-mail addresses to passwords, credit card details, home addresses, social security numbers, and plenty more.
Although there may not be much you can do to ensure that every company that has your data is handling it securely, there are a couple of things you can do to help avoid getting hacked whenever a new data breach comes to light: find out whether your data was exposed, and ensure that you use good password hygiene along with multifactor authentication whenever possible. Let's explore how to find out whether your e-mail address or password may have been leaked—and what it means to have good password hygiene.
Was my e-mail address included in a data breach?
Troy Hunt is the world's foremost expert on data breaches, largely because he has created and maintained Have I Been Pwned (HIBP), a site that offers a free lookup and notification service for data breaches and dumps. ("Pwned" is hacker lingo for "owned"—i.e. hacked or compromised.) You can safely enter your e-mail address at Hunt's site to see a list of any notable breaches and dumps that contain your e-mail address, and you can optionally subscribe to receive e-mail notifications about future dumps that contain your address.
Although HIBP will tell you whether or not your e-mail address is in a particular dump, for your protection the site doesn't keep track of which passwords have been associated with your e-mail address.
Was my password included in a data breach?
There are a couple of ways to determine whether one of your passwords may have been leaked in a public data breach. HIBP also has a "Pwned Passwords" lookup page where you can—brace yourself!—type in your passwords one by one and check to see if they've ever appeared in a password dump. If the idea of typing your passwords into a third-party site makes you uncomfortable, that's excellent—it should! Although Hunt has taken precautions to safeguard passwords and has cleverly engineered the page to not actually send any passwords typed on the page to his server, you'd be perfectly justified in being suspicious.
Thankfully, there are a couple of other ways to check for compromised passwords. If you use 1Password as your password manager, there's a feature called Watchtower that can look up whether or not your password has appeared in a dump on HIBP. Unfortunately, other popular password managers have not yet implemented this lookup feature; if you use some other password manager, you may wish to submit a feature request to the developer and point them to this page for details. In the meantime, another option is to import your data into a 30-day trial of 1Password so you can try out Watchtower. (Note: 1Password isn't a sponsor, and this is not an endorsement—but we do recommend using a trustworthy password manager.)
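The article says the Pwned Passwords page is built so that your password never reaches Hunt's server. The published HIBP "range" API does this with a k-anonymity lookup: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every hash suffix that shares that prefix, and finishes the comparison locally. The Python below is an added example written for this page (not Intego's or HIBP's own code) that performs that local half of the check. The range response it runs against is constructed inline so the demo works offline; the suffixes and counts in it are made up, except that the suffix for the password being tested is computed so the lookup finds it. The `fetch_range` function shows the one network call a real client would make and is not executed by the demo.

```python
import hashlib
import urllib.request

# Public HIBP "range" endpoint (k-anonymity model): only the first five hex
# characters of the password's SHA-1 hash ever leave the client.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix that is sent to the server, 35-char suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse a range response of 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the dumps, given the range
    response for the password's own hash prefix; 0 means no match."""
    _, suffix = split_hash(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Network step (not executed by the offline demo): fetch every suffix
    sharing `prefix`. The server learns the 5-char prefix, never the password."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (the prefix of SHA-1("password")).
# The other suffixes and all counts are made up for the demo.
SAMPLE_RANGE_RESPONSE = "\n".join([
    "0" * 32 + "AAA:2",
    split_hash("password")[1] + ":3730471",
    "F" * 35 + ":1",
])


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("prefix sent to server:", prefix)
    print("times seen in sample range:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

A password manager implementing a Watchtower-style check does essentially this for every stored entry: hash locally, fetch the range for each prefix, compare suffixes locally, and flag any entry with a non-zero count.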
If your password has been found in a data breach, change it immediately—and use the tips below and in our 8 Things to Do Right Now If You've Been Hacked article.
How can I avoid getting my accounts hacked?
Although your e-mail address will probably end up in a data breach or dump at some point, you can take some precautions ahead of time to help prevent your accounts from getting hacked.
1. Use a unique password for everything. Never reuse a password you've used in the past, because if one site gets hacked and your password becomes public knowledge, someone could try using that same password to break into your other accounts—and if you've ever reused any passwords, they might succeed.
2. Use strong passwords. There are a variety of schools of thought on what exactly constitutes a "strong" password, but experts agree that having a long password (or passphrase) goes a long way toward increasing password strength. Avoid using patterns that a clever attacker could use to guess your other passwords (see #1 above). Ideally, use a unique string of pseudorandom characters for each password; you can see some examples at GRC's site (which generates new pseudorandom strings each time you reload the page) or use a password generator built into your password manager (see #3 below).
3. Use a password manager from a reputable company. Naturally, if you've got dozens of unique, long, strong (and ideally pseudorandom) passwords, it's going to be nearly impossible to memorize every one of them, so you'll need to have a safe and secure way to look them up when your brain fails to remember them. A reliable password manager, properly implemented, can be an ideal way to store your passwords. Some popular and trusted password managers as of when this article was published include (in alphabetical order) 1Password, Dashlane, iCloud Keychain, and LastPass.
4. Set up multifactor authentication or two-step verification. The idea behind multifactor/two-factor/two-step verification is that if someone obtains your password (something you know), they'll also need something else—typically something you have (e.g. a phone, an app, or a hardware token) or less commonly something you are (i.e. biometric data based on your unique physical characteristics). Unfortunately, not every site or service supports two-step verification, but you should definitely enable the extra layer of security whenever it's available. There's a handy, searchable index called Two Factor Auth List to help you get started. And whenever possible, try to avoid SMS text messages or a call to your mobile phone as your second step, since they're hijackable—but if those are your only second-step options, they're better than nothing, so use them.
5. Don't answer "security questions" with real answers. Often the true answers to such questions can be found online or social-engineered from you, so you're better off answering with something entirely different—for example, yet another unique password or passphrase, which you can also store in your password manager.
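Tips #2 and #5 both come down to producing long, pseudorandom strings (for passwords, passphrases, and fake security-question answers) and knowing how much strength they actually carry. The Python below is an added example for this page, not code from Intego, GRC, or any password manager. It draws from the operating system's cryptographic random source via the `secrets` module (never the `random` module, which is predictable) and computes the entropy in bits of what it generates. The word list is a constructed dozen words for the demo only; a real passphrase generator draws from a published list of thousands of words.

```python
import math
import secrets
import string

# Printable ASCII minus the space character: 94 symbols.
SYMBOLS = string.ascii_letters + string.digits + string.punctuation

# Constructed, deliberately tiny word list for the demo; real passphrases
# should draw from a large published list (thousands of words).
SAMPLE_WORDLIST = ["orbit", "maple", "quartz", "violet", "anchor", "ember",
                   "harbor", "lantern", "meadow", "pixel", "ridge", "saffron"]


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `alphabet_size` choices."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need at least one symbol from an alphabet of size >= 2")
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose entropy reaches target_bits for this alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(length: int = 20, alphabet: str = SYMBOLS) -> str:
    """Uniformly random string from the OS CSPRNG (secrets, not random)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words: int = 6, separator: str = "-") -> str:
    """Random words joined by a separator. Each word is chosen independently,
    so repeats are allowed; that is what keeps entropy_bits() exact."""
    if words < 1:
        raise ValueError("need at least one word")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    print(generate_password(20), f"~{entropy_bits(20, len(SYMBOLS)):.1f} bits")
    print(generate_passphrase(SAMPLE_WORDLIST, 6),
          f"~{entropy_bits(6, len(SAMPLE_WORDLIST)):.1f} bits (tiny demo list)")
    print("random characters needed for 128 bits:", length_for_bits(128, len(SYMBOLS)))
```

The entropy figures make the "long beats clever" point concrete: 20 random printable characters give about 131 bits, while six words from a 12-word list give under 22 bits, which is why passphrases only work with a large word list. A random answer to a security question is just another `generate_password()` output stored in the password manager.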
How can I learn more?
For additional tips, check out these related articles:
- 8 Things to Do Right Now if You've Been Hacked
- How to Choose the Right Password Manager for You
- Two-Factor Authentication: How It Works and Why You Should Use It
- How to Choose and Answer Security Questions
Each week on the Intego Mac Podcast we talk about the latest Apple security news, so be sure to subscribe to make sure you don't miss any episodes. You'll also want to subscribe to our e-mail newsletter and keep an eye here on The Mac Security Blog for updates.