How to check if your details have been compromised

Filed Under: Data loss, Featured, Privacy

Ever wonder where the term "Pwned" came from?

Rumour has it that it started with the game World of Warcraft (WoW), where a map designer, intending to write "the player has been owned", mistyped it as "the player has been pwned".

In any case, it is widely used today to mean you have been screwed in some way.

So there I was, perusing the web, when I found a rather interesting piece on Brian Krebs' blog called Are you on the Pwnedlist?, which introduces a new service from DVLabs (part of TippingPoint) called PwnedList.

PwnedList introduces itself as

"...a tool that allows an average person to check if their accounts have been compromised. No passwords are stored in our database. You can read more about where our data comes from here. Just enter an email address or username associated with any of your accounts to see if it's on our list. Data entered is not stored, re-used, or given to any third parties. Don't trust us? You can also use a SHA-512 hash of your email/username as input. Just don't forget to lowercase all characters first."
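The quoted text asks users to lowercase their identifier and submit its SHA-512 hash instead of the plaintext. The Python below, an added example and not code from the original post, from PwnedList or from Sophos, builds that token, checks it against a constructed index that holds only tokens (how the real service stored its data is not described here, so that part is an assumption), and shows the caveat a practitioner would want: an unsalted hash of a guessable email address or username is recovered by anyone who holds the token and a candidate list, so the hash hides your identifier from the service only to the extent that the service cannot guess it.

```python
import hashlib


def pwnedlist_token(identifier: str) -> str:
    """Build the lookup token the quoted text describes: lowercase the
    email address or username, then take its SHA-512 hex digest."""
    normalised = identifier.strip().lower()
    return hashlib.sha512(normalised.encode("utf-8")).hexdigest()


# Constructed stand-in for a breach index that stores tokens rather than
# plaintext identifiers. This layout is an assumption for the example.
KNOWN_BREACHED = {
    pwnedlist_token("alice@example.com"),
    pwnedlist_token("bob_the_builder"),
}


def is_listed(identifier: str, index=KNOWN_BREACHED) -> bool:
    """Client-side check: hash locally, compare against the token index.
    Case differences in the input do not matter because of the lowercasing."""
    return pwnedlist_token(identifier) in index


def recover_identifier(token: str, candidates):
    """Caveat: with no salt and a small candidate space, a token is reversed
    by hashing guesses until one matches. Returns the match or None."""
    for candidate in candidates:
        if pwnedlist_token(candidate) == token:
            return candidate.strip().lower()
    return None


if __name__ == "__main__":
    print(is_listed("Alice@Example.COM"))
    token = pwnedlist_token("alice@example.com")
    print(recover_identifier(token, ["carol@example.com", "alice@example.com"]))
```

The token is 128 hex characters, and forgetting the lowercase step produces a different token for the same address, which is why the quoted text insists on it.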

Now this will sound like great news to a lot of people. A team of security experts is doing some good work to help the folks on the internet find out whether or not they have been compromised.

And no doubt it could be useful if you needed proof that your identity has been compromised and wanted to "prove" the case to your bank or other businesses you interact with.

This is not the first site to offer this service. NakedSecurity writer Paul Ducklin wrote about it earlier this year in his article LulzSec, Anonymous and other hacks - should I change my password?

These types of service could also raise a concern: what is to stop a malicious site, masquerading as a helping hand, from requesting usernames (or even passwords) from internet users? Indeed, we have seen many nasty sites pretend to be legitimate or reputable over the years.

So I am not sure I agree that this site is for the average computer user (I don't know *ANY* average computer user who knows what a SHA-512 hash is).

If you consider yourself average, and if you are worried that your password on your email or other accounts might have been compromised, the first thing to do is change your password.

Do you use the same password on several sites? Are your passwords dictionary words? If yes, then maybe you really ought to address that now.

Make your new password as long and complex as you dare. You can use a random password generator to help you. If you are worried about forgetting it, find yourself a nice obscure poem from an obscure poet and use a different line for each of your passwords. Mix it up a bit. Use numbers or characters instead of specific letters ("e" could be "&", for instance).

You can even use a reputable password manager that encrypts your passwords to help you remember them as well as keep them safe from prying eyes.
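The advice above covers two things: generating a random password, and recognising one that is really a dictionary word in disguise. The Python below is an added example, not code from the original post or from Sophos. It draws a password from the operating system's CSPRNG via the `secrets` module and estimates its strength in bits, and it implements the check that a password cracker applies in reverse to the page's own "e becomes &" trick. `SAMPLE_WORDLIST` is a constructed five-word stand-in for a real cracking list, and `SUBSTITUTIONS` is an illustrative table, not an exhaustive set of mangling rules.

```python
import math
import secrets
import string

# Constructed, tiny stand-in for a real cracking wordlist.
SAMPLE_WORDLIST = {"password", "welcome", "letmein", "sunshine", "dragon"}

# The post suggests writing "&" for "e". Crackers apply such rules in reverse;
# this table is illustrative only (assumption for the example).
SUBSTITUTIONS = {"&": "e", "@": "a", "0": "o", "1": "i", "$": "s", "3": "e"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """Random password over ALPHABET using the OS CSPRNG (secrets), re-drawn
    until every character class is present so a draw is never all-letters."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Strength of a uniformly random password: length * log2(alphabet size).
    This does NOT apply to a poem line or a mangled word, whose entropy is far lower."""
    return length * math.log2(alphabet_size)


def undo_substitutions(password: str) -> str:
    """Reverse the substitution table and lowercase, as a cracking rule would."""
    return "".join(SUBSTITUTIONS.get(c, c) for c in password).lower()


def is_dictionary_based(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if the password is a wordlist entry once substitutions are undone
    and trailing digits are stripped, e.g. 'W&lcom&99' -> 'welcome'."""
    plain = undo_substitutions(password)
    return plain in wordlist or plain.rstrip(string.digits) in wordlist


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, round(entropy_bits(len(pw)), 1), "bits")
    for sample in ("P@ssw0rd", "W&lcom&99", pw):
        print(sample, "dictionary-based:", is_dictionary_based(sample))
```

A 20-character draw from 94 symbols is about 131 bits, which is what "long and complex" buys you; the substitution check shows why "P@ssw0rd" or "W&lcom&99" buys almost nothing, since the cracker's rules undo the disguise before the dictionary lookup.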


5 Responses to How to check if your details have been compromised

  1. Peter · 1022 days ago

    I use LastPass as it's generally great for both generating passwords, and remembering them for most sites!

  2. Jon · 1021 days ago

    I use RoboForm.

  3. nutherITguy · 1021 days ago

    I often suggest that users create one long complicated password, then I suggest they change one letter for every website that requires the password.

    For example. Lets say your password is MaiWebzA$995

    Pretty long, contains numbers, symbols, and has no dictionary words. Not too hard to remember JUST this password right? Now lets say you're logging on to yahoo email account. You could make your password for yahoo: MaiWebzY$995

    Or for G-mail: MaiWebzG$995.

    In this manner, you can create one powerful password that is nearly impossible to crack via brute force, and you can change it for every website but still remember it quite easily.

    Just don't write this down. ;-)

  4. Woo hoo, I'm no longer an average computer user... I know what a SHA-512 is... (and a SHA-256) just in case there's a quiz later.

  5. shewrite63 · 1015 days ago

    I would not trust my passwords to software or a service and would definitely not use the services of a "helpful" web site to determine if I had been pwned. D-uh.

    I have a memory like a steel trap. When that fails, most online services have the "forgot password" or "reset password" button that sends info to a very secure email account.


About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos's Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger.