How to check if your details have been compromised

Ever wonder where the term “Pwned” came from?

Rumour has it that it started with the game World of Warcraft (WoW), where a map designer, intending to write “the player has been owned”, mistyped it as “the player has been pwned”.

In any case, it is widely used today to mean you have been screwed in some way.

So there I was, perusing the web, and I found this rather interesting piece on Brian Krebs’ blog called Are you on the Pwnedlist?, a piece which introduces a new service from DVLabs (part of Tipping Point) called PwnedList.

PwnedList introduces itself as

“…a tool that allows an average person to check if their accounts have been compromised. No passwords are stored in our database. You can read more about where our data comes from here. Just enter an email address or username associated with any of your accounts to see if it’s on our list. Data entered is not stored, re-used, or given to any third parties. Don’t trust us? You can also use a SHA-512 hash of your email/username as input. Just don’t forget to lowercase all characters first.”

Now this will sound like great news to a lot of people. A team of security experts are doing some good work to help the folks on the internet find out whether or not they have been compromised.

And no doubt it could be useful if you needed proof that your identity has been compromised and wanted to “prove” the case to your bank or other businesses you interact with.

This is not the first site to offer this service. NakedSecurity writer Paul Ducklin wrote about it earlier this year in his article LulzSec, Anonymous and other hacks – should I change my password?

These types of service could also raise a concern: what is to stop a malicious site, masquerading as a helping hand, from requesting usernames (or even passwords) from internet users? Indeed, we have seen many nasty sites pretend to be legitimate or reputable over the years.

So, I am not sure I agree this site is for the average computer user (I don’t know *ANY* average computer user who knows what a SHA-512 hash is).
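For readers who do want to use the hash option quoted above, here is an added example (not code from PwnedList or from the original article) that produces the SHA-512 value locally and shows which input slips change it. The sample address is constructed, the function names are hypothetical, and UTF-8 encoding is an assumption.

```python
import hashlib


def normalise_identifier(identifier: str) -> str:
    """Trim surrounding whitespace and lowercase, as the quoted instructions ask."""
    return identifier.strip().lower()


def lookup_digest(identifier: str) -> str:
    """SHA-512 hex digest of the normalised identifier (UTF-8 is an assumption)."""
    canonical = normalise_identifier(identifier)
    return hashlib.sha512(canonical.encode("utf-8")).hexdigest()


def raw_digest(text: str) -> str:
    """Digest of the text exactly as typed, with no normalisation at all."""
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def common_mistakes(identifier: str) -> dict:
    """For each typical input slip, report whether the digest still matches."""
    canonical = normalise_identifier(identifier)
    correct = lookup_digest(identifier)
    variants = {
        "upper case": canonical.upper(),
        "trailing newline (e.g. from echo)": canonical + "\n",
        "leading space": " " + canonical,
    }
    return {name: raw_digest(value) == correct for name, value in variants.items()}


if __name__ == "__main__":
    sample = "Alice.Example@Example.COM"  # constructed address, not a real account
    print(lookup_digest(sample))
    for mistake, matches in common_mistakes(sample).items():
        print(f"{mistake}: {'matches' if matches else 'different digest'}")
```

The digest is unsalted, so anyone who already knows the address can compute the same value; it hides the address only from a party that does not hold it.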

If you consider yourself average, and if you are worried that your password on your email or other accounts might have been compromised, the first thing to do is change your password.

Do you use the same password on several sites? Are your passwords dictionary words? If yes, then maybe you really ought to address that now.

Make your new password as long and complex as you dare. You can use a random password generator to help you. If you are worried about forgetting it, find yourself a nice obscure poem from an obscure poet and use a different line for each of your passwords. Mix it up a bit. Use numbers or characters instead of specific letters (“e” could be “&”, for instance).

You can even use a reputable password manager that encrypts your passwords to help you remember them as well as keep them safe from prying eyes.