Earlier this month, security guru Troy Hunt added a staggering two billion unique email addresses and 1.3 billion unique passwords to his Have I Been Pwned and Pwned Passwords databases. Aggregated by Synthient, the data comes from multiple credential stuffing sources shared by threat actors, as well as data stolen directly from individuals through infostealer malware.
The number of people affected is so massive that the rollout of notifications went out in waves to Have I Been Pwned subscribers. (This service is free—enter your email address into the HIBP search field, and then click on the Notify Me button that appears before any results.)
The data also has particular characteristics that stood out to me. (You can read more about them in Hunt’s blog post.)
Between these details and the questions I’ve fielded about what to do next, I’ve changed my advice on the “right” moves for good online security.
Here’s what I now recommend.
Different email addresses for every account
Using the same email address to log into each of your accounts makes a hacker’s job easier. They can plug that info into a website along with any password they think (or know) you’ve used.
This credential stuffing attack often works because people reuse passwords. So an easy way to avoid getting tripped up this way: Use a different email address for every account.
In the old days, you had to create an actual separate account each time you needed a new email address. Not anymore.
You can create and manage masked emails for all your online accounts so vendors don’t see your actual email address.
Nowadays, you can use email aliases (aka “email masks” or “masked email”) for the same purpose. To other people, it will seem like you have a different email address across your accounts. Meanwhile, you can receive messages all in one place (if you so choose). An alias forwards your emails wherever you want them to go.
The most basic version of an email alias is the ability to add extra text to the end of your email handle (e.g., samplemail+extratext@domain.com). The format is the plus sign (+) and then whatever string of letters and numbers you want to add. Gmail and Proton Mail are two email services that support this style of email alias.
For added privacy, you can use dedicated email masks to completely hide your true email address. For example, you receive email at samplemail@domain.com, but you’d prefer to keep that address private. So you use the built-in masked email feature provided by your email service (if applicable), or you sign up for an independent service to generate random email aliases like sample.word0000@domain.com or 19xij3900x9@domain2.com.
PCWorld
Proton Mail, Fastmail, and Apple’s iCloud Mail are all examples of email services that include email masks. (Proton Mail and iCloud Mail call them “hide-my-email” aliases.) You can also sign up for Mozilla Relay, SimpleLogin, or another email masking service if you already have an email address elsewhere that you’d rather keep using.
A basic alias that relies on a +extratext style addition to your email address at least makes each login harder to guess. (Add text to your email address that isn’t obvious or guessable based on the website info. For example, avoid +target if you’re on Target.com.)
But having both security and privacy is the better call these days—it makes it harder for someone to build a profile of you to create personalized, more effective phishing emails and text messages. So a truly anonymous email alias service is the better way to go.
Update your old passwords
In Troy Hunt’s writeup about importing the password data, more than one person who responded to his inquiry estimated their compromised passwords to be between 10 and 20 years old.
A couple of the characteristics hinted at for these ancient credentials: They weren’t long, for starters, at about eight characters. And the “variations” barely counted as such. (One person confirmed that one compromised password differed from another compromised password only by two extra exclamation marks (oof) tacked onto the end.)
What makes for a good password has changed a lot in the past decade, and especially so in the past two decades. If you have old ones you have never updated, it’s time to revisit them. Shorter passwords are easy to crack now, thanks to improvements in computational performance. And what we considered random and strong in 2005 (e.g., p@$$word!) isn’t at all now.
Plus, with website breaches happening left and right as of late, you could have a pretty decently random password with the magic combination of one lowercase, one uppercase, a number, and a special character—but it could still be compromised because you’ve used only weak variations of it. (Or worse, have been outright reusing it.)
Even if you’re not using old accounts anymore, don’t leave them weakly protected with a crappy password. You may have other information like addresses, phone numbers, and other data that can be stolen and used for targeted phishing attacks.
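Here is how the Pwned Passwords range check mentioned above works end to end, as an added example that is not from this article or from Have I Been Pwned’s own code. The range response text is constructed for the example (the first suffix is the genuine remainder of SHA-1("password"); the other suffixes and all counts are made up); the API URL and the Add-Padding header are the real service’s.

```python
import hashlib
import urllib.request

# Constructed stand-in for what a Pwned Passwords range query returns for the
# SHA-1 prefix "5BAA6": one "<35-char suffix>:<count>" line per hash in that
# range. Only the "1E4C9B..." suffix is real (SHA-1 of "password"); the other
# lines and every count are invented. A count of 0 marks a padding entry.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
1F2D3C4B5A69788796A5B4C3D2E1F001123:0
9A2B4C6D8E0F13579BDF02468ACE13579BD:12
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password and split the hex digest into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict, dropping padding entries."""
    seen = {}
    for line in body.splitlines():
        if ":" not in line:
            continue
        suffix, count = line.strip().split(":", 1)
        if int(count) > 0:
            seen[suffix.upper()] = int(count)
    return seen


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus (0 = not found).
    The match is done locally, so the service never sees the full hash."""
    _, suffix = split_sha1(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the 5-char prefix is sent; with
    padding on, the response size also reveals nothing about the range."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password", "p@$$word!"):
        prefix, _ = split_sha1(pw)
        body = SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""
        print(pw, "->", breach_count(pw, body), "hits in the sample data")
```

To check a real password, replace the sample text with `fetch_range(prefix)`; the password itself is never transmitted, only the first five hex characters of its SHA-1.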
Clean up (or delete) old accounts
Speaking of stealable personal information—if you have accounts you use infrequently, clear out details that don’t need to stay on file. Even if your password’s never stolen, the data could still leak if the website owner is a victim of hackers.
Credit card info is the first thing I delete on shopping accounts. (Better to save that in your password manager, if you want the convenience of autofill.) But you can wipe your home address, phone number, and other details, too, to make it harder for a hacker to figure out your habits and guess at the smartest way to trick you out of your money (or valuable info that would lead them to your money).
Not planning to ever use the account again? Or so infrequently that it wouldn’t matter if you pay for your items as a guest? Just delete the whole thing.
Switch to passkeys
I beat this drum hard these days, and for good reason. A hacker can find out your email address and your old passwords, sure. But if you switch your primary login method to a passkey, that won’t do them any good.
Passkeys work differently than passwords. They can’t be stolen directly or used remotely by unauthorized devices. (A hacker could break into the account where you store passkeys, if you keep them in a cloud-based service, but that’s different.) They’re also tied to the website they were created for.
So a credential stuffing attack won’t work on a passkey-guarded account. And if you ever accidentally fall for a phishing link, it won’t work on the phony site.
Some websites don’t allow passkey-only login, so for those, update your password to something long, unique, and random, and then save it in your password manager as a backup login method. (Enable two-factor authentication, too.)
But otherwise, passkeys are the way to go. You don’t have to think about them once they’re set up. They just work.