We live in the age of the data breach. Within the last month, Snapchat users, customers at FedEx, and nearly 1 million lawyers in the U.K. had their passwords exposed in various data breaches. But at least one man is allowing users to check to see if their password is one that’s been unveiled.
I was horrible about passwords for the majority of my life online. I used the same variation of one password for over 15 years, starting in the mid-’90s when I began to create accounts to sign in to local BBSes, Usenet clients, and old-school AOL accounts — I put the name of a girl I had a crush on. I was no dummy — I knew her name was somewhat common and would be easy to crack if someone wanted to go after me. So I put a one (1) in front of it. Hey, presto: an uncrackable password.
The password long outlived the crush, which ended when she made the wise decision to date someone who didn’t (to my knowledge) spend a lot of time playing text-based MUDs with names like GemStone III. But I still kept using the password. It had become habit, and while her name was common, it felt safe enough. For the next 15 years or so, I just defaulted to using that password. When it came time to sign up for a college email account, or a bank password, or countless number of web forums, I used it. Sometimes password clients would require more out of me, so the one (1) would become an exclamation point (!), or a vowel would become a number.
Then, in 2010, Gawker got hacked. I had created a user account for the site, and used the same basic password I had been using since at least 1993. I went to a website set up to see if your email and password had been part of the 500 MB data dump, and there it was: My password was now out in the open.
I spent the next day going around to every site I could think of with sensitive information, creating a new, strong password based on a transposed nonsense phrase, and called it a day. But 2010 was really just the beginning. Major sites began to get breached on a monthly basis, and it became easier to keep track of which sites hadn’t suffered some sort of major security breach than which ones had.
By the time security researcher Troy Hunt set up the first version of the website Have I Been Pwned in late 2013, countless major websites had suffered major security breaches, including LinkedIn, Adobe, and Dropbox. I quickly discovered that I had been pwned over 15 times, and started using a two-tier system for passwords — changing up strong passwords on truly vital accounts like email or banking, and just hoping that no one cared enough to take the time to unhash the password for my Kickstarter account and find out that I had backed Wasteland 2.
It also led to the fun pastime of checking to see if other people in your life have been hacked — all you needed was their commonly used email address to see when and how they’d been pwned. Select All editor Max Read, for instance, had his password exposed after someone used his credentials to log on to the online multiplayer game Evony, perhaps best known for its soft-core banner ads featuring women asking users to “come play, my Lord!”
The answer to the problem made clear by Hunt’s site was and remains obvious: Learn how to use a password manager. Create one strong password once, and you’re free from coming up with new ones when a site gets hacked and its data compromised — you just generate a new strong password for the site and move on with your day. I eventually gave in and started using LastPass, and haven’t looked back.
But Hunt has gone a step further, releasing an API that lets users check to see if their password was ever part of a data breach — without ever revealing what that password is. Dubbed Pwned Passwords, the API works by hashing the password with SHA-1 and sending only the first five characters of that hash; the service answers with every breached hash that begins with those five characters, and the match against the rest of the hash happens on your own machine (sending the full hash, even though it is not the password itself, might allow someone to eventually work their way back to your original password). It allows password managers like 1Password to quickly check and see if the password you’re using has been compromised in the past (which doesn’t necessarily mean you’ve been hacked, simply that someone using the same password as you has — either way, you may want to use something stronger. Ars Technica has a much more in-depth rundown, if you want to get into the nitty-gritty of it).
Curious, I began to go back through my various passwords over the years. Most were still safe it seemed — the LinkedIn and Dropbox hacks were bad, but failed to expose the passwords I was using at the time of the data breaches. But then I came across the one I had used for 15 years, the one I can still type from pure muscle memory, and sure enough: It had been seen 1,204 times before.