Wednesday, September 17, 2014

Test to See If Your Gmail Address Was on the Leaked List

Recently in the news, "5 million" Gmail account names and passwords were leaked into the public domain. LastPass, a service whose product promises secure password storage and use, obtained the now-public text file of Gmail data, analyzed it, and published some patterns and trends in password use. (LastPass presumably did this both as a public service and as self-promotion.)

LastPass also created an online look-up tool for anyone to search and find out whether any given Gmail address was on the list of compromised passwords.

So far, I’ve found one friend whose Gmail address was on the list, but that’s still impressive, given that there are probably hundreds of millions of Google accounts.

Even if your address is not on the list, you should change your Gmail password. There is some information out there suggesting that the list is not a list of valid Gmail passwords, but only Gmail usernames that were "scraped" from other websites. Still, better safe than sorry. If your Gmail address is on the list, change that password anywhere else you reused it as well, and consider whether any other information inside your Gmail account that might have been compromised requires further action.

Lest you think that you aren't a target for cyber-attack, the fact is that we're all targets, all the time. Most of these attacks are neither personal nor actually carried out by people; they are "robotic" - software running on computers that tirelessly scans every reachable address on the Internet (and on private networks too), probing for weaknesses. And in the case of this story, the compromise came not from an attack on users' devices, but from potentially critical authentication data being exposed to the public - something that has happened many times before.

So take passwords seriously. You may not think you have anything important to protect, but you don’t want to find out otherwise.

MULTI-FACTOR AUTHENTICATION

FWIW, I've been using Google's "2-Step Verification" since April 2013. This is their implementation of "multi-factor authentication." The approach combines a traditional password ("something the user knows") with "something the user has": a possession factor such as a hardware authentication token, or a phone running an app that generates one-time codes. In my case, I run the Google Authenticator app on my iPhone. But there are many other possession factors.
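Google Authenticator generates its six-digit codes with the TOTP algorithm (RFC 6238, which is HOTP from RFC 4226 driven by a 30-second clock), so the "something you have" is really a shared secret the app holds plus a synchronized clock. The Python below is an added example written for this page, not Google's or LastPass's code: it implements the code generator, the Base32 secret format the app uses when you enroll, and a server-side check with a small drift window. The secret in it is the public test-vector secret from the RFCs, not a real account's.

```python
import base64
import hashlib
import hmac
import struct
import time

# Public test-vector secret from RFC 4226 / RFC 6238 (ASCII "12345678901234567890").
# Constructed for demonstration; a real enrollment secret is random and private.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte big-endian counter, dynamically truncate,
    and keep the low `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch.
    This is what the phone app computes; it needs only the secret and the current time."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits)


def secret_from_base32(b32):
    """Authenticator apps show and accept the shared secret as (often unpadded) Base32;
    restore the padding so the standard decoder accepts it."""
    s = b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def verify_totp(secret, code, now, window=1, step=30):
    """Server-side check: accept the current step and `window` steps either side to
    tolerate clock drift between phone and server. Comparison is constant-time so the
    check does not leak how many digits matched."""
    for k in range(-window, window + 1):
        candidate = hotp(secret, (now + k * step) // step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    # Same secret, encoded the way a QR enrollment would carry it.
    assert secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ") == RFC_TEST_SECRET
    print("code at t=59:", totp(RFC_TEST_SECRET, 59))            # 287082 per RFC 6238
    print("accepted 30s later:", verify_totp(RFC_TEST_SECRET, "287082", now=89))
    print("accepted 70s later:", verify_totp(RFC_TEST_SECRET, "287082", now=130))
    print("code right now:", totp(RFC_TEST_SECRET))
```

The window is what lets a code typed a few seconds late still work, and it is also why a leaked code is only useful for about a minute. A production verifier should additionally remember the last step it accepted for each user and refuse a second login with the same code inside that window, since TOTP on its own does nothing to stop replay.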

C/Net: "Two-factor authentication: What you need to know (FAQ)"
