What to Do When your Password is Shared, Compromised or Breached

September 19, 2024

Recent news events have increased the attention on password use and how users can protect their accounts and passwords.


Recently, while talking with a neighbor who doesn’t work in tech, I was asked what to do after one of their streaming accounts had been compromised. My first question was, “Were you able to restore access and change your password?” They beamed with pride as they answered, “Yeah, it took a few minutes, but I kicked the hacker out.” So, I posed the next question, “Where else did you use that same password?” Slowly their proud smile faded and turned to a look of confusion. They proceeded to list several services where they had used the same generic password. As they listed off those services, it began to dawn on them that the “hacker” may not be as “kicked out” as they thought.


This lesson is one we in the information security world have been espousing for years: don’t reuse passwords. We’ve recommended the use of password managers to enable the use of unique passwords. But what happens when our advice is now the source of a new question: “What happens when your password manager is breached? What do I do now?” The answer becomes more complicated, but here are three tips to keep in mind.

Change Your Passwords

The easy answer to give, which is harder to accept, is to change all your passwords. That alone is daunting enough, but in the face of a password manager breach we can't stop there. We need to teach the principle of defense in depth: a strategy that layers multiple security measures so that no single failure exposes your data and sensitive information.


See how long it takes to crack a “complex” password in Optiv’s password cracking chart.


Optiv's guidance for securing your passwords focuses on diversifying them. Not only should each password be unique, but you should choose longer passwords that contain a combination of uppercase letters, lowercase letters, numbers, and symbols. But every user needs to take a few more steps to ensure that their accounts remain secure.

Enable Multifactor Authentication

We in the information security industry have been advising users to enable multifactor authentication (MFA) everywhere they can. But out of all the authentication methods, we recommend hardware tokens or authenticator apps over the typical text message or emailed code. There are several solutions here, including YubiKey, Google Authenticator, Microsoft Authenticator and OnlyKey.


The challenge can be that different services may support different solutions. For any services where the only option for MFA is choosing answers to security questions, it’s better to lie through your teeth (but still remember your answers!). After all, malicious hackers can research you on social media and find the correct answers to many of these questions.

Monitor Account Access and Services

It is important to monitor access to our accounts. Many services offer to send a notification whenever someone logs into the account. You should enable this feature to enhance your account security. You may receive more emails or text messages as a result, but in the event of a compromised account, knowing is half the battle. Many services also provide a list of recent account access or trusted devices. Review these lists periodically to ensure that there are no unexpected logins or devices.


Finally, monitor the services you use for public breaches so that you are aware when a password may have been compromised. Creating an alert through https://haveibeenpwned.com/ is a great place to start raising your awareness regarding the constant stream of breaches that seem to occur.


By raising your security awareness and by practicing a defense-in-depth strategy, you can significantly increase the security of your accounts. In light of all the recent data breach headlines, take a proactive approach instead of solely a reactive one when it comes to your password security.


For more cyber-smart tips and best practices, check out Optiv’s Cybersecurity Awareness Month resource hub.

Doug Rogahn
Senior Security Consultant | Optiv
Doug Rogahn is a Senior Consultant within the Application Security group of Optiv’s Threat Practice. With more than 10 years’ experience in Information Security, Doug has worked with a variety of businesses from large global enterprises to small sole proprietorships. Doug is a subject matter expert (SME) on application security and application penetration testing. Doug also enjoys branching out of the virtual world into the realm of physical security, where he runs lockpick villages for small and mid-sized security conventions.

Heather Hall
Threat Demand and Delivery Manager | Optiv
Heather is a retired Army Cyber Warrant Officer. After dedicating 22 years to public service, she jumped into industry and held roles securing companies ranging from the nation's largest casino chain to the second largest privately held company and, most interestingly, a niche private wealth family office. Heather applies knowledge gained from earning 14 cyber certifications and a Master's in Cyber as a Threat Demand and Delivery Manager at Optiv Security. Heather's role has her interacting with Fortune 100 clients to secure the United States' most important resources: data and people.
