Change Your Password day, oh no…

Yesterday was Change Your Password day. While the original idea behind it is good, this day also presents a big opportunity for hackers. Hackers can use this day to get their hands on a lot of passwords. I’ll explain how.

1. Password strength checkers.
They pop up all over the place, specially on days like this. Some reputable companies will host one on their website and of course there are a lot of fake ones appearing that are controlled by folks with malicious intent. No matter where you find a password strength checker/tester, do NOT use it!! Yes the company hosting it may be reputable but come on, every major corporation has been hacked or compromised in the past so there is no reason to think a password checker hosted by Intel or McAfee is safe. (Intel didn’t even bother securing their password check site with https so everything typed there is sent in plain text!!) On days like these, if i was a hacker, i’d go after these reputable sites with everything i got and try to compromise their password checker so it sends all the information to me. If that fails i’ll build my own and send people to it using social engineering / advertising. “The strongest password wins a new MacBook Air!”. As folks want to either test their current password and/or prove their password is uncrackable, these online password checkers generate enormous amounts of traffic. Though the legit ones warn not to use your actual password, most do (what’s the point of checking a fake password that you don’t use?), and most will pick the wrong website to do it on. Don’t use online password checkers!

2. A common flaw in password use, the user.
As most people re-use their passwords on multiple websites/services, there is a big chance they are about to do it again on Change Your Password day. If a hacker had his hands on one of your old passwords or even worse, your current password, he knows to try that password again after days like this. If it didn’t work yesterday there is a big chance it will work today. After all you changed your password as instructed by all these websites, blogs and social media posts but you chose to just re-use an old password or cycle passwords around (your AppleID password became your bank password and your gmail password became your Apple ID password). For a hacker that once had your password for Service A days like these are a dream because more than likely he now also has the password for Service B, or C, or D etc.

If you want a safe, secure method of checking your password strength, use the tools built into your Mac OS. Go to Applications > Utilities and open Keychain Access. Once open, go to the File menu and select “New Password Item”, this will cause a small window to appear in which you can type any password and check it’s strength. Ignore the ‘Keychain Item Name’ and ‘Account Name’ fields as you won’t actually be adding anything to your keychain but do use the ‘Password’ box. Type in a password and it will tell you in real-time if your password is any good. You want the strength to be “Excellent” at least and the bar to be 70% green.

While days like yesterday are a good idea, it often ends up to be a fail for the user and a win for the hackers. If you changed your passwords yesterday please do the following:
– If you used any online password strength checkers, permanently discontinue any password(s) you have entered in them. If the checker was compromised it means your password is now in the hands of a stranger.
– Do not re-use old passwords.
– Do not cycle passwords between services.
– Have a look here.