Collection #1 Password Megabreach: Why I Think It's Not That Big of an Issue
We’re learning more about the data breach known as Collection #1. It’s estimated that nearly 1TB of personal information affecting nearly 770 million people is now being sold for as little as $45.
At first glance this collection of credentials seems rather alarming, but it turns out much of this data is two to three years old. It seems rather odd to say this, but: meh, not really a big deal. Rather than fixating on the MASSIVE size of the data in Collection #1, we should be more concerned about what we should be doing to protect ourselves.
So before panicking, look at some password-related tips that will help keep you secure.
Here are the criteria for a good password according to CERN:
- Private: it is used and known by one person only;
- Secret: it does not appear in clear text in any file or program or on a piece of paper pinned to the monitor;
- Easily remembered: so there is no need to write it down;
- At least 8 characters long;
- A mixture of at least 3 of the following: upper case letters, lower case letters, digits and symbols;
- Not listed in a dictionary of any major language;
- Not guessable by any program in a reasonable time, for instance less than one week.
Guidance from many sites agrees that you need password length and complexity together. A minimum password length of 8 arguably will not hold up against password- or code-breaking software. This rather lengthy but well-written article from the INFOSEC Institute recommends a length of 12 characters.
Use of Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA) is also recommended.
So what should people be concerned about with a massive disclosure of data like Collection #1?
1. If any of your accounts were exposed in this collection and you have not changed the password then the data is still valid and could be used. You may want to go to https://haveibeenpwned.com/ and check your accounts to see if any of them have been compromised.
2. Do you use the same user name and password elsewhere? Often your user name for an account will be your email address. If you use the same email and password everywhere and one is compromised, an attacker knows where else you are likely to use the same credentials and can gain access. Don’t reuse passwords. Using a password vault helps you store passwords for different sites so you don’t have to remember them all.
3. Have any of the passwords you have used been compromised? You can check whether a password you are currently using has been compromised. If it has, it may be a good idea to change it: https://haveibeenpwned.com/Passwords
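The password check in step 3 can be done without sending the password itself: the Pwned Passwords range (k-anonymity) API receives only the first five hex characters of the password's SHA-1 hash, and the rest of the hash is compared locally against the returned list. The following is an added example, not code from the original post or from Have I Been Pwned; it runs that comparison against a constructed sample response (the breach counts and the User-Agent string are made up) and adds a length and character-class check based on the CERN criteria and the 12-character recommendation above.

```python
import hashlib
import string
from typing import Optional, Tuple
from urllib.request import Request, urlopen

# Real endpoint of the Pwned Passwords range API. Only a 5-character hash
# prefix is sent, so the service never learns the password or its full hash.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of a range response for prefix 5BAA6 ("SUFFIX:COUNT" per line).
# The counts are made up; the first suffix is the real SHA-1 tail of "password".
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:42
0123456789ABCDEF0123456789ABCDEF012:7
FEDCBA9876543210FEDCBA9876543210FED:1
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the prefix sent to the API and the suffix kept locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Return how often the suffix appears in a range response; 0 means not seen in breach data."""
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Fetch the live range for a prefix (network call; the offline test never uses it)."""
    req = Request(RANGE_URL.format(prefix=prefix), headers={"User-Agent": "pwned-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_body: Optional[str] = None) -> int:
    """Number of times the password appears in breach data, using a supplied or fetched range."""
    prefix, suffix = sha1_prefix_suffix(password)
    body = range_body if range_body is not None else fetch_range(prefix)
    return count_in_range(suffix, body)


def meets_policy(password: str, min_length: int = 12) -> bool:
    """Length plus at least 3 of 4 character classes (CERN criteria, 12-character minimum)."""
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    return len(password) >= min_length and sum(classes) >= 3
```

A password that passes `meets_policy` but still returns a non-zero `pwned_count` has already leaked somewhere and should be changed regardless of how complex it looks.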
If your organization is looking for more ways to increase your security posture, consider the following resources:
- Patch Tuesday – Our blog and webinar series helps you develop a patching strategy and understand how these monthly updates could impact your network.
- Stay protected from ransomware – Find analyst reports, white papers, and other content designed to help you boost your defenses.
- Demo our security solutions – Our IT security professionals are ready to show you how Ivanti’s portfolio of unified IT solutions can create change within your organization.