Protecting ourselves from a breach — the “Password Club” rules

- Almost every week there is a confirmed breach of losing our personal and private data.
- The average amount of contacts exposed per breach is raising.
(source of the stats)

How can we, standard users, protect ourselves from a breach?
What can we do when we are notified that our data has been exposed?
The harsh reality?
We can only mitigate the effects.
Once the data has been exposed, it will be “out there” and no matter what we will do, there is no solution for us to erase it.

I am not affected, I don’t care. The password lost was an old one that I was using for websites which I am not interested in.
When a breach happens, it is not just our password which has been exposed, we can usually find additional information as well.
As additional information, five fields is the average of compromised information per breach.

In a common breach, we can find information like email, geographic location, physical addresses, date of birth, IP.
This is usually more than enough information for identity theft, targeted social engineering and phishing scams.

But what happens when the information leaked is an old password or old security questions and answers?
Old passwords or security questions are often used to get access to additional sites and then retrieve additional information of yourself.
How many times have you used an old password for a one-time interaction/purchase of a site you weren’t really interested in?

There are as well breaches with more personal/private information like drinking habits, drug habits, religions, sexual fetishes that could impact our life directly.
- The word “sextortion” didn’t even exist before 2010
- Email scam where attackers claim they stole your password and hacked your webcam while you were watching porn (have a look at the following breaches Ashley Madison or Mate1)

Sticky notes are fun, but not the best password managers (by Chumworth)

What can I do? How can I protect myself from a possible breach?

  • protect your virtual identity:
    sign up in sites that would alert us if our data has been exposed in a breach (e.g. have I been pwned, SpyCloud).

What data of mine is out there for others to find?

This article focus is on how to protect your real self-identity in this digital world, especially when a breach happens, but we often publicly share information that could be relevant to others without really noticing it.
If you have time, I would suggest you to try to look for data of yourself that can be found easily with few searches.
The following article explains the logic/steps to discover a person’s digital footprint, perform digital investigations and gather information using open freely accessible tools.

Thanks to u/CookiExplorer

Ladies and gentlemen, welcome to Password Club.

The first rule of Password Club is: You do not share the Password.
The second rule of Password Club is: You do NOT share the PASSWORD.
Third rule of Password Club: If there is a data breach, that password is over.
Fourth rule: 2FA when possible for every site.
Fifth rule: One unique password per site.
Sixth rule: No simple passwords nor can they match the top 10 million.
Seventh rule: The password should be as long as it can be.
And the eighth and final rule: If this is your first time using passwords, you MUST immediately sign up for a password manager and a breach alert service.

Related links

Agile practitioner, security fanatic, coffee addict, sci-fi fan, chess lover, Linux/Android user, Shorinji Kempo enthusiast.