When Did You Last Check Your Passwords?

I like to think of myself as web savvy and security conscious, but I had a bit of a shock this morning! The new iOS 14 passwords feature was mentioned in the group chat I have with my friends from school, and I when I checked my iPhone, I discovered that I had 373 “Security risks” identified with my passwords! Certainly not a time to be proud of getting a higher “score” than my friends… As if that was not bad enough, clicking through showed that these were not just obscure sites – it was my email/bank account/Facebook/Twitter etc. Fortunately all of these have Multi Factor Authentication (MFA) configured, so not a major issue, but still concerning.

Before you carry on reading this post, if you have not already enabled MFA on your Apple/Google/Email/social media/banking accounts, please do it now – that way your data will be significantly more secure if your password is leaked.

If you have a device running iOS 14, you can check your passwords by going to Settings > Passwords > Security Recommendations. If you do not have an iOS device, you can use the Have I Been Pwned service and enter your email address(es) to check if you are affected by any leaks. However this only checks email addresses, rather than login details and passwords together, like iOS does.

Running my email addresses through Have I Been Pwned, four out of five of them have got leak passwords associated with them. A couple were from older well known leaks – MySpace/Adobe/Dropbox/LinkedIn etc, but also newer leaks collated from username/password combinations on hacker sites. These credential lists are likely to be used by hackers to access accounts hoping that you use the same username and password.

Apple collates the “high priority” issues at the top of the list, so this evening I have been working through these, changing the passwords on the key sites, using the complex and unique passwords suggested by the Apple Keychain feature. For me, the bulk of the “compromised” passwords are old accounts where I have reused the same password, so will attack these a couple at a time changing them with Apple Keychain, or simply closing the accounts if possible.

Interestingly at least one password that has been compromised is unique, from a site which does not seem to have been hacked. However, they did not use HTTPS until fairly recently – I can only assume that my password was sniffed on a public network. This is a good reminder to look out for the padlock when you log in anywhere online, or to use a VPN service – I use Windscribe if I am connecting my phone or laptop to an unfamiliar network.

Hopefully this post has prompted you to have a think about your online security and take the time to audit your passwords. It may be boring, but better to do it proactively than have to deal with a scammer accessing your accounts.