Webwaves

Ian James
ASEG Webmaster
webmaster@aseg.org.au

Have I been Pwned?

Password security was the focus of several Webwaves columns by David Annetts, the previous webmaster, and it seems timely to revisit the topic.

In Webwaves Preview issue 195 (Annetts, 2018), password hygiene was reviewed, with a number of recommendations put forward that can be implemented by readers to improve their security. The security.org "how secure is my password" tool is mentioned (https://www.security.org/how-secure-is-my-password/). This tool will estimate how long it will take to crack a given password. Readers are encouraged to try variations such as webmaster, Webmaster and Webmaster00 to see the impact of adding characters to a password and changing the case of some of those characters (see also Figure 1).

Figure 1. Password Strength (from https://xkcd.com/936/)

Meanwhile, Preview issue 191 (Annetts, 2017) covered data breaches and some of the EU's GDPR requirements around protecting user data and informing individuals of data breaches within 72 hours.

This led to Preview issue 199 (Annetts, 2019). Here readers were made aware of the "have I been pwned" website and the ability to check if your details and credentials have been compromised. In this column we are going to elaborate on this and other tools that are available to highlight compromised accounts and refresh readers on recommendations for password security.

Pwned

Pwned, pronounced "poned", comes from leetspeak (https://leetspeak-converter.com/) and is a deliberate misspelling of owned. Pwn has been an official Scrabble word since 2015. Pwn: to own, defeat, dominate.

Have I Been Pwned (https://haveibeenpwned.com/) is a data breach search website created in 2013 (and subsequently maintained) by security consultant Troy Hunt. The website allows users to enter their details and search the billions of leaked accounts across hundreds of data breaches. Some of the features include:

- Email or phone number search. Enter your email or phone number to see if your details have been compromised. For any data breach, details of the information available and a backstory of the breach are provided.
- Notify me. Enter your email address and receive notifications of any future data breaches implicating that email address.
- Domain search. The ability to search for data breaches featuring any email account on a domain. This is particularly useful for IT departments to check all email accounts in an organisation.
- Pwned passwords. Enter a password to anonymously check if it has featured in a data breach. Details of how privacy is protected when searching passwords are provided. This is a very useful way to alert people to the risk of password reuse.

Other tools

An API exists for Have I Been Pwned (https://haveibeenpwned.com/API/v3), ensuring that Hunt's extensive database can be freely accessed. Various browsers, password managers and tools now use the data to check users' accounts, or have created their own implementation of the site. These include Firefox Monitor in the Firefox web browser, Google's Password Checkup and Apple's Password Security Recommendations.

Recommendations

To build on some of the recommendations in Annetts (2018), it is strongly recommended that:

- Unique passwords are used for each account. Use a password manager (e.g. LastPass, Bitwarden, https://xkcd.pw/), with a unique password generated for each account using a built-in generator.
- Strong passwords are used. Users can use https://www.security.org/how-secure-is-my-password/ to see how secure various passwords are.
- Multifactor authentication is used where possible.

37 PREVIEW AUGUST 2022