Today Troy Hunt announced that a collection of 773 million usernames and passwords was released. This release, dubbed Collection #1, contains usernames and passwords that have shown up on the dark web over the past two or three years. Think of Collection #1 as a value pack of bundled old password lists.
If you want to find out whether your passwords were released, visit his site, https://haveibeenpwned.com. If you elect to enter your email address, the site will tell you if it is in the collection and give you more details.
What do you do if you are on the list? Reset your passwords. Use a password manager that will remember your passwords for you. It makes your life easier when you use a different password at each website from now on.
Now is a great time to enable two-step verification. A basic form of two-step verification is when you enter a username and password, and then receive a code by text message to type in. Enable two-step verification on PayPal, LinkedIn, Dropbox, Facebook and every other web service you use. On each website, look for Settings > Security. You may need to dig down. More reputable sites now support two-step verification, but you must enable the feature.
Some bad news is that, about a week ago, a tool called Modlishka showed how to break two-step verification, so it isn’t that secure. Even so, two-step verification is still more secure than a simple username and password combination. If a website allows it, have it use some method other than texting you a password. Using an app on your phone or receiving a voice call are options that are often more secure than the text message. Microsoft, Google, and a service called Duo offer these options and more. Having a hardware key is even better, unless your laptop users leave the key stored in the laptop case and their password written on the bottom of the laptop.
Posted by Mike Foster