Posted on 20 July 2012 by Thales DIS

Can a website tell you when it’s time to change your password?

Enterprise Security

Last updated: 21 March 2014

This week has seen yet another study highlighting the inherent dangers of securing your personal information with just a password. According to research from Experian, the average internet user in the UK has just five different passwords, despite having 26 different online accounts. Indeed, a quarter use just one password for most of their logins.

This follows on from last week’s Yahoo! breach, meaning passwords (or, more correctly, our use of them) have come in for some pretty bad press recently. Now that we are keeping more and more of our sensitive data online, I hope that it’s only a matter of time before static passwords are discarded altogether in favor of stronger forms of authentication.

Until then, however, we have to keep looking for new ways of ensuring that we keep our passwords as safe as possible. A site I came across this week, shouldichangemypassword.com, could prove to be a valuable tool in doing this. The site invites visitors to input their email address and then tells them if their account is at risk of being compromised, encouraging them to change their password if so.

It claims that it has so far uncovered almost 12 million compromised addresses – a number which has risen by over 200,000 in recent days. This could mean one of two things: either the site is experiencing a huge surge in popularity, or the number of accounts at risk is rapidly increasing. In reality, both of these are likely to be true. The site gathers its information from breaches where email addresses have been published by hacktivist groups like Anonymous or the now disbanded LulzSec and keeps them in a database for users to check their address.
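To make the mechanism concrete, here is a small breach-exposure lookup of the kind described above. This is an added illustration written for this page, not code from shouldichangemypassword.com, whose storage and data sources are not known; the dump names and every address in it are constructed placeholders. Two details matter for a defender running such a service: addresses are normalised before matching so case and whitespace differences do not hide a hit, and the index stores a digest of each address rather than the raw address, so the lookup table is not itself a ready-made mailing list if it is ever copied.

```python
import hashlib
from typing import Dict, Iterable, List, Set

# Constructed sample of published credential dumps; every address is fabricated
# and the dump names are placeholders, not real incidents.
SAMPLE_DUMPS = {
    "dump-a-2012": ["alice@example.com", "Bob@Example.com ", "carol@example.org"],
    "dump-b-2012": ["bob@example.com", "dave@example.net"],
}


def normalize_email(addr: str) -> str:
    """Trim and lower-case so 'Bob@Example.com ' and 'bob@example.com' match."""
    return addr.strip().lower()


def email_key(addr: str) -> str:
    """Index by SHA-256 of the normalised address, not the raw address, so the
    lookup table does not double as a mailing list if it leaks."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


class ExposureIndex:
    """Maps hashed addresses to the names of the dumps they appeared in."""

    def __init__(self) -> None:
        self._hits: Dict[str, Set[str]] = {}

    def ingest(self, dump_name: str, addresses: Iterable[str]) -> None:
        for addr in addresses:
            self._hits.setdefault(email_key(addr), set()).add(dump_name)

    def total_addresses(self) -> int:
        """Distinct addresses seen, counted once however many dumps repeat them."""
        return len(self._hits)

    def check(self, addr: str) -> List[str]:
        """Dump names the address was found in; an empty list means no known exposure."""
        return sorted(self._hits.get(email_key(addr), set()))


def build_index(dumps=SAMPLE_DUMPS) -> ExposureIndex:
    index = ExposureIndex()
    for name, addresses in dumps.items():
        index.ingest(name, addresses)
    return index


def advise(index: ExposureIndex, addr: str) -> str:
    """Plain-language verdict of the kind the site described above gives visitors."""
    hits = index.check(addr)
    if not hits:
        return "not found in any indexed breach; keep using a unique password anyway"
    return (f"found in {len(hits)} breach(es) ({', '.join(hits)}): "
            "change that password everywhere it was reused")


if __name__ == "__main__":
    idx = build_index()
    print(idx.total_addresses(), "distinct addresses indexed")
    for query in ("BOB@example.com", "nobody@example.com"):
        print(query, "->", advise(idx, query))
```

Because the index deduplicates on the normalised digest, the "12 million" style headline figure such a service reports counts distinct addresses, while one address reused across several dumps shows up with every dump it appeared in.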

While I wouldn’t recommend that anyone rely solely on services like this to tell them whether their accounts are safe, any tool which helps keep internet users informed of the risks they face is welcome. And until static passwords are replaced by more robust two-factor authentication methods (such as those offered by Google), it falls to the user to change their password regularly (choosing something much stronger than “password”) and to use services like this to ensure they are not exposed.

5 thoughts on “Can a website tell you when it’s time to change your password?”

  1. Virginia Benedict says:
    July 20, 2012 at 5:53 pm

    Ray,

    I agree with you that the provider should implement two or even three factor authentication whenever possible. That is without question.

    Nevertheless you do realize that one of the issues with Yahoo mail is that it uses very weak encryption, and only during the login process at that. The user is typing his/her credentials while in HTTP and when the user presses send, the login data is sent over HTTPS only during transfer over the wire; once authenticated, the Inbox and folders are then served in HTTP (plain text).

    If an email provider cares about their customers it will serve at least 256 through and through. That is, HTTPS 3.0 or better and TLS 1.2 or better.

    …and while some users do need to be more diligent about their security and safety and not be afraid to be called paranoid because they are zealous about it, it is the ISPs and the ESPs, etc. who should bear the brunt of the responsibilities. Not so much the users. The users are adopting technologies and without the users there is no gain.

    Users (in any category) should not have to bear responsibility for something they, at the end of the day, have no control of while paying top dollar one way or another.

    Most of us use complex dedicated passwords and we are zealous self-respecting cyber citizens and yet we get ransacked. I’d say it is the responsibility of the provider to keep me safe while I practice safe surfing.

    What are your thoughts,

    ~ Virginia Benedict
    Professional Social Media Managing Curator (cir 1992)
    Market Engineering Strategist (cir 1984)
    IT Systems & Network Security/Computer Forensics (cir 2000)
    Technologies Analyst (cir 1989)

    http://www.OnSocialMedia.net
    http://www.TechMarketEditor.net
    @System_Prompt
    @TechMarketEditor

    Member Microsoft Technical Communities
    Powered by Office 365/SharePoint

    Reply
    1. Ray Wizbowski says:
      July 23, 2012 at 1:50 pm

      Virginia,

      Thanks for the comment and I couldn’t agree with you more that the providers of online applications like mail should be doing a much better job of securing the data that they are entrusted with. The challenge is that these services are often free and, other than brand damage, there is no real consequence for the provider, in this case Yahoo!, to implement higher security controls which come with a cost. Now we all know that the data mining performed by mail providers would more than cover the cost of these upgrades to security, but until the consumer demands higher security or is willing to pay for a more secure service I am afraid these types of services will continue to be security light.

      I also understand your point about passwords. I know many people in our field understand the need to have complex passwords and to change them at regular intervals. But this is simply not the case with your typical consumer. I have written several posts on this over the past year and it always amazes me that whenever there is a breach where passwords are revealed, some of the top passwords in use are “password”. This shows that we are a long way away from consumers understanding the importance of practicing good personal online security practices. While the site “Do I need to change my password” is not necessarily a great resource for security conscious people, it is a good education tool for those who have no idea what is happening on the other side of their screen.

      All the best,

      Ray

      Reply
      1. Virginia Benedict says:
        July 24, 2012 at 3:57 pm

        Ray,

        The solution is for the portal/site not to accept certain types of passwords at all. We are beginning to see this practice more and more.

        As far as “Free” service… hmmn!? I am a firm believer that nothing in life is free and to boot if they were not offering the email service they would have no advertisers’ revenue streams…

        Regarding your main discussion topic, my answer is a big YES! The site owner should require the guest/member to change their passwords at adequate intervals.

        Thank you for all your support and good wishes.

        Virginia Benedict

        Reply
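The server-side check that this exchange points at (a site refusing weak or known-compromised passwords at registration, so that “password” never makes it into the next published dump), as an added illustration that is not code from the post or from any site mentioned in it. The blocklist is a constructed sample standing in for the top entries of published breach lists, and the length and variety thresholds are assumed policy values, not anything the commenters specified. The canonicalisation step is what keeps a blocklist useful: without it, “P@ssw0rd123” sails past a check for “password”.

```python
import re
from typing import List

# Constructed blocklist: the kind of entries that top the lists published after
# a breach. A production deployment would load a far larger list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "abc123", "iloveyou", "welcome",
}

MIN_LENGTH = 12          # assumed policy thresholds, not taken from the post
MIN_DISTINCT_CHARS = 5

# Undo the substitutions people use to dress up a dictionary word ('P@ssw0rd').
_LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})
# Trailing digits and punctuation ('password123!') are stripped before lookup.
_TRAILING_JUNK = re.compile(r"[\W\d_]+$")


def canonical(pw: str) -> str:
    """'P@ssw0rd123!' -> 'password', so variants of a blocked word are blocked too."""
    base = _TRAILING_JUNK.sub("", pw.lower())
    return base.translate(_LEET)


def check_password(pw: str, email: str) -> List[str]:
    """Return the reasons a password would be refused; an empty list means accepted."""
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too_short")
    # Check both the raw lower-cased form (catches '123456', which canonicalises
    # to an empty string) and the canonical form (catches 'P@ssw0rd123').
    if pw.lower() in COMMON_PASSWORDS or canonical(pw) in COMMON_PASSWORDS:
        reasons.append("common_password")
    local_part = email.split("@", 1)[0].lower()
    if len(local_part) >= 4 and local_part in pw.lower():
        reasons.append("contains_email")
    if len(set(pw)) < MIN_DISTINCT_CHARS:
        reasons.append("low_variety")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd123", "correct horse battery staple",
                      "alice-lives-here-2012", "aaaaaaaaaaaa"):
        verdict = check_password(candidate, "alice@example.com")
        print(f"{candidate!r}: {'accepted' if not verdict else ', '.join(verdict)}")
```

Returning a list of reasons rather than a bare yes/no lets the registration page tell the user what to fix, which is the education angle Ray raises above: a refusal that says “this password appears in published breach lists” teaches something a silent rejection does not.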
  2. Shayne @ SICMyP says:
    July 21, 2012 at 2:00 am

    Thanks for talking about SICMyP.

    Just to answer your questions regarding the 200K. Whilst we’ve had a big influx of new visitors with the Yahoo! breach, 200K is a pretty average week for us. The 12 million have been identified over the last 13 months. I’ll leave your readers to do the Math.

    If anyone has any questions about the site, please don’t hesitate to ask.

    Reply
    1. Ray Wizbowski says:
      July 23, 2012 at 1:56 pm

      Shayne,

      Thanks for the comment and the offer to answer questions. It is crazy to see how many records have been published in such a short amount of time. I guess we all knew it was a lot, but I personally have never added up all the breach totals to see the full picture. I believe this is an interesting topic for our readers and hope that it helps educate people on the need to have secure password practices.

      Thanks again,

      Ray

      Reply
