Passwords, Please. - Softrams

  • Security

Bill Jones
August 23, 2021


Oh noes, a breach!

We’ve all been there at some point or another: you receive a notice that your password was obtained in a recent breach. Something else tends to appear after these types of incidents, and it’s a wonderful-looking website claiming “Let me check if your password was leaked in the recent breach and/or previous breaches you may not be aware of.” I suspect many internet users head to these websites and enter their current password just to find out if it was leaked in a breach. After all, why spend the time and money to buy services and build the website if nobody is using it? I’ll go with my gut on this one and draw a line in the sand: these sites are being used, and they’re certainly not what they appear to be at face value.

Walking Down Memory Lane

Hey you, yeah you! Did you hear about the breach at Company X, which shall remain nameless? For fun, let’s say this event occurred back in 1997, when many who read this blog may have just been born into this world. Disclaimer: historical accuracy was tossed out the window while writing this blurb. Let’s just say this is when password harvesting became a thing, and Joe, who is now known to us as a victim of one of these early breaches, builds a web framework to test whether your Personally Identifiable Information (PII) has been included in a breach. His service becomes highly sought after, attracts many users, and eventually turns into a well-established (trustworthy) company that monitors your credit, your identity, and even your favorite ice cream stock levels.

This timeframe shall henceforth be known as the Golden Password Protection Epoch. I can coin this term if it’s not a thing yet, thanks!

Rippling Time & Space

Joe had a great idea with a wonderful outcome and is now protecting many clients’ PII while charging a nominal fee for the service provided. The rippling effect from this era is that the hackers, the “bad guys,” have spotted this wonderful service and decided to mock it. Not mock as in make fun of it, but mimic the implementation and appear to be a legitimate service provider. There is a difference here: Joe has established a trustworthy reputation with all of the Company Y clients, and the bad guys have not. Their service would allow you to check if your password or even your username was disclosed as part of any breach. What an amazing service, and to top it off, it’s offered at no cost to you! So the ripple Joe set off is now causing an effect: the bad guys are taking notice and catching up, while flying under the radar because they never need the typical noisy, intrusive scanning used to obtain information. You hand it to them.

Passwords, Please? – All for free!

Now we have entered our time machine and moved back to the present, which is the year 2021 as of the writing of this blog post. The bad guys have a gold mine now, and it’s in the form of password checking sites. Be very wary of blindly trusting these websites and entering your credentials into them. What I recommend, and will always assert to be true, is this: if you believe your password was disclosed in a breach, just reset it, along with all of your other passwords, which may or may not be the exact same across many other websites or services you use.

A few other recommendations to consider:

  • Use a well-known, trustworthy password manager, and yes, if that includes a dusty book at your home office, use it until you are ready to move into the digital age. I recommend Bitwarden, as it’s fairly cheap, and if you want to run the infrastructure or “host it on your own,” you are free to do so. By cheap, I also mean they have a free version with some limited functionality, but for keeping track of and securing your passwords it works perfectly fine.
  • If you hear about a breach from Company Y, Z, W, X, T, Q, or any other single character you’d like to toss in to make it fun, just rotate your password out so you never have to worry about whether the previous password was leaked.

Just these two recommendations alone will save you from the tragic events that arise from entering your current credentials or any PII into an online form proclaiming to have your best interests at heart; I assure you, not all of them do. While I tried to make this fun and inviting for anyone out there, security is no laughing matter, and you really do want to be sure you’re securing your personal information and passwords, and paying attention to websites offering free services.
