Firefox has a new tool which allows you to find out what hackers already know about you based on your email address. You simply enter your email address at Firefox Monitor and click “Check for Breaches” and Firefox uses the “Have I Been Pwned” database to search for your email address in public data breaches going back to 2007. Here is an example report.
Chances are if you have had the same email address for more than a year or two your information has been compromised. In the battle between hackers and security, the hackers are winning.
I have seen several clients locked out of their own access simply because they can’t answer a sufficient percentage of questions intended to confirm their identity.
At this point in history, after the Equifax hack, it is safest to assume that the hackers can answer questions about your identity better than you can: What was your childhood street address? What is your mortgage payment to the penny? What was your maternal grandfather’s middle name?
With the assumption that the hackers are winning, it is helpful to understand how they work.
Data breaches occur not only to hack the site that was breached, but also to try every email address and password gathered on other sites. If you use the same email address on more than one site this will result in your identify being compromised on additional sites. Hackers also run sites which offer some free eDocuments so long as you register on their site. Such sites could be a hacker asking you to give them a set of credentials that you potentially are using on other sites. They will collect your credentials and then try those credentials on multiple other sites.
Given these techniques, here are some of the best practices to protect your identity:
Use a secure password vault to store your passwords. A good password vault not only stores your user id and password, but also makes it simply and easy to enter long passwords into sites. I like KeePass, but other password vaults include 1Password, LastPass, Dashlane, or Bitwarden.
Set a long random password for every site. A long random password includes upper and lower characters, numbers, and special characters. A long random password looks something like “-YH!js@kq^ooHk(u88vgh*!R”. You will never remember long random passwords. Without a secure password vault typing them for you, you will quickly grow tired of typing them. But when you use secure random passwords they are nearly impossible to decrypt and if your credentials are breached on one site they will not compromise your identity on other sites.
Use 2-factor authentication whenever offered. Two-factor authentication requires anyone logging in to have both the correct credentials (user id and password) as well as an additional authentication such as a code given to your cell phone or a token that generates a code. With two-factor authentication even if your credentials are compromised your login will still be secure. The website TwoFactorAuth.org keeps as complete a list as possible of sites that support or do not support two-factor authentication.
Freeze your credit at all three credit bureaus. Freezing your credit stops anyone from applying for credit in your name. The credit bureaus hate this because they make money selling your information to those who want to market to you. They will try to confuse you by offering to “lock down” your credit, but you should “freeze” your credit instead. Freezing your credit results in three codes (one from each bureau) necessary to unfreeze your credit. Don’t lose those codes. Even you will not be able to unfreeze your credit without those codes. Save them in your password vault.
Photo by Micah Williams on Unsplash