Opinion, arguments & analyses from the editors of Scientific American
How to Know If Hackers Have Stolen Your Password

The views expressed are those of the author and are not necessarily those of Scientific American.


Whatever you may feel about independent "hacktivist" groups such as Anonymous and LulzSec, they are good at what they do. In the past few weeks members of these two groups have claimed responsibility for a number of data theft incidents, including the recent theft of more than 1 million user names and passwords from the Sony Pictures web site. They then post these stolen names and passwords on message boards and ordinary web pages for anyone to see. In one case, after publishing the user names and passwords of more than 26,000 users of (a pornography web site), LulzSec recommended the following mischief:

These guys probably sign into Facebook with the same email/pass combo, so we suggest the following:
1) sign into their Facebook accounts
2) find their family members
3) tell them all about how the victim (you!) signed up to porn sites
4) watch the hilarity
5) tell us about it on twitter!
6) ???????
7) PROFIT

Is your email address listed in any of these databases? The New York Times reports on an easy-to-use web tool that a security professional has created that will check your email address against 13 different databases containing 800,000 email address/password combinations. Called, appropriately, "Should I Change My Password?", the site runs a simple search for your email in the known files. I checked my various emails, and fortunately, the tool didn’t turn up anything amiss. But the site also gives some very solid advice: Change critical passwords regularly, and don’t reuse the same password across multiple sites.
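As an added illustration of the kind of lookup such a tool performs (example code written for this page, not the site's own): it loads a few constructed leak files in the two line formats such dumps commonly use, normalizes the addresses, and reports which leaks contain an address and whether the same password turns up in more than one of them, which is exactly the reuse the advice above warns about.

```python
import hashlib
from typing import Dict

# Constructed sample dumps (not real data). Leaked credential files are
# usually "email:password" or "email,password", one pair per line, with
# inconsistent letter case and stray whitespace.
LEAKS: Dict[str, str] = {
    "leak_a.txt": "Alice@Example.com:hunter2\nbob@example.com:letmein\n",
    "leak_b.txt": "alice@example.com,hunter2\n carol@example.com , qwerty \n",
    "leak_c.txt": "bob@example.com:letmein\ncarol@example.com:tr0ub4dor\n",
}


def parse_leak(text: str) -> Dict[str, str]:
    """Map normalized email -> password for one dump; skip malformed lines."""
    creds: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        sep = ":" if ":" in line else ","
        email, _, password = line.partition(sep)
        email = email.strip().lower()
        if "@" in email and password.strip():
            creds[email] = password.strip()
    return creds


def check_email(email: str, leaks: Dict[str, str] = LEAKS) -> Dict[str, object]:
    """Report which dumps list the address and whether one password recurs.

    The plaintext password is never returned; a short hash fingerprint is
    enough to tell whether two hits share a password without displaying it.
    """
    target = email.strip().lower()
    hits = []
    fingerprints = set()
    for name, text in leaks.items():
        creds = parse_leak(text)
        if target in creds:
            hits.append(name)
            digest = hashlib.sha256(creds[target].encode()).hexdigest()
            fingerprints.add(digest[:8])
    # Fewer distinct fingerprints than hits means a password was reused.
    reused = len(hits) > 1 and len(fingerprints) < len(hits)
    return {"found_in": hits, "reused": reused}
```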

This is something we’re very bad at. A recent report found that more than 75 percent of users use the same password for social networking sites and email—a huge risk in case one of those sites falls victim to nefarious figures.

If you find daunting the idea of creating separate passwords for all of the dozens of online accounts you need to maintain, take the advice of Christopher Mims over at the Technology Review blog: Set up four or five passwords, using one for all the low-security sites, another for any site that also has your credit card number, another for social networking, another for email, and the most secure for your banking sites. Sleep better.


Image credit: OperationPaperStorm on Flickr


Comments (10)

1. rnmisrahi 2:39 pm 06/23/2011

    Good article. And a good way to manage your user names and passwords as well as the sites you use: PasswordSafe.
    This is freeware. I love it.
    Disclaimer: I have no connection with the developers of this software; it just has helped me survive the growing need for security without risking my sanity.
    Another level of protection? Use TrueCrypt, another freeware software. Create a PasswordSafe file in a TrueCrypt file/directory and you’ll truly sleep better.

2. roelfrenkema 3:18 pm 06/23/2011

    Using password software is asking for trouble and most of the time not cross platform applicable. It is simpler to just store all your passwords on GMail. ???? Yes, Gmail.
    My passwords are stored on Gmail and on my PC as GPG encrypted ASCII armor files. I have access to them anywhere and everywhere and on all platforms. And without the key and a password between my ears nobody can get to them.

3. blk 5:41 pm 06/23/2011

    If you can’t remember your personal passwords, write them down on index cards and lock them in your desk at home, or wherever you keep your important papers. A good alternative is to write them on a piece of paper in your wallet, if you need them at work. If the bad guys can get into your house or wallet, they have your credit cards, bank accounts, SSN, driver’s license number, etc., anyway.

    Don’t put your passwords on a post-it note on your monitor at work, or in your desk at work. People at work have access and may have reason to hack your accounts.

    Sometimes old-fashioned solutions are still the best.

4. gwshaw 10:16 pm 06/23/2011

    Even better is to make every password likely unique by using a simple-to-remember algorithm to modify a good base password. For instance, a remembered good base password + the first and last letters of the site name included somewhere in the base password. With only one password the thief won’t know how to derive another.

5. geojellyroll 10:25 am 06/24/2011

    Simply never use the same password on more than one site…period. Make up a pattern of passwords that make sense to you. If you forget your password you can figure it out.

    On some sites the administrators can read your password and then they Google you and go to sites you’ve been to and can use your password for access if it’s the same.

6. jgoodguy 1:36 pm 06/24/2011

    I submitted some common passwords that should have failed to the site "Should I Change My Password?" and none failed. Has anyone had a password fail?

7. wfitz1964 4:51 pm 06/27/2011

    There are many good password managers out there. Some come from antivirus/firewall combos; some are integrated into the browser. Your password is only as good as its weakest link. Secondly, no password is truly secure. If someone wants a way in they will find a way.
    It’s no different than leaving a key outside your door and not expecting your home to be robbed. Simple measures that make gaining entry into your account harder will slow hackers down but not generally guarantee foolproof protection against hacking. Finally, if you do visit objectionable or pornographic web sites and are concerned about discovery, then it’s your own fault for going there in the first place.
    I don’t like the antics of those types of groups who dig in the cyber dumpster for rubbish, but they have points and some of them make sense, until they are found out; then who’s laughing at them?

8. wfitz1964 5:05 pm 06/27/2011

    I like LastPass; it will work with Mozilla Firefox, IE and others, and will run across any platform with a web browser. Yes, they were hacked into and yes, some passwords were compromised. However, I also notice they will send email into your email account if your password is changed, another backup if your password has been compromised.
    In the case of a library computer, which sometimes I use, always wipe out browsing history and assume keylogging software is installed. Same for corporate computers: assume your usage is being monitored by someone even if it’s not. To a lesser extent on a home machine. Common sense here: if you’re posting something or going to a site, don’t do something that can come back to haunt you; in my case, my rants against the medical industrial complex on Facebook.

    If you follow my example it will make them more hard pressed to gain entry.
    If you log into a library computer, go to the LastPass web site, use one password to get in, then you simply cut & paste to gain entry. Now it’s true you need one password, but if you change it often it won’t be compromised on all other web sites; make a new password and record it. When you go home, change the master password and the password of the website you went to. LastPass generates random passwords, tells you when it was changed last and keeps records of where you’ve been.

    I find it an excellent program, not foolproof but a good one.

9. Asteroid Miner 2:14 pm 06/30/2011

    is definitely a virus. Why does SciAm allow it?

10. bourne63 9:20 pm 07/7/2011