How to limit the impact of data breaches
Some best practices and tools.
A few days ago I read the following tweet:
Unfortunately, the only correct answer is “I’ll get hacked again”. There’s simply no way we can prevent that websites or apps get hacked and consequently our personal data get stolen.
This may sound very discouraging, but there are several things you can and should do to prevent certain types of attacks and reduce harm when a data breach happens.
Defend against password reuse and brute force attacks
It’s the same old story, but a very important one: use a unique password for all your accounts. It prevents password reuse attacks that hackers use to break into different websites and services using the same username and password.
It’s not enough to use unique passwords. Use strong passwords that are not known to be breached. Attackers will try to brute force access to user accounts by using predefined lists of weak, often previously breached passwords. Some websites already block breached passwords, but most unfortunately don’t. If you use Chrome, Okta’s passprotect extension is worth installing. Whenever you enter a password on a website it checks against half a billion breached passwords and notifies you when the password is not safe to use.
The best passwords are random and long ones you can’t even remember. Password managers are ideal to generate and recall these passwords when necessary.
Limit the impact of a data breach
Every time you register an account ask yourself:
How can I minimize the impact when this account is hacked?
Here are some best practices and tools to help you:
As discussed already, use strong, unique passwords to limit the impact of a breach.
Specify only strict necessary data at account creation. When asked for unnecessary data in mandatory fields, enter fake data.
Activate two-factor authentication when possible. Even if attackers got your password they can’t access your account unless they are able provide a second verification (typically a code received via sms or an authenticator app). twofactorauth.org is a handy site that lists sites offering 2FA. There’s also an extension available for Google and Firefox (https://2fanotifier.org/) that uses twofactorauth.org under the hood and notifies when a site supports 2FA.
Often overlooked, but when you give other sites or apps access to an account they form a potential security risk for that account when they get hacked. Be very restrictive with giving a site or app access and when it’s hacked or you no longer trust it, remove its access immediately.
Data breach detection
One of password security best practices is to change passwords when there’s proof of compromise. This implies that on top of the measures discussed earlier, data breach detection services are a necessary part of your overall defense strategy.
Although these services only cover a fraction of all data breaches, they are still very valuable. The best known is probably Have I Been Pwned? You can subscribe with a particular email address and will get notified when it appears in a data breach.
Another interesting service is HackNotice. The approach is a bit different. You can specify which companies, sites and apps you want to monitor for breaches and for which identities. Whenever your identity is found in a breach that’s being monitored, you’ll be informed.
Some password managers also offer breach detection services. When you’re about to select or switch to another password manager it’s certainly good to keep this in mind.