Your IT Consultant

Has Your New Password Already Been Compromised?

August 8, 2017

We've all been there. We get a notice that the service we use has had a data breach and we need to change our password immediately. Many don't realize that NIST (National Institute of Standards and Technology) is in the process of changing its recommendation for password management and control. The prior guidance was to have complex passwords and change them on a frequent basis. Not anymore. The new NIST recommendations (expected to be approved in the next several months), among other things, suggests changing passwords when the password you want to use has already been proved to be compromised. How do you do that?

The obvious solution is to check a database of known compromised passwords to see if the one you want to use has already been hacked. Security researcher, Troy Hunt, has updated his Have I Been Pwned site https://haveibeenpwned.com/ to include the hash values of 320 million hacked passwords. Once you have been notified that your logon credentials may have been compromised as a result of a data breach, go to Troy's site and enter your new password. If the password has already been used by someone else, you'll get an alert warning. Troy doesn't store the actual password. Only the hash value is in the database.

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
https://www.linkedin.com/in/johnsimek
https://amazon.com/author/johnsimek
https://www.senseient.com