At a certain point, it seemed like everyone on the Internet had their personally identifiable information stolen ten times over.
Now the “in” breach is password databases. Unlike stolen personally identifiable information (PII), a leaked password database lets us try out our john/hashcat/saminside skills while we chortle over the bad passwords users pick.
If you don’t know your password has been stolen, that is probably because the website chose to do a forced password reset rather than buy you credit monitoring. That leads to a question: if someone compromises an Android web forum and steals one million usernames and hashed passwords, do I have to be notified?
States with data breach notification requirements tend to include a digital safe harbor for encrypted data. That is one reason we encrypt files: if a laptop is stolen, and we can prove the data on it was encrypted, we don’t have to worry about notification.
Do password hashes count for this digital safe harbor?
How about if only username, email and password hash are compromised? Does that count as a PII data breach that must be disclosed?
If you use the same password across multiple websites, or you use a pattern based on the website name, then cracking one site’s hash of your password compromises all of your accounts, because the attacker recovers the password offline and simply tries it, or the obvious variation of it, everywhere else. The website operator may not notice the intrusion, or may not care to disclose it. While you might not care if someone starts posting as you on a hobbyist web forum that you stopped posting to 5 years ago, you’ll care when the same credentials get access to your Facebook account, which is then used to scam your friends, or when what you put on Facebook is enough to answer your bank’s security questions.
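To make the two points above concrete, here is an added example (not code from the original post) that simulates a leaked forum database and runs a small hashcat-style wordlist attack against it. The usernames, passwords, site name “androidforum” and the wordlist are all constructed for the illustration; nothing here is real breach data. It shows why a table of unsalted fast hashes is not “encrypted” in any useful sense (one hash computation tests every user at once, and site-name patterns fall to a couple of mangling rules), and why per-user salting with an iterated hash at least forces the attacker to pay the full cost per user.

```python
"""Added example: cracking a constructed leak of unsalted MD5 password hashes
versus a salted, iterated PBKDF2 store. All data below is made up."""
import hashlib
import os

# --- Constructed "leak" ------------------------------------------------------
# Passwords the fictional users chose. The cracking functions never read this
# table; they only see the hashes derived from it.
_CHOSEN = {
    "alice": "password1",
    "bob":   "Qwerty!",
    "carol": "androidforum1",      # pattern based on the site name
    "dave":  "Androidforum2015",   # same idea, capitalised with a year
    "erin":  "x7#Pq9!vLm2$wT",     # random, from a password safe
}
SITE = "androidforum"              # hypothetical site name


def leak_unsalted_md5(chosen=_CHOSEN):
    """Simulate a forum that stores md5(password) with no salt."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in chosen.items()}


def leak_salted_pbkdf2(chosen=_CHOSEN, iterations=1000):
    """Simulate per-user random salt plus iterated PBKDF2-HMAC-SHA256.
    The iteration count is kept small so the demo finishes quickly; a real
    deployment would use a far higher one."""
    out = {}
    for u, p in chosen.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations))
    return out


# --- Attacker side -----------------------------------------------------------
BASE_WORDS = ["password", "qwerty", "letmein", "123456", "welcome"]


def candidates(site):
    """Tiny wordlist, the site name, and a few mangling rules of the kind
    hashcat applies: capitalise, append '!', append a digit, append a year."""
    for w in BASE_WORDS + [site]:
        for v in (w, w.capitalize()):
            yield v
            yield v + "!"
            for n in range(10):
                yield f"{v}{n}"
            for year in range(2010, 2020):
                yield f"{v}{year}"


def crack_unsalted(leak, site):
    """Unsalted: hash each candidate once and look it up against ALL users.
    Returns (recovered {user: password}, number of hash computations)."""
    by_hash = {}
    for user, h in leak.items():
        by_hash.setdefault(h, []).append(user)
    found, attempts = {}, 0
    for guess in candidates(site):
        attempts += 1
        h = hashlib.md5(guess.encode()).hexdigest()
        for user in by_hash.get(h, []):
            found[user] = guess
    return found, attempts


def crack_salted(leak, site, iterations=1000):
    """Salted: every candidate must be re-derived for every user's salt, and
    each derivation costs `iterations` rounds. Same return shape as above."""
    found, attempts = {}, 0
    for user, (salt, dk) in leak.items():
        for guess in candidates(site):
            attempts += 1
            if hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations) == dk:
                found[user] = guess
                break
    return found, attempts


if __name__ == "__main__":
    f, n = crack_unsalted(leak_unsalted_md5(), SITE)
    print(f"unsalted MD5: recovered {sorted(f)} with {n} hash computations")
    f2, n2 = crack_salted(leak_salted_pbkdf2(), SITE)
    print(f"salted PBKDF2: recovered {sorted(f2)} with {n2} derivations")
```

Both attacks recover the same four accounts and miss only the random password, which is the point: the hash scheme decides how expensive the attack is, not whether weak passwords survive it. Note that `crack_unsalted` never has to hash more than once per candidate no matter how many users are in the dump, which is why a million-row unsalted table is, for practical purposes, a plaintext table for every user who picked something guessable.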
Not to sound like a broken record, but as long as we use passwords, you need to have a different one for every site. The only way to do that is through a password safe. I like LastPass because it can easily be on every computer and mobile device I have. It can prompt me to save a new site when I log into a site that I haven’t previously saved to LastPass. It can run a security check to let me know about duplicate and weak passwords. The time when one password could rule them all is over.