I recently wrote about how you could check to see if your email and password details have been hacked by visiting shouldIchangemypassword.com. Since my article was published, even more details have been stolen and that website now holds data on over 1.4 million compromised user details.
A few days ago I was in contact with Daniel Grzelak, the IT consultant who set up and maintains the site, and I took the opportunity to ask him a few questions about the site and his views on the problems.
What first made you decide to set up the website?
One day I found myself downloading all the leaked data and searching for my email, then my family's, then my friends and so on. With the sheer volume of leaks recently, that got out of control pretty quickly.
What’s the old programming adage? A programmer's best asset is his laziness, which also happens to be his biggest liability. When I became too lazy to keep searching everything individually, I developed the website.
How many people use the site?
The site has had just over 400,000 visitors since launch, and is currently levelling out at between 2,000 and 5,000 visitors a day.
Have you been surprised by its popularity?
Yes, I've definitely been surprised by the popularity of the site. It was designed for family and friends and unless I've got lots of relatives I don’t know about, it has exceeded all expectations. It's been a great experience though, and I'd like to thank everyone for their support.
The site is obviously bad news for those who'd like to misuse the stolen data. Have you experienced any negativity towards either yourself or the site?
No, there hasn't really been any negativity beyond one common question: "Is this a phishing site?" Once people understand that the site is trustworthy, that's it. I don't necessarily think it's bad for underground hacker types because they already have this and other data. The recent data publications are just the tip of the iceberg.
You mentioned recently the idea of an automatic alert to notify someone when their password appears on a hacked list. Have you had any ideas or feedback on how this might be achieved?
An alerting service would be great but I just don't have the time to invest unfortunately. I would love someone trustworthy to partner with and implement it. There have been many individuals and organisations asking for it.
Do you feel more should be done on website security to help prevent these compromises?
It's a very difficult problem. In some cases, sure, there is a clear lack of awareness, understanding, effort and investment. However, if you look at all the high-profile organisations being compromised, many of them already invest lots of money in security. Information security is an asymmetric problem in that the attacker need only find a single crack in defences while the defender needs to find all the cracks and patch them.
Do you think websites should have better requirements for their users' passwords?
Storing passwords in clear-text is inexcusable nowadays, and so is using weak hashing algorithms like MD5. But the job of a website developer is not to make things secure, it’s to make things work. And not many developers have the security awareness or training required. Again, it’s a difficult problem: how do you teach every developer on the planet everything they need to know about security so that a single crack never appears?
Has any of the compromised data changed the way you would advise people about security issues?
Not really; most of the security body of knowledge is sound. One point that warrants discussion is password histories and what happens if those are compromised. It's common practice to store password histories so that people don't re-use old passwords, but if those histories are stolen, attackers gain access to a suite of passwords to try on other sites instead of just the one.
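Two of Daniel's answers above touch on how a site should hold passwords: the one calling clear-text and unsalted MD5 storage inexcusable, and the one on password histories that hand an attacker a whole set of passwords once stolen. The following is an added illustration written for this article, not code from shouldIchangemypassword.com or from Daniel. It puts the weak scheme next to a salted, iterated one (PBKDF2-HMAC-SHA256 from Python's standard library) and keeps a bounded password history as salted hashes rather than clear-text, so the re-use check still works while a stolen store yields no plain passwords. The iteration count and the sample user names and passwords are constructed for the example; a deployment would pick its iteration count from current guidance and its own hardware.

```python
import hashlib
import hmac
import os

# --- Weak scheme: unsalted MD5, the kind of storage the interview calls inexcusable ---
def weak_md5_record(password: str) -> str:
    """Unsalted MD5 of the password. Every user with the same password gets
    the same record, so one cracked value unlocks all of them, and a leaked
    table can be matched against precomputed hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# --- Hardened scheme: random per-record salt + PBKDF2-HMAC-SHA256 ---
# Assumption for this example only: a low iteration count so it runs quickly.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iters>$<salt hex>$<digest hex>.
    Storing the parameters with the hash lets the cost be raised later without
    breaking verification of older records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_record(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class PasswordStore:
    """Per-user current record plus a bounded history of *hashed* records.
    The history supports the re-use check the interview describes without
    retaining any clear-text that a theft of the store would hand over."""

    def __init__(self, history_size: int = 5):
        self.history_size = history_size
        self._current = {}   # user -> current record
        self._history = {}   # user -> list of previous records, newest first

    def set_password(self, user: str, password: str) -> bool:
        """Install a new password unless it matches the current one or any
        retained previous one. Returns False when re-use is detected."""
        previous = [self._current[user]] if user in self._current else []
        previous += self._history.get(user, [])
        if any(verify_record(password, rec) for rec in previous):
            return False
        if user in self._current:
            hist = self._history.setdefault(user, [])
            hist.insert(0, self._current[user])
            del hist[self.history_size:]      # drop the oldest beyond the bound
        self._current[user] = make_record(password)
        return True

    def check_login(self, user: str, password: str) -> bool:
        record = self._current.get(user)
        return record is not None and verify_record(password, record)

    def dump(self) -> dict:
        """What a thief of the store would see: only salted, iterated records."""
        return {u: [self._current[u]] + self._history.get(u, []) for u in self._current}


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same weak password.
    print(weak_md5_record("password"), weak_md5_record("password"))  # identical records
    store = PasswordStore(history_size=2)
    store.set_password("alice", "correct horse")
    store.set_password("alice", "battery staple")
    print(store.set_password("alice", "correct horse"))   # False: still in history
    print(store.check_login("alice", "battery staple"))   # True
    print(store.dump())
```

The two MD5 records printed first are identical, which is exactly the property that makes a leaked MD5 table so cheap to attack; the PBKDF2 records for the same password differ in every run because of the random salt, and the history check still rejects a reused password by verifying against each stored record.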
Finally, do you see yourself expanding the scope of the site, or starting similar ventures in the future?
Not in the near future but you never know. If something interesting comes up, then I'll certainly consider it.