Video Summary
In This Tutorial
Learn what to do when you hear about a big password leak. Understand how to stay safe using a password manager, check for compromised passwords, use two-factor authentication, and protect yourself from phishing attacks.
Don’t Panic
Articles about password leaks are common and often sensationalized. Many leaks are from old databases, and the info may not be new. The goal of these articles is usually to grab your attention, not necessarily inform you accurately. Focus on your own security instead of reacting emotionally to vague headlines.
You Need To Be Using a Password Manager
Password managers are essential for modern security. They generate strong random passwords, help you enter them easily, and prevent phishing by only filling in passwords on the correct websites. Apple users already have one built in via the Passwords app. Use that at the very least, or choose a third-party manager if preferred.
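The phishing protection described above comes from binding each saved login to the site it was saved on. The following is an added example, not code from the video or from any real password manager: the saved logins and URLs are constructed, and the exact-host rule is an assumption that is stricter than the domain matching real managers use.

```python
from urllib.parse import urlsplit

# Constructed saved logins: exact host the credential was saved on -> username.
SAVED_LOGINS = {
    "login.bank.example": "gary",
    "mail.example": "gary@mail.example",
}

def normalized_host(url):
    """Return the ASCII (punycode) host of an https URL, or None."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return None  # never offer a saved password over plain http
        host = parts.hostname.rstrip(".")
        # IDNA encoding turns look-alike Unicode letters into xn-- labels,
        # so they can no longer compare equal to the saved ASCII host.
        return host.encode("idna").decode("ascii").lower()
    except (ValueError, UnicodeError):
        return None

def autofill(url, saved=SAVED_LOGINS):
    """Return the username to fill on this page, or None to offer nothing."""
    host = normalized_host(url)
    return saved.get(host) if host else None

if __name__ == "__main__":
    # Constructed test URLs: the real site first, then look-alikes.
    for url in [
        "https://login.bank.example/signin",
        "http://login.bank.example/signin",
        "https://login.bank.example.evil.test/",
        "https://login.bank.example@evil.test/",
        "https://login.b\u0430nk.example/",  # Cyrillic letter in place of "a"
    ]:
        print(f"{autofill(url) or 'no fill':10} {url}")
```

When the manager offers nothing on a page that looks familiar, that silence is the warning sign.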
Check Your Password Manager’s Security Section
Open the security section of your password manager to see compromised, reused, or weak passwords. Apple’s Passwords app will flag any passwords found in security breach databases. Change compromised or weak passwords right away. Don’t reuse passwords across different sites.
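To show what a security section computes, here is an added example (not Apple's or any vendor's code) that flags compromised, reused, and weak entries in a small vault. The vault, the breach list, and the weakness rule (under 12 characters or a single character class) are constructed assumptions.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    # Used only as a lookup key against the breach list, not for storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a breach database, held as digests so the
# checker never needs the leaked plaintext.
BREACHED = {sha1_hex(p) for p in ("password123", "letmein", "qwerty2020")}

# Constructed vault entries: (site, password).
VAULT = [
    ("bank.example", "password123"),
    ("mail.example", "tN4v-Qz8r-Lm2x-Wp7k"),
    ("shop.example", "Summer2019"),
    ("forum.example", "Summer2019"),
]

def is_weak(password):
    """Simplified heuristic: short, or drawn from one character class."""
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    return len(password) < 12 or classes < 2

def audit(vault, breached):
    """Map each site to the warnings a security section would list."""
    sites_by_digest = defaultdict(list)
    for site, password in vault:
        sites_by_digest[sha1_hex(password)].append(site)
    report = {}
    for site, password in vault:
        digest = sha1_hex(password)
        flags = []
        if digest in breached:
            flags.append("compromised")
        if len(sites_by_digest[digest]) > 1:
            flags.append("reused")
        if is_weak(password):
            flags.append("weak")
        report[site] = flags
    return report

if __name__ == "__main__":
    for site, flags in audit(VAULT, BREACHED).items():
        print(f"{site:15} {', '.join(flags) or 'ok'}")
```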
Use Two-Factor Authentication For Important Sites
Set up two-factor authentication (2FA) on accounts that matter—banking, email, social media, etc. Use an app, your password manager, or SMS to receive codes. Even if someone has your password, they won’t get in without that second factor.
Beware Of Phishing Attacks
Scammers try to trick you into giving up codes or personal info via email, text, or calls. If someone asks for a code they supposedly just sent you, it’s a scam. Never share codes or personal info this way.
Should You Change Your Passwords Anyway?
If a specific service is mentioned in a breach and you have an account there, check their official guidance. Otherwise, you don’t need to change all your passwords every time you see a scary article. It’s more effective to regularly review the security section of your password manager and keep 2FA enabled.
Video Transcript
Hi, this is Gary with MacMost.com. Did you just see an article about a huge leak of billions of passwords? Don't Panic! I'll tell you what to do.
Let's say you just saw an article about a huge number of passwords that have just been leaked. You think, wait a minute. I use passwords. Maybe I'm in some sort of danger here. What should I do?
Well, the first thing is don't panic! You actually see articles like this all the time. You may miss most of them but sites are constantly publishing articles because they make for great clickbait. In fact a lot of the articles you see are basically updates, month after month, of the same password leak. Those leaks themselves aren't actually new leaks. They're just discovered databases of passwords online. The passwords, themselves, may have actually been leaked years and years ago and they're just accumulating. That's why these leaks seem to get bigger and bigger. They include the old passwords as well as, maybe, some new ones that they found. Sometimes the articles are really vague because it is not just passwords, it's IDs, other personal information, things like that. So they will show a really big number but maybe only some of that is passwords.
Some may not actually be passwords but hashes which are ways to identify if a password is correct. A leak of a hash really isn't that dangerous. It is the password, itself, that's the problem. But articles tend to be very vague about this kind of thing. They want you to feel scared. They want you to read the article every time. So the main thing you need to do is don't panic. Just because you see an article like this today doesn't mean you're suddenly in some sort of danger. Here's what you should do.
The first thing is you should be using a Password Manager. If you're not using a Password Manager by now you're really behind on security. Password Managers do three main things to protect you here. One is they generate strong passwords when you create a new account or change your password at an existing account. It's important to have strong passwords. If you think of the password yourself it's a weak password, especially if it includes like a name, a date, anything like that. That's easily guessed by an algorithm. A strong password is one that is just a random string of letters and numbers.
Next, it allows you to enter the password easily by inserting it for you. This is important because without that if you had to type the password yourself you're going to tend to fall back on shorter, weaker passwords that are easy to remember. It's important that the Password Manager help you enter your password because that is what allows you to use the strong unique passwords.
The third thing it does is protect you from phishing attacks when you are sent to a site that's not a real site. Instead of entering the password into a site that's not the real one, a Password Manager is simply going to not know what the password is for that site, because it is the wrong site. That's a very important aspect of what Password Managers do. So you should be using a Password Manager by now.
Now, as an Apple user you are lucky you've got a built-in Password Manager on all your devices. The Passwords App from Apple provides all the security you need. You certainly can use a third party Password Manager if you like. But at least use the Apple Password Manager.
Okay, so you're using a Password Manager. You've heard about one of these security breaches. How can you check to see if your passwords are affected? Well, any good Password Manager, including Apple's Passwords App, has a section for this. In the Password Manager you go to the Security Section and here you can see that it lists any passwords that are compromised. You see any of these leaked passwords end up in the Security Database which a Password Manager will match to. So, it can identify if your password is one of the ones that has been compromised. This is where you'll find that. If you see one listed here that shows that it is compromised you know you've got to change that password as soon as possible. You'll also find other warnings here. Like if a password has been reused. It is very important that you only use a password at one site. Don't reuse it on other sites.
Sometimes you do get a false positive here. For instance Google has many different websites where you can log in using your Google Account. But in other cases you should not be using the same password at unrelated websites that have different accounts. Also, it is going to show any weak passwords here. So passwords that you made years ago and they are not strong passwords randomly generated by the Password Manager, they'll show here and you can take this opportunity to update those passwords to something stronger.
If you find these videos valuable consider joining the more than 2000 others that support MacMost at Patreon. You get exclusive content, course discounts, and more. You can read about it at macmost.com/patreon.
The other thing you should do is identify any sites that are very important. Things like banks, email accounts, social media. Anything that you use on a regular basis. Those should all be using two-factor authentication, where you use a security code generated by an app or by your Password Manager, or maybe received over text. Always use two-factor authentication when it is available. This means if somebody does have your password they still can't get into your account. They need that second factor there, that code, to get in.
So once you've got all that squared away, all the security alerts taken care of, you're using two-factor at all of the important sites, the other thing you need to worry about is social engineering. Basically phishing attacks. This is when you get an email, a text message, or a phone call from somebody who is trying to scam you. So you want to pay really careful attention to these. Make sure you don't give out any information. If somebody says they are sending you a code and then you need to send them back that code, that's a phishing attack. They're actually trying to trigger your two-factor authentication and then getting you to tell them the code.
So one last thing I want to address is what if a site or service isn't listed as a security problem in your Password Manager. Should you still change the password when you see one of these scary articles? Well, if the password breach does involve a particular site or service and you have an account there then you want to go to that particular site or service and see what they advise. If it is a true serious threat then they will probably be telling people, oh everybody should update their passwords. Then you do that. Otherwise whether you update the passwords is up to you. If it makes you feel better you can but most of us have way too many accounts to be changing our passwords every time we see a scary article. Remember if you change the password recently for a site and then there is a new leak, chances are they have your old password, not the new one, and hopefully you are protected by two-factor authentication anyway. So it is not always necessary to constantly be changing your password every month or so. But it probably is a good idea to every once in a while, perhaps every month or so, check your security section of your Password Manager even if you haven't seen a scary article just to see if there are any new compromised passwords listed.
To summarize, don't panic. Check the security section of your Password Manager, and stay informed. Thanks for watching.
Thanks bunches
Another excellent, succinct video Gary & team. Thanks.
OK, OK, Gary...you talked me into using a PW manager.....😡 I don't trust them but it is really getting to the point that I have to get some help. Another safety precaution I do is: NEVER click in an email to go to my bank or other sensitive site. I note what they want me to know and then I log in myself without the email link. The extra step could save me a lot of headaches. THANK YOU for all you do for the Mac community.