5M Google Passwords Leaked

A three-year-old file containing 5 million Google user passwords is making the rounds of the Russian hacker underground.

Report from The Register.

No one knows how it got out, whether due to corruption within the Google ranks (what better place to find those with “entrepreneurial” urgings), incompetence (systems defense is hard — it requires real smarts — that’s why the militaries and intelligence services of the world prefer spending their money on offensive measures) or the result of attacks on and undermining of Internet security by state actors (states like the US, UK and China, which have been relentless in creating back doors to popular systems like Google’s, back doors that criminals are now exploiting).

You can check to see if one of your accounts has been compromised by going to haveibeenpwned.com. The database for that site contains millions (168 million at this writing) of e-mail addresses and user names published by the bad guys in tens of major breaches to date. The site was set up by Troy Hunt, an Australian security expert, and provides consumers with a powerful tool for checking on their personal exposure. Thanks Troy!

For this particular breach, those who have changed their passwords within the last couple of years should be safe — so long as those new passwords are strong, that is, hard for a cluster of 8-core computers to guess using dictionary and brute-force attacks (the technology used by these guys is very common and cheap, but just a little additional complexity can make their task near impossible).

Strong passwords are based on long phrases, or on acronyms that look nonsensical but actually stand for something the user can remember:

This1smy$tr0ngp4ssw0rd “This is my strong password”

Th3Qu1ckBr0wnF0xJ4mps0v3rTh3L4zy$ “The Quick Brown Fox Jumps Over the Lazy $”

Tr1ssm0tp (“the rain in spain stays mainly on the plain”)

Mhmhmkf4h! (“My horse, my horse, my kingdom for a horse!”)

Obviously you shouldn’t now use any of the above. Try to be creative, put a little thought into it, and for heaven’s sake use a good free password management app like Password Safe (written by cryptographer and security expert Bruce Schneier).
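To put some numbers on the two kinds of attack mentioned above, here is a small Python script, added as an illustration and not part of the original post. It models the naive brute-force keyspace (character set size raised to the password length) and a plain dictionary-phrase test that first undoes the usual digit-for-letter substitutions. The guess rate, the tiny word list and the substitution table are all constructed assumptions for the demonstration; real cracking word lists are vastly larger and real guess rates depend entirely on how the service hashed the password. The point it makes beyond the text: a phrase disguised with substitutions (the first example) is only as strong as the phrase itself once the substitutions are undone, whereas the acronym examples do not reduce to dictionary words at all.

```python
import math
import string

# Assumed guess rate for a small cluster of commodity 8-core machines against
# a fast, unsalted hash. Illustrative assumption, not a figure from the post.
ASSUMED_GUESSES_PER_SECOND = 10 ** 9

# Constructed mini word list. A real cracking dictionary has millions of
# entries, which only makes the "disguised phrase" finding stronger.
TINY_DICTIONARY = {
    "this", "is", "my", "strong", "password", "the", "quick", "brown",
    "fox", "jumps", "over", "lazy", "dog", "rain", "in", "spain",
}

# Common single-character substitutions that cracking tools undo before a
# dictionary lookup (assumed table; tools use far larger ones).
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "$": "s", "@": "a",
})


def charset_size(password: str) -> int:
    """Size of the smallest standard character set containing every character
    of the password; this is the alphabet a naive brute force must search."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace a naive brute-force attack must cover."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str,
                     guesses_per_second: int = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case years needed to try every candidate in the keyspace."""
    keyspace = charset_size(password) ** len(password)
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def segments_into_words(text: str, words: set) -> bool:
    """True if text can be split entirely into dictionary words (dynamic programming)."""
    reachable = [True] + [False] * len(text)
    for end in range(1, len(text) + 1):
        for start in range(end):
            if reachable[start] and text[start:end] in words:
                reachable[end] = True
                break
    return reachable[len(text)]


def is_disguised_phrase(password: str, words: set = TINY_DICTIONARY) -> bool:
    """True if undoing substitutions and case leaves nothing but dictionary
    words, i.e. the password is a known phrase in disguise, not an acronym."""
    plain = password.translate(LEET_MAP).lower()
    plain = "".join(c for c in plain if c.isalpha())
    return bool(plain) and segments_into_words(plain, words)


def assess(password: str) -> dict:
    """Summarise both attack models for one password."""
    return {
        "password": password,
        "bits": round(brute_force_bits(password), 1),
        "years_fast_hash": years_to_exhaust(password),
        "years_slow_hash": years_to_exhaust(password, 10 ** 4),
        "disguised_phrase": is_disguised_phrase(password),
    }


if __name__ == "__main__":
    # The post's own examples (do not reuse them; they are public now).
    for pw in ("This1smy$tr0ngp4ssw0rd", "Tr1ssm0tp", "Mhmhmkf4h!"):
        print(assess(pw))
```

The `bits` figure is the robust number: the years columns swing by many orders of magnitude depending on whether the site stored a fast hash or a deliberately slow one, which the user never controls. Note also that the 9-character acronym falls in under a year against a fast hash at the assumed rate, so length still matters even for an acronym; the sentence-long examples above are the ones that hold up regardless of the hash.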

This entry was posted in Editorial, Security.

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).