A credential dump is a list of email addresses and other account information, sometimes including passwords, that is published or sold online. When the news covers a data breach at a big company like LinkedIn or Dropbox, a credential dump is often leaked afterwards. More often, however, credential dumps take the form of combined lists assembled from numerous smaller breaches of many compromised websites over the course of several years.
These lists are commonly exploited because of insecure password practices. According to a 2018 study, 59% of users mostly or always use the same password or variation of the same password across multiple online accounts; 62% of users use the same passwords between work and personal accounts; only 55% of users update their password after news of a site or service leaking their credentials; and 61% of users claim “fear of forgetting” as the primary reason for reusing passwords. Hackers rely on practices like these to gain access to seemingly unrelated accounts after credentials are leaked.
What about my Simmons account?
Simmons Technology receives regular updates from information security sources that notify us when our users’ credentials are potentially leaked, and our Service Desk staff is ready to assist with account compromise and password reset procedures. Additionally, we require the use of SharkPass for our web applications, which adds another layer of security to your login.
What else can I do?
Luckily, there are a few resources available to reduce the impact of credential dumps:
- Check your accounts! Have I Been Pwned is a web service that allows you to search across multiple credential dumps to see if your email address has potentially been compromised.
- Stop reusing passwords across different websites and services. LastPass is a password manager and password generator that stores and encrypts passwords for different websites.
- Change your passwords. For your Simmons account, visit preferences.simmons.edu and reset your password from time to time. Remember to choose strong passwords of at least 8 characters including both letters and numbers, and at least one non-alphanumeric character (e.g. “$1MmonsC0l1eg3”).
- Enable two-factor authentication, like SharkPass, on external accounts where it is available. Two Factor Auth (2FA) provides a good list of sites and services that support it.
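The two checks above (does a password meet the minimum policy, and has it already appeared in a credential dump) can be automated. The following is an added example, not code from Simmons Technology or from Have I Been Pwned: it applies the page's stated password rules, and it demonstrates the k-anonymity lookup that the Pwned Passwords range API uses, where only the first five characters of the password's SHA-1 hash leave your machine and the service returns every leaked hash suffix sharing that prefix. The API response below is constructed for offline use (the count of 12345 is made up); in practice the response would come from an HTTPS request to the range endpoint.

```python
import hashlib
import re


def meets_simmons_policy(password: str) -> bool:
    """Minimum rules from the page: 8+ characters, at least one letter,
    one digit and one non-alphanumeric character."""
    return (
        len(password) >= 8
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to the
    service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_sample_response(password: str, count: int) -> str:
    """Construct a fake range response (assumption: real responses are
    CRLF-separated lines of '<35-hex suffix>:<count>' for one prefix).
    Two noise lines stand in for other leaked hashes with the same prefix."""
    _, suffix = sha1_prefix_suffix(password)
    lines = [
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",   # constructed noise
        f"{suffix}:{count}",                         # the password under test
        "011053FD0102E94D6AE2F8B83D76FAF94F6:3",   # constructed noise
    ]
    return "\r\n".join(lines)


def breach_count(password: str, response_text: str) -> int:
    """Return how many times the password appears in the dump data behind
    the range response, or 0 if its hash suffix is not listed."""
    _, suffix = sha1_prefix_suffix(password)
    for line in response_text.splitlines():
        hash_suffix, _, count = line.strip().partition(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the range lookup of the SHA-1 prefix of "password".
SAMPLE_RESPONSE = build_sample_response("password", 12345)
```

A password that passes `meets_simmons_policy` but returns a non-zero `breach_count` should still be considered compromised and replaced.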
Questions or concerns about Information Security?
Contact Richard Phung, Information Security Analyst.