Has my information been breached?

Image of glass shattering with the word cybersecurity in pieces and a human hand poking through the glass

How do you know if your information has been taken by some nefarious hacker?

Just assume it has.

Cyber attacks happen "all the time" but the season of giving may be particularly ripe for thieves who want to hack into your online information. What can you do to protect your information?

Change your passwords

It’s always best to change passwords for sites that contain sensitive information such as financial, health or credit card data. Do not use the same password across multiple sites and never use your Social Security number as a username or password, especially in the wake of the recent Equifax breach that affected millions of people.

And if you are not doing so already, treat everything you receive online with suspicion – in your personal and business email, in case hackers are trying to trick you out of even more information.

What else can you do?

Create stronger passwords.

  • Go for at least 12 characters long and a random combination of numbers, symbols, upper- and lowercase letters.
  • Do not use the same password repeatedly.
  • Do not use browser-based password management – it's not secure.
  • For personal/private accounts: Consider using a password manager app, such as 1Password or LastPass, for managing passwords for personal purposes.
    • "These apps are not recommended for critical accounts, such as banking, trading, etc. It is a good idea to have multiple passwords for different levels in terms of importance," said Dan Kim, professor, Information Technology and Decision Sciences, College of Business.
    • "I don't use a password manager, but rather rely on my memory for personal passwords that don't have a reset feature, but I do have a record of those on an encrypted drive as a backup to my memory. I still have to remember the password to access the encrypted drive, but it is one that I use frequently enough to not forget," said Philip Baczewski, executive director, University IT.
    • "If you are considering using an Excel file to store your password, and you are selecting the Encrypt with Password option, yes, your Excel file is secure. Just keep in mind that not even Microsoft can open the file if it becomes corrupt," said Chris Stoermer, senior IT support manager, Administrative IT Services.
  • For UNT accounts: UNT does not have a recommended password manager. For university access, there is only one UNT-related password users need to remember and that is the one associated with the enterprise user identification, EUID. One approach to this issue is to select a password theme for various kinds of accounts and then have custom variations for different accounts as a way to promote memory instead of the use of Post-it notes.

Jacob Flores, UIT system administration supervisor, and former Help Desk manager, agrees with Joe Kissell's advice in a recent Wirecutter article, The Best Password Managers.

"I strongly recommend the use of a password manager. However, to be most effective, the user cannot simply enter their existing passwords into their password manager of choice. They should create new lengthy and complex passwords for each website/service, Flores said.

"Those existing passwords are to be considered too simple and/or similar to each other if they didn’t require a password manager to be remembered beforehand. For instance, having a password manager “manage” a database where every login was username@domain.com with JackAndJill77 as the password - or slight variations for each, as some tend to do – isn’t any more secure than when they started. They’ve simply documented their list of usernames and simple passwords.

"When starting to use a password manager, new passwords should be randomly generated and they should be as long as possible for each website/service. The user should have one very long password/passphrase protecting the password manager database, preferably with two-step or multi-factor authentication, MFA, protecting it, and that be the primary password they have to remember. I know my UNT password, my personal email password with MFA, and my password manager password with MFA – the rest are very lengthy, random strings that I don’t know, stored in my password manager. Having unique, lengthy random passwords may seem like paranoia-level security, but if you have a password manager remembering passwords for you, why not be as secure as possible?

"I agree with Kissell's choice(s). I would [hesitantly] recommend LastPass to your average computer user because of its simplicity in getting you set up with a secure password manager. It does that well and that’s really the driving point. However, LastPass has changed its pricing/features so many times over the last 10 years that there’s no telling what price they may stick you with once you’ve vested into their product. That being the case, and my being comfortable with technology, I went with what the article’s author gave special mention to in the “What about KeePass?” section: KeePass.  Rather than being just an application, it’s also a database standard.  So you’ll find a multitude of free and open-source KeePass compliant applications for any platform (Windows, Mac, Linux, Android, iOS, etc.) and your KeePass database that you control, as opposed to always being “in the cloud,” will work with whatever application you choose. Pretty slick."

Cyberattacks cost businesses an estimated $400 billion per year globally from direct damage and post-attack operation disruption. To give companies a way to evaluate and address their cyber risks in this quickly evolving technology age, the National Institute of Standards and Technology has developed the NIST Cybersecurity Framework.

Editor's Note: Please note that information in each edition of Benchmarks Online is likely to change or degrade over time, especially the links to various websites. For current information on a specific topic, search the UNT website, UNT's UIT Help Desk or the world wide web. Email your questions and comments to the UNT University Information Technology Department or call 940-565-4068.