World Password Day is Thursday, I know all of my readers are gearing up major parties to celebrate. What, you don’t know about this day in flackery? Read on.
I know my inbox runneth over with WPD PR pitches. Perhaps you have already planned your day, such as noting yet another account of yours that has been breached? Another chance to reuse that password from 1992? Time to get another password manager other than Lastpass? Or perhaps just have a cupcake decorated with ones and zeros? (Image credit: Google’s Gemini)
Here is how I am celebrating. I am actually reviewing the two free identity protection services that I have been granted, thanks to two recent and massive data breaches. One is from the credit bureau Experian, the other from a company called IdentityDefense.com. Normally, these outfits charge anywhere from $10 to $30 a month, and in the past I have not been motivated to use these, or any other service. Here is the problem: being a privacy paranoid person, I don’t want to give out any of my numbers. Yet to sign up for these services, you have to lay it all out there: SSN, birth date, previous addresses, drivers license, phone numbers and so forth.
Some things you might want to know: my wife and I have had spurious credit card charges over the years — one just recently where someone kept trying to charge a rideshare in San Francisco repeatedly. And I think her credit is still frozen (although I don’t recall when we got it or if we actually unfroze it).
The dashboard for IdentityDefense looks like this:
You’ll notice that it shows you a bunch of dark web alerts (where a bunch of passwords have been collected after a breach by some baddie), my credit score (nice), and a bunch of other stuff. The alerts all date from when I initiated the service last month and haven’t been updated. Some of these alerts are less than meaningful, such as the breach of Xss.js that was found in May of 2018 or the one called Combolist_bundles_solenya from December of 2017. I have no idea what these were, and if actually wanted to change my password, where to go about doing so. On some of the other dark web listings, the breach id’ed an actual website where I didn’t ever have an account. So right away, you can see that this information isn’t very helpful.
One thing that IdentityDefense does have is a way to file online credit freezes for the three credit agencies. You could probably find the web pages for these on your own, but still, it is nice to have this all here in one place.
Let’s look at the Experian ID works dashboard. It is less than useful:
This is because almost everything that you want to know about will require a lot of clicking around, For example, you see the “CreditLock” panel — that is slightly more than a freeze, because you can lock and unlock it in real time, and of course this is just for Experian. When you find your way to the dark web alert report, you will also see a lot of useless data, such as an email address for me that I have never used, although attached to my actual phone number. One alert had both the right phone and email for a breach from Apollo.io in July 2018, never heard of them, and when I tried to reset my password on their site, it claimed no one with that email has an account.
There is another service that businesses use to manage their dark web and other threats that I have used from time to time from CyberSixGill.com, where I wrote a white paper for them a few years ago. That paper spoke to this situation of not having very complete information about what was breached, or how metadata on the breach wasn’t of sufficiently high-enough quality or complete enough to be actionable. I wrote that you should be able to visualize the context of the threat and figure out where you were compromised, and what you should do in the future to prevent something similar from happening. That is still very much the case.
And if you are in the market for one of these services, you can read Paul Bischoff’s hands-on review of these and other services here on Comparitech. He puts them through more rigorous testing, and recommends services depending on how much of your life you want to divulge and then protect, and how complex a financial situation you might have.
So you should know by now that when something is free, it may or may not have any value to you. That latter situation is certainly the case with these protect-after-breach situations. Far better to have stronger (long and complex) passwords that are unique and managed by a service other than LastPass (I use Zoho Vault, which is free and does have value).
And if you are still in the mood to celebrate WPD, this comment from a security nerd from 2018 is instructive: “Happy WorldPasswordDay. Or in 90 days, WorldPassword1 Day.” Last year, I wrote: “Maybe on WPD in 2024 we can finally break out the bubbly and celebrate their actual demise.” Nope, not yet, put that bottle back in the fridge.
David Strom's Web Informant 
This post arrived in my inbox as I was concluding a 35-minute remote session updating my LastPass software with the IT department at my university, which provides me with free LastPass, so I was struck by your “password manager other than LastPass” comment. I looked at your 8/25/23 post on evaluating password managers, in which you wrote, “I switched over to Zoho after getting tired dealing with all the Lastpass breaches.” I have had LastPass for a year now, and I’ve never been notified of any breaches — possibly because my account is part of a university enterprise account? Should I be concerned? I welcome any further light you can share on LastPass, which, of course, has all of my personal info. Thanks, David.