
MyHeritage Suffers Data Breach

In October 2017, MyHeritage suffered a data breach. Over 92 million customer records were exposed, including email addresses and salted SHA-1 password hashes.

Since then, attackers have been able to crack the majority of the password hashes. The list of email addresses and cracked passwords from the MyHeritage breach has recently been offered for sale on the dark web.

How does this affect me?

Password reuse: many people make the mistake of using the same password on many, or even all, websites.

If you used the same password for MyHeritage as for your email, Facebook, banking or other accounts, an attacker can simply try the leaked email and password pair against those services and get in. This is known as credential stuffing, and it is automated at scale.

What do I need to do?

Identify every service where you may have used the same password, and change it. On most websites this can be done from your account settings, or via the ‘forgot my password’ link.

Set each new password to something secure and unique to that site. Write it down in a notebook stored securely at home or, better, use a password manager.

Two great password managers are 1Password, and KeePassXC.

Another important step in staying secure is to turn on two-factor authentication wherever a website offers it. A leaked password on its own is then not enough to log in.

Check if you have been ‘Pwned’

HaveIBeenPwned.com is a free service that lets you check whether your email address or a password has appeared in any data breach whose data has become public.

You can check your email at: https://haveibeenpwned.com/

You can check a password at: https://haveibeenpwned.com/Passwords

I highly recommend you use this free service to help keep yourself secure.
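The password check above never receives your actual password. As an added illustration (not code from the original post or from HaveIBeenPwned), the following Python shows the mechanism the service publishes for this, the Pwned Passwords "range" API: the client hashes the password with SHA-1 locally, sends only the first five hex characters, receives every known hash suffix in that bucket, and does the match itself. The endpoint URL and the `SUFFIX:COUNT` line format are the service's documented ones; the `SAMPLE_CORPUS` table and the fake fetcher are constructed so the example runs offline, and `fetch_range_online` is included only to show the real call.

```python
import hashlib
from typing import Callable, Dict, Iterable, List

# Real endpoint of the Pwned Passwords range API; the 5-char prefix is appended.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def pwned_count(password: str, fetch_range: Callable[[str], Iterable[str]]) -> int:
    """Return how many times `password` appears in the Pwned Passwords corpus.

    Only the first 5 hex characters of SHA-1(password) leave the machine. The
    service answers with every known hash suffix starting with that prefix
    (one "SUFFIX:COUNT" line each) and the comparison happens locally, so the
    full hash, and of course the password, are never sent.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix):
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> List[str]:
    """Fetch one range bucket from the real service (needs network access)."""
    import urllib.request

    with urllib.request.urlopen(RANGE_URL + prefix) as resp:
        return resp.read().decode("utf-8").splitlines()


def make_fake_fetcher(known: Dict[str, int]) -> Callable[[str], List[str]]:
    """Offline stand-in for fetch_range_online, built from a constructed
    (password -> breach count) table and answering in the same line format."""
    buckets: Dict[str, List[str]] = {}
    for pw, count in known.items():
        d = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        buckets.setdefault(d[:5], []).append(f"{d[5:]}:{count}")

    def fetch(prefix: str) -> List[str]:
        # A filler line stands in for the hundreds of unrelated suffixes a real
        # bucket contains; the matching logic has to ignore them.
        return buckets.get(prefix, []) + ["0" * 34 + "A:1"]

    return fetch


# Constructed sample data: pretend these two passwords were seen in breaches.
SAMPLE_CORPUS = {"password123": 123456, "grenfell": 7}


if __name__ == "__main__":
    fetch = make_fake_fetcher(SAMPLE_CORPUS)
    for pw in ("password123", "grenfell", "woah!thispasswordisreallylong"):
        print(pw, "->", pwned_count(pw, fetch))
```

To query the live service, pass `fetch_range_online` instead of the fake fetcher; the only thing that changes is where the bucket comes from.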

What is salted and hashed?

When you sign up to a website you enter a password. A properly designed website does not keep the password itself; it converts the password to a hash and stores that in its database.

When you log in, the password you type is hashed again and compared with the stored hash. If the two match, you are let in.

If your password is grenfell and the website is using the SHA-1 hashing algorithm (as was the case with MyHeritage), the stored value is 3EC63D4F11F08C81B448F922A316E44E0F1628E0

A hash cannot be turned directly back into the password, which is meant to slow down an attacker who has stolen the database. But the attacker does not need to reverse it: they hash guesses and compare the results with the stolen hashes. SHA-1 is a fast, general-purpose hash rather than a dedicated password hash such as bcrypt or Argon2, so a single graphics card can test many billions of guesses per second.

Using a password cracking program called Hashcat, I was able to reverse the SHA-1 hash for grenfell in under a second. This was using a brute force on all lowercase letters and numbers.

A salted SHA-1 hash is produced a little differently. Before the hash is computed, a salt (a random value generated for that user and stored alongside the hash) is added to the password.

If your password was grenfell and the salt was 2019, the hash would be CEE02FF760DA4C0F8887AFDFA70EEF8AE1B70BC6

You can see the difference between the two hashes for the same password. If done correctly, each user’s password gets a unique salt, so users who share the same password still end up with different password hashes, and a precomputed table of hashes for common passwords is useless against the whole database.

Because the salt was known in my example, the password can also be cracked in under a second.

The attackers who cracked the MyHeritage password hashes were able to do so by discovering the salt that was used and then using it to crack the passwords. That is no surprise: a salt is not a secret, it is normally stored in the same database row as the hash, so it is stolen in the same breach. A salt stops precomputed tables and forces each user’s hash to be attacked separately, but it does nothing to protect a weak password once the attacker is guessing.
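The following Python is a worked example added here to illustrate the three ideas above (hash on sign-up and compare on login, per-user salts, and cracking with a known salt); it is not code from the original post and is not how MyHeritage or Hashcat implement anything. It builds a small user table both with and without salts, attacks each with a toy wordlist, and counts how many SHA-1 computations the attack needed. The user names, passwords and wordlist are constructed, and hashing the salt in front of the password is an assumption, since the post does not say in which order the two are joined.

```python
import hashlib
import secrets
from typing import Dict, Iterable, Tuple

Record = Dict[str, str]  # {"salt": ..., "hash": ...}, one row of the stolen table


def sha1_hex(data: bytes) -> str:
    """Plain SHA-1, hex encoded, as the post says MyHeritage used."""
    return hashlib.sha1(data).hexdigest()


def unsalted_record(password: str) -> Record:
    """Store SHA-1(password) only; identical passwords give identical hashes."""
    return {"salt": "", "hash": sha1_hex(password.encode("utf-8"))}


def salted_record(password: str) -> Record:
    """Store a fresh random salt next to SHA-1(salt || password).

    Salt-before-password is an assumption (the post only says the salt is
    "added to" the password). The salt is not secret: it sits in the same row
    as the hash and is stolen along with it."""
    salt = secrets.token_hex(8)
    return {"salt": salt, "hash": sha1_hex((salt + password).encode("utf-8"))}


def verify(record: Record, attempt: str) -> bool:
    """Login check: re-hash the attempt with the stored salt and compare."""
    candidate = sha1_hex((record["salt"] + attempt).encode("utf-8"))
    return secrets.compare_digest(candidate, record["hash"])


def crack_all(records: Dict[str, Record], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Offline guessing attack over a whole stolen user table.

    Returns (user -> recovered password, number of SHA-1 computations). Users
    that share a salt (all of them, when there is no salt) are checked with one
    hash per guess; with unique salts every user costs a separate hash.
    """
    users_by_salt: Dict[str, list] = {}
    for user, rec in records.items():
        users_by_salt.setdefault(rec["salt"], []).append(user)

    found: Dict[str, str] = {}
    work = 0
    for guess in wordlist:
        for salt, users in users_by_salt.items():
            h = sha1_hex((salt + guess).encode("utf-8"))
            work += 1
            for user in users:
                if h == records[user]["hash"]:
                    found[user] = guess
    return found, work


# Constructed sample data: four users, two of whom picked the same weak password.
USERS = {"alice": "grenfell", "bob": "grenfell", "carol": "letmein",
         "dave": "woah!thispasswordisreallylong"}
WORDLIST = ["123456", "password", "grenfell", "letmein"]  # toy attacker wordlist


def run_demo(salted: bool) -> Tuple[Dict[str, Record], Dict[str, str], int]:
    """Build the user table either way, then attack it with the toy wordlist."""
    make = salted_record if salted else unsalted_record
    records = {user: make(pw) for user, pw in USERS.items()}
    found, work = crack_all(records, WORDLIST)
    return records, found, work


if __name__ == "__main__":
    for salted in (False, True):
        records, found, work = run_demo(salted)
        label = "salted" if salted else "unsalted"
        print(f"{label}: cracked {found} using {work} SHA-1 computations")
```

Without salts the four guesses cost four hashes and hit alice and bob at once; with salts the same four guesses cost sixteen hashes, one per user per guess, yet the same three weak passwords fall. Only dave’s long passphrase survives in both runs, which is the point: the salt raises the attacker’s cost per user, the password strength decides whether they get in.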

In cases like this, simple passwords are the first to be cracked. Of the 92,283,889 accounts breached at MyHeritage, 91,991,358 were eventually cracked.

That leaves 292,531 users whose passwords were potentially strong enough to withstand the cracking attempts. Using strong passwords will help you be in that group.

Password Tips

Many people have poor password habits. They use the same password everywhere, and rely on obvious tricks to satisfy the complexity rules websites impose.

These obvious tricks include making the first letter uppercase, adding a number to the end of the password, or substituting an O with a 0 or an S with a $.

Here are some tips on what you should and should not do regarding passwords.

Your passwords should:

Contain as many characters as possible – longer is better, although some websites do have a limit: woah!thispasswordisreallylong is better than short1

Include uppercase and lowercase letters – mix them throughout, not just the first letter: ITSnotTOOhardTOMIXTHECASES!! is better than Generic1

Include a number and/or symbol – again, mix them in. Don’t put the number or symbol only at the beginning or the end: ADDSOMEsymbols$$HERE&THERE is better than Symbol$

Include multiple words – several words are easier to remember than a string of random symbols, numbers and letters: PASSphrasesarewhatyou#WANT244 is better than Password1

Your passwords should not:

Include any personal details – YourName1, 25StreetName, 026343####

Contain the name of a family member, friend, or pet – Father1950, Lucy90, Socks1

Contain the name of your town or farm – Grenfell2810, PropertyName2810

Make obvious substitutions, i.e. 0 instead of o, 1 instead of l, $ instead of s. Gr3nf311 is stronger than Grenfell, but cyber criminals know that we often replace letters with numbers that look the same, and cracking tools apply these substitutions to every word in their lists automatically.

Contain only a single word: single dictionary words are the worst passwords you could choose. A cyber criminal attacking a set of accounts will get into the ones with the simplest passwords first. If your password can be found in a dictionary, your account will be among the first compromised.
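To show why the "obvious tricks" in the list above buy so little, here is a small Python dictionary attack with mangling rules, added as an illustration and not code from the original post (real tools such as Hashcat do the same with far larger rule sets, and this toy version only handles unsalted SHA-1). The rules are: change the case, apply lookalike substitutions, and append one or two digits, a year or a common symbol. The word list, the rule set, the `LOCAL_TOKENS` list (the postcode an attacker targeting the town would add) and the target passwords are all constructed; the targets are the post’s own "should not" examples plus one of its good passphrases.

```python
import hashlib
from typing import Dict, Iterable, Iterator, Optional, Sequence, Tuple


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, hex encoded."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


# Letter-for-lookalike substitutions, the "Gr3nf311" trick.
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"})

# Things people append: one or two digits, a birth year, a few symbols.
# Constructed to mirror the post's examples; real rule sets are far larger.
SUFFIXES: Sequence[str] = (
    [str(n) for n in range(100)]
    + [str(year) for year in range(1940, 2030)]
    + ["!", "!!", "123", "1!"]
)


def mangle(word: str, extra_suffixes: Sequence[str] = ()) -> Iterator[str]:
    """Yield every variant of `word` the post's "obvious tricks" could produce:
    case changes, lookalike substitutions, and an appended number or symbol."""
    bases = {word.lower(), word.capitalize(), word.upper()}
    bases |= {b.translate(LEET) for b in list(bases)}
    for base in sorted(bases):
        yield base
        for suffix in list(SUFFIXES) + list(extra_suffixes):
            yield base + suffix


def crack(target_hash: str, wordlist: Iterable[str],
          extra_suffixes: Sequence[str] = ()) -> Tuple[Optional[str], int]:
    """Dictionary attack with mangling rules against one unsalted SHA-1 hash.
    Returns (recovered password or None, number of candidates hashed)."""
    tried = 0
    for word in wordlist:
        for candidate in mangle(word, extra_suffixes):
            tried += 1
            if sha1_hex(candidate) == target_hash:
                return candidate, tried
    return None, tried


# Constructed targets: the post's "should not" examples plus one good passphrase.
TARGETS = ["Grenfell2810", "Gr3nf311", "Socks1", "Lucy90", "Father1950",
           "PASSphrasesarewhatyou#WANT244"]
WORDLIST = ["password", "grenfell", "socks", "lucy", "father", "summer"]  # toy list
LOCAL_TOKENS = ["2810"]  # the town's postcode, which an attacker would add


def run_demo() -> Dict[str, Tuple[Optional[str], int]]:
    """Hash each target, attack the hash, and report what fell and how fast."""
    return {pw: crack(sha1_hex(pw), WORDLIST, LOCAL_TOKENS) for pw in TARGETS}


if __name__ == "__main__":
    for pw, (recovered, tried) in run_demo().items():
        status = "CRACKED" if recovered else "survived"
        print(f"{pw:32} {status:8} after {tried} guesses")
```

Every one of the "should not" examples is recovered after at most a few thousand guesses, which on a graphics card is far less than a millisecond of work; the multi-word passphrase is never produced by any rule and survives the whole run. Adding 2810 to the suffix list is the kind of targeting an attacker does for free once they know where their victims live.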

I hope these hints help you to create better and more secure passwords!


For more password tips check out our other blog posts on Password Security and Creating Strong Passphrases using Diceware.