We have recently introduced an additional security check which is done every time that you log into PPO as well as when you change your password. The check involves comparing your password, in a secure manner, against known weak and/or breached passwords. If we detect that you are using a weak or breached password we will guide you through the process to change your password.
You see the message when you try to change your password
When you try to change your password and the new password that you provide is considered weak or breached, you will see a message similar to the one shown below.
Simply type in your old password again, choose a stronger new password and click on the "Change" button again.
You see the message when you log in
If you attempt to log into PPO and we detect that you have a weak or breached password we will show you a message as below.
You then simply click on the "Forgot your password?" link on the bottom right of the form and provide your user name and e-mail address. If the user account and email address matches what we have on record, a temporary password will then be generated and sent to the email address provided.
Once you login with the temporary password that we sent to you, you will then be asked to change the temporary password to one that you provide. Note that you will not be allowed to change your password to one that is considered to be weak.
How do you know my password is weak or breached?
When you login or change your password, we hash your password and check the pre-fix against a corpus of known breached passwords. This is done using an algorithm called k-anonymity which allows us to do the check without divulging your actual password or any other information. The fact that your password is included in this corpus does not necessarily mean that you were the victim of a data breach, only that the password that you use was previously breached.
What should I do?
Firstly, you should follow the process for changing your PPO password. More importantly, if you are using the same password for other online services, you should change the password on those as well. We also encourage you to visit the Have I Been Pwned? website which will let you see in which data breaches the specific password was found. You can also search by e-mail address here. We also encourage you to use a password manager such as LastPass or 1Password to generate secure, unique passwords for every site that you visit. You should however check with your IT department first to find out if there are any policies within your organisation.
Does this mean that PPO has been hacked or breached?
No, it does not. People tend to re-use passwords across different sites, which means that if one site on which you used a particular password is breached, all sites where you use that same password are also vulnerable. The same is true when you use a very common or weak password. If you want to see in which particular data breach your password was found, you can check it on the web site links provided above.
Why are we doing this?
We have implemented this as a counter-measure against so-called "credential stuffing" attacks. This is where an attacker uses credentials compromised in a data breach against other services where a user may have re-used the same credentials. We feel that by providing our users with this check we are alerting them to the fact that they are using a potentially compromised password.
This type of check is also in line with the latest NIST recommendations and although not yet widely implemented, is being introduced by more and more service providers.