We have recently introduced an additional security check which is done every time that you log into PPO as well as when you change your password. The check involves comparing your password, in a secure manner, against known weak and/or breached passwords. If we detect that you are using a weak or breached password we will guide you through the process to change your password.
You see the message when you try to change your password
When you try to change your password and the new password that you provide is considered weak or breached, you will see a message similar to the one shown below.
Simply type in your old password again, choose a stronger new password and click on the "Change" button again.
You see the message when you log in
If you attempt to log into PPO and we detect that you have a weak or breached password we will show you a message to that effect and advise you that an e-mail has been sent to your registered e-mail address with further instructions. When you receive the e-mail, it will contain a link which we will use to verify your identity and allow you to change your password. If you do not receive an e-mail within a couple of minutes, check your junk mail folder or alternatively contact your PPO administrator.
How do you know my password is weak or breached?
When you log in or change your password, we hash your password and check only a prefix of that hash against a corpus of known breached passwords. This is done using a technique called k-anonymity, which allows the check to be made without divulging your actual password or any other information. The fact that your password is included in this corpus does not necessarily mean that you were the victim of a data breach, only that the password you use has appeared in a previous breach.
What should I do?
Firstly, you should follow the process for changing your PPO password. More importantly, if you are using the same password for other online services, you should change the password on those as well. We encourage you to visit the Have I Been Pwned? website, which will let you see in which data breaches the specific password was found. You can also search by e-mail address here. We further encourage you to use a password manager such as LastPass or 1Password to generate secure, unique passwords for every site that you visit. You should, however, check with your IT department first to find out whether there are any policies within your organisation.
Does this mean that PPO has been hacked or breached?
No, it does not. People tend to re-use passwords across different sites, which means that if one site on which you used a particular password is breached, every site where you use that same password is also vulnerable. The same is true when you use a very common or weak password. If you want to see in which particular data breach your password was found, you can check it on the website links provided above.
Why are we doing this?
We have implemented this as a counter-measure against so-called "credential stuffing" attacks, in which an attacker uses credentials compromised in a data breach against other services. In the case of PPO the risk of this is mitigated by the fact that PPO is not a mass-market consumer service. We nevertheless feel that by providing our users with this check, we are alerting them to the fact that they are using a potentially compromised password.
This type of check is also in line with the latest NIST recommendations and, although not yet widely implemented, is being introduced by more and more service providers.