After a massive data breach exposed at least 6 million Louisiana Office of Motor Vehicles records, state officials are recommending anyone who holds a Louisiana driver’s license change all of their passwords.
The state’s recommendation is precautionary, Governor’s Office of Homeland Security and Emergency Preparedness Director Case Tingle said Friday. And it’s a huge undertaking for most people.
But some digital security experts recommend taking a hard look at password security after the personal information of millions of Louisianans, including Social Security number and driver’s license data, was exposed on the internet.
Why should you change your passwords?
The personal information exposed in the OMV hack has the potential to arm someone with everything they need to access an online account except for the password, said Abe Baggili, an LSU professor and cybersecurity expert.
Many online services ask users to fill out security questions about personal details as a way to confirm someone’s identity during a password reset. The OMV breach exposed enough information that a hacker could now answer those questions or figure out the answers, Baggili said.
A hacker with access to the leaked personal information could also craft an extremely sophisticated phishing email in an attempt to steal usernames, passwords, credit card numbers and other data, Baggili said.
“You fall victim to this because it looks super legitimate, it looks like it’s coming from the right place and it looks like they have enough information about you to make it believable that they know who you are,” Baggili said.
The OMV hack has not exposed Louisianan’s personal passwords, and the state’s recommendation may be “overkill,” said Andrew Wolfe, a computer science professor at Loyola University. But residents should consider at least changing passwords for state websites, Wolfe added.
How should you change your passwords?
Regardless of the hack, some cybersecurity experts recommend taking steps to strengthen password security. A solution is fairly simple and is something people should probably already be doing, Baggili said.
“We live in an age where at this point and time a password manager is essential,” Baggili said.
Password managers secure all your passwords in one place, can alert you if a password has been leaked anywhere online and can allow you to quickly and easily change passwords to be more secure. Many internet browsers offer password managers built in to the browser, but a dedicated, separate password manager is considered more secure.
The Cybersecurity and Infrastructure Security Agency, an arm of the U.S. Department of Homeland Security tasked with guarding against cyberattacks, also recommends the use of password managers, calling them the easiest way to create a store unique passwords.
Password managers also make it easier to avoid the cybersecurity taboo of duplicating passwords across multiple websites by generating unique passwords for each account, according to the agency.
Once passwords are changed, Louisianans should also turn on two-factor authentication for any password-protected account that offers it, Baggili said.
Two-factor authentication can block a hack attempt even if the hacker already has the password for the account, Baggili said.