More than 250 customers of a popular and powerful online attack-for-hire service that was dismantled by authorities in 2018 are expected to face legal action for the damage they caused, according to Europol, the European Union’s law enforcement agency.

In April 2018, investigators in the U.S., U.K. and the Netherlands took down attack-for-hire service WebStresser[.]org and arrested its alleged administrators. Prior to the takedown, the service had more than 151,000 registered users and was responsible for launching some four million attacks over three years. Now, those same authorities are targeting people who paid the service to conduct attacks.

In the United Kingdom, police have seized more than 60 personal electronic devices from a number of Webstresser users, and some 250 customers of the service will soon face legal action, Europol said in a statement released this week.

“Size does not matter – all levels of users are under the radar of law enforcement, be it a gamer booting out the competition out of a game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain,” Europol officials warned.

The focus on Webstresser’s customers is the latest phase of “Operation Power Off,” which targeted one of the most active services for launching point-and-click distributed denial-of-service (DDoS) attacks. WebStresser was one of many so-called “booter” or “stresser” services — virtual hired muscle that even completely unskilled users can rent to knock nearly any website or Internet user offline.

Operation Power Off is part of a broader law enforcement effort to disrupt the burgeoning booter service industry and to weaken demand for such services. In December, authorities in the United States filed criminal charges against three men accused of running booter services, and orchestrated a coordinated takedown of 15 different booter sites.

The takedowns come as courts in the United States and Europe are beginning to hand down serious punishment for booter service operators, their customers, and for those convicted of launching large-scale DDoS attacks. Last month, a 34-year-old Connecticut man received a 10-year prison sentence for carrying out DDoS attacks a number of hospitals in 2014. Also last month, a 30-year-old in the United Kingdom was sentenced to 32 months in jail for using an army of hacked devices to crash large portions of Liberia’s Internet access in 2016.

In December 2018, the ringleader of an online crime group that launched DDoS attacks against Web sites — including several against KrebsOnSecurity — was sentenced to three years in a U.K. prison. And in 2017, a 20-year-old from Britain was sentenced to two years in jail for renting out Titanium Stresser, a booter service that earned him $300,000 over several years it was in operation.

Many in the hacker community have criticized authorities for targeting booter service administrators and users and for not pursuing what they perceive as more serious cybercriminals, noting that the vast majority of both groups are young men under the age of 21 and are using booter services to settle petty disputes over online games.

But not all countries involved in Operation Power Off are taking such a punitive approach. In the Netherlands, the police and the prosecutor’s office have deployed new legal intervention called “Hack_Right,” a diversion program intended for first-time cyber offenders. Europol says at least one user of Webstresser has already received this alternative sanction.

“Skills in coding, gaming, computer programming, cyber security or anything IT-related are in high demand and there are many careers and opportunities available to use these wisely,” Europol said.

According to U.S. federal prosecutors, the use of booter and stresser services to conduct attacks is punishable under both wire fraud laws and the Computer Fraud and Abuse Act (18 U.S.C. § 1030), and may result in arrest and prosecution, the seizure of computers or other electronics, as well as prison sentences and a penalty or fine.

The U.S. Justice Department has filed criminal charges against three U.S. men accused of swatting, or making hoax reports of bomb threats or murders in a bid to trigger a heavily armed police response to a target’s address. Investigators say the men, aged 19 to 23, all carried out the attacks with the help of Tyler Barriss, a convicted serial swatter whose last stunt in late 2018 cost an Oklahoma man his life.

FBI agents on Wednesday arrested Neal Patel, 23, of Des Plaines, Ill. and Tyler Stewart, 19 of Gulf Breeze, Fla. The third defendant, Logan Patten, 19, of Greenwood, Mo., agreed to turn himself in. The men are charged in three separate indictments with conspiracy and conveying false information about the use of explosive devices.

Investigators say Patten, who used the Twitter handle “@spared,” hired Barriss in December 2017 to swat individuals and a high school in Less’s Summit, Mo.

Around the same time, Stewart, a.k.a. “@tragic” on Twitter, allegedly worked with Barriss to make two phony bomb threats to evacuate a high school in Gurnee, Ill. In that incident, Barriss admitted telling police in Gurnee he had left explosives in a classroom and was high on methamphetamine and was thinking about shooting teachers and students.

Also in December 2017, Patel allegedly worked with Barriss to plan a bomb threat targeting a video game convention in Dallas, Texas. Patel is also accused of using stolen credit cards to buy items of clothing for Barriss.

The Justice Department’s media release on the indictments doesn’t specify which convention Barriss and Patel allegedly swatted, but a Wired story from last year tied Barriss to a similarly timed bomb threat that caused the evacuation of a major Call of Duty tournament at the Dallas Convention Center.

“When the social media star SoaR Ashtronova tweeted about the confusion she felt as she fled the event beneath the whir of police helicopters, Barriss taunted her from one of his Twitter accounts: ‘It got ran, baby girl. Thats what happens,” Wired reported.

Interestingly, it was a dispute over a $1.50 grudge match in a Call of Duty game that would ultimately lead to Barriss’s final — and fatal — swatting a year later. On Dec. 28, 2018, Barriss phoned police in Wichita, Kan. from his location in California, telling them he was a local man who’d just shot his father and was holding other family members hostage.

Prosecutors say Barriss did so after getting in the middle of a dispute between two Call of Duty gamers, 18-year-old Casey Viner from Ohio and Shane Gaskill, 20, from Wichita. Viner allegedly asked Barriss to swat Gaskill. But when Gaskill noticed Barriss’ Twitter account suddenly following him online, he tried to deflect the attack. Barriss says Gaskill allegedly dared him to go ahead with the swat, but then gave Barriss an old home address — which was then being occupied by someone else.

When Wichita police responded to the address given by Barriss, they shot and killed 28-year-old Andrew Finch, a father of two who had no party to the dispute and did not know any of the three men.

Both Viner and Gaskill have been charged with wire fraud, conspiracy and obstruction of justice. Barriss pleaded guilty in Nov. 2018 to a total of 51 charges brought by federal prosecutors in Los Angeles, Kansas and Washington, D.C. He has agreed to serve a sentence of between 20 to 25 years in prison. Barrris is slated to be sentenced on March 1, 2019.

Stewart’s attorney declined to comment. Lawyers assigned to Patel and Patten could not be reached for comment.

As the victim of a swatting attack in 2013 and several other unsuccessful attempts, I am pleased to see federal authorities continue to take this crime seriously. According to the FBI, each swatting incident costs emergency responders approximately $10,000. Each hoax also unnecessarily endangers the lives of the responders and the public, and draws important resources away from actual emergencies.

The ongoing partial U.S. federal government shutdown is having a tangible, negative impact on cybercrime investigations, according to interviews with federal law enforcement investigators and a report issued this week by a group representing the interests of FBI agents. Even if lawmakers move forward on new proposals to reopen the government, sources say the standoff is likely to have serious repercussions for federal law enforcement agencies for years to come.

One federal agent with more than 20 years on the job told KrebsOnSecurity the shutdown “is crushing our ability to take the fight to cyber criminals.”

“The talent drain after this is finally resolved will cost us five years,” said the source, who asked to remain anonymous because he was not authorized to speak to the news media. “Literally everyone I know who is able to retire or can find work in the private sector is actively looking, and the smart private companies are aware and actively recruiting. As a nation, we are much less safe from a cyber security posture than we were a month ago.”

The source said his agency can’t even get agents and analysts the higher clearances needed for sensitive cases because everyone who does the clearance processing is furloughed.

“Investigators who are eligible to retire or who simply wish to walk away from their job aren’t retiring or quitting now because they can’t even be processed out due to furlough of the organization’s human resources people,” the source said. “These are criminal investigations involving national security. It’s also a giant distraction and people aren’t as focused.”

The source’s comments echoed some of the points made in a 72-page report (PDF) released this week by the FBI Agents Association, a group that advocates on behalf of active and retired FBI special agents.

“Today we have no funds for making Confidential Human Source payments,” reads a quote from the FBIAA report, attributed to an agent in the FBI’s northeast region. “In my situation, I have two sources that support our national security cyber mission that no longer have funding. They are critical sources providing tripwires and intelligence that protect the United States against our foreign adversaries. The loss in productivity and pertinent intelligence is immeasurable.”

My federal law enforcement source mentioned his agency also was unable to pay confidential informants for their help with ongoing investigations.

“We are having the same problems like not being able to pay informants, no travel, critical case coordination meetings postponed, and no procurements to further the mission,” the source said.

The extended shutdown directly affects more than 800,000 workers, many of them furloughed or required to work without pay. Some federal employees, now missing at least two back-to-back paychecks, are having trouble keeping food on the table. CNN reports that FBI field offices across the country are opening food banks to help support special agents and staff struggling without pay.

An extended lack of pay is forcing many agents to seek side hustles and jobs, despite rules that seek to restrict such activity, according to media reports. Missing multiple paychecks also can force investigators to take on additional debt. This is potentially troublesome because excess debt down the road can lead to problems keeping one’s security clearances.

Excessive debt is a threat to clearances because it can make people more susceptible to being drawn into illegal activities or taking bribes for money, which in turn may leave them vulnerable to extortion. Indeed, this story from Clearancejobs.com observes that the shutdown may be inadvertently creating new recruiting opportunities for foreign intelligence operatives.

“If you are a hostile intelligence service human intelligence (HUMINT) targeting officer you are hoping this situation lasts a long time and has a multitude of unintended consequences affecting the cleared government employee population,” writes Christopher Burgess.

The shutdown may impact government and civilian cybersecurity efforts in other ways. As Brian Fung reported last week at The Washington Post, a rising number of federal Web sites are falling into disrepair, making it harder for Americans to access online services.

“In the past week, the number of outdated Web security certificates held by U.S. government agencies has exploded from about 80 to more than 130, according to Netcraft, an Internet security firm based in Britain,” Fung wrote.

Alex Stamos, former chief security officer at Facebook, said this creates problems for people trying to access key documents at government Web sites because the world’s dominant browser — Google Chrome — heavily discourages users from even visiting sites with expired security certificates.

But Stamos says he’s far more concerned about who’s maintaining, monitoring and safeguarding the countless Internet servers and other government online assets during the shutdown.

“What worries me more is what this indicates for the fact that there’s not standard maintenance going on,” Stamos said in this week’s episode of security journalist Patrick Gray‘s “Risky Business” podcast. “We’ve gone through a Patch Tuesday since the government shut down. Who is actually maintaining the systems, who is sitting in the SOCs [security operations centers], who’s looking at the logs? Even if you have critical cybersecurity people at NSA or Cyber Command working, there’s a lot of importance in having people show up for their jobs.”

U.S. Senate leaders are now planning to hold competing votes on Thursday in a bid to end the shutdown, but a story Wednesday in The New York Times reckons that neither measure is expected to draw the 60 votes required to advance.

“You hear [New England Patriots football coach Bill] Belichick and other coaches constantly preaching about leaving distractions outside the locker room,” said the federal law enforcement source who spoke with this author. “Can’t think of many bigger distractions like not getting paid, damaging credit scores, not being able to pay bills, and losing supplemental insurance. We just wish our national leaders would listen to another Belichick gem: ‘Do Your Job.'”

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

In July 2018, email users around the world began complaining of receiving spam which began with a password the recipient used at some point in the past and threatened to release embarrassing videos of the recipient unless a bitcoin ransom was paid. On December 13, 2018, a similarly large spam campaign was blasted out, threatening that someone had planted bombs within the recipient’s building that would be detonated unless a hefty bitcoin ransom was paid by the end of the business day.

Experts at Cisco Talos and other security firms quickly drew parallels between the two mass spam campaigns, pointing to a significant overlap in Russia-based Internet addresses used to send the junk emails. Yet one aspect of these seemingly related campaigns that has been largely overlooked is the degree to which each achieved an unusually high rate of delivery to recipients.

Large-scale spam campaigns often are conducted using newly-registered or hacked email addresses, and/or throwaway domains. The trouble is, spam sent from these assets is trivial to block because anti-spam and security systems tend to discard or mark as spam any messages that appear to come from addresses which have no known history or reputation attached to them.

However, in both the sextortion and bomb threat spam campaigns, the vast majority of the email was being sent through Web site names that had already existed for some time, and indeed even had a trusted reputation. Not only that, new research shows many of these domains were registered long ago and are still owned by dozens of Fortune 500 and Fortune 1000 companies. 

That’s according to Ron Guilmette, a dogged anti-spam researcher. Researching the history and reputation of thousands of Web site names used in each of the extortionist spam campaigns, Guilmette made a startling discovery: Virtually all of them had at one time been registered via GoDaddy.com, a Scottsdale, Ariz. based domain name registrar and hosting provider.

Guilmette told KrebsOnSecurity he initially considered the possibility that GoDaddy had been hacked, or that thousands of the registrar’s customers perhaps had their GoDaddy usernames and passwords stolen.

But as he began digging deeper, Guilmette came to the conclusion that the spammers were exploiting an obscure — albeit widespread — weakness among hosting companies, cloud providers and domain registrars that was first publicly detailed in 2016.

EARLY WARNING SIGNS

In August 2016, security researcher Matthew Bryant wrote about spammers exploiting a security vulnerability to hijack some 20,000 established domain names to blast out junk email. A few months later, Bryant documented the same technique being used to take over more than 120,000 trusted domains for spam campaigns. And Guilmette says he now believes the attack method detailed by Bryant also explains what’s going on in the more recent sextortion and bomb threat spams.

Grasping the true breadth of Bryant’s prescient discovery requires a brief and simplified primer on how Web sites work. Your Web browser knows how to find a Web site name like example.com thanks to the global Domain Name System (DNS), which serves as a kind of phone book for the Internet by translating human-friendly Web site names (example.com) into numeric Internet address that are easier for computers to manage.

When someone wants to register a domain at a registrar like GoDaddy, the registrar will typically provide two sets of DNS records that the customer then needs to assign to his domain. Those records are crucial because they allow Web browsers to figure out the Internet address of the hosting provider that’s serving that Web site domain. Like many other registrars, GoDaddy lets new customers use their managed DNS services for free for a period of time (in GoDaddy’s case it’s 30 days), after which time customers must pay for the service.

The crux of Bryant’s discovery was that the spammers in those 2016 campaigns learned that countless hosting firms and registrars would allow anyone to add a domain to their account without ever validating that the person requesting the change actually owned the domain. Here’s what Bryant wrote about the threat back in 2016:

“In addition to the hijacked domains often having past history and a long age, they also have WHOIS information which points to real people unrelated to the person carrying out the attack. Now if an attacker launches a malware campaign using these domains, it will be harder to pinpoint who/what is carrying out the attack since the domains would all appear to be just regular domains with no observable pattern other than the fact that they all use cloud DNS. It’s an attacker’s dream, troublesome attribution and an endless number of names to use for malicious campaigns.”

SAY WHAT?

For a more concrete example of what’s going on here, we’ll look at just one of the 4,000+ domains that Guilmette found were used in the Dec. 13, 2018 bomb threat hoax. Virtualfirefox.com is a domain registered via GoDaddy in 2013 and currently owned by The Mozilla Corporation, a wholly owned subsidiary of the Mozilla Foundation — the makers of the popular Firefox Web browser.

The domain’s registration has been renewed each year since its inception, but the domain itself has sat dormant for some time. When it was initially set up, it took advantage of two managed DNS servers assigned to it by GoDaddy — ns17.domaincontrol.com, and ns18.domaincontrol.com.

GoDaddy is a massive hosting provider, and it has more than 100 such DNS servers to serve the needs of its clients. To hijack this domain, the attackers in the December 2018 spam campaign needed only to have created a free account at GoDaddy that was assigned the exact same DNS servers handed out to Virtualfirefox.com (ns17.domaincontrol.com and ns18.domaincontrol.com). After that, the attackers simply claim ownership over the domain, and tell GoDaddy to route all traffic for that domain to an Internet address they control.

Mozilla spokesperson Ellen Canale said Mozilla took ownership of virtualfirefox.com in September 2017 after a trademark dispute, but that the DNS nameserver for the record was not reset until January of 2019.

“This oversight created a state where the DNS pointed to a server controlled by a third party, leaving it vulnerable to misuse,” Canale said. “We’ve reviewed the configuration of both our registrar and nameservers and have found no indication of misuse. In addition to addressing the immediate problem, we have reviewed the entire catalog of properties we own to ensure they are properly configured.”

According to both Guilmette and Bryant, this type of hijack is possible because GoDaddy — like many other managed DNS providers — does little to check whether someone with an existing account (free or otherwise) who is claiming ownership over a given domain actually controls that domain name.

Contacted by KrebsOnSecurity, GoDaddy acknowledged the authentication weakness documented by Guilmette.

“After investigating the matter, our team confirmed that a threat actor(s) abused our DNS setup process,” the company said in an emailed statement.

“We’ve identified a fix and are taking corrective action immediately,” the statement continued. “While those responsible were able to create DNS entries on dormant domains, at no time did account ownership change nor was customer information exposed.”

SPAMMY BEAR

Guilmette has dubbed the criminals responsible as “Spammy Bear” because the majority of the hijacked domains used in the spam campaigns traced back to Internet addresses in Russia.

In the case of Mozilla’s Virtualfirefox.com domain, historic DNS records archived by Farsight Security show that indeed on Dec. 13, 2018 — the very same day that spammers began blasting out their bomb threat demands — the Internet address in the domain’s DNS records at GoDaddy were changed to 194.58.58[.]70, a server in the Russian Federation owned by a hosting company there called Reg.ru.

In fact, Guilmette found that that at least 3,500 of the commandeered domains traced back to Reg.ru and to a handful of other hosting firms in Russia. The next largest collection of fraudulently altered Internet addresses were assigned to hosting providers in the United States (456), although some of those providers (e.g. Webzilla/WZ Communications) have strong ties to Russia. The full list of Internet addresses is available here.

Guilmette’s sleuthing on the 4,000+ domains abused in both 2018 spam campaigns, combined with data from Farsight, suggest the spammers hijacked domains belonging to a staggering number of recognizable corporations who registered domains at GoDaddy, including but not limited to:

Abbott Laboratories; Ancestry.com; Autodesk; Capital One; CVS Pharmacy; SSL provider Digicert; Dow Chemical; credit card processors Elavon and Electronic Merchant Systems; Fair Isaac Corp.; Facebook; Gap (Apparel) Inc; Fifth Third Bancorp; Hearst Communications; Hilton Interntional; ING Bank; the Massachusetts Institute of Technology (MIT); McDonalds Corp.; NBC Universal Media; NRG Energy; Oath, Inc (a.k.a Yahoo + AOL); Oracle; Tesla Motors; Time Warner; US Bank; US Steel Corp.; National Association; Viacom International; and Walgreens.

In an interview with KrebsOnSecurity, Bryant said the domain hijacking technique can be a powerful tool in the hands of spammers and scammers, who can use domains associated with these companies not only to get their missives past junk and malware filters, but also to make phishing and malware lures far more believable and effective.

“This is extremely advantageous to attackers because they don’t have to pay any money to set it all up, and there’s a strong reputation attached to the domain they’re sending from,” Bryant said. “A lot of services will flag email from unknown domains as high risk, but the domains being hijacked by these guys have a good history and reputation behind them. This method also probably greatly complicates any sort of investigatory efforts after the spam campaign is over.”

WHAT CAN BE DONE?

Guilmette said managed DNS providers can add an extra layer of validation to DNS change requests, checking to see if a given domain already has DNS servers assigned to the domain before processing the request. Providers could nullify the threat by simply choosing a different pair of DNS servers to assign to the request. The same validation process would work similarly at other managed DNS providers.

“As long as they’re different, that ruins this attack for the spammers,” Guilmette said. “The spammers want the DNS servers to be the same ones that were already there when the domain was first set up, because without that they can’t pull of this hack. All GoDaddy has to do is see if this particularly odd set of circumstances apply in each request.”

Bryant said after he published his initial research in 2016, a number of managed DNS providers mentioned in his blog posts said they’d taken steps to blunt the threat, including Amazon Web Services (AWS), hosting provider Digital Ocean, and Google Cloud. But he suspects this is still a “fairly common” weakness and hosting providers and registrars, and many providers simply aren’t convinced of the need to add this extra precaution.

“A lot of the providers are of the opinion that it’s down to a user mistake and not a vulnerability they should have to fix,” he said. “But it’s clearly still a big problem.”

Update, 10:38 p.m.: An earlier version of this story stated that Guilmette had identified more than 5,000 domains associated with the Spammy Bear campaigns. The true number is closer to 4,000. The discrepancy was my mistake and due to a formatting error in a spreadsheet.

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it “the largest collection ever of breached data found.” But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled “Collection #1” and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely “made up of many different individual data breaches from literally thousands of different sources.”

KrebsOnSecurity sought perspective on this discovery from Alex Holden, CTO of Hold Security, a company that specializes in trawling underground spaces for intelligence about malicious actors and their stolen data dumps. Holden said the data appears to have first been posted to underground forums in October 2018, and that it is just a subset of a much larger tranche of passwords being peddled by a shadowy seller online.

Here’s a screenshot of a subset of that seller’s current offerings, which total almost 1 Terabyte of stolen and hacked passwords:

As we can see above, Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — “Sanixer.” So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his “freshest” offering. Rather, he sort of steered me away from that archive, suggested that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which he said are not all pictured in the above screen shot and total more than 4 terabytes in size, are less than a year old, Sanixer explained.

By way of explaining the provenance of Collection #1, Sanixer said it was a mix of “dumps and leaked bases,” and then he offered an interesting screen shot of his additional collections. Click on the image below and notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1.

Holden said the habit of collecting large amounts of credentials and posting it online is not new at all, and that the data is far more useful for things like phishing, blackmail and other indirect attacks — as opposed to plundering inboxes. Holden added that his company had already derived 99 percent of the data in Collection #1 from other sources.

“It was popularized several years ago by Russian hackers on various Dark Web forums,” he said. “Because the data is gathered from a number of breaches, typically older data, it does not present a direct danger to the general user community. Its sheer volume is impressive, yet, by account of many hackers the data is not greatly useful.”

A core reason so many accounts get compromised is that far too many people have the nasty habit(s) of choosing poor passwords, re-using passwords and email addresses across multiple sites, and not taking advantage of multi-factor authentication options when they are available.

If this Collection #1 has you spooked, changing your password(s) certainly can’t hurt — unless of course you’re in the habit of re-using passwords. Please don’t do that. As we can see from the offering above, your password is probably worth way more to you than it is to cybercriminals (in the case of Collection #1, just .000002 cents per password).

For most of us, by far the most important passwords are those protecting our email inbox(es). That’s because in nearly all cases, the person who is in control of that email address can reset the password of any services or accounts tied to that email address – merely by requesting a password reset link via email. For more on this dynamic, please see The Value of a Hacked Email Account.

And instead of thinking about passwords, consider using unique, lengthy passphrases — collections of words in an order you can remember — when a site allows it. In general, a long, unique passphrase takes for more effort to crack than a short, complex one. Unfortunately, many sites do not let users choose passwords or passphrases that exceed a small number of characters, or they will otherwise allow long passphrases but ignore anything entered after the character limit is reached.

If you are the type of person who likes to re-use passwords, then you definitely need to be using a password manager, which helps you pick and remember strong and unique passwords/passphrases and essentially lets you use the same strong master password/passphrase across all Web sites.

Finally, if you haven’t done so lately, mosey on over to twofactorauth.org and see if you are taking full advantage of multi-factor authentication at sites you trust with your data. The beauty of multi-factor is that even if thieves manage to guess or steal your password just because they hacked some Web site, that password will be useless to them unless they can also compromise that second factor — be it your mobile device or security key.