Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
God fucking dammit, I fucking hate seeing people self-censor themselves on the internet.
Possibly related question. Lately I’ve been getting email ‘replies’ from various businesses and services (all over the country, USA) all about an ‘inquiry’ that I never made. Apparently someone just got my email address and is using that for – what? A couple questions:
** What is that someone up to, why doing that?
** Should I do something about that?
** What could I do? Don’t want to change email address.
That’s just your email address being sold by information brokers. Not illegal, not a reason to change your email address. Block, delete & move on.
Probably unrelated, domain spoofing is common, but misconfigured mail servers will accept those emails and process auto replies. They can also abuse input forms to try and send out emails, but that typically does not have much control over content.
If you are getting more emails than you can deal with, that can be used to try and mask other emails by burying them in a large email volume. In that case you should be looking for emails from important accounts you do own (eg banking.)
I got this email a few days ago. I don’t even know who these people are and why they have my details. But I’ve had to change my Google account passwords anyway.
Why did you censor yourself in the title?
They’ll censor “fucking”, but still use the Lord’s name in vain. smh.
Who cares about your invented god? Let people speak however they want
Pratchett fan
-ing hell, is it?
Probably because they primarily live in a censorship world, be it digital or in-person, and change is difficult for most people.
No one gave you the memo?
You’re allowed to swear on the internet as long as you’re not one of the weird instances.
what ******* memo?
This is why my password is hunter2, no one can see what it says under the asterix.
for anyone who doesn’t get the reference, it’s an ancient Bash chatlog: https://knowyourmeme.com/memes/hunter2

(it’s asterisk)
For me, if this happens, it has no impact since almost every page I sign up to has a unique password. The most important ones have MFA as well.
Use a password manager. Simple.
I use a password manager in my personal life but my job doesn’t allow it so I have to keep the 10 or so passwords I have for various vendor sites in my notes. All my passwords are the same thing with slight variations to meet the different asinine password policies the different sites use. It’s fucking stupid but I don’t care if they’re not going to give me a good way to keep all this shit straight.
Totally fair. I also don’t care if the company blocks things I need to do it right.
1Password and Bitwarden both work across multiple devices, OSes and browsers. Work uses 1Password which I have on my work computer and work phone. I use Bitwarden across home desktop, laptop, phone, homelab, testing phones.
How unique do passwords have to be in order to be considered safe? If they follow a pattern are they still safe or do these bots try alterations to the leaked passwords as well?
Like if your password to Reddit was reddit1234 and your password to Google was google1234, if the Reddit password leaked is your Google one still okay?
Probably not if it’s a human but bots shouldn’t be able to figure that out ya?
They are completely random strings for each site, so having one will not help crack the other.
But if people pick their own passwords, it tends to be some word like you wrote, and then a hacker could try and crack the others by guessing similar words.
That would be great if I only used one browser on one device with one operating system. Between my work laptop, my Macbook, my phone, and my gaming PC nothing syncs and it’s very difficult to share storage between all of them.
You can install Bitwarden on all those devices. Maybe I’m not fully understanding…
I also don’t use just one computer and platform.
Yeah, just tell your work IT staff that you need admin rights to your workstation so you can “install the software you want to” (that they don’t supply or support or update).
See how well that works. /s
Ah right. Sorry, I just always used Linux with admin rights since I work in IT.
Didn’t mean to offend you (or anyone else).
I work in IT too (Windows) and have admin rights on my workstation. Even though I have the power to install any software, it’s against policy to do so (and technically that’s a good policy).
Also, I don’t like the idea of anyone/anything but me having my passwords. I go with 2FA if something is important/certified based 2FA if it’s really important.
I share my Bitwarden account among 4 browser profiles on 2 PCs.
I don’t think anyone just uses one device anymore, pretty sure there are workarounds.
Same, but I do have some level of worry regarding portability. My solution isn’t local or self hosted, as I was looking for easy and works across Linux/Windows/Mac/Android/iOS. I do not look forward to needing to change to a new password manager in the future, but given the way everything seems to be going it seems likely that I’ll have to at some point.
It takes a little more effort to set up, but the alternative to syncing a local keystore db like KeePassXC would be vaultwarden, which is a self hosted open source Bitwarden server that gives you all the features of Bitwarden and has full compatibility with all the clients.
Spinning it up is actually very easy, you just have to decide if you want to integrate SSL via a reverse proxy setup or just use the builtin webserver for HTTPS.
Right answer. In fact, the only viable answer.
I think it’s almost a crime that browsers haven’t evolved to make users generate unique, secure passwords by default. It’s just another huge sign that these browser companies don’t care about security or privacy, despite their marketing department babbling those words.
I don’t think there has been any evolution at all in this area. Browsers can save passwords but they don’t help the user generate secure, unique ones, and don’t encourage users to have separate accounts. Instead the web is trying to make users use something like Google or Facebook logins, so they are completely dependent on those tech companies.
Firefox generates random passwords for you by default. You have to disable it in the settings if you want to use another password manager besides Firefox’s built in one.
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
And an email alias.
I hate how many places don’t allow for + aliases. I want to know who leaked my email.
I use my own domain with a catchall, works like a charm
At the same time, it is trivially easy to strip a + alias, so I’d not trust it to do anything much at all.
If you use aliases for all services, it makes it slightly harder to automate trying one leaked email on another site, since the hacker needs to add the new alias on the other service.
No one is going through all of these credentials manually, so any extra obscurity can actually bring you security in a pinch. Although if you have different passwords this shouldn’t matter much…
No, you just run a simple Regex on both combolists and are done. It literally takes seconds
Even if your alias is leaked they can remove the + part and it’ll lead to your original email without aliases. They probably do some data formatting on emails to not get caught so easily and obviously.
+aliases are convenience aliases only. They are often stripped from ID datasets. Better to use a real alias. No + required. There are hundreds of companies offering aliases using their shared domain. You can also just generate a temporary email address if you don’t require any ongoing communication and the account is not super important.
Also 2FA. You’ll still want to change passwords but it buys you time.
Don’t forget unique email addresses. I’ve had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I’m pretty sure was the company selling my data). I can block those addresses and move on with my life.
My old email address from before I started doing this still receives 10+ spam emails a day.
I’ve started using {emailaddress}+{sitename}@gmail.com i.e. myemail+xyzCompany@gmail.com
That way I can at least see who sold my info. I wish I would have started doing this long ago though. Some sites don’t let you use the plus symbol even though it’s valid though.
This trick is common enough and trivial to reverse engineer. I can just purge my billion-email-address hacked list of all characters between a + and an @ and have a clean list that is untraceable with your system.
Right? Has this ever worked for anyone? I’ve never bothered because of how easy it is for spammers to bypass.
Spammers go for the easiest targets. If you do stuff like this, they might redesign their system to make it LESS likely to send to you. Keep in mind they’re targeting the elderly, mentally handicapped, and the emotionally desperate. They specifically DO NOT want to target the educated, technologically literate, and those that will waste their time. By attempting to technologically limit them from their scams, you make it more difficult for them to target you and it makes it obvious they’re not worth your time.
It’s not about making yourself scam proof, it’s about making yourself an unappealing target.
(This all applies to scam emails, dunno if it has any effect if the goal is phishing but I would imagine so. If they can phish 5 people in the time it takes to phish you, you’re no longer their target.)
Edit: this is why scam emails look obviously scammy, with misspelled words and grammatical errors. It’s not a mistake, it’s an attempt to preemptively weed out people who want to waste their time.
I use a “password pattern”: rather than remembering all the passwords, I just remember a rule I have for how passwords are done. There are some numbers and letters that change depending on what the service is, so every password is unique and I can easily remember all of them as long as I remember the rules I put in place.
So when someone figures out your rule he has all the passwords
That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.
What’s more likely, a password manager gets a breach, or someone targets only me and manages to find out multiple passwords across multiple services, cross-compares them and works out what the random numbers and letters mean…
I don’t know your rule, but when I hear this, usually it includes the name of the service or something, so a script kiddie armed with a Levenshtein distance algo could probably detect it.
That said, the “safer than the person next to you” rule applies here. You’re probably far enough down that list to not matter.
As for password manager breaches, the impact really depends on what data the password manager stores. If all decryption is done client-side and the server never gets the password, an attacker would need to break your password regardless. That’s how Bitwarden works, so the only things a breach could reveal are my email, encrypted data, and any extra info I provided, like payment info. The most likely attack would need to compromise one of the clients. That’s possible, but requires a bit more effort than a database dump.
I was thinking about this earlier. The password manager browser plugin I use (Proton Pass) defaults to staying unlocked for the entire browser session. If someone physically gained access to my PC while my password manager was unlocked, they’d be able to access absolutely every password I have. I changed the behavior to auto-lock and ask for a 6-digit PIN, but I’m guessing it wouldn’t take an impractical amount of time to brute-force a 6-digit PIN.
Before I started using a password manager, I’d use maybe 3-4 passwords for different “risks” (bank, email, shopping, stupid shit that made me sign up, etc). Not really sure if a password manager is better (guess it depends on the “threat” you’re worried about).
Edit: Also on my phone, it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff (or can unlock with fingerprints they have on file).
Yes, it is better. The likelihood that someone will physically access your device is incredibly low, the likelihood that one of the services in your bucket gets leaked and jeopardizes your other accounts is way higher.
I set mine to require my password after a period of time on certain devices (the ones I’m likely to lose), and all of them require it when restarting the browser.
it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff
True, but it’s also highly unlikely that LE will steal your passwords.
My phone requires a PIN after X hours or after a few failed fingerprint attempts, and it’s easy to fail without being sus. In my country, I cannot be forced to reveal a PIN. If I travel to a sketchy country or something, I switch it to a password unlock.
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?
I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than English, can also greatly increase the resistance to dictionary attacks.
your email (to be able to recover your password for the password manager)
If your password manager has a password recovery mechanism, that means your key is stored on the server and would be compromised in a breach. If that’s the case, I highly recommend changing password managers.
The ideal way a password manager works is by having all encryption done client-side and never sending the password to the server. If the server cannot decrypt your password data, neither can an attacker. That’s how my password manager works (Bitwarden), and I highly recommend restricting your options only to password managers with that property.
If you need a backup, write it in a notebook and keep it in a safe. If your house gets broken into, change your password immediately before the thief has a chance to rifle through the stuff they stole. My SO and I have shared passwords to all important credentials, so that’s our backup mechanism.
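The client-side model described in the two comments above (and earlier in the thread: the server only ever receives a value derived from the master password, and a database dump gives an attacker nothing better than guessing that password) can be shown end to end. This is an added example, not code from the thread and not Bitwarden’s implementation; it uses only the Python standard library, so the vault encryption is a toy HMAC-based stream cipher with encrypt-then-MAC standing in for the AES-GCM a real manager would use, and the iteration count is an assumption.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumption: a modern PBKDF2-HMAC-SHA256 work factor


def derive_master_key(password: str, email: str) -> bytes:
    """Client side only: stretch the master password into a 256-bit key.
    The lower-cased email is the salt, so the same password at two accounts
    yields two different keys."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), ITERATIONS, 32)


def derive_auth_hash(master_key: bytes, password: str) -> bytes:
    """The only password-derived value the server ever sees: one more PBKDF2
    round over the key, salted by the password. It cannot be turned back into
    master_key, so a dump of it does not unlock the vault."""
    return hashlib.pbkdf2_hmac("sha256", master_key, password.encode(), 1, 32)


def _subkey(master_key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the master key.
    return hmac.new(master_key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (stand-in for AES).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: blob = nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong key or a tampered blob raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(master_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault blob was tampered with or the key is wrong")
    stream = _keystream(_subkey(master_key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, stream))


class VaultServer:
    """Everything the server stores per account: an auth hash and an opaque
    blob. No master password and no master key ever reach it."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        self.accounts[email] = {"auth_hash": auth_hash, "blob": blob}

    def login(self, email: str, auth_hash: bytes) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and hmac.compare_digest(acct["auth_hash"], auth_hash)

    def breach_dump(self) -> dict:
        # What a database dump would hand an attacker.
        return dict(self.accounts)


def client_setup(server: VaultServer, email: str, password: str, vault_plaintext: bytes) -> bytes:
    """Derive the key locally, upload only the auth hash and the encrypted blob."""
    key = derive_master_key(password, email)
    server.register(email, derive_auth_hash(key, password), encrypt_vault(key, vault_plaintext))
    return key


def attacker_tries(dump: dict, email: str, password_guess: str):
    """With only the dump, the attacker is back to guessing the master password:
    the vault plaintext on a correct guess, None otherwise."""
    key = derive_master_key(password_guess, email)
    try:
        return decrypt_vault(key, dump[email]["blob"])
    except ValueError:
        return None
```

The point to notice is what `breach_dump()` contains: a PBKDF2 output that is useless for decryption, plus ciphertext. A manager that could “recover” your master password would have to keep something invertible on the server, which is exactly the property the comments above warn against.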
You are mostly correct it is length * (possible char values).
See passphrase generator.
https://www.keepersecurity.com/features/passphrase-generator
Correct horse battery staple
That was my sisters name!
And when that password manager gets cracked?
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
LastPass recently, check Addie Lamarr’s channel on YouTube.
LastPass is the maximum shit. They got hacked like 3 times in a year and my company‘s password notes got leaked.
We are now with Bitwarden and this was the biggest security hardening measure we have taken.
Yeah, I left LastPass after like 15 years when I came across some news headlines that it had been breached more than once while I was using it O.o
Been a happy user of Bitwarden for a couple years now. I love that little “copy custom field name” function, so I don’t have to go hunting around in the HTML code if a site is using weird field names.
Make sure whatever password manager you use doesn’t store the key on their servers. Bitwarden does this correctly (if you lose your PW, Bitwarden can’t recover it), and I’m sure some competitors do as well. LastPass apparently didn’t.
Which one works on all browsers including mobile safari and mobile Firefox?
Bitwarden has been good for me, but I actually don’t know about safari…
Yes and no; they have their own issues:
https://cybersecuritynews.com/hackers-weaponize-keepass-password-manager/
A password manager is still a good idea, but you have to not use a hacked one. So only download from official sites and repositories. Run everything you download through VirusTotal and your machine’s antivirus if you have one. If it’s a Windows installer check it is properly signed (Windows should warn you if not). Otherwise (or in addition) check installer signatures with GPG. If there’s no signature, check the SHA256 or SHA512 hash against the one published on the official site. Never follow a link in an email, but always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
Doing these things will at least reduce your risk of installing compromised software.
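The hash check from the comment above, done carefully: read the published `SHA256SUMS`/`SHA512SUMS`-style file (the `<hex>  <filename>` lines that `sha256sum` and `sha512sum` emit), pick the algorithm from the digest length, hash the download in chunks, and compare in constant time. This is an added example and not code from the thread or from any password manager project; the installer bytes and checksum file are constructed inline.

```python
import hashlib
import hmac
import os
import tempfile

# Hex digest length -> hashlib algorithm name.
DIGEST_LENGTHS = {64: "sha256", 128: "sha512"}


def parse_checksum_file(text: str) -> dict:
    """Parse `<hex>  <filename>` lines (GNU coreutils format) into
    {filename: hexdigest}. Handles the `*` binary-mode marker and comments."""
    sums = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        sums[name] = digest.lower()
    return sums


def file_digest(path: str, algorithm: str) -> str:
    """Hash a file in 1 MiB chunks so large installers do not load into memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path: str, published_hex: str) -> bool:
    """True only if the file's SHA-256/SHA-512 digest equals the published one."""
    algorithm = DIGEST_LENGTHS.get(len(published_hex))
    if algorithm is None:
        raise ValueError("published value is not a SHA-256 or SHA-512 hex digest")
    return hmac.compare_digest(file_digest(path, algorithm), published_hex.lower())


def verify_against_sums(path: str, sums_text: str) -> bool:
    """Look the file up by basename in the published checksum file and verify it."""
    sums = parse_checksum_file(sums_text)
    name = os.path.basename(path)
    if name not in sums:
        raise KeyError(f"{name} is not listed in the checksum file")
    return verify_download(path, sums[name])


def demo() -> dict:
    """Constructed scenario: a fake installer plus a checksum file that lists
    its real SHA-256 next to a deliberately wrong entry for a second file."""
    data = b"constructed installer bytes, not a real program"
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "manager-setup.exe")
    with open(path, "wb") as f:
        f.write(data)
    sums_text = (
        "# constructed SHA256SUMS\n"
        f"{hashlib.sha256(data).hexdigest()}  manager-setup.exe\n"
        f"{'0' * 64} *other-file.bin\n"
    )
    return {
        "good": verify_against_sums(path, sums_text),
        "tampered": verify_download(path, "f" * 64),
        "listed": sorted(parse_checksum_file(sums_text)),
    }
```

A mismatch should be treated as “do not run it”, not as a prompt to retry the download from a different link.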
I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
I’ve only really been in one breach. This one is actually a breach of a “security firm” (incompetent idiots) who aggregated login data from the dark web themselves, essentially doing the blackhats’ work for them.
This is also EXACTLY why requiring online interactions to be verified with government ID is a terrible idea. Hackers will similarly be able to gain all possible wanted data in a single location. It’s simply too tempting of a target not to shoot for.
If you think you’ve only been in one breach, you’re probably mistaken or very young. I don’t know how many breaches I’ve been involved in, but it’s at least double digits.
I’m American, and my Social Security number has been leaked multiple times. Each time I’ve done everything possible to secure my accounts (random passwords, TOTP 2FA where possible, randomized usernames, etc), yet there’s always a new breach that impacts me.
I’m not too worried though. My important accounts are pretty secure. I use one of the few banks (brokerage actually) that provides proper 2FA. My email and password manager use 2FA. My credit is frozen. Breaches happen, the important thing is to limit the impact of a breach.
You’ve only been in one breach that you know about so far!
Are we supposed to pronounce the two "data"s differently when reading aloud? Asking for a friend…
It’s day-ter not da-ta.
One is like data from Ten Forward.
The first one is like Mister, the second one is like “that, uh…”
Let’s make a master list of all the emails leaked with their passwords, what could go wrong?
That’s not how it works
It’s exactly how it worked. A company called synthient made a master list with all the leaked emails + all leaked passwords. Then they were hacked and it leaked
Synthient wasn’t hacked, as a security company, they aggregated tons of stealer logs dumped to social media, Telegram, etc.
They found 8% of the data collected was not in the HIBP database, confirmed with some of the legitimate owners that the data was real.
They then took that research and shared it with HIBP which is the correct thing to do.
I was also thrown off by the title they gave it when I first saw it, a security company being hacked would be a terrible look. but they explain it in the article. Should probably have named it “list aggregation” or something.
So why does HIBP call it a data breach??? Ultra misleading, almost defamation, everyone including me only reads the headlines
Someone should make a list of all the leaked credentials that got leaked.
I think that’s HIBP basically?
Yeah gotta make sure you never use the same password in multiple places, use a password manager.
Comprised of email addresses and passwords from previous data breaches,
So these are previously “hacked” data, and now the aggregator has been hacked?
The aggregator wasn’t hacked, they essentially hacked the hackers and put together this list. This ain’t a data breach per se, it’s just putting together a bunch of past breaches and patching it up to HIBP.
Proud that my only pwned password is three decades old.
I’ve been “pwned” four times.
None of them due to my end. Every single fucker was a piss poor company security
The thing about this one is no one seems sure of the source (it appears to be from multiple sources, including infostealer malware and phishing attacks), so you don’t know which passwords to change. To be safe you’d have to do all of them.
Some password managers (e.g. Bitwarden) offer an automatic check for whether your actual passwords have been seen in these hack databases, which is a bit more practical than changing hundreds of passwords just in case.
And of course don’t reuse passwords. If you have access to an email masking service you can not only use a different password for every site, but also a different email address. Then hackers can’t even easily connect that it’s your account on different sites.
How do they do that without sending your actual passwords somewhere off your device, or downloading the full list of hacked passwords?
More details about the k-anonymity process. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
The short answer is that they download a partial list of passwords that hash to values starting with the same 5 characters as yours and then check if your password hash is in that list locally. This gives the server very little information about your password if it was not breached and more if it was (but then you should change it anyway), making an elegant compromise
They connect to the Have I Been Pwned database in a secure way.
They make a hash of your password and send just the first characters.
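The range check the last three comments describe, as an added example (not code from the thread, from Bitwarden or from Have I Been Pwned): hash the password locally with SHA-1, send only the first 5 hex characters, and compare the remaining 35 against the returned `SUFFIX:COUNT` lines on the device. The endpoint URL is the real Pwned Passwords range API but is only built as a string here; the range data is a constructed stand-in, with only the suffix for the password `password` being its actual SHA-1.

```python
import hashlib

# Real Pwned Passwords range endpoint; never called here, only formatted.
RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for the API: prefix -> "SUFFIX:COUNT" response body.
# Only the suffix for "password" (SHA-1 5BAA61E4...) is real; the other
# suffixes and every count are made up for the example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:7",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FEDCBA9876543210FEDCBA9876543210FED:1",
    ]),
}


def split_hash(password: str) -> tuple:
    """Hash locally and split into the 5-char prefix that leaves the device
    and the 35-char suffix that never does."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """Everything the server learns: a prefix shared by 1/16^5 of all hashes."""
    prefix, _ = split_hash(password)
    return RANGE_API + prefix


def parse_range_response(text: str) -> dict:
    """Turn the response body into {suffix: breach_count}; blank lines ignored."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Stand-in for an HTTPS GET of RANGE_API + prefix (constructed data)."""
    return FAKE_RANGES.get(prefix, "")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How often the password appears in the corpus (0 = not seen).
    The suffix comparison happens locally, so a non-breached password
    reveals nothing beyond its prefix."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", range_request_url(pw), "seen", pwned_count(pw), "times")
```

Passing `fetch=` lets a real client swap in an HTTPS request without changing the comparison logic; note that a manager doing this for a whole vault is issuing one prefix request per entry, which is why it is cheap enough to run automatically.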
Oh no, some Russian troll farm now knows my favorite color.
Stuffing? Just in time for the holiday season!
moans “stuff me santa”
Santa: “we are skipping that house”
This is the type of unhinged shit I signed up for!