• Troy Hunt: Password reuse, credential stuffing and another billion records in Have I been pwned
    55 replies, posted
[QUOTE]The short version: I'm loading over 1 billion breached accounts into HIBP. These are from 2 different "combo lists", collections of email addresses and passwords from all sorts of different locations. I've verified their accuracy (including my own record in one of them) and many hundreds of millions of the email addresses are not already in HIBP. Because of the nature of the data coming from different places, if you're in there then treat it as a reminder that your data is out there circulating around and that you need to go and get yourself a password manager and create strong, unique passwords. Read on for full details...[/QUOTE] [URL="https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/"]https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/[/URL]
Troy is genuinely god's gift to computer security. Running HIBP for as long as he has is fucking awesome in itself. But his blog is really quite interesting and explains a lot of the issues that cause the leaks he stores. Shit, sometimes he even goes further in depth and explains methods to mitigate it for any developers who happen to be reading his blog. Despite the fact he also runs courses that cost shitloads of money that cover security.
Hm, two of my three regularly used emails have been pwned like 5-6 times. I should really stop using the same password everywhere.
Mine's been cracked on 4 sites (and a false alarm, a site I never registered on), and on all of them it's when I used a weird-ass password that I don't use anywhere else. :v:
one of my emails has been 7 times, though at least 2 of those are sites I've never signed up for (some game hacks forum, and modern business solutions one but idk). I've been getting better with my passwords recently.
My address turned up in the Exploit.In list. Too bad I can't see which password's associated with it, since I'm pretty sure I could tell from where it is.
[QUOTE=Tamschi;52195208]My address turned up in the Exploit.In list. Too bad I can't see which password's associated with it, since I'm pretty sure I could tell from where it is.[/QUOTE] Try e-mailing Troy on this, I think he may be glad to help on this one because from the article, he also seems to be curious where they are from.
[QUOTE=Teddybeer;52195170]Yeah you should, them just getting one account still sucks but is better than nothing. Pwned on 10 breached sites and found no pastes Pwned on 2 breached sites and found no pastes[/QUOTE] Tbh I just kind of distinguish between dumb throwaway registrations I'm probably never gonna so much as log in to twice, and then things I actually care about, which each get their own password, but it would probably be cleaner to just separate everything properly.
Would be nice to know which of my accounts are in that Anti Public list. There's already accounts of mine that have been previously cracked, but they are either accounts I don't care about/dead sites, and the ones I do care about have already had their passwords changed.
None of my usernames have been pwned, my e-mail has 14 times but all from sites using different or outdated passwords.
[QUOTE=Zet;52195337]Would be nice to know which of my accounts are in that Anti Public list. There's already accounts of mine that have been previously cracked, but they are either accounts I don't care about/dead sites, and the ones I do care about have already had their passwords changed.[/QUOTE] That's the biggest issue with Have I Been Pwned in my opinion. I understand why he wouldn't want to provide easy access to this sort of data but it makes it a huge pain in the ass to actually check at times. I'm not going to go and change my password on every single thing because one account got compromised. If it's an account using one of my insecure passwords then I don't care but if it's a secure account then I'd like to know which one it is so I can go change it rather than all of them.
3 hits on one of my emails, but they're all before I changed to new and unique passwords, and on websites I don't care for. Including myspace, I didn't even know I still had an "active" account on there. I was afraid to check, but seeing my secondary email only bring up 3 outdated hits, and my primary bring up none, is some good peace of mind.
Well there's a new one for the Unreal Engine forum since the last time I checked, but the article states that the passwords were all scrambled and it would be hard to crack them. I guess I should change all my passwords to be different anyways...it's just a pain in the ass when you're lazy. :v:
[QUOTE=cartman300;52195237]Try e-mailing Troy on this, i think he may be glad to help on this one because from the article, he also seems to be curious where from they are.[/QUOTE] According to the comments 000Webhost is confirmed as being in there, so that should be the record it has on me. Besides, [URL="https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/#comment-3291362673"]looks like he's completely swamped with emails right now[/URL] and I'd rather not add to that pile.
Seems I was on the list. Just went through and changed all my passwords because I don't know which of my three passwords was compromised.
Oh god, I was anxious to check and only found 1 pwn, and I have long since changed my password at least a few times for that site, so that's a relief.
Never been pwned, doubtful I will since my emails and accounts all have different, strong passwords and such.
[QUOTE=F.X Clampazzo;52196284]Never been pwned, doubtful I will since my emails and accounts all have different, strong passwords and such.[/QUOTE] It doesn't really matter if your password is strong or if it is literally "password" if everything is stored in plain text anyway.
[QUOTE=F.X Clampazzo;52196284]Never been pwned, doubtful I will since my emails and accounts all have different, strong passwords and such.[/QUOTE] To reiterate what Combine said, strong passwords don't mean shit if they get stolen from the site they're stored on.
[QUOTE=F.X Clampazzo;52196284]Never been pwned, doubtful I will since my emails and accounts all have different, strong passwords and such.[/QUOTE] All that having different strong passwords accomplishes is localizing the extent of the damage when you're compromised. As Combine and The MrFailz said that doesn't prevent them from being compromised if they're stored on the server in a retarded way.
Most people here should consider starting to use a password manager. I had about 150 accounts floating around online most of which used the same 4-5 passwords and usernames. Over a couple of weeks I changed every single one of them to have a unique password with the help of lastpass.
Thought I'd check mine - why is this the first time I'm hearing about Epic's forum breach? I just recently went through my emails, nothing.
Nine hits on my email address. About a year ago, I started using a cipher for my passwords. Letter Substitution, different cipher for each site.
Shit, hackers got my Evony account
I'll say what I've said on every similar thread so far: Use a password manager. Use a password manager. Use a password manager. [B]Use a password manager.[/B] Oh, and if the site supports 2-factor authentication, that could be a good addition as well. But don't rely on every site providing 2-factor authentication, and at the very least use a unique password for every site. According to HIBP I've been in seven breaches so far, and it's a huge relief only having to change a single password on a single site when that happens. The effort in setting up a password manager is minuscule compared to the amount of ass pain you have to endure if your credentials get leaked. That and being able to log in using a single keyboard shortcut is also great.
[QUOTE=StrawberryClock;52197240]Most people here should consider starting to use a password manager. I had about 150 accounts floating around online most of which used the same 4-5 passwords and usernames. Over a couple of weeks I changed every single one of them to have a unique password with the help of lastpass.[/QUOTE] That's pretty much the best thing. It's so nice to be able to go "Oh bummer, my password has been breached. Better change that password" instead of going "Oh no, my password has been breached. Better change the password on all of my accounts."
No breaches on any of my usernames and accounts, which all share the same shit password. Still gonna get a password manager.
This topic has convinced me to go out and install Lastpass. Now I'm in the process of updating all of my passwords. I had already tried once before to keep different passwords for every site, but I inevitably got lazy and fell back on just repeating a select few.
I use unique passwords but store them in a plaintext obscure text document in a random folder while keeping a flash drive backup. Am I at risk?
[QUOTE=Combine 177;52197089]It doesn't really matter if your password is strong or if it is literally password if everything is stored in plain text anyway.[/QUOTE] It matters in the sense that since I don't use the same password twice, I'm literally not going to get compromised other than on some probably completely inconsequential account. Oh no, they might get the email address I openly have posted on my stuff for people to contact me. Big whoop. Call me when my bank's servers are compromised and we'll chat about how it's a problem, but if you're not retarded and don't use the same password for everything, being compromised on one site isn't a huge deal at all. Oh no, someone might be able to make posts on some dumb internet forum with my handle. It's not like I'm 100% unique and have somehow reserved all rights to using the names I use online. The ability for me to be damaged by a server compromise, unless it's something like Amazon, Paypal, or my bank (the only 3 places that have my CC info stored), is basically negligible beyond even bothering to care about. Like yeah it localises the damages. Localises them to the point that it's 200% inconsequential to me if it ever happens for 99% of the stuff I'm on.
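The two points argued back and forth above (plain-text storage makes password strength irrelevant once a site is dumped, and unique passwords confine a leak to one site) as an added example, not code from the thread or from HIBP. The vault contents, site names and record layouts are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data, not real accounts: one person's password vault,
# with the same password reused on two of the four sites.
VAULT = {
    "forum.example": "hunter2",
    "shop.example": "hunter2",
    "bank.example": "Tr0ub4dor&3-unique",
    "mail.example": "correct horse battery staple",
}

def store_plaintext(email, password):
    """The scheme the thread warns about: the stored value IS the password."""
    return {"email": email, "secret": password}

def store_pbkdf2(email, password, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: the record holds only a slow one-way derivation."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"email": email, "salt": salt.hex(), "iter": iterations, "hash": digest.hex()}

def verify(record, candidate):
    """Login check that works for either record shape (constant-time compare)."""
    if "secret" in record:
        return hmac.compare_digest(record["secret"], candidate)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])

def leaked_password(record):
    """What a copy of the stored record hands over directly: the password
    itself for plain-text storage, nothing for the hashed form, however
    strong or weak the password was."""
    return record.get("secret")

def sites_to_rotate(vault, leaked_site):
    """Given which site leaked, every site sharing that password must be
    changed too; with unique passwords this is only the leaked site."""
    leaked = vault[leaked_site]
    return sorted(site for site, pw in vault.items() if pw == leaked)
```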