• Over 3/4 a billion accounts compromised in yahoo/gmail/hotmail security breach
    86 replies, posted
https://twitter.com/Reioumu/status/1085960222898876421 https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/
HIBP have a page you can enter your password into to tell if it's on the compromised list of if you're a lot more security conscious you can download the list and check it yourself. Have I Been Pwned
Holy fuck, this is massive. Seems only 2 out of the 11 PW I used got hit so now I gotta hunt them down and change it.
"You're password has not been found anywhere on the internet... but it is now!"
You sure they have these passwords yet? I'm pretty sure they don't have it in their list of breaches yet
"As of now, all 21,222,975 passwords from Collection #1 have been added to Pwned Passwords bringing the total number of unique values in the list to 551,509,767." In the article, is this what you mean?
thank christ i use a different password for everything
I used to have three passwords I used for different things. Two are now on the Pwnd list.
It said my one email might be compromised but my password wasn't. I changed it anyway.
This is why I love using Keepass. Keep it synced to the cloud and you never have to worry.
Until they're hacked.
That's why you use a strong master password for the database.
A lot of my old passwords I used on multiple sites (for like forum logins etc, not important stuff) ended up in those lists. Its a real shame how the security of so many sites is just bad. Actually going through the lists of sites he gives, so many of them are practically dead forums on those sites. Meaning they are probably just left to rot and outdated for 4-10+ years.
2FA only will help a breach if it's used in an encryption process. If it's just used for login authentication, you can just steal someone else's valid session one way or another
I still don't get why people are more willing to place all their passwords on one single online service rather than actually writing them down and keeping it in a safe place. I'd have more trust in keeping a slip of paper stuffed in a book than having one password keeping everything.
It's a lot harder to hack a Stick-it note stuck to the top of your desk drawer than it is to hack a cloud service. And if you have ill-intending people in your room going through your desk drawer, then you've got a lot more immediate concerns on your mind than someone getting your login credentials.
this xkcd comic is always going to be relevant https://files.facepunch.com/forum/upload/224422/84878926-b461-4db8-8153-9487d72b7386/password_strength.png if you don't think this is correct no worries, just check the explain xkcd wiki page to discover why you're very, very wrong
Isn't that not as secure since common words like that are known and often used and combined as guesses when trying to brute force a password? Just a low budget PC by today's standards can run through several million guesses per second
Because of the sheer amount of accounts everyone tends to have, you'd end up with a long, long note of passwords if you wanted to keep each one unique for the absurd amount of services that you're likely to use, plus all those services trying to get you to sign up with more garbage exclusives, such as all the new streaming services each company is launching while taking their shows out of netflix, or other platforms like Origin/Epic Launcher.
I use same password for everything but I have 2FA enabled everywhere. Occasionally I get SMS from uber with code, or EA (In Russian) or Ubi. Cant be arsed to change
That XKCD strip at least heads in the right direction. Increasing entropy of a password makes it harder to attack in general. Dictionary attacks using combined words are still slower than standard dictionary attacks on common passwords after all. But it's still really shitty advice. Just get a password manager (Lastpass and 1Password are great cloud solutions. Keepass is a great locally stored one) and use random generation. Coming up with your own passwords is rife with issues. Eventually you'll forget one, or start getting lazy with how you come up with them. At least with a password manager you only need one secure password to authenticate yourself (or a key file if you want using Lastpass).
Any words/opinions about Authy? I used google authenticatr once - but I lost phone and turns out I was fucked. While with Authy - I was able to login and get all my accounts back instantly, it seems a bit too good to be true/free?
Personally, I open Notepad, and just mash my keyboard at random to make something like so: 9s;d9Jsa89^aklfmAS<, I copy paste it as my password, then I write it down on a paper I keep. And then that's it. What can use 2FA has 2FA. I can recover my passwords no problem if need be. I know Lastpass and all that exists, but the only way I KNOW my password stays with ME is by doing it this way. I don't trust any cloud. Ever. If the data from the place I have the account with gets leaked, it's a simple change
KeePassXC my dude. You don't have to upload it to ~the cloud~ and you can instead keep it on a USB something
Keepass would probably be my preference if I wasn't a lazy fuck who can't be bothered to remember to install Dropbox on every machine I touch. Just because of the extra step of not needing to rely on a cloud. Also you could encrypt the already encrypted password vault even more if you're super paranoid.
Some fuck ass started playing Spanish music on spotify while I was in the shower and ruined my time. Also made a bunch of playlists.
This is why I use a password manager
That's fuckin terrible, never store passwords in plain text KeePass is absolutely the way to go if you want the most secure password manager.
4 random word passwords are by no means bad. They're not as secure as equal length fully random passwords, but 3-4 random words are miles more secure than 1-2 words with common symbol substitution, and much more usable. You're not going to get your password brute-forced at 4 words unless someone's explicitly targetting you. These people have a quarter of a billion passwords to chew through, they're not going to spend a long time cracking your password when cracking thousands of passwords like P@ssw0rd is easy. Meanwhile, a password like "swash measure mollusk cast" is significantly easier to remember and type compared to "jrWrKfVBCinAgnCUCKsLvd". The whole point of that xkcd is to say that 4 word passwords are both better and more usable than the shitty 1 word passwords most people use. There's no tradeoff there, which is rare when it comes to security. The fact that there are more secure alternatives doesn't make 4 words any worse.
I'm not sure why that guy on Twitter mentioned about Hotmail, Yahoo and Gmail being breached but I've been searching anywhere and I haven't found anything that tells me that they were in that list. Even going with the last resort of typing in your password on haveibeenpwned has given no result (no mention of any passwords I've used on Gmail or Hotmail). Not sure if I'm just bad at reading or that guy who made the Twitter post relayed false information. There's this list at least: https://pastebin.com/UsxU4gXA
Sorry, you need to Log In to post a reply to this thread.