• Over 3/4 a billion accounts compromised in yahoo/gmail/hotmail security breach
    86 replies, posted
Yeah I've gotta start doing that. I at least do it for important financial shit
Q. How long ago were these sites breached? It varies. The first site on the list I shared was 000webhost who was breached in 2015, but there's also a file in there which suggests 2008. These are lots of different incidents from lots of different time frames. So if you were in any previous breach there might just be that old info.
Fucking hell gmail was like the only one I'd trust with my main password. I swear the only place which didn't get hacked is Steam. Unless I'm wrong.
I've got a notepad file on an HDD
2FA over SMS is still insecure https://motherboard.vice.com/en_us/article/vbawv8/sim-swapping-hacking-victims-want-telephone-companies-protect-customers-edited https://youtu.be/caVEiitI2vg?t=63 Timestamped
I don't store it in notepad, I just mash my keyboard in notepad so I can see what it creates to write down
I'm coming to your house to steal your post it notes
You had to physically delete the part where he says that he doesn't do this.
Biggest problem is you cannot absolutely rely on Password Managers always. Your domain login at work/school? Yeah, a password manager will not help you there. It may not even help you when you're logged in, depending on policies set. In those cases, this advice is the best possible advice, because the alternative is the sticky note/notepad method. But agreed that when you can use a Password Manager, do so. It's made my life a lot easier for sure.
What’s the best password manager?
Probably keepass if you're afraid of the cloud, people. Lastpass is very convenient.
I don't know about other password managers since I use Keepass, but the advantage of a password manager isn't just the random password generation. You can also manually type in your own passwords, which means it's easy to keep track of them if a breach happens. Nothing stops you in Keepass from still using weak/same passwords for services that you don't care about.
Picking up a password manager (Keepass) was probably one of the better decisions I've made in life. Got a decent amount of accounts on there, all with generated passwords. https://files.facepunch.com/forum/upload/109818/40a42156-35dc-4e22-80c6-7d5d94e584d3/2019-01-18_19-12-48.png
Password managers handle creating the complex and safe passwords for you, while also remembering them for you. That way, each password is unique, and there's also no way you could forget or lose a password somewhere, or be more inclined to create easily cracked password patterns. Or, have someone break into your house/apartment and just have instant access to all your online accounts because of a pile of sticky notes you have in a drawer. At least with a password database, they'll need to know the password to the database before they can get your info. You can choose to store it in the cloud behind a service with a strong password and 2FA for convenience, but with password managers like KeePass which are more local machine based, you can also choose to store that data in something like an encrypted USB drive that you can keep on you at all times. That way, your passwords aren't stored on an online storage service that can get hacked, but they're also not out in plain sight or easily obtainable by someone who can just break in. The only way they'd be able to get your passwords is to rob it from you directly, and even if they somehow did and got away with it, they'd have to decrypt the drive and then figure out the password for the database.
So putting my email in pwned search won't tell me much? It said my old facepunch was breached, but that's it.
What I mean is, you can't just run a Password Manager in those situations. It's useless on a domain login screen, and many organizations have restrictions on what software can run on their systems. Some have a corporate approved password manager, but not all do. And I wouldn't trust it with anything non-work related for obvious reasons.
For my passwords I usually like to just combine random product names and objects on my desk or somewhere nearby. For example, z97xSLIGTx1070!LivesaversDrPepper
Keepass database files are already AES-256 encrypted. You could certainly encrypt the drive you keep it on for extra security, but I think unless your passwords are of unusually high value so that you have a determined adversary specifically targeting you, it's basically paranoid to encrypt your purely-local database twice (just use a stronger password for the database instead).
It's a pain when you find things you can't use a manager for. Like a login for the OS or something. I have a few weak passwords in my Lastpass due to this and it loves to remind me of that fact. It's such a pain having to pull out the app, login, Auth and then manually type in a password. But for everything else using a manager has been a huge improvement to my life for the most part.
If it doesn't mention Collection #1 on hibp, you're not in this breach. If you want to be sure you're safe, make sure you don't reuse your passwords across any of your important sites. Change them if you do. This is an excellent chance to start using a password manager. I personally use 1password, and that's the one that Troy Hunt recommends. See this blog post. You don't need to add your sites manually to the password manager, so there's no effort to get started. You just install, and let it save accounts when you log in to websites.

If you want to double-check a password (and aren't going to use 1password, which does it for you), use pwned passwords, which has been linked multiple times in this thread. If you're paranoid about typing your password on a website (you should be), use the api:

Hash your password to SHA1. ShareX has a tool that easily does this for you. "password" would become "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8"
Copy the first five characters to the end of this link: https://api.pwnedpasswords.com/range/ (i.e. https://api.pwnedpasswords.com/range/5BAA6 for "password")
Search for the rest of the hash using CTRL+F. In the case of "password", search for "1E4C9B93F3F0682250B6CF8331B7EE68FD8". Oh, that one's been pwned 3645804 times!
If you can't find the end of the hash on the resulting list, your password is still safe.
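The range lookup described in the post above, as an added example that is not part of the original thread and not code from Have I Been Pwned: it hashes the password locally, sends only the 5-character SHA-1 prefix, and compares the remaining 35 characters against the returned list on the client side, so the full hash never leaves the machine. The sample response body is constructed to mimic the "SUFFIX:COUNT" line format (the 3645804 count for "password" is the one quoted in the post; the other lines are filler), so the lookup runs offline; `fetch_range` is the optional live variant and the "hibp-range-check-example" user agent string is an assumption.

```python
import hashlib
import urllib.request

# Constructed sample of a range response for prefix "5BAA6": one "SUFFIX:COUNT"
# per line, suffix uppercase hex, the prefix itself is not repeated. Only the
# 3645804 entry reflects the count quoted in the thread; the rest are filler.
SAMPLE_RANGE_RESPONSE = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3645804
1E7D6A8B5E1F8B4E2F7C9D1A3B5C7E9F123:1
"""


def split_sha1(password):
    """Return (prefix, suffix) of the uppercase hex SHA-1 of the password.

    The 5-character prefix is the only thing that would be sent to the API;
    the 35-character suffix stays local and is matched client-side.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body):
    """Parse a range response into {suffix: count}, tolerating blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix):
    """Live lookup (assumed endpoint shape matches the URL quoted in the post)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    req = urllib.request.Request(
        url, headers={"User-Agent": "hibp-range-check-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=None):
    """Number of times the password appears in the corpus, 0 if not found.

    `fetch(prefix) -> body` lets the caller inject an offline response;
    it defaults to the live HTTP lookup.
    """
    prefix, suffix = split_sha1(password)
    body = fetch(prefix) if fetch is not None else fetch_range(prefix)
    return parse_range(body).get(suffix, 0)


def offline_fetch(prefix):
    """Stand-in for the network call using the constructed sample above."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=offline_fetch)
        verdict = "seen %d times" % n if n else "not in the sample"
        print("%-30s %s" % (candidate, verdict))
```

The design point is that the comparison happens on the client: the API only ever learns a prefix shared by several hundred hashes, which is the k-anonymity property the post's manual CTRL+F procedure relies on. When doing this in code, keep the full digest out of logs and URLs for the same reason.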
https://files.facepunch.com/forum/upload/222257/3e758d97-bd7a-4ccd-86f4-56642cc6f3b5/image.png Another one on the list...This is why I use both 2FA on everything and moved over to Keepass with unique passes on everything. Tbh stuff like Keepass is also great for just keeping track of accounts/usernames in general, I use the account notes to put all of my security answers, 2FA reset codes and other info in there so I never need to worry about forgetting it or storing it somewhere else. If you use Chrome and are signed in/synced with everything but have a weak Google password/no 2FA just remember if someone gets into your account they can literally download your entire saved password list as well as if you haven't disabled it, any location/Google search data you have stored on your account. If they get into your Facebook they can generate a link to download all conversations and images you have ever sent on the service as well.
That is absolutely not how bruteforcing works. What you're thinking of is a dictionary attack combined with bruteforcing. Bruteforcing as a method itself is exactly how you described, where every single character is checked until the solution is found, though usually it's from a much smaller table of characters than the full unicode set. That's the reason you're supposed to add special characters and numbers into your passwords, as it screws up dictionary attacks and makes it much harder for bruteforcers to find a password by pure chance. Also you severely underestimate the strength of passwords. Even just using a standard 8 character long password with only the latin alphabet, that's 26^8, or about 210 billion combinations. A low budget pc of 5 million guesses per second would take 12 hours to crack using bruteforcing. That doesn't seem like much, but when you use the standard table of special characters and numbers (95), the number of combinations skyrockets to 6.6 quintillion. A low budget pc would take 42 years to crack your typical password in that case. Only if you used a specialized computer such as the one that password analysts built of 350 billion guesses would that time come down to anything reasonable (5 hours in this case). Using 4 completely random 4 letter words from the english language, something that's incredibly unlikely because bigger words are much more common, gives you a combination of 44 sextillion (26^16), which would take a specialized computer as mentioned previously 4000 years to bruteforce. And remember that as long as you use 4 completely random words they couldn't use a dictionary attack on you, unless they knew you were using this method, and that means they'd HAVE to bruteforce it. Add a single special character into your 4 random word password and congratulations, you've just stopped them from ever guessing your password before the heat death of the universe.
Only once quantum computers come around will we have computers that could theoretically crack a 16 character password reasonably. Feel free to check my work btw, I just did these numbers off hand and might have gotten something wrong, but the point still stands, a 16 character password will almost never be broken as long as it's random enough. Things are a lot more secure than we think they are, but only if we take the proper measures to secure them.
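A small calculator for the keyspace and exhaustive-search arithmetic in the two posts above, added here as an example and not written by the poster. It reproduces the figures the poster uses (26^8 at 5 million guesses per second, 95^8 at 5 million and at 350 billion, 26^16 at 350 billion) and also carries the passphrase case a step further: a four-word passphrase is modelled both as 16 random letters and as four picks from a wordlist of a given size, because the search space depends on what the attacker knows about how the password was built. The 7776-entry wordlist size used in the demo is an assumption (a common diceware list length), not a figure from the thread.

```python
import math

SECONDS_PER_HOUR = 3600.0
SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, fine for rough estimates

# Guess rates used in the posts above (guesses per second).
LOW_BUDGET_PC = 5e6
SPECIALIZED_RIG = 350e9


def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet_size ** length


def passphrase_keyspace(wordlist_size, words):
    """Keyspace if the attacker knows the wordlist and the word count."""
    return wordlist_size ** words


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate (expected time is half this)."""
    return space / guesses_per_second


def hours_to_exhaust(space, guesses_per_second):
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_HOUR


def years_to_exhaust(space, guesses_per_second):
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def bits_of_entropy(space):
    """log2 of the keyspace: the usual way to compare search spaces."""
    return math.log2(space)


def describe(label, space, rate):
    secs = seconds_to_exhaust(space, rate)
    if secs < SECONDS_PER_YEAR:
        when = "%.1f hours" % (secs / SECONDS_PER_HOUR)
    else:
        when = "%.0f years" % (secs / SECONDS_PER_YEAR)
    print("%-34s %6.1f bits  %s at %.0e g/s" % (label, bits_of_entropy(space), when, rate))


if __name__ == "__main__":
    describe("8 lowercase letters (26^8)", keyspace(26, 8), LOW_BUDGET_PC)
    describe("8 printable ASCII (95^8)", keyspace(95, 8), LOW_BUDGET_PC)
    describe("8 printable ASCII (95^8)", keyspace(95, 8), SPECIALIZED_RIG)
    describe("16 random letters (26^16)", keyspace(26, 16), SPECIALIZED_RIG)
    # Same 4-word passphrase, but modelled as 4 picks from a known 7776-word
    # list (assumed size): far smaller than 26^16, because structure the
    # attacker knows about shrinks the space they have to search.
    describe("4 words from a 7776-word list", passphrase_keyspace(7776, 4), SPECIALIZED_RIG)
```

Two things the numbers show once they are side by side: the poster's "12 hours / 42 years / 5 hours / 4000 years" figures all come straight out of `seconds_to_exhaust`, and the passphrase line is the reason random-word passphrases are usually sized by wordlist entries rather than by letters. A guess rate is also specific to the hash in use; the same rig that manages 350 billion fast hashes per second gets a tiny fraction of that against a slow password hash.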
Accidentally misread the post, was in bed at about 0430 and on mobile at the time. My apologies.
Ah good, looks like I'm in the clear. I try to mix up my password every site, but having Gmail of all places hit would've been worrying regardless.
https://krebsonsecurity.com/2019/01/773m-password-megabreach-is-years-old/ https://krebsonsecurity.com/wp-content/uploads/2019/01/collection1.jpg Collection #1 - the dump referenced in this article - well, let's just say it's far from the largest available.
Not to mention what if you used a short sentence interspaced with numbers/punctuation. 12Happymolesontheir1sttripetovenice! would be easy as piss to remember but good luck bruteforcing that in any reasonable amount of time.
Kinda wondering how old the data in this collection is. My email is on the list but my most common password is not.
I generally use a fairly unique passphrase whenever possible, as it ends up easier to remember a longer password that way. I retired "Dirty Debbies Dingy Dungeons 1234!@#$" recently.
The bad title is confusing people. To make it clear yahoo/gmail/hotmail were not breached. This list comes from various other sites, and only affects people that reused their password from those breached sites on their yahoo/gmail/hotmail accounts.
JAIL, FUCK SAKES