Over 3/4 a billion accounts compromised in yahoo/gmail/hotmail security breach
86 replies
I generally use a fairly unique passphrase whenever possible, as it ends up easier to remember a longer password that way. I retired "Dirty Debbies Dingy Dungeons 1234!@#$" recently.
The bad title is confusing people. To make it clear yahoo/gmail/hotmail were not breached. This list comes from various other sites, and only affects people that reused their password from those breached sites on their yahoo/gmail/hotmail accounts.
FUCK SAKES
Read the link right above your post
No, they're not, because a brute forcer isn't going to include every possible permutation, because they won't know the exact layout of your password. For instance, varying case at random can exponentially increase the time it takes to crack the password. The entropy calculations on it are just flat wrong. If people use that advice literally, and use 4 random words with spacing in between, assuming 100,000 of the most common words the number of permutations would be 1.0e20 -- compared to just a 10 symbol password with any combination of random case and just using symbols available on an English US keyboard, results in roughly 1m fewer permutations, which may sound like a huge weakness but there's still WAY over 10 quadrillion possibilities someone would have to brute force through, not including the time it'd take to do so based on the hashing algorithm (and not including hashing potential weaknesses with predictable hashes like using lowercase letter words).
Wow, I hadn't changed my google password since 2007 apparently. Changed it anyway.
Fortunately I've been using unique passwords on sites since forever.
Guys, remember this comic was made in 2011. Password managers just weren't as well known or ubiquitous back then.
It was purely to demonstrate that a passcode that is hard for a human to remember could be easy for a computer to guess and inversely a 4 random words password would be easy for a human to recall yet be difficult for a computer to guess.
The actual example given is that even if the attacker knows that the password was generated using 4 random (NON-USER CHOSEN) words from a list of 2048 common English words, it would still be more secure than a simple 11-character password.
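To put numbers on the argument in the two comments above (the 100,000-word objection and the comic's 2048-word example), here is an added example that is not part of the thread. It computes the guess space of a uniformly random scheme, reproduces the comic's 28-bit estimate for a human-chosen pattern, and generates a passphrase with the OS CSPRNG so the words really are non-user-chosen. The word list is a constructed stand-in; only its size matters for the entropy figure.

```python
import math
import secrets
import string
from typing import Sequence

# Constructed sample list; a real deployment would load a 2048-word
# (or 7776-word Diceware) list from a file.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "orange", "river", "pencil",
    "window", "copper", "garden", "silver", "thunder", "velvet", "marble",
    "cactus", "harbor",
]

# 52 letters + 10 digits + 32 punctuation = 94 printable US-keyboard symbols
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices: int, positions: int) -> float:
    """Bits of entropy when each of `positions` slots is drawn uniformly and
    independently from `choices` options (log2 of the guess space)."""
    return positions * math.log2(choices)


def guess_space(choices: int, positions: int) -> int:
    """Exact number of candidates a brute-forcer must cover in the worst case."""
    return choices ** positions


def troubador_pattern_bits() -> int:
    """The comic's estimate for a human-chosen 'Tr0ub4dor&3'-style password.
    The attacker is assumed to know the pattern, so only the free choices count."""
    base_word = 16       # uncommon but real dictionary word
    capitalisation = 1   # first letter capitalised or not
    substitutions = 3    # common leet substitutions (0 for o, 4 for a, ...)
    numeral = 3          # one appended digit
    punctuation = 4      # one symbol from a small set
    order = 1            # digit-then-symbol or symbol-then-digit
    return base_word + capitalisation + substitutions + numeral + punctuation + order


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole space at a given guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(wordlist: Sequence[str], words: int = 4, sep: str = " ") -> str:
    """Draw each word with the OS CSPRNG (secrets), never random.choice or a human."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def generate_random_password(length: int = 11, alphabet: str = PRINTABLE_ASCII) -> str:
    """A truly random 11-symbol password, for comparison with the comic's pattern."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(f"4 words from 2048 list:      {entropy_bits(2048, 4):.0f} bits")
    print(f"comic's Tr0ub4dor&3 pattern: {troubador_pattern_bits()} bits")
    print(f"11 truly random symbols:     {entropy_bits(94, 11):.1f} bits")
    print(f"4 words from 100,000 list:   {guess_space(100_000, 4):.1e} candidates")
    rate = 1e9  # assumed guesses per second for an offline fast hash
    print(f"years at {rate:.0e}/s for 44 bits: {years_to_exhaust(44, rate):.2f}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS))
```

The comparison the comic makes is 44 bits against 28 bits, not against a fully random 11-character string (which is about 72 bits); the 11-character figure only collapses because a human chose it by a guessable recipe.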
makeamericagreatagain isn't on the pwned list if anyone wants to use it.
Two of my emails were in the breach but neither password was affected. Changed them anyway. A sample size of 3 is pretty small but I wonder if this breach is a hoax.
Echoing what others have said, using a password manager is a good idea. Makes it simple to create and manage unique passwords for every service. Plugins are available that let you generate passwords like the xkcd example (which are hard to brute-force, but easier to type).
The easiest free way to check all your passwords is to import them into KeePass (if that's not already the password manager you use) and install the HIBP plugin. That plugin will batch submit all the passwords to HIBP without revealing the passwords to the service (read about k-Anonymity for how, basically it hashes the password and sends just the first part of the hash). If you have 1Password it natively supports submitting passwords to HIBP, as does BitWarden if you have premium.
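The k-anonymity scheme mentioned above, as an added example that is not from the thread or from the KeePass plugin: the client SHA-1s the password, sends only the first 5 hex characters to the range endpoint, and compares the remaining 35 characters locally against the returned list. The range response here is a constructed stand-in (made-up suffixes and counts, except that the suffix for the string "password" is its real SHA-1 tail), so the snippet runs offline; the real endpoint is `https://api.pwnedpasswords.com/range/<prefix>`.

```python
import hashlib
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5   # hex chars that leave the machine; 35 stay local


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase hex SHA-1 into the prefix that is sent and the
    suffix that is only ever compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns into a dict.
    Malformed lines are skipped rather than allowed to crash the check."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 if never).
    fetch_range receives only the 5-char prefix; the full hash never leaves."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the body of GET /range/5BAA6.  The second suffix is
# the genuine SHA-1 tail of "password"; every other suffix and every count is
# made up for this example.
FAKE_RANGES = {
    "5BAA6": """\
003D68EB55068C33ACE09247EE4C639306B:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
2A6C3F0E7B1D9C4A5F8E2B7D6C1A9E3F0B4:1
this line is malformed and is skipped
""",
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP GET; returns an empty body for unknown prefixes."""
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw, offline_fetch)} times")
```

Swapping `offline_fetch` for a function that performs the real GET is the only change needed for a live check; the prefix is the only value that crosses the network, which is why a password manager can batch-submit a whole vault without disclosing any password.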
Oh shit, my main email is in the list. Changed the password anyway.
So my current passwords are fine, but my email showed up as pwned. Does that mean I need to change everything anyway or just my email password?
It is just a big collection of older breaches and has nothing to do with gmail/hotmail (Outlook rather) directly. There might be some old info of some of your old account from some other site, and the info can be as old as 2008.
The reason for password length limits is that to store/decode a password in a hashed format (as should be done), it takes exponentially more computer power to process with every character. At a certain point it becomes so much that it has been used as an amplification method in DDoS attacks.
Yeah, I use Keepass. Installed the plugin and it looks like none of my passwords are affected. Guess it's from an old breach, or maybe from a service I abandoned using long before I started using Keepass.
I keep getting calls from Washington DC (1 202 455 8888) for an account verification number. Looks like it's time to change all my passwords again.....
Using which hash function? PHP's password_hash and password_verify simply ignore anything beyond the first 72 characters when using bcrypt. Most password hashing algorithms do the same. Unless you're using plain SHA-256 for some reason, this isn't a viable attack.
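An added example, not from the thread, that makes the two comments above concrete: bcrypt (as used by PHP's `password_hash` and the common libraries) only consumes the first 72 bytes, so two passwords that differ after byte 72 verify against the same hash, and the usual defences are an explicit byte-length cap checked before any expensive work plus, where very long inputs must be accepted, a fixed-size pre-hash. The 128-byte cap is an assumed policy value, and PBKDF2 from the standard library stands in for bcrypt so the snippet runs without a third-party package.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

BCRYPT_INPUT_LIMIT = 72      # bytes bcrypt actually hashes; the rest is discarded
MAX_PASSWORD_BYTES = 128     # assumed site policy: generous for humans, bounded for the server
PBKDF2_ITERATIONS = 100_000  # cost parameter of the stand-in KDF


def bcrypt_effective_input(password: str) -> bytes:
    """What bcrypt actually sees: everything past byte 72 is silently dropped."""
    return password.encode("utf-8")[:BCRYPT_INPUT_LIMIT]


def collide_under_bcrypt(a: str, b: str) -> bool:
    """True when two different strings would verify against the same bcrypt hash."""
    return bcrypt_effective_input(a) == bcrypt_effective_input(b)


def within_length_policy(password: str) -> bool:
    """Cheap check that runs before any KDF work, so oversized input costs nothing."""
    return len(password.encode("utf-8")) <= MAX_PASSWORD_BYTES


def prehash_for_bcrypt(password: str) -> bytes:
    """Fixed 44-byte key (SHA-256 then base64) so no length is truncated and no
    NUL byte reaches bcrypt.  Once chosen, the scheme must never change, or
    existing hashes stop verifying."""
    return base64.b64encode(hashlib.sha256(password.encode("utf-8")).digest())


def hash_password(password: str) -> Tuple[bytes, bytes]:
    """Length-checked hashing; PBKDF2-HMAC-SHA256 stands in for bcrypt here."""
    if not within_length_policy(password):
        raise ValueError("password exceeds length policy")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Same cap on the verify path, and a constant-time comparison of the result."""
    if not within_length_policy(password):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    long_a, long_b = "a" * 72 + "X", "a" * 72 + "Y"
    print("differ only after byte 72, same under bcrypt:", collide_under_bcrypt(long_a, long_b))
    print("200-byte input passes policy:", within_length_policy("a" * 200))
    print("pre-hash length for a 10,000-char input:", len(prehash_for_bcrypt("x" * 10_000)))
    salt, digest = hash_password("hunter2")
    print("verify correct:", verify_password("hunter2", salt, digest))
    print("verify wrong:  ", verify_password("hunter3", salt, digest))
```

The cap belongs on both the registration and the login path: an attacker who can only reach the login form still triggers the KDF there, so a limit enforced only at signup does not bound the work per request.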