# Password Alerts



## horseUSA (Oct 7, 2021)

The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords

*If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.*

FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download



> Password reuse and credential stuffing
> 
> Password reuse is normal. It's extremely risky, but it's so common because it's easy and people aren't aware of the potential impact. Attacks such as credential stuffing take advantage of reused credentials by automating login attempts against systems using known emails and password pairs.
> 
> NIST's guidance: check passwords against those obtained from previous data breaches
> 
> The Pwned Passwords service was created in August 2017 after NIST released guidance specifically recommending that user-provided passwords be checked against existing data breaches. The rationale for this advice and suggestions for how applications may leverage this data is described in detail in the blog post titled Introducing 306 Million Freely Downloadable Pwned Passwords. In February 2018, version 2 of the service was released with more than half a billion passwords, each now also with a count of how many times they'd been seen exposed. A version 3 release in July 2018 contributed a further 16M passwords, version 4 came in January 2019 along with the "Collection #1" data breach to bring the total to over 551M. Version 5 landed in July 2019 with a total count of 555M records, version 6 arrived June 2020 with almost 573M and finally, version 7 arrived November 2020 bringing the total passwords to over 613M.



----------



## fubar57 (Oct 7, 2021)

Thanks Mr. Horse. Just checked my own password and it’s secure. My password is •••••••



----------



## horseUSA (Oct 7, 2021)

Just like these folks



----------



## ThomasP (Oct 7, 2021)

Hey horseUSA,

What does "Your password is known to be compromised on at least 1,636 other accounts." and/or "your password was found to be exposed" indicate?

Does it mean that up to 1,636 other people use the same password on one or more of their accounts?

Does it mean that someone has hacked this website and can log in under my name? (The password I use to log in on this forum is the only time I have used that particular password.)

Or does it mean something else?


----------



## Crimea_River (Oct 7, 2021)

Hey Geo, my password is 7 dots too!


----------



## at6 (Oct 7, 2021)

Just changed my password. It was PWNED 56000 times.


----------



## GrauGeist (Oct 7, 2021)

A password Pro-Tip:
Just about every electronic device in your household has a serial number, most often alphanumeric, which makes the best passwords.

They are extremely hard to "crack", easy to remember and change (October is DVD player month, November is coffee maker month, December is guest bedroom TV month, etc.) and manufacturer's serial number archives are rarely hacked and almost never connected to a consumer purchase.



----------



## Marcel (Oct 8, 2021)

My password is “safe” so it’s always safe



----------



## GrauGeist (Oct 8, 2021)

Marcel said:


> My password is “safe” so it’s always safe


I've heard that using the word "password" is easy to remember, too!



----------



## Marcel (Oct 8, 2021)

But on a serious note. Longer passwords are more difficult to break. So it’s good practice to use a password sentence instead of a word, for instance: “ThisPasswordIsDifficultToBreak” 

Having said that, no secure password is really secure if it gets stolen. So rule number one is: *never reuse a password.* Using the same password on different sites is asking to be hacked. David’s tool is helping you to recognise that your password has leaked somewhere. If you get the alert you probably used your password multiple times. Make sure you won’t make that mistake again.



----------



## N4521U (Oct 8, 2021)

Champion you arrrrrr!!


----------



## Snautzer01 (Oct 8, 2021)

now that is a password if i ever saw one. Dibs on it.



----------



## horseUSA (Oct 8, 2021)

ThomasP said:


> What does "Your password is known to be compromised on at least 1,636 other accounts." and/or "your password was found to be exposed" indicate?


The password you are using has been found in password dumps from various data breaches a total of 1,636 times. These breaches and password dumps are compiled at https://haveibeenpwned.com and this site checks that database for possible hits on users' passwords.



ThomasP said:


> Does it mean that up to 1,636 other people use the same password on one or more of their accounts?


It means the password, which you may think is unique, has been seen in these data breaches 1,636 times. It does not mean that an account you set up was part of a data breach, but the password you are using has been exposed and thus is not as secure as you would think.



ThomasP said:


> Does it mean that someone has hacked this website and can log in under my name? (The password I use to log in on this forum is the only time I have used that particular password.)
> 
> Or does it mean something else?


No, this site has not been compromised. It is a big internet with a lot of people and something you thought was unique might with large numbers be not so unique.

Like was stated above, some of the best passwords are a sentence-like setup with words that are known to you but in combination would be hard to discern.



----------



## vikingBerserker (Oct 8, 2021)

Have I Been Pwned: Pwned Passwords - So by using this you test your password by giving them it. Anybody see the irony of this?????



----------



## horseUSA (Oct 8, 2021)

vikingBerserker said:


> Have I Been Pwned: Pwned Passwords - So by using this you test your password by giving them it. Anybody see the irony of this?????


No. From first post.



horseUSA said:


> FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download


Your password gets hashed into a hexadecimal string. Then the first 5 characters are queried against the database, which returns a set of complete hashes for those with matching starting characters. So a typical query against the database will return 300+ hashes. However, since we only sent the first few characters, the exchange doesn't compromise your password. We then see if the hashes returned to us have your password hash included. If so, the password you are using has at some point been compromised.
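The lookup horseUSA describes, as an added example (not the forum's code and not HIBP's own): the password is SHA-1 hashed, only the first 5 hex characters are sent, the candidate suffixes come back, and the match is made locally. The range data below is constructed so it runs offline; the only real values in it are the SHA-1 of "password" and the count quoted later in this thread.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

# Constructed stand-in for the Pwned Passwords "range" endpoint. A real response has
# the same shape: one "SUFFIX:COUNT" line per hash whose SHA-1 starts with the
# requested 5 hex characters. The first suffix under 5BAA6 is the real SHA-1 of
# "password" with the count quoted later in this thread; every other suffix and
# count below is made up for this example.
FAKE_RANGES: Dict[str, str] = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "2A0F2B93C1D5E8A4C7B6F0E9D3A1B2C4D5E:12\r\n"
        "3B7E1A0C2D4F6E8A9B1C3D5E7F0A2B4C6D8:1\r\n"
    ),
    # SHA-1("hello") starts with AAF4C, but its suffix is deliberately absent here,
    # so the prefix matches a range and the local suffix comparison still fails.
    "AAF4C": (
        "0000A1B2C3D4E5F60718293A4B5C6D7E8F9:7\r\n"
        "FFFF1234567890ABCDEF1234567890ABCDE:2\r\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for the network call; returns the constructed data."""
    return FAKE_RANGES.get(prefix, "")


def live_fetch_range(prefix: str) -> str:
    """The real query: GET https://api.pwnedpasswords.com/range/<prefix>.
    Only the 5-character prefix leaves your machine. Not called by default."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def split_hash(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the 40-char hex digest into prefix (5) + suffix (35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Turn the 'SUFFIX:COUNT' lines of a range response into a suffix -> count map."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str] = fake_fetch_range) -> int:
    """Return how often the password appears in breach dumps (0 = not found).

    The full-suffix comparison happens locally, so the service never learns which
    of the returned hashes, if any, belongs to the password being checked.
    """
    prefix, suffix = split_hash(password)
    candidates = parse_range(fetch_range(prefix))
    return candidates.get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "hello"):
        prefix, _ = split_hash(pw)
        n = pwned_count(pw)
        pool = len(parse_range(fake_fetch_range(prefix)))
        verdict = f"seen {n} times" if n else "not found"
        print(f"{pw!r}: prefix {prefix} sent, {pool} candidate hashes returned, {verdict}")
```

Pass `fetch_range=live_fetch_range` to `pwned_count` to run the same check against the real service.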


----------



## Crimea_River (Oct 8, 2021)

Will this alert come up in the future if the site finds your password "Pwned" (never heard that word til now) or is this alert a one time thing?


----------



## GrauGeist (Oct 8, 2021)

Crimea_River said:


> Will this alert come up in the future if the site finds your password "Pwned" (never heard that word til now) or is this alert a one time thing?


"Pwned" is an old gamer's term for "Owned".
It actually started as a typo and blew up (like most things on the interwebs).



----------



## Marcel (Oct 8, 2021)

Crimea_River said:


> Will this alert come up in the future if the site finds your password "Pwned" (never heard that word til now) or is this alert a one time thing?


Yes, it will pop-up again if your password is still insecure.



----------



## Ralph Haus (Oct 8, 2021)

horseUSA said:


> The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords
> 
> *If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.*
> 
> FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download


I stated this earlier on a different thread, but I will repeat here. I did change my password. But most disturbing is the reported 1956 password compromises! Where does this data come from?


----------



## horseUSA (Oct 8, 2021)

Have I Been Pwned: Pwned websites (haveibeenpwned.com): Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.

This list shows the most recent breaches: https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches



The collection of accounts and passwords comes from data breaches, which happen more often than you'd think. The number of password compromises is high for weaker passwords that many users are using.

As an example, years ago LinkedIn was breached and the password I used showed up on this list, but it was only a count of 1.

However if you check the password: "password" on the site you get a count of 3,861,493

The difference was the password I used was unique, thus one hit, but "password" was used by many more accounts, thus more hits. So the higher the count, the more the password has shown up in breaches, which typically means it's weaker and simultaneously used by more people.


----------



## fubar57 (Oct 8, 2021)

Simple easy to remember passwords can be made hard if you insert punctuation marks in them, ie….?fubar?57? Not that that’s my password…..nope….that is for sure


----------



## Ralph Haus (Oct 8, 2021)

horseUSA said:


> Have I Been Pwned: Pwned websites
> 
> 
> Have I Been Pwned allows you to search across multiple data breaches to see if your email address or phone number has been compromised.
> ...


So, that doesn't necessarily translate into compromised, as in someone else has stolen it? If I use the same password on, say, 5 different accounts, then I will get 5 hits, right? I would consider that as still secure. If I get 25 hits, then the password definitely needs changing.


----------



## Marcel (Oct 8, 2021)

The more it occurred, the higher the chance it will be guessed. But the fact that it's there gives criminals a clue to the passwords that you use. You should make sure you get no hit on the pwned database.

And if you use the same password on 5 accounts, all those accounts will be compromised. Btw, criminals use the same list to guess your passwords quicker.


----------



## horseUSA (Oct 8, 2021)

Like Marcel said, if it shows up in the database, whether 1 or 10,000, that password is known to nefarious actors, thus compromised. Maybe they use it, maybe they don't.

Ralph Haus, if you're looking for an analogy to better understand, let me try this. It'd be like leaving the windows down in your vehicle. Maybe people walking by don't grab anything, but maybe some do. It's not much effort for a third party to gain access. Best would be to put up the windows, and make access a much more difficult endeavor.



----------



## Ralph Haus (Oct 8, 2021)

horseUSA said:


> Like Marcel said, if it shows up in the database, whether 1 or 10,000, that password is known to nefarious actors, thus compromised. Maybe they use it, maybe they don't.
> ...


Totally understood and the heads-up is much appreciated. In my case the passwords that have hits are not associated with any financial or personal (medical for instance) sites. Although a few sites that have passwords that have hits are ones that I have done e-commerce through. I will change these for sure even though my CC info is not stored on any of them.


----------



## Marcel (Oct 8, 2021)

It’s not only your own security, but also for others. Hacked accounts are used to spread spam, malware or misinformation and used for other mischief. And you are responsible for the accounts you have and what happens to them.



----------



## Graeme (Oct 8, 2021)

horseUSA said:


> The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords
> 
> *If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.*
> 
> FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download



Thanks for that! Password compromised - now changed. 👍



----------



## ThomasP (Oct 8, 2021)

Hey horseUSA,

Thanks for the clarification.


----------



## Marcel (Oct 9, 2021)

One suggestion for keeping track of many passwords is using a password manager like LastPass, or if you want to keep things in your own hands Keepass2. They can store your passwords securely and encrypted and can even help you to come up with new ones.


----------



## Dimlee (Oct 9, 2021)

I use Bitwarden currently on most of my devices. Everything is synced.
1Password with a "travel mode" is a good choice if you move across the borders often.
Also browser password managers, but only if I'm confident that nobody else can open that browser in my profile.

But s**t happens. My passwords were compromised on several sites in past.


----------



## gumbyk (Oct 10, 2021)

Wait? Your internet browsers don't regularly check this?
What are you using?


----------



## Fascinated (Oct 11, 2021)

Wouldn't it make more sense if, instead of everyone having to come up with different passwords for every account, every website uses a different hash? Then, matching hashes would signify nothing and hackers would not be able to infer anything from them. Ah, but that would require them to assume some responsibility for securing their site.


----------



## Marcel (Oct 11, 2021)

Fascinated said:


> Wouldn't it make more sense if, instead of everyone having to come up with different passwords for every account, every website uses a different hash? Then, matching hashes would signify nothing and hackers would not be able to infer anything from them. Ah, but that would require them to assume some responsibility for securing their site.


No. The hash is not what leaks. It’s the password. A hacker cannot do anything with the hash as it’s virtually impossible to regenerate the password from the hash. You cannot login with the hash. Every site uses a different hash as they all have different seeding.
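As an added example, not part of the thread, this is what "different seeding" looks like in code: each site hashes the password with its own random salt, so the stored records for one reused password differ from site to site and comparing two leaked databases reveals nothing, while the plaintext password, once leaked from any one site, still verifies everywhere it was reused. The record format and function names are this example's own.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not the forum's own code): salted, iterated password storage of
# the kind a site should use. PBKDF2-HMAC-SHA256 is used here because it is in the
# standard library; bcrypt, scrypt or Argon2 would serve the same purpose.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt is drawn unless one is supplied, so the same
    password yields a different record on every call (and on every site).
    """
    salt = os.urandom(16) if salt is None else salt
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(derived.hex(), hash_hex)


def records_reveal_reuse(record_a: str, record_b: str) -> bool:
    """What someone holding two leaked databases learns by comparing hash columns:
    the hashes only coincide if the salts coincide, which random salts do not."""
    return record_a.split("$")[3] == record_b.split("$")[3]


if __name__ == "__main__":
    pw = "ThisPasswordIsDifficultToBreak"  # the example password from the thread
    site_a = hash_password(pw)
    site_b = hash_password(pw)
    print("site A record:", site_a)
    print("site B record:", site_b)
    print("hashes match across sites:", records_reveal_reuse(site_a, site_b))
    print("plaintext verifies on both:",
          verify_password(pw, site_a) and verify_password(pw, site_b))
```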


----------



## Fascinated (Oct 11, 2021)

Subject: Senior trying to set a password 


WINDOWS: Please enter your new password.

USER: cabbage

WINDOWS: Sorry, the password must be more than 8 characters.

USER: boiled cabbage

WINDOWS: Sorry, the password must contain 1 numerical character.

USER: 1 boiled cabbage

WINDOWS: Sorry, the password cannot have blank spaces.

USER: 50bloodyboiledcabbages

WINDOWS: Sorry, the password must contain at least one upper case character.

USER: 50BLOODYboiledcabbages

WINDOWS: Sorry, the password cannot use more than one upper case character consecutively.

USER: 50BloodyBoiledCabbagesShovedUpYourAssIfYouDon'tGiveMeAccessNow!

WINDOWS: Sorry, the password cannot contain punctuation.

USER: ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessNow

WINDOWS: Sorry, that password is already in use.



----------



## Wurger (Oct 11, 2021)




----------



## horseUSA (Oct 11, 2021)

Fascinated said:


> Wouldn't it make more sense if, instead of everyone having to come up with different passwords for every account, every website uses a different hash? Then, matching hashes would signify nothing and hackers would not be able to infer anything from them. Ah, but that would require them to assume some responsibility for securing their site.


Yea that does exist to this day. TLS is based on public/private key exchange. The thing is keeping track of your private and public keys is not as simple as a password.
It is a tremendously hard problem to solve. The big kids Google, Microsoft, Amazon, Apple etc. have all thought hard about passwords and authentication. The best they have come up with is two-factor to make up for potentially weak passwords/hacks. Not super elegant and not bulletproof. Does Jack Dorsey's Twitter Account hack mean two factor authentication is waste of time? - Thales blog. It's hard to verify identity across the internet in a non-intrusive fashion. The real world still is best. It's like going to the bank and dealing with the same teller for ages. There is an implicit authentication that occurs that is very hard to seamlessly replicate on the internet.

There are devices like yubikey which add a hardware authentication to the loop. However, that has only been adopted by the few and corporate access. Not a mainstream occurrence. If you can solve the problem w/o complication you'll ride the wave to big bucks! 🤑🤑🤑



----------



## Fascinated (Oct 11, 2021)

Ok, I just got my alert. Some time ago, I decided that I have just too many accounts to have a unique password for every one. So I started using simple, disposable passwords for all those many accounts that are non-essential, or where it is just not a big deal if it got hacked. Most of these are even more simply the same password. Then I have complex, sometimes unique passwords for those sites that I consider critical. My list of password-"protected" sites numbers over 200. I suspect less than 10% of those I really care anything about. Don't take offense, but why should I care if my account on this forum is compromised? Someone's going to post something to make me look foolish? I can do that well enough myself. Money accounts, that's something else. What, really, do most passwords accomplish?


----------



## Fascinated (Oct 11, 2021)

horseUSA said:


> Yea that does exist to this day. TLS is based on public/private key exchange. The thing is keeping track of your private and public keys is not as simple as a password.
> It is a tremendously hard problem to solve. The big kids Google, Microsoft, Amazon, Apple etc. have all thought hard about passwords and authentication. The best they have come up with is two-factor to make up for potentially weak passwords/hacks. Not super elegant and not bulletproof. Does Jack Dorsey's Twitter Account hack mean two factor authentication is waste of time? - Thales blog. It's hard to verify identity across the internet in a non-intrusive fashion. The real world still is best. It's like going to the bank and dealing with the same teller for ages. There is an implicit authentication that occurs that is very hard to seamlessly replicate on the internet.
> 
> There are devices like yubikey which add a hardware authentication to the loop. However, that has only been adopted by the few and corporate access. Not a mainstream occurrence. If you can solve the problem w/o complication you'll ride the wave to big bucks! 🤑🤑🤑


Your "real world" reminds me of one of my favorites:
pharmacy clerk: Mrs. Johnson says her doctor called in a new prescription, but I can't find it.
pharmacist: It's on the computer.
clerk (after a long search): I still can't find it.
Pharmacist walks over to the computer, pulls a Post-it note off the side of the monitor; Here it is.



----------



## horseUSA (Oct 11, 2021)

Fascinated said:


> Ok, I just got my alert. Some time ago, I decided that I have just too many accounts to have a unique password for every one. So I started using simple, disposable passwords for all those many accounts that are non-essential, or where it is just not a big deal if it got hacked. Most of these are even more simply the same password. Then I have complex, sometimes unique passwords for those sites that I consider critical. My list of password-"protected" sites numbers over 200. I suspect less than 10% of those I really care anything about. Don't take offense, but why should I care if my account on this forum is compromised? Someone's going to post something to make me look foolish? I can do that well enough myself. Money accounts, that's something else. What, really, do most passwords accomplish?


That's not an unrealistic application. I have some simple ones I use for stupid internal stuff. Passwords again not a great solution. 

The main reason we have the alert is for the person who uses the password for everything. Or someone with a lot of content here, that on the highly unlikely chance that some nefarious person would take time/resources to access this site, who wouldn't want it to get corrupted. Even if I think it is a great site....it probably ain't high on the target list.



----------



## at6 (Oct 11, 2021)

It's a good idea to stop using any compromised password. If an outsider gets into this site, they can ruin the whole thing for us with malware.



----------



## ARTESH (Oct 13, 2021)

Well, I assume whoever wants to find any of my passwords, would have a nightmare. I use translations of Persian Poems to other languages as my passwords, just Shahname has over 60000 verses alone, just one poet, one book. And at least 5000 languages with more than 100000 native speakers around the world.



----------



## SaparotRob (Oct 13, 2021)

That's a great idea!



----------



## cherry blossom (Oct 19, 2021)

I received an alert and realised that I had kept the same password since I joined and that it was a fairly obvious password that many other people will have used on other sites. Thus it would be nice to change it in case someone downloads the encrypted passwords from this site and quickly becomes me. Unfortunately, despite having no problem entering the site, on trying to change it, I always get:

Oops! We ran into some problems.
Your existing password is not correct. 

Any ideas? I could claim to have forgotten my password but then I wouldn't find out what is going on.



----------



## Marcel (Oct 19, 2021)

cherry blossom said:


> I received an alert and realised that I had kept the same password since I joined and that it was a fairly obvious password that many other people will have used on other sites. Thus it would be nice to change it in case someone downloads the encrypted passwords from this site and quickly becomes me. Unfortunately, despite having no problem entering the site, on trying to change it, I always get:
> 
> Oops! We ran into some problems.
> Your existing password is not correct.
> ...


I think I can change your password if necessary. Seems like the password you enter as the old password is not correct.



----------



## Wurger (Oct 19, 2021)

It seems that you could have typed your current password with an error. Please check if it is written correctly with the same letters, especially if you use capital ones.


----------



## SaparotRob (Oct 19, 2021)

I am not a robot.



----------



## gumbyk (Oct 19, 2021)

SaparotRob said:


> I am not a robot.


Are you sure?



----------



## cherry blossom (Oct 19, 2021)

You may well be part of a simulation, as suggested by Nick Bostrom: The Simulation Argument



----------



## cherry blossom (Oct 19, 2021)

Returning to my earlier problem, I suspect that I was remaining logged in via a cookie. When I logged out explicitly rather than just closing the browser, I could not log in again and had to go through the password reset process. Thus I had probably changed my password in an earlier try but had not seen much effect.


----------



## GrauGeist (Oct 19, 2021)

SaparotRob said:


> I am not a robot.


To be sure, you must select all images containing a Groundhog to continue...



----------



## Marcel (Oct 20, 2021)

cherry blossom said:


> Returning to my earlier problem, I suspect that I was remaining logged in via a cookie. When I logged out explicitly rather than just closing the browser, I could not log in again and had to go through the password reset process. Thus I had probably changed my password in an earlier try but had not seen much effect.


Yeah, you can virtually be logged in forever through the cookies. So you probably had your password wrong.


----------



## horseUSA (Oct 20, 2021)

cherry blossom, did you sort out the password setup?


----------



## Manne (Nov 11, 2022)

horseUSA said:


> Just like these folks



The gullibility…….



----------

