Password Alerts


Simple easy to remember passwords can be made hard if you insert punctuation marks in them, ie….?fubar?57? Not that that's my password…..nope….that is for sure
 

This list shows most recent breaches.

The collection of accounts and passwords comes from data breaches, which happen more often than you'd think. The number of password compromises is high for weaker passwords that many users are using.

As an example, years ago LinkedIn was breached and the password I used showed up on this list, but it was only a count of 1

However if you check the password: "password" on the site you get a count of 3,861,493

The difference was the password I used was unique thus one hit, but "password" was used by many more accounts thus more hits. So the higher the count the more the password has shown up in breaches, which typically means it's weaker and simultaneously used by more people.
So, that doesn't necessarily translate into compromised, as in someone else has stolen it? If I use the same password on, say 5 different accounts, then I will get 5 hits, right? I would consider that as still secure. If I get 25 hits, then the password definitely needs changing.
 
The more it occurred, the higher chance it will be guessed. But the fact that it's there gives criminals a clue to the passwords that you use. You should make sure you get no hit on the pwned database.

And if you use the same password on 5 accounts, all those accounts will be compromised. Btw criminals use the same list to guess your passwords quicker.
 
Like Marcel said, if it shows up in the database whether 1 or 10,000 that password is known to nefarious actors, thus compromised. Maybe they use it maybe they don't.

Ralph Haus, if you're looking for an analogy to better understand let me try this. It'd be like leaving the windows down in your vehicle. Maybe people walking by don't grab anything, but maybe some do. It's not much effort for a third party to gain access. Best would be to put up the windows, and make access a much more difficult endeavor.
 
Totally understood and the heads-up is much appreciated. In my case the passwords that have hits are not associated with any financial or personal (medical for instance) sites. Although a few sites that have passwords that have hits are ones that I have done e-commerce through. I will change these for sure even though my CC info is not stored on any of them.
 
The forum software was updated on October 7th, 2021. With the update came a feature which checks your password against a database of exposed passwords. If your password is found to have been exposed at some point in time the system will alert you. You can perform your own password check against the same database at Have I Been Pwned: Pwned Passwords

If you receive an alert it means your password was found to be exposed. For security it would be best to change your password.

FYI your password is not checked in the clear but via an anonymized hashing process: I've Just Launched "Pwned Passwords" V2 With Half a Billion Passwords for Download

Thanks for that! Password compromised - now changed. 👍
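
The "anonymized hashing process" mentioned above, sketched as an added example that is not part of the thread or the forum software's own code: only the first 5 hex characters of the password's SHA-1 leave the client, and the match is done locally against the returned suffixes. The sample response and the `fake_fetch_range` stub are constructed so the block runs offline; the count for "password" is the one quoted earlier in the thread.

```python
import hashlib

PREFIX_LEN = 5   # hex characters of the SHA-1 digest sent to the service
SUFFIX_LEN = 35  # remaining hex characters, compared locally only

def split_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping malformed lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == SUFFIX_LEN and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password, fetch_range):
    """How often the password appears in the corpus; 0 means no hit.

    fetch_range(prefix) is the only call that crosses the network, and it
    receives the 5-character prefix, never the password or the full hash.
    Padding entries with count 0 (if the service adds them) also yield 0.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# --- constructed offline stand-in for the range service -------------------
sent_prefixes = []  # records everything the "server" would have seen

def fake_fetch_range(prefix):
    """Hypothetical stub: returns a constructed response for one prefix."""
    sent_prefixes.append(prefix)
    pw_prefix, pw_suffix = split_hash("password")
    if prefix != pw_prefix:
        return ""  # no entries for any other prefix in this constructed data
    return "\r\n".join([
        "0" * 34 + "1:2",         # constructed decoy sharing the prefix
        pw_suffix + ":3861493",   # count quoted in the thread
        "F" * 35 + ":0",          # constructed padding-style entry
        "not a valid line",       # malformed input is ignored
    ])

if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple 9413"):
        print(candidate, "->", breach_count(candidate, fake_fetch_range))
    print("server saw only:", sent_prefixes)
```

A real client would replace the stub with an HTTPS GET to the Pwned Passwords range endpoint for that prefix; everything after the request stays the same.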
 
One suggestion for keeping track of many passwords is using a password manager like LastPass, or if you want to keep things in your own hands Keepass2. They can store your passwords securely and encrypted and can even help you to come up with new ones.
 
I use Bitwarden currently on most of my devices. Everything is synced.
1Password with a "travel mode" is a good choice if you move across the borders often.
Also browser password managers, - but only if I'm confident that nobody else can open that browser in my profile.

But s**t happens. My passwords were compromised on several sites in the past.
 
Wouldn't it make more sense if, instead of everyone having to come up with different passwords for every account, every website uses a different hash? Then, matching hashes would signify nothing and hackers would not be able to infer anything from them. Ah, but that would require them to assume some responsibility for securing their site.
 
No. The hash is not what leaks. It's the password. A hacker cannot do anything with the hash as it's virtually impossible to regenerate the password from the hash. You cannot login with the hash. Every site uses a different hash as they all have different seeding.
 
Subject: Senior trying to set a password


WINDOWS: Please enter your new password.

USER: cabbage

WINDOWS: Sorry, the password must be more than 8 characters.

USER: boiled cabbage

WINDOWS: Sorry, the password must contain 1 numerical character.

USER: 1 boiled cabbage

WINDOWS: Sorry, the password cannot have blank spaces.

USER: 50bloodyboiledcabbages

WINDOWS: Sorry, the password must contain at least one upper case character.

USER: 50BLOODYboiledcabbages

WINDOWS: Sorry, the password cannot use more than one upper case character consecutively.

USER: 50BloodyBoiledCabbagesShovedUpYourAssIfYouDon'tGiveMeAccessNow!

WINDOWS: Sorry, the password cannot contain punctuation.

USER: ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourAssIfYouDontGiveMeAccessNow

WINDOWS: Sorry, that password is already in use.
 
Wouldn't it make more sense if, instead of everyone having to come up with different passwords for every account, every website uses a different hash? Then, matching hashes would signify nothing and hackers would not be able to infer anything from them. Ah, but that would require them to assume some responsibility for securing their site.
Yea that does exist to this day. TLS is based on public/private key exchange. The thing is keeping track of your private and public keys is not as simple as a password.
It is a tremendously hard problem to solve. The big kids Google, Microsoft, Amazon, Apple etc have all thought hard about passwords and authentication. The best they have come up with is two-factor to make up for potentially weak passwords/hacks. Not super elegant and not bulletproof. Does Jack Dorsey's Twitter Account hack mean two factor authentication is waste of time? - Thales blog It's hard to verify identity across the internet in a non-intrusive fashion. The real world still is best. It's like going to the bank and dealing with the same teller for ages. There is an implicit authentication that occurs that is very hard to seamlessly replicate on the internet.

There are devices like yubikey which add a hardware authentication to the loop. However, that has only been adopted by the few and corporate access. Not a mainstream occurrence. If you can solve the problem w/o complication you'll ride the wave to big bucks! :wav:🤑🤑🤑
 
Ok, I just got my alert. Some time ago, I decided that I have just too many accounts to have a unique password for every one. So I started using simple, disposable passwords for all those many accounts that are non-essential, or where it is just not a big deal if it got hacked. Most of these are even more simply the same password. Then I have complex, sometimes unique passwords for those sites that I consider critical. My list of password-"protected" sites numbers over 200. I suspect less than 10% of those I really care anything about. Don't take offense, but why should I care if my account on this forum is compromised? Someone's going to post something to make me look foolish? I can do that well enough myself. Money accounts, that's something else. What, really, do most passwords accomplish?
 
Yea that does exist to this day. TLS is based on public/private key exchange. The thing is keeping track of your private and public keys is not as simple as a password.
It is a tremendously hard problem to solve. The big kids Google, Microsoft, Amazon, Apple etc have all thought hard about passwords and authentication. The best they have come up with is two-factor to make up for potentially weak passwords/hacks. Not super elegant and not bulletproof. Does Jack Dorsey's Twitter Account hack mean two factor authentication is waste of time? - Thales blog It's hard to verify identity across the internet in a non-intrusive fashion. The real world still is best. It's like going to the bank and dealing with the same teller for ages. There is an implicit authentication that occurs that is very hard to seamlessly replicate on the internet.

There are devices like yubikey which add a hardware authentication to the loop. However, that has only been adopted by the few and corporate access. Not a mainstream occurrence. If you can solve the problem w/o complication you'll ride the wave to big bucks! :wav:🤑🤑🤑
Your "real world" reminds me of one of my favorites:
pharmacy clerk: Mrs. Johnson says her doctor called in a new prescription, but I can't find it.
pharmacist: It's on the computer.
clerk (after a long search): I still can't find it.
Pharmacist walks over to the computer, pulls a Post-it note off the side of the monitor; Here it is.
 
Ok, I just got my alert. Some time ago, I decided that I have just too many accounts to have a unique password for every one. So I started using simple, disposable passwords for all those many accounts that are non-essential, or where it is just not a big deal if it got hacked. Most of these are even more simply the same password. Then I have complex, sometimes unique passwords for those sites that I consider critical. My list of password-"protected" sites numbers over 200. I suspect less than 10% of those I really care anything about. Don't take offense, but why should I care if my account on this forum is compromised? Someone's going to post something to make me look foolish? I can do that well enough myself. Money accounts, that's something else. What, really, do most passwords accomplish?
That's not an unrealistic application. I have some simple ones I use for stupid internal stuff. Passwords again not a great solution.

The main reason we have the alert is for the person who uses the password for everything. Or someone with a lot of content here, that on the highly unlikely chance that some nefarious person would take time/resources to access this site, who wouldn't want it to get corrupted. Even if I think it is a great site....it probably ain't high on the target list.
 
