Make sure you sign yourself up for something like https://haveibeenpwned.com if you haven't already. Sometimes being timely in responding to leaks can make a big difference on any further leaks.
Also, LastPass uses a similar site, plus its specific knowledge of your passwords (last time it was changed), to let you know if a password has been compromised.
Not sure if 1Password does as well, but it seems like a fairly obvious feature to add.
Can't upvote hard enough. Also, it is shocking how bad security is for all these games I've played over the years. The publishers seem to be the source of the vast majority of these leaks I've been caught in.
Thankfully the notification emails from this service are prompt and helpful (not to mention totally free).
Ironically, https://haveibeenpwned.com certificate is signed by StarCom, which is the same as WoSign https://news.ycombinator.com/item?id=12411870 which means it basically trusts a known scammer to provide its security and one should not be giving this site any information you don't want to see in public.
I think it should hash entered email client-side in JS to be more trustworthy.
I am a bit worried about giving my various email addresses to some random site.
I'm not sure how much I can trust the results of a site that claims an email address I only use for one site has been breached on sites and services I've never been to. However it's calculating if what you enter into the form appears in the leaked content sure gives a lot of false positives.
Which I suppose forces more awareness, but it doesn't instill a lot of confidence.
Fun fact: Have I Been Pwned neither salts nor hashes the creds which it stores on its website, potentially making itself an interesting target for hackers[0]
Dropbox should absolutely be held to the flame for trying to downplay the severity of this. Their communication says 'This is purely a preventative measure', but if you had/have reused this password on any other sites (let's face it a huge proportion of non tech savvy people do this) then your entire online presence may be exposed.
It was pretty obvious the dropbox hack was real several years ago, because lots of spam mail started arriving at my dropbox-unique email almost immediately after the breach. I changed my email to another unique address quickly back then. Unique-per-service email addresses work pretty well as a canary for breaches. Just make sure there is more uniqueness than just the service name to such addresses, or someone could see your pattern and start spamming by guessing popular services.
> Unique-per-service email addresses work pretty well as a canary for breaches
I do this too, but it taught me everything is breached - the local ambulance service, the local computer store, the local car share, small businesses overseas that I've placed orders with.
Some of the big names don't seem to be, which is lucky because otherwise I'd be wondering if it was the ISPs that had been breached. Either large chunks of SMTP routes are breached and picking up confirmation emails, or there's a giant iceberg of pwnage floating beneath the surface out of view.
I do the unique address thing, but I also have another system for giving out temporary email addresses. If I want to hand out an email address which I know should not receive email after, say, this Saturday, I'll just give them "[email protected]" - I don't have to do anything to set that up, it will accept mail as long as the date isn't after 3rd September 2016. I blogged it up a while ago here:
> Unique-per-service email addresses work pretty well
and they're so easy with Gmail - anything following a '+' character after your username (or alias, if using your own/company domain) will go to the same box, but keep the distinct address.
Unfortunately, depressingly many sites validate email fields, and get it wrong - thinking '+' is not allowed.
IMO it's not even worth trying to get an email regex (or other validation) right - you're probably going to send out an activation email anyway!
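An added example (not code from anyone in this thread) that puts the two points above together: per-service tags derived with an HMAC so the pattern cannot be guessed from one leaked address, as the earlier comment advises, and the sign-up-form validation mistake that rejects the '+' form. The secret, user and domain values are constructed for the demo.

```python
import hashlib
import hmac
import re

# Shared secret known only to the mailbox owner (constructed demo value).
SECRET = b"constructed-demo-secret-change-me"


def make_alias(service: str, user: str = "alice", domain: str = "example.com",
               secret: bytes = SECRET) -> str:
    """Build a per-service address such as alice+dropbox.3f9a1c@example.com.

    The tag is a truncated HMAC of the service name, so a spammer who sees
    'alice+dropbox.<tag>' cannot derive 'alice+github.<tag>' by guessing."""
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:6]
    return f"{user}+{service.lower()}.{tag}@{domain}"


def identify_leak_source(address: str, secret: bytes = SECRET):
    """Given the recipient address of an incoming mail, return the service it
    was issued to, or None if the tag does not verify (forged or guessed)."""
    m = re.fullmatch(r"([^+@]+)\+([a-z0-9-]+)\.([0-9a-f]{6})@([^@]+)", address.lower())
    if not m:
        return None
    user, service, _tag, domain = m.groups()
    expected = make_alias(service, user, domain, secret)
    # compare_digest: constant time, so the tag is not leaked through timing
    if hmac.compare_digest(address.lower(), expected):
        return service
    return None


# The mistake the thread complains about: a sign-up regex that rejects '+'.
NAIVE_EMAIL_RE = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def naive_form_accepts(address: str) -> bool:
    return NAIVE_EMAIL_RE.fullmatch(address) is not None


def lenient_form_accepts(address: str) -> bool:
    """Minimal sanity check only; the activation e-mail is the real test."""
    local, sep, domain = address.rpartition("@")
    return bool(sep) and bool(local) and "." in domain and " " not in address
```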
Unique-per-service email addresses do sound interesting. How did you set it up?
I am a Google Apps customer and already have some 20 aliases in there, but having to go through their UI every time I sign up seems very tiresome.
Can I create a wildcard email, in the sense of service-*@bar.com being an alias of [email protected]?
Do you know of a non-selfhosted provider that is able to do that?
/EDIT: Looks like Fastmail, a service many on HN recommended, is able to do something similar [0], though if one address gets added to a spam list, it seems not to be possible to remove that particular one.
/EDIT2: Fastmail just confirmed to me on Twitter that it is possible to set individual addresses to rejected. Though this requires effectively creating a new alias and setting it to bounce, which falls under the account limitations [1], so 600 for a single-person account.
I do the same, but some companies don't seem to be interested. I've had two different emails linked to a magazine's website and had spam to both.
When I've contacted them about it, they've been absolutely adamant that the spammer must have (twice) guessed the exact email address that I've had there.
Yes, but at the time there was only evidence of password reuse leading to some compromised email lists... Not that password hashes themselves had been stolen. Sigh.
50% of the leaked hashes were bcrypt and the other 50% were salted SHA-1.
So, asking the HNers who crack passwords or follow the tech closely and have a good feel:
Salted SHA-1 can be brute forced much quicker, but in practical terms what kind of complexity of password is vulnerable today if it was stored as salted SHA-1 vs bcrypt?
And how can this be projected to change in the next couple of years?
I highly recommend Troy's HIBP service, hiding your e-mail from showing up in public searches (important for opsec), and donating whatever you can to Troy. He's doing excellent work. This is the first time it's notified me and it was great, because I completely forgot I signed up. I appreciate a service that's low maintenance.
HIBP is a truly essential service and I'd be happy to pay more. Even with good password discipline it's useful knowledge on your exposure and I cannot recommend it enough. He mentions it near the end but this is one of those no-brainers that should be repeated very loudly.
> As for Dropbox, they seem to have handled this really well.
I'm biased, but I can't agree with this. From what I can tell, there are two communications from Dropbox -- one in 2012 [1] and one last week [2].
In 2012 they did not disclose that hashes were stolen, so I don't see how it's really relevant. In the latest communication, they don't actually explain the risk to the user. They say it is "purely as a preventative measure" but if salts and hashes were accessed, then that is not the case.
Just because Troy doesn't have access to some of the salts, doesn't mean the attacker doesn't have access. We don't know how many iterations of SHA-1, but SHA-1 can be run by a single GPU on the order of billions of times per second. So unless Dropbox is coming out and saying they know for certain that random 128-bit salts were definitely not accessed by the attacker, almost all of the SHA1 hashed passwords are getting cracked. Users need to know their passwords are exposed, and must be reset not as a preventative measure, but because they are almost certain to be compromised.
As for the salted/bcrypt passwords, we can see from Troy's hash they used $2a$08$ which is bcrypt with a cost factor of 8 -- 2^8 iterations. Gosney's latest rig [3] could crack these bcrypt hashes at about 105,700 / 8 = 13,212 per second. That's not terrible, but that's still 416 billion tries in a year for a modest investment.
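An added example, not from the thread, that turns the figures quoted above (a salted SHA-1 rate in the billions per second, 105,700 bcrypt guesses per second at cost 5, so 13,212 at the $2a$08$ cost 8) into a rough answer to the earlier question of which password shapes are exposed under each hash. The rates and the doubling assumption are assumptions for the calculation, not measurements.

```python
SECONDS_PER_YEAR = 365 * 24 * 3600

# Guess rates quoted in the thread (assumptions about 2016 hardware, not measured here):
SHA1_PER_SEC = 5e9              # "billions per second" on one GPU for salted SHA-1
BCRYPT_COST5_PER_SEC = 105_700  # the rig figure quoted above, at bcrypt cost 5


def bcrypt_rate(cost: int, base_rate: float = BCRYPT_COST5_PER_SEC,
                base_cost: int = 5) -> float:
    """bcrypt runs 2**cost rounds, so each +1 on the cost halves the guess rate;
    the $2a$08$ hashes are cost 8, i.e. 2**3 = 8 times slower than cost 5."""
    return base_rate / 2 ** (cost - base_cost)


def guesses_per_year(rate: float) -> float:
    return rate * SECONDS_PER_YEAR


def years_to_exhaust(alphabet_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every random password of this shape against ONE
    salted hash. Salts force this work per hash; without them a single pass
    would cover the whole dump."""
    return alphabet_size ** length / guesses_per_year(rate)


def min_length_resisting(alphabet_size: int, rate: float,
                         budget_years: float = 1.0) -> int:
    """Smallest random-password length whose full keyspace takes longer than
    the budget to exhaust at the given rate."""
    length = 1
    while years_to_exhaust(alphabet_size, length, rate) <= budget_years:
        length += 1
    return length


def projected_rate(rate: float, years_ahead: float,
                   doubling_years: float = 2.0) -> float:
    """Crude projection for the 'next couple of years' question: assumes
    attacker throughput doubles every doubling_years (an assumption)."""
    return rate * 2 ** (years_ahead / doubling_years)


def compare(alphabet_size: int, length: int) -> dict:
    """Years to exhaust the space under salted SHA-1 versus bcrypt cost 8."""
    return {
        "salted_sha1": years_to_exhaust(alphabet_size, length, SHA1_PER_SEC),
        "bcrypt_cost8": years_to_exhaust(alphabet_size, length, bcrypt_rate(8)),
    }
```

For example, eight random lowercase letters fall in under a minute against salted SHA-1 but take about half a year per hash at bcrypt cost 8.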
Dropbox is about the only service I use a memorable password for, as it has my 1Password file in it, which has my Google one-time-auth codes in it. If I lose my phone while on the road, only remembering my Dropbox password is going to get me out of the mess. Any sensible other solutions here? It's still ~14 characters, but other than making it more random, what are my options?
Can someone in the know indicate how to BEST manage passwords for different services in a secure way in 2016? Should I be using password managers (à la 1Password, LastPass and others), or use something like Keychain Access on Mac OS X (what are the Windows equivalents?), anything else? It's important to note that not everyone is well-educated on the matter, despite the fact that most people on HN are technical people.
EDIT: Thanks everyone for your answers, this is a good example of the power of communities.
What really bothers me about this is that Dropbox hasn't bothered to reset the sessions. Even after I manually reset my password (which I wasn't prompted or forced to do, btw), all my apps (iPhone, desktop etc.) that have existing sessions weren't expired. So for all I know, a hacker might already have an open session to my Dropbox and changing the password will not fix that.
Clarification edit: I did receive the e-mail from Dropbox letting me know that I should change my password, but when visiting dropbox.com I was already logged in and wasn't prompted to perform the pw reset
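An added example (not Dropbox's code) of the behaviour the comment above expected: a session store that records when each bearer token was issued and revokes everything issued before the last password change, so tokens held on other devices, or by an attacker, stop working. The KDF parameters and clock handling are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    salt: bytes
    password_hash: bytes
    sessions_valid_after: float  # tokens issued before this instant are dead


def _hash_password(password: str, salt: bytes) -> bytes:
    # Slow KDF; the iteration count is a demo assumption, not a policy.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SessionStore:
    """In-memory accounts and bearer sessions. 'now' is passed in by the
    caller so the behaviour is deterministic; a real server reads the clock."""

    def __init__(self):
        self.accounts = {}   # user -> Account
        self.sessions = {}   # token -> (user, issued_at)

    def create_account(self, user: str, password: str, now: float) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(password, salt), now)

    def _check_password(self, user: str, password: str) -> bool:
        acct = self.accounts.get(user)
        if acct is None:
            return False
        return hmac.compare_digest(acct.password_hash, _hash_password(password, acct.salt))

    def _issue(self, user: str, now: float) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = (user, now)
        return token

    def login(self, user: str, password: str, now: float):
        return self._issue(user, now) if self._check_password(user, password) else None

    def is_session_valid(self, token: str) -> bool:
        entry = self.sessions.get(token)
        if entry is None:
            return False
        user, issued_at = entry
        # The check the comment above found missing: a session that predates
        # the last password change must not survive it.
        return issued_at >= self.accounts[user].sessions_valid_after

    def change_password(self, user: str, old: str, new: str, now: float):
        """Rotate the credential, revoke every existing session for the user,
        and hand the client that made the change a fresh token."""
        if not self._check_password(user, old):
            return None
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(salt, _hash_password(new, salt), now)
        # Purge eagerly as well, so the store never lists a usable old token.
        self.sessions = {t: s for t, s in self.sessions.items() if s[0] != user}
        return self._issue(user, now)
```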
How is it possible for Hashcat to crack a 20 character long random password in 6ms? That is mind boggling.
I thought he was just going to hash the password and see if it fit the leaked hash, but no, it looks like he actually did the reverse and cracked the hash to see if it fit the password, right?
Edit: oh, it looks like he provided the password to hashcat in the form of a pseudo 'dictionary' to use. So Hashcat was not really cracking it - just iterating through a 1-word dictionary - like he said.
> My wife uses a password manager. If your significant other doesn't (and I'm assuming you do by virtue of being here and being interested in security), go and get them one now! 1Password now has a subscription service for $3 a month and you get the first 6 months for free.
How about...not? There are tiny open source tools for every OS. You can do it locally, save it on a stick or on your damn phone...why take more risks, especially facing this massive fail here?
That's true, but 1P is far better than the open source options. It also has wifi sync between devices, so your vault never leaves your devices via anything but trusted, local connections, if that's what you want.
What sites does everyone have two step verification on? I'm trying to figure out where I need to setup two step verification that also accounts for a phone being stolen/lost.
Between gmail, dropbox (1password is synced here), and apple, I'm not sure where I should be enabling it. It seems like everywhere but gmail and apple is probably the right move...
Funny, I just got an email a week ago saying they had noticed my password hadn't been changed in a while (2012, which was interesting based on the article). Sounds like they knew about this and beefed up security. Or, they beefed up security on newer passwords but didn't cut over the old ones? The email did not mention any data theft; kinda wish it did. Too little, too late.
You have to wonder if all those grumbling whitehats were on to something when they said bug bounties should pay a lot more than what they do and that there IS a black market interest for them.
oxplot | 9 years ago
netule | 9 years ago
thieving_magpie | 9 years ago
rajathagasthya | 9 years ago
hatsix | 9 years ago
shostack | 9 years ago
smsm42 | 9 years ago
garaetjjte | 9 years ago
thwarted | 9 years ago
DavideNL | 9 years ago
SerialBusiness | 9 years ago
nstj | 9 years ago
[0]: http://risky.biz/RB388
achr2 | 9 years ago
gshulegaard | 9 years ago
Everything I know about it (this article included) places the Dropbox leak very low in my sense of severity.
Swizec | 9 years ago
Sure most of us have a few passwords we reuse, but I know less than 5 people with truly unique passwords.
0x0 | 9 years ago
On a side note, don't forget the time dropbox accepted ANY password during logins - http://www.cnet.com/news/dropbox-confirms-security-glitch-no...
CookieMon | 9 years ago
Sephr | 9 years ago
mike-cardwell | 9 years ago
https://grepular.com/Automatically_Expiring_Email_Addresses
lnrdgmz | 9 years ago
I've not forgotten, and this glitch has kept me from ever considering opening a Dropbox account.
I'm surprised everyone else seems so forgiving of this massive screw up.
cm2187 | 9 years ago
- Useful as a canary of which website has been breached
- Useful as a canary of which website sold your details
- and if your details are in the wild, you can stop the spam by deleting the address
Credit cards should work the same way: a unique authorization code specific to this vendor or this transaction and useless to any other actor.
Neil44 | 9 years ago
OJFord | 9 years ago
dvcrn | 9 years ago
[0]: https://www.fastmail.com/help/receive/alias-catchall.html
[1]: https://www.fastmail.com/help/account/limits.html
prof_hobart | 9 years ago
terraforming | 9 years ago
Sadly, it doesn't support 2FA.
pingec | 9 years ago
dgoldstein | 9 years ago
willvarfar | 9 years ago
jsmthrowaway | 9 years ago
https://haveibeenpwned.com
donw | 9 years ago
I recommend Authy as your 2FA app, as it lets you set a backup password, which you can use to move your 2FA tokens between devices.
For your critical services, keeping encrypted copies of your backup codes is a must.
lllorddino | 9 years ago
Don't pay for this, people. Use the open source password manager KeePass http://keepass.info/
zaroth | 9 years ago
[1] - https://blogs.dropbox.com/dropbox/2012/07/security-update-ne... [2] - https://blogs.dropbox.com/dropbox/2016/08/resetting-password... [3] - https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a27...
peteretep | 9 years ago
VeejayRampay | 9 years ago
watson | 9 years ago
randyrand | 9 years ago
sordidfellow | 9 years ago
aluhut | 9 years ago
thomasahle | 9 years ago
Because you can secure it better than them? Or because you'll be less of a target?
cel1ne | 9 years ago
10011100 | 9 years ago
rickycook | 9 years ago
maherbeg | 9 years ago
cimnine | 9 years ago
microtonal | 9 years ago
https://blogs.dropbox.com/dropbox/2012/07/security-update-ne...
chinathrow | 9 years ago
He goes on to say that 1Password has a subscription now and that you should signup for it.
No. I will never, ever put all my passwords into a cloud based password store. I simply do not trust them to not fuck it up at one point in time.
Am I alone with this view?
raverbashing | 9 years ago
Oh well, another HIBP entry with my email address...
jorblumesea | 9 years ago
update | 9 years ago