Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.
And yet they get pwned so easily.
So much effort into violating user privacy, so little effort into enforcing user security.
and receive no meaningful legal consequences. These people should be on the hook for all damage done with this dump, but they won't be, so it doesn't really matter. It's not ironic, it's just business as usual.
Collecting data on users should be extremely risky, even if they consent to its collection.
Troy won’t store the passwords associated with the username, which is a choice I can absolutely respect.
But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.
So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.
I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.
I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.
He has the "Pwned Password" search to allow you to narrow it down and he has a really good article that he links to explaining why despite its inconvenience.
If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.
At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice, which is his primary occupation.
If you're as paranoid as you should be, you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you can replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1s that start with the given 5-character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.
For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".
---------
Edit: I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.
The slightly annoying thing here is that I already use a password manager, so while the impact to me is minimal, I wish I knew which password specifically I have to rotate, instead of assuming that I need to rotate, like, all of them...
> So I guess just assume all your passwords are cracked and use a password manager.
I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.
Troy's site does indicate which site breach it came from generally. I ran my emails and found it funny when myspace came up (and others I was aware of). I guess I did have an account there after all but I've used password safe for over a decade and always have unique passwords including that one from 2007.
I took up the habit of giving a unique random alias to every website or service that requires my email. The additional benefit is that I can single out where the breach (or spam) came from if I see that unique alias. I only started doing that about 3-4 years ago and so far only the dailymotion breach popped up.
You can also do that with gmail by using the [email protected] syntax but it's well known and trivial for a hacker to defeat.
> So I guess just assume all your passwords are cracked and use a password manager.
Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.
I know which passwords were breached by all the emails I get telling me "we know your password is XXXXXXXXX. Pay up or else". There are 4 or 5 in the first 30 messages in my email spam folder. >:(
> Collection #1 is a set of email addresses and passwords totalling 2,692,818,238 rows. It's made up of many different individual data breaches from literally thousands of different sources. (And yes, fellow techies, that's a sizeable amount more than a 32-bit integer can hold.)
I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.
From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.
Someone from a well-known leak forum is claiming that the "Collection #1" discovered by Troy Hunt is only part #1 of all available collections (there are at least 5, and additional other dumps).
He also posted a screenshot of the original sales thread of the owner.
The dumps together seem to have a total size of almost 1TB.
Not sure whether it's cool to post any links here.
What's the latest consensus on the best password manager these days? I see he is recommending 1Password, but I recently found Bitwarden, which looks quite good.
Bitwarden (https://bitwarden.com/) is great and scores well in feature comparisons -- there was one on here recently. It's open source and has recently been audited too. It's free for the basic service, and really cheap for additional features. Great mobile apps and a web vault. And you can self-host. No bad points really.
- long history - to me it's the original password manager
- frequent updates and always keeping up with relevant OS features, like iOS AutoFill which allows 1Password to be set as the default iOS password store: https://support.1password.com/ios-autofill/
There is the rumor that it is called Collection #1 because it was part of a larger dump consisting of Collection #1, Collection #2, etc. There is also the rumor that the whole set was sold for - now hold on tight - the ginormous sum of $45.
Let's say my email appeared on the Pwned list. And given that most (at least I think most) people have zillions of web forums, services and sites using the email address.
What should you do now? I mean editing and changing the password in every one of them seems like a daunting task. And many of those services I no longer use anyway.
I am thinking of completely giving up the identity and start over, which seems easier. Or any other thoughts and comments?
Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have an online identity using email along with Face ID or Touch ID as 2FA. Getting rid of passwords while increasing security is something that should have happened but has yet to happen.
Got a few 'hacker' emails on one of my throwaway addresses on this list the last few days. That account was leaked before in another list so this was not worrisome as I get those all the time for this address.
What did strike me as odd this time is that they did not end up in my spam folder but in my inbox. I'm using Gmail, which normally for me has very good spam/phishing detection. Somehow these mails came through though? Maybe it's just an instance and Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?
Oh, it must be Tuesday. I've just updated my blog post[0] with some password best practices and it's amazing how little has changed in the last 4 years.
Funny, I downloaded about 700GB of password dumps last week trying to figure out how someone got one of my passwords (no big deal, they never managed to access anything).
HIBP doesn't protect the privacy of searched passwords!
Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.
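As an added example (not code from the thread or from HIBP), here are both checks discussed above in one script: the k-anonymity range lookup, where only the 5-character (20-bit) SHA-1 prefix leaves the machine, and the fully local check against the downloaded hash list. Only the public URL shape and the `hash:count` line formats are assumed; the sample API body, the second suffix and the counts are constructed.

```python
"""Pwned Passwords check two ways: k-anonymity range query and fully offline.
Added example, not code from the thread. Assumed public formats: the range API
https://api.pwnedpasswords.com/range/<5 hex chars> answers "<35-hex-suffix>:<count>"
lines; the downloadable list is "<40-hex-sha1>:<count>" lines. Samples are constructed."""
import hashlib
from typing import Dict, Iterable, Tuple
from urllib.request import urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char (20-bit) prefix that is
    sent to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_hash_counts(lines: Iterable[str]) -> Dict[str, int]:
    """Parse 'HEX:COUNT' lines (range response or offline list) into a dict."""
    counts: Dict[str, int] = {}
    for line in lines:
        hex_part, sep, count = line.strip().partition(":")
        if sep:  # skip blank or malformed lines
            counts[hex_part.upper()] = int(count)
    return counts

def breach_count_from_range(password: str, range_body: str) -> int:
    """Breach count given the API body for the password's prefix; 0 means the
    full hash is not among the ~2**20 candidates sharing that prefix."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_hash_counts(range_body.splitlines()).get(suffix, 0)

def breach_count_offline(password: str, offline_lines: Iterable[str]) -> int:
    """Same decision against the downloaded list; nothing is sent anywhere."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_hash_counts(offline_lines).get(prefix + suffix, 0)

def fetch_range(prefix: str) -> str:
    """Live query: only the 5-char prefix goes over the wire (unused below)."""
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed sample data: the suffix/hash of "Passw0rd" is computed here
# rather than hard-coded; the other suffix and both counts are made up.
_PFX, _SFX = sha1_prefix_suffix("Passw0rd")
SAMPLE_RANGE_BODY = f"0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n{_SFX}:52579\r\n"
SAMPLE_OFFLINE_LINES = [f"{_PFX}{_SFX}:52579"]
```

To run it for real, pass `fetch_range(prefix)` as the body instead of the constructed sample, or point `breach_count_offline` at the downloaded list opened as a file.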
durub | 7 years ago
This post looks almost like an ad. I hope, then, you are putting effort into "enforcing user security".
alexgmcm | 7 years ago
I just can't imagine how you can reliably track a user's eye gaze without a webcam - is it just some snake oil pretending to solve everything with AI?
hsbaut76 | 7 years ago
Sounds synonymous with "scum bag" to me, priansch.
NoPicklez | 7 years ago
Too risky.
x0x0 | 7 years ago
I know because every time I register for a site I use [email protected] as my email.
Darkstryder | 7 years ago
HIBP is quickly becoming a critical piece of the Internet security infrastructure, and Troy should be lauded for undertaking it basically by himself.
twic | 7 years ago
[1] I lied, I love being that guy.
stevekemp | 7 years ago
But as far as I can see it is gibberish spam mails. I see 500+ entries such as:
i.e. none of these emails at my domain are real, nor have they ever been real. That said, if you allow password-based authentication on a server which is shared you might consider using my PAM module:
https://github.com/skx/pam_pwnd
It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.
Fudgel | 7 years ago
I'm gonna download the passwords offline and try this plugin: https://github.com/mihaifm/HIBPOfflineCheck
(you can grab the offline passwords from here: https://haveibeenpwned.com/Passwords )
thirdsun | 7 years ago
- flawless experience
jenscow | 7 years ago
It's better than using the same password.
randomthought12 | 7 years ago
All my passwords are randomly generated so they are different for all websites.
csbartus | 7 years ago
I’ve checked again if I was pwned and at the top there is a service I’ve never signed up for - Apollo, a sales acceleration platform.
I’m a simple dev and never subscribed to a sales service ....
darekkay | 7 years ago
[0] https://darekkay.com/blog/another-password-leak-oh-must-tues...
mpeg | 7 years ago
Maybe it was this one.
eitland | 7 years ago
... but with a non-trivial risk of someone else locking you out from your own account.