Why did you censor yourself in the title?
Probably because they primarily live in a censorship world, be it digital or in-person, and change is difficult for most people.
No one gave you the memo?
What ******* memo?
This is why my password is hunter2; no one can see what it says under the asterisks.
For me, if this happens, it has no impact since almost every page I sign up to has a unique password. The most important ones have MFA as well.
Use a password manager. Simple.
Same, but I do have some level of worry regarding portability. My solution isn't local or self hosted, as I was looking for easy and works across Linux/Windows/Mac/Android/iOS. I do not look forward to needing to change to a new password manager in the future, but given the way everything seems to be going it seems likely that I'll have to at some point.
KeePass and syncthing. I use Keepass2 on a Linux desktop and laptop, KeePassDX on Android, and use syncthing to keep everything synchronized and up to date, also using an old raspberry pi to act as a central server for syncthing.
Modifying the database on one device seamlessly updates the other devices once they're visible on the network, everything works beautifully and is very easy to set up on a local network.
Pretty much default configuration all the way around, just gotta make sure syncthing starts on boot. Just did a brief search: syncthing seems to have a macOS fork, and iOS will need Möbius Sync, which is paid, but the free tier offers 20MB storage sync, which is overkill for KeePass.
Apparently my email was included in this breach, but none of the passwords I used with it were (before I started using randomly generated ones).
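Checking whether a given password shows up in the aggregated data is what the commenter above did. The k-anonymity range lookup that Have I Been Pwned's Pwned Passwords service exposes is worth seeing in code, because it lets you do that check without ever sending the password or its full hash off the machine. The block below is an added example, not code from the page, the commenters or HIBP; the range endpoint URL and the `Add-Padding` header are the publicly documented ones, the `fake_fetch_range` stand-in and the suffix counts in `CONSTRUCTED_RANGES` are constructed here so the example runs offline, and `fetch_range_live` is the only part that touches the network.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Public Pwned Passwords range endpoint; only the 5-hex-char SHA-1 prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the service indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Split the digest into the 5-char prefix that leaves the machine and the
    35-char suffix that is matched locally against the returned range."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.
    Malformed rows are skipped rather than aborting the whole check;
    padding rows (count 0) are kept and simply never count as a hit."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep != ":" or not count.strip().isdigit():
            continue
        counts[suffix.strip().upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus, 0 if not found.
    fetch_range is injected so the same logic runs against the live service
    or against a constructed response."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch; not exercised by the offline demo below.
    Add-Padding asks the service to pad the response so its size does not
    leak how populated the prefix bucket is."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "hibp-range-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for a range response (counts and the other suffixes are
# made up here; only the second suffix is the real SHA-1 tail of "password").
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join(
        [
            "00283A8C9DFB2DA4DD42FD6D6C33DA5CE0B:3",
            "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
            "2F7C0B6E4F1D9A8B5C3E2D1F0A9B8C7D6E5:0",
            "this line is deliberately malformed",
        ]
    ),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline replacement for fetch_range_live."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple Zq9"):
        n = pwned_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: seen {n} times in the (constructed) corpus")
```

Swap `fake_fetch_range` for `fetch_range_live` to query the real service; the privacy property is the same either way, since the full hash never leaves `pwned_count`.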
Comprised of email addresses and passwords from previous data breaches,
So these are previously “hacked” data, and now the aggregator has been hacked?
As someone who consults in the IT security space, it's bad out there. Contractors and BYOD companies are downright sheepish in asking their outsourced employees to do anything security-related to their devices. The biggest attack vector is allowed unfettered remote access (and therefore the whole company and any bad actors are also granted unfettered remote access).
I still can't get over how quickly companies-at-large have abandoned VPN Servers (removing network trust from the list of options as well)
I'm down to managed browsers via IdP, and I just can't wait for the objections to that as well. People out here offering their faces to leopards. Certificate-based MFA on all the things IMO; passwords shouldn't matter (but six-digit MFA codes aren't immune to fake landing pages and siphoned MFA tokens that don't expire).
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
I was thinking about this earlier. The password manager browser plugin I use (Proton Pass) defaults to staying unlocked for the entire browser session. If someone physically gained access to my PC while my password manager was unlocked, they'd be able to access absolutely every password I have. I changed the behavior to auto-lock and ask for a 6-digit PIN, but I'm guessing it wouldn't take an impractical amount of time to brute-force a 6-digit PIN.
Before I started using a password manager, I'd use maybe 3-4 passwords for different "risks" (bank, email, shopping, stupid shit that made me sign up, etc.). Not really sure if a password manager is better (guess it depends on the "threat" you're worried about).
Edit: Also on my phone, it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff (or can unlock with fingerprints they have on file).
If someone can gain physical access to your PC you are done anyway; he can simply copy the file or do whatever he wants.
Yes, it is better. The likelihood that someone will physically access your device is incredibly low, the likelihood that one of the services in your bucket gets leaked and jeopardizes your other accounts is way higher.
I set mine to require my password after a period of time on certain devices (the ones I'm likely to lose), and all of them require it when restarting the browser.
it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff
True, but it's also highly unlikely that LE will steal your passwords.
My phone requires a PIN after X hours or after a few failed fingerprint attempts, and it's easy to fail without being sus. In my country, I cannot be forced to reveal a PIN. If I travel to a sketchy country or something, I switch it to a password unlock.
And an email alias.
I hate how many places don't allow for + aliases. I want to know who leaked my email.
+ aliases are convenience aliases only. They are often stripped from ID datasets. Better to use a real alias.
At the same time, it is trivially easy to strip a + alias, so I'd not trust it to do anything much at all.
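The point made in the last two comments, that a `+tag` is trivially stripped while a standalone alias is not, is easy to see in code. The block below is an added example, not code from the page or any commenter: `normalize_email` is the one-liner normalization a leak aggregator or spammer would apply (plus Gmail-style dot folding, which I assume for the two domains listed), and `attribute_leak` then shows which of your addresses in a leaked list can still be traced back to the service you gave them to. The alias domains, service names and the leaked list are all constructed for the demo.

```python
from __future__ import annotations

# Providers assumed here to ignore dots in the local part (illustrative list).
DOT_INSENSITIVE_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr: str) -> str:
    """Collapse an address the way an aggregator would: lower-case, drop the
    '+tag' sub-address, and fold dots for providers that ignore them."""
    local, at, domain = addr.strip().lower().rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    local = local.split("+", 1)[0]           # me+shop -> me
    if domain in DOT_INSENSITIVE_DOMAINS:
        local = local.replace(".", "")        # j.smith -> jsmith
    return f"{local}@{domain}"


def attribute_leak(leaked: list[str], my_aliases: dict[str, str]) -> dict[str, str | None]:
    """For each leaked address that belongs to me, report the service it was
    handed to. my_aliases maps the exact address given out -> service name.
    Value is the service when the address leaked intact, None when only a
    stripped form appears (attribution lost), and addresses that are not
    mine are omitted. Malformed rows in the dump are skipped."""
    exact = {a.strip().lower(): service for a, service in my_aliases.items()}
    stripped = {normalize_email(a) for a in my_aliases}
    result: dict[str, str | None] = {}
    for addr in leaked:
        key = addr.strip().lower()
        if key in exact:
            result[addr] = exact[key]
            continue
        try:
            if normalize_email(key) in stripped:
                result[addr] = None
        except ValueError:
            continue
    return result


# Constructed: what I handed out, and a constructed excerpt of a leaked list.
MY_ALIASES = {
    "me+shop@example.com": "shop",                # +tag on my real mailbox
    "me+forum@example.com": "forum",
    "a7f3kq@aliasdomain.example": "bank",         # standalone alias, nothing to strip
}
CONSTRUCTED_LEAK = [
    "me+shop@example.com",                        # tag survived: attributable
    "me@example.com",                             # tag stripped: was it shop or forum?
    "Me+Forum@Example.com",                       # case differs, still attributable
    "a7f3kq@aliasdomain.example",                 # alias leaked intact
    "someone.else@example.org",                   # not mine
    "garbage",                                    # malformed row
]


if __name__ == "__main__":
    for addr, service in attribute_leak(CONSTRUCTED_LEAK, MY_ALIASES).items():
        print(f"{addr:32} -> {service or 'attribution lost (tag stripped)'}")
```

The stripped `me@example.com` row is the failure mode the comments describe: once the tag is gone you know the mailbox leaked, but not through which service. The standalone alias carries no structure to strip, so it stays attributable.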
No + required. There are hundreds of companies offering aliases using their shared domain. You can also just generate a temporary email address if you don't require any ongoing communication and the account is not super important.
Let's make a master list of all the emails leaked with their passwords, what could go wrong?
That’s not how it works
It's exactly how it worked. A company called Synthient made a master list with all the leaked emails + all leaked passwords. Then they were hacked and it leaked.
Synthient wasn't hacked; as a security company, they aggregated tons of stealer logs dumped to social media, Telegram, etc.
They found 8% of the data collected was not in the HIBP database, confirmed with some of the legitimate owners that the data was real.
They then took that research and shared it with HIBP which is the correct thing to do.
I was also thrown off by the title they gave it when I first saw it; a security company being hacked would be a terrible look. But they explain it in the article. Should probably have named it "list aggregation" or something.
So why does HIBP call them a data breach??? Ultra misleading, almost defamation; everyone, including me, only reads the headlines.
Someone should make a list of all the leaked credentials that got leaked.
But then nothing has changed if they were just collating what was already leaked.