Check your email address(es) and passwords for cyber security breaches
alexanderbrevig:
Come on people!...
--- Quote from: jpanhalt on January 12, 2023, 10:26:06 pm ---Call me gullible? I checked my email address shortly after reading Halcyon's post. I assumed he had thoroughly vetted it. Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
--- End quote ---
https://en.wikipedia.org/wiki/Apophenia
--- Quote from: madires on January 12, 2023, 10:28:30 pm ---Searching the HIBP database for matches of your email address is fine, but I wouldn't use my passwords as search key.
--- End quote ---
The password is not the search key. The first five characters of the sha1 of the password is.
--- Quote from: madires on January 12, 2023, 10:28:30 pm ---BTW, SHA1 is a bit outdated and shouldn't be used anymore.
--- End quote ---
It's perfectly fine to use! Just don't use it to encrypt passwords in its entirety and expect it to be safe. Here it's used and then stripped to the first five characters. There is no way to retrieve anything compromising from that.
Perfectly usable for https://en.wikipedia.org/wiki/K-anonymity
--- Quote from: madires on January 12, 2023, 10:28:30 pm ---And just because it happens all the time I strongly recommend to use different passwords for each service/website, or if supported hardware tokens.
--- End quote ---
Yes! I take it for granted that we use different passwords for different services in 2023. :) Wholeheartedly agree :-+
madires:
--- Quote from: jpanhalt on January 12, 2023, 10:26:06 pm ---Call me gullible? I checked my email address shortly after reading Halcyon's post. I assumed he had thoroughly vetted it. Then a little bit ago I got this spam email from: mailto:recruitilluminatii@gmail.com
--- End quote ---
If you tell someone your email address you have to consider it being published. Some people use this as a feature and create a different email address for each website/shop/whatever and see which ones get SPAM. Then they know who has a data breach issue.
Halcyon:
--- Quote from: JohanH on January 12, 2023, 01:08:01 pm ---I don't know what to say, but RoGeorge got practically everything wrong in his post here... (at least if nothing was edited away in Halcyon's post, because the answer doesn't make sense).
--- End quote ---
Exactly.
RoGeorge: With all due respect, you have no idea what you're talking about. Secondly, your email address wasn't checked (I'll leave that up to you), only the compromised accounts were (those addresses have already been leaked and are out in the wild). Unless you choose to sign up to the "notification" service on HIBP, email addresses are not stored anywhere.
--- Quote from: jpanhalt on January 12, 2023, 10:26:06 pm ---Safe? Rarely, very rarely do I get such emails because I am very stingy about giving out my address. Coincidence or ploy? Maybe Halcyon will address what he did to vett the site.
--- End quote ---
Coincidence. Spam and fraudulent calls and SMSes have only increased over the last few years. I now get spam emails to my personal email address (which isn't published anywhere), which I can only assume is a complete accident/guess by throwing names at my domain name. Same with my mobile: previously I might get 3 or 4 dodgy messages per year, that's now up to about 3 to 4 per month, and again my number is rarely disclosed outside Government organisations.
Submitting passwords for checking against known-breached passwords, as others have pointed out, is done by using part of the SHA-1 hash, not the actual password itself. Furthermore email addresses/account information are not stored together with the password. If your email comes back on HIBP as being breached, it's already out there, available in a list for anyone to download (along with who knows what other information), but it's still not perfect. Not every breach is made public in this way and it's possible that your email address has been sourced from somewhere and sold to spammers/scammers. There is plenty of information here about the use of SHA-1 https://www.troyhunt.com/understanding-have-i-been-pwneds-use-of-sha-1-and-k-anonymity/
Some of the governments using this service include New Zealand, Canada, Finland, Switzerland, and of course some government and cybersecurity agencies in Australia.
At the end of the day, I don't expect anyone to blindly trust what I, or anyone else on this forum says. Do your own homework and come to your own conclusions. If I have said something incorrect, I stand to be corrected provided you can prove to me what I was saying was wrong. Guesswork and assumptions are not forms of proof.
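The prefix scheme alexanderbrevig and Halcyon describe above (client hashes the password with SHA-1, sends only the first five hex characters, and does the suffix comparison locally) is easy to show end to end. The following is an added example written for this thread, not code from HIBP or from either poster. The breached-password corpus is a constructed toy list, and FakeRangeServer is a stand-in for the real GET https://api.pwnedpasswords.com/range/{prefix} endpoint that records which prefixes it was asked for, so you can see exactly what leaves the client.

```python
"""k-anonymity range query in the style of HIBP Pwned Passwords (added example)."""
import hashlib
import re

# Constructed toy corpus standing in for the server's list of breached passwords.
# "password" appears twice so the lookup returns a count greater than one.
BREACHED_PASSWORDS = ["password", "password", "123456", "letmein", "qwerty"]

PREFIX_LEN = 5  # hex characters sent to the server: 20 bits of a 160-bit digest


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Server side: group hash suffixes by their 5-char prefix, with counts."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


class FakeRangeServer:
    """Simulation (not the real service) of the /range/{prefix} endpoint.

    Every prefix it is asked for is recorded in requests_seen, which is all
    the server ever learns about the password being checked.
    """

    def __init__(self, passwords):
        self.index = build_range_index(passwords)
        self.requests_seen = []

    def range(self, prefix: str) -> str:
        if not re.fullmatch(r"[0-9A-F]{5}", prefix):
            raise ValueError("prefix must be 5 uppercase hex characters")
        self.requests_seen.append(prefix)
        bucket = self.index.get(prefix, {})
        # Real responses are "SUFFIX:COUNT" lines, one per hash in the range.
        return "\n".join(f"{sfx}:{cnt}" for sfx, cnt in sorted(bucket.items()))


def check_password(password: str, fetch_range) -> int:
    """Client side: hash locally, send only the prefix, compare suffixes locally.

    Returns how often the password appears in the corpus (0 if never seen).
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in fetch_range(prefix).splitlines():
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def prefix_search_space_bits() -> int:
    """Bits of the SHA-1 digest that never leave the client."""
    return 160 - PREFIX_LEN * 4


if __name__ == "__main__":
    server = FakeRangeServer(BREACHED_PASSWORDS)
    for pw in ["password", "letmein", "correct horse battery staple"]:
        print(f"{pw!r}: seen {check_password(pw, server.range)} time(s)")
    print("server saw only these prefixes:", server.requests_seen)
    print(f"{prefix_search_space_bits()} bits of each hash stay on the client")
```

Note that the server learns a 5-character prefix and nothing else; 140 bits of the digest, and the password itself, never leave the client, which is the point of the k-anonymity argument. The real API also accepts an Add-Padding header that pads responses to a similar size so the count of returned lines does not leak which range was queried; the simulation above does not model that.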
jpanhalt:
Not all of us are as savvy as you and a few others are about such spoofs. Nor do I intend to become that savvy. If the site you presented as safe is not safe, then that assertion needs to be corrected. Fact is, I have rarely gotten such clearly dangerous emails. The temporal relation to "checking" as you suggest cannot be ignored. Whether that is important to Dave is his choice. My decision has already been made. The link you provided has been deleted and my trust in you has been affected. Not that any of that matters to a site this size.
james_s:
--- Quote from: SiliconWizard on January 12, 2023, 09:12:11 pm ---Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD
--- End quote ---
What are they going to do with it? Knowing a password is useless if you don't know what it's the password to. If you search for it and it comes up in a database of known leaked passwords then you already know that it's in a database that likely includes associated usernames.