Author Topic: Check your email address(s) and passwords for cyber security breaches  (Read 12570 times)


Offline mendip_discovery

  • Frequent Contributor
  • **
  • Posts: 844
  • Country: gb
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #50 on: January 13, 2023, 07:25:38 pm »
<hat=tin_foil>
One good practice is to use different email addresses and different passwords for things. I'm getting close to using a password generator to generate really random email addresses.

My old trick was to use a name that would give me a clue as to who leaked. BinDivingAustralian@my.domain.com for this forum as an example. As a leaky site would usually mean that email getting hammered and I could block it and move on.

Not a big fan of over use of 2FA because when my mobile gets leaked that means the attackers have another vector to attack me via. Rendering 2FA redundant. I use it only on stuff I care about.

Also I wouldn't worry about the pwned site, I can vouch it's fairly safe for use.
Motorcyclist, Nerd, and I work in a Calibration Lab :-)
--
So everyone is clear, Calibration = Taking Measurement against a known source, Verification = Checking Calibration against Specification, Adjustment = Adjusting the unit to be within specifications.
 
The following users thanked this post: MK14

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #51 on: January 14, 2023, 01:24:33 am »
@Halcyon: ever feel you're p*ssing in the breeze with some of these guys?

Yes, sometimes, but I don't mind. Sometimes pissing in the wind can feel cathartic.

Like many people on this forum, my focus and energy goes into the vast majority of people who contribute positively and learn something new from others. The IT industry as a whole is so opinionated. Some people are quick to forget that there is more than one right way to do most things, but if it's not their way, it's somehow "wrong". I mostly ignore those people. Likewise people who criticise someone else's opinion without providing a proper explanation and have a lack of proper understanding of what's being discussed.

I don't mind engaging once in a while, if it means only 1 person learns something they didn't know before, then it's a win in my books.

I also don't mind being proven wrong, because it means I learned something new and am better off for it. But so far, from the loud minority, I've only received "nope you're wrong" with no in-depth analysis or substance to their argument. It always amuses me when people come at me with a counter-argument, but then want me to do their homework for them. I guess this is why flat-earthers exist?
 
The following users thanked this post: SeanB, thm_w, MK14, AndyBeez

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #52 on: January 14, 2023, 03:26:34 am »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).
 
The following users thanked this post: MK14

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #53 on: January 14, 2023, 04:30:19 am »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).

Really good advice. It's amazing how many user accounts people accumulate over the years. I did a full audit of all my accounts last year when I replaced my old KeePass database with Bitwarden. I think I ended up cancelling about 30 or so accounts that I never used (or at least sanitised them of any personal data and changed the email address to a "blackhole" Gmail account I only use for abandoned accounts).

Reputable password managers like 1Password and Bitwarden, also integrate with the HIBP API so you can check your passwords automatically against any known data disclosures. I believe Firefox and Chrome also have similar integration.
 
The following users thanked this post: SeanB, thm_w, MK14

Offline SeanB

  • Super Contributor
  • ***
  • Posts: 16283
  • Country: za
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #54 on: January 14, 2023, 07:30:11 am »
I will add that you can download the password list from HIBP, and use it locally. It is a zip file, and will take a good few minutes to extract to the massive text file. Yes I found some of my passwords in there, and did change them a while ago, but looks like with the latest LP breach I will have to do a good number of updates as well on the lot soon.
 
The following users thanked this post: Shock

Online Shock

  • Super Contributor
  • ***
  • Posts: 4216
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #55 on: January 14, 2023, 07:33:15 am »
Like many people on this forum, my focus and energy goes into the vast majority of people who contribute positively and learn something new from others. The IT industry as a whole is so opinionated. Some people are quick to forget that there is more than one right way to do most things, but if it's not their way, it's somehow "wrong". I mostly ignore those people. Likewise people who criticise someone else's opinion without providing a proper explanation and have a lack of proper understanding of what's being discussed.

I don't mind engaging once in a while, if it means only 1 person learns something they didn't know before, then it's a win in my books.

I also don't mind being proven wrong, because it means I learned something new and am better off for it. But so far, from the loud minority, I've only received "nope you're wrong" with no in-depth analysis or substance to their argument. It always amuses me when people come at me with a counter-argument, but then want me to do their homework for them. I guess this is why flat-earthers exist?

Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

The fools we are for considering the risks associated with this.

@All

As with what SeanB posted, offline searches are a way better idea. I have no problem with obfuscated or partial data matching (with caveats) but typical users aren't controlling their email domains for a catch all solution which is far more appropriate.

I also agree with what Mendip_discovery was saying, this is very accurate advice until he got to the bit about "vouching" for websites.

I think Eevblog/Dave has made good ethical choices on policy. Until as previously mentioned Halcyon advised (if he feels entitled to do so) he may submit your private credentials to an exploit data matching website (or elsewhere) without your permission. We know it was likely done under limited circumstances but still it's a concerning breach of trust and has potential legal consequences. Of course trust is the modern dilemma and many companies and governments use personal data like their own play toys these days and give zero fucks about damage caused by it.
« Last Edit: January 14, 2023, 11:20:41 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline Black Phoenix

  • Super Contributor
  • ***
  • Posts: 1129
  • Country: hk
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #56 on: January 14, 2023, 03:07:41 pm »
Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.

Although it is almost time for me to change all the passwords again for all the websites I'm registered on (and delete accounts from the ones I don't need anymore).

Really good advice. It's amazing how many user accounts people accumulate over the years. I did a full audit of all my accounts last year when I replaced my old KeePass database with Bitwarden. I think I ended up cancelling about 30 or so accounts that I never used (or at least sanitised them of any personal data and changed the email address to a "blackhole" Gmail account I only use for abandoned accounts).

Reputable password managers like 1Password and Bitwarden, also integrate with the HIBP API so you can check your passwords automatically against any known data disclosures. I believe Firefox and Chrome also have similar integration.

I'm still on the field of the Keepass. I have 3 copies of the database, one in my laptop plus one on my NAS plus one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.

Also there is only one person who knows the pass of my database other than me, in case something happens to me and it's needed to access any account for whatever purpose.
 

Online Shock

  • Super Contributor
  • ***
  • Posts: 4216
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #57 on: January 14, 2023, 09:09:14 pm »
I'm still on the field of the Keepass. I have 3 copies of the database, one in my laptop plus one on my NAS plus one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.

If you are doing this for disaster recovery purposes, keep some older backups as well as periodic copies of the installation software. Test the full software installation and recovery of an old backup on another device or vm to ensure it can be restored. It's easy to mistake backups for redundancy and vice versa.
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #58 on: January 15, 2023, 12:49:57 am »
Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.

But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset). You can test this out for yourself and see what this looks like, in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117

Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.

But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.

As someone who works in cybersecurity, it's good practice to check your passwords against existing data breaches using services like HIBP (there are others which I don't use personally so I can't recommend them). In fact, this advice is recommended by organisations such as the US National Institute of Standards and Technology (NIST) under their SP 800-63 (Identity and Access Management) framework.

Myself along with my government and non-government employees have conducted our own assessments of this service and use it regularly for both internal and external client matters.

I hope others have found this advice as useful as I have.
« Last Edit: January 15, 2023, 12:51:57 am by Halcyon »
 
The following users thanked this post: SeanB, thm_w, MK14, m k
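The two checks discussed above, SeanB's local lookup against a downloaded list and the k-anonymity range check Halcyon describes, written out as an added example for this thread (not HIBP's own client code, nor anything posted by either author). The range response and the local list below are constructed so the module runs offline; the counts in them are made up. The real API call is included but only runs if you call it yourself, and the `Add-Padding` request header it sends is the documented HIBP option that pads responses with zero-count entries.

```python
"""Client-side Pwned Passwords check: hash locally, send only a 5-hex-char
prefix, compare the returned suffixes on your own machine. Also a lookup
against a locally downloaded 'SHA1:COUNT' list. Sample data is constructed."""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

PREFIX_LEN = 5  # 5 hex chars = 20 bits; this is all the server ever sees


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Hash the password locally and split the hex digest into prefix/suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines from a range response.

    Entries with count 0 are padding (returned when the client asks for
    Add-Padding) and are dropped so they cannot be mistaken for a hit."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count or 0)
        if n > 0:
            out[suffix.upper()] = n
    return out


# Constructed sample bucket for prefix 5BAA6 (SHA-1 of "password" starts
# with it). Counts are invented; the real bucket holds hundreds of lines.
SAMPLE_RANGE = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",
        "0000000000000000000000000000000ABCD:0",   # padding entry
        "1F2AC36B0ABCDEF1234567890ABCDEF1234:7",
    ]),
}


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call, backed by the constructed sample."""
    return SAMPLE_RANGE.get(prefix, "")


def online_fetch(prefix: str) -> str:
    """Real range query (network required; not used by default)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str,
                fetch: Callable[[str], str] = offline_fetch) -> int:
    """Return how often the password appears in the dataset (0 = not found).
    Only the prefix goes to fetch(); the suffix comparison stays local."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


def pwned_count_local(password: str, lines: Iterable[str]) -> int:
    """Same check against a locally stored list of 'SHA1HASH:COUNT' lines,
    e.g. iterating over an open file handle of the downloaded list."""
    target = "".join(sha1_prefix_suffix(password))
    for line in lines:
        h, _, count = line.strip().partition(":")
        if h.upper() == target:
            return int(count or 0)
    return 0


# Constructed two-line stand-in for a downloaded list; counts are invented.
SAMPLE_LOCAL_LIST = [
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",  # sha1("password")
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:999",     # sha1("123456")
]

if __name__ == "__main__":
    for pw in ("password", "123456", "correct horse battery staple"):
        print(f"{pw!r}: api={pwned_count(pw)} "
              f"local={pwned_count_local(pw, SAMPLE_LOCAL_LIST)}")
```

To run it against the live service, pass `fetch=online_fetch` to `pwned_count`; to use a real downloaded list, pass an open file object to `pwned_count_local` instead of the sample list. Note that a hit only tells you the password is in the corpus, not which breach it came from, and a miss does not make a password strong.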

Online Shock

  • Super Contributor
  • ***
  • Posts: 4216
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #59 on: January 15, 2023, 04:26:49 am »
Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.

Disappointed with your response (relating to the points I and others have already made).
« Last Edit: January 15, 2023, 04:39:25 am by Shock »
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 

Offline m k

  • Super Contributor
  • ***
  • Posts: 2006
  • Country: fi
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #60 on: January 15, 2023, 09:12:09 am »
5 characters of HIBP against big numbers is pretty exponential.
5+5 is already 10G pieces and remaining part just few still pictures.
How long ago it was when majority of global traffic was SPAM.

For the privacy I'd say that name, address, phone number, email address, social security number, username and password hash are public information.
Private information is not shared around the globe.
Advance-Aneng-Appa-AVO-Beckman-Data Tech-Fluke-General Radio-H. W. Sullivan-Heathkit-HP-Kaise-Kyoritsu-Leeds & Northrup-Mastech-REO-Simpson-Sinclair-Tektronix-Tokyo Rikosha-Triplett-YFE
(plus lesser brands from the work shop of the world)
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #61 on: January 15, 2023, 09:49:03 am »
Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.

Disappointed with your response (relating to the points I and others have already made).

I agree, people did make valid points and I haven't disregarded them. However for the purposes of security of the forum and security of the information that you provide as part of your individual profile, I felt it more important to investigate what happened, with the tools available to me AND to report on it openly and honestly, rather than not.

Based on all the feedback and discussions both here in the thread and privately with others, I still maintain that the decisions made were the right ones. I would certainly be recommending a similar response were it to happen again. So far, no one has presented any evidence or a valid argument that any of the actions taken were risky, or exposed any user/personally identifiable data. No data was "disclosed" or stored outside of EEVblog (as previously explained).

I'm sorry that you and a small number of others were disappointed, but as far as I'm concerned the matter has been resolved with a positive outcome with no risk to the rest of the forum users. Whilst I don't like to disappoint people, the integrity of this forum and its users comes before preserving your personal feelings.
« Last Edit: January 15, 2023, 09:59:11 am by Halcyon »
 

Online magic

  • Super Contributor
  • ***
  • Posts: 6779
  • Country: pl
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #62 on: January 15, 2023, 10:07:52 am »
But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset). You can test this out for yourself and see what this looks like, in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117

Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.

But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.
Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #63 on: January 15, 2023, 10:18:36 am »
Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.

You're wrong.

The method was via the API on a known-clean forensic workstation (same process as I would undertake for clients with sensitive data, or data subject to a Government security classifications or protective markings).

The image of that particular workstation undergoes constant assessment. On top of that, we deploy the VMware Carbon Black EDR tool.

As I said, no data was put at risk. Feel free to provide any evidence to the contrary and I'll review it. As I said early on, guess-work and assumptions are not evidence.
 
The following users thanked this post: thm_w, PlainName, alexanderbrevig, AVGresponding, mendip_discovery, alexnoot

Offline madires

  • Super Contributor
  • ***
  • Posts: 7764
  • Country: de
  • A qualified hobbyist ;)
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #64 on: January 15, 2023, 12:23:45 pm »
By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns an HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset).

Such password checks give me stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phishing web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!
 
The following users thanked this post: magic

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #65 on: January 15, 2023, 12:37:26 pm »
Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.

No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.

But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.

By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash
Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #66 on: January 15, 2023, 01:51:57 pm »
Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.

You are simply wrong.
 
The following users thanked this post: SeanB

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #67 on: January 15, 2023, 02:59:28 pm »
Just the use of SHA-1, which is known to be broken for a long time, is a red flag. With 5 characters (I assume you mean bytes) you already have 25% of the entire hash that makes up your password. You might just as well send your password in plain text to the server.

Make a proof of concept script that shows the plaintext based on the first five bytes of the SHA-1 and you will be an over-night infosec celebrity. It's not doable. It's more than good enough for its use here.
No. With 25% of the hash you can limit the pool of passwords you need for a brute force attack and thus accelerate such an attack on a password. With SHA1 being broken you can accelerate the process of reversing the hash and thus reduce the computational time needed.
« Last Edit: January 15, 2023, 03:05:03 pm by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline alexanderbrevig

  • Frequent Contributor
  • **
  • Posts: 700
  • Country: no
  • Musician, developer and EE hobbyist
    • alexanderbrevig.com
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #68 on: January 15, 2023, 04:30:31 pm »
https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.

Congrats on hashing all the plausible clear texts only to guess the next 15 bytes from the numerous matches you will get from the first five.

You are still wrong.

I find it funny that people on here think they can challenge Cloudflare on security practices and implementation.
The math speaks for itself.
 
The following users thanked this post: Halcyon

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #69 on: January 15, 2023, 05:42:12 pm »
https://en.m.wikipedia.org/wiki/Avalanche_effect

Still need the entire search space for finding a collision. What's worse, you will get many collisions with no true way of knowing which is the original clear text.
You can insist I'm wrong but I'm definitely not. You are not getting the actual point I'm making here. With part of the hash you can determine offline which may be suitable passwords to try a brute force attack with. Most websites require a password that is like 6 or 8 characters long. Most of these passwords will be text (names, places, regular words, etc), maybe a special character and some numbers. This creates a rather limited pool of passwords to try but you don't know which ones to try. If you have a partial hash for the correct password, you suddenly can filter the pool of passwords to try with the ones that match the hash. So the number of passwords you have to try reduces from trillions to millions. Probably even less. From there use an algorithm that sorts the passwords in order of likelihood (maybe mix in some info that has been obtained through phishing or social engineering) and you stand a pretty good chance of using the right password after only a few tries.
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Online Shock

  • Super Contributor
  • ***
  • Posts: 4216
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #70 on: January 15, 2023, 07:56:23 pm »
Better just to change them to unique strong passwords and then check your old ones if curious.

These websites are also used by people who already have leaked data so in those cases a partial password hash and resulting full plain text data matched password could be found and used to identify them. Other submitted credentials as well as connection identifiers can further this.
Soldering/Rework: Pace ADS200, Pace MBT350
Multimeters: Fluke 189, 87V, 117, 112   >>> WANTED STUFF <<<
Oszilloskopen: Lecroy 9314, Phillips PM3065, Tektronix 2215a, 314
 
The following users thanked this post: spostma

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #71 on: January 16, 2023, 12:48:50 am »
Such password checks give me stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phising web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!

I completely understand your hesitation. I do agree with you, it kind of goes against everything we've been taught about "not putting your passwords out there". I felt the same way many years ago when HIBP was launched.

However the service itself has been vetted time and time again by people (and governments) much smarter than me. As I mentioned before, even NIST recommend you check your passwords against known data leaks. Few users have the resources, knowledge or time to do such things with completely offline password lists. This is why simple, yet effective services like this exist and it's why they are being integrated into several reputable password managers and web browsers.

Cybersecurity is constantly changing as new threats emerge, technology changes and threat actors get more sophisticated and sneaky. Users should stay up-to-date as well so they can better protect themselves. Remember when the advice was that a long, complex (and unmemorable) password was the recommendation? Whilst that's still true today, passphrases have emerged as a "just as good, if not better" alternative (if implemented properly, such as not using song lyrics that could easily be brute forced). Some people criticised passphrases because they appeared "too simple", but when you look into it further and do the maths, it actually makes sense.

I constantly see people making the mistake of "but this is the way we've always done it", time and time again and in some cases this can lead to disaster. I could tell you some stories from work about companies being breached and having sensitive data stolen because of this mentality. At the end of the day, whether you're an expert in a given field or an end-user, you should be prepared to adapt, otherwise you'll be left behind in the dark ages.
« Last Edit: January 16, 2023, 12:50:23 pm by Halcyon »
 
The following users thanked this post: SeanB

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #72 on: January 21, 2023, 12:54:10 am »
Just for anyone following along at home, it looks like these kinds of credential stuffing attacks (as we've seen here on this forum) are on the increase. Paypal just suffered some unauthorised access to a "handful" of user accounts: https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/

Since the original post was made here, we've seen another 2 or 3 accounts compromised on the forum, again, all being subject to data breaches in the past. Moderators have taken steps to secure those accounts.
 
The following users thanked this post: thm_w, MK14

Offline nctnico

  • Super Contributor
  • ***
  • Posts: 26906
  • Country: nl
    • NCT Developments
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #73 on: January 21, 2023, 01:01:54 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway? In fact, it would be better if many of such websites just send you a link through email when you login instead of needing yet another password. The whole concept of login/password has been outdated for a while.

Things are different of course for websites like Paypal where you can do financial transactions and so on.
« Last Edit: January 21, 2023, 01:07:18 am by nctnico »
There are small lies, big lies and then there is what is on the screen of your oscilloscope.
 

Offline HalcyonTopic starter

  • Global Moderator
  • *****
  • Posts: 5679
  • Country: au
Re: Check your email address(s) and passwords for cyber security breaches
« Reply #74 on: January 21, 2023, 01:04:27 am »
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can login into a webshop without being able to make a payment anyway? In fact, it would be better if many of such websites just send you a link through email when you login instead of needing yet another password.

Things are different of course for websites like Paypal where you can do financial transactions and so on.

The problem is, "unimportant" websites, like forums etc... form part of the low-hanging fruit attackers love and that comes down to people being lazy, re-using the same email addresses and/or passwords for more important services.

I guess this forum is probably a little bit outside the norm as we have a large group of highly technical people who use their own domains and unique email addresses for different services, but the general population isn't like that. Most people have 1 email address for everything.
 
The following users thanked this post: SeanB, MK14

