Check your email address(s) and passwords for cyber security breaches
Shock:
--- Quote from: Halcyon on January 14, 2023, 01:24:33 am ---Like many people on this forum, my focus and energy goes into the vast majority of people who contribute positively and learn something new from others. The IT industry as a whole is so opinionated. Some people are quick to forget that there is more than one right way to do most things, but if it's not their way, it's somehow "wrong". I mostly ignore those people. Likewise people who criticise someone else's opinion without providing a proper explanation and have a lack of proper understanding of what's being discussed.
I don't mind engaging once in a while, if it means only 1 person learns something they didn't know before, then it's a win in my books.
I also don't mind being proven wrong, because it means I learned something new and am better off for it. But so far, from the loud minority, I've only received "nope you're wrong" with no in-depth analysis or substance to their argument. It always amuses me when people come at me with a counter-argument, but then want me to do their homework for them. I guess this is why flat-earthers exist?
--- End quote ---
Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.
The fools we are for considering the risks associated with this.
@All
As with what SeanB posted, offline searches are a way better idea. I have no problem with obfuscated or partial data matching (with caveats), but typical users aren't controlling their email domains for a catch-all solution, which is far more appropriate.
I also agree with what Mendip_discovery was saying, this is very accurate advice until he got to the bit about "vouching" for websites.
I think Eevblog/Dave has made good ethical choices on policy. Until as previously mentioned Halcyon advised (if he feels entitled to do so) he may submit your private credentials to an exploit data matching website (or elsewhere) without your permission. We know it was likely done under limited circumstances but still it's a concerning breach of trust and has potential legal consequences. Of course trust is the modern dilemma and many companies and governments use personal data like their own play toys these days and give zero fucks about damage caused by it.
Black Phoenix:
--- Quote from: Halcyon on January 14, 2023, 04:30:19 am ---
--- Quote from: Black Phoenix on January 14, 2023, 03:26:34 am ---Halcyon, thank you for the warning. My email was leaked in one of the data breaches of a Manga Website, Mangadex but I use a different password for each website, and that one was already replaced by a different one that is also not reused.
Although is almost time for me to change all the passwords again for all the websites I'm registered (and delete accounts from the ones I don't need anymore).
--- End quote ---
Really good advice. It's amazing how many user accounts people accumulate over the years. I did a full audit of all my accounts last year when I replaced my old KeePass database with Bitwarden. I think I ended up cancelling about 30 or so accounts that I never used (or at least sanitised them of any personal data and changed the email address to a "blackhole" Gmail account I only use for abandoned accounts).
Reputable password managers like 1Password and Bitwarden, also integrate with the HIBP API so you can check your passwords automatically against any known data disclosures. I believe Firefox and Chrome also have similar integration.
--- End quote ---
I'm still on the side of KeePass. I have 3 copies of the database, one on my laptop plus one on my NAS plus one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.
Also there is only one person who knows the pass of my database other than me, in case something happens to me and it's needed to access any account for whatever purpose.
Shock:
--- Quote from: Black Phoenix on January 14, 2023, 03:07:41 pm ---I'm still on the field of the Keepass. I have 3 copies of the database, one in my laptop plus one on my NAS plus one offsite. When I make changes in one, I sync with the other 2, so they are always up to date.
--- End quote ---
If you are doing this for disaster recovery purposes, keep some older backups as well as periodic copies of the installation software. Test the full software installation and recovery of an old backup on another device or vm to ensure it can be restored. It's easy to mistake backups for redundancy and vice versa.
Halcyon:
--- Quote from: Shock on January 14, 2023, 07:33:15 am ---Well some of us don't inherently trust websites enough to direct 60,000 users or their companies clients to them. Entering private authentication and recovery credentials which if monitored/misused may grant access to sensitive data, intellectual property. Then there is potential liability if they are not the full owner of the credentials or it results in further attacks or loss.
--- End quote ---
No one is talking about inherently trusting websites (such as HIBP), in fact, I explicitly said that you shouldn't just take my word and experience as the complete truth without doing your own research.
But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.
By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns a HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times each password hash appears in the dataset). You can test this out for yourself and see what this looks like; in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117
Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.
But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.
As someone who works in cybersecurity, it's good practice to check your passwords against existing data breaches using services like HIBP (there are others which I don't use personally so I can't recommend them). In fact, this advice is recommended by organisations such as the US National Institute of Standards and Technology (NIST) under their SP 800-63 (Identity and Access Management) framework.
Myself along with my government and non-government employees have conducted our own assessments of this service and use it regularly for both internal and external client matters.
I hope others have found this advice as useful as I have.
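The range query described in the post above, as an added worked example that is not part of the original post and is not HIBP's own client code. It shows the client side of the k-anonymity scheme: hash locally, send only the 5-character prefix, and compare the returned suffixes on your own machine. The range response embedded below is constructed for the example (the prefix 5BAA6 is the start of SHA-1("password"); the counts and the other suffixes are made up), so it runs offline; the live fetcher at the end is included only to show what the real request looks like and is never called here.

```python
import hashlib
import urllib.request  # used only by the optional live lookup at the end


# Constructed stand-in for the body of GET /range/5BAA6 (NOT real HIBP data).
# Each line is the remaining 35 hex characters of a SHA-1 hash, a colon, and the
# number of times that hash appeared in the breach corpus. When padding is
# requested from the API, filler entries are returned with a count of 0.
SAMPLE_RANGE_RESPONSE = (
    "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n"
    "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"  # suffix of SHA-1("password")
    "1F3AB0C2D4E5F60718293A4B5C6D7E8F901:0\r\n"        # padding-style entry
)


def split_sha1(password: str) -> tuple[str, str]:
    """Hash the password locally and split the uppercase hex digest into the
    5-character prefix that is sent and the 35-character suffix that is not."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a {suffix: count} table.
    Blank lines are skipped; suffixes are normalised to uppercase."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def sample_range(prefix: str) -> str:
    """Offline stand-in for the API: only knows the constructed 5BAA6 range."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range=sample_range) -> int:
    """Return how many times the password appears in the corpus (0 = not seen).

    fetch_range is a callable mapping a 5-char prefix to the response body, so
    the same logic works against the constructed sample or the live service.
    A padding entry (count 0) is indistinguishable from 'not found' here, which
    is the correct outcome for the caller.
    """
    prefix, suffix = split_sha1(password)
    body = fetch_range(prefix)  # only these 5 hex characters leave the machine
    return parse_range_response(body).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real request against api.pwnedpasswords.com (not used in this example).
    The endpoint expects a User-Agent header; the value below is an assumption."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for candidate in ("password", "a-passphrase-nobody-has-seen"):
        print(candidate, "->", breach_count(candidate))
    # To query the real service instead: breach_count("password", fetch_range_live)
```

Swapping `sample_range` for `fetch_range_live` is the only change needed to run it for real; everything else, including the suffix comparison, stays on the client. Treat any non-zero count as "do not use this password", regardless of how small it is.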
Shock:
Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.
Disappointed with your response (relating to the points I and others have already made).