Check your email address(es) and passwords for cyber security breaches
m k:
5 characters of HIBP against big numbers is pretty exponential.
5+5 is already 10G pieces, and the remaining part is just a few still pictures.
How long ago was it that the majority of global traffic was spam?
For the privacy I'd say that name, address, phone number, email address, social security number, username and password hash are public information.
Private information is not shared around the globe.
Halcyon:
--- Quote from: Shock on January 15, 2023, 04:26:49 am ---Caveats like I said, I wouldn't have done what you did and posted a thread like this. I think people raised valid points and I'd expect it to elicit the same reaction elsewhere.
Disappointed with your response (relating to the points I and others have already made).
--- End quote ---
I agree, people did make valid points and I haven't disregarded them. However for the purposes of security of the forum and security of the information that you provide as part of your individual profile, I felt it more important to investigate what happened, with the tools available to me AND to report on it openly and honestly, rather than not.
Based on all the feedback and discussions both here in the thread and privately with others, I still maintain that the decisions made were the right ones. I would certainly be recommending a similar response were it to happen again. So far, no one has presented any evidence or a valid argument that any of the actions taken were risky, or exposed any user/personally identifiable data. No data was "disclosed" or stored outside of EEVblog (as previously explained).
I'm sorry that you and a small number of others were disappointed, but as far as I'm concerned the matter has been resolved with a positive outcome with no risk to the rest of the forum users. Whilst I don't like to disappoint people, the integrity of this forum and its users comes before preserving your personal feelings.
magic:
--- Quote from: Halcyon on January 15, 2023, 12:49:57 am ---But since you still don't seem to understand how this works, allow me to correct some misinformation for everyone's benefit.
By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns a HTTP 200 response along with a list of the remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset). You can test this out for yourself and see what this looks like, in fact, I'll use a password that I previously used which was compromised in the Trillian data breach in 2015: https://api.pwnedpasswords.com/range/B3117
Your browser/application then compares the returned suffixes against your password hash and determines whether a match (AKA a compromised password) has been found. For all intents and purposes, this is your offline checking of leaked passwords without having to download, update and compare against an enormous password list.
But again, don't simply take my word for it, take the time to review what other organisations are saying about this useful and reputable service. The API is also very well documented, and since it's open source, you can download and examine the source code yourself from their Github page (if that's your thing). If you decide this isn't something that is useful to you, that's completely OK too.
--- End quote ---
Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.
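The k-anonymity exchange Halcyon quotes above, written out as an added example (not code from the thread, from HIBP, or from any HIBP client): SHA-1 the password locally, send only the first 5 hex characters, parse the `SUFFIX:COUNT` lines that come back and do the suffix comparison on the client. The range response body and the breach counts in it are constructed for this example so it runs offline; `fetch_range_live` is the only part that would talk to the real https://api.pwnedpasswords.com/range/ endpoint and it is not called here.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Hash locally; return the 5-char prefix that leaves the machine and
    the 35-char suffix that must never leave it."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Range responses are lines of '<35 hex chars>:<count>'.
    Padded responses (Add-Padding header) may include count-0 filler lines,
    which simply never match a real suffix, so no special casing is needed."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """Return how often the password appears in the HIBP dataset (0 = not found).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)   # comparison happens here, client side


def fetch_range_live(prefix: str) -> str:
    """Real request shape (not executed in this example). Only the prefix is
    part of the URL; the API asks clients to send a User-Agent."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "example-k-anonymity-client", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server. SHA-1("password") really is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, but the neighbouring suffixes
# and all counts below are made up for the example.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1D2C7A6F0B3E59C84D1F2A7B6E5C4D3A2B1C0:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
        "1F00A0B1C2D3E4F5061728394A5B6C7D8E9:0\r\n"
    ),
}

SENT_PREFIXES: list[str] = []


def fake_fetch_range(prefix: str) -> str:
    """Records what would have gone over the wire, then answers like the API
    (an unknown prefix gets an empty body here; the real API returns 200 with
    the full range for any valid prefix)."""
    SENT_PREFIXES.append(prefix)
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple 2023"):
        print(pw, "->", breach_count(pw, fake_fetch_range))
    print("sent to server:", SENT_PREFIXES)
```

What the example makes visible is the whole point of the argument in the thread: `SENT_PREFIXES` only ever holds 5 hex characters, which is 16^5 = 1,048,576 possible buckets, and the 35-character suffix plus the match decision stay on the client. Replace `fake_fetch_range` with `fetch_range_live` to query the real service.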
Halcyon:
--- Quote from: magic on January 15, 2023, 10:07:52 am ---Correct me if I'm wrong, but I presume you didn't use any vetted client to access their API, but instead simply punched the email addresses into their website, which may or may not be compromised at any given time and you have zero control over it. You presumably don't bother verifying the embedded MalwareScript each time you use the website, either.
--- End quote ---
You're wrong.
The method was via the API on a known-clean forensic workstation (the same process as I would undertake for clients with sensitive data, or data subject to Government security classifications or protective markings).
The image of that particular workstation undergoes constant assessment. On top of that, we deploy the VMware Carbon Black EDR tool.
As I said, no data was put at risk. Feel free to provide any evidence to the contrary and I'll review it. As I said early on, guess-work and assumptions are not evidence.
madires:
--- Quote from: Halcyon on January 15, 2023, 12:49:57 am ---By entering your password for checking via the HIBP service, neither your password nor a hashed copy of it is ever submitted outside your computer. Your password is hashed within your browser/application and only the first 5 characters of the SHA-1 hash are sent to the HIBP server. These first 5 characters are then checked against a list of known data breaches and if a partial match is found, HIBP returns a HTTP 200 response along with a list of that remaining suffixes for all password hashes that begin with the same 5 characters as your password hash (as well as how many times that password hash appears in the dataset).
--- End quote ---
Such password checks give me a stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phishing web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!