Check your email address(es) and passwords for cyber security breaches
Shock:
Better just to change them to unique strong passwords and then check your old ones if curious.
These websites are also used by people who already have leaked data so in those cases a partial password hash and resulting full plain text data matched password could be found and used to identify them. Other submitted credentials as well as connection identifiers can further this.
Halcyon:
--- Quote from: madires on January 15, 2023, 12:23:45 pm ---Such password checks give me stomachache. How many users are able to check the website's JS to make sure that nothing else is done with the password entered? It could be just another phishing web page. Users are educated to NOT enter their credentials on some random web page. Now they are encouraged to do so, in the name of security. Very confusing for users!
--- End quote ---
I completely understand your hesitation. I do agree with you, it kind of goes against everything we've been taught about "not putting your passwords out there". I felt the same way many years ago when HIBP was launched.
However, the service itself has been vetted time and time again by people (and governments) much smarter than me. As I mentioned before, even NIST recommends you check your passwords against known data leaks. Few users have the resources, knowledge or time to do such things with completely offline password lists. This is why simple, yet effective services like this exist, and it's why they are being integrated into several reputable password managers and web browsers.
Cybersecurity is constantly changing as new threats emerge, technology changes and threat actors get more sophisticated and sneaky. Users should stay up-to-date as well so they can better protect themselves. Remember when the advice was that long, complex (and unmemorable) passwords were the recommendation? Whilst that's still true today, passphrases have emerged as a "just as good, if not better" alternative (if implemented properly, such as not using song lyrics that could easily be brute forced). Some people criticised passphrases because they appeared "too simple", but when you look into it further and do the maths, it actually makes sense.
I constantly see people making the mistake of "but this is the way we've always done it", time and time again and in some cases this can lead to disaster. I could tell you some stories from work about companies being breached and having sensitive data stolen because of this mentality. At the end of the day, whether you're an expert in a given field or an end-user, you should be prepared to adapt, otherwise you'll be left behind in the dark ages.
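To make concrete what "partial password hash" and the HIBP check actually mean, here is an added example (not code from this thread or from HIBP) of the k-anonymity range lookup: only the first five hex characters of the password's SHA-1 leave the client, and the match is done locally. The range response format ("SUFFIX:COUNT" lines for a 5-character prefix) is the documented Pwned Passwords behaviour; the sample response and the count in it are constructed, and `fake_fetch_range` stands in for the real HTTPS request so the code runs offline.

```python
"""k-anonymity password check in the style of HIBP Pwned Passwords.
Added example, not the thread's or HIBP's own code. Assumes the service
answers GET /range/<5-hex-prefix> with lines of "SHA1_SUFFIX:COUNT"."""
import hashlib

PREFIX_LEN = 5  # only this many hex chars of the SHA-1 ever leave the client


def split_password_hash(password: str) -> tuple:
    """SHA-1 the password; return (prefix to send, suffix kept locally)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> dict:
    """Parse "SUFFIX:COUNT" lines; tolerate CRLF and blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    fetch_range(prefix) returns the response body; it never receives the
    password or the full hash, which is the whole point of the scheme."""
    prefix, suffix = split_password_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed sample response for prefix 5BAA6: two made-up suffixes plus
# the genuine suffix of SHA-1("password"); the counts are made up too.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "0123456789ABCDEF0123456789ABCDEF012:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345",
    "FEDCBA9876543210FEDCBA9876543210FED:1",
])


def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTPS GET of /range/<prefix>; serves the sample."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fake_fetch_range)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in sample corpus'}")
```

Replacing `fake_fetch_range` with a real request to the range endpoint keeps the same privacy property: the server only ever learns a 5-character prefix shared by many thousands of hashes.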
Halcyon:
Just for anyone following along at home, it looks like these kinds of credential stuffing attacks (as we've seen here on this forum) are on the increase. Paypal just suffered some unauthorised access to a "handful" of user accounts: https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/
Since the original post was made here, we've seen another 2 or 3 accounts compromised on the forum, again, all being subject to data breaches in the past. Moderators have taken steps to secure those accounts.
nctnico:
AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can log in to a webshop without being able to make a payment anyway? In fact, it would be better if many such websites just sent you a link through email when you log in instead of needing yet another password. The whole concept of login/password has been outdated for a while.
Things are different of course for websites like Paypal where you can do financial transactions and so on.
Halcyon:
--- Quote from: nctnico on January 21, 2023, 01:01:54 am ---AFAIK lots of companies have checked their user databases against these public records and pre-emptively deactivated the passwords for breached accounts. But let's be realistic here: for many websites you don't really need that much security. Who cares if a forum account gets used by somebody else? Or somebody can log in to a webshop without being able to make a payment anyway? In fact, it would be better if many such websites just sent you a link through email when you log in instead of needing yet another password.
Things are different of course for websites like Paypal where you can do financial transactions and so on.
--- End quote ---
The problem is, "unimportant" websites, like forums etc., form part of the low-hanging fruit attackers love, and that comes down to people being lazy, re-using the same email addresses and/or passwords for more important services.
I guess this forum is probably a little bit outside the norm as we have a large group of highly technical people who use their own domains and unique email addresses for different services, but the general population isn't like that. Most people have 1 email address for everything.