Check your email address(es) and passwords for cyber security breaches
madires:
--- Quote from: Halcyon on January 22, 2023, 02:03:02 am ---All of those types of offences require solid evidence that the person being accused of the crime was the person actually behind the keyboard. It's not good enough to say "it was your account, so therefore you're in trouble" and that kind of thing would be extraordinarily easy to disprove or introduce doubt. For example, the EEVblog forum stores your IP address alongside every post you make (but this information is only visible to yourself and moderators/admins).
Speaking from personal experience, investigating crimes like child exploitation on the internet can be extremely difficult. In Australian courts, it's not even good enough to rely on the IP address of the user, you need additional evidence on top of all of those types of records to say "this is the person that did the bad thing", you can't just assume.
--- End quote ---
Of course, innocent until proven guilty. On the other side is the public opinion on the person accused. Local media has reported multiple cases of destroyed reputations because of false allegations (child exploitation), causing social exclusion, loss of job, vandalism and more unpleasant experiences. People can be cruel.
vad:
--- Quote from: james_s on January 12, 2023, 11:28:26 pm ---
--- Quote from: SiliconWizard on January 12, 2023, 09:12:11 pm ---Oh, a website that asks for passwords to see if your passwords have been stolen, what a nice idea! :-DD
--- End quote ---
What are they going to do with it? Knowing a password is useless if you don't know what it's the password to.
--- End quote ---
Stolen passwords can be added to "password dictionaries" of known passwords. Such dictionaries are traded on the darknet to hackers who use them for dictionary attacks.
Imagine you are a victim of the infamous LastPass leak, and your vault with all your passwords to your banks, to websites that have your personal information (your shipping address at Amazon, your mobile phone number, your SSN, your W-2s from your employer's payroll provider, ...) is now in the hands of hundreds of hacker teams ranging from bored school kids to the Russian military. They bought your vault on the darknet, and all that stops them from taking full advantage of the passwords stored in the stolen LastPass vault is your master password that was used to encrypt the vault. You can either use your own imagination to picture what could happen to you if the hackers succeed in guessing the master password, or read fiction books and watch popular movies to get an artistic picture.
Now, LastPass uses the pretty strong AES-256 algorithm, and if you followed LastPass's advice carefully and had a very long random master password, you are relatively safe.
Your laptop most likely has hardware AES-256 acceleration. Modern Intel and AMD CPUs can decrypt AES-256 at speeds on the order of 10 GB/s. A serious hacker can have access to hardware that is several orders of magnitude faster than a modern laptop.
If your vault was 100KB long (thousands of passwords), hackers can apply brute force, testing 100,000 passwords per second using a laptop, and maybe 10 million passwords per second using a farm of 100 servers.
If your memorized master password was 20 characters long and contained upper and lower case letters, digits and special characters (96 ASCII characters), the attacker would have to try about 10e40 passwords before breaking the vault. This would take 10e33 seconds, longer than the age of the Universe.
However, if your master password ends up in the "password dictionary", the job would become much easier. A huge dictionary of 1 billion passwords can be checked in a few minutes, or even faster, because they probably do not have to decrypt the entire 100KB vault to test the validity of each password (depends on the vault's data structure).
You should not trust your passwords to anyone. Definitely not to some “reputable” password checking website. You do not know who is behind it, and even if you know the owner personally - the website can be hacked tomorrow, JavaScript altered, etc. You should not trust moderators of this forum - you probably do not even know their real names. With all respect, you should not even trust Dave when it comes to your cyber security.
In my opinion, the advice that was given by the OP was unprofessional. What's even worse, the mistake was not corrected despite people pointing out the obvious risk of checking passwords online.
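The brute-force and dictionary scenario vad describes, as an added worked example; this is not code from the thread and not LastPass's real vault format. It builds a toy vault whose key is derived from the master password with PBKDF2-HMAC-SHA256 (an assumption made for the demo, with a deliberately low iteration count), stores a short verifier tag so a wrong guess can be rejected without decrypting the whole vault, runs a dictionary attack over a small constructed wordlist, and computes how long exhausting every 20-character, 96-symbol password would take at the two guess rates quoted in the post. The stream cipher is an HMAC-counter stand-in because the Python standard library has no AES; it is for illustration only.

```python
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Toy vault (constructed for this example, NOT LastPass's real format):
#   key = PBKDF2-HMAC-SHA256(master, salt, iterations)
#   tag = first 16 bytes of HMAC(key, "vault-verifier")   <- cheap guess check
#   ct  = plaintext XOR HMAC-counter keystream             <- stand-in for AES
ITERATIONS = 2000   # deliberately low so the demo finishes in seconds
ALPHABET = 96       # printable ASCII symbols, the figure used in the post


def derive_key(master: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


def keystream(key: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode, used here only as a toy stream cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), "sha256").digest()
        ctr += 1
    return bytes(out[:n])


def verifier_tag(key: bytes) -> bytes:
    return hmac.new(key, b"vault-verifier", "sha256").digest()[:16]


def seal_vault(master: str, plaintext: bytes, salt: Optional[bytes] = None,
               iterations: int = ITERATIONS) -> dict:
    salt = salt if salt is not None else os.urandom(16)
    key = derive_key(master, salt, iterations)
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, len(plaintext))))
    return {"salt": salt, "iterations": iterations, "tag": verifier_tag(key), "ct": ct}


def try_master(vault: dict, candidate: str) -> bool:
    """One guess costs one PBKDF2 run plus a 16-byte compare; the ciphertext is never touched."""
    key = derive_key(candidate, vault["salt"], vault["iterations"])
    return hmac.compare_digest(verifier_tag(key), vault["tag"])


def open_vault(vault: dict, master: str) -> Optional[bytes]:
    """Decrypt only after the verifier tag matches; None on a wrong master password."""
    key = derive_key(master, vault["salt"], vault["iterations"])
    if not hmac.compare_digest(verifier_tag(key), vault["tag"]):
        return None
    return bytes(a ^ b for a, b in zip(vault["ct"], keystream(key, len(vault["ct"]))))


def dictionary_attack(vault: dict, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Try each leaked password in turn; return (recovered master or None, guesses made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if try_master(vault, word):
            return word, guesses
    return None, guesses


def brute_force_seconds(length: int, guesses_per_second: float, alphabet: int = ALPHABET) -> float:
    """Worst-case time to exhaust every password of the given length and alphabet."""
    return alphabet ** length / guesses_per_second


def measured_guess_rate(vault: dict, samples: int = 50) -> float:
    """Guesses per second this machine manages at the vault's iteration count."""
    start = time.perf_counter()
    for i in range(samples):
        try_master(vault, f"wrong-guess-{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed wordlist standing in for a leaked "password dictionary".
    LEAKED_DICTIONARY = ["123456", "password", "qwerty", "letmein", "Summer2022!"]
    vault = seal_vault("Summer2022!", b"bank: hunter2\namazon: hunter3\n")
    print("dictionary attack:", dictionary_attack(vault, LEAKED_DICTIONARY))
    print(f"measured rate: {measured_guess_rate(vault):.0f} guesses/s at {ITERATIONS} iterations")
    for rate in (1e5, 1e7):   # the laptop and 100-server figures from the post
        print(f"20-char random password at {rate:.0e} guesses/s: {brute_force_seconds(20, rate):.2e} s")
```

Two things the numbers make visible: a master password that appears in any leaked list falls in a handful of guesses regardless of how strong the cipher is, and the only lever the vault owner controls against an offline attacker is the cost of each guess (the iteration count, or a memory-hard KDF) together with the size of the search space.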
madires:
More credential stuffing attacks are on the way. PayPal, sky.de, ...
alexanderbrevig:
I'll remind you once again: logging in here you send the password.
Checking on HIBP, you do not.
Ok? Ok.
nctnico:
--- Quote from: PlainName on January 22, 2023, 01:45:50 pm ---
--- Quote from: nctnico on January 21, 2023, 01:01:54 am ---Who cares if a forum account gets used by somebody else?
--- End quote ---
Your reputation on that site can be used to leverage a scam. Often, security fails because some seemingly innocuous thing is compromised that leads to better (for the scammer) access. What if someone you've previously dealt with here, say, sends you a PM with a fantastic offer of 80% off something you're after? You're far more likely to fall for that one and send money than the same thing from some random Ebay account (and people fall for those).
--- End quote ---
That is a bit of a strawman argument. The first rule of great offers: if it is too good to be true, it usually isn't real. There is a sucker born every minute and as you already wrote yourself: people don't need to impersonate trust in order to lure suckers in.
--- Quote from: alexanderbrevig on January 23, 2023, 02:38:04 pm ---I'll remind you once again: logging in here you send the password.
--- End quote ---
But only the password for this site.
--- Quote ---Checking on HIBP, you do not.
Ok? Ok.
--- End quote ---
That depends entirely on whether the HIBP website you type your password in is the real website or a fake. Even this forum makes it easy to provide a fake link:
https://haveibeenpwned.com/
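alexanderbrevig's point that an HIBP password check does not send the password, and nctnico's caveat that this only holds if you are talking to the real service, as an added example that is not code from the thread. The Pwned Passwords range API uses k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters of the hash; the server returns every known hash suffix with that prefix and the match is done locally. The range response below is constructed for the example (the counts and the first and third suffixes are made up; the middle one is the real SHA-1 suffix for "password") so the check runs offline; `live_lookup` performs the real request and is the only function that touches the network.

```python
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for a range response: one "SUFFIX:COUNT" line per known
# SHA-1 hash beginning with the queried prefix (here 5BAA6). Counts and the first
# and third suffixes are made up; the second is the real suffix for "password".
SAMPLE_RANGE_RESPONSE = """1E2DC4A0D6DC9AA9AAD95B6E1B3D7A1F1EC:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000000
1E5C3C8A5B5F0A6D0D1D3F9A8F0E1B2C3D4:1
"""


def hash_parts(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The only thing transmitted: the hash prefix, not the password or its full hash."""
    prefix, _ = hash_parts(password)
    return RANGE_API + prefix


def pwned_count(password: str, range_response: str) -> int:
    """Match the local suffix against the returned list for that prefix.
    Returns how often the password was seen in breaches, 0 if not present."""
    _, suffix = hash_parts(password)
    for line in range_response.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def live_lookup(password: str) -> int:
    """Real query against the service. Add-Padding asks the server to pad the
    response with dummy (count 0) entries so response size does not leak the prefix."""
    req = urllib.request.Request(
        range_url(password),
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return pwned_count(password, resp.read().decode("utf-8"))


if __name__ == "__main__":
    pw = "password"
    print("request sent:", range_url(pw))
    print("seen in breaches:", pwned_count(pw, SAMPLE_RANGE_RESPONSE), "times (constructed sample)")
```

The privacy property lives entirely in the client: `range_url` is what decides that only five hex characters go over the wire. A look-alike page, or a real page whose JavaScript has been altered, can just as easily send the whole password, which is nctnico's objection. If that matters, run the range query from a client you control rather than typing the password into a web form.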