Domain: haveibeenpwned.com
Stories and comments across the archive that link to haveibeenpwned.com.
Comments · 44
-
Re:A mixture of bad and good ideas, not lasting
I still can't put my finger on why it never went anywhere with anyone I knew,
i wrote about this at the time. facebook is known for being non-mission-critical. if facebook doesn't like your use of its service, and terminates your account, so what, big deal.
however as *actually happened* with several people, the forced requirement of an incredibly dangerous "real name" policy, if people joined up to google+ and refused to accept the dangerous requirement, ACCESS TO TEN YEARS OF EMAIL AND DOCS WAS TERMINATED WITHOUT WARNING. and there was absolutely no recovery mechanism.
i have over 50,000 messages dating back 12 years, on which i critically rely for business and for coordinating software libre projects. termination of access to all of that would be catastrophic.
i also wrote about why "real name" policies are incredibly dangerous. they break the rule that everyone knows: everyone KNOWS that you DO NOT TRUST an online identity. period.
any Corporation that sets itself up as the "God Of Identity" is just... so wrong on so many levels, it's just not funny. youtube data breach only a few months ago. equifax data breach. ashley madison data breach. cambridge analytica. dozens more that can be found on https://haveibeenpwned.com/Pwn...
*how many more* of these are we going to have to have before people start to wake up?
-
Re:This is interesting
These are pretty common these days. It could be facebook, but more likely one of hundreds of other breaches (if you used the same password on another site) when the data gets posted to pastes on the net or "darknet."
If you're not already doing it, you should check have i been pwned using common usernames/email addresses you've used to see all of the ways your info has been compromised.
You can sign up to get notified if your info shows up in future breaches.
-
Re:MAGA
https://haveibeenpwned.com/Pas...
"MAGA"
Oh no — pwned! This password has been seen 62 times before
"MAGA bich"
Good news — no pwnage found!
-
Hilarious results
https://haveibeenpwned.com/Pas...
Frosty Piss: Good news — no pwnage found!
FrostyPiss: Good news — no pwnage found!
Frosty_Piss: Good news — no pwnage found!
Keep on frosty pissing, friend. But you might want to consider some vacation time in a warmer country.
-
Re:Fun "fact"
https://haveibeenpwned.com/Pas...
12345: This password has been seen 2333232 times before.
123456: This password has been seen 23174662 times before.
That's right: there are nearly ten times as many people using 123456 as 12345, so the password used in Spaceballs is actually the more secure one of the two!
I wonder if that's because a lot of websites require at least 6 characters.
A lot now require 8 so 12345678 is probably pretty common too.
-
Fun "fact"
https://haveibeenpwned.com/Pas...
12345: This password has been seen 2333232 times before.
123456: This password has been seen 23174662 times before.
That's right: there are nearly ten times as many people using 123456 as 12345, so the password used in Spaceballs is actually the more secure one of the two!
-
The answer is usually recycled passwords...
Everyone should try https://haveibeenpwned.com/ (no affiliation). It's scary how your old password that you used on some random website a decade ago has been leaked. Hopefully most "big" sites have moved to individually salted passwords so future password leaks will be less common or severe...
-
Re:So, how does it work?
And based on that description, they are totally using this behind the scenes: https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange
-
Re:So, how does it work?
They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
Though they're also probably stealing your passwords. It is Google, after all.
HIBP maintains a DB of credentials they find exposed in dumps.
HIBP hashes them with SHA1.
HIBP provides an API.
You hash your password with SHA1.
You send the first 5 characters of that hash to HIBP's API.
HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
You search through that list of SHA1 hashes and find the one that's a complete match.
You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.
Go to https://haveibeenpwned.com/Pas... and open your network console.
Put "sexy" in the field.
The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
Your browser sends a GET request for https://api.pwnedpasswords.com....
The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.
Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.
If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.
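The range-query exchange the comment above walks through, written out as an added example (this is not code from the post, from HIBP, or from any password manager). Both sides run in one process: `build_index` and `range_query` emulate the server's hash index and its `/range/{prefix}` endpoint over a small constructed corpus, and `pwned_count` is the client, which hashes locally and sends only the first 5 hex characters. All function names and the corpus counts are assumptions made for the example.

```python
import hashlib

# Constructed sample corpus of (password, times-seen) pairs standing in for
# the breach dumps HIBP indexes. The real Pwned Passwords set is far larger.
SAMPLE_CORPUS = {
    "123456": 23174662,
    "password": 3730471,
    "letmein": 100000,
    "correct horse battery staple": 7,
}

HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus):
    """Server side: group SHA-1 hashes by their 5-hex-character prefix.

    Each bucket holds (35-char suffix, count) pairs, so a prefix lookup never
    reveals which entry, if any, the caller was interested in.
    """
    index = {}
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


def range_query(index, prefix: str) -> str:
    """Server side: emulate GET /range/{prefix}, returning 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5 or not set(prefix) <= HEX_DIGITS:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in index.get(prefix, []))


def pwned_count(password: str, query) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    `query` is any callable taking a 5-char prefix and returning the response
    body; in real use it would perform the HTTPS GET, here it is in-process.
    Returns the number of times the password was seen, or 0 if absent.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in query(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    index = build_index(SAMPLE_CORPUS)
    for pw in ("123456", "letmein", "not-in-any-dump-9x7z"):
        seen = pwned_count(pw, lambda p: range_query(index, p))
        print(f"{pw!r}: sent prefix {sha1_hex(pw)[:5]}, seen {seen} times")
```

The only value that leaves the client is the 5-character prefix, which in the real corpus corresponds to hundreds of hashes; the full-suffix comparison and the decision that a match occurred happen entirely on the client.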
-
HaveIBeenPwned (Troy Hunt) Has a Novel Solution
Troy Hunt has a really nice solution for this on his HaveIBeenPwned site. He has an API that allows you to submit a partial hash of your password (the first half of the SHA1 of your password) and then the API returns a list of complete hashes that have appeared in a breach. You can check it out on his about page here.
The reasoning is that you are not providing your complete password hash, so both his site and an eavesdropper would not know if your password actually appears in that list or not. Only you know, and the list that is returned averages about 450-500 complete hashes. It would give an attacker with a rainbow table a starting point, but then you'd also know if your password appears in a dictionary or breach and should be changed.
-
Re:I may be a luddite
If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ can be pretty useful.
It's only marginally useful. Yes, I have been pwned, my email address is listed in the "Anti Public Combo List".
So? With what password? I have to use my email address at many sites to log on and of course I do not reuse my passwords, so one of them is compromised. It doesn't tell me which. So I don't know which password to change.
-
Re:So the guy had a weak password
Or they could just integrate their system with Pwned Passwords, which is a service set up for this very purpose already.
-
Re:I may be a luddite
If you reuse passwords - and even if you don't - https://haveibeenpwned.com/ can be pretty useful. It alerts you if your passwords are found in that never ending stream of hacker data dumps. A new feature was added recently where you can enter the it directly to determine if it's been compromised. Whether or not you trust that is another matter. But for the attentive, it's a good service overall for knowing when to retire a password.
-
Re:DB lookup?
https://haveibeenpwned.com/Pwn... you won't but if you're really unsure about that site's security you can browse the list of sites here, but there's no database around except in the darknet or some other file sharing service.
-
Re:DB lookup?
Assuming you're not having a laugh. Troy Hunt does this.
I feel susceptible to being pwned, if I enter in my data; is there a database I can download instead and check where I trust?
-
Re: DB lookup?
I'm sure there are others, but here's one:
https://haveibeenpwned.com/
-
Re:DB lookup?
Assuming you're not having a laugh. Troy Hunt does this.
-
Re:Stupid
https://haveibeenpwned.com/ asks for your e-mail address and then tells you if it's included in any known e-mail / password pair dumps. Entertainingly, it also tells you which dumps, and, if it's known, which organizations they came from.
They could be harvesting e-mail addresses I suppose, but I pretty much assume that ship sailed a long time ago.
Maybe you were entering your credentials into the wrong shady website?
-
Re:/Oblg. Honey pot
> Go to the "Passwords" tab and scroll down to the bottom.
Thanks for the info!
Here is the link in question that has the
.torrent / .7z file: https://haveibeenpwned.com/Passwords
-
Re:If you want to be pwned
The only entrapment is not knowing. https://haveibeenpwned.com/Pwn... You could just manually browse this list if you are really that paranoid though.
-
If you don't use Firefox...
Try Have I Been Pwned website to check your email address against known data breaches.
-
Re:Microsoft Windows only
Yeah or maybe just read the article.
Meanwhile, Linux users rest easy assuming no harm can penetrate Fortress Europe.
I dual boot; going to https://haveibeenpwned.com/ says my Email address is public domain because of Linux Mint, I thought damn...
How this happened: https://www.zdnet.com/article/...
-
Brute forcing + Database leaks + PW re-use
I don't really see why people are so against hashes that they need to shout.
My main reason was for comically over-exaggerated "hysteria".
The actual reason why people are against hashes is a combination of three factors:
- Brute forcing:
The computational power has vastly increased recently. Noticed the "Tera hash" that bitcoin ASIC miners have been advertising? That's trillions of SHA256 hashes computed per second. GPUs and FPGAs are widely available and are good at brute forcing millions, perhaps billions of hashes per second.
We humans suck at picking passwords. You don't need to actually scan the whole vast 256-bit space (would be difficult to achieve before the end-of-life of our solar system), you can scan a few million of the most popular passwords and variations thereof and/or scan password patterns(*).
So guessing passwords out of (fast) hashes is completely doable for anyone with a little bit of resources (paying a tiny sum to rent GPUs on the Cloud).
- Big database leaks:
Just have a look at http://haveibeenpwned.com/ . Very often (though not always), attackers manage to get the password hashes. If you've been using a fast hashing function like SHA, guessing a significant proportion of the passwords is largely possible (like point 1. above) at the cost of some GPU cloud-renting.
- Password reuse:
We humans are stupid and tend to reuse passwords. Once you've managed to successfully guess a password from point 2, you can try to see if it unlocks the e-mail account associated with the account in the database, or any other account you can find online associated with the same email and/or username and/or real identity (depending on what the leaked db provides to you).
That last one gives you tons of social engineering and identity theft/impersonation possibilities to "profit!!!" from. So you can guess it is something that could happen in the wild.
---
(*) -- (when asked to follow password rules, humans will generally put the capital letter at the beginning, use 5-to-6 letters, then put 2-to-4 numbers, and the special at the end, most of the time it will be "!". The number of combinations that follow these rules is vastly smaller than what "[A-Za-z0-9_!#@-]{8,16}" would imply)
Yes, bcrypt and similar are better and should be used. But I'd consider a hash, if properly used, still reasonably secure.
The vast difference is that bcrypt, scrypt and argon2 are on purpose designed to slow down bruteforcing and make FPGAs and ASICs difficult (by using lots of iterations, and by requiring lots of memory).
Point 1. from the list above doesn't hold true anymore, so if the KDF's hashes get leaked in point 2. you can't gain much from them.
By properly used I mean hash(hash(password + salt) + salt), where + stands for concatenation. Even better if it has some concatenated pepper, too.
You don't even need to remember that formula if you remember the letters "hmac"...
For a typical /. geek who:
- generates purely random strings from /dev/random+base64 (good luck using patterns or common password lists on that!)
- and uses 1 different password for each typical site (no password reuse)
( - and uses a secure password manager to keep them organised)
- and has activated 2-factor auth (like Google Auth) on each website that supports it (so even if a password is somehow guessed correctly by sheer luck, it's not useful on its own).
Yup, salted hashes are good enough.
For the rest of the normal humans, the 3 points I've listed above are a real danger.
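The three storage schemes the post above contrasts, an unsalted fast hash, a salted fast hash built from HMAC (the poster's "remember the letters hmac" tip), and a deliberately slow KDF, as an added example that is not the poster's code. PBKDF2-HMAC-SHA256 from Python's standard library stands in for bcrypt/scrypt/argon2 here only because those are not in the stdlib; the function names, record formats and the iteration count are assumptions made for the example, and the iteration count is far below what a production deployment should tune to.

```python
import hashlib
import hmac
import secrets
import time

# Assumed work factor for the example; production values should be tuned
# to the hardware and raised over time.
PBKDF2_ITERATIONS = 200_000


def unsalted_sha1(password: str) -> str:
    """The weak scheme the post warns about: one fast hash, no salt.

    Every user with the same password gets the same record, so a single
    guess verified against one hash is verified against all of them.
    """
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_hmac_record(password: str, salt=None) -> str:
    """Salted fast hash via HMAC-SHA256, stored as 'salt_hex$digest_hex'.

    A per-user random salt means identical passwords yield different records,
    so precomputed tables and cross-user reuse of a guess stop working. It is
    still fast, so per-user brute forcing remains cheap.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hmac.new(salt, password.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{salt.hex()}${digest}"


def verify_hmac(password: str, record: str) -> bool:
    salt_hex, digest = record.split("$")
    expected = hmac.new(bytes.fromhex(salt_hex), password.encode("utf-8"), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, digest)  # constant-time comparison


def kdf_record(password: str, salt=None, iterations=PBKDF2_ITERATIONS) -> str:
    """Salted and slow: 'pbkdf2$iterations$salt_hex$digest_hex'.

    The iteration count is stored with the record so it can be raised later
    without invalidating existing records.
    """
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"


def verify_kdf(password: str, record: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(got.hex(), digest_hex)


def relative_cost(iterations=PBKDF2_ITERATIONS, fast_samples=10_000) -> float:
    """Rough ratio: cost of one PBKDF2 guess versus one raw SHA-1 guess on this machine."""
    pw, salt = b"benchmark-only", bytes(16)
    t0 = time.perf_counter()
    for _ in range(fast_samples):
        hashlib.sha1(pw).digest()
    per_fast_guess = (time.perf_counter() - t0) / fast_samples
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    per_slow_guess = time.perf_counter() - t0
    return per_slow_guess / per_fast_guess


if __name__ == "__main__":
    print("unsalted, two users, same password:", unsalted_sha1("hunter2") == unsalted_sha1("hunter2"))
    print("salted hmac, two users, same password:", salted_hmac_record("hunter2") == salted_hmac_record("hunter2"))
    print("kdf verify ok:", verify_kdf("hunter2", kdf_record("hunter2")))
    print(f"one PBKDF2 guess costs about {relative_cost():,.0f} raw SHA-1 guesses")
```

The `relative_cost` figure is what "point 1 doesn't hold anymore" means in practice: a defender raises the per-guess cost by a large factor while a legitimate login pays it only once.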
-
Re:Sheesh
Searching for yourself only draws more attention. Each query is added to the database. Google picks up on those things when they scrape the site. Suddenly your name is everywhere in every search engine.
Um, yeah. They just may have thought of that one. Here's the robots.txt:
User-agent: *
Sitemap: https://haveibeenpwned.com/sit...
Disallow: /Account/*
Disallow: /account/*
Disallow: /Verify/*
Disallow: /verify/*
Disallow: /HowFastIsAzureTableStorage/*
Disallow: /DomainSearch/*
Allow: /DomainSearch/$
-
Re:Sheesh
The best I know of is https://haveibeenpwned.com/. You can search for a single email address, or set up monitoring for your domains.
If this collection has email addresses, I wouldn't be too surprised to find it added to the collection there.
-
Re:Harvesting the sites I visit
So now, Firefox will be tracking and harvesting the sites I visit? Wow, Mozilla really is turning Firefox into a Chrome clone.
Having looked at the code: No, it downloads a breach list from here: https://stage.haveibeenpwned.c... It does not send all your browsing history to them.
If you enter your email address that will be sent to the site for checking, but that's obviously optional.
-
Re:Privacy
Why am I reading this as "Firefox will share your browsing history with another partner."
Probably because you have a bias.
Is this list downloaded and compared locally? I doubt it too.
Yes, this is exactly how it works. It downloads a list from here: https://stage.haveibeenpwned.c...
The beauty of open source code is you can see how it works, if you aren't too lazy to just not bother.
-
Re:Have I Been Pwned Website
Since this is a good post I'll promote it to a whopping zero score.
Check out the "Have I Been Pwned" website. You can enter all your email addresses and get notifications if a particular email address got exposed in a data breach. I've gotten several emails in recent days informing me of data breaches at Kickstarter and Pinterest.
This way we can all benefit from the only good post you made all year without having to mod you up where you'll spam your amazon affiliate links all over.
-
Have I Been Pwned Website
Check out the "Have I Been Pwned" website. You can enter all your email addresses and get notifications if a particular email address got exposed in a data breach. I've gotten several emails in recent days informing me of data breaches at Kickstarter and Pinterest.
-
Re:Give me about 20 minutes
Just go to my handy website to enter your email to see if you've been affected, link will be up shortly.
:^)
Too late - the "security researcher" here already has put up https://haveibeenpwned.com/
Only a gullible fool would enter his own e-mail address in a site like that, but then again, there's no shortage of those...
-
Re:Password Changes
You're missing the point.
There have been hundreds of database breaches in the past few years. Every password in those databases should be considered compromised. However, it's most likely that an attacker will use the dumped passwords as a dictionary, or at most try a few simple variations for a known user. It's far less likely that they will be able to guess the "simple" password if it's different and random for every organization.
Password reuse is a threat, and it's becoming more prevalent every day. The best defense is to utilize a password manager to keep a strong and unique password on every domain. The second-best defense is to force password changes, to minimize the chance of a user still having a password that was in a dumped database.
-
Re:I don't have any you insensitive clod!
What if I don't have any social media accounts.
"Just don't lie. It's 10 years in Gitmo if you lie. Remember Martha Stewart. She went to prison because she lied to Federal agents. You're not a Martha Stewart? Are you?"
"Is that your iPhone? Please unlock it for us. Yes, my colleague will return your iPhone shortly to you. It just takes a few minutes."
"Has anyone else used that iPhone other than yourself? Please write down their names, contact info, dates, and circumstances in which they did."
"What's your email address?"
"Any other email address? Keep in mind that the average traveler in your age group that comes to the United States has used at least 12 email addresses over the years. It would be very suspicious and we would probably require a full body cavity search if you only provided one, especially if it had very few messages in its inbox, and you'd probably miss your connecting flight delaying the rest of your family. "
"Ok, sexfocashmesohony at Yahoo dot com "
"We're almost done. One last question. Provide a list of your 10 closest Facebook friends and their contact information. "
"Yes, the ones that you're constantly bitching and complaining to because they've stopped inviting you to events since you're not on Facebook. "
I think I got a better plan. That would be staying in my own country, and not having to take part in these indignities.
My country is a continental one [it is also a democracy]. My country has treaties with all the nations in my continent, to the point I don't even need a passport to travel around. My continent is a rich and diversified one. It would take several lives to know it in detail. It has jungles, forests, very high mountains, prairies, stunning beaches, gorgeous women, unbelievably rich food, and a pretty good standard of living in most places. I just don't need to travel to the outside anymore. I have traveled the world, and have fond memories of the places I've been to [and I thank them for allowing me to get to know them, and, I must say, being so kind].
Now I can rest and have an exciting life in my country's backyard [traveling by car -- the way I like it], spending my precious money where it is needed most, and where I can get better value for it.
So long Northern Hemisphere, and thanks for all the fish.
-
Re:I don't have any you insensitive clod!
What if I don't have any social media accounts.
"Just don't lie. It's 10 years in Gitmo if you lie. Remember Martha Stewart. She went to prison because she lied to Federal agents. You're not a Martha Stewart? Are you?"
"Is that your iPhone? Please unlock it for us. Yes, my colleague will return your iPhone shortly to you. It just takes a few minutes."
"Has anyone else used that iPhone other than yourself? Please write down their names, contact info, dates, and circumstances in which they did."
"What's your email address?"
"Any other email address? Keep in mind that the average traveler in your age group that comes to the United States has used at least 12 email addresses over the years. It would be very suspicious and we would probably require a full body cavity search if you only provided one, especially if it had very few messages in its inbox, and you'd probably miss your connecting flight delaying the rest of your family. "
"Ok, sexfocashmesohony at Yahoo dot com "
"We're almost done. One last question. Provide a list of your 10 closest Facebook friends and their contact information. "
"Yes, the ones that you're constantly bitching and complaining to because they've stopped inviting you to events since you're not on Facebook. "
-
Re:Again?
Nope, this is at least the second time for them. https://haveibeenpwned.com/PwnedWebsites#AdultFriendFinder
There have been rumblings of them leaking info much longer than this, but the admins just didn't seem to care enough to get off their asses, do their jobs and protect their users.
-
Is this website legit?
I played around with the https://haveibeenpwned.com/ website, confirming that very old email addresses were compromised in the last few years. But how legit is this website?
-
Strange
The site:
https://haveibeenpwned.com/ tells me that my MySpace account has been pawned, but I don't remember creating a MySpace account.
-
Why the hell hasn't ...
... anyone thought of this before?
How fucking clever.
Oh, wait
...I had this goddam discussion with management back in 1996 all the way up until I retired in 2014.
They said, while it's a problem, it's an IT problem, and we get no funding for training, best-practice firewalls and shit like that.
My insistence that they change passwords at least once a decade, and to refrain from using the same simple password for EVERYTHING went ignored.
As a courtesy, I just sent them a mass email saying that I put every one of their emails into haveibeenpwned and they need to get their shit together.
They want me to CALL and explain.
If they won't listen in person over a period of years, a fucking phone call is a waste of my time.
I sent one more email pointing to retirement.
-
Re:maybe a link to the pastebin
You could try Have I Been Pwned?
-
As always...
As always, make sure you check haveibeenpwned to see if you're affected. For those who are, please be absolutely sure to change your passwords as md5 isn't secure anymore. If that's a huge hassle, then you've been reusing the same password - a big no-no, take this opportunity to use multiple. Not only will it make your life much more secure, but it makes situations such as these much easier, and you'll be glad you did so next time.
-
Re:Look up your email address
In the Ars story about this they pointed out a website that tracks breaches that I hadn't heard of before: ';--have i been pwned?
Isn't that site just an alias for the "pleasepownmeheresmyemailaddress.com"?
-
Look up your email address
In the Ars story about this they pointed out a website that tracks breaches that I hadn't heard of before: ';--have i been pwned?
I plugged my email addresses into this and found out that I had been a part of the Adobe breach from October 2013. And I don't remember Adobe telling me about it.
-