Password Re-user? Get Ready to Get Busy (krebsonsecurity.com)
Security reporter Brian Krebs writes: In the wake of megabreaches at some of the Internet's most-recognized destinations, don't be surprised if you receive password reset requests from numerous companies that didn't experience a breach: Some big name companies -- including Facebook and Netflix -- are in the habit of combing through huge data leak troves for credentials that match those of their customers and then forcing a password reset for those users. Netflix.com, for example, sent out a notification late last week to users who made the mistake of re-using their Netflix password at Linkedin, Tumblr or MySpace. All three of those breaches are years old, but the scope of the intrusions (more than a half billion usernames and passwords leaked in total) only became apparent recently when the credentials were posted online at various sites and services.
It is about time security is done from the attacker perspective. Yes, it is a good idea to think that "if an attacker can do it, we can do it too and disable accounts we can compromise". Running widespread password lists against your own password database is a good security practice and you are indeed helping your users much more than trying to enforce a stupid password policy.
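The check the comment above recommends, as an added example that is not part of this thread and not code from Netflix, Facebook or any of the sites named in the story: it assumes a user store of per-user salted PBKDF2-SHA256 hashes (salt and iteration count are illustrative) and a leaked dump in the common `email:password` line format; the user records and dump lines are constructed for the example. Because every user has a different salt, a leaked plaintext cannot be matched by hashing it once; it has to be re-hashed with the salt of the matching account, so the code only spends hashing cost on e-mail addresses that actually exist in the store.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000  # illustrative; use the parameters of your real store


def hash_password(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Derive the stored verifier for one password with that user's salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_user_record(password: str) -> dict:
    """Build a per-user record with a fresh random salt (constructed sample data)."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


# Constructed user store keyed by normalized (lower-case) e-mail; not real accounts.
USER_DB = {
    "alice@example.com": make_user_record("correct horse battery staple"),
    "bob@example.com": make_user_record("hunter2"),
    "carol@example.com": make_user_record("Tr0ub4dor&3"),
}

# Constructed excerpt of a credential dump in "email:password" form.
LEAKED_LINES = [
    "alice@example.com:correct horse battery staple",  # same password reused -> reset
    "BOB@example.com:hunter2",                          # e-mail case differs, still a match
    "carol@example.com:Tr0ub4dor&2",                    # different password -> not flagged
    "dave@example.com:letmein",                         # not one of our users -> ignored
    "malformed line without separator",                 # unparsable -> skipped
    "eve@example.com:pass:with:colons",                 # split on the first ':' only
]


def parse_dump_line(line: str):
    """Return (email, password) for a dump line, or None if it has no separator.

    Passwords may themselves contain ':', so only the first one is a separator.
    """
    email, sep, password = line.partition(":")
    if not sep or not email.strip():
        return None
    return email.strip().lower(), password


def find_reused_credentials(user_db: dict, leaked_lines) -> list:
    """Return the sorted e-mails whose current password equals a leaked one.

    Only addresses present in user_db are hashed, so the cost is bounded by the
    overlap between the dump and the store rather than by the dump's size.
    """
    flagged = set()
    for line in leaked_lines:
        parsed = parse_dump_line(line)
        if parsed is None:
            continue
        email, leaked_password = parsed
        record = user_db.get(email)
        if record is None:
            continue  # not our user; no hashing cost spent
        candidate = hash_password(leaked_password, record["salt"])
        # Constant-time comparison, same as a normal login check.
        if hmac.compare_digest(candidate, record["hash"]):
            flagged.add(email)
    return sorted(flagged)


if __name__ == "__main__":
    for email in find_reused_credentials(USER_DB, LEAKED_LINES):
        print(f"force password reset: {email}")
```

Running it flags only the two accounts whose current password appears beside their address in the dump; the accounts are then queued for a forced reset rather than disabled outright, and the dump itself should be discarded once the pass is complete.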
I keep track of over 200 passwords, using a password manager. Why aren't you?
You mean a password manager like KeePass, where the developer has explicitly and publicly chosen ad revenue over security?
Or just one like LastPass, that "only" suffered a plain ol' fashioned data breach?
Hey, I'll admit carrying all those eggs in the same basket looks a lot more convenient than carrying them one by one. But some of us would rather only risk dropping them one at a time, than all 200 at once.