Slashdot Mirror


Chrome Can Tell You if Your Passwords Have Been Compromised (engadget.com)

An anonymous reader shares a report: Given the frequency of hacks and data leaks these days, chances are good at least one of your passwords has been released to the wild. A new Chrome extension released by Google today makes it a little easier to stay on top of that: Once installed, Password Checkup will simply sit in your Chrome browser and alert you if you enter a username / password combination that Google "knows to be unsafe." The company says it has a database of 4 billion credentials that have been compromised in various data breaches that it can check against. When the extension detects an insecure password, it'll prompt you with a big red dialog box to immediately update your info. It's handy, but users might wonder exactly what Google can see -- to that end, Google says that the extension "never reveal[s] this personal information."

90 comments

  1. Old Solution by Anonymous Coward · · Score: 3, Interesting

    The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

    1. Re:Old Solution by Oswald+McWeany · · Score: 2

      The correct way to go about it would be to advise users if their password is on known data breaches whether it is associated with the username or not. Otherwise this extension could be used to mine credentials out of whatever database google is using.

      Indeed; I don't want to give Chrome my username or credentials. Granted, it could scrape my username when I log in places, but I'm assuming that is too low, even for Google.

      --
      "That's the way to do it" - Punch
    2. Re:Old Solution by sabri · · Score: 3, Informative

      Why link to Engadget when you can link to the actual article itself? https://security.googleblog.co...

      Must be kickbacks to msmash.

      --
      I'm not a complete idiot... Some parts are missing.
    3. Re:Old Solution by Immerman · · Score: 2

      > I don't want to give Chrome my username or credentials.
      Then don't use Chrome. Google is a surveillance-and-marketing company, and you have absolutely no idea what their browser might be doing behind the scenes.

      As it is though, there's no particular reason to believe Chrome is sending your username and password anywhere but to the website you intended - that would be a liability nightmare, and I'm not seeing any profit to be made. The proper way to do this would be to generate an irreversible hash of your username and password pair, and send that to be looked up in their database. Then they send back any pairs found with a matching hash for comparison on your computer.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    4. Re:Old Solution by Immerman · · Score: 1

      >Otherwise this extension could be used to mine credentials out of whatever database google is using.

      Except that the database is of credentials already known to be compromised - there's no need to "mine" them, just go download the same publicly available databases of compromised credentials that Google did.

      It would likely be good to also let people know if their password alone is compromised - but given the difficulty of composing a short, memorable password, the answer for most people most of the time will probably usually be "yes". Because someone else used the same password in some other account that was compromised.

      More valuable would be to let you know how popular your password really is - if it appears in the list of top 100 passwords (or even 1 million), then the security it offers is likely minimal if someone tries to brute-force the account.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    5. Re: Old Solution by Anonymous Coward · · Score: 0

      There goes my plan to use the same password at every site but a different email address. Thanks.

  2. So, how does it work? by Anonymous Coward · · Score: 4, Insightful

    How does it work? Does it keep a local database of 4 billion compromised credentials and checks against them? Or, let me guess, it uploads all of my passwords to a Google-controlled server to check if they are secure? Hmm, I wonder what could go wrong with this plan.

    1. Re:So, how does it work? by jellomizer · · Score: 1

      I guess you could just download them by login name. And then match it locally. Still bad, but not as bad as sending up your credentials to Google and trust they will be doing the right thing with them.

      Of course... I wonder if you could use it to gain access to someone else's account who has been hacked... Still a bad idea.

      --
      If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    2. Re:So, how does it work? by darkain · · Score: 2

      they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

    3. Re:So, how does it work? by Dynedain · · Score: 5, Informative

      You could read the article or the original blog post:
      https://security.googleblog.co...

      Basically they hash your passwords locally, and compare the first few characters of the hash against the hashes in the database. If there are possible matches the full hashes are downloaded to your browser for further comparison.

      Your full plaintext password and full hashed password are never sent to Google.

      There's a nice diagram on the blog post that explains everything at a fairly deep level.

      --
      I'm out of my mind right now, but feel free to leave a message.....
    4. Re:So, how does it work? by Oswald+McWeany · · Score: 2

      they are called hashes, and have been used forever. google doesn't need to store user passwords in their database or transmit them over the wire at all. google simply stores a hash of the username+password combination. when you enter credentials, that same hash is generated locally, then the resulting hash is transmitted over the wire and checked against the database. this is trivial to implement these days.

      True, but "doesn't need to" does not equal "won't".

      --
      "That's the way to do it" - Punch
    5. Re:So, how does it work? by DickBreath · · Score: 1

      > Your full plaintext password and full hashed password are never sent to Google.

      Let's try this experiment. But for real.

      I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

      Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

      Using the Pixelbook (which is Chrome OS, of course, and thus Chrome), I am able to go to my favorite web sites, and -- like magic! -- Chrome conveniently knows my login credentials to those sites. How do you suppose that happened? My Pixelbook is on my home or other network. My Chrome browser which originally learned the credentials is on a much more secure network at work.

      --

      I'll see your senator, and I'll raise you two judges.
    6. Re:So, how does it work? by darkain · · Score: 2

      Did you enable profile syncing between devices? Chrome already supports password sync features, which can 1) be disabled, and 2) be entirely unavailable if not logged into the syncing services at all.

    7. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Not sure why you're ignoring the context of the reply, since this is a post about a new extension...

      It happened because you configured it to do so, it's right there in the Sync settings. Even then, Google does not receive the plaintext password, it is encrypted.

      You can even change the encryption key used for those passwords.

    8. Re:So, how does it work? by chispito · · Score: 1

      google simply stores a hash of the username+password combination.

      No, the user name is ignored. All that matters is if the password appears in a breach and is likely to be in a dictionary.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    9. Re:So, how does it work? by Anonymous Coward · · Score: 0

      You could read the article or the original blog post:

      Speaking of security: it's amusing that I had to tell FF uMatrix to allow a bunch of JS on that page just to read it.

    10. Re:So, how does it work? by sexconker · · Score: 5, Informative

      They're probably stealing HIBP's work. https://haveibeenpwned.com/Pas...
      Though they're also probably stealing your passwords. It is Google, after all.

      HIBP maintains a DB of credentials they find exposed in dumps.
      HIBP hashes them with SHA1.
      HIBP provides an API.
      You hash your password with SHA1.
      You send the first 5 characters of that hash to HIBP's API.
      HIBP looks up all of its SHA1 password hashes and finds all the ones starting with those 5 characters.
      HIBP returns those matching hashes (excluding the first 5 characters, which you already know) and a count of how many times each was found in a dump.
      You search through that list of SHA1 hashes and find the one that's a complete match.
      You then know your password (or something that produces a SHA1 collision with it) has been exposed X times, or not at all.

      Go to https://haveibeenpwned.com/Pas... and open your network console.
      Put "sexy" in the field.
      The SHA1 hash of "sexy" is BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990.
      Your browser sends a GET request for https://api.pwnedpasswords.com....
      The response includes C18DFBCA6FF28E36AC47BDA8AB40D47C990:104937.

      Passwords with a SHA1 hash of BF5AFC18DFBCA6FF28E36AC47BDA8AB40D47C990 (such as "sexy") have been found in credential dumps 104937 times.

      If you don't trust HIBP with even a partial hash of your PW, you can download the 30+ GB text file and do it your damned self. Or use a program locally. Several password managers offer functionality (natively or via plugins) for this.
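
The range lookup sexconker walks through above (and that chispito describes further down) as an added example; this is not code from the original thread, from HIBP or from Google. The client hashes locally, sends only the 5-character prefix, parses the `SUFFIX:COUNT` lines and does the full comparison itself; the remote service is replaced by `constructed_fetch_range`, an in-memory stand-in built from a made-up breach list with made-up counts (all assumptions), so the block runs offline.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # hex characters of the SHA-1 digest that leave the client


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password, the form the HIBP list uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char hex digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = digest.upper()
    if len(digest) != 40:
        raise ValueError("expected a 40-character hex SHA-1 digest")
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}.

    Blank lines and CRLF endings are tolerated; a malformed line raises rather
    than silently dropping a candidate, so a truncated response is noticed.
    """
    matches: Dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep or len(suffix) != 40 - PREFIX_LEN or not count.isdigit():
            raise ValueError(f"malformed range line: {raw!r}")
        matches[suffix.upper()] = int(count)
    return matches


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the dumps (0 = no match).

    Only the prefix is handed to fetch_range; the service sees one of 16**5
    buckets, not the password, and the suffix comparison happens here.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    candidates = parse_range_response(fetch_range(prefix))
    return candidates.get(suffix, 0)


# --- Constructed stand-in for the remote service (assumption: no network). ---
# Made-up breach list and made-up counts, hashed the same way the real list is.
CONSTRUCTED_DUMP: Dict[str, int] = {
    "password": 3730471,
    "letmein": 236597,
    "correcthorsebatterystaple": 121,
}


def build_constructed_index(dump: Dict[str, int]) -> Dict[str, List[str]]:
    """Group the dump's SHA-1 suffixes by 5-char prefix, as the range API serves them."""
    index: Dict[str, List[str]] = {}
    for pw, count in dump.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append(f"{suffix}:{count}")
    return index


CONSTRUCTED_INDEX = build_constructed_index(CONSTRUCTED_DUMP)


def constructed_fetch_range(prefix: str) -> str:
    """Stand-in for the range endpoint: every stored suffix sharing the prefix, CRLF-joined."""
    return "\r\n".join(CONSTRUCTED_INDEX.get(prefix.upper(), []))


def demo() -> Dict[str, int]:
    """Check one breached, one breached and one never-seen (constructed) password."""
    return {pw: check_password(pw, constructed_fetch_range)
            for pw in ("password", "letmein", "uncompromised-pw-xyz")}


if __name__ == "__main__":
    for pw, seen in demo().items():
        print(f"{pw!r}: {'seen %d times' % seen if seen else 'no match'}")
```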

    11. Re:So, how does it work? by sexconker · · Score: 1

      Ah yes, change the encryption key for the passwords, then send that key to Google so they can update the encryption on your other devices.

      Anyone using that shit is so fucking stupid.

    12. Re:So, how does it work? by Anubis+IV · · Score: 1

      You just bought a new car and asked the dealership to move everything from your old car over to the new car, and now you're shocked—shocked—that they actually did so, despite their repair shop's promise that it will never touch their clients' stuff while doing repairs?

      I'm no fan of Google, but what you're saying is absurd. You literally asked Google to move your passwords from one device to another (which they do via encrypted communication, as an aside), so it should come as no surprise that they did so. That they did so in their sync service speaks in no way to how this unrelated extension handles its data.

    13. Re:So, how does it work? by Immerman · · Score: 1

      Indeed.

      Firefox has a similar option. Very convenient, so long as you don't mind your passwords and bookmarks being stored in their database where they can be hacked or mined by bad actors.

      Firefox used to have the option of locally encrypting everything so that it would be completely inaccessible on the server without the encryption key that only you knew. Of course that also means that if you forgot your key there was no way for them to help you recover the synced data, which as I recall was the excuse they gave when they removed the option.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    14. Re:So, how does it work? by Anonymous Coward · · Score: 0

      And based on that description, they are totally using this behind the scenes: https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange

    15. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Your full plaintext password and full hashed password are never sent to Google.

      So says Google. As a user you either have to trust them, or monitor their activity to confirm. I don't trust Google.

    16. Re:So, how does it work? by thegarbz · · Score: 3, Insightful

      Let's try this experiment. But for real.

      I use Chrome on a work computer. I log in to some web sites and Chrome conveniently remembers my passwords for those sites.

      Last April I get a shiny new Google Pixelbook. (think: glorified web browser with 8 GB, core i5 and 128 GB SSD -- unless you put it in developer mode effectively rooting it so it can do useful things)

      Using the Pixelbook (which is Chrome OS, of course, and thus Chrome), I am able to go to my favorite web sites, and -- like magic! -- Chrome conveniently knows my login credentials to those sites.

      Hmmm didn't work for me. But then I didn't enable the completely optional feature of password synchronisation which is literally the second setting in Chrome underneath where you select your Google account.

    17. Re:So, how does it work? by Anonymous Coward · · Score: 0

      You appear to be disagreeing with the article summary: "and alert you if you enter a username / password combination that Google 'knows to be unsafe.'"

    18. Re:So, how does it work? by skids · · Score: 1

      Obligatory wish-i-had-mod-points reply.

      Always good to know who should get credit for an idea, and whether there are alternative services. Thanks.

    19. Re:So, how does it work? by chispito · · Score: 1

      You appear to be disagreeing with the article summary: "and alert you if you enter a username / password combination that Google 'knows to be unsafe.'"

      I looked and I also appear to be disagreeing with the source Google blog post. I guess they are matching UN/PW.

      --
      The Daddy casts sleep on the Baby. The Baby resists!
    20. Re:So, how does it work? by DickBreath · · Score: 1

      I'm not shocked at all. I expected it to behave that way. And yes, I did have Sync turned on. I'm just pointing out that Google ultimately can get your plaintext passwords.

      --

      I'll see your senator, and I'll raise you two judges.
    21. Re:So, how does it work? by brunes69 · · Score: 1

      Chrome lets you sync your passwords to the cloud. They are encrypted with your Google account password, Google can't read them.

    22. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Troy Hunt is the guy behind HIBP. Based on his track record, I'd rather trust HIBP than Google. He also has a good blog.

    23. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Google doesn't update the key on your other devices, you have to enter it separately each time you log in on a new device.

      You're not nearly as clever as you think you are.

    24. Re:So, how does it work? by Anonymous Coward · · Score: 0

      I'm a bit doubtful they're using this data. Google says they are combining your email and the password used, HIBP does not combine these anywhere, you can see if your email appeared somewhere or if your password appeared somewhere, but not both. Google would constantly be getting false positives.

    25. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Google can read them if you encrypt with your account password, it's one of the reasons they can be viewed on passwords.google.com. Google cannot read them if you use a sync key, and they will only end up synchronized between browsers. Look up Google Chrome Privacy Whitepaper, there are quite a few features that stop working or work differently if you use your own sync passphrase instead of your Google Password.

    26. Re:So, how does it work? by Anonymous Coward · · Score: 0

      Fucking retard.

      If you use this extension, you are *already running Google's Chrome browser* and *trusting it with everything* including *passwords, CC numbers, name, address, SSN etc.*.

      So regardless of Google's evil level, this gives them *nothing* they do not already have.

      Understand?

      The stupidity level of /. increases every fucking day.

  3. Is the check done locally? by Anonymous Coward · · Score: 0

    Is the check done locally or does it query a remote db/host ? If it is the latter, it means that it transmits your password to a 3rd party. This is a big no-no for me.

  4. interesting... by CrimsonAvenger · · Score: 2, Interesting
    So, if I try name/password combinations till I get a hit, Google will tell me I've gotten a hit (on someone's account, somewhere).

    If it tells me where the UID/Pwd combo exists, I can then change someone's password for them? That could be useful....

    --

    "I do not agree with what you say, but I will defend to the death your right to say it"
    1. Re:interesting... by Anonymous Coward · · Score: 0

      They have brute force limitations to make that difficult.

    2. Re:interesting... by Zmobie · · Score: 1

      Kind of my thoughts. If the right script were used this is essentially a massive rainbow table... Even if they have brute forcing limitations, with the right proxies and such it could be circumvented. Hell even a group of hackers could do some coordinated efforts and essentially unmask much of their database without having to do all that pesky pre-computing or data hosting... Not sure I like this idea...

    3. Re:interesting... by Anonymous Coward · · Score: 2, Insightful

      Somebody could put in the effort to do that, or they could go the much easier route of using the original password dumps found on various nefarious websites.

    4. Re:interesting... by sexconker · · Score: 1

      Do they? Has it been tested? Google isn't exactly known for their rigor.

    5. Re:interesting... by Immerman · · Score: 2

      Why go through all that effort? Just go download the same database(s) Google did and get all the compromised credentials in plain text - it's publicly available on various hacker sites after all.

      That's the whole point - Google is warning you that your credentials are already public knowledge among criminals and intelligence agencies.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    6. Re:interesting... by Anonymous Coward · · Score: 0

      > criminals and intelligence agencies.

      Redundant.

  5. What *can* Google see? by Immerman · · Score: 3, Informative

    Google *can* see everything you do with Chrome - every click, every keystroke, every image you linger on a bit longer than is seemly. That capability is well within their ability, aka they *can* do it. The real question is how much of that they *choose* to collect and send back home, rather than simply having the ability to do so.

    This seems like it should be benign enough though - not much advantage to be gained collecting this information (and a lot of potential liability and bad PR), and it's simple enough to hash a name/password combination and send it back to the server in order to retrieve any/all pairs with a matching hash for comparison on your computer.

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
    1. Re:What *can* Google see? by 110010001000 · · Score: 0

      Why is this a surprise? Any software can *see* what you are doing. That is why you run closed source software at your own risk. You have zero idea what it could be doing. The only closed source software I use is the HOST FILES ENGINE by Apk.

    2. Re:What *can* Google see? by Anonymous Coward · · Score: 0

      a lot more information gets sent to google than anyone, including you, realizes or understands.

      facebook, amazon, microsoft, google, apple. the five (corporate) eyes.

      give them nothing. if you must, give them as little as fucking possible.

    3. Re: What *can* Google see? by Anonymous Coward · · Score: 0

      If you use the web at all you're giving them something. Fonts, frameworks, libraries, browser fingerprints, et cetera.

      You aren't avoiding Scroogle and Bookface, period.

      But not being a dumbass and not using the shitware that is Chrome is still a good idea.

    4. Re:What *can* Google see? by Anonymous Coward · · Score: 0

      If you're going to shill, the least you can do is get the file name right.

      etc> cat /etc/host
      cat: /etc/host: No such file or directory
      etc> cat /etc/hosts
      # Copyright (c) 1993-2009 Microsoft Corp.
      #
      # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
      #

    5. Re:What *can* Google see? by Oswald+McWeany · · Score: 1

      Why is this a surprise? Any software can *see* what you are doing. That is why you run closed source software at your own risk. You have zero idea what it could be doing. The only closed source software I use is the HOST FILES ENGINE by Apk.

      Yes, because that's guaranteed not to contain a Trojan. He has told us so many times to trust him and his software that he must be trustworthy.

      --
      "That's the way to do it" - Punch
    6. Re:What *can* Google see? by 110010001000 · · Score: 1

      Obviously. No one would lie on the Internet.

  6. And the common passwords too? by gurps_npc · · Score: 1

    Most useful if it also stops people from using 1234567 as their password

    --
    excitingthingstodo.blogspot.com
    1. Re:And the common passwords too? by Anonymous Coward · · Score: 0

      Shit, I need to change the combination on my luggage...

    2. Re:And the common passwords too? by Ksevio · · Score: 1

      The blog post says they don't alert you if you use a weak password like "123456", just if it matches credentials found in a breach

  7. Info. by grep+-v+'.*'+* · · Score: 2
    --
    If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    1. Re:Info. by Anonymous Coward · · Score: 0

      Yeah, I really believe Google when they say they don't spy on me.

  8. So a hash of your password goes to the cloud? by Anonymous Coward · · Score: 0

    Anyone with a copy of Google's back end database (such as an intelligence service) and who is also able to intercept the database query, will know your password.

    1. Re:So a hash of your password goes to the cloud? by Anonymous Coward · · Score: 0

      And depending on the hash, one might not even need the database but a rainbow table.

    2. Re:So a hash of your password goes to the cloud? by Immerman · · Score: 2

      Only if your compromised credentials are in the database, in which case they already have them and nothing is gained by monitoring your query.

      Besides which, the database is itself already publicly available on cracker sites, that's the point. Google is simply checking to see if your credentials are already public knowledge.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  9. Can it do the opposite? by apoc.famine · · Score: 1

    If I need a throwaway or temporary account, can it hook me up?

    --
    Velociraptor = Distiraptor / Timeraptor
  10. Give me all your passwords by rtkluttz · · Score: 2, Insightful

    I'll monitor my own shit thank you. I trust YOU (Google) even less than the bad guys.

    --
    Digital is, by definition, imperfect. Analog is the way to go.
    1. Re:Give me all your passwords by Anonymous Coward · · Score: 0

      Anyone who uses the save password feature on Chrome is an id10t.

    2. Re:Give me all your passwords by Anonymous Coward · · Score: 0

      Anyone who uses Chrome at all is an id10t.

    3. Re:Give me all your passwords by swillden · · Score: 1

      I'll monitor my own shit thank you. I trust YOU (Google) even less than the bad guys.

      If you use Chrome, you trust Google.

      You may not trust Google in the sense of "trust" that means you have a feeling of confidence that they are likely to act correctly. But you absolutely trust Google in the sense that you're performing actions that depend on their acting correctly. Anyone who is willing to type passwords into Chrome, but unwilling for security reasons to let this extension check their passwords in the careful, secure way that it does (which doesn't involve sending a copy of your information to Google, RTFA) hasn't thought the question through.

      Anything you type into network-connected application or device X is potentially revealed to whoever built X. So you place deep trust in the author(s) of whatever browser you use, unless you don't use your browser for anything important.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    4. Re:Give me all your passwords by Anonymous Coward · · Score: 0

      I let it save one of my passwords.

      Admittedly, it's to an intranet site, and the user/pw combo is shared by everyone in the department, and it would be so easy to rainbow table.

  11. Re:Say... by Anonymous Coward · · Score: 0

    Exactly why you shouldn't trust google!

  12. Could just be a hash... by SuperKendall · · Score: 2

    It could just upload a hash of your password... but even so I would not want my username going up with even just a hash to anywhere but where I am logging in.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Could just be a hash... by Immerman · · Score: 2

      More likely it uploads a hash of your combined username+password. After all, there's nothing to be gained by sending the username in plain text.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:Could just be a hash... by SuperKendall · · Score: 1

      That seems like a good idea, although the full statement is there is nothing to be gained by YOU sending the username in plain text...

      I still would be uncomfortable even with that though, because in theory someone could brute-force reverse the hash and then they would have both things.

      --
      "There is more worth loving than we have strength to love." - Brian Jay Stanley
    3. Re:Could just be a hash... by Immerman · · Score: 1

      I figured there's nothing to be gained by *them* by collecting it. They already get to watch everything you do on the website in question, how are they going to profit from storing your log-in credentials as well? I mean sure, "all surveillance data is good data", but in this case exposing it, or even collecting it without your permission, might put them in some legal hot water. What's the payoff to justify the risk?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  13. LOL by Anonymous Coward · · Score: 1

    It's the old, "Please enter your credit card details and we'll check to see if they're compromised" trick, except they're just swiping the logins from the browser without going to the trouble of social engineering the user.

    What protection does the user have when the device itself is the threat, and not some nefarious third party?

    1. Re:LOL by Immerman · · Score: 1

      Not quite - they're sending a partial hash of your credentials in order to look for matches in the already public databases of compromised accounts that they've assembled from hacker sites. If they find any possible matches, then they send those back to your browser for a full comparison.

      That said, there's not much stopping them from doing what you suggest except some bad press

      >What protection does the user have when the device itself is the threat, and not some nefarious third party?

      None whatsoever. There's no possible defense against compromised hardware or operating system except not using it. Which is why the fact that there's reason to believe almost every microprocessor on the planet may be compromised is so worrying. And just how well do you trust Microsoft, Google, Apple, etc. to police their programmers and codebase to prevent anyone who's also working for an intelligence or criminal organization from burying intentional backdoors or other malicious code?

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
  14. I'm safe by bob4u2c · · Score: 1

    I got an email that took me to a web page where they offered to check all my username/password combinations. I'm happy to say I'm good, no matches found.

    1. Re:I'm safe by dfsmith · · Score: 1

      What a fantastic service! I wonder if they offer a password-changing option as well?

  15. Hashed by KalvinB · · Score: 1

    Google is comparing against known usernames and passwords, which means the passwords are salted and hashed.

    When you put in a username and password, it salts and hashes them the same way and then checks the database.

    They don't need your plaintext password to check since they have the plaintext compromised passwords.

    That allows them to hash both in a known secure method.

    1. Re:Hashed by Ksevio · · Score: 1

      It's actually even better than that - you only send part of your hash and they return anything with that prefix encrypted. You then encrypt your username/password and send it to them, they encrypt it again and send it back, then you unencrypt it to get a string that can be compared against the list of encrypted passwords they sent originally.

  16. Not the right solution by Anonymous Coward · · Score: 0

    Doesn't make much sense to wait for a user to go to a site to alert him if his credentials have been compromised.

    It seems to me it would make more sense for Chrome to *proactively* go over all of the credentials **it has already saved locally and knows about** and provide the user with a report showing which are known to have been compromised. If I only go to Yahoo Mail (I know, I know, just an example) once a month, then why wait a month for me to go to the site when they already have the credentials that could be checked at any time (since they've been saved and Chrome knows how to decrypt--since it can autofill them)?

  17. HASHING, DUMBASS. by Anonymous Coward · · Score: 0

    HASHING. LOOK IT UP.

  18. HaveIBeenPwned (Troy Hunt) Has a Novel Solution by chispito · · Score: 1

    Troy Hunt has a really nice solution for this on his HaveIBeenPwned site. He has an API that allows you to submit a partial hash of your password (the first half of the SHA1 of your password) and then the API returns a list of complete hashes that have appeared in a breach. You can check out his about page here.

    The reasoning is that you are not providing your complete password hash, so both his site and an eavesdropper would not know if your password actually appears in that list or not. Only you know, and the list that is returned averages about 450-500 complete hashes. It would give an attacker with a rainbow table a starting point, but then you'd also know if your password appears in a dictionary or breach and should be changed.

    --
    The Daddy casts sleep on the Baby. The Baby resists!
    1. Re:HaveIBeenPwned (Troy Hunt) Has a Novel Solution by Anonymous Coward · · Score: 0

      If you read the blog post by Google: https://security.googleblog.com/2019/02/protect-your-accounts-from-data.html the way this works sounds suspiciously like the half-a-dozen similar extensions that also use that same HIBP password list.

  19. Does anyone trust any of these? by Anonymous Coward · · Score: 0

    They run entirely counter to everything we know about security.

    > Give us your login ID and password and we'll tell you whether they've been compromised. (snicker, snicker)
    type, type, type. Submit.

    > Yup, that one's been compromised now. Give us another one.
    type, type, type. Submit.

    > Yup, that one's been compromised now. Give us another one. How about your bank this time?

    1. Re:Does anyone trust any of these? by Anonymous Coward · · Score: 0

      So, you're worried about giving your userid/password to a Google written Chrome Browser extension, but *not* concerned about giving it to the Google written Chrome browser itself?

      Retardus maximus.

  20. Haha by KlomDark · · Score: 1

    Hell no.

    Trust your passwords to data miners? Even after their "we didn't mean to do it" escapade of scanning everyone's wifi while driving by with the Google Maps car.

    About done with Chrome all the way. Currently posting with Firefox, it's gotten a lot better again.

    1. Re:Haha by Immerman · · Score: 1

      If you're using Chrome, then you're implicitly trusting Google with 100% of the information about everything you do with your browser. They *probably* aren't sending all that information home, but the only thing stopping them is their own integrity.

      Ditto if you use Android - you're trusting Google not to monitor everything you do, they have the power.
      And how do you feel about Microsoft? Apple? By using their OS you're trusting them with complete information about everything you do on your computer.

      --
      --- Most topics have many sides worth arguing, allow me to take one opposite you.
    2. Re:Haha by KlomDark · · Score: 1

      And as I said: About done with Chrome all the way. Currently posting with Firefox, it's gotten a lot better again.

      Strangely, I trust Microsoft more than I do Google.

      I remember thinking the Internet was going to be this great thing that freed everyone's minds, but now it's just become a nasty surveillance trap. I has a sad. Especially for my grandchildren having to grow up in this world, never knowing the pre-9/11 mindset.

  21. Nice try, by LordHighExecutioner · · Score: 1

    ...NSA^H^H^HGoogle.

  22. just. wow. by kamakazi · · Score: 1

    Way back when HTML was invented they specified an input type that browsers aren't even supposed to show on screen. The web wasn't secure, and a password input field didn't make anything safe, but it at least recognized the over-the-shoulder attack.
    Since then web site operators have been doing things to attempt to make your communication with them more secure, various JavaScript handlers and encrypted connections, etc. Of course these things range from well implemented to actually less secure, but at least the security or lack thereof was between you and the web site.
    Now Google is actually releasing an official extension that is scraping those password fields on every website and handing off to a backend processor. I imagine that Google is passing hashes around, via an encrypted channel, but the fact is that at least on your computer that password exists in plain text in a browser extension that automatically processes every page you load.
    They obviously can't put the database in the extension, so it has to pass identifiable information back to Google. Sure, it is encrypted information. Sure, it is probably some hash, not a clear text username and password, but it is a unique pair of tokens that have to remain unique going to a monstrous company along with a few billion other people's unique identifiable tokens. Your password is no longer between you and the website, it is between you and the website and Google.
    I can't even find words.
    There is now an attack surface which includes all of your web passwords. An efficient password harvester no longer has to look for vulnerabilities in Drupal, and WordPress, and PHPBB, and your favorite JS framework of the week, they have a single target to rule them all.
    Geez, why don't we just issue government assigned passwords with social security numbers at birth. It would be more convenient for everyone.
    If Google wants to utilize this big dictionary of exploited passwords they should build a proper website where a person can go and type in their username and password, with clearly worded information explaining exactly what people are submitting and what will be done with it, and people can choose if they want to check their user/pass combinations.
    I suppose the next thing they will do with this extension is build a database of the most common actual passwords in use, stripped of usernames of course, so they can publish the authoritative list of passwords not to pick.

    --
    "Proximity to wonder has blunted our perception and appreciation of it" --Tim Hartnell in 'Exploring ARTIFICIAL INTELLI
    1. Re:just. wow. by Anonymous Coward · · Score: 0

      Preach on brother. I won't be using it.

      I wonder what the percentage of used possible combinations there are in that compromised list for all the variations (4 digits, 6 digits, 8 character, 8 character/number, etc). While that is insecure to begin with for a general password, some might still use it and there are other uses that do use lower limits like PINs. If someone uses this scheme for a 6 number PIN database lookup and 90% of the possible PINs are already in some compromised database list, then the attacker only needs to guess 10% of the total. The user would be pushed to pull from a smaller number of combinations.

      I can see the next attack... someone creates a database on purpose to get as many possible combinations on the do not use list.... leaving fewer combinations for hackers to go through. 100 years from now the only password left for a 10 character password might be 87&dfhjll(. Nope... everyone had to use that password and now it was compromised a few days later :).

  23. Re:Bullshit ... by Immerman · · Score: 1

    >how do you test for existence of a record in a database without bleeding out what you are checking?
    Easy.
    1) You take the username+password pair to be tested and feed them through an irreversible hashing algorithm to generate a pseudo-random number
    2) You query the database server for all compromised credentials matching that number
    3) The server sends back any matches, encrypted for added security if you want
    4) You compare all the potential matches found against your actual username and password.

    If your credentials aren't in the database, then there's no way to figure out what they actually are from the information transferred between computers.

    If your credentials *are* in the database, then they're already public knowledge, and leaking them further has no effect. (other than possibly identifying you as the account user - which is really the only reason you'd want encryption in step 3)

    --
    --- Most topics have many sides worth arguing, allow me to take one opposite you.
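The range-query scheme chispito describes in comment 18 and the four-step procedure Immerman lays out in comment 23 are the same idea: hash locally, query by a truncated hash, and finish the comparison at home. As an added example, not code from the thread, from Google or from HaveIBeenPwned, here is an offline Python simulation of both sides. The 5-hex-character prefix is the figure HIBP's published Pwned Passwords API uses; the breach corpus, the credential pairs and the `RangeQueryServer` / `is_breached` / `credential_token` names are constructed for this demo.

```python
"""
Added example (not code from the Slashdot thread, Google, or HaveIBeenPwned):
an offline simulation of the k-anonymity "range query" used for
compromised-credential checks. The client sends only the first 5 hex chars
of SHA-1(secret); the server answers with every hash suffix in that bucket;
the match is decided on the client. The breach corpus and the credential
pairs below are constructed for the demo.
"""
import hashlib
from typing import Dict, List

PREFIX_LEN = 5  # hex characters sent over the wire (HIBP's published value)
HEX_DIGITS = set("0123456789ABCDEF")


def sha1_hex(data: str) -> str:
    """Uppercase hex SHA-1, the digest format the HIBP range API uses."""
    return hashlib.sha1(data.encode("utf-8")).hexdigest().upper()


class RangeQueryServer:
    """Server side: stores only hashes, bucketed by prefix, and logs what it sees."""

    def __init__(self, breached_secrets: List[str]) -> None:
        self.index: Dict[str, List[str]] = {}
        self.requests: List[str] = []  # exactly what each query revealed to us
        for secret in breached_secrets:  # plaintext is discarded after hashing
            h = sha1_hex(secret)
            self.index.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])

    def range_query(self, prefix: str) -> List[str]:
        """Return every suffix in the bucket for `prefix`; refuse anything longer."""
        if len(prefix) != PREFIX_LEN or any(c not in HEX_DIGITS for c in prefix):
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.requests.append(prefix)
        return list(self.index.get(prefix, []))


def is_breached(server: RangeQueryServer, secret: str) -> bool:
    """Client side: hash locally, send the prefix only, compare suffixes locally."""
    full = sha1_hex(secret)
    prefix, suffix = full[:PREFIX_LEN], full[PREFIX_LEN:]
    return suffix in server.range_query(prefix)


def credential_token(username: str, password: str) -> str:
    """Immerman's variant: hash the username+password pair as one token.
    The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding;
    usernames are case-folded because most sites treat them that way."""
    return username.strip().lower() + "\x00" + password


def expected_bucket_size(corpus_size: int) -> float:
    """Average number of suffixes returned per query: corpus / 16**PREFIX_LEN.
    This is where the '450-500 hashes' figure in the thread comes from."""
    return corpus_size / float(16 ** PREFIX_LEN)


# Constructed corpora: a password-only list (HIBP style) and a pair list
# (Immerman style). Real corpora hold billions of entries; the logic is identical.
PASSWORD_SERVER = RangeQueryServer(["password", "123456", "letmein", "qwerty"])
PAIR_SERVER = RangeQueryServer([
    credential_token("alice@example.com", "hunter2"),
    credential_token("bob@example.com", "password"),
])


def password_is_breached(password: str) -> bool:
    return is_breached(PASSWORD_SERVER, password)


def pair_is_breached(username: str, password: str) -> bool:
    return is_breached(PAIR_SERVER, credential_token(username, password))


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print("%-30s breached=%s" % (pw, password_is_breached(pw)))
    print("alice/hunter2 pair breached:", pair_is_breached("alice@example.com", "hunter2"))
    print("server saw only:", PASSWORD_SERVER.requests + PAIR_SERVER.requests)
    print("avg bucket for 500M hashes: %.0f" % expected_bucket_size(500_000_000))
```

Two things the simulation makes visible. First, `server.requests` holds everything the server learned: five hex characters per lookup, so with a 500-million-entry corpus each query lands in a bucket of roughly 477 candidates and the server cannot tell which one, if any, was the client's. Second, as Immerman notes, a pair token only means something to the server when that pair is already in its corpus; what the server should treat as sensitive is the stream of prefixes, since a plain SHA-1 of a low-entropy secret is still brute-forceable offline, which is why a real deployment adds transport encryption and a slow, keyed hash on the pair rather than bare SHA-1.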
  24. It can also by Anonymous Coward · · Score: 0

    It can also tell us that Trump and both his campaign and administration have been compromised by the Russians by serving up legitimate news sites and blocking propaganda sites like Fox News.

  25. Like most major corporations these days by nehumanuscrede · · Score: 1

    What they SAY they're doing and what they ARE doing are likely Apples and Oranges.