undefined | Better HN

0 pointsandris98y ago0 comments

In the age of password leaks it is really common that email accounts are easy targets and get hijacked – most users are probably still using the same password for their email as they used for LinkedIn in 2012. So it might happen from time to time that an otherwise normal account suddenly sends 20 000 emails to hotmail.com unless you have somehow predicted that and configured the mail server to not allow it.

0 comments

ryanlol8y ago

>most users are probably still using the same password for their email as they used for LinkedIn in 2012

This is absolutely not true.

andris9OP8y ago

Oh yes it is, we have around 200k users and fighting with old leaked passwords is like a full time job. Very easy to abuse as well, the attackers can make low frequency requests from scattered IPs and thus are almost impoasible to prevent

ryanlol8y ago

I made a very specific claim which I can back up with actual data if necessary.

I will make that claim even more specific:

Less than 5% of the email:password combinations in the linkedin dump work today as email logins. “most” suggests a far higher success rate.

2 more replies

nerpderp838y ago

Identity aware proxy. User has to auth over http, then mail client can connect to IAP and ultimately to mail. And or two factor. Giving the user 10% easier usage gives the sysadmins 200% harder job. Take away the 10%.

1 more reply

kakarot8y ago

What? That is totally true.

Most users that reuse passwords statistically did not rotate their passwords across all websites because most users that reuse passwords statistically do not rotate their passwords.

We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

ryanlol8y ago

>We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

I have absolutely no idea what you mean.

>most users are probably still using the same password for their email as they used for LinkedIn in 2012.

Suggests that more than 50% of all users currently use their 2012 linkedin password as their email password, which is absolutely not true.

j / k navigate · click thread line to collapse

0 comments

ryanlol8y ago

>most users are probably still using the same password for their email as they used for LinkedIn in 2012

This is absolutely not true.

andris9OP8y ago

ryanlol8y ago

I made a very specific claim which I can back up with actual data if necessary.

I will make that claim even more specific:

Less than 5% of the email:password combinations in the linkedin dump work today as email logins. “most” suggests a far higher success rate.

2 more replies

nerpderp838y ago

1 more reply

kakarot8y ago

What? That is totally true.

Most users that reuse passwords statistically did not rotate their passwords across all websites because most users that reuse passwords statistically do not rotate their passwords.

We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

ryanlol8y ago

>We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

I have absolutely no idea what you mean.

>most users are probably still using the same password for their email as they used for LinkedIn in 2012.

Suggests that more than 50% of all users currently use their 2012 linkedin password as their email password, which is absolutely not true.

j / k navigate · click thread line to collapse