undefined | Better HN

0 pointsryanlol8y ago0 comments

>most users are probably still using the same password for their email as they used for LinkedIn in 2012

This is absolutely not true.

0 comments

Oh yes it is, we have around 200k users and fighting with old leaked passwords is like a full time job. Very easy to abuse as well, the attackers can make low frequency requests from scattered IPs and thus are almost impoasible to prevent

ryanlolOP8y ago

I made a very specific claim which I can back up with actual data if necessary.

I will make that claim even more specific:

Less than 5% of the email:password combinations in the linkedin dump work today as email logins. “most” suggests a far higher success rate.

Godel_unicode8y ago

You added a predicate not present in the statement you replied to, "where mailprovider like LinkedIn_dump.mailprovider". Anecdotally, in authorized enterprise password audits I am frequently forced to remind people who were part of that breach that they need to change all instances of their compromised password, not just the one for the email they used in the breach. Maltego is a thing.

Also, with regard to your claim to have data about which passwords work. You should be aware that accessing someone's account with their username:password without permission (even a breached password) is likely illegal in the United States under the CFAA.

nerpderp838y ago

Identity aware proxy. User has to auth over http, then mail client can connect to IAP and ultimately to mail. And or two factor. Giving the user 10% easier usage gives the sysadmins 200% harder job. Take away the 10%.

1 more reply

kakarot8y ago

What? That is totally true.

Most users that reuse passwords statistically did not rotate their passwords across all websites because most users that reuse passwords statistically do not rotate their passwords.

We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

ryanlolOP8y ago

>We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

I have absolutely no idea what you mean.

>most users are probably still using the same password for their email as they used for LinkedIn in 2012.

Suggests that more than 50% of all users currently use their 2012 linkedin password as their email password, which is absolutely not true.

j / k navigate · click thread line to collapse

0 comments

andris98y ago

ryanlolOP8y ago

I made a very specific claim which I can back up with actual data if necessary.

I will make that claim even more specific:

Less than 5% of the email:password combinations in the linkedin dump work today as email logins. “most” suggests a far higher success rate.

Godel_unicode8y ago

nerpderp838y ago

1 more reply

kakarot8y ago

What? That is totally true.

Most users that reuse passwords statistically did not rotate their passwords across all websites because most users that reuse passwords statistically do not rotate their passwords.

We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

ryanlolOP8y ago

>We aren't talking about the overall Linkedin userbase, just that specific subset that reuses passwords for secure services.

I have absolutely no idea what you mean.

>most users are probably still using the same password for their email as they used for LinkedIn in 2012.

Suggests that more than 50% of all users currently use their 2012 linkedin password as their email password, which is absolutely not true.

j / k navigate · click thread line to collapse