Websites put so much effort into tracking every little thing about their users, from where they come from to what they do. Hotjar (https://hotjar.com) goes ahead and tracks mouse movements and now we even have crazy f-ed up startups like Peekmap (https://peekmap.com) that claim to predict eye gaze without the webcam.
And yet they get pwned so easily.
So much effort into violating user privacy, so little effort into enforcing user security.
This post looks almost like an ad. I hope, then, you are putting effort into "enforcing user security".
Emphasis on ‘claim’. Considering he built this product, it would insinuate they don’t actually have this capability and are instead selling lies, pipe dreams and bullshit.
This is very weird.....
EDIT: Nice to see their open development position is an unpaid internship.
Collecting data on users should be extremely risky, even if they consent to its collection.
This, to me, is the most pivotal part. Data was stolen in relation to you? Too bad, so sad.
> Collecting data on users should be extremely risky, even if they consent to its collection.
The problem is that it's been so normalised that it's become pedestrian. It's the new norm and no longer risky because "everyone's doing it".
Fines of up to 4% of yearly revenue are no joke: https://www.forbes.com/sites/bernardmarr/2018/06/11/gdpr-the...
I just can't imagine how you can reliably track a user's eye gaze without a webcam - is it just some snake oil pretending to solve everything with AI?
Sounds synonymous with "scum bag" to me, priansch.
But as he discusses in the post, that leaves users knowing that their email address was in the data dump, but with no way of knowing which site it came from, or what password was breached.
So while this increases the number of records in HIBP, and perhaps makes the password popularity tracker a bit more comprehensive, it still leaves users exposed.
I know which password of yours was breached, and that information is now effectively public, but you probably don’t know where to find it yourself, and I won’t tell you which one it was. So I guess just assume all your passwords are cracked and use a password manager.
I don’t really hold it against Troy, because again, I respect his decision not to store plains directly associated with usernames. He did as much as he was willing to with the data, and it’s better than nothing, but not great all the same.
If I was him I'd do the same. HIBP is a side project of his and I wouldn't be able to sleep at night knowing I have the responsibility of securing billions of email & password combinations.
At the risk of the breach of those accounts adding fuel to the credential stuffing fire and reducing his overall credibility when providing security advice which is his primary occupation.
Too risky.
I know one of the weak passwords I stupidly reuse everywhere was compromised, since I had someone buy something with my PayPal account. But it comes up as clean in the password search. So it was probably cracked from one of the leaked hashes, but the plain text was never entered into the public dumps.
If you're as paranoid as you should be, then you can use an API to search using k-anonymity: https://api.pwnedpasswords.com/range/{hashPrefix} There you replace "{hashPrefix}" with the first 5 characters of the SHA-1 of your password. It will return a list of all SHA-1s that start with the given 5-character prefix, as well as how many times they've been 'busted'. Ideally it will not return the full SHA of the password you're testing, meaning you're in the clear.
For testing purposes, the SHA-1 of "Passw0rd" is "21BD12DC183F740EE76F27B78EB39C8AD972A757".
---------
Edit : I previously stated you could search directly by the SHA-1 of your pass alone (in the regular web interface). It looks like this feature has been removed since he's added the k-anonymity feature. So your options are searching directly by password, or using the k-anonymity hash prefix API.
https://gist.github.com/schmich/aeaffac922271a11b70e9a79a5fe...
You need to look at the request being generated. Here's how to do it:
1) The SHA-1 of P@ssw0rd is 21BD12DC183F740EE76F27B78EB39C8AD972A757: https://passwordsgenerator.net/sha1-hash-generator/
2) Pass the first 5 chars to the API here: https://api.pwnedpasswords.com/range/21BD1
3) Find the suffix in the response and it has the count next to it: 2DC183F740EE76F27B78EB39C8AD972A757:51259
[0]: https://www.troyhunt.com/the-773-million-record-collection-1...
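The k-anonymity lookup described in the two comments above, as an added example (not code from the thread or from HIBP): the password is hashed locally, only the first 5 hex characters of the SHA-1 leave the machine, and the 35-character suffix is matched against the returned range locally. The `fetcher` parameter is an assumption of this example so that the parsing can be exercised offline; `SAMPLE_RANGE_21BD1` is a constructed response that contains the suffix and count quoted in the thread plus two made-up lines.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

API_BASE = "https://api.pwnedpasswords.com/range/"

# Constructed sample of what /range/21BD1 returns: "SUFFIX:COUNT" per line.
# The middle line is the one quoted in the thread; the other two are made up.
SAMPLE_RANGE_21BD1 = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
2DC183F740EE76F27B78EB39C8AD972A757:51259
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> Tuple[str, str]:
    """Split a 40-char hex SHA-1 into the 5-char prefix that is sent and the 35-char suffix kept local."""
    h = full_hash.upper()
    if len(h) != 40 or any(c not in "0123456789ABCDEF" for c in h):
        raise ValueError("expected a 40-character hex SHA-1")
    return h[:5], h[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines and CRLF."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup against the API (network required). Only the 5-char prefix is sent."""
    req = urllib.request.Request(
        API_BASE + prefix, headers={"User-Agent": "hibp-k-anonymity-example"}
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetcher: Callable[[str], str] = fetch_range) -> int:
    """Return how many times the password appears in the corpus; 0 means the suffix was not in the range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range_response(fetcher(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration using the constructed sample instead of the network.
    offline = lambda _prefix: SAMPLE_RANGE_21BD1
    print("P@ssw0rd seen", pwned_count("P@ssw0rd", offline), "times")
    print("random phrase seen", pwned_count("correct horse battery staple xyzzy", offline), "times")
```

Because the full hash never leaves the process, a passing lookup reveals nothing beyond the prefix to the API operator, while a non-zero count is a strong signal the password should be retired wherever it is reused.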
I mean I do, and that's why I have 100+ passwords that MIGHT be compromised. I don't even know where to start? Seems like the password should be shareable if you control the email or something like that. Fuck, I'd take a cc style last four type redaction or something.
I know because every time I register for a site I use site@mydomain.com as my email.
You can also do that with gmail by using the login+alias@gmail.com syntax but it's well known and trivial for a hacker to defeat.
Even if it's not in the HIBP base, you should always assume that. That's why you should always enable MFA everywhere it's possible and consider all services where it's not already compromised.
HIBP is quickly becoming a critical piece of the Internet security infrastructure, and Troy should be lauded for undertaking it basically by himself.
I hate to be that guy [1], but no, that does fit in a 32-bit integer - as long as it's unsigned.
From the tweet, it seems like SQL Server puts the result of a COUNT into a signed 32-bit integer, which really surprises me.
[1] I lied, I love being that guy.
But as far as I can see it is gibberish spam-mails. I see 500+ entries such as:
fkdsjlfjldsf@example.com
spamkdsjf31@example.com
fsdjlfsdjkl@example.com
i.e. none of these emails at my domain are real, nor have they ever been real. That said, if you allow password-based authentication on a server which is shared you might consider using my PAM module:
https://github.com/skx/pam_pwnd
It does lookups of previously-leaked passwords. Best practice these days is SSH-keys for authentication, but this would cover weak sudo passwords too, etc.
Not sure whether it's cool to post any links here.
I'm gonna download the passwords offline and try this plugin: https://github.com/mihaifm/HIBPOfflineCheck
(you can grab the offline passwords from here: https://haveibeenpwned.com/Passwords )
This of course could happen in a company like 1Password, and at some point I need to make the call and trust the person(s) coding the password manager. I feel that with 1Password there's at least the large size of the company, which would mean more eyeballs and accountability. There is also the history of the company at ~12 years. This includes vetting and buy-in from larger companies, which inspires a vote of confidence.
FWIW Bitwarden checks off nearly all the other boxes for me and I think the single dev has done a seriously bang up job.
- long history - to me it's the original password manager
- frequent updates and always keeping up with relevant OS features, like iOS AutoFill which allows 1Password to be set as the default iOS password store: https://support.1password.com/ios-autofill/
- flawless experience
It's better than using the same password.
1. People are bad at making new passwords.
2. Someone might clear their browser history and delete the logins as a result.
3. Lock-in into the Chrome ecosystem.
I personally use KeePass, but I understand it is a bit cumbersome to carry around a USB stick.
I'd recommend LastPass to those who don't understand, simply because it has a free tier, but everyone else should seriously consider paying the $2 a month for whichever service they use.
All my passwords are randomly generated so they are different for all websites.
I've checked again if I was pwned and at the top there is a service I've never signed up for - Apollo, a sales acceleration platform.
I'm a simple dev and never subscribed to a sales service ....
What should you do now? I mean editing and changing the password in every one of them seems like a daunting task. And many of those services I no longer use anyway.
I am thinking of completely giving up the identity and start over, which seems easier. Or any other thoughts and comments?
Edit: I will definitely pay Apple a monthly fee if there is some simple and easy way to have an online identity using email along with Face ID or Touch ID as 2FA. Getting rid of passwords while increasing security is something that should have happened but has yet to happen.
What did strike me as odd this time is that they did not end up in my spam folder but in my inbox. I'm using Gmail, which normally for me has very good spam/phishing detection. Somehow these mails came through though? Maybe it's just an instance and Google was late to catch up with the cat/mouse game on this attack. Or these phishers are getting more sophisticated?
http://www.mediafire.com/file/mluhkk4dpqi8vfm/Collection_1.t...
I found the link via a comment on /r/pwned [1]. I think it originally came from RaidForums [2].
[1] https://www.reddit.com/r/pwned/comments/agsjie/troy_hunt_the...
[2] https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPub...
[0] https://darekkay.com/blog/another-password-leak-oh-must-tues...
Maybe it was this one.
Showing 20 bits of the password hash narrows down the possible passwords to one millionth. You should check it locally by downloading the password hash list.
... but with a non-trivial risk of someone else locking you out from your own account.