Over 1 Billion Login Credentials Leaked

Pepi
Level 6
Posts: 1308
Joined: Wed Nov 18, 2009 7:47 pm

Re: Over 1 Billion Login Credentials Leaked

Post by Pepi »

I remember a site a few years ago that asked ... "How secure is your password(s)?" They would have you type in your password(s) and it would tell you the strength. :mrgreen: Not going there for sure.
Pepi
Level 6
Posts: 1308
Joined: Wed Nov 18, 2009 7:47 pm

Re: Over 1 Billion Login Credentials Leaked

Post by Pepi »

Went ahead and used an email account I don't really care about. It has a bunch of leaks ... Look at this one in it :mrgreen:
Last edited by Pepi on Sun Jan 20, 2019 4:15 pm, edited 1 time in total.
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

Pepi wrote: Sun Jan 20, 2019 1:04 pm I remember a site a few years ago that asked ... "How secure is your password(s)?" They would have you type in your password(s) and it would tell you the strength. :mrgreen: Not going there for sure.
+1
redlined

Re: Over 1 Billion Login Credentials Leaked

Post by redlined »

MrGrimm wrote: Sun Jan 20, 2019 10:33 am are you friggin serious? A list of the current sites that were breached, NOT everything from the beginning of time.
Open the page smurphos linked to: https://haveibeenpwned.com/PwnedWebsites
then hit Ctrl+f and type in 2018; you'll find the dozens of reported and author-verified breaches whose data has gone up for sale. It is a lot of info, but even everything since the beginning of time will be useful in determining where and when any online persona could have been compromised.
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

redlined wrote: Sun Jan 20, 2019 1:56 pm
MrGrimm wrote: Sun Jan 20, 2019 10:33 am are you friggin serious? A list of the current sites that were breached, NOT everything from the beginning of time.
Open the page smurphos linked to: https://haveibeenpwned.com/PwnedWebsites
then hit Ctrl+f and type in 2018; you'll find the dozens of reported and author-verified breaches whose data has gone up for sale. It is a lot of info, but even everything since the beginning of time will be useful in determining where and when any online persona could have been compromised.
ok fair enough, but that should have been part of the first post, not just a page making a statement without any links to back it up. how-to-geek or not, proof please, or don't post the story.
redlined

Re: Over 1 Billion Login Credentials Leaked

Post by redlined »

smurphos wrote: Sun Jan 20, 2019 1:16 am Make your own mind out about whether it's a trustworthy service or not - I'm satisfied that it is and it returns correct info for my email address (i.e. it was included in the data sold on the darknet after the Mint forum hack of 2016)

https://haveibeenpwned.com/About
https://haveibeenpwned.com/Privacy
yah, I trust the fella and his project (especially appreciating the verifications he does before listing), and want to say I first learned of the site some year or two ago; if I recall correctly I was led there by a story in the New York Times, to which I was a subscriber at the time. I did confirm some email(s) were databased but haven't been back there in well over a year, and do see some more sites I need to delete or change accounts for :evil:

For any wanting to check for info "safely" consider using k-Anonymity:
https://blog.cloudflare.com/validating- ... anonymity/
redlined

Re: Over 1 Billion Login Credentials Leaked

Post by redlined »

MrGrimm wrote: Sun Jan 20, 2019 2:08 pm
redlined wrote: Sun Jan 20, 2019 1:56 pm
MrGrimm wrote: Sun Jan 20, 2019 10:33 am are you friggin serious? A list of the current sites that were breached, NOT everything from the beginning of time.
Open the page smurphos linked to: https://haveibeenpwned.com/PwnedWebsites
then hit Ctrl+f and type in 2018
ok fair enough, but that should have been part of the first post, not just a page making a statement without any links to back it up. how-to-geek or not, proof please, or don't post the story.
first post was by philotux, which includes this (besides the quotes and link for article from how-to-geek):
I found another site which, beside Have I been Pwned, lists some other resources as well:
https://www.digitaltrends.com/computing ... en-hacked/

My question is if you have used these services and do you find them legit and trustworthy?
The link to breached websites on the HIBP website was from smurphos (a different penguin) and a good place for the conversation to shift focus to, as OP asked for folks' opinions on "these services" (referring to using online have-I-been-hacked/pwned/sold check websites, of which HIBP is a popular, and IMO trustworthy, data check spot).
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

sorry but i clicked the link in the post and no list. what is there is the how-to-geek article without a link to the list, and a link to a site to enter your email address. personally i want a list of the sites, THEN if i see one i'm on i can go into the site and change my password and email.
redlined

Re: Over 1 Billion Login Credentials Leaked

Post by redlined »

MrGrimm wrote: Sun Jan 20, 2019 3:02 pm sorry but i clicked the link in the post and no list. what is there is the how-to-geek article without a link to the list, and a link to a site to enter your email address. personally i want a list of the sites, THEN if i see one i'm on i can go into the site and change my password and email.
got it, and a wise course of action. Just keep in mind there are huge chunks of data purchased that are not directly tied to any one or other website breach, however still useful to a cracker/hacker type from a "credential stuffing list" such as this note about his "Collection #1 accounts", which is listed under breaches on the lower half of the main page: https://haveibeenpwned.com
or in the details of all pwned sites:
https://haveibeenpwned.com/PwnedWebsites#Collection1
In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.
best/safest bet is to never use the same password for more than one account/persona space. Another option is to use a unique email, which some email providers make real easy by allowing anything before the @ with your custom address after the @ to get it to you. That makes it easy to identify the source of a breach (e.g. "well, I only used that email addy here...") and then blacklist the breached email address used to make the online account.

A quick check with k-anon using this service will further remove potential doubts in the moral character of HIBP website:
https://blog.cloudflare.com/validating- ... anonymity/
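redlined's pointer to the Cloudflare k-anonymity post (here and in the earlier post) describes how a password can be checked against a breach corpus without the password, or its full hash, ever leaving your machine. As an added illustration that is not from this thread nor from HIBP's own code, the Python below simulates both sides offline: the corpus and the server (`range_lookup`) are constructed stand-ins, only the first five hex characters of the locally computed SHA-1 reach the server, and the suffix comparison happens on the client.

```python
import hashlib

PREFIX_LEN = 5  # the range model: only these 5 hex chars of the SHA-1 leave the client

# Constructed stand-in for a breached-password corpus (SHA-1 hex -> times seen).
# Counts are made up for illustration; a real service holds hundreds of millions.
CONSTRUCTED_CORPUS = {
    hashlib.sha1(pw.encode("utf-8")).hexdigest().upper(): n
    for pw, n in [("password", 3730471), ("123456", 23597311), ("letmein", 236351)]
}
# Synthetic entry sharing the prefix of SHA-1("password") (5BAA6...) so that a
# range query returns more than one suffix and the queried password hides among them.
CONSTRUCTED_CORPUS["5BAA6" + "0" * 35] = 42


def range_lookup(prefix: str, corpus: dict = CONSTRUCTED_CORPUS) -> str:
    """Simulated server side. Receives only a 5-hex-char prefix and answers with
    every matching hash suffix as 'SUFFIX:COUNT' lines (the same line shape the real
    range API uses). It never learns which of the returned suffixes the client wanted."""
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 hex characters")
    lines = [f"{h[PREFIX_LEN:]}:{n}" for h, n in corpus.items() if h.startswith(prefix)]
    return "\n".join(lines)


def check_password(password: str, corpus: dict = CONSTRUCTED_CORPUS) -> tuple[int, str]:
    """Client side. Hashes locally, sends only the prefix, and does the suffix
    comparison itself. Returns (times_seen, prefix_sent); 0 means not found."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    response = range_lookup(prefix, corpus)  # the only thing that crosses the wire
    for line in response.splitlines():
        cand_suffix, count = line.split(":", 1)
        if cand_suffix == suffix:
            return int(count), prefix
    return 0, prefix


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        seen, sent = check_password(pw)
        verdict = f"seen {seen} times in breaches" if seen else "not in the corpus"
        print(f"{pw!r}: sent prefix {sent} -> {verdict}")
```

Against the real service the same client logic would send the prefix over HTTPS and parse the returned lines; the privacy property is the same, since the server only ever sees one of 16^5 possible prefixes.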
Faust

Re: Over 1 Billion Login Credentials Leaked

Post by Faust »

rene wrote: Sun Jan 20, 2019 12:50 pm
I had a test run with it a few months ago and was fairly satisfied. A major downside for me was missing Thunderbird support, a major upside the possibility to host the Bitwarden server locally. In the end it for me fell short of simply using e.g. KeePassXC, but that in part due to me simply not reacting all that favourably to the web technologies it's built with; Javascript largely. As far as I've looked at things it fundamentally seemed solid, though.
@rene - Thanks for that feedback .

As mentioned above , I'll start a new thread about Bitwarden shortly
.... I've already taken this thread OT - :oops:
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

Faust wrote: Mon Jan 21, 2019 4:04 am As mentioned above , I'll start a new thread about Bitwarden shortly
.... I've already taken this thread OT - :oops:
please add at least a couple of reviews from sites you feel more of us trust, cause doing a google search myself didn't turn up a review from any site i trust. thanks
philotux

Re: Over 1 Billion Login Credentials Leaked

Post by philotux »

Faust wrote: Mon Jan 21, 2019 4:04 am
rene wrote: Sun Jan 20, 2019 12:50 pm
I had a test run with it a few months ago and was fairly satisfied. A major downside for me was missing Thunderbird support, a major upside the possibility to host the Bitwarden server locally. In the end it for me fell short of simply using e.g. KeePassXC, but that in part due to me simply not reacting all that favourably to the web technologies it's built with; Javascript largely. As far as I've looked at things it fundamentally seemed solid, though.
@rene - Thanks for that feedback .

As mentioned above , I'll start a new thread about Bitwarden shortly
.... I've already taken this thread OT - :oops:
I am interested in this as well and it is not totally unrelated to this thread. After all, whether one's account has been pwned or not, I think most of us want to know how we can secure them as best we can to prevent them from becoming pwned in the future.
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

@philotux

+1
rene
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: Over 1 Billion Login Credentials Leaked

Post by rene »

Let me in that case comment...

For Bitwarden everything I looked at seemed solid; note that it is in this context to be noted that Bitwarden does not have your passwords even when you use their servers to store them. They have your encrypted password database; they are fundamentally unable to retrieve your passwords for you when you forget/lose your master password. This is clearly important for judging the needed level of trust.

Lastpass, a very trustworthy and very widely used password manager, is no different in that sense but where the two do in my views significantly differ is Bitwarden being open source; being able to be independently verified, both to in fact correctly adhere to that system, and as to the encryption itself. Don't get me wrong, Lastpass is absolutely trustworthy, and shenanigans are as or more easily found with a network sniffer than through source code review, but still. Fundamentally I would say this kind of thing needs to be open source.

I.e., if I'd choose between Lastpass and Bitwarden, latter it would be, even though former will undoubtedly have more and better plugins available.

But. Bitwarden being open source for me personally still fell a little short simply due to the used web technologies. The server is C#, which is a nice enough language generally (if on Linux a bit of a mess), and/but the desktop application is a lot of Javascript. Moreover not just Javascript sec but Javascript using the to me unfamiliar "Electron" and "Angular" frameworks. I expect that if I were to invest a bit it'd not be too much of a problem to become familiar, but for me investing in anything concerning web technologies tends to feel like work of the "Shall I go into the office or off myself today?" variety. Choices, choices, ...

Given that I had a fairly solid preference for keeping things local anyway this meant that Bitwarden's for me main competitor KeePassXC won out. It's also open source (C++) and although Bitwarden can be used locally that's not its core structure; with Bitwarden you'd just use a locally installed server. To in fact use KeePassXC you do need to be a bit of an open source masochist but, hey, whaddaya know...

I'll finish by saying that every other manager I looked at, a fair number, I did not consider for one or other reason. If you want an online password manager with the best plugins and support and what have you, go Lastpass. If Bitwarden does it for you, feel absolutely free. If you end up deciding that you don't in fact need an online password manager but do want a local one, try KeePassXC. And if you decide that it's all too much bother don't even just write off using e.g. Firefox's builtin password manager, potentially together with a Firefox account to sync passwords to and fro different instances of Firefox, with e.g. apg from the command line.

One other that I feel should at least be mentioned is "pass", https://www.passwordstore.org/, although anyone should feel free to make up their own mind as to that. The system keyrings for GNOME and KDE should definitely also be considered, but with neither Firefox nor Thunderbird able to in fact use them that was for me not a valid option. Last time I looked Chrome could in fact use the system keyring and I do myself add that to the for side of any Chrome vs. Firefox for-against comparisons.
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

that's all and good, but still no credible reviews.
rene
Level 20
Posts: 12240
Joined: Sun Mar 27, 2016 6:58 pm

Re: Over 1 Billion Login Credentials Leaked

Post by rene »

I conclude you find me noncredible.
philotux

Re: Over 1 Billion Login Credentials Leaked

Post by philotux »

rene wrote: Mon Jan 21, 2019 2:05 pm Let me in that case comment...
Thank you so much rene! Great write up. I feel I am in a much better position to make an informed decision about all the available options you mention, even though the more technical details of each are beyond my level of knowledge in such matters. A good start for further research and getting some hands-on experience.

Speaking for myself, reading your posts on these forums, wherever and whenever I come across them, is a very rewarding experience, widening each time a little more my still limited understanding of things Linux. Thanks again for taking your time to share with us of your experience and knowledge.

greetings
"philotux"
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

rene wrote: Mon Jan 21, 2019 4:14 pm I conclude you find me noncredible.
to be blunt lastpass, dashlane, etc..... i can find TONS of reviews on from sites i trust. this none.
redlined

Re: Over 1 Billion Login Credentials Leaked

Post by redlined »

:shock:
:roll:
:lol:
+1 to what philotux posted.

@rene you have street cred and that is all that matters to me, I've seen a lot of your work in these forums and benefited directly from such often.

@MrGrimm you have choices, do your own due diligence or rely on those other "adam's" you do not know either, but trust because they publish, how to say it? well I'll let you say it, since you have the cred issue:
MrGrimm wrote:please add at least a couple of reviews from sites you feel more of us trust, cause doing a google search myself didn't turn up a review from any site i trust. thanks
(my bold in your quote to highlight the real issue with what you expect, or somehow otherwise feel entitled to)

problem now is what sites do You trust? because no matter what anyone says here you need to decide who and what to trust. Me I'll give my time and efforts to determine on my own and rely upon experienced folks to help me decide when I lack experience and the cost of fail is high or process is otherwise confusing.

rene is one of many on these forums I see have that experience, not because of the number of posts they have, but because they solve the chit here with ninja-like Linux-fu that gets issues resolved and marked <SOLVED>

anyways, the review of options posted was good and thorough, and I felt urge towards the both online services mentioned in recent pasts, but will rely on keepassxc as it suits my desires just fine as I'm not much of a fan for online storage services and such anyways.
MrGrimm

Re: Over 1 Billion Login Credentials Leaked

Post by MrGrimm »

there is NOTHING wrong with what i expect and you damn well know it. do not try to bs me again. we all expect at least one review from sites like foss, fosshub, cnet, how-to-geeks, superuser. you know sites almost everyone knows, and yet not one out there for this.