bad news for (some) gmail users


Posted

It's important to note that the data does not come from breaches into Google/Gmail.

It comes from various breaches into much less secured systems (random forums, shady websites which ask you to create a login, etc...) on which people used their gmail address as username... and also used the same password as their gmail account.

NEVER use the same password across websites, and if you can't be bothered with a different one each time, at least keep the password for your email different from the others.

Otherwise things like this happen, because not every website is as careful with your password as it should be (typically those passwords are leaked because they were stored unencrypted in the servers' databases; encrypting them is the most basic security feature and is for sure implemented by the main companies like Google, Facebook, Apple, etc.).

Posted

Is it against forum rules to paste a URL which contains a download link to a txt file (in tar.gz archive format) that contains a list of email addresses for people to search only?

This is far safer than entering your email address into a random site.

If a mod can get back to me and let me know...

(and yeah, i found a few friends addresses on there already)...

Posted (edited)

fwiw;

Karls-MacBook-Pro:Goog karls$ ls -al
total 286784
drwxr-xr-x 4 karls staff 136 10 Sep 20:04 .
drwx------+ 114 karls staff 3876 10 Sep 20:04 ..
-rw-r--r--@ 1 karls staff 108763323 9 Sep 22:50 google_5000000.txt
-rw-r--r--@ 1 karls staff 38064684 10 Sep 20:03 google_5000000.txt.tar.gz
Karls-MacBook-Pro:Goog karls$ cat google_5000000.txt| wc -l
4929090
Edited by phazey
Posted (edited)

Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care.

Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.

Added: You can check if you're on the list at the link below.

https://isleaked.com/en

Edited by Chicog
Posted

[Quoting the earlier post asking whether a link to the .tar.gz list may be posted.]

I believe Chicog's link above should do the job, and it is simpler, as many members wouldn't have a clue about the tar.gz format.

Posted

Quoting Chicog: "Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway."

Re-using passwords is 100% a bad thing.

It means any forum admin can access your email and then also access all other forums where you have an account.

When you want to use the same password, at least try to use a different strong one for the email and a variant of a simple one for the forums. Choose for example a simple word like "security", then put in some special characters, such as "s3cur!ty" (special characters are nowadays required in passwords on many sites, so putting special chars in by default ensures your password can be used everywhere). Then count the vowels and consonants contained in the forum's domain name (for thaivisa these numbers would be 4 and 4) and put them at the start and end of your standard password, so your password for thaivisa would be "4s3cur!ty4".

This makes sure the password for every forum is different, but remains re-constructible by yourself.

Of course you should imagine your own algorithm to vary passwords.
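As an added example, not the poster's own code, the scheme above implemented literally: the thread's base word "s3cur!ty", with the vowel and consonant counts of the site's second-level label, which is assumed to be what "domain name" means here since the post counts "thaivisa" rather than "thaivisa.com". The collision check and `recover_base` are the caveat a practitioner would add: several common site names share the same counts and so yield the identical password, and one leaked (site, password) pair exposes the base word for every other site.

```python
"""The per-forum password scheme from the post above, implemented literally.

Added example, not the poster's code. Assumption: "domain name" means the
second-level label ("thaivisa" for thaivisa.com), as the post's own count
of 4 vowels and 4 consonants implies.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Tuple

VOWELS = set("aeiou")
BASE = "s3cur!ty"  # the post's "standard" password


def site_label(domain: str) -> str:
    """'www.thaivisa.com' -> 'thaivisa'."""
    parts = domain.strip().lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_consonant_counts(label: str) -> Tuple[int, int]:
    vowels = sum(1 for c in label if c in VOWELS)
    consonants = sum(1 for c in label if c.isalpha() and c not in VOWELS)
    return vowels, consonants


def derive(domain: str, base: str = BASE) -> str:
    """Vowel count in front, consonant count at the end, exactly as described."""
    v, k = vowel_consonant_counts(site_label(domain))
    return f"{v}{base}{k}"


def collisions(domains: Iterable[str]) -> Dict[str, List[str]]:
    """Sites whose derived passwords are identical: the 'twist' does not separate them."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for d in domains:
        groups[derive(d)].append(d)
    return {pw: sites for pw, sites in groups.items() if len(sites) > 1}


def recover_base(leaked_password: str, domain: str) -> Optional[str]:
    """What one leaked (site, password) pair gives away: the shared base word.

    Whoever sees '4s3cur!ty4' next to a thaivisa login can strip the two
    counts and re-derive the password for every other site.
    """
    v, k = vowel_consonant_counts(site_label(domain))
    pre, suf = str(v), str(k)
    if (leaked_password.startswith(pre) and leaked_password.endswith(suf)
            and len(leaked_password) > len(pre) + len(suf)):
        return leaked_password[len(pre):-len(suf)]
    return None


if __name__ == "__main__":
    sites = ["thaivisa.com", "facebook.com", "google.com", "amazon.com", "twitter.com"]
    for s in sites:
        print(f"{s:14} {derive(s)}")
    print("collisions:", collisions(sites))
    print("base recovered from a thaivisa leak:", recover_base("4s3cur!ty4", "thaivisa.com"))
```

Run as-is, the five sample sites produce only three distinct passwords (thaivisa and facebook share "4s3cur!ty4", google and amazon share "3s3cur!ty3"), which is exactly the cross-site reuse the scheme was meant to avoid.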

Posted

[Quoting Chicog's post and the reply above describing the vowel/consonant variation scheme.]

That is a good idea.

Posted

Quoting the reply above: "Re-using passwords is 100% a bad thing."

Actually it's not. If you aren't worried about accounts being compromised (for example you have a fake account on a forum on which you only lurk), it is better just to use a one-off password so you don't have trouble remembering it.

You can then focus your attention on using strong passwords where they are needed.

Don't just take my word for it. Although I've been doing it for years, someone has finally explained the merits (link to the paper at the end).

Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practice wagon.

Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites.

The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access.

Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).

The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.

http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf

Posted

[Quoting Chicog's reply above ("Actually it's not..."), including the quoted article and the link to the Microsoft paper.]

It doesn't contradict what I am saying. BTW, if you think about it, what I do is also re-using the same password at all low-risk sites, but with a twist!

Posted

Quoting the reply above: "It means any forum admin can access your email and then also access all other forums where you have an account."

On the majority, if not all, forums the password is stored encrypted, so even an admin cannot read it. Of course the data itself is usually sent 'in the clear', and a packet sniffer can grab it coming in before the encryption.

Posted (edited)

Quoting the post above: "On the majority, if not all, forums the password is stored encrypted, so even an admin cannot read it."

Amending the forum's code to store an unencrypted version of the password in an additional database field is even easier.

Edited by manarak
Posted

And even easier is comparing regular words against known md5 hashes if no salts or advanced encryption are used.

Aaah, why use the simple solution if a complicated way works too?

:-)
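The last few replies turn on how a forum stores passwords: readable by an admin, quietly copied to a plaintext column, or hashed with unsalted MD5 and cracked by comparing known words against the hashes. The following added example (constructed here, not from any poster) puts those side by side with the per-user salted, iterated hash that password storage normally uses, and counts how much work the same dictionary attack costs in each case. The sample users and the toy wordlist are constructed; the PBKDF2 iteration count is kept low for the demo.

```python
"""Three ways a forum could store passwords, and what a dumped table costs to crack.

Added example, not from any post in the thread. Sample users and the toy
wordlist are constructed; the PBKDF2 iteration count is kept low for the
demo (OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256).
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

WORDLIST = ["password", "security", "s3cur!ty", "letmein", "thaivisa", "qwerty"]


# 1) Plaintext: nothing to crack. Anyone with the table (an admin, or whoever
#    dumps it) reads the passwords and can try them at every other site.
def store_plain(password: str) -> str:
    return password


# 2) Unsalted MD5. Equal passwords give equal hashes, and ONE table of
#    md5(word) for a wordlist cracks every user at once, at no per-user cost.
def store_md5(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(stored: Dict[str, str], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Returns (user -> password, number of hash evaluations performed)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in words}
    found = {user: table[h] for user, h in stored.items() if h in table}
    return found, len(table)


# 3) Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256 here;
#    bcrypt, scrypt or Argon2 are the usual choices). Equal passwords give
#    different records and no precomputed table transfers between users.
ITERATIONS = 50_000


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def crack_pbkdf2(stored: Dict[str, str], words: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary attack; the KDF must be re-run for every (user, word) pair."""
    words = list(words)
    found: Dict[str, str] = {}
    evaluations = 0
    for user, record in stored.items():
        for w in words:
            evaluations += 1
            if verify_pbkdf2(w, record):
                found[user] = w
                break
    return found, evaluations


if __name__ == "__main__":
    users = {"alice": "security", "bob": "security", "carol": "s3cur!ty", "dave": "Tr0ub4dor&3"}
    md5_db = {u: store_md5(p) for u, p in users.items()}
    kdf_db = {u: store_pbkdf2(p) for u, p in users.items()}
    print("md5 alice == bob:", md5_db["alice"] == md5_db["bob"])
    print("md5 cracked:", crack_md5(md5_db, WORDLIST))
    print("pbkdf2 alice == bob:", kdf_db["alice"] == kdf_db["bob"])
    print("pbkdf2 cracked:", crack_pbkdf2(kdf_db, WORDLIST))
```

Both attacks still find the weak passwords, because they are in the wordlist; the difference is the bill. The MD5 table costs six hashes for any number of users and reveals at a glance which users share a password, while the salted KDF has to be re-run per user per candidate (13 slow evaluations here) and tells the attacker nothing about which records share a password. It also does not change the admin case from the replies above: code that writes the plaintext to an extra column bypasses any hashing.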

Posted

I use LastPass; it keeps all your data and you generate passwords with it, so you never use the same password. The question is of course: do you trust LastPass not to get hacked? I do know that if you lose your LastPass password you're screwed, as they don't ever give it back to you.
