bendejo Posted September 10, 2014
In case you haven't heard: Five million Gmail addresses and passwords dumped online
http://www.pcworld.com/article/2605400/five-million-gmail-addresses-and-passwords-dumped-online.html
jybkk Posted September 11, 2014
It's important to note that the data does not come from breaches into Google/Gmail. It comes from various breaches into much less secured systems (random forums, shady websites which ask you to create a login, etc.) on which people used their Gmail address as username... and also used the same password as their Gmail account. NEVER use the same password across websites, and if you can't be bothered with a different one each time, at least keep the password for your email different from the others. Otherwise, things like that happen, because not every website is as careful with your password as it should be (typically, those passwords are leaked because they were stored unencrypted in the servers' databases, which is the most basic security feature and is for sure implemented by the main companies like Google, Facebook, Apple, etc.).
phazey Posted September 11, 2014
Is it against forum rules to paste a URL which contains a download link to a txt file (in tar.gz archive format) that contains a list of email addresses for people to search only? This is far safer than entering your email address into a random site. If a mod can get back to me and let me know... (and yeah, I found a few friends' addresses on there already)...
phazey Posted September 11, 2014 (edited)
fwiw;

    Karls-MacBook-Pro:Goog karls$ ls -al
    total 286784
    drwxr-xr-x    4 karls  staff        136 10 Sep 20:04 .
    drwx------+ 114 karls  staff       3876 10 Sep 20:04 ..
    -rw-r--r--@   1 karls  staff  108763323  9 Sep 22:50 google_5000000.txt
    -rw-r--r--@   1 karls  staff   38064684 10 Sep 20:03 google_5000000.txt.tar.gz
    Karls-MacBook-Pro:Goog karls$ cat google_5000000.txt| wc -l
    4929090

Edited September 11, 2014 by phazey
Chicog Posted September 11, 2014 (edited)
Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
Added: You can check if you're on the list at the link below.
https://isleaked.com/en
Edited September 11, 2014 by Chicog
Tywais Posted September 11, 2014
> Is it against forum rules to paste a URL which contains a download link to a txt file (in tar.gz archive format) that contains a list of email addresses for people to search only? This is far safer than entering your email address into a random site. If a mod can get back to me and let me know... (and yeah, I found a few friends' addresses on there already)...

I believe Chicog's link above should do the job, and simpler, as many members wouldn't have a clue about the tar.gz format.
phazey Posted September 11, 2014
Noted Tywais - see my second comment
manarak Posted September 11, 2014
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

Re-using passwords is 100% a bad thing. It means any forum admin can access your email and then also access all other forums where you have an account. When you want to use the same password, at least try to use a different strong one for the email and a variant of a simple one for the forums. Choose for example a simple word like "security", then put in some special characters, such as "s3cur!ty" (special characters are nowadays required in passwords of many sites, so putting special chars in by default ensures your password can be used everywhere), and then count the vowels and consonants contained in the forum's domain name; for thaivisa these numbers would be 4 and 4. Put them at the start and end of your standard password, so your password for thaivisa would be "4s3cur!ty4". This makes sure the password for every forum is different, but remains re-constructible by yourself. Of course you should come up with your own algorithm to vary passwords.
h90 Posted September 11, 2014
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

> Re-using passwords is 100% a bad thing. It means any forum admin can access your email and then also access all other forums where you have an account. When you want to use the same password, at least try to use a different strong one for the email and a variant of a simple one for the forums. Choose for example a simple word like "security", then put in some special characters, such as "s3cur!ty" (special characters are nowadays required in passwords of many sites, so putting special chars in by default ensures your password can be used everywhere), and then count the vowels and consonants contained in the forum's domain name; for thaivisa these numbers would be 4 and 4. Put them at the start and end of your standard password, so your password for thaivisa would be "4s3cur!ty4". This makes sure the password for every forum is different, but remains re-constructible by yourself. Of course you should come up with your own algorithm to vary passwords.

That is a good idea.....
Chicog Posted September 11, 2014
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

> Re-using passwords is 100% a bad thing.

Actually it's not. If you aren't worried about accounts being compromised (for example you have a fake account on a forum on which you only lurk), it is better just to use a one-off password so you don't have trouble remembering it. You can then focus your attention on using strong passwords where they are needed.

Don't just take my word for it. Although I've been doing it for years, someone has finally explained the merits (link to the paper at the end).

> Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites. The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access. Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).
> The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.

http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf
manarak Posted September 11, 2014
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

> Re-using passwords is 100% a bad thing.

> Actually it's not. If you aren't worried about accounts being compromised (for example you have a fake account on a forum on which you only lurk), it is better just to use a one-off password so you don't have trouble remembering it. You can then focus your attention on using strong passwords where they are needed.
> Don't just take my word for it. Although I've been doing it for years, someone has finally explained the merits (link to the paper at the end).
> Microsoft has rammed a research rod into the security spokes of the internet by advocating for password reuse in a paper that thoroughly derails the credentials best practise wagon. Password reuse has become a pariah in internet security circles in recent years following a barrage of breaches that prompted pleas from hacked businesses and media outlets to stop repeating access codes across web sites. The recommendations appeared logical; hackers with email addresses and passwords in hand could test those credentials against other websites to gain easy illegal access. Now Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada, have shot holes through the security dogma in a paper Password portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts (PDF).
> The trio argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites.
> http://research.microsoft.com/pubs/217510/passwordPortfolios.pdf

It doesn't contradict what I am saying - BTW, if you think about it, what I do is also re-using the same password at all low-risk sites, but with a twist!
Tywais Posted September 11, 2014
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

> Re-using passwords is 100% a bad thing. It means any forum admin can access your email and then also access all other forums where you have an account.

On the majority, if not all, forums the password is stored encrypted, so even Admin can not read them. Of course the data itself is usually sent 'in the clear', and someone can use a packet sniffer to grab them coming in before the encryption.
manarak Posted September 11, 2014 (edited)
> Interesting subject. I generally use throwaway emails with a single, simple password for many sites, on the basis that if they get compromised I don't care. Re-using passwords isn't necessarily a bad thing, except on stuff you want to protect like your personal email, banking, etc., and you should look at two-factor authentication on those anyway.
> Added: You can check if you're on the list at the link below.
> https://isleaked.com/en

> Re-using passwords is 100% a bad thing. It means any forum admin can access your email and then also access all other forums where you have an account.

> On the majority, if not all, forums the password is stored encrypted, so even Admin can not read them. Of course the data itself is usually sent 'in the clear', and someone can use a packet sniffer to grab them coming in before the encryption.

Amending the forum's code to store an unencrypted version of the password in an additional database field is even easier.
Edited September 11, 2014 by manarak
innerspace Posted September 11, 2014
And even easier is comparing regular words against known MD5 hashes if no salts or advanced encryption is used.
manarak Posted September 13, 2014
> And even easier is comparing regular words against known MD5 hashes if no salts or advanced encryption is used.

aaah - why use the simple solution if a complicated way works too? :-)
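The storage question raised by jybkk (plaintext passwords in a forum database) and by innerspace (unsalted MD5 that a table of common words matches) is easiest to see side by side. The following is an added example, not code from this thread or from any forum software; the usernames, the shared password "security" and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample: two forum users who happen to have chosen the same password.
USERS = {"alice": "security", "bob": "security"}


def md5_store(password: str) -> str:
    """Weak scheme from the thread: unsalted MD5, so one fixed hash per password."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_store(password: str, salt: bytes = None, iterations: int = 200_000) -> str:
    """Salted, slow hash: fresh random salt per user, stored as salt$iterations$hash."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def leaks_shared_password(store) -> bool:
    """True when the scheme makes equal passwords visible as equal stored values,
    which is exactly what lets one precomputed table of common words match every
    user at once (innerspace's point). False when each user has a distinct salt."""
    stored = [store(p) for p in USERS.values()]
    return len(set(stored)) < len(stored)


def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit helper for a database dump: a bare 32-hex-character field is the
    tell-tale shape of an unsalted MD5 password column."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


if __name__ == "__main__":
    print("MD5 leaks shared password:", leaks_shared_password(md5_store))
    print("PBKDF2 leaks shared password:", leaks_shared_password(pbkdf2_store))
```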
Chicog Posted September 14, 2014
Moral of the story is save your complex passwords for where you need them, and use two factor authentication where possible.
robblok Posted September 14, 2014
I use LastPass; it keeps all your data and you generate passwords with it, so you never use the same password. Question is of course do you trust LastPass not to get hacked. I do know that if you lose your LastPass password you're screwed, as they don't ever give it back to you.