Shit. Looks like I got caught up in the adobe breach. Let this be a lesson to all engineers in charge of such situations to implement strong security. You are partially responsible for these disasters.
I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my PayPal account, presumably with credentials scraped from Adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I changed it to the strongest password I've assigned to anything yet.
Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.
This should be a lesson not to manage your own passwords; use a password manager, there are many to choose from. I was also caught up in the Adobe breach, but my password was randomly generated by my password manager.
I second this. I've been using it for a few years now. It gives me great peace of mind knowing that my password on a site like HN is something like "e5wLoMB1kZ". I only have to remember a few passwords and yet each site has a unique password.
Even in the event of a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.
However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.
Yeah, I did not hear about pwdhash and it sounds like a nice idea.
One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.
Imagine an attack where, for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "hashed" (pwdhash) passwords for each site, and that info is compiled into a big list. This can then be added to the candidate list of passwords that can be tried in cracking leaked hashes.
The takeaway here is that even though pwdhash gives you domain-specific generated passwords, you will want to make sure that you use a different site password as input to pwdhash for each site.
That is an extremely bad idea. Any site you use can put the following JavaScript in their site to obtain your master password next time you use the bookmarklet:
I like https://oneshallpass.com/ better since it lets you change some attributes about the passwords generated. So if a site is compromised you can just increment the generation field and get a totally new hash.
pwdhash uses a weak hashing mechanism, making it possible to brute-force master passwords. It is OK to use, but make sure that you have a cryptographically strong master password.
printf "/" ; openssl rand -base64 32 | sed 's/.$//'
The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.
Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.
Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.
Crap, looks like my wife's email was caught up in the Adobe breach. I think she created an account for reading ebooks with Adobe DRM downloaded from our library.
Consider this a heads up for married HN'ers, you should check their emails too.
In Australia, both my wife and I got mailed out letters from Adobe regarding our accounts being potentially compromised. Did that happen elsewhere as well?
I use a yubikey that outputs half of the password used to unlock my keypass database, the other half is in my head (so even if they steal my yubi they can't do much).
The database is backed on my own owncloud which is hosted on my own vps and replicated on other 3-4 servers (all mine). My little personal cloud setup.
Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.
Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".
(I store "sensitive stuff" on AWS/DigitalOcean/other-vps-providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the vps. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Password's datafile encryption enough to take advantage of the iOS/MacOSX sync features they've implemented over Dropbox. That's possibly not a choice I'd make if I thought I were a target of someone like the NSA.)
For some logins, the answer is "Sorry Dave, I can't do that." If I don't have the private cert, or the ssh cert, or the right hole in the firewall - there are many things I've chosen intentionally to not be able to log in to using someone else's computer.
For less security-critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate-level logins, I need my phone or iPad anyway: I've got TOTP two-factor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, GitHub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)
Private SSL/TLS certs, ssh keys, and the 1Password database are all stored on encrypted filesystems (EncFS) and synced across four machines (two at work, one at home, and my laptop) using Dropbox (which is another off-site copy, and has revision archives) and/or BTSync. Those four copies are all OS X Time Machine backed up (and revision archived) - and two of those Time Machine backups are rsynced nightly to separate drives in opposite locations - so all up (not counting Dropbox) I've got copies on 10 separate spindles in two physical locations, two of them in a locked filing cabinet (the work Time Machine and rsync disks).
I've had a "primary computer" stolen before – and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work-mode in half a day and one maxed-out credit card at the local Apple store. (If someone hits both my work and home locations simultaneously, I suspect I've got bigger problems than whether I'll have angry clients shouting at me before the weekend…)
My first question would be "how often does that really happen?". It's a legitimate concern at first sight, but for me, I pretty much never need to do that since I always have my phone with me.
But if I do need to, I have 1Password on my phone as well and can get the passwords from it.
I wouldn't want to use a webservice to look at my passwords. I want to open my password safe locally. Less likely to be snooped upon (though still possible, obviously).
I have the encrypted password file on a usb thumb drive. I remember the master password. I view as fatally flawed any password store that uploads the encrypted password file to a remote server.
I carry a little piece of paper in my wallet that has my private key further encrypted by myself, and that encrypted key is used to decrypt other passwords through a private web/mobile app I made. The top encryption key I have is just some sort of simple algebraic mumbo jumbo formula I used to scramble my private key just a bit, and I change it up once in awhile, and have that written down. What's in my memory is how I jumbled it.
Well until the recent 4.x / 3.x screwup [1] that 1Password did it has been quite useful (and like you, my 16 character password at Adobe, even if guessed, would not be useful anywhere else)
[1] My 3.x was upgraded to 4.x on my Macbook (unbidden) and the only way to restore compatibility with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the Macbook, not particularly happy about the upgrade fee on iOS.
Then use a local storage one, like password-safe (Win & Mac. password-gorilla for Linux). Combine that with spideroak, dropbox, google drive or whatever file syncing utility you want.
Anyone know what adobe's password requirements were? I don't know which password I used there: Adobe forced me to change it without letting me test the old one.
For the Adobe breach specifically, you might try the site set up by Last Pass, which checks your email against the breached data: https://lastpass.com/adobe/
The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.
P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.
You can just torrent users.tar.gz (the leaked list of encrypted passwords) and then grep the file for your email address, which will give you the encrypted version of your password.
Same here. I used my throw-away email to sign up at Adobe, along with my weak throw-away password. I don't have any Adobe licenses or such. The only Adobe product I use is the Flash plugin.
The email account is on Hotmail and currently has about 54k messages in its in-box, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into it is to respond to password confirmation requests generated during account creations.
Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.
I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)
I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in Japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak Japanese) at one point which prompted me to call their support and figure all of this out.
But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.
It was lucky in a sense that if Adobe had required complex passwords, a more important password would have been leaked. It was also lucky in a sense that Adobe itself got hacked instead of an entity that has one of my more sophisticated and thus valuable passwords.
One of my addresses was also in the Adobe breach. No idea what password I used there, but I'm fairly sure it must have been either my common "junk" password, shared with tons of forums, but nothing that poses any serious risk to me (just to those forums). Or if they had stricter requirements, some variation on it that I always forget, so I have to ask them for a new password every time anyway.
I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.
But those forums? I'm just not going to keep track of a new password for every site I visit.
If you're using a forum, you're in front of a computer. Keeping track of things is one of the things computers are _best_ at. Get yourself a password manager. I use 1Password, but I hear good things about KeePass and LastPass too.
Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)
Get a tool to help, computers are wonderful tools.
I've got KeePass, but I haven't used it remotely as long as I've used many websites. Also, I don't have my KeePass DB in Dropbox, so I can't access it from other computers.
More than that, I'd rather not put my KeePass DB on someone else's machine in the first place. But I'll easily trust strange computers with a password for some crappy forum.
There's always something you risk compromising. I prefer some forum account to be compromised.
My wife was on the Adobe list; the same credit card she used at Adobe was charged from Amazon or PayPal (I can't remember which) a couple of weeks after the leak. She called the bank; they closed it right away and took the charges off the card.
I woke up this Thanksgiving with a bunch of email notifications from Paypal that my account had been hacked and taken over. I (also shame on me) tend to reuse some of my passwords, and figured someone got into my Paypal account using my adobe credentials, not even being sure if I had created an account with adobe for anything in the past.
I checked my email address on this site and it didn't find any pwnage.
I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...
If you reuse passwords, separate throw-away accounts (like Adobe or pretty much anything that's not your email, your bank or PayPal), from the important stuff.
Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.
Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.
I knew I was, but I was delighted by what Dreamhost did: they cross-checked their users' e-mails with the leaked Adobe database and sent a message [1] to affected users explaining the situation and advising them to change the password, reminding them not to re-use passwords and suggesting password vaults.
I think it's a great thing to do by third-parties when leaks of this magnitude happen.
Have fun closing your account by the way, I went through that fiasco recently. I regularly run the LastPass security challenge and an old email of mine was in the Adobe breach too.
49 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you. ARG!
After the Macrumors breach (I had only signed up about 2 weeks before it happened), I decided it was time to make all my passwords unique and to use a credentials manager like 1Password. I too shared the same password for multiple sites/services (shame on me too).
Fuck me. Ditto. The reason I checked? I unknowingly, until today, had a domain name transferred away from me -- or rather, ownership changed, for a domain I bought years ago for $3,000. Email address used for that domain in Adobe breach.
They were encrypted, but with no variation between the hashes per email. https://lastpass.com/adobe/ will show you the password hints associated with the (in my case) 200 people with the same (hashed) password. The clues would be sufficient to guess the password.
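The clustering described above (identical stored values, pooled hints), as an added example that is not part of the original thread. The deterministic transform is a stand-in for unsalted, key-only encryption, written here as HMAC with a fixed key; beside it is per-user salted PBKDF2, against which the same grouping yields nothing. All sample records, the key and the hints are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample records: (email, password, password hint). Not real breach data.
SAMPLE_USERS = [
    ("alice@example.com", "sunshine1", "favourite weather + 1"),
    ("bob@example.com", "sunshine1", "sunny day, one"),
    ("carol@example.com", "tr0ub4dor&3", "the comic"),
    ("dave@example.com", "sunshine1", "weather"),
    ("erin@example.com", "correct horse", "the other comic"),
]

# Stand-in for a single site-wide encryption key (constructed). The real scheme is not
# modelled; the property that matters is that the stored value depends only on the password.
SITE_KEY = b"constructed-fixed-site-key"
PBKDF2_ROUNDS = 100_000


def deterministic_store(password: str) -> str:
    """Unsalted, deterministic transform: equal passwords give equal stored values."""
    return hmac.new(SITE_KEY, password.encode(), hashlib.sha256).hexdigest()


def _clusters(stored_records):
    """Group (stored_value, email, hint) triples by stored value; keep groups of 2+."""
    groups = defaultdict(list)
    for value, email, hint in stored_records:
        groups[value].append((email, hint))
    return {value: members for value, members in groups.items() if len(members) > 1}


def clusters_with_hints(users):
    """What anyone holding the dump can do without the key: group identical stored
    values and read the pooled hints, which between them give away the shared password."""
    return _clusters((deterministic_store(pw), email, hint) for email, pw, hint in users)


def salted_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + PBKDF2-HMAC-SHA256, stored as 'salt$hash' (both hex)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salted_clusters(users):
    """The same grouping attempt against salted storage: every value is unique, so the
    three 'sunshine1' users are no longer linkable and their hints cannot be pooled."""
    return _clusters((salted_store(pw), email, hint) for email, pw, hint in users)


if __name__ == "__main__":
    for value, members in clusters_with_hints(SAMPLE_USERS).items():
        hints = "; ".join(hint for _, hint in members)
        print(f"{len(members)} users share stored value {value[:12]}...  hints: {hints}")
    print("salted clusters:", salted_clusters(SAMPLE_USERS))
```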
I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).
I much prefer using the program `pwgen`. It's installed on all my Linux boxes and it's available from Cygwin too, and it generates a 'pronounceable' password, which makes it a lot easier to remember and also much easier to copy.
There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
It’s a bummer to find my e-mail among the leaked Adobe accounts. Especially after the ordeal I had to go through to have my Adobe account “deleted” months ago:
You have requested that we deactivate your Adobe account. We have sent a request to the relevant team to process your request. Please note that you will lose access to Adobe services and support for which you have registered or paid for. You will not be able to obtain serial numbers for past purchases and the deactivation process may take up to ninety (90) days. Once completed, your adobe.com membership and all personal data will be deleted from our database.
Adobe, every single time I had anything to do with you it sucked. Big time.
The 120+ days thing with ebay is allegedly because they need to make sure any outstanding deals are closed and accounts settled.
Of course that is absolute bullshit, it took them 120+ days to close my account and I had not used it for over 4 years at that point. They actually emailed me telling me that they were closing the account due to inactivity. They gave me 3 or 4 months to log on before it would be killed, so I thought to myself "good, saves me the hassle of doing it myself". Fast forward 3-4 months and I get an email telling me my account was compromised. Weird... so I log on, confirm any payment info I had was long since expired, confirmed nothing had happened and that my password was intact... then I scrambled the security question and password just to be safe and told Ebay to delete the account. Cue "this will take 120+ days" bullshit... but whatever.
At nearly the end of that 120+ days I get emailed again telling me the account was compromised. I'm convinced this is a scam they run to trick you into logging into your account, thus resetting the countdown.
Ebay and paypal are among my least trusted companies. I have a higher opinion of even Comcast or Halliburton.
I think my story pretty much echoes yours; I'd stopped using PayPal for a couple of years, and stopped using eBay.
I cancelled and about three months later I was "compromised". At that point I reset the data to random values, deleted my "ebay@example.com" email alias, and just resigned myself to forgetting about it.
Common tactic as far as I can tell, other companies do the same thing. eg: My Blizzard account that I can't sign in to because it's cancelled has somehow been 'compromised' multiple times.
Funny/scary anecdote I experienced a few days ago: most Linux flavors check against the cracklib database when changing passwords, and as I typed in an account password, a brand-new cracklib said it was based on a dictionary word. Now, my passwords are alphanumerical jumble, and they're usually comprised of an alphanumerical jumble "core" that I memorize and then a site-based or computer-based pre- and suffix.
So, let's say for example, my current core is "kgA85kjF3". Then for example, I'd morph that for my Hacker News account to "ZkgA85kjF39!" and my fileserver as "UkgA85kjF3O2". I thought this was a good method of having reasonably long passwords but I'd have to memorize very little per site.
So imagine my surprise, when I created a new password "NkgA85kjF3T3", cracklib found a dictionary word in it. It got worse from there. Through experimentation, I determined that it was indeed the core that was compromised. Any password containing "kgA85kjF3" was compromised.
I have no idea how this happened. If this was not a big cosmic coincidence, if this is not just a random regex filter accident, that means data from at least two known password databases containing my cores has been correlated, and put into cracklib no less. There is really no limit to the imagination regarding what illegitimate databases might contain...
I do something similar, but I then hash the result and use that as the password. That way, if someone gets hold of a couple of passwords, it's harder to derive the "core'.
That's a good procedure, a few weeks ago I'd have deemed you paranoid but obviously there is no practical limit to paranoia anymore ;)
However, the hashing step makes it impractical for me on different devices in certain situations. I don't want to rely on browser extensions or apps either. So I'm changing my passwords to the output of an algorithm I can do in my head now.
I do the same, and my "core" is less obscure than yours. I'm worried. What is this cracklib thing? Do I just provide it my password and it tells me stuff?
It's a linux library that checks passwords against a database of known words and patterns. You give it a password and it gives you basically one of two answers: "this is based on a known word" or "nope, never seen anything like it before". The database format looks highly obscure and doesn't lend itself to grepping without much effort.
It doesn't come with OS X, but I suppose there should be a port available somewhere. Otherwise, Virtualbox and some minimal distro are probably your best bet.
On Linux command line, you just feed the password to it:
You can also use an algorithm. I do something like create a 'base' that is used for all sites. And then something like take the number of letters in the url (google = 6) and add it to the beginning. Then take the second letter from the right and the last, 'o' and 'e', and add them to the end. In the end you get 6baseoe. Unique password for each website.
Passphrases are a really good idea, but a lot of sites have very short length limits.
Granted, if they have limits that's a really big red flag that they're storing your password in plain text, as a hash should always be the same length, so you probably shouldn't sign up there anyway. I remember a few years ago I was signing up for a TD account, and about 5 pages through the signup page it wouldn't allow me to continue because my password was /too secure/ (not their exact wording, but that was basically the problem). What makes it funnier is a lot of sites would reject the password I used at the time as not being secure enough.
I stopped signing up at that point, but I remember getting a phone call (!) from them a couple days later asking why I didn't finish the sign up, and my answer was: because I'm not giving my money to a company that doesn't know how to store passwords!
In Australia, our "welfare" system is taken care of by Centrelink. They have all of your personal details, as well as access to the amount you're getting per fortnight, and job history, resume etc. Lots of stuff you don't want compromised.
They also limit your password to 8 characters.
This is a huge government website that heaps of Australians have to access at least fortnightly.
One of the benefits of learning to program J for me has been to make it easy to remember hard-to-crack passwords. I have some passwords which are actually runnable J one-liner programs and contain all kinds of '#!$' symbols. All I need to do is remember what they do so that I can recreate them.
I've memorized an algorithm instead of trying to remember passwords. I hardly remember any of my passwords; instead I use this mini algorithm that I came up with to create unique passwords for each site I go to. Each time I go to a site it just takes me a couple seconds to figure out what the password is. I find it a lot easier to remember that one algorithm rather than trying to remember a bunch of passwords or rotating through the same few passwords.
That's not the point. The idea is to have different passwords for each site and each device. So in this many-words scheme (which will run afoul of a lot of websites' length restrictions on passwords by the way) I'd have to find a good way to encode the site's name or I'd have to tack on at least four specific words to the existing core sentence. That's not something I'll remember with dozens of sites and devices.
I know. If I wanted my information to be "safe", I wouldn't have an online profile at all. For starters, I wouldn't use Google services. It's a matter of limiting exposure at this point. I know the NSA reads my email and can probably log into my home router, but I don't want everybody else to do the same. Otherwise, let's all change our passwords to "password" and be done with it. Just because protection isn't close to 100% doesn't mean I don't want any at all.
can you tell me more about what you mean? for instance if your wife sends you a nude picture through something like oovoo does that guarantee someone has stolen it?
If you're connected to the world wide web and you send/receive data, there's a strong chance that either:
a) Either sending/receiving machine is broken into
b) Someone or something is intercepting your message
c) The service you are using is broken into
There's just too many holes to plug and too many people with expertise in these domains orders of magnitude above ours that they can use to either be malicious, or help our cause.
Your computer/device needs to be secure. Your other parties' devices need to be secure. Your connection needs to be secure. Your third party's service needs to be secure. The internet the third party uses needs to be secure. Their data centre needs to be secure. Then their ISP needs to be secure.
Thanks for that; I had ignored the Adobe leak, because why would I have created an Adobe account? Turns out I did at some point, so I guess I'm the goat there.
Often you need to create an account or somehow register your email at sites, just to get something very basic, like a free download, or use a feedback form.
I entered my address out of curiosity and it told me I had an Adobe account. I can't remember ever creating one so I tried the password reset process. Adobe tells me there doesn't exist an account under that address.
How is this possible? How did Adobe leak my address if I don't even have an account?
For those freaking out about somebody "misusing" this information (your e-mail address) .... I have some bad news.
E-mail addresses are not secret. They cross the wire in plaintext, they get stored in various mail server logs in various relays across the globe, they get passed around by spam analysis services, anti-virus services, and any company you submit it to has the right to sell it and any other information about you to anyone they want, without your consent.
"Although partial regulations exist, there is no all-encompassing law regulating the acquisition, storage, or use of personal data in the U.S. In general terms, in the U.S., whoever can be troubled to key in the data, is deemed to own the right to store and use it, even if the data were collected without permission." [1]
California is one of the few (only?) states with privacy laws, and it basically just says companies must post a privacy policy and follow it - and that policy could, for example, say they are allowed to sell on your information, which I'm sure 99% of companies would opt for.
Your e-mail address alone is not worth much in a general sense. In terms of spammers, they already have all the e-mail addresses in this list. And if on the off chance this guy's service is "selling" e-mail addresses to spammers (at what... $0.10 per e-mail address?), are you really so afraid of someone sending you spam?
People knowing that you have account yyy@example.com at example.net could use that information in a spear-phishing attack, or know that you're involved in a controversial website, prohibited website, etc.
Emails were not the only things that were stolen. For example, in the Adobe breach, encrypted passwords were stolen. If your email address is shown as being in the Adobe breach, that also means that your encrypted password, password hint, etc. were stolen. For Sony, maybe credit card information.
If this website was only about whether email addresses were leaked, then why would anyone type in their email address into this website (thus leaking your email)?
I'd prefer not to use this site since, if I'm affected, it signals to whoever owns the site that I'm a live person whose accounts might be worth probing.
Troy Hunt has been blogging about this for a while. Troy is a good guy who blogs extensively on security matters. I don't see any risk in putting your details in here.
His recent posts on pwning peoples phones and tablets while they were at his conference talk are pretty amusing. Shows just how insecure things really are.
As someone who was 'pwned' by the Adobe leak, I have no idea how bad the pwnage was. That is, I don't recall what my Adobe password was, and so I have no idea which of my many passwords was compromised.
Also, I partially went through the Adobe password reset procedure two or three times--each time guessing at what my original password was. Unfortunately, they accepted all of my guesses, so I was still none the wiser about which password was compromised.
To top the entire ordeal off, Adobe was not the one to tell me that my password was compromised. Instead, my hosting provider and some other services notified me.
Yeah, I'm downloading the leak and trying to check if I can deduce whether it was the common I-don't-care password I think it was. A couple other people had used the same password, but the hints didn't help me.
That's actually a very unadvisable scheme. By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks). If you have your own domain (which I assume you do based on your scheme), I suggest not doing this. You would be better off coming up with a random account name for each and using a password manager to keep track of these.
FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had his computer remotely wiped because he used his name in every domain/service as his account name or email account name.
The key motivation is not security, but if any account starts receiving spam, I will have a good idea where it is coming from. It also lets me shut off mail from any source.
Some services will use that as the username, others allow me to pick my own. Using a password manager helps this whole scheme. Now that I do that, I could go to random email addresses and usernames.
The only problem I've found with this method is the spammers that try to guess your email, so they end up sending emails to "admin@domain.com", "webmaster@domain.com", etc. The catch-all forwards them all to me.
The only way around this, I think, is to only have uncommon emails, like instead of admin@domain.com, use contactadmin@domain.com. Put a block on the common ones and you're good to go.
It's not that spammers try to guess your email, but that if you accept any email address as valid they'll notice that you are accepting delivery.
Once I figured this out I just created wildcard aliases that end with a static prefix: netflix-blah@example.com, adobe-blah@example.com, etc. This cuts down on 99% of the random spam.
>By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks).
And if you use the same email for everything (as is the alternative), attackers can attempt to try that against popular sites. So I don't see the downside of this method?
The real key is to not use the same email address across accounts. If you have your own domain, then it's easy.
I actually don't like the idea of using email addresses as user IDs. I believe that was a lazy approach in the first place and this causes too many problems. I'm sure it all started that way because someone wanted your contact info, and since the only way to guarantee a valid email was to make you verify it. It has nothing to do with security.
Nobody said security was easy or convenient.
Anyway, to each his own. I have my own domains and do, unfortunately, have about 100 email addresses/aliases. Yeah, it can be inconvenient to maintain. I originally started using the aliases because I wanted to know who was giving out my email to spammers. I caught a few and stopped doing business with them.
If someone is directly targeting you, then yes it's an issue (but even so, it's less of an issue than using exactly the same email address for all of your accounts).
In a mass compromise like the Adobe one, it's highly unlikely that the hackers are going to go out of their way to attack people who use this method when there's millions of much easier targets already in their list.
Using this approach also makes it a lot easier to spot spam - if I get an email to "hackernews@myaccount.com" claiming to be from my bank, it's highly unlikely to be genuine. If it's coming to "mybank@myaccount.com", there's at least a fair chance that it's real - I still treat it with a fair amount of caution, but as I've filtered out the obvious junk I can spend more time checking out these reasonably genuine-looking ones. Using a random email like hhj4378@myaccount.com would make this quick filtering a lot harder.
The downside is that using random accounts on your domain requires catch-all email rules on your server (unless you add each address by hand, but frankly that's too much of a hassle).
I never use a catch-all. Deleting email would quickly exceed available time.
I go through the trouble of creating a new email each time. I've considered writing a script to make it easier, but my current mail provider makes that difficult.
If the website is important (ex. government), I use <sitename><4_numbers>@<private_domain>. My filtering rules are extremely strict, and every mail that doesn't come from the expected website gets automatically flagged as spam and deleted. If their DB leaks, I just change the 4 numbers.
If I know the website and it's not a startup, I use <sitename>@<public_domain>, ex. facebook@example.com. My filtering rules only flag the messages as "maybe spam" when the sender is not in my contacts. If their DB leaks, I change the filter from "maybe spam" to "spam".
If it's a website I don't know, or a startup, I use <full_domain>@<public_domain>, ex. mystartup.io@example.com. I don't filter them, but if I start getting spam, I just set the email as an alias to my wormhole (an account I never check that flags anything it receives as spam).
If it's a spam blog, or a website that forces me to create an account by no apparent reason, I just use the wormhole address.
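The three-tier alias filter described in the post above, written out as a small classifier. This is an added example, not the poster's own rules: the aliases, sender domains and contact list are constructed, and the fallback for an alias that appears in no tier (treating it as "maybe spam") is my assumption, since the post does not say what happens to guessed addresses.

```python
import re

# Constructed policy mirroring the three tiers in the post; none of these
# aliases, sites or domains are real ones from the thread.
STRICT = {"taxoffice": ("taxoffice.example", "4821")}   # alias -> (expected sender domain, current 4 digits)
KNOWN = {"facebook": "facebook.com"}                    # alias -> site the alias was handed to
CONTACTS = {"friend@facebook.com", "alerts@facebook.com"}
WORMHOLE = {"spamblog"}                                 # aliases rerouted to the never-read account

STRICT_RE = re.compile(r"^([a-z]+)(\d{4})$")            # <sitename><4_numbers>


def sender_domain(sender):
    return sender.rsplit("@", 1)[-1].lower()


def classify(recipient_alias, sender, leaked=frozenset()):
    """Return the filter action: 'ok', 'maybe spam', 'spam' or 'wormhole'.
    `leaked` holds known-site aliases whose site has since leaked its user DB."""
    alias = recipient_alias.lower()
    domain = sender_domain(sender)

    if alias in WORMHOLE:
        return "wormhole"

    m = STRICT_RE.match(alias)
    if m and m.group(1) in STRICT:
        expected_domain, current_digits = STRICT[m.group(1)]
        # Retired digits (rotated after a leak) or an unexpected sender: drop it.
        if m.group(2) != current_digits or domain != expected_domain:
            return "spam"
        return "ok"

    if alias in KNOWN:
        if sender.lower() in CONTACTS:
            return "ok"
        # Unknown sender to a known-site alias is suspicious; once the site has
        # leaked, the same rule is tightened from "maybe spam" to "spam".
        return "spam" if alias in leaked else "maybe spam"

    if "." in alias:
        # <full_domain>@ alias for unknown sites: unfiltered until rerouted.
        return "ok"

    # Assumption: an alias that is in no tier was guessed by someone else.
    return "maybe spam"


if __name__ == "__main__":
    for alias, sender in [("taxoffice4821", "notice@taxoffice.example"),
                          ("taxoffice1111", "notice@taxoffice.example"),
                          ("facebook", "promo@other.example"),
                          ("mystartup.io", "hello@mystartup.io")]:
        print(alias, sender, "->", classify(alias, sender))
```

The leak response is modelled as data rather than code changes: rotating the four digits of a strict alias retires the old one automatically, and adding a known-site alias to `leaked` flips its rule without touching the filter logic.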
That seems like a lot of overhead to manage. Also, you're going to have a bad day if a spam bot decides to spam thousands of <common_user_name>@yourdomain.com. Maybe that's fallen out of practice, but I've seen it happen before.
Not really; this year I have changed only 1 filter. The initial setup may be cumbersome, but the end result is worth the effort.
And about the spam to random addresses, in 8 years the most extreme problem I have faced is spam to censored addresses like git...@domain.com (thanks google code).
I don't appreciate you stalking me and posting that here (just because it's accessible somewhere on the internet doesn't mean I want to make it more public), but as a matter of fact I wasn't talking about that email address in the first place.
The Adobe leaks list is mostly made up of verified emails, so...
Come to think of it, there has been some spam lately (though that hasn't happened in years now at gmail), and I wonder whether it's related to that Adobe leak.
On a risk / reward basis the benefit to checking here is actually pretty high.
I don't find any of several accounts I use on there, but did find a friend's email listed (and just notified him). I'd actually appreciate a way to query my mailing list in an automated fashion.
That's been the conventional wisdom for decades, but I don't actually think it's true. I wonder if anyone has done any tests.
The reply address for spam is almost certainly bogus. And I don't think it makes sense to target people who unsubscribe for more spam. They ain't likely to buy anything.
Secret, probably not. But in most cases I'm reasonably confident that each email address I use is currently only known by me, the one site I registered it with and the NSA.
I have a couple of email addresses that thanks to that address either having been sold, hacked or given away by including in the to/cc field of a mass mailing are now out in the public domain, and I get spam (and almost certainly malware attempts) on those two on a pretty regular basis. I'd prefer to not have the rest of my email addresses end up in the same situation.
If you wanted to collect likely-valid email addresses to sell to spammers, this would be a good way to go about it. I doubt they are, but can understand the suspicion.
Am I the only one who is reminded of the "Has your credit card number been stolen? Check here!" phishing ads?
Isn't there a better way to check for stolen addresses than to enter your email on a dodgy (hey, I followed a link on Hacker News) website? Such as calculating a hash on the client, and sending the hash for verification?
This is an impressive service (the speed, especially)...collation of different data sources into one easily accessible form is a hugely useful and underrated service. That said...there's no such thing as better security without an equal tradeoff. Here, it's now much easier (especially with the site response speed) for a third party to look up email addresses, see who they've patronized, and aggregate them into a database of less noble intent.
To check if a given email address was an Adobe/Gawker/whatever customer, you would've not only had to query every separate form but you would also not be guaranteed to get a definitive response (because some services will be ambiguous to whether you got a password wrong or whether the account exists at all). With the OP's service, with positive hits, you not only get confirmation of patronage, but knowledge that they are vulnerable, even if in a small, outdated way.
It's likely something Troy has anticipated but didn't want to outright say...In the end, knowledge is better than ignorance, and the correct response is for more rapid response to hacked victims and better security awareness. But I also wonder if there's a way to provide the OP's service with more (beneficial) obfuscation?
I disagree with your thesis; anyone with malicious intent can be assumed to already have their own copy. Even the Adobe dump is under 4gb compressed - a trivial amount of storage.
Additionally, there is a huge long tail of publicly available user databases that are not included in this site, which along with the lack of hashes makes it worthless for the purpose you envision.
It's also extremely easy to tell if an email is registered on a website if you aren't concerned about the victim being notified. You just need to attempt to either reset the password (it'll say whether the email exists) or register a new account with their email.
Whoa, slow your roll buddy. This could be really easily done by preprocessing the data and creating simple objects in redis. One object = email, sub objects of email could just be flags for the service it's on.
It's not the processing that's the bottleneck, it's the gathering and the initiative to do that gathering which is rare. For example, criminal records and notices have always been collectable and, once collectable, searchable. But the incidence of "a prospective employer googled me and found a 5 year old article of me publicly urinating in college" became more of an issue in the age of Google.
This isn't an indictment of Troy at all, just an observation (and I'm also just curious about what mitigation could be done, if any, that wouldn't severely inconvenience the end user). The security that exposed people had was security through obscurity, which is in the end, not enough security.
For the last 12 years or so I've been using unique email addresses. I have a catchall domain and established patterns for giving out email addresses. Over the years I've witnessed many companies either getting hacked or selling out their mailing list. I know this because I start to receive spam to these unique email addresses.
Just this morning I discovered that Sirius XM has been hacked. Shame.
It would make an interesting project to analyze all this history that I've built up.
I am in the habit of making up email addresses on the fly when I register for things. Looking in my spam folder, in the last couple of days I've had spam to the email addresses I submitted to Adobe, Groupon and Abbey National Bank (now Santander). As people have pointed out email addresses are not secret, but if they've leaked out of these businesses' databases it's a bit worrying what else they might be leaking.
I've started to sign up to sites with a unique email address based on the websites URL.
E.g. If I signed up to Myspace I would use Myspace@exampledomain.com
I have the mail server at "www.exampledomain.com" set to accept all emails under the domain so I can see if someone has passed on my details legitimately or via hacking.
Since I've started about 12 months ago I've not found any cross pollination which seems a good sign for the industry in general.
It also adds a layer of security as your sign-up email changes for different websites if you use the same password across several.
Passwords: I’m not storing them. Nada. Zip. I just don’t need them and frankly, I don’t want the responsibility either. This is all about raising awareness of the breadth of breaches.
I have a question...how big is the backend to this site? Its average response is about 100ms, which, to me, seems impressively fast considering the number of bulk records and the amount of concurrent traffic that such a site is getting. Besides the obvious indexing of the email field...anything special behind the curtains? Lots of machines? Something else besides a simple key lookup? Or am I just vastly overestimating how slowly a properly maintained DB will respond in such a situation?
Looking forward to it! The raising of awareness about security is alone pretty awe-inspiring, so the fact that I'm equally piqued by such technical details as the site's backend is really saying something about the impressiveness of the execution
The email I used for Adobe was caught in their breach. Good news? I not only used a different password, but I use a new email for almost every site. I have a wildcard email and Adobe is the only site I've ever used that particular email on.
Meanwhile, my yahoo account (which I basically use for nothing) is not listed as being exposed, but I logged into that recently and had a note that it had recently been logged into from India. Good golly.
That Adobe got hacked isn't your fault - that you chose a weak password and reused it, is.
Showing a few more numbers might help more people realize that their passwords aren't actually unique, creative or safe. The data that came out of the Adobe hack is pretty interesting, and the results are much more tangible than "oh no, pwned!".
Something like:
"Your password was used by 8290 people.
Furthermore, 2615 persons gave a plain text hint as to what the password might be."
Feature request: Could you strip the dots from user input if the email address is @gmail.com, and similarly strip the dots from the records of pwned email addresses? Gmail usernames are dot agnostic, and I sometimes use xyz@gmail.com, x.yz@gmail.com, etc. This makes it hard to use the tool to check if my Gmail has been pwned. (Also, I assume you don't do this already).
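One way to implement the normalization this feature request asks for, as an added example that is not code from the thread or from the site under discussion. It goes slightly beyond the request: besides dots, Gmail also ignores any "+suffix" in the local part and treats googlemail.com as the same domain, so both are folded as well. Lowercasing the local part for non-Gmail domains is an assumption (the RFC allows case-sensitive local parts, but mail providers almost universally ignore case). The breach records are constructed.

```python
# Constructed sample of addresses as they might appear in breach records.
RECORDS = ["John.Doe@gmail.com", "jane.roe+adobe@googlemail.com", "bob@example.org"]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def normalize_email(addr):
    """Canonical form so that spellings Gmail treats as identical compare equal."""
    local, _, domain = addr.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()   # assumption: case-insensitive local part
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0]               # Gmail ignores everything after '+'
        local = local.replace(".", "")               # and all dots in the local part
        domain = "gmail.com"                         # googlemail.com delivers to the same box
    return f"{local}@{domain}"


def build_index(records):
    """Normalize once at load time so lookups are a plain set membership test."""
    return {normalize_email(r) for r in records}


def is_listed(addr, index):
    return normalize_email(addr) in index


if __name__ == "__main__":
    idx = build_index(RECORDS)
    for query in ["j.o.h.n.doe@gmail.com", "jane.roe@gmail.com", "b.ob@example.org"]:
        print(query, "->", is_listed(query, idx))
```

Dots stay significant for every other domain, so "b.ob@example.org" correctly does not match the record for "bob@example.org".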
This is what caused me to start using a password manager. I always knew that I should, but it seemed to be a major pain; if I had known how convenient it is, I would have switched to it long ago.
Instead I first started off with my own "password generator":
import random
import string
import sys

# Draw from the OS CSPRNG rather than the default Mersenne Twister,
# since the output is used as passwords.
_rng = random.SystemRandom()

def generate_random(length, simple):
    # printable minus its six trailing whitespace characters; "simple" keeps only letters and digits
    chars = string.ascii_letters + string.digits if simple else string.printable[:-6]
    return ''.join(_rng.choice(chars) for _ in range(length))

def username():
    return generate_random(length=4, simple=True)

def password(length):
    return generate_random(length=length, simple=False)

if __name__ == '__main__':
    length = 6
    if len(sys.argv) > 1 and sys.argv[1].isdigit():
        length = int(sys.argv[1])
    for i in range(20):
        print(username(), password(length))
I'd like to see a site which validates whether or not your password is exposed. Users should assume that it is exposed, but it would be nice to know whether or not it's floating around in some list somewhere.
Problem is, I can't think of a computationally efficient way to perform this check securely. I could see handing the user a nonce, asking them to manually hash their password concatenated with the nonce, and then comparing the user's response with a list you've hashed yourself, but I'm sure this won't scale well.
Is there such a thing as a secure, or "blind", bloom filter which allows a user to search for some chunk of text without exposing to the world what that chunk of text is?
It's possible to write a tool that will figure out all algorithms/salts used by compromised sites, and then hash your password with those algorithms/salts and see if that hash appears in the compromised password files.
Most of the compromised sites use worthless password storage mechanisms, like unsalted hashes or plaintext, so this level of sophistication is mostly unnecessary. For example, say you used the password "foobar".
Sorry, that was overly snarky and that wasn't warranted.
Are you talking about how you store your own passwords so that you may retrieve them in order to log into some service, or are you talking about how you store user credentials as part of an application?
If you're storing your own passwords, just use a well-rated password locker program, or store them in a TrueCrypt volume or similar. If you're storing your users' passwords... well, don't -- store the hash like that Atwood article suggests.
To your initial question, if you need to use the output of one program as an argument to another program, you can wrap it in backticks:
No, I am just storing my passwords in a text file and I don't want to do it plaintext, but I also don't want to have to encode the whole text file and have to decode it first to use it. Just make it more complicated if someone opens it.
Thanks for the reminder of ticks (`) I was accidentally using single quotes (')
Ah, then I stand by my original advice. Keep in mind, base64 encoded ascii/UTF-8/whatever encoding you like is still plaintext. If you want to be secure, use a password locker program or store them in a text file inside of a small encrypted volume which you unmount as soon as you're done with it (TrueCrypt is nice for this).
But if you don't care about them actually being secure, party on...
Aside from backticks, you can also use the dollar quote (I'm sure this has a better name):
$(some_command some arguments | some_other_command)
Finally, back to the original "how do I combine this with md5" question, you don't, as that won't do what you want. That is, you want to be able to recover the plaintext, but cryptographic hashes are designed specifically to make that practically impossible.
Many comments suggest to use password managers like lastpass, 1pass, etc. But I think that may not be a good idea:
a. What if lastpass/1pass is compromised?
b. You have to login to retrieve your password, which is inconvenient.
I think the best solution to this is to make sure your passwords ONLY exist in your head, nowhere else. And to NOT reuse your passwords, you have to create a unique and reasonably strong one for each service.
So how do I remember all these unique and strong passwords? I create an algorithm which takes two parameters as inputs: my username and the domain of the service, it will do some simple manipulation of the inputs and give me a reasonably strong password. Hence, all you need to do is to remember your algorithm and use it to compute your password when you need it. Of course, you want the algorithm simple enough to be done in your head.
Cases like these are why you should NEVER use the same password on different sites. While my email is in the Adobe list, the password I used there is unique so I don't bother too much, other than that I've lost any trust in Adobe and I'll think twice about doing any business with them in the future.
I got an email from LastPass about being caught up in the Adobe breach and it took me one evening, two cups of coffee, and a lot of patience to switch all my passwords to auto-generated strings and enable 2-factor where I could.
Only now in this fleeting moment do I realize that I'm now tied to LastPass's ecosystem.
For every different site I use a different email address, so I know when something fishy is going on. So I might have hackernews@mydomain.com. The form won't accept just @domainname.com :(
This database includes emails that were simply listed in these data breaches. Newer Adobe account emails were put in as entries in the database, but their associated password/hint data was not. There were quite a large number of these in the leaked db, including some of mine. I had to download the whole thing and search to realize that the only information revealed/stored was the email address.
Idea: Write a service that you pass the unsalted hash to (only salted hashes in the DB please), and the email address and hash type. Stop people if their hash matches any previous ones.
Obviously this would stop people providing the same password for all services... But might creep some people out!
Would hopefully highlight how insecure/guessable non salted hashes are. Does anyone know best practice for doing things like this?
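The two checks discussed in this thread side by side: the nonce challenge proposed further up ("hand the user a nonce, have them hash their password with it, compare against a list you've hashed yourself") and a hash-prefix bucketing scheme that avoids sending the raw unsalted hash this post asks for while still scaling. This is an added example with a constructed leaked-password list, not code from the thread or from the site under discussion; the prefix scheme is a general k-anonymity technique, not something the page attributes to any service.

```python
import hashlib
import hmac
import secrets

# Constructed sample of leaked plaintext passwords; stands in for a real dump.
LEAKED_PASSWORDS = ["123456", "password", "foobar", "letmein", "qwerty"]


# --- Scheme 1: per-query nonce, as proposed in the thread -------------------
def server_issue_nonce():
    """Fresh nonce per query so a precomputed table of responses is useless."""
    return secrets.token_hex(16)


def client_response(password, nonce):
    """HMAC of the password keyed with the nonce; only this leaves the client."""
    return hmac.new(bytes.fromhex(nonce), password.encode(), "sha256").hexdigest()


def server_verify_nonce(response, nonce, leaked=LEAKED_PASSWORDS):
    """The server must re-hash its entire list under this nonce: O(n) work per
    query, which is the scaling problem raised above. Note also that the server
    knows the nonce, so it can still test guesses against the response offline;
    the nonce defeats precomputation but does not make the query blind."""
    return any(hmac.compare_digest(response, client_response(pw, nonce)) for pw in leaked)


# --- Scheme 2: hash-prefix bucketing (k-anonymity range query) --------------
PREFIX_LEN = 5


def build_prefix_index(passwords):
    """One-time server precomputation: SHA-1 of each leaked password, keyed by prefix."""
    index = {}
    for pw in passwords:
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        index.setdefault(digest[:PREFIX_LEN], []).append(digest[PREFIX_LEN:])
    return index


def server_range_query(index, prefix):
    """The server sees only the prefix and returns every suffix in that bucket,
    so it learns neither the full hash nor which entry (if any) matched."""
    return index.get(prefix.upper(), [])


def client_is_pwned(password, index):
    """The client hashes locally, sends the prefix, and finishes the match itself."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[PREFIX_LEN:] in server_range_query(index, digest[:PREFIX_LEN])


if __name__ == "__main__":
    nonce = server_issue_nonce()
    print(server_verify_nonce(client_response("foobar", nonce), nonce))  # True
    index = build_prefix_index(LEAKED_PASSWORDS)
    print(client_is_pwned("foobar", index), client_is_pwned("correct horse battery staple", index))
```

For the registration-time check this post proposes, a site would call the equivalent of `client_is_pwned` on the candidate password before accepting it; the range query answers in O(bucket size) per lookup with a one-off precomputation, where the nonce scheme costs a full pass over the list for every query.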
Aside from those who enter fake addresses or addresses they do not control, the folks who set up websites like this can also connect each email address with an IP address. This might be useful, e.g., for determining geolocation. It is sad to think that naive users are falling for this every time a data breach makes the news, handing over their email address to total strangers.
Welp, I now know my login was a part of the Adobe leak.
Shouldichangemypassword.com sent me an email a few weeks ago saying my email address was found in a leaked database, although they couldn't say which one. Considering I have more than 100 accounts which use that particular email address, it didn't help at all. This site did!
Is it possible to apply the same hash function to a string as it’s done in the users database of the Adobe breach? I think it is 3DES. I’ve been able to obtain my (hashed) credentials, but as it seems my account is deactivated at adobe.com (probably due to inactivity?), so I’m not able to test which password I used. :(
Weird.
Flagged a hotmail addy I rarely use as having been compromised in the Adobe breach, but I don't recall ever using that address with Adobe and when I plug it into Adobe to reset the password for it, it says that they have no account associated with that address.
This site has done a good job highlighting just how badly Adobe screwed up with their data breach. Everyone in my office had their email address show up from the Adobe breach (including mine) and based on the comments, everyone else mostly did as well. Whoa.
This is a great service -- I've already shared it with my colleagues. But doesn't this tool now make it easier for those with a grudge to find their enemies' compromised accounts? ...all the more reason to change your passwords...
I always have an uncomfortable feeling these exist purely to harvest email addresses. Not that it stopped me using it, the results are of interest and my email address is already plastered all over the place.
My gmail was fine but my yahoo mail is compromised, but I actually changed the password a couple weeks back because yahoo asked me, so it worked out fine. I have not used Adobe's services for over a year now.
Yup, works great, I've been using it for over a year. To login to banking on your phone, you first go to the Lastpass app, login to that, then copy the password to your bank, open their app, and paste the password in. Lastpass for Android also now has a notification that stays up while you're logged in, to remind yourself to log back out when you're done.
That's the way that it worked when I first started using it, but am I the only person using the full Lastpass browser these days? It's far more convenient than the old Authenticator -> Lastpass -> Browser authentication workflow that I had to use before the upgrade.
They have a mobile site, and if you get the premium subscription ($12/year?) you can use their mobile apps - I use the iOS and Windows Phone apps and both are very smooth. (They also have Android and Blackberry).
Even if it was a BS email, it could have been a part of the db. You'd be surprised at the kind of BS email addresses in the adobe dump. There are ~1K people who provided an @a.com email address.
People put in bogus addresses when they register for things. I have a domain that is similar to a common mash on the keyboard, and I get a steady stream of backscatter from people signing up to things with crap@keyboardmash.org.