Data breaches and password managers discussion

[rootyme]

Bad news for all. Reminder that everybody needs to use dedicated password managers these days. This dump is now infamously known as "the Naz.api stuffing list."

Deep dive: https://www.troyhunt.com/inside-the-massive-naz-api-credential-stuffing-list/
YCombinator Discussion: https://news.ycombinator.com/item?id=39028122
Enter your E-Mail ID here to check if you're part of the leak: https://haveibeenpwned.com/

Are you a Hathway consumer? There is yet-another-bad-news for you. In December 2023, hundreds of gigabytes of data allegedly taken from Indian ISP and digital TV provider Hathway appeared on a popular hacking website.

Relevant Reading: https://restoreprivacy.com/hacker-allegedly-holds-data-of-41-million-hathway-customers/
Enter your E-Mail ID here to check if you're part of the leak: https://haveibeenpwned.com/

 

[kartikoli]

If I am not mistaken wasn't a popular password manager was hacked few months back? I don't remember the exact name but it wasn't 1pass that my company uses (thats how I remember). Secondly how trustworthy are these checking websites if unknowingly we are providing more information to them by checking our emails

 

[rootyme]

Secondly how trustworthy are these checking websites if unknowingly we are providing more information to them by checking our emails

Tony Hunt is the guy behind that site. He is from Microsoft. Microsoft already has your mail ID. It's a reputed site running for around a decade now.

If I am not mistaken wasn't a popular password manager was hacked few months back?

It was lastpass.

 

[Rednekol]

Self hosting a password manager (like VaultWarden) is also a very viable method, if you don't wanna trust other corporations with your data

 

[Ramadhir Singh]

Reminder that everybody needs to use dedicated password managers these days

why anyone needs a pw manager ?
sorry it could be just me, but i fail to understand the need of a pw manager. where its can be just a simple logical pattern.
my shortest length of password would be 15char, unique for each site. no repetition in any site and non of them contains dictionary words.

based on my pattern, i make my password and check strength here https://www.security.org/how-secure-is-my-password/, my weakest password would need minimum "1 billion years' to crack according to this calculation.

Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

so please remind me again why everyone in this earth need password manager ?

--- About data breach --
nothing beats cowIN & adhar data breach.
Adhar data breach is like software upgrade cycle - https://www.thehindu.com/sci-tech/t...ns-got-breached-explained/article67505760.ece.
our Govt & Infosys might fire people if they don't do atlest twice a year.

 

[rootyme]

Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

You're not the only one doing that. I used to the same as well.

so please remind me again why everyone in this earth need password manager ?

Convenience and random 100+ character long passwords without any pattern that nobody can track or crack.

Your smart pattern still leaves you vulnerable in case somebody gets hold of it.

 

[n1r0]

Another advantage is if you have an autofill plugin in your browser, it's very easy to detect fake phishing sites. The plugin will autofill only on the real domain. There was this fake steam site that even I couldn't tell was fake, but when the autofill wouldn't work, I got wise.

 

[rootyme]

There was this fake steam site that even I couldn't tell was fake

Can you share the link?

 

[n1r0]

Can you share the link?

For obvious reasons I will not be sharing scam links, if you're so inclined google will help you find them.
Here's an example screenshot though:

 

[t3chg33k]

why anyone needs a pw manager ?
sorry it could be just me, but i fail to understand the need of a pw manager. where its can be just a simple logical pattern.
my shortest length of password would be 15char, unique for each site. no repetition in any site and non of them contains dictionary words.

based on my pattern, i make my password and check strength here https://www.security.org/how-secure-is-my-password/, my weakest password would need minimum "1 billion years' to crack according to this calculation.

Edit - here is one of my real password- Jib@ntoM@nush1958 - if one detect the pattern he understand which services it is related to and its too easy for me to change the password in the same pattern, let's say every 6 month, i would never run out of options.

so please remind me again why everyone in this earth need password manager ?

--- About data breach --
nothing beats cowIN & adhar data breach.
Adhar data breach is like software upgrade cycle - https://www.thehindu.com/sci-tech/t...ns-got-breached-explained/article67505760.ece.
our Govt & Infosys might fire people if they don't do atlest twice a year.

How many of your unique passwords would you remember all the time? I have nearly 500 unique entries in my password manager as of now and there is no way I was going to remember them unless I created a pattern.

The moment you start repeating, a single leak opens up a portal to multiple sites. If uniqueness is based only on symbols or characters, that is easy to cycle through.

As someone else mentioned, cross-platform auto-fill with site verification is a positive as is leak detection. Also, easy login makes it easier to not have cookies stored for most sites, reducing tracking.

May be passkeys will be the bigger step forward for most users.

 

[Darth Vader]

Set Password/MFA -> forget password -> reset password at every login = Winning at life ?

 

[rootyme]

Set Password/MFA -> forget password -> reset password at every login = Winning at life ?

This.

Step 0 - Become Ghajini

Step 1 - Launch notepad.

Step 2 - Close your eyes.

Step 3 - Run your finger throughout the keyboard as your heart pleases

Step 4 - Type the name of your paramour/spouse and her date of birth at the end

Step 5 - Copy

Step 6 - Paste in new/confirm new password

Step 7 - Save the notepad as ghajini-dump.txt

Step 8 - Repeat.

Step 9 - Remove the previous entry from ghajini_dump.txt

Step 10 - Repeat

Congrats, you're now immortal.

 

[ibose]

Step 1 - Launch notepad.

Step 7 - Save the notepad as ghajini-dump.txt

Now everybody knows.

 

[napstersquest]

Step 7 - Save the notepad as ghajini-dump.txt

 

[altair21]

what are yall's recommendations for password managers? I am pretty iffy after lastpass breach and self hosting is too expensive, I have just enabled mfa and have linked it to a Gmail id which in turn needs 2fa to be accessible and the password for that is around 15-20 characters even if they are duct words combined.
any advice for this approach?

 

[n1r0]

1. If you're using Gmail or have an Android, you should be using Chrome's auto fill to save your passwords. The advantage of this is:

• your passwords are sync'd across your devices, including Chrome on PC
• GBoard on Android will let you auto fill the credentials on any app
• added bonus is whenever a new sign in is detected on your account, your device will show you a notification

You end up using longer, random, patternless passwords for everything. And if there's ever a Gmail leak, you're gonna lose all your other accounts linked to it anyway.

--------------------------

2. Another non-Google option is using something like KeePass.

• On PC you use an app + browser plugin
• On Android you use a dedicated keyboard app which can auto type credentials directly to any app
• You can customize the character set and length for password auto generation. Some sites don't allow certain symbols, so easy to remove them from the set
• You can save other relevant data/notes apart from username & password

The issue here is the encrypted database file needs to be sync'd between PC & phone manually. You could put it on your GDrive, or set up an FTP on your home network to have auto sync. The obvious advantage is you are in full control of your database + decrytion key, so leaks are less likely/targeted than cloud based services.

 

[Salman Ahmad Khan]

what are yall's recommendations for password managers? I am pretty iffy after lastpass breach and self hosting is too expensive, I have just enabled mfa and have linked it to a Gmail id which in turn needs 2fa to be accessible and the password for that is around 15-20 characters even if they are duct words combined.
any advice for this approach?

I use Bitwarden. It's extremely simple and the extension is non-intrusive. In terms of security, it's open source and well audited.

Tbh, as long as you don't re-use passwords, you should be good with MFA. But a good password manager never hurts.

 

[ruseffraiun]

Thanks for sharing this https://haveibeenpwned.com/ website. I found out one of my accounts was leaked in Dubsmash leak which happened in 2018. Thank goodness I have been using Bitwarden for a long time and changed all of my passwords.

Btw, I highly recommend Bitwarden as PW manager, it's open source and comes with a lot of useful features.

 

[DewlanceWebHosting]

I think the Firefox built-in password manager is safe because it encrypts your passwords.

You can create a new 20MB partition and encrypt it. Then, store it in encrypted disk and use copy/paste for each website.

 

[rootyme]

boAt loses data of 7.5 million customers after being Hit with massive data breach​

Customer data for over 7.5 million boAt customers has appeared on the dark web. Personally identifiable information (PII)—like name, address, contact number, email ID, customer ID and more—is available for purchase. The threat actor has leaked around 2GB of data on the forum.

Hit With Massive Data Breach, BoAt Loses Data Of 7.5 Million Customers - Forbes India

The audio and wearables brand lost around 2GB of data on the dark web forum. Personally identifiable information like name, address and contact number is available for purchase

www.forbesindia.com