They're not booing. They're saying... no, wait, they're booing.
July 12, 2012 1:31 PM   Subscribe

Single-serving website to see if your credentials were compromised in the recent posting online of "usernames and passwords for what appeared to be 453,492 accounts belonging to Yahoo, but also Gmail, AOL, Hotmail, Comcast, MSN, SBC Global, Verizon, BellSouth and Live.com users." [via mefi projects]
posted by davidjmcgee (83 comments total) 12 users marked this as a favorite

 
I do not trust any website with "thatsaspicymeatball" in the address with my information. Mods?
posted by eurypteris at 1:39 PM on July 12, 2012 [4 favorites]


Some interesting statistics (pastebin).

You'll note that 117 people had 1 character passwords.
posted by tommasz at 1:40 PM on July 12, 2012 [5 favorites]


I would assume that the mods would never have let this go up on Projects if it weren't legit.
posted by Faint of Butt at 1:42 PM on July 12, 2012 [1 favorite]


Mods?

domainist.
posted by Avenger50 at 1:43 PM on July 12, 2012 [2 favorites]


Thanks!
posted by probably not that Karen Blair at 1:44 PM on July 12, 2012


"hunter2" has apparently be compromised.
posted by ODiV at 1:44 PM on July 12, 2012 [16 favorites]


I would assume that the mods would never have let this go up on Projects if it weren't legit.

How would they know?
posted by Blazecock Pileon at 1:44 PM on July 12, 2012 [2 favorites]


Yeah, I didn't notice the url until I sent it to my mother with the suggestion that she check her gmail account.
posted by ChuraChura at 1:44 PM on July 12, 2012


Are projects posts approved?
posted by eyeballkid at 1:44 PM on July 12, 2012


I mean, any site that asks me to submit my password for some other account sounds totally legit amirite?
posted by eyeballkid at 1:45 PM on July 12, 2012 [4 favorites]


Here is the source code of the link. You put in your email address, and it checks your email address against the list of lost addresses. Helpful! Safe! Enjoy!
posted by davidjmcgee at 1:47 PM on July 12, 2012 [5 favorites]


You don't have to give it your password...just check an email address.
posted by emjaybee at 1:47 PM on July 12, 2012 [5 favorites]


If you send me your full name, date of birth, SSN, mother's maiden name, name of your first pet, the name of the best man at your wedding, the city you were born in, and the make of your first car, your e/mail address, bank account number, credit card number (with security code and expiration date), and the name of your favorite high school teacher, I will make sure that you'll never need to worry about your retirement funds, your bank balance, your credit limit, or making posts to your facebook page... trust me.
posted by HuronBob at 1:48 PM on July 12, 2012 [9 favorites]


I don't even know any of my passwords now- they're all crazy jumbles of characters generated from LastPass.

Time to go hit the button and generate new random jumbles I guess.
posted by winna at 1:48 PM on July 12, 2012 [2 favorites]


Yeah, it's fine and done by a longtime member that has tons of cool programming projects. You might remember them from such super hits as MetaFilter Comments vs. YouTube Comments.

This is a helpful tool to check if you showed up in the compromised data dump, it's a good tool and serves to warn users to change their passwords asap (like the gawker password checker a few years ago).
posted by mathowie at 1:48 PM on July 12, 2012 [12 favorites]


omg, my password "1" has been compromised
posted by found missing at 1:49 PM on July 12, 2012 [6 favorites]


The code on the site appears to only run locally, your email/password is not actually sent anywhere. The site works just as well if you load up the page and then unplug your internet.

FWIW I'd trust a silly URL like that over something like www.check-your-yahoo-password-here.com
posted by theodolite at 1:49 PM on July 12, 2012 [6 favorites]


But good news! "y" has not been compromised.
posted by mrnutty at 1:50 PM on July 12, 2012 [1 favorite]


Hey guys, I made this site. Whatever you type in the input box is MD5 hashes and only the prefix of that hash is sent to my server to pull a set of hashes that match that prefix and perform the check. Feel free to examine the source code on github if you have any concerns, or let me know if you'd like me to answer any questions about it. Thanks!
posted by bertrandom at 1:50 PM on July 12, 2012 [59 favorites]


It's things like this that remind me that Yahoo still exists.
posted by NotMyselfRightNow at 1:53 PM on July 12, 2012 [10 favorites]


Oh I guess I'm wrong, it transmits five characters, each more terrifying than the last
posted by theodolite at 1:53 PM on July 12, 2012 [2 favorites]


Thanks bertrandom!
posted by culberjo at 1:55 PM on July 12, 2012 [1 favorite]


Feel free to examine the source code on github if you have any concerns

That, of course, doesn't prove anything, since there's no reason the site has to be using the same source as what's on the git repository.

I don't think you're doing anything nefarious, but really, it probably would've been better to only check email addresses, not passwords. People should never get in the habit of typing passwords into any site or program other than the one the password is for.
posted by jedicus at 1:59 PM on July 12, 2012 [7 favorites]


Yeah, thanks bertrandom!

I'd probably be less enthusiastic if my gmail account showed up in that dump.
posted by figurant at 1:59 PM on July 12, 2012 [1 favorite]


Look at those folks with 20+ character passwords. Doesn't matter how strong you make your passwords if you can't trust the other end to maintain good security, I guess.
posted by Justinian at 1:59 PM on July 12, 2012


bertrandom: "Hey guys, I made this site. Whatever you type in the input box is MD5 hashes and only the prefix of that hash is sent to my server to pull a set of hashes that match that prefix and perform the check. Feel free to examine the source code on github if you have any concerns, or let me know if you'd like me to answer any questions about it. Thanks!"

I was about to write the same thing. Unless there's something really nonobvious and underhanded going on in the crypto lib, as far as I can tell, the source code is legit (and provides a very clever layer of anonymity; you're only sending him the first two characters of the hash of your username/password, and doing the rest of the matching client-side; it's bandwidth-heavy, but should be extremely secure)
posted by schmod at 2:01 PM on July 12, 2012


I made an account on a site recently that had a max character limit of 12 on passwords. That was a bit weird.
posted by ODiV at 2:01 PM on July 12, 2012


Okay, I'm convinced, not a scam. But for real davidjmcgee, a web page with a silly URL and a box asking for email or password looks pretty sketchy to those of us who don't know what to make of source code (well at least it did to me).

Unless... it's all a conspiracy to steal my precious identity and davidjmcgee, bertrandom, theodolite, and mathowie are all in on it! How far back does it go?! DAMN YOU METAFILTER!!!
posted by eurypteris at 2:01 PM on July 12, 2012 [4 favorites]


I was about to write the same thing. Unless there's something really nonobvious and underhanded going on in the crypto lib, as far as I can tell, the source code is legit

Again, this doesn't prove much. First, you're asking people to trust you, both to be honest and to be competent. Second, who's to say the author won't switch the source code at a later time? Or that they serve one version to people coming from MetaFilter and another to everyone else? Or that they play the odds by only serving the evil version to a small random percentage of site visitors?

I'm not saying you're dishonest or that your assessment of the code wasn't accurate. I'm just explaining why this kind of site has questionable utility: they can't be trusted except by experts who can dissect the code themselves each time they load the site, and it teaches everyone else bad habits.

And anyway, the only real use of the site is to know if your username has been compromised. Your password is not necessarily unique, so simply getting a "yup" doesn't tell you if your particular account was compromised.
posted by jedicus at 2:10 PM on July 12, 2012 [4 favorites]


Disagree; if your password is not unique it means your password is far too weak and should be changed immediately.
posted by Justinian at 2:12 PM on July 12, 2012 [4 favorites]


I'm going to assume it's not kosher to post a link to a pastebin of the compromised username/password list here, but from a security standpoint, it's probably safer to access that and use your browser's Find feature to see if your info is there. Submitting your username or password to another third-party is missing the forest for the trees...
posted by antonymous at 2:12 PM on July 12, 2012


Well that's why I only buy software boxed in a store and shipped by a manufacturer, because clearly that's the only way you can know something's never been corrupted. I wouldn't touch that open source stuff with a 10 foot pole.
posted by symbioid at 2:14 PM on July 12, 2012 [2 favorites]


Thanks to whoever sent me the email offering to check if I'd been compromised for me. I hope I provided enough information since I only replied with my email addresses and passwords and mother's maiden name.
posted by Justinian at 2:14 PM on July 12, 2012 [1 favorite]


12345.

Dammit.
posted by Old'n'Busted at 2:14 PM on July 12, 2012 [1 favorite]


Thank you, you lovely people! I just got a phone call in which I was told, by a heavily accented voice, that my computer had been compromised, (untelligible spiel) concluding "Would I please shut down your computer so I can guide you?" Through my stab of panic I blurted "NO!" and hung up the phone. The most cursory search would, of course, reveal me to be an elderly person with no tech skills at all but I did figure that doing whatever he said would get me in more trouble than I might already be in! Then I came here and --- lo and behold and bless you -- this post lets check my e-mail was not compromised in that fiasco.
posted by Anitanola at 2:21 PM on July 12, 2012 [1 favorite]


Unless... it's all a conspiracy to steal my precious identity and davidjmcgee, bertrandom, theodolite, and mathowie are all in on it!

It doesn't have to be a conspiracy. It can be one clever bad actor (the author) and a bunch of people who were successfully deceived. Again, I don't think that's what's going on here, but it would've been better to just leave off the password-checking feature.

Disagree; if your password is not unique it means your password is far too weak and should be changed immediately.

First, not necessarily. Your password could be a randomly generated 32 character string drawing from all printable ASCII characters and it could still, theoretically, not be unique.

Second, a weak password doesn't prove that your account was compromised, which is a different issue (e.g. someone could have a weak password, or a non-unique password, and yet still not have been in the compromised group). And even so, I think that limited utility is far outweighed by the fact that the site teaches people bad habits. If people want to learn how to make strong passwords there are ways to do it that don't involve trusting strangers on the internet with their existing passwords.
posted by jedicus at 2:22 PM on July 12, 2012 [3 favorites]


If it asks for email OR password, why on earth would you put in your password? Can't you just put in your email address if you're not sure if it's legit?
posted by rabbitrabbit at 2:26 PM on July 12, 2012 [1 favorite]


Your password could be a randomly generated 32 character string drawing from all printable ASCII characters and it could still, theoretically, not be unique.

In the same sense that, theoretically, I could let go of an apple and have it fall upwards. But we both know that wouldn't happen in practice.

You're right that I think the site teaches bad habits, though, I just was making the point that all passwords should in practice be unique.
posted by Justinian at 2:26 PM on July 12, 2012


12345.

That's amazing. I've got the same combination on my luggage!
posted by JHarris at 2:28 PM on July 12, 2012 [5 favorites]


You're right that I think the site teaches bad habits, though.

Yeah, I've seen a number of sites like this in recent months, with each big security compromise on sites like LinkedIn. They all look completely squeaky-clean and legit. But you can't go around telling people to put their email address / password into [random website]. It's just very bad practice.
posted by Jimbob at 2:29 PM on July 12, 2012


It doesn't have to be a conspiracy. It can be one clever bad actor (the author) and a bunch of people who were successfully deceived. Again, I don't think that's what's going on here, but it would've been better to just leave off the password-checking feature.

So, assuming a user doesn't successively enter both their username and the password for that same account, if this site were malicious the attacker would get 1) your password 2) your IP address. What's an attacker going to do with a contextless password and an address?
posted by junco at 2:30 PM on July 12, 2012


What's an attacker going to do with a contextless password and an address?

Build a database of passwords to try that might not be covered by existing dictionaries or rainbow tables? Scan the web for forums that tack the user's IP address next to every posting and use that as a jumping off point for tracking down associated email addresses?

Or, alternatively, ignore them and only worry about people who enter both a username and a password.
posted by jedicus at 2:38 PM on July 12, 2012 [1 favorite]


Many people are not computer savvy and don't spend much time thinking about things like that. They'll just learn that sometimes it is okay to type your email into a third party site and that sometimes it's okay to do the same with your password.

It's not a huge leap from that to typing them both into the same third party site.
posted by Justinian at 2:38 PM on July 12, 2012


Oh, yeah, I completely agree that "give your login credentials to this random website" is a bad thing, but I was responding more to the way the thread started off with people instinctively assuming it was a scam. Which on further reflection I think is a good thing, I guess, in that suspicion is the default response.
posted by junco at 2:44 PM on July 12, 2012


Once again, Yahoo has confirmed what I always suspected: godawful cluttered web interfaces are built by incompetent programmers, who should not be trusted with things as important as casual personal emails.

As if the rest of my experiences with Yahoo mail didn't already cement that fact...
posted by IAmBroom at 2:45 PM on July 12, 2012


"hunter2" has apparently been compromised.

So has "*******". Poor AzureDiamond.
posted by Blue Meanie at 2:48 PM on July 12, 2012


Well, apparently I have an email on the list. (Thanks for the app, bertrandom.) I see most of the accounts were related to what used to be known as Associated Content, so to add insult to injury I was hacked for making a measly .03/word a few years back.

I didn't use my Yahoo account for much beyond playing with Pipes, but still. Grr!
posted by jess at 2:49 PM on July 12, 2012


My sincere thanks for this!
posted by Renoroc at 2:57 PM on July 12, 2012


It says an old account I had was compromised, but of course I can't figure out what postcode I registered with (security questions to reset) or what my password was. I haven't used that account in 2 years.
posted by discopolo at 3:01 PM on July 12, 2012


It says an old account I had was compromised, but of course I can't figure out what postcode I registered with (security questions to reset) or what my password was. I haven't used that account in 2 years.

There's one easy way to find out your password...
posted by kmz at 3:16 PM on July 12, 2012 [1 favorite]


Surely the point is you DONT give your login details to this site. You change your details as a matter of course, then test your old credentials to see if they were compromised.
posted by urbanwhaleshark at 3:29 PM on July 12, 2012 [1 favorite]


People should never get in the habit of typing passwords into any site or program other than the one the password is for.

How is it going to know what the password is for? If you input monkeymuffinsareass how is the application going to tie that with an email address you didn't give it and know it's the password to your account?

It's not asking for both so I is there some thing I'm missing here? Is there some way an application can associate a word i submit to a form with an email I haven't given it?
posted by juiceCake at 3:34 PM on July 12, 2012


It's not asking for both so I is there some thing I'm missing here? Is there some way an application can associate a word i submit to a form with an email I haven't given it?

See above.
posted by jedicus at 3:36 PM on July 12, 2012 [1 favorite]


I understand that databases can built. I understand that I can take joeblow@gmail.com (which I got from an IP on a forum) and try to login to that account via a script or directly that takes from said database the specific password input from that IP, and if that doesn't work, all the passwords real or not that people have input into this system. I have my doubts that a script could attack a gmail account and try millions of passwords until it got a match unless login systems everywhere just allow this sort of thing. In my experience, multiple failed logins is a common red flag that locks down the account.

How often has this and does this happen?

That said, I'd have to agree that inputting a password you use and getting a positive match doesn't necessarily mean you've been compromised, only that someone else or many, use the same password. I don't really see the point of inputting a password at all for this reason alone.
posted by juiceCake at 3:47 PM on July 12, 2012


How often has this and does this happen?

Who knows? Probably not often, but better safe than sorry. And many people who might learn a bad habit from this site may turn around the next time there is a large site hack and happily fill out a form that asks for both their username and password.
posted by jedicus at 3:55 PM on July 12, 2012


The following passwords have been compromised:

assmunch, assmaster, butthead, buttmunch, and taters.

While these have not been compromised:

choadsmoker, knobgobbler, dongface, donghead, weredonkey, and snickerdoodle
posted by euphorb at 3:58 PM on July 12, 2012 [5 favorites]


Here's another site that checks to see if your account was in the leak. (It only accepts e-mail addresses, so the main risk is that you get signed up for spam.)
posted by asterix at 4:08 PM on July 12, 2012


I type my email into random sites all the time. An email address is not protected information.

I agree that the "or password" should be removed. Alternately, maybe just send this website to web savvy people and not to web unsavvy people.
posted by muddgirl at 4:21 PM on July 12, 2012


I told that site that I was feeling mediocre today, and asked if things are going to get better. It said "nope." (sigh)
posted by davejay at 4:23 PM on July 12, 2012 [1 favorite]


Ok, I have been working in web development/systems/IT since 1997. I felt ok putting my (naked, exposed!) password into this box to see if it had been compromised. Before that, I tried really hard to think what my Yahoo! username was. I could not remember, so I used two passwords I would have used to check. No.

I do not think that the creator of this site is interested in doing anything with my passwords.
posted by waitangi at 4:25 PM on July 12, 2012


It's my turn now to laugh at the people who criticized me for naming my first dog A7th$Qi9.
posted by vidur at 4:56 PM on July 12, 2012 [7 favorites]


None of my passwords have been compromised. HUZZAH FOR PEOPLE NOT GUESSING RANDOM WORDS AND/OR NAMES OF OTHER PEOPLE'S PETS AND DATES OF RANDOM NON-IMMEDIATE FAMILY MEMBER'S BIRTHDAYS!

This is seriously my metric for creating passwords that I can remember that people are unlikely to guess. Seems to be working thus far.
posted by sonika at 5:09 PM on July 12, 2012


If it asks for email OR password, why on earth would you put in your password?

I put in my passwords because I've used the same passwords for multiple accounts and it was honestly quicker to check the passwords than each account individually.

I know, I know, not the most secure. I know. My husband is constantly trying to get me to use a random password generator app thing that remembers crap for you and I'm just... well, I have no excuse other than "Hey! It's worked so far!"
posted by sonika at 5:15 PM on July 12, 2012


Also entering my passwords with absolutely *zero* other identifying data didn't seem to me to be too dangerous in terms of "crap that could come back to haunt me" but as you can see from my previous two comments, I might be something of an idiot.
posted by sonika at 5:17 PM on July 12, 2012


Looks like "passwerd," "pasword," "passwordd," "passward," "pastword" and my personal favorite "pissword" were all compromised! Is no one safe?
posted by Uppity Pigeon #2 at 5:20 PM on July 12, 2012


No "passw0rd?" I'm safe, woohoo!
posted by entropicamericana at 5:21 PM on July 12, 2012


Not sure about the value of the "password" check. Might be useful to verify that your password isn't common, but a "yep" doesn't indicate you were compromised, only that one or more of the compromised accounts used the same password. (You will be pleased to know that Pennsylvania65000 is still safe.)
posted by SPrintF at 5:29 PM on July 12, 2012


My husband is constantly trying to get me to use a random password generator app thing that remembers crap for you

sonika, the last go-round of this I bought LastPass (as mentioned above) and while it has issues you can research, in terms of ease of use it is really magical. I write down my main email passwords so if something crazy happened I could still get to them, but otherwise I don't have to remember or even type my passwords any more. They're all thirty-character random gibberish strings I can generate with the click of a button if I need a new one. I have like seventy of them, and for the things that are important I just have saved the password without the corresponding site.

He might be using something else, but he is right to try to get you to use it. It is infinitely easier than trying to make a bunch of passwords and remember them.
posted by winna at 5:40 PM on July 12, 2012


(I am not an expert, but I'm a layman who is concerned with password security) The long and the short of it is, if your passwords are over a certain length, they're not going to be 'cracked' anytime soon with dictionary attacks or rainbow tables. The biggest vulnerabilities right now are (1) your password is too short/common in a database that gets hacked, (2) your password is stored somewhere in a plaintext database, and you also use that password in other databases, or (3) you have a computer virus operating a keylogger or you use a public computer with a keylogger.

Using a unique password system of any kind is better than the longest, most complex password reused everywhere, because of #2 and #3. Nerds recently have started using the "4 random words shoved together" technique advocated by nerd darling Randall Monroe. Some people also think of a unique phrase and take the first letter of every word. I like KeePass because I have a good tactile and visual memory, but not a very good memory for words or phrases. Remembering one complex password is easier for me than 10 "mnemonic" passwords.
posted by muddgirl at 5:52 PM on July 12, 2012


Back when Gawker had its security issue, I took the opportunity to start using different made up passwords for each site and keeping them logged in a text file. It's greatly annoying, but that could also be a plus because it's made me aware of and enraged at how many websites demand that you give them a username and password before you can do anything on them, even if it's just to comment on a blog post or download a file.
posted by JHarris at 6:17 PM on July 12, 2012


... the last go-round of this I bought LastPass (as mentioned above) and while it has issues you can research, in terms of ease of use it is really magical

Another good one in the vein of LastPass and available for Mac and Windows is 1Password:

You can store usernames and passwords, and it also allows you to keep encrypted text notes or records of non-Web logins (e.g. MySQL logins, ftp servers, ssh logins). It has iPad/iPhone apps to go with it, and can store everything in a securely encrypted database on Dropbox for syncing. If you're paranoid about letting Dropbox have even an encrypted password database, you can just sync over your home Wi-Fi network.

It can also store multiple identities for things like registration forms, so when you come across forms asking for name/address/phone etc., you can fill out the form with a click, choosing whichever persona you care to use. I've got a work identity (work email, phone, address, title, etc.), a casual identity (my Gmail account and less info for places that demand a signup but that I don't want a long-term relationship with), a freelancer identity with all my dba information, and a "real me" identity with the very most specific, accurate and personal info.

Oh ... it also has special records for software licenses and credit cards. It's just an all around personal online information storage tank, and it makes password management really easy.
posted by mph at 6:23 PM on July 12, 2012


The password "compromise" is compromised.
posted by orme at 6:51 PM on July 12, 2012


Well, "login" is a compromised password, but at least its not for the "login" account.
posted by porpoise at 7:29 PM on July 12, 2012 [1 favorite]


Thanks for this great utility, bertrandom!

[And that's an awesome post title, by the way.]
posted by wenestvedt at 7:42 PM on July 12, 2012


Good news, everyone! "skynet" has been compromised!
posted by maryr at 9:53 PM on July 12, 2012


Nerds recently have started using the "4 random words shoved together" technique advocated by nerd darling Randall Monroe.

It's not new with Randall Monroe; I assume the xkcd strip was making an uncredited reference to diceware (which I think A. Reinhold published in 1996). Anyway, even if you use a password keeper, using something like a diceware password for the master password is not a bad idea.
posted by hattifattener at 11:48 PM on July 12, 2012 [1 favorite]


Good news, everyone! "skynet" has been compromised!

oh yeah, well so has "yourmom" !
posted by hattifattener at 11:50 PM on July 12, 2012 [2 favorites]


Passwords "internet", "yahoo", "gmail", "stupid", and "shit" all compromised. "Email" was not.
posted by Night_owl at 12:41 AM on July 13, 2012


Unless... it's all a conspiracy to steal my precious identity and davidjmcgee, bertrandom, theodolite, and mathowie are all in on it! How far back does it go?! DAMN YOU METAFILTER!!!
Oh. My. God.
posted by fullerine at 1:05 AM on July 13, 2012


Because it seems to have been missed thus far, here is the danger in putting one of your actual passwords into a form like this: When a database is compromised from some site that holds your login information, what the attackers often get are logins and HASHED passwords. The nature of a hash function is that it is relatively easy to go from plaintext->hash, but not the other way around. So, this is where dictionary-based brute force attacks are employed to try and generate hashes which match those in the database. See also rainbow tables. Alternatively, you can put a form up on the internet claiming to be a "compromise checker", and use it to gather potential passwords for hashing. So basically, don't ever put any real password into something like this.
posted by sophist at 3:23 AM on July 13, 2012 [1 favorite]


asdf, asdfg, qwerty all compromised.

obama compromised, romney not compromised.

manutd, liverpool, arsenal, chelsea all compromised. spurs and mancity not compromised (you'll never be a big club, etc).
posted by Infinite Jest at 3:59 AM on July 13, 2012


So basically, don't ever put any real password into something like this.

...without first checking the source code.
posted by muddgirl at 7:07 AM on July 13, 2012


I got some spammy spam e-mails after the hack and I was worried — even though it is hardly uncommon for me to get spammy spam e-mails and I have never touched Yahoo Voices in their bathing suit area with my bathing suit area. This made me breathe easier, like double-checking the front door lock in the middle of the night. Whew! Thanks.
posted by steef at 3:25 PM on July 13, 2012


« Older "Truman told Jack that he was frankly surprised th...  |  The Dunlap broadside was the f... Newer »


This thread has been archived and is closed to new comments