New tools against (old) data breaches
February 5, 2019 10:25 AM

On January 17, 2019, 'Collection #1' revealed 773 million email addresses and passwords (PC World), followed by Collections #2-5, plus two more, which together dwarfed Collection #1 (Computer World). Though daunting in scale, it seems these collections are made up of individual breaches from thousands of different sources (Troy Hunt, security researcher), and may not contain newly compromised accounts (Recorded Future, US security firm). Hunt runs the free service, Have I Been Pwned (previously), where you can check email addresses or passwords against published breaches like these, or get notified if your email address is included in newly published breaches. Google partnered with HIBP in Password Checkup, a new Chrome extension (Wired), similar to Firefox Monitor, another HIBP coordination (Sophos Naked Security).
posted by filthy light thief (13 comments total) 31 users marked this as a favorite
 
I have recently started using a password manager (LastPass), only to discover that it doesn't have HIBP integration and no plans to provide one. Changing my passwords after the latest breach was therefore a bit more of a bother than it might have been, but much, much less of one than it would have been if I hadn't used any password manager at all.

So... I can recommend starting to use one now. Like, right now.
posted by hat_eater at 10:34 AM on February 5, 2019 [3 favorites]


Does anyone know where you can conveniently (preferably without going down the darknet/Tor rabbithole) get at the actual data?

I'd like to see what password they have associated with my email address. Unfortunately, the HaveIBeenPwned site just gives you a thumbs up/down on whether a particular username is listed; you can't see the data associated with it.

Telling people "you should change your passwords" is fine advice, right up until you have a thousand+ accounts created over decades. It'd be nice to be able to run a search against my password manager and know definitively that there aren't any accounts out there still using a password that's been compromised. But without knowing exactly what was in the breach(es) it's difficult to do that.
posted by Kadin2048 at 10:40 AM on February 5, 2019 [3 favorites]


I'd like to see what password they have associated with my email address. Unfortunately, the HaveIBeenPwned site just gives you a thumbs up/down on whether a particular username is listed; you can't see the data associated with it.

I just want to know the website associated with the breach; I'm showing that one of my emails has been in one of the dumps once, and it would be great to know which site that was from. I try pretty hard to not use the same passwords across multiple sites, so it would be good to just change that one.
posted by nubs at 10:44 AM on February 5, 2019 [1 favorite]


Well, one sure-fire way to tell is wait for the sextortion scam emails to arrive!

I have received three, all proffering the same password -- which, to be fair, was a real password -- but I only used it on one site ever, and it was changed YEARS ago.

Still, good to know that the Stratfor breach is still being used to make hay for scammers, years and years on.
posted by wenestvedt at 10:58 AM on February 5, 2019 [4 favorites]


I'd like to see what password they have associated with my email address. [...] Telling people "you should change your passwords" is fine advice, right up until you have a thousand+ accounts created over decades.

I think the general advice is to change your passwords, say, once a year. I'm terrible at this myself.

Alternatively, from Troy Hunt's article:
1Password's Watchtower feature [...] can take all your stored passwords and check them against Pwned Passwords in one go. The same anonymity model is used (neither 1Password nor HIBP ever see your actual password) and it enables bulk checking all in one go.
But it looks like Troy Hunt/HIBP has an API that other sites and services can use to query the HIBP password list, and if you have a password list, you should probably just spend some time and do that yourself. The pairing of email address or user name with password only matters for someone trying to replicate an exact pair, but chances are, that's not the only way these data breach dumps are used.

Finding if one of your passwords is in the database, even if it's used by someone else, is good to know because that means this is not a password you should be using at all. It could be used in a dictionary attack, based on known passwords instead of an actual dictionary. So even multi-word passwords, like correct horse battery staple (oblig. XKCD), are no longer safe because someone used it.
posted by filthy light thief at 11:29 AM on February 5, 2019 [7 favorites]
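The k-anonymity range lookup that the quoted Watchtower passage relies on, and the "query the HIBP password list yourself" suggestion above, as an added example. This is not code from the original post, from Troy Hunt/HIBP or from 1Password: it SHA-1 hashes the candidate password, sends only the first five hex characters of the digest, and compares the returned suffixes locally, so the full hash never leaves the machine. The range URL is HIBP's public endpoint; the offline server stand-in, its breach counts, the filler lines and the `fetch_range`/`build_fake_server` names are constructed for this demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List

# A fetcher takes the 5-character hash prefix and returns the response body.
RangeFetcher = Callable[[str], str]

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 password, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: RangeFetcher) -> int:
    """k-anonymity lookup: only digest[:5] leaves the client; the suffix match is local.

    Returns how many times the password appeared in the corpus, 0 if absent.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        tail, sep, count = line.strip().partition(":")
        if sep and tail.upper() == suffix:
            return int(count)
    return 0


def bulk_check(passwords: Iterable[str], fetch_range: RangeFetcher) -> Dict[str, int]:
    """Watchtower-style bulk check of a password-manager export.

    Ranges are cached so passwords sharing a prefix cost one request, and the
    server still only ever sees 5-character prefixes.
    """
    cache: Dict[str, str] = {}

    def cached(prefix: str) -> str:
        if prefix not in cache:
            cache[prefix] = fetch_range(prefix)
        return cache[prefix]

    return {pw: pwned_count(pw, cached) for pw in set(passwords)}


def live_fetcher(prefix: str) -> str:
    """Real network fetcher against the HIBP range endpoint (not used by the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# ---- Constructed offline stand-in for the range endpoint (NOT real breach data) ----
FAKE_CORPUS = {"password": 3730471, "123456": 23597311,
               "correct horse battery staple": 1}


def build_fake_server(corpus: Dict[str, int]) -> RangeFetcher:
    """Return a fetcher that answers like the API: 'SUFFIX:COUNT' lines, CRLF-separated."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in corpus.items():
        d = sha1_hex(pw)
        ranges.setdefault(d[:5], []).append(f"{d[5:]}:{count}")

    def fetch(prefix: str) -> str:
        assert len(prefix) == 5, "the client must send exactly 5 hex characters"
        lines = list(ranges.get(prefix, []))
        # Constructed filler suffixes, so the answer never consists of just the hit.
        for i in range(3):
            lines.append(f"{sha1_hex(f'filler-{prefix}-{i}')[5:]}:{i + 1}")
        return "\r\n".join(sorted(lines))

    return fetch


if __name__ == "__main__":
    fetch = build_fake_server(FAKE_CORPUS)
    for pw, n in bulk_check(["password", "123456", "Tr0ub4dor&3-no"], fetch).items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the corpus")
```

To run it against the real service, pass `live_fetcher` instead of the fake server; the only thing that changes is where the five-character prefix goes. A hit count of zero means the password is not in the corpus at the time of the query, not that it is strong.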


For people who are averse to following links, a "dictionary attack" doesn't just use a published dictionary, it uses a collection of words and phrases along with trivial substitutions culled from prior attacks and popular media. So according to Ars Technica, brute-force uncrackable phrases like "there is no fate but what we make" and "Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn1" have been cracked by security experts using pop-culture quotes as a dictionary.

So if you can, use random character passwords where you can, and if you must have a human typable phrase there are the Electronic Frontier Federation lists and the diceware list.
posted by GenderNullPointerException at 11:52 AM on February 5, 2019 [3 favorites]


www.rempe.us/diceware/ is a nice web implementation of the EFF list.
posted by zamboni at 12:19 PM on February 5, 2019 [3 favorites]


So if you can, use random character passwords where you can

I've been known to literally slap the keyboard with both hands and then do it again with the shift button pressed. I figure something like fffff5ggbhb2fbgt7g7tygy2fbbfrG@T&GT^@ETVF^&*@RTF (not a real example) is reasonably unbreakable.

For passwords I actually have to remember, I like using an address and a postal code I have memorized but that doesn't go with that address (eg - again not a real example - 200MainStreetT6y7l9).

Tell me these aren't totally stupid approaches.
posted by joannemerriam at 1:56 PM on February 5, 2019


For passwords I actually have to remember, I like using an address and a postal code I have memorized but that doesn't go with that address (eg - again not a real example - 200MainStreetT6y7l9).

Cities are not exactly creative with street names, so it wouldn't be a big problem to scrape a good list from a postal or GIS database, and then iterate over a 4-digit prefix and 5-digit suffix. Since a homebrew rig can do millions of guesses per second for MD5 or SHA1, it wouldn't be difficult to try a large number of them.
posted by GenderNullPointerException at 2:32 PM on February 5, 2019 [2 favorites]


My old account has been Pwned *eleven* times, yikes! Thanks for this post, looks like I’ll be referring to it for some time.
posted by cotton dress sock at 6:33 PM on February 5, 2019


For passwords I actually have to remember, I like using an address and a postal code I have memorized but that doesn't go with that address (eg - again not a real example - 200MainStreetT6y7l9).

There are worse approaches, but it's not great. Particularly if someone knows your algorithm, they could run every address (hell, every reasonable number combined with every street name) in conjunction with every postal code, if an "offline attack" is possible.

Basically what you are doing is picking one element each from two (admittedly long, but still finite) word lists. You are better off choosing more elements at random, even if the underlying lists you're choosing from are smaller. Password complexity increases linearly with the number of options you're choosing from, but exponentially with the number of elements.

E.g., if you had the option of choosing a password comprised of two words at random from a 10,000-word list, the number of possible passwords is 10000^2 or 100M. But if you choose three words at random -- even from a much shorter list, say 1000 words -- you're at a billion (1000^3) possible passwords. So you've increased the search space by a factor of ten even though on casual inspection it might look like a more "simple" password.

This is why methods like Diceware produce very secure passwords (well, passphrases) even though the dictionary it uses isn't really that long. Six Diceware words yield 2.2*10^23 combinations (technically, permutations) using a word list that has 7,776 words (only about a dozen double-sided pages).

There are apparently around 1.2M addresses in the US and 42,000 ZIP codes, so picking any address at random and any ZIP code yields a search space of 5*10^11 options (if I did my napkin math right), less than what you'd get with four Diceware words.

All this said... up until a few years ago, and still in some places today (shame! shame!), you weren't allowed to use arbitrarily-long passphrases, leading to lots of crappy passwords, and encouraging mental tricks to create "good" passwords that satisfied cargo-cult password-complexity rules. I try to create good ones now whenever possible, but it's really hard and not entirely reasonable to expect users to go back and change passwords on every account they have every year or something. (The annual-password-change thing is a great idea, but I'd have to take a week off every year if I was actually going to do it. Good for a few key accounts though, certainly.)

Having a password keeper program that can do offline validation against the leaked-password lists seems like a really good idea; I'm playing with the HIBP hash list right now. Ideally, a password keeper should check against not just known data breaches but also all common data sources that you'd seed a password cracker with. Dictionaries, obviously, but also common English phrases, all valid phone numbers, all valid dates in various common formats, etc.
posted by Kadin2048 at 7:23 PM on February 5, 2019 [2 favorites]
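An added example, not from any commenter, that makes two of the points above concrete: the structured offline attack GenderNullPointerException describes against the number+street+postcode scheme, and Kadin2048's search-space arithmetic, plus the five-dice lookup used with the EFF/Diceware list mentioned earlier. The street names, postal codes and the eight-word list are constructed stand-ins (real street and postcode lists are far larger); the target hash is the commenter's own stated-non-real example "200MainStreetT6y7l9"; `dice_to_index`, `crack_unsalted_sha1` and the other function names belong to this example, not to any tool.

```python
import hashlib
import math
import secrets
from itertools import product
from typing import Dict, Iterable, Optional, Sequence, Tuple


def search_space_bits(list_size: int, n_elements: int) -> float:
    """Entropy in bits of n_elements picked uniformly (with replacement) from list_size choices."""
    return n_elements * math.log2(list_size)


def dice_to_index(rolls: str) -> int:
    """Classic Diceware lookup: five rolls '11111'..'66666' map to word index 0..7775 (base 6)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("need exactly five dice rolls, digits 1-6")
    idx = 0
    for c in rolls:
        idx = idx * 6 + (int(c) - 1)
    return idx


def diceware_passphrase(wordlist: Sequence[str], n_words: int) -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def address_candidates(numbers: Iterable[int], streets: Sequence[str],
                       postcodes: Sequence[str]) -> Iterable[str]:
    """Every '<number><street><postcode>' the scheme can produce, in the order an attacker would try."""
    for n, street, pc in product(numbers, streets, postcodes):
        yield f"{n}{street}{pc}"


def crack_unsalted_sha1(target_hex: str, candidates: Iterable[str]) -> Tuple[Optional[str], int]:
    """Offline attack on a leaked unsalted SHA-1: returns (plaintext or None, guesses made)."""
    target = target_hex.lower()
    guesses = 0
    for cand in candidates:
        guesses += 1
        if sha1_hex(cand) == target:
            return cand, guesses
    return None, guesses


# ---- Constructed inputs (toy sizes) ----
STREETS = ["MainStreet", "OakAvenue", "ParkRoad", "ElmStreet", "FirstAvenue"]
POSTCODES = ["T6y7l9", "M5v3l9", "V6b1a1", "K1a0b1"]
NUMBERS = range(1, 1000)
# Tiny stand-in for the 7,776-word EFF/Diceware list.
WORDS = ["correct", "horse", "battery", "staple", "amber", "cactus", "drift", "ember"]


def compare_schemes() -> Dict[str, float]:
    """Bits of search space for the schemes discussed above, using the thread's list-size estimates."""
    return {
        "address (1.2M) x ZIP (42k)": search_space_bits(1_200_000 * 42_000, 1),
        "2 words from 10,000": search_space_bits(10_000, 2),
        "3 words from 1,000": search_space_bits(1_000, 3),
        "4 diceware words (7,776)": search_space_bits(7776, 4),
        "6 diceware words (7,776)": search_space_bits(7776, 6),
    }


if __name__ == "__main__":
    leaked = sha1_hex("200MainStreetT6y7l9")  # the stated-non-real example from the thread
    print(crack_unsalted_sha1(leaked, address_candidates(NUMBERS, STREETS, POSTCODES)))
    for name, bits in compare_schemes().items():
        print(f"{bits:5.1f} bits  {name}")
    print(diceware_passphrase(WORDS, 6), "(toy list; use the full EFF list for real)")
```

The toy lists crack the example in a few thousand guesses; with real street and postcode data the candidate generator is the only part that grows, and at the millions of SHA-1 guesses per second quoted above that growth does not save the scheme. The bit counts show the other half of the argument: three words from a thousand-word list beat two words from a ten-thousand-word list, and four Diceware words beat the entire address-times-ZIP space.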


> up until a few years ago, and still in some places today (shame! shame!), you weren't allowed to use arbitrarily-long passphrases

Yeah, this. My banks and credit cards had different, restrictive rules about what was acceptable and how long passwords could be. But Citibank took the cake - when I was trying to change my password, it ran the *old* password against their *new* rules, deemed it not good enough, and prevented me from applying the change. I finally had to go through a "I have forgotten my password" process to change it.

In general though, my philosophy for things like my ancient Zazzle account (last item on my tracked passwords list) is, have at it.
posted by RedOrGreen at 3:29 PM on February 6, 2019



