Having faith in the security of the hash that has been leaked was always a ticking clock. Better to just rotate any password you know to have been compromised.
Those hashes comes from leaked plain text passwords lists originally. They were already released in plain text. The hashing of Have I been Pwned are just a way to not release even further those passwords (to newcomers, hobbysts and general public), but the hacking community was already using them in dictionary attacks.
Because of the way HIPB works the salt would need to be both constant and known by the client which makes it rather useless as a salt. It only would stop rainbow tables, but that's not the issue here.
> Brute force attack on an account with known email address
Yup. These days I get a ton of break-in attempts for random accounts. My Epic Games account is disabled weekly due to failed login attempts from random actors.
> My Epic Games account is disabled weekly due to failed login attempts from random actors.
Everyone has this (source: some thread on Reddit with a bunch of "me too" answers). It's a bug with their system and I don't think they know about it/care/(?)
There is always this 1.4 billion plaintext email:password compilation magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337
Totally unrelated, but something I've been wondering for a while. Isn't the whole point of magnet links that they use a distributed hash table (DHT)? Why do they need trackers appended to the URL? Is it strictly necessary, or does it just help in bootstrapping the DHT?
I always remove those when downloading torrents because I'm paranoid they're obvious markings of torrent traffic, more-so than DHT connections.
DHT isn't magic.. every peer builds a cache of other DHT peers over time, but for a new client it'll have no such cache, so falling back to trackers is still important. (IIRC older DHT clients also fell back to a hardcoded "bootstrap.bittorrent.org" or somesuch DNS name)
You might observe when trimming the tracker list off the URL that sometimes you can't find a peer, that's because you've never used the same client to contact what effectively amounts to a subnetwork that has no overlap with any previous subnetwork you leeched from in the past.
Especially if you're always fetching the same content (e.g. Game of Thrones episodes) it'll probably just work, but you may find it breaks when you suddenly decide to grab e.g. an old copy of OS/2 or similar, representing a set of BitTorrent users with entirely different interests.
I was puzzled about why would someone spend power cracking this, but apparently Troy was as well:
> One of the things that did surprise me a little in V1 was the effort some folks went to in order to crack the passwords. I was surprised primarily because the vast majority of those passwords were already available in the clear via the 2 combo lists I mentioned earlier anyway, so why bother? Just download the (easily discoverable) lists! The penny that later dropped was that it presented a challenge - and people like challenges!
Within a margin of error, zero people can remember 20 16-character random alphanumeric passwords. Therefore it is only possible using some sort of password manager, whether it be something like 1password or an old-fashioned notebook.
Nitpick nitpick nitpick: "margin of error" without any value effectively means "the following value has no meaning at all", as the margin of error is unspecified.
You need to specify your margin of error. ± the full population of humans on Earth is "a margin of error".
I may be an outlier, but I certainly remember 10+ 20-25 character random full-printable-ASCII passwords, some of which don't let a password manager handle them, others which I don't want to have in a manager. And then there's my password manager master password, which is close to 70 characters long.
And I have shitty memory—I wouldn't be able to remember what happened more than a few days ago if my life depended on it.
"Even something ridiculously weak like a SHA-1 hash isn't going to be cracked if the password is 16 characters long and completely random."
Uh, yea, about that - that's how we cracked 4chan Tripcodes. 16-character SHA-1 is dead in just a few seconds with a GPU and that was, what, a decade ago?
then why would that password tresor user win, after his credentials were leaked by a database breach -- before other select people that weren't compromised but abstained from said software.
Its generally incomprehensible to me why some people don't want to use password tresors -- its so much easier after all - but his argument was flawed.
I still think algorithmic passwords are safer. I could get access to all of your passwords via a simple keylogger to scrape your manager's master password. There's no way you can get at mine because the master password is the algorithm in my brain. You could try to get 2-3 of my existing passwords and reverse engineer my algorithm, but in the words of Liam Neeson: "Good luck"
Breaches can only be added to HIBP if Troy gets his hands on a copy of the data that was stolen.
Most of the passwords probably won't get added to the HIBP password list either, since only plaintext passwords ever end up on that list, and MyFitnessPal claims that most of the passwords in their database were hashed with Bcrypt. (So probably difficult to crack.)
Don't put your email into this unless there is a way to download the database for offline use. The reason is, if HIBP is compromised, the hackers will know that even if your email is not pwned, it is likely important and will try to brute force it or use it to build a larger profile if you, such as for other services.
59 comments
[ 3.3 ms ] story [ 117 ms ] threadYup. These days I get a ton of break-in attempts for random accounts. My Epic Games account is disabled weekly due to failed login attempts from random actors.
Use a password manager and 2fa folks!
Everyone has this (source: some thread on Reddit with a bunch of "me too" answers). It's a bug with their system and I don't think they know about it/care/(?)
Confident about that? It's certainly not the only service I get break in attempts on, fwiw
It looks like you can still sign in even if your account is "locked" which further adds to the theory that it is a bug.
Here are a few threads with a bunch of "me too"s. [0][1]
[0] https://www.epicgames.com/fortnite/forums/battle-royale/roya... [1] https://www.epicgames.com/fortnite/forums/battle-royale/roya...
The hashes are about not storing or giving out the passwords freely, more as a way to verify if your password is in there.
I always remove those when downloading torrents because I'm paranoid they're obvious markings of torrent traffic, more-so than DHT connections.
How would you as a peer connect to any other peers without some kind of seed?
What IPs do you connect to?
You might observe when trimming the tracker list off the URL that sometimes you can't find a peer, that's because you've never used the same client to contact what effectively amounts to a subnetwork that has no overlap with any previous subnetwork you leeched from in the past.
Especially if you're always fetching the same content (e.g. Game of Thrones episodes) it'll probably just work, but you may find it breaks when you suddenly decide to grab e.g. an old copy of OS/2 or similar, representing a set of BitTorrent users with entirely different interests.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...
> One of the things that did surprise me a little in V1 was the effort some folks went to in order to crack the passwords. I was surprised primarily because the vast majority of those passwords were already available in the clear via the 2 combo lists I mentioned earlier anyway, so why bother? Just download the (easily discoverable) lists! The penny that later dropped was that it presented a challenge - and people like challenges!
Last person standing gets a prize.
Even something ridiculously weak like a SHA-1 hash isn't going to be cracked if the password is 16 characters long and completely random.
- the passwords aren't stored in plaintext or any other compromised hashing mechanism
- you autogenerated your password
- your password manager does not get compromised
saying "it actually does" is a bit of absolutist stretch...
Nitpick: Zero does not have a magnitude, so "a margin of error" is not remotely well-defined here.
I may be an outlier, but I certainly remember 10+ 20-25 character random full-printable-ASCII passwords, some of which don't let a password manager handle them, others which I don't want to have in a manager. And then there's my password manager master password, which is close to 70 characters long.
And I have shitty memory—I wouldn't be able to remember what happened more than a few days ago if my life depended on it.
Uh, yea, about that - that's how we cracked 4chan Tripcodes. 16-character SHA-1 is dead in just a few seconds with a GPU and that was, what, a decade ago?
Its generally incomprehensible to me why some people don't want to use password tresors -- its so much easier after all - but his argument was flawed.
And more specifically: https://trezor.io/passwords/
Sorry for that mix up.
My 16 char fully randomized passwords will not be cracked, so I win, along with everyone else using a password manager?
Source: https://support.1password.com/membership-billing-policy/
> https://content.myfitnesspal.com/security-information/FAQ.ht...
Most of the passwords probably won't get added to the HIBP password list either, since only plaintext passwords ever end up on that list, and MyFitnessPal claims that most of the passwords in their database were hashed with Bcrypt. (So probably difficult to crack.)
https://hashes.org/torrent/hibp_plain.torrent