Thanks for that; I had ignored the Adobe leak, because why would I have created an Adobe account? Turns out I did at some point, so I guess I'm the goat there.
Often you need to create an account or somehow register your email at sites, just to get something very basic, like a free download, or use a feedback form.
I entered my address out of curiosity and it told me I had an Adobe account. I can't remember ever creating one so I tried the password reset process. Adobe tells me there doesn't exist an account under that address.
How is this possible? How did Adobe leak my address if I don't even have an account?
Passwords: I’m not storing them. Nada. Zip. I just don’t need them
and frankly, I don’t want the responsibility either. This is all
about raising awareness of the breadth of breaches.
I have a question...how big is the backend to this site? Its average response is about 100ms, which, to me, seems impressively fast considering the number of bulk records and the amount of concurrent traffic that such a site is getting. Besides the obvious indexing of the email field...anything special behind the curtains? Lots of machines? Something else besides a simple key lookup? Or am I just vastly overestimating how slowly a properly maintained DB will respond in such a situation?
Looking forward to it! The raising of awareness about security is alone pretty awe-inspiring, so the fact that I'm equally piqued by such technical details as the site's backend is really saying something about the impressiveness of the execution
They have a mobile site, and if you get the premium subscription ($12/year?) you can use their mobile apps - I use the iOS and Windows Phone apps and both are very smooth. (They also have Android and Blackberry).
Yup, works great, I've been using it for over a year. To login to banking on your phone, you first go to the Lastpass app, login to that, then copy the password to your bank, open their app, and paste the password in. Lastpass for Android also now has a notification that stays up while you're logged in, to remind yourself to log back out when you're done.
That's the way that it worked when I first started using it, but am I the only person using the full Lastpass browser these days? It's far more convenient than the old Authenticator -> Lastpass -> Browser authentication workflow that I had to use before the upgrade.
It’s a bummer to find my e-mail between the leaked Adobe accounts. Especially after the ordeal I had to go through to have my Adobe account “deleted” months ago:
You have requested that we deactivate your Adobe account. We have sent a request to the relevant team to process your request. Please note that you will lose access to Adobe services and support for which you have registered or paid for. You will not be able to obtain serial numbers for past purchases and the deactivation process may take up to ninety (90) days. Once completed, your adobe.com membership and all personal data will be deleted from our database.
Adobe, every single time I had anything to do with you it sucked. Big time.
The 120+ days thing with ebay is allegedly because they need to make sure any outstanding deals are closed and accounts settled.
Of course that is absolute bullshit, it took them 120+ days to close my account and I had not used it for over 4 years at that point. They actually emailed me telling me that they were closing the account due to inactivity. They gave me 3 or 4 months to log on before it would be killed, so I thought to myself "good, saves me the hassle of doing it myself". Fast forward 3-4 months and I get an email telling me my account was compromised. Weird... so I log on, confirm any payment info I had was long since expired, confirmed nothing had happened and that my password was intact... then I scrambled the security question and password just to be safe and told Ebay to delete the account. Cue "this will take 120+ days" bullshit... but whatever.
At nearly the end of that 120+ days I get emailed again telling me the account was compromised. I'm convinced this is a scam they run to trick you into logging into your account, thus resetting the the countdown.
Ebay and paypal are among my least trusted companies. I have a higher opinion of even Comcast or Halliburton.
Common tactic as far as I can tell, other companies do the same thing. eg: My Blizzard account that I can't sign in to because it's cancelled has somehow been 'compromised' multiple times.
I think my story pretty much echos yours; I'd stopped using paypal for a couple of years, and stopped using Ebay.
I cancelled and about three months later I was "compromised". At that point I reset the data to random values, deleted my "ebay@example.com" email alias, and just resigned myself to forgetting about it.
The Adobe leaks list is mostly made up of verified emails, so...
Coming to think of it, there has been some spam lately (though that hasn't happened in years now at gmail), and I wonder whether it's related to that Adobe leak.
On a risk / reward basis the benefit to checking here is actually pretty high.
I don't find any of several accounts I use on there, but did find a friend's email listed (and just notified him). I'd actually appreciate a way to query my mailing list in an automated fashion.
That's been the conventional wisdom for decades, but I don't actually think it's true. I wonder if anyone has done any tests.
The reply address for spam is almost certainly bogus. And I don't think it makes sense to target people who unsubscribe for more spam. They ain't likely to buy anything.
Secret, probably not. But in most cases I'm reasonably confident that each email address I use is currently only known by me, the one site I registered it with and the NSA.
I have a couple of email addresses that thanks to that address either having been sold, hacked or given away by including in the to/cc field of a mass mailing are now out in the public domain, and I get spam (and almost certainly malware attempts) on those two on a pretty regular basis. I'd prefer to not have the rest of my email addresses end up in the same situation.
If you wanted to collect likely-valid email addresses to sell to spammers, this would be a good way to go about it. I doubt they are, but can understand the suspicion.
I don't appreciate you stalking me and posting that here (just because it's accessible somewhere on the internet doesn't mean I want to make it more public), but as a matter of fact I wasn't talking about that email address in the first place.
This is an impressive service (the speed, especially)...collation of different data sources into one easily accessible form is a hugely useful and underrated service. That said...there's no such thing as better security without an equal tradeoff. Here, it's now much easier (especially with the site response speed) for a third party to look up email addresses, see who they've patronized, and aggregate them into a database of less noble intent.
To check if a given email address was an Adobe/Gawker/whatever customer, you would've not only had to query every separate form but you would also not be guaranteed to get a definitive response (because some services will be ambiguous to whether you got a password wrong or whether the account exists at all). With the OP's service, with positive hits, you not only get confirmation of patronage, but knowledge that they are vulnerable, even if in a small, outdated way.
It's likely something Troy has anticipated but didn't want to outright say...In the end, knowledge is better than ignorance, and the correct response is for more rapid response to hacked victims and better security awareness. But I also wonder if there's a way to provide the OP's service with more (beneficial) obfuscation?
Whoa, slow your roll buddy. This could be really easily done by preprocessing the data and creating simple objects in redis. One object = email, sub objects of email could just be flags for the service it's on.
It's not the processing that's the bottleneck, it's the gathering and the initiative to do that gathering which is rare. For example, criminal records and notices have always been collectable and, once collectable, searchable. But the incidence of "a prospective employer googled me and found a 5 year old article of me publicly urinating in college" became more of an issue in the age of Google.
This isn't an indictment of Troy at all, just an observation (and I'm also just curious about what mitigation could be done, if any, that wouldn't severely inconvenience the end user). The security that exposed people had was security through obscurity, which is in the end, not enough security.
I disagree with your thesis; anyone with malicious intent can be assumed to already have their own copy. Even the Adobe dump is under 4gb compressed - a trivial amount of storage.
Additionally, there is a huge long tail of publicly available user databases that are not included in this site, which along with the lack of hashes makes it worthless for the purpose you envision.
It's also extremely easy to tell if an email is registered on a website if you aren't concerned about the victim being notified. You just need to attempt to either reset the password (it'll say whether the email exists) or register a new account with their email.
Troy Hunt has been blogging about this for a while. Troy is a good guy who blogs extensively on security matters. I don't see any risk in putting your details in here.
His recent posts on pwning peoples phones and tablets while they were at his conference talk are pretty amusing. Shows just how insecure things really are.
If the website is important (ex. government), I use <sitename><4_numbers>@<private_domain>. My filtering rules are extremely strict, and every mail that doesn't come from the expected website gets automatically flagged as spam and deleted. If their DB leaks, I just change the 4 numbers.
If I know the website and it's not an startup, I use <sitename>@<public_domain>, ex. facebook@example.com. My filtering rules only flag the messages as "maybe spam" when the sender is not in my contacts. If their DB leaks, I change the filter from "maybe spam" to "spam".
If it's a website I don't know, or a startup, I use <full_domain>@<publc_domain>, ex. mystartup.io@example.com. I don't filter them, but if I start getting spam, I just simply set the email as an alias to my wormhole (an account I never check that flags anything it receives as spam).
If it's a spam blog, or a website that forces me to create an account by no apparent reason, I just use the wormhole address.
That seems like a lot of overhead to manage. Also, you're going to have a bad day if a spam bot decides to spam thousands of <common_user_name>@yourdomain.com. Maybe that's fallen out of practice, but I've seen it happen before.
Not really, in this year I had changed only 1 filter, the initial setup may be cumbersome, but the end result is worth the effort.
And about the spam to random addresses, in 8 years the most extreme problem I had faced is spam to censored addresses like git...@domain.com (thanks google code).
That's actually a very unadvisable scheme. By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks). If you have your own domain (which I assume you do based on your scheme), I suggest not doing this. You would be better off coming up with a random account name for each and using a password manager to keep track of these.
FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had his computer remotely wiped because he used his name in every domain/service as his account name or email account name.
the downside is that using random accounts on your domain requires a catch-all email rules on your server (unless you add each address by hand, but frankly that's too much of a hassle)
I never use a catch-all. Deleting email would quickly exceed available time.
I go through the trouble of creating a new email each time. I've considered writing a script to make it easier, but my current mail provider makes that difficult.
>By doing this you make yourself a target. If any one of those are compromised, attackers will attempt to try that against a lot of popular sites (including banks).
And if you use the same email for everything (as is the alternative), attackers can attempt to try that against popular sites. So I don't see the downside of this method?
The real key is to not use the same email address across accounts. If you have your own domain, then it's easy.
I actually don't like the idea of using email addresses as user IDs. I believe that was a lazy approach in the first place and this causes too many problems. I'm sure it all started that way because someone wanted your contact info, and since the only way to guarantee a valid email was to make you verify it. It has nothing to do with security.
Nobody said security was easy or convenient.
Anyway, to each his own. I have my own domains and do, unfortunately, have about 100 email addresses/aliases. Yeah, it can be inconvenient to maintain. I originally started using the aliases because I wanted to know who was giving out my email to spammers. I caught a few and stopped doing business with them.
The key motivation is not security, but if any account starts receiving spam, I will have a good idea where it is coming from. It also lets me shut off mail from any source.
Some services will use that as the username, others allow me to pick my own. Using a password manager helps this whole scheme. Now that I do that, I could go to random email addresses and usernames.
The only problem I've found with this method is the spammers that try to guess your email, so they end up sending emails to "admin@domain.com", "webmaster@domain.com", etc. The catch-all forwards them all to me.
The only way around this, I think, is to only have uncommon emails, like instead of admin@domain.com, use contactadmin@domain.com. Put a block on the common ones and you're good to go.
It's not that spammers try to guess your email, but that if you accept any email address as valid they'll notice that you are accepting delivery.
Once i figured this out i just created wildcard aliases that end with a static prefix: netflix-blah@example.com, adobe-blah@example.com, etc. This cuts down on 99% of the random spam.
If someone is directly targeting you, then yes it's an issue (but even so, it's less of an issue than using exactly the same email address for all of your accounts).
In a mass compromise like the Adobe one, it's highly unlikely that the hackers are going to go out of their way to attack people who use this method when there's millions of much easier targets already in their list.
Using this approach also makes it a lot easier to spot spam - if I get an email to "hackernews@myaccount.com" claiming to be from my bank, it's highly unlikely to be genuine. If it's coming to "mybank@myaccount.com", there's at least a fair chance that it's real - I still treat it with a fair amount of caution, but as I've filtered out the obvious junk I can spend more time checking out these reasonably genuine-lookuing one. Using a random email like hhj4378@myaccount.com would make this quick filtering a lot harder.
Is it possible to apply the same hash function to a string as it’s done in the users database of the Adobe breach? I think it is 3DES. I’ve been able to obtain my (hashed) credentials, but as it seems my account is deactivated at adobe.com (probably due to inactivity?), so I’m not able to test which password I used. :(
Shit. Looks like I got caught up in the adobe breach. Let this be a lesson to all engineers in charge of such situations to implement strong security. You are partially responsible for these disasters.
I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my Paypal account, presumably with credentials scraped from adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I did a change to the strongest password I've assigned anything yet.
Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.
I woke up this Thanksgiving with a bunch of email notifications from Paypal that my account had been hacked and taken over. I (also shame on me) tend to reuse some of my passwords, and figured someone got into my Paypal account using my adobe credentials, not even being sure if I had created an account with adobe for anything in the past.
I checked my email address on this site and it didn't find any pwnage.
I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...
If you reuse passwords, separate throw-away accounts (like Adobe or pretty much anything that's not your email, your bank or PayPal), from the important stuff.
Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.
Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.
This should be a lesson not to manage your own passwords, use a password manager there are many to choose from. I was also caught up in the Adobe breach but my password was randomly generated by my password manager.
I wouldn't want to use a webservice to look at my passwords. I want to open my password safe locally. Less likely to be snooped upon (though still possible, obviously).
I carry a little piece of paper in my wallet that has my private key further encrypted by myself, and that encrypted key is used to decrypt other passwords through a private web/mobile app I made. The top encryption key I have is just some sort of simple algebraic mumbo jumbo formula I used to scramble my private key just a bit, and I change it up once in awhile, and have that written down. What's in my memory is how I jumbled it.
I use a yubikey that outputs half of the password used to unlock my keypass database, the other half is in my head (so even if they steal my yubi they can't do much).
The database is backed on my own owncloud which is hosted on my own vps and replicated on other 3-4 servers (all mine). My little personal cloud setup.
Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.
Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".
(I store "sensitive stuff" on AWS/DigitalOcean/other-vps-providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the vps. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Passwords datafile encryption enough to take advantage of the iOS/MacOSX sync features they've implemented over Dropbox. That's possibly not achoice I'd make i I thought I were a target of someone like the NSA.)
For some logins, the answer is "Sorry Dave, I can't do that." If I don't have the private cert, or the ssh cert, or the right hole in the firewall - there are many thing I've chosen intentionally to not be able to log in to using someone else's computer.
For lesser security critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate level logins, I need my phone or iPad anyway, I've got TOTP two favor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, Guthub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)
Private SSL/TLS certs, ssh keys, and 1Password database are all stored on encrypted fiesystems (EncFS) and synced across four machines (two at work, one at home, and my laptop) using Dropbox (which is another off-site copy, and has revision archives) and/or BTSync. Those four copies are all OS X Time Machine backed up (and revision archived) - and two of those Time Machine backups are rsynced nightly to separate drives in opposite locations - so all up (not couning Dropbox) I've got copies on 10 separate spindles in two physical locations, two of them in a locked filing cabinet (the work time machine and rsync disks).
I've had a "primary computer" stolen before – and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work-mode in half a day and one maxed-out-creditcard at the local Apple store. (If someone hits both my work and home locations simultanously, I suspect I've got bigger problems that whether I'll have angry clients shouting at me before the weekend…)
My first question would be "how often does that really happen?". It's a legitimate concern at first sight, but for me, I pretty much never need to do that since I always have my phone with me.
But if I do need to, I have 1Password on my phone as well and can get the passwords from it.
I have the encrypted password file on a usb thumb drive. I remember the master password. I view as fatally flawed any password store that uploads the encrypted password file to a remote server.
I second this. I've been using it for a few years now. It gives me great peace of mind knowing that my password on a site like HN is something like "e5wLoMB1kZ". I only have to remember a few passwords and yet each site has a unique password.
Even in the event a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.
However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.
Yeah, I did not hear about pwdhash and it sounds like a nice idea.
One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.
Imagine an attack where for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "Hashed" (pwdhash) passwords for each site and compile that info into a big list. This can then be added to the candidate list of password that can be tried in cracking leaked hashes.
The take way here is that even though pwdhash gives you domain-specific generated passwords, you will make to sure that you use a different site password as input to pwdhash for each site.
That is an extremely bad idea. Any site you use can put the following JavaScript in their site to obtain your master password next time you use the bookmarklet:
I like https://oneshallpass.com/ better since it lets you change some attributes about the passwords generated. So if a site is compromised you can just increment the generation field and get a totally new hash.
pwdhash uses a weak hashing mechanism, making it possible to brute-force master passwords. It is OK to use, but make sure that you have a cryptographically strong master password.
Well until the recent 4.x / 3.x screwup [1] that 1Password did it has been quite useful (and like you, my 16 character password at Adobe, even if guessed, would not be useful anywhere else)
[1] My 3.x was upgraded to 4.x on my Macbook (unbidden) and the only way to restore compatability with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the Macbook, not particularly happy about the upgrade fee on iOS.
Crap, looks like my wife's email was caught up in the Adobe breach. I think she created an account for reading ebooks with Adobe DRM downloaded from our library.
Consider this a heads up for married HN'ers, you should check their emails too.
In Australia, both my wife and I got mailed out letters from Adobe regarding our accounts being potentially compromised. Did that happen elsewhere as well?
Then use a local storage one, like password-safe (Win & Mac. password-gorilla for Linux). Combine that with spideroak, dropbox, google drive or whatever file syncing utility you want.
printf "/" ; openssl rand -base64 32 | sed 's/.$//'
The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.
Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.
Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.
After the Macrumors breach (I had only signed up about 2 weeks before it happened), I decided it was time to make all my passwords unique and to use a credentials manager like 1Password. I too shared the same password for multiple sites/services (shame on me too).
My wife was on the Adobe list, the same credit card she used at Adobe was charged from Amazon or paypal ( I can't remember which ) couple of weeks after the leak. She called the bank they closed it right away and took the charges off the card.
It was lucky in a sense that if adobe required complex passwords more important password would have been leaked. It was also lucky in a sense that adobe itself got hacked instead of entity that has one of my more sophisticated and thus valuable passwords.
I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)
I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak japanese) at one point which prompted me to call their support and figure all of this out.
But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.
Same here. I used my throw-away email to sign up at Adobe, along with my weak throw-away password. I don't have any Adobe licenses or such. The only Adobe product I use is the Flash plugin.
The email account is on Hotmail and currently has about 54k messages in its in-box, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into is to respond to password confirmation requests generated during account creations.
Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.
Anyone know what adobe's password requirements were? I don't know which password I used there: Adobe forced me to change it without letting me test the old one.
You can just torrent users.tar.gz (the leaked list of encrypted passwords) and then grep the file for your email address, which will give you the encrypted version of your password.
For the Adobe breach specifically, you might try the site set up by Last Pass, which checks your email against the breached data: https://lastpass.com/adobe/
The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.
P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.
One of my addresses was also in the Adobe breach. No idea what password I used there, but I'm fairly sure it must have been either my common "junk" password, shared with tons of forums, but nothing that poses any serious risk to me (just to those forums). Or if they had stricter requirements, some variation on it that I always forget, so I have to ask them for a new password every time anyway.
I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.
But those forums? I'm just not going to keep track of a new password for every site I visit.
If you're using a forum, outré in front of a computer. Keeping track of things is one of the things computers are _best_ at. Get yourself a password manager. I use 1Password, but I hear good things about KeyPass and LastPass too.
Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)
Get a tool to help, computers are wonderful tools.
I've got KeePass, but I haven't used it remotely as long as I've used many websites. Also, I don't have my KeePass DB in Dropbox, so I can't access it from other computers.
More than that, I'd rather not put my KeePass DB on someone else's machine in the first place. But I'll easily trust strange computers with a password for some crappy forum.
There's always something you risk compromising. I prefer some forum account to be compromised.
They were encrypted, but with no variation between the hashes for per email. https://lastpass.com/adobe/ will show you the password hints associated with the (in my case) 200 people with the same (hashed) password. The clues would be sufficient to guess the password.
I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).
I much prefer using the program `pwgen`. It's installed on all my Linux boxes and it's available from Cygwin too, and it generates a 'pronounceable' password, which makes it a lot easier to remember and also much easier to copy.
There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
Fuck me. Ditto. The reason I checked? I unknowingly, until today, had a domain name transferred away from me -- or rather, ownership changed, for a domain I bought years ago for $3,000. Email address used for that domain in Adobe breach.
I knew I was, but I was delighted by what Dreamhost did: they have cross-checked their users' e-mails with the Adobe leaked database and sent a message [1] to affected users explaining the situation and advising to change the passowrd, reminding to not re-use passwords and suggesting password vaults.
I think it's a great thing to do by third-parties when leaks of this magnitude happen.
Have fun closing your account by the way, I went through that fiasco recently. I regularly run the LastPass security challenge and an old email of mine was in the Adobe breach too.
49 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you.
..5 mins..
48 customers are in line ahead of you. ARG!
293 comments
[ 1.9 ms ] story [ 291 ms ] thread* https://lastpass.com/adobe/
* https://lastpass.com/linkedin/
* https://lastpass.com/lastfm/
* https://lastpass.com/eharmony/
This demonstrates nicely why that's a bad idea.
How is this possible? How did Adobe leak my address if I don't even have an account?
http://blog.lastpass.com/2012/01/new-years-resolutions-with-...
The LastPass checker is really nice. Whats scary is that it found a few other people that had the same password as me.
For the Adobe breach, LastPass also emails you a sample of the password hints of others -- its kind of funny how people remember a certain string.
http://www.bbc.co.uk/news/technology-25213846
[1] http://www.troyhunt.com/2013/12/introducing-have-i-been-pwne...
I'm writing up how the back end is done and will post it in the next day or two, IMHO it's massively impressive but also very easy :)
Does lastpass work great for checking banking on cellphones and other logins that would require a cut and paste on a desktop?
http://www.yubico.com/products/yubikey-hardware/yubikey-neo/
You have requested that we deactivate your Adobe account. We have sent a request to the relevant team to process your request. Please note that you will lose access to Adobe services and support for which you have registered or paid for. You will not be able to obtain serial numbers for past purchases and the deactivation process may take up to ninety (90) days. Once completed, your adobe.com membership and all personal data will be deleted from our database.
Adobe, every single time I had anything to do with you it sucked. Big time.
Of course that is absolute bullshit, it took them 120+ days to close my account and I had not used it for over 4 years at that point. They actually emailed me telling me that they were closing the account due to inactivity. They gave me 3 or 4 months to log on before it would be killed, so I thought to myself "good, saves me the hassle of doing it myself". Fast forward 3-4 months and I get an email telling me my account was compromised. Weird... so I log on, confirm any payment info I had was long since expired, confirmed nothing had happened and that my password was intact... then I scrambled the security question and password just to be safe and told Ebay to delete the account. Cue "this will take 120+ days" bullshit... but whatever.
At nearly the end of that 120+ days I get emailed again telling me the account was compromised. I'm convinced this is a scam they run to trick you into logging into your account, thus resetting the the countdown.
Ebay and paypal are among my least trusted companies. I have a higher opinion of even Comcast or Halliburton.
I cancelled and about three months later I was "compromised". At that point I reset the data to random values, deleted my "ebay@example.com" email alias, and just resigned myself to forgetting about it.
Coming to think of it, there has been some spam lately (though that hasn't happened in years now at gmail), and I wonder whether it's related to that Adobe leak.
I don't find any of several accounts I use on there, but did find a friend's email listed (and just notified him). I'd actually appreciate a way to query my mailing list in an automated fashion.
The reply address for spam is almost certainly bogus. And I don't think it makes sense to target people who unsubscribe for more spam. They ain't likely to buy anything.
I have a couple of email addresses that thanks to that address either having been sold, hacked or given away by including in the to/cc field of a mass mailing are now out in the public domain, and I get spam (and almost certainly malware attempts) on those two on a pretty regular basis. I'd prefer to not have the rest of my email addresses end up in the same situation.
http://tools.ietf.org/html/rfc6761
To check if a given email address was an Adobe/Gawker/whatever customer, you would've not only had to query every separate form but you would also not be guaranteed to get a definitive response (because some services will be ambiguous to whether you got a password wrong or whether the account exists at all). With the OP's service, with positive hits, you not only get confirmation of patronage, but knowledge that they are vulnerable, even if in a small, outdated way.
It's likely something Troy has anticipated but didn't want to outright say...In the end, knowledge is better than ignorance, and the correct response is for more rapid response to hacked victims and better security awareness. But I also wonder if there's a way to provide the OP's service with more (beneficial) obfuscation?
This isn't an indictment of Troy at all, just an observation (and I'm also just curious about what mitigation could be done, if any, that wouldn't severely inconvenience the end user). The security that exposed people had was security through obscurity, which is in the end, not enough security.
Additionally, there is a huge long tail of publicly available user databases that are not included in this site, which along with the lack of hashes makes it worthless for the purpose you envision.
It's also extremely easy to tell if an email is registered on a website if you aren't concerned about the victim being notified. You just need to attempt to either reset the password (it'll say whether the email exists) or register a new account with their email.
I didn't even know I had an Adobe account, I don't use any Adobe products.
http://www.troyhunt.com/ http://www.intodns.com/haveibeenpwned.com (forwarded from haveibeenpwned.azurewebsites.net) http://www.whois.com/whois/haveibeenpwned.com
Seems legit.
His recent posts on pwning peoples phones and tablets while they were at his conference talk are pretty amusing. Shows just how insecure things really are.
EG: twitter@example.com, facebook@example.com, hackernews@example.com
It also makes it a little harder for people to find me on social media. Not sure if that's a bug or a feature ;)
I follow the following pattern with websites:
If the website is important (ex. government), I use <sitename><4_numbers>@<private_domain>. My filtering rules are extremely strict, and every mail that doesn't come from the expected website gets automatically flagged as spam and deleted. If their DB leaks, I just change the 4 numbers.
If I know the website and it's not an startup, I use <sitename>@<public_domain>, ex. facebook@example.com. My filtering rules only flag the messages as "maybe spam" when the sender is not in my contacts. If their DB leaks, I change the filter from "maybe spam" to "spam".
If it's a website I don't know, or a startup, I use <full_domain>@<publc_domain>, ex. mystartup.io@example.com. I don't filter them, but if I start getting spam, I just simply set the email as an alias to my wormhole (an account I never check that flags anything it receives as spam).
If it's a spam blog, or a website that forces me to create an account by no apparent reason, I just use the wormhole address.
And about the spam to random addresses, in 8 years the most extreme problem I had faced is spam to censored addresses like git...@domain.com (thanks google code).
I wish there was a Gmail like application that anyone could set up easily on its server and that would allow for : quick email generation.
You need to sign up to something ? Generate a quick mail that redirects automatically to your main inbox and that you can give away when signing up.
If you see that spam is arriving on this email, remove it.
* it's easy to get the real email address from it.
* most sign up form don't accept the "+" sign.
FYI, I used to do this too. And this is how (in a similar fashion) Mat Honan got Gizmodo's Twitter and his iCloud and Gmail accounts hacked and also had his computer remotely wiped because he used his name in every domain/service as his account name or email account name.
Edited for more information.
I go through the trouble of creating a new email each time. I've considered writing a script to make it easier, but my current mail provider makes that difficult.
And if you use the same email for everything (as is the alternative), attackers can attempt to try that against popular sites. So I don't see the downside of this method?
I actually don't like the idea of using email addresses as user IDs. I believe that was a lazy approach in the first place and this causes too many problems. I'm sure it all started that way because someone wanted your contact info, and since the only way to guarantee a valid email was to make you verify it. It has nothing to do with security.
Nobody said security was easy or convenient.
Anyway, to each his own. I have my own domains and do, unfortunately, have about 100 email addresses/aliases. Yeah, it can be inconvenient to maintain. I originally started using the aliases because I wanted to know who was giving out my email to spammers. I caught a few and stopped doing business with them.
Some services will use that as the username, others allow me to pick my own. Using a password manager helps this whole scheme. Now that I do that, I could go to random email addresses and usernames.
The only way around this, I think, is to only have uncommon emails, like instead of admin@domain.com, use contactadmin@domain.com. Put a block on the common ones and you're good to go.
[1] - http://www.ietf.org/rfc/rfc2142.txt
Spammers effectively killed that RFC.
Once i figured this out i just created wildcard aliases that end with a static prefix: netflix-blah@example.com, adobe-blah@example.com, etc. This cuts down on 99% of the random spam.
In a mass compromise like the Adobe one, it's highly unlikely that the hackers are going to go out of their way to attack people who use this method when there's millions of much easier targets already in their list.
Using this approach also makes it a lot easier to spot spam - if I get an email to "hackernews@myaccount.com" claiming to be from my bank, it's highly unlikely to be genuine. If it's coming to "mybank@myaccount.com", there's at least a fair chance that it's real - I still treat it with a fair amount of caution, but as I've filtered out the obvious junk I can spend more time checking out these reasonably genuine-lookuing one. Using a random email like hhj4378@myaccount.com would make this quick filtering a lot harder.
Cool hack btw! The only thing missing is a "What to do" link which could be more useful for folks who are not so technically savy.
[0] https://shouldichangemypassword.com/
http://nakedsecurity.sophos.com/2013/11/04/anatomy-of-a-pass...
It would be irresponsible for anybody to share the key, it would reveal all the passwords.
I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my Paypal account, presumably with credentials scraped from adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I did a change to the strongest password I've assigned anything yet.
Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.
I checked my email address on this site and it didn't find any pwnage.
I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...
Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.
Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.
Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.
Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".
(I store "sensitive stuff" on AWS/DigitalOcean/other-vps-providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the vps. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Passwords datafile encryption enough to take advantage of the iOS/MacOSX sync features they've implemented over Dropbox. That's possibly not achoice I'd make i I thought I were a target of someone like the NSA.)
For lesser security critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate level logins, I need my phone or iPad anyway, I've got TOTP two favor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, Guthub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)
I've had a "primary computer" stolen before – and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work-mode in half a day and one maxed-out-creditcard at the local Apple store. (If someone hits both my work and home locations simultanously, I suspect I've got bigger problems that whether I'll have angry clients shouting at me before the weekend…)
But if I do need to, I have 1Password on my phone as well and can get the passwords from it.
But I would not really be comfortable using it on an unknown computer, unless I had good knowledge that it was properly administered.
Convenience provided via Chrome/Firefox extensions, portability provided by the website.
Even in the event a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.
However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.
One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.
Imagine an attack where for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "Hashed" (pwdhash) passwords for each site and compile that info into a big list. This can then be added to the candidate list of password that can be tried in cracking leaked hashes.
The take way here is that even though pwdhash gives you domain-specific generated passwords, you will make to sure that you use a different site password as input to pwdhash for each site.
document.documentElement.addEventListener("DOMSubtreeModified", function() {$("#gp2_master").change(function() {location.href = "http://example.org/leak/" + $("#gp2_master").val()})})
They don't seem to mention anywhere which hashing algorithm they use. Also, the lengths are quite small. Any idea why?
[1] My 3.x was upgraded to 4.x on my Macbook (unbidden) and the only way to restore compatability with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the Macbook, not particularly happy about the upgrade fee on iOS.
Consider this a heads up for married HN'ers, you should check their emails too.
Imagine how much that wallet could be worth... How much bribe does the weakest 1Password engineer need?
printf "/" ; openssl rand -base64 32 | sed 's/.$//'
The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.
Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.
Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.
edit more guff.
But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.
The email account is on Hotmail and currently has about 54k messages in its in-box, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into is to respond to password confirmation requests generated during account creations.
Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.
The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.
P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.
I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.
But those forums? I'm just not going to keep track of a new password for every site I visit.
Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)
Get a tool to help, computers are wonderful tools.
More than that, I'd rather not put my KeePass DB on someone else's machine in the first place. But I'll easily trust strange computers with a password for some crappy forum.
There's always something you risk compromising. I prefer some forum account to be compromised.
I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).
#!/bin/bash if [ $1 ] ; then a=$1 else a=16 fi dd if=/dev/urandom bs=1000 count=1 2>/dev/null | tr -d -c "[:alnum:]" | tr -d '`' | tr -d "'" | tr -d '"' | tr -d '\\' | head -c $a echo
I essentially use the following:
There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
I knew I was, but I was delighted by what Dreamhost did: they have cross-checked their users' e-mails with the Adobe leaked database and sent a message [1] to affected users explaining the situation and advising to change the passowrd, reminding to not re-use passwords and suggesting password vaults.
I think it's a great thing to do by third-parties when leaks of this magnitude happen.
[1] Full text: http://pastebin.com/2AkU0v98
49 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ARG!
Looks like no.
"Have I been pwned?" is by Troy Hunt http://www.troyhunt.com/
The OP's bio indicates that they are someone else. https://news.ycombinator.com/user?id=mountaineer