
RockYou2021: largest password compilation of all time leaked online with 8.4 billion entries

1 hour ago, AndreiArgeanu said:

And there's absolutely no indication of where these passwords came from or how legitimate they are. Not to mention that there is absolutely nothing connecting those passwords to anything, like an email, or a name, or an account name from the looks of it. Not to mention that there are repeats.

It's interesting. Over the weekend I received an alert on my iPhone that cached credentials have been found to have been compromised online. Apple never states the source, other than to change your passwords.

 

I've had a number of them show up, and they were all randomly generated complex passwords. No way they got leaked through malware or phishing. The sites that I know the passwords were used with were for things like toll tags and energy utility providers with very shoddy web UI front-ends. They say you can't judge a book by its cover, but if the site was that badly designed, I can only imagine how (un)secure the backend was. It probably got hacked with SQL injection or some other exploit that scraped my credentials.

 

...would also explain fraudulent charges on my CC in the distant past as they're used for auto-payment. 🤨


55 minutes ago, WolframaticAlpha said:

laughs in emacs

Oh, you're "one of those" types 😄

 

On Linux I actually prefer Vi/Vim, though I tend to stick with Nano because it's included with almost everything.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


*deleted double post*

 

Forum spazzed out as I hit submit?



2 hours ago, StDragon said:

This is why it's important to use unique passwords; and this is where a password manager with 2FA/MFA comes in handy. And yes, you should enable multiple recovery options as cell numbers have been known to be hijacked (social engineering) too for SMS recovery.

 

Good luck with that. 

 

We're at a point where people just ignore this advice because it's such a huge pain in the ass. My banking stuff alone is half a dozen passwords, and if I had to change those every month, I would just reset the password every time I needed to login rather than write one down.

 

See the problem? The password is not the weakness, the reset functionality is.

 


21 minutes ago, Kisai said:

Good luck with that. 

 

We're at a point where people just ignore this advice because it's such a huge pain in the ass. My banking stuff alone is half a dozen passwords, and if I had to change those every month, I would just reset the password every time I needed to login rather than write one down.

 

See the problem? The password is not the weakness, the reset functionality is.

 

Yes, even Microsoft has done a 180 on this too. It used to be that O365 accounts had password expiration as the default policy; now it's the exact opposite, they're set to never expire.

 

Per Microsoft's password policy recommendations and the FTC.

 

"Password expiration requirements do more harm than good, because these requirements make users select predictable passwords, composed of sequential words and numbers which are closely related to each other. In these cases, the next password can be predicted based on the previous password. Password expiration requirements offer no containment benefits because cyber criminals almost always use credentials as soon as they compromise them." -Microsoft


2 hours ago, SlidewaysZ said:

Yeah it's old stuff but a good reminder to do another password reset. Honestly though 2fa is better IMHO than trying to keep your passwords from being breached. I have a physical 2fa USB key that I use for my stuff. 

What do you do when you can't use the USB (like on a phone)?

MSI GX660 + i7 920XM @ 2.8GHz + GTX 970M + Samsung SSD 830 256GB


2 minutes ago, Neftex said:

What do you do when you can't use the USB (like on a phone)?

2FA cuts both ways. It's secure, but if you lose access to the device, you're also locked out.

This is why you should have a MFA backup recovery option and plan accordingly.


Ever since a few years ago, when yet another hack happened and my passwords leaked... I switched to using unique passwords for every single service, with KeePass. None are the same. So assuming any of mine are in there, it will at least be very easy to change it.

CPU: AMD Ryzen 3700x / GPU: Asus Radeon RX 6750XT OC 12GB / RAM: Corsair Vengeance LPX 2x8GB DDR4-3200
MOBO: MSI B450m Gaming Plus / NVME: Corsair MP510 240GB / Case: TT Core v21 / PSU: Seasonic 750W / OS: Win 10 Pro


I am soooo glad I switched to LastPass with unique 16+ character passwords for all my accounts in combination with Yubico's physical 2FA keys.

 

While it sometimes makes logging in a little complicated, I definitely sleep better at night 😄

 

Gaming HTPC:

R5 5600X - Cryorig C7 - Asus ROG B350-i - EVGA RTX2060KO - 16gb G.Skill Ripjaws V 3333mhz - Corsair SF450 - 500gb 960 EVO - LianLi TU100B


Desktop PC:
R9 3900X - Peerless Assassin 120 SE - Asus Prime X570 Pro - Powercolor 7900XT - 32gb LPX 3200mhz - Corsair SF750 Platinum - 1TB WD SN850X - CoolerMaster NR200 White - Gigabyte M27Q-SA - Corsair K70 Rapidfire - Logitech MX518 Legendary - HyperXCloud Alpha wireless


Boss-NAS [Build Log]:
R5 2400G - Noctua NH-D14 - Asus Prime X370-Pro - 16gb G.Skill Aegis 3000mhz - Seasonic Focus Platinum 550W - Fractal Design R5 - 
250gb 970 Evo (OS) - 2x500gb 860 Evo (Raid0) - 6x4TB WD Red (RaidZ2)

Synology-NAS:
DS920+
2x4TB Ironwolf - 1x18TB Seagate Exos X20

 

Audio Gear:

Hifiman HE-400i - Kennerton Magister - Beyerdynamic DT880 250Ohm - AKG K7XX - Fostex TH-X00 - O2 Amp/DAC Combo - 
Klipsch RP280F - Klipsch RP160M - Klipsch RP440C - Yamaha RX-V479

 

Reviews and Stuff:

GTX 780 DCU2 // 8600GTS // Hifiman HE-400i // Kennerton Magister
Folding all the Proteins! // Boincerino

Useful Links:
Do you need an AMP/DAC? // Recommended Audio Gear // PSU Tier List 


12 year old passwords or a file containing passwords that is still updated but has been in use for 12 years?

Not a pro, not even very good.  I’m just old and have time currently.  Assuming I know a lot about computers can be a mistake.

 

Life is like a bowl of chocolates: there are all these little crinkly paper cups everywhere.


2 hours ago, FloRolf said:

I am soooo glad I switched to LastPass with unique 16+ character passwords for all my accounts in combination with Yubico's physical 2FA keys.

 

While it sometimes makes logging in a little complicated, I definitely sleep better at night 😄

 

My preferred mechanism is typing in your username/email address and then either

a) an authentication app (not the site's app) prompts you with either a single-use password or "yes this is me" prompt

b) you enter your username/password and you get an email if it comes from a device/browser other than the last one you used.

 

Like, I hate how some sites (e.g. Kickstarter) make it so incredibly hard to stay logged in that I just stop bothering and wait for email updates.

 

Here is what I would like to see happen on the greater grand scheme of things:

- No more passwords. Register your account with one of (several) authentication providers. That third party pings your phone, second device or encrypted usb key, and you have to respond within 15 seconds. If you actually were trying to login, it wouldn't even take you that long to hit "yep, that's me"

- No more usernames. Let's be honest, the reuse of usernames is probably the entire reason why people get hacked in the first place; everyone wants to "use their name" but there are a dozen other people who maybe have that name as well. Using emails is even worse here, because it gives the hackers something to check against. Instead "permit" logging in with the email, but really what you want is for the site to give a QR code, you log in on your phone, without actually entering anything on the PC.

 

Have sites audit their login records and report the ip address and geographical location of every login in "self-expiring" emails to the owner of the account, this can be done by sending the email as a html email with an image to a key and deleting the image after a set amount of time. If you want the full list, login and download it.

 

That way, users know who is logging into their accounts. Then you have sites that login to your accounts for you to provide a service (eg money transfer services) which are surprisingly less secure than the banks they login to. These sites should be required to list every login to your account as well as every login they've made to your accounts.



What I don't get is why we don't get unique passwords for everyone already, like you get a number / passport kind of thing. Sure, *if* someone hacks you that's bad, *but* the difference to now is: you can get it back. Also "services" like Google shouldn't be allowed to willy-nilly nuke your stuff, at least not without compensation.

 

And if you don't agree with the above then whatever, but how the "internet" currently works is a joke and that has to be improved by a lot, because like this… it will only end in chaos and disaster (of course I'm aware that's exactly what some people want, stupidly).

 

 

Basically this:

5 hours ago, Kisai said:

The password is not the weakness, the reset functionality is.


 

7 hours ago, AndreiArgeanu said:

And there's absolutely no indication of where these passwords came from or how legitimate they are. Not to mention that there is absolutely nothing connecting those passwords to anything, like an email, or a name, or an account name from the looks of it. Not to mention that there are repeats.

Yeah, there sure are repeats; the number of people with the password "password123" is probably astonishing. 😄


The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer



9 hours ago, WolframaticAlpha said:

F*ck blackhat hackers. They are the worst thing to happen to the cyberspace. F*ck them.


Hackers like Kevin Mitnick are overpunished for just leaking documents. People gain sympathy for hackers. But the malicious blackhats get the sympathy, and f*ck the general public.

If everyone was a whitehat nobody would care if there was a hack or not. That's simply the way things go. The companies must be held responsible for having shit security just like the rest of us are held liable. 

Cor Caeruleus Reborn v6

Spoiler

CPU: Intel - Core i7-8700K

CPU Cooler: be quiet! - PURE ROCK 
Thermal Compound: Arctic Silver - 5 High-Density Polysynthetic Silver 3.5g Thermal Paste 
Motherboard: ASRock Z370 Extreme4
Memory: G.Skill TridentZ RGB 2x8GB 3200/14
Storage: Samsung - 850 EVO-Series 500GB 2.5" Solid State Drive 
Storage: Samsung - 960 EVO 500GB M.2-2280 Solid State Drive
Storage: Western Digital - Blue 2TB 3.5" 5400RPM Internal Hard Drive
Storage: Western Digital - BLACK SERIES 3TB 3.5" 7200RPM Internal Hard Drive
Video Card: EVGA - 970 SSC ACX (1080 is in RMA)
Case: Fractal Design - Define R5 w/Window (Black) ATX Mid Tower Case
Power Supply: EVGA - SuperNOVA P2 750W with CableMod blue/black Pro Series
Optical Drive: LG - WH16NS40 Blu-Ray/DVD/CD Writer 
Operating System: Microsoft - Windows 10 Pro OEM 64-bit and Linux Mint Serena
Keyboard: Logitech - G910 Orion Spectrum RGB Wired Gaming Keyboard
Mouse: Logitech - G502 Wired Optical Mouse
Headphones: Logitech - G430 7.1 Channel  Headset
Speakers: Logitech - Z506 155W 5.1ch Speakers

 


52 minutes ago, Kisai said:

Here is what I would like to see happen on the greater grand scheme of things:

- No more passwords. Register your account with one of (several) authentication providers. That third party pings your phone, second device or encrypted usb key, and you have to respond within 15 seconds. If you actually were trying to login, it wouldn't even take you that long to hit "yep, that's me"

- No more usernames. Let's be honest, the reuse of usernames is probably the entire reason why people get hacked in the first place; everyone wants to "use their name" but there are a dozen other people who maybe have that name as well. Using emails is even worse here, because it gives the hackers something to check against. Instead "permit" logging in with the email, but really what you want is for the site to give a QR code, you log in on your phone, without actually entering anything on the PC.

MFA apps such as Authenticator by Microsoft and LastPass provide a push notification (Allow / Deny) response in addition to the classic 6-digit PIN that lasts 60 seconds. Or, you can use the YubiKey.

 

Regardless, that's the entire point of MFA; it's comprised of three of the four fundamentals:

  • Who you are (identifier such as a username or account number)
  • What you are (biometrics)
  • What you know (passwords)
  • What you have (authenticator app or physical key)

You can get away with losing the identifier portion so long as you've met the other three requirements. Biometrics would essentially take the place of the identifier in that scenario.

 


8 hours ago, StDragon said:

This is what happens when people use the same password for different sites.

Also, a lot of people use simple passwords for throwaway accounts they care nothing about.


This is going to suck for people using the same password or updating to the next number; password123 and password124.


 

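The Microsoft quote a few posts up (expiration pushes users to "the next password can be predicted based on the previous password") and the password123 / password124 remark just above describe the same failure. As an added example, not code from this thread, from Microsoft or from any product, here is the kind of check a site could run at password-change time, when the user has just typed the current password in the same request, so no plaintext ever needs to be stored. The edit-distance threshold and the reason strings are my own assumptions.

```python
import re

# Split a password into (prefix, trailing digit run, trailing symbols),
# e.g. "Summer2021!" -> ("Summer", "2021", "!"); no match if there is no digit run.
_TRAILING_NUMBER = re.compile(r"^(.*?)(\d+)(\W*)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def predictable_successor(old: str, new: str, max_edits: int = 2):
    """Return (True, reason) when `new` is a trivial variant of `old`, else (False, "").

    The max_edits threshold is an assumption for this example, not a standard;
    a real policy would pair this with a breached-password list check.
    """
    lo, ln = old.lower(), new.lower()
    if new == old:
        return True, "unchanged"
    if ln == lo:
        return True, "case change only"
    if new == old[::-1]:
        return True, "reversed"
    if lo in ln or ln in lo:
        return True, "one is contained in the other"
    mo, mn = _TRAILING_NUMBER.match(old), _TRAILING_NUMBER.match(new)
    if (mo and mn and mo.group(1).lower() == mn.group(1).lower()
            and mo.group(3) == mn.group(3)):
        return True, "same stem, trailing number changed"
    if levenshtein(lo, ln) <= max_edits:
        return True, f"within {max_edits} edits of the previous password"
    return False, ""


if __name__ == "__main__":
    # Constructed sample rotations, not values taken from any breach dump.
    for old, new in [("password123", "password124"), ("Summer2021!", "Summer2022!"),
                     ("hunter2", "hunter2!"), ("password123", "321drowssap"),
                     ("password123", "correct horse battery staple")]:
        flagged, why = predictable_successor(old, new)
        print(f"{old!r} -> {new!r}: {'REJECT' if flagged else 'ok'} {why}")
```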

19 hours ago, Master Disaster said:

Oh, you're "one of those" types 😄

 

On Linux I actually prefer Vi/Vim, though I tend to stick with Nano because it's included with almost everything.

nano is pretty good. Idk why so many people hate it. Nice for beginners. 

 

 

DISCLAIMER: THE WRITER IS AN EMACS+TABS ZEALOT.

Vim takes an eternity to learn. emacs just has so much built in, and you can put actually non-idiotic keybindings in it. I had like 5 keybindings in emacs when I started. Now I have 70. I use them. Vim forces you to use those keybindings, no matter what. emacs is customizable AF. A person using stuff like sublime text or vsc for the past x years, can easily switch to emacs. A beginner can start programming in emacs too. For vim, you need to spend some time to learn it.

 

I use uemacs+doomemacs(just to switch configs and stuff)+erc(haven't used it in years)+sx.el(JUST PLAIN AWESOME)+newsticker(configged to verge, cnn, bbc all that good stuff)+orgmode(ofc)+mu4e. It's where I am comfiest at. 


If you like vim, then use it. But remember, god loves those who use emacs. Vim is for satan./s

 

 

Well, it's time to change my password. G'day mates.


Good thing my password is a string of blur and random shit, so I don't even remember them myself and need to check on Firefox and log in to even fathom what I wrote in the first place. A bunch of gibberish and an internal Norwegian joke on the end does make it too complicated.

Useful threads: PSU Tier List | Motherboard Tier List | Graphics Card Cooling Tier List ❤️

Baby: MPG X570 GAMING PLUS | AMD Ryzen 9 5900x /w PBO | Corsair H150i Pro RGB | ASRock RX 7900 XTX Phantom Gaming OC (3020Mhz & 2650Memory) | Corsair Vengeance RGB PRO 32GB DDR4 (4x8GB) 3600 MHz | Corsair RM1000x |  WD_BLACK SN850 | WD_BLACK SN750 | Samsung EVO 850 | Kingston A400 |  PNY CS900 | Lian Li O11 Dynamic White | Display(s): Samsung Oddesy G7, ASUS TUF GAMING VG27AQZ 27" & MSI G274F

 

I also drive a volvo as one does being norwegian haha, a volvo v70 d3 from 2016.

Reliability was a key thing and its my second car, working pretty well for its 6 years age xD


I'm now using 2FA everywhere I can, even if I have a different email and password depending on the importance of the website, so it gives me less trouble. I know one of my emails is part of a leak, but I don't really use it for anything too important, though I do get a lot of spam...


20 hours ago, Neftex said:

What do you do when you can't use the USB (like on a phone)?

They have NFC tags on the keys 


On 6/8/2021 at 3:28 PM, jaslion said:

Eventually it will come to a point that there will be automatic password changers. Which then in turn get breached and then you are super screwed.

I smell a new youtube megasponsor coming


Damn. I guess it's time to set up even more two-factor authentications.

Ryzen 1600x @4GHz

Asus GTX 1070 8GB @1900MHz

16 GB HyperX DDR4 @3000MHz

Asus Prime X370 Pro

Samsung 860 EVO 500GB

Noctua NH-U14S

Seasonic M12II 620W

+ four different mechanical drives.


38 minutes ago, Giganthrax said:

Damn. I guess it's time to set up even more two-factor authentications.

More like 3FA is needed if that is even a thing.. 😐



I'm at a point where it's just not physically possible to change passwords for every account every month or so. At least not if I plan to do anything else in my free time. The problem starts with needing 10 accounts if you want to fully use 10 websites. It's just not realistic to expect people to regularly change all their passwords anymore. There has to be a better solution?!

If someone did not use reason to reach their conclusion in the first place, you cannot use reason to convince them otherwise.


6 hours ago, MultiGamerClub said:

More like 3FA is needed if that is even a thing.. 😐

after 2FA it's MFA (Multi factor authentication) ... it's a thing, yes.

If you need help with your forum account, please use the Forum Support form!

