#31 2019-01-31 14:39:16

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

tuia wrote:

Here is the first five digits of my super secret password hash:  4BC4A

Find the password, if you think it is possible. smile

tuia wrote:

There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.

Sorry, didn't notice there were the rest 35 digits of 40.

I am 95% sure you mean:

SHA1

4BC4A + 6B00AA1DFEFA3D3D451834744EE593A9460

nameless

Offline

    Positive reputation 1   Negative reputation 0

#32 2019-01-31 14:46:20

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

big_smile

Offline

    Positive reputation 0   Negative reputation 0

#33 2019-01-31 14:47:19

tuia
BFSoldier
Portugal
Reputation: +1065
Location: Lisbon
Registered: 2012-02-20
Posts: 6,295
Website
Linux Firefox 65.0

Re: Pwned Passwords

Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.

Offline

    Positive reputation 0   Negative reputation 0

#34 2019-01-31 14:47:37

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 10 Firefox 65.0

Re: Pwned Passwords

So? Seems I was right.

Offline

    Positive reputation 0   Negative reputation 0

#35 2019-01-31 15:04:52

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 71.0

Re: Pwned Passwords

Arkos wrote:

Just add some special symbols to your PW and the hack would take ~5 years or so.

And to the point and topic of this thread, "Not if it exists in this list."

What would have been a brute force effort will be short-circuited by trying a bunch of real-word, known-compromised passwords.  i.e. You might have thought "maG18w@tm3m3" was the most secure password you've been able to remember.  But if someone else thought so too, and their info got compromised, it's in this list of password hackers may be "trying first" rather than taking the normal amount of time to reach that particular combination.

This is not a list of "weak passwords."  It's a list of compromised passwords, as strong or as weak as they may have been.

tuia wrote:

There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.

Agreed, and every "bad possibility" is contingent upon "because my password actually is in this list."  If someone in a position to see the Cloudflare logs, or pwnedpasswords.com's own Apache logs, or (what we don't think is happening) pwnedpasswords.com itself was malicious, the issue would be "the user at telcomuser3092.vodaphone.es just looked up the hash 4BC4A.  If we know or can figure out who that is and start looking at his accounts, definitely start with the passwords which had generated the 528 SHA-1 hashes represented by https://api.pwnedpasswords.com/range/4BC4A."

In your case, no harm: Because your password isn't actually in that list that generated these 528 SHA-1 hashes.  Someone who's password is in that list just potentially gave away a hint as to which passwords should be attempted against their accounts first.  A set even smaller and more optimal than "the entire list of compromised passwords."

So maybe that's the end-game here: If you do decide to look up your password here -- either on the web site or using the 5-prefix API -- "commit to it."  Meaning if there is a match, don't ignore or rationalize anything trying to keep your favorite password.  Don't wait.  Immediately change every instance where you had used that password.  Meaning, mitigate the small risk of having shown "a hint" to someone, by making sure that hint will be 100% useless going forward.  The risk only exists by not following through.

Whatever small risk might exist in the technology in play here, the real point is "people are entering their current passwords because a web site asked them to."  This is, literally, the only case I'm aware of where such a prompt wasn't malicious.  The alarm bells in everyone's head should have been deafening; and in terms of social engineering, it would be better if the web site didn't exist.

Having to justify "in this case, there actually is a site into which you should enter all your current passwords" is a terrible, terrible precedent that will be exploited later.

Offline

    Positive reputation 1   Negative reputation 0

#36 2019-01-31 20:06:21

YoMama
Player
Serbia
Reputation: +64
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

nämeless wrote:

So? Seems I was right.

Did you just crack the owners password?

Offline

    Positive reputation 0   Negative reputation 0

#37 2019-01-31 20:13:12

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

There you see how busy shämeless is on his working place big_smile

...

Offline

    Positive reputation 0   Negative reputation 0

#38 2019-02-01 09:12:31

joint
Member
Ukraine
Reputation: +1378
Location: Dnepropetrovsk, Ukraine
Registered: 2012-05-24
Posts: 5,940
Android Chrome 71.0

Re: Pwned Passwords

Arkos wrote:

...

There you see how busy shämeless is on his working place big_smile

...

What else him to do when its a no interfearing into an election, attaking democracy or trampling values day on the work wink

Offline

    Positive reputation 1   Negative reputation 0

#39 2019-02-01 11:36:52

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

Hehe, oh yes, good joke.

USA interfeared somehow 127 times since WW2, killed presidents, aranged coups, etc. etc.

...

Offline

    Positive reputation 1   Negative reputation 0

#40 2019-02-02 21:22:20

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Unknown Firefox 65.0

Re: Pwned Passwords

Arkos wrote:

...

Hehe, oh yes, good joke.

USA interfeared somehow 127 times since WW2, killed presidents, aranged coups, etc. etc.

...

They keep asking "who's your daddy?" seems the sluts dont even remember whom they had sex with, what else is new in the so called "free world"?! smile

Offline

    Positive reputation 0   Negative reputation 0

#41 2019-02-08 17:47:44

co0nic
H8
Germany
Reputation: +16
Registered: 2012-10-14
Posts: 56
OS X Firefox 65.0

Re: Pwned Passwords

tuia wrote:
Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.

Let's encrypt.

Offline

    Positive reputation 1   Negative reputation 0

#42 2019-02-08 18:48:18

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 72.0

Re: Pwned Passwords

tuia wrote:

I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:

I thought Google might have picked up on this, too.  But it appears their implementation is separate.  (And in Google fashion, based on even bigger data.)  But they do appear to use a variation of the same "k-anonymity" approach to check your credentials against the list without actually sending even a complete hash.

Google released an extension to check the username and passwords you're entering on any site:
https://support.google.com/accounts?p=password-checkup

Their blog announcement states "If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised."  To recall, as of January 2019, haveibeenpwned.com currently says it checks against 551 million.
https://blog.google/technology/safety-s … rotection/

Google's Security Blog appears to confirm they do use a similar "send only the prefix" approach which we've been discussing, as confirmed in their included infographic.
https://security.googleblog.com/2019/02 … -data.html

Offline

    Positive reputation 1   Negative reputation 0

#43 2019-02-10 12:31:16

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Ubuntu Firefox 65.0

Re: Pwned Passwords

co0nic wrote:
tuia wrote:
Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.

Let's encrypt.

I personally not see any reason why to encrypt everything. Other than apps like Chrome and such demand you to do it.

Just do not use the same password everywhere and do not share your biggest secrets online on this forum. DUH

Oh seems like some laws here in Europe demand you to encrypt. But it is a little bit RETARDED to follow this silly law but brake other much heavier laws (spread and induce hate).

Good luck with that!

Last edited by iCQ (2019-02-10 12:31:51)

Offline

    Positive reputation 0   Negative reputation 0

#44 2019-02-10 16:57:00

Trench
Member
United States
Reputation: +129
Registered: 2014-05-05
Posts: 221
Windows 10 Chrome 72.0

Re: Pwned Passwords

iCQ wrote:

I personally not see any reason why to encrypt everything. Other than apps like Chrome and such demand you to do it.

It certainly does open up some additional challenges, for seemingly low amounts of benefit in our particular context.  For example, once team-simple.org is being served as HTTPS, now those same user agents like Chrome will decline to show all of the non-HTTPS-linked images and videos that members have included in their messages over the years, because they're being referenced from a "secure" site.

The change would make your username be sent as encrypted from here on out, in addition to the password which was already being weakly encrypted before sending.  And it will make your Private Message content encrypted when posting and reading them.

But "everything else" on the site was already open to the public, and doesn't obviously benefit from "oh good, now prying eyes cannot capture this information unencrypted in transit."  They can simply browse the site as guest to see that same information, encrypted or not.

Offline

    Positive reputation 1   Negative reputation 0

#45 2019-02-10 22:19:26

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 65.0

Re: Pwned Passwords

Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/

Not sure tho

Offline

    Positive reputation 0   Negative reputation 0

#46 2019-02-13 14:24:42

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Unknown Firefox 65.0

Re: Pwned Passwords

bud wrote:

Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/

Not sure tho

link tax and upload filter laws

OMG how they dream about being able to speed ticket us online, THE easy way for traffic police to make an extra buck.

Now irl i do hate speeding people...

Offline

    Positive reputation 0   Negative reputation 0

#47 2019-02-14 23:22:17

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 65.0

Re: Pwned Passwords

tribune.jpg

Offline

    Positive reputation 1   Negative reputation 0

#48 2019-02-18 19:11:09

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
Ubuntu Firefox 65.0

Re: Pwned Passwords

OMG is this real? LMAOOOO... what a world!

Offline

    Positive reputation 0   Negative reputation 0

#49 2019-02-18 22:19:21

bud
maestro
Reputation: +1835
Location: shangri la
Registered: 2012-07-07
Posts: 3,941
Website
Windows 7 Firefox 65.0

Re: Pwned Passwords

Yeah, there is more and its just starting

http://bfo.pm/morepics/sentinel.jpg

Offline

    Positive reputation 0   Negative reputation 0

#50 2019-02-18 22:58:27

Arkos
Sedmin
Switzerland
Reputation: +2778
Registered: 2014-06-06
Posts: 7,041
Windows 7 Chrome 72.0

Re: Pwned Passwords

...

Yeah, they have enough passwords for the next decade to hack those millions of PC's  smile

Or they got hacked and so they have to shut down the service silently smile

...

Last edited by Arkos (2019-02-18 22:59:35)

Offline

    Positive reputation 1   Negative reputation 0

#51 2019-04-12 23:39:04

Sepp
Player
England
Reputation: +80
Registered: 2014-02-07
Posts: 309
Windows 7 Internet Explorer 11.0

Re: Pwned Passwords

I'm pretty sure a D-Wave can handle passwords that haven't even been used yet. Science wont admit that it has more in common with majick than it wants to.

Offline

    Positive reputation 0   Negative reputation 0

#52 2019-10-29 08:47:09

nämeless
Semi-corrupt admin
Russia
Reputation: +2598
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 9,767
Windows 7 Firefox 70.0

Re: Pwned Passwords

Offline

    Positive reputation 1   Negative reputation 0

#53 2019-10-30 05:23:00

seventy
Playor
North Korea
Reputation: +809
Location: Pyongyang
Registered: 2014-03-06
Posts: 1,842
Ubuntu Firefox 70.0

Re: Pwned Passwords

That's a very good site, thanks.

Offline

    Positive reputation 0   Negative reputation 0

#54 2019-11-08 13:56:12

iCQ
Spammer
Netherlands
Reputation: +544
Location: Netherlands
Registered: 2017-07-31
Posts: 1,967
BeOS SeaMonkey 1.5

Re: Pwned Passwords

seventy wrote:

That's a very good site, thanks.

haveibeenpwned has some "issue's"//// better use moz://a people! great new feature (but no clue how complete their db is)

IMPORTANT tips:

1 use password manager (better yet on SD card or usb stick)
2 unless u really know what u are doing (or u have a "insurance plan") use DIFFERENT PASSWORDS for each site
3 if possible change passwords of important sites AT LEAST each half year

important sites, i am not talking about simple forum or suchlike things... im talking about your mailbox, banksites, insurance sites, crypto services, mobile phone site!!! and such...

Beware most of the hacks where real hard damage is done these days is with sim swapping.. it is hilariously easy to do and gain/profits are high... seldom such idiots (thieves) get caught.

BUT... most of the time these hackers come from countries where IF they get caught they will end their stupid life quite fast in jail. Hackers are not real men... hackers are usually guys that would wish to rob your grandma... they prey on little girls.. but when they see a man THEY RUN LIKE HELL

I caught many hackers (and script kiddies) in my life... from the 100's only one was man enough NOT TO RUN... but that pedo had a REAL hard time in jail. Also his wife and kids never want to see him again, he lost his house, his job (he was a security guard in a discotheque). Beautiful court case i tell you that. He should never have touched Niels (that time 13 year old kid) and also his mistake was to ignore my kind request... fine... do as u please. Watch us...

At first the police called me "leave him alone, we know him"... now i asked the police man (silly detective) why... he couldn't tell me. After pulling some strings i found out he was "an informant" for the police. We also call that a "snitz" .... he refused to stop his endeavors. He really thought he could enjoy his police buddy... the judge thought different DUH.

To have a doorman loser big mouth sportschool Johnny be a snitz on kids (that use drugs) being a proven pedofile (yeah want to see the photos?) is not an excuse to let him go. I heard this police man that called me also never would get a salary/rank upgrade. Suits him... i hate these half baked pricks (and half baked cops). Especially when they act online and oh boy big mouth! But see them cry when u publish their photo/face... their home address... their employer... their family. Yeah have a big mouth hide and seek buddy... FVCK YOU ASSHOLE you are not A MAN. Ur a sneaky no-good predator!

We got a few of those figures too right here on simple.. i tell you... puke

time will tell, victims do not sleep

Last edited by iCQ (2019-11-08 14:18:48)

Offline

    Positive reputation 0   Negative reputation 0

Board footer