#31 2019-01-31 14:39:16

nämeless
Semi-corrupt admin
Reputation: 1477
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 7,951
Windows 10 Firefox 65.0

Re: Pwned Passwords

tuia wrote:

Here are the first five digits of my super secret password hash:  4BC4A

Find the password, if you think it is possible. smile

tuia wrote:

There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.

Sorry, didn't notice there were the remaining 35 digits of 40.

I am 95% sure you mean:

SHA1

4BC4A + 6B00AA1DFEFA3D3D451834744EE593A9460

nameless


Never underestimate the predictability of stupidity.


#32 2019-01-31 14:46:20

tuia
Born again
Portugal
Reputation: 582
Location: Lisbon
Registered: 2012-02-20
Posts: 5,842
Linux Firefox 65.0

Re: Pwned Passwords

big_smile


#33 2019-01-31 14:47:19

tuia
Born again
Portugal
Reputation: 582
Location: Lisbon
Registered: 2012-02-20
Posts: 5,842
Linux Firefox 65.0

Re: Pwned Passwords

Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.


#34 2019-01-31 14:47:37

nämeless
Semi-corrupt admin
Reputation: 1477
Location: Nizhny Novgorod, Russia
Registered: 2012-09-30
Posts: 7,951
Windows 10 Firefox 65.0

Re: Pwned Passwords

So? Seems I was right.



#35 2019-01-31 15:04:52

Trench
Member
United States
Reputation: 74
Registered: 2014-05-05
Posts: 142
Windows 10 Chrome 71.0

Re: Pwned Passwords

Arkos wrote:

Just add some special symbols to your PW and the hack would take ~5 years or so.

And to the point and topic of this thread, "Not if it exists in this list."

What would have been a brute force effort will be short-circuited by trying a bunch of real-world, known-compromised passwords.  i.e. You might have thought "maG18w@tm3m3" was the most secure password you've been able to remember.  But if someone else thought so too, and their info got compromised, it's in this list of passwords hackers may be "trying first" rather than taking the normal amount of time to reach that particular combination.

This is not a list of "weak passwords."  It's a list of compromised passwords, as strong or as weak as they may have been.

tuia wrote:

There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But, the rest of the hash is not in that list.

Agreed, and every "bad possibility" is contingent upon "because my password actually is in this list."  If someone in a position to see the Cloudflare logs, or pwnedpasswords.com's own Apache logs, or (what we don't think is happening) pwnedpasswords.com itself was malicious, the issue would be "the user at telcomuser3092.vodaphone.es just looked up the hash 4BC4A.  If we know or can figure out who that is and start looking at his accounts, definitely start with the passwords which had generated the 528 SHA-1 hashes represented by https://api.pwnedpasswords.com/range/4BC4A."

In your case, no harm: Because your password isn't actually in that list that generated these 528 SHA-1 hashes.  Someone whose password is in that list just potentially gave away a hint as to which passwords should be attempted against their accounts first.  A set even smaller and more optimal than "the entire list of compromised passwords."

So maybe that's the end-game here: If you do decide to look up your password here -- either on the web site or using the 5-prefix API -- "commit to it."  Meaning if there is a match, don't ignore or rationalize anything trying to keep your favorite password.  Don't wait.  Immediately change every instance where you had used that password.  Meaning, mitigate the small risk of having shown "a hint" to someone, by making sure that hint will be 100% useless going forward.  The risk only exists by not following through.

Whatever small risk might exist in the technology in play here, the real point is "people are entering their current passwords because a web site asked them to."  This is, literally, the only case I'm aware of where such a prompt wasn't malicious.  The alarm bells in everyone's head should have been deafening; and in terms of social engineering, it would be better if the web site didn't exist.

Having to justify "in this case, there actually is a site into which you should enter all your current passwords" is a terrible, terrible precedent that will be exploited later.


#36 2019-01-31 20:06:21

YoMama
Player
Serbia
Reputation: 62
Location: Belgrade
Registered: 2019-01-14
Posts: 125
Android Chrome 65.0

Re: Pwned Passwords

nämeless wrote:

So? Seems I was right.

Did you just crack the owner's password?


Game name [2nd SS] YO MAMA


#37 2019-01-31 20:13:12

Arkos
Member
Switzerland
Reputation: 1443
Registered: 2014-06-06
Posts: 4,049
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

There you see how busy shämeless is at his workplace big_smile

...


#38 2019-02-01 09:12:31

joint
Member
Ukraine
Reputation: 656
Location: Dnepropetrovsk, Ukraine
Registered: 2012-05-24
Posts: 4,832
Android Chrome 71.0

Re: Pwned Passwords

Arkos wrote:

...

There you see how busy shämeless is at his workplace big_smile

...

What else is he to do when it's a no-interfering-in-an-election, attacking-democracy or trampling-values day at work wink


#39 2019-02-01 11:36:52

Arkos
Member
Switzerland
Reputation: 1443
Registered: 2014-06-06
Posts: 4,049
Windows 7 Chrome 71.0

Re: Pwned Passwords

...

Hehe, oh yes, good joke.

USA interfered somehow 127 times since WW2, killed presidents, arranged coups, etc. etc.

...


#40 2019-02-02 21:22:20

iCQ
Player
Norway
Reputation: 314
Location: i exist only in ur ❤️
Registered: 2017-07-31
Posts: 1,167
Unknown Firefox 65.0

Re: Pwned Passwords

Arkos wrote:

...

Hehe, oh yes, good joke.

USA interfered somehow 127 times since WW2, killed presidents, arranged coups, etc. etc.

...

They keep asking "who's your daddy?" Seems the sluts don't even remember whom they had sex with, what else is new in the so called "free world"?! smile


To be or Not to be i wish i had more + votes 4u, sorry ladies and gents


#41 2019-02-08 17:47:44

co0nic
H8
Germany
Reputation: 14
Registered: 2012-10-14
Posts: 50
OS X Firefox 65.0

Re: Pwned Passwords

tuia wrote:
Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.

Let's encrypt.


#42 2019-02-08 18:48:18

Trench
Member
United States
Reputation: 74
Registered: 2014-05-05
Posts: 142
Windows 10 Chrome 72.0

Re: Pwned Passwords

tuia wrote:

I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:

I thought Google might have picked up on this, too.  But it appears their implementation is separate.  (And in Google fashion, based on even bigger data.)  But they do appear to use a variation of the same "k-anonymity" approach to check your credentials against the list without actually sending even a complete hash.

Google released an extension to check the username and passwords you're entering on any site:
https://support.google.com/accounts?p=password-checkup

Their blog announcement states "If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised."  To recall, as of January 2019, haveibeenpwned.com currently says it checks against 551 million.
https://blog.google/technology/safety-s … rotection/

Google's Security Blog appears to confirm they do use a similar "send only the prefix" approach which we've been discussing, as confirmed in their included infographic.
https://security.googleblog.com/2019/02 … -data.html

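The "send only the prefix" check that Trench walks through in #35 and #42, as an added example in Python (not code from the thread, from haveibeenpwned.com or from Google): only the first five hex characters of the SHA-1 leave the machine, the server answers with every suffix sharing that prefix, and the match is made locally. The range response below is constructed for the example and stands in for the real HTTPS request; the SUFFIX:COUNT line format is the one the Pwned Passwords range API uses.

```python
import hashlib
from typing import Dict, Tuple

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6.
# Real responses carry one "SUFFIX:COUNT" line per hash sharing the prefix, CRLF-separated.
# The first suffix is the genuine SHA-1 remainder of the word "password"; the other two
# suffixes and all counts are made up for this example.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "1F2B4C5D6E7F8091A2B3C4D5E6F708192A3:2",
        "2AAF00FF11EE22DD33CC44BB55AA6699778:15",
    ]),
}

def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix (the only part sent to the server) and 35-char suffix (never sent)."""
    return digest[:5], digest[5:]

def parse_range(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a suffix -> count map; tolerates blank lines and CRLF."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTPS request; returns the constructed body for the prefix."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def pwned_count(password: str) -> int:
    """Breach count for the password, or 0 if its suffix is not in the returned range."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)

def hint_size(password: str) -> int:
    """Size of the candidate set an observer of the prefix learns about: the k in k-anonymity."""
    prefix, _ = split_hash(sha1_hex(password))
    return len(parse_range(fetch_range(prefix)))
```

Replacing fetch_range with a real request keeps the property discussed above: the server, and anyone reading its logs, sees the prefix and the size of the candidate set, never the full hash.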

#43 2019-02-10 12:31:16

iCQ
Player
Norway
Reputation: 314
Location: i exist only in ur ❤️
Registered: 2017-07-31
Posts: 1,167
Ubuntu Firefox 65.0

Re: Pwned Passwords

co0nic wrote:
tuia wrote:
Black Mamba wrote:

Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?

I will do that in about a month.

Let's encrypt.

I personally don't see any reason to encrypt everything. Other than apps like Chrome and such demanding you to do it.

Just do not use the same password everywhere and do not share your biggest secrets online on this forum. DUH

Oh, seems like some laws here in Europe demand you to encrypt. But it is a little bit RETARDED to follow this silly law but break other much heavier laws (spread and induce hate).

Good luck with that!

Last edited by iCQ (2019-02-10 12:31:51)



#44 2019-02-10 16:57:00

Trench
Member
United States
Reputation: 74
Registered: 2014-05-05
Posts: 142
Windows 10 Chrome 72.0

Re: Pwned Passwords

iCQ wrote:

I personally not see any reason why to encrypt everything. Other than apps like Chrome and such demand you to do it.

It certainly does open up some additional challenges, for seemingly low amounts of benefit in our particular context.  For example, once team-simple.org is being served as HTTPS, now those same user agents like Chrome will decline to show all of the non-HTTPS-linked images and videos that members have included in their messages over the years, because they're being referenced from a "secure" site.

The change would make your username be sent as encrypted from here on out, in addition to the password which was already being weakly encrypted before sending.  And it will make your Private Message content encrypted when posting and reading them.

But "everything else" on the site was already open to the public, and doesn't obviously benefit from "oh good, now prying eyes cannot capture this information unencrypted in transit."  They can simply browse the site as guest to see that same information, encrypted or not.


#45 2019-02-10 22:19:26

bud
.
Reputation: 1002
Registered: 2012-07-07
Posts: 3,012
Windows 7 Firefox 65.0

Re: Pwned Passwords

Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/

Not sure tho



#46 2019-02-13 14:24:42

iCQ
Player
Norway
Reputation: 314
Location: i exist only in ur ❤️
Registered: 2017-07-31
Posts: 1,167
Unknown Firefox 65.0

Re: Pwned Passwords

bud wrote:

Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/

Not sure tho

link tax and upload filter laws

OMG how they dream about being able to speed ticket us online, THE easy way for traffic police to make an extra buck.

Now IRL I do hate speeding people...



#47 2019-02-14 23:22:17

bud
.
Reputation: 1002
Registered: 2012-07-07
Posts: 3,012
Windows 7 Firefox 65.0

Re: Pwned Passwords

tribune.jpg



#48 2019-02-18 19:11:09

iCQ
Player
Norway
Reputation: 314
Location: i exist only in ur ❤️
Registered: 2017-07-31
Posts: 1,167
Ubuntu Firefox 65.0

Re: Pwned Passwords

OMG is this real? LMAOOOO... what a world!



#49 2019-02-18 22:19:21

bud
.
Reputation: 1002
Registered: 2012-07-07
Posts: 3,012
Windows 7 Firefox 65.0

Re: Pwned Passwords

Yeah, there is more and it's just starting

http://bfo.pm/morepics/sentinel.jpg



#50 2019-02-18 22:58:27

Arkos
Member
Switzerland
Reputation: 1443
Registered: 2014-06-06
Posts: 4,049
Windows 7 Chrome 72.0

Re: Pwned Passwords

...

Yeah, they have enough passwords for the next decade to hack those millions of PCs  smile

Or they got hacked and so they have to shut down the service silently smile

...

Last edited by Arkos (2019-02-18 22:59:35)


#51 2019-04-12 23:39:04

Sepp
Flamer
England
Reputation: 63
Registered: 2014-02-07
Posts: 243
Windows 7 Internet Explorer 11.0

Re: Pwned Passwords

I'm pretty sure a D-Wave can handle passwords that haven't even been used yet. Science won't admit that it has more in common with majick than it wants to.
