You are not logged in.
Here are the first five digits of my super secret password hash: 4BC4A
Find the password, if you think it is possible.
There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But the rest of the hash is not in that list.
Sorry, didn't notice there were the remaining 35 digits of 40.
I am 95% sure you mean:
SHA1
4BC4A + 6B00AA1DFEFA3D3D451834744EE593A9460
nameless
Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?
I will do that in about a month.
So? Seems I was right.
Just add some special symbols to your PW and the hack would take ~5 years or so.
And to the point and topic of this thread, "Not if it exists in this list."
What would have been a brute force effort will be short-circuited by trying a bunch of real-world, known-compromised passwords. i.e. You might have thought "maG18w@tm3m3" was the most secure password you've been able to remember. But if someone else thought so too, and their info got compromised, it's in this list of passwords hackers may be "trying first" rather than taking the normal amount of time to reach that particular combination.
This is not a list of "weak passwords." It's a list of compromised passwords, as strong or as weak as they may have been.
There are passwords: https://api.pwnedpasswords.com/range/4BC4A. But the rest of the hash is not in that list.
Agreed, and every "bad possibility" is contingent upon "because my password actually is in this list." If someone in a position to see the Cloudflare logs, or pwnedpasswords.com's own Apache logs, or (what we don't think is happening) pwnedpasswords.com itself was malicious, the issue would be "the user at telcomuser3092.vodaphone.es just looked up the hash 4BC4A. If we know or can figure out who that is and start looking at his accounts, definitely start with the passwords which had generated the 528 SHA-1 hashes represented by https://api.pwnedpasswords.com/range/4BC4A."
In your case, no harm: Because your password isn't actually in that list that generated these 528 SHA-1 hashes. Someone whose password is in that list just potentially gave away a hint as to which passwords should be attempted against their accounts first. A set even smaller and more optimal than "the entire list of compromised passwords."
So maybe that's the end-game here: If you do decide to look up your password here -- either on the web site or using the 5-prefix API -- "commit to it." Meaning if there is a match, don't ignore or rationalize anything trying to keep your favorite password. Don't wait. Immediately change every instance where you had used that password. Meaning, mitigate the small risk of having shown "a hint" to someone, by making sure that hint will be 100% useless going forward. The risk only exists by not following through.
Whatever small risk might exist in the technology in play here, the real point is "people are entering their current passwords because a web site asked them to." This is, literally, the only case I'm aware of where such a prompt wasn't malicious. The alarm bells in everyone's head should have been deafening; and in terms of social engineering, it would be better if the web site didn't exist.
Having to justify "in this case, there actually is a site into which you should enter all your current passwords" is a terrible, terrible precedent that will be exploited later.
So? Seems I was right.
Did you just crack the owner's password?
...
There you see how busy shämeless is at his workplace
...
...
There you see how busy shämeless is at his workplace
...
What else is he to do when it's a no interfering in an election, attacking democracy or trampling values day at work
...
Hehe, oh yes, good joke.
The USA interfered somehow 127 times since WW2, killed presidents, arranged coups, etc. etc.
...
...
Hehe, oh yes, good joke.
The USA interfered somehow 127 times since WW2, killed presidents, arranged coups, etc. etc.
...
They keep asking "who's your daddy?" Seems the sluts don't even remember whom they had sex with, what else is new in the so called "free world"?!
Black Mamba wrote: Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?
I will do that in about a month.
Let's encrypt.
I think it is a very good service by Troy Hunt and I may add this to the forum registration and login pages, with a very simple method:
I thought Google might have picked up on this, too. But it appears their implementation is separate. (And in Google fashion, based on even bigger data.) But they do appear to use a variation of the same "k-anonymity" approach to check your credentials against the list without actually sending even a complete hash.
Google released an extension to check the username and passwords you're entering on any site:
https://support.google.com/accounts?p=password-checkup
Their blog announcement states "If we detect that a username and password on a site you use is one of over 4 billion credentials that we know have been compromised." To recall, as of January 2019, haveibeenpwned.com currently says it checks against 551 million.
https://blog.google/technology/safety-s … rotection/
Google's Security Blog appears to confirm they do use a similar "send only the prefix" approach which we've been discussing, as confirmed in their included infographic.
https://security.googleblog.com/2019/02 … -data.html
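The "send only the prefix" check that this thread keeps coming back to (hash the password locally, send the first 5 hex characters of the SHA-1 to the range endpoint, compare the remaining 35 characters on your own machine) as an added, runnable example. This is not tuia's forum code, not the Pwned Passwords client and not Google's extension; the sample range responses and their counts below are constructed for the demo, and the only real value used is that SHA-1 of the string "password" begins with 5BAA6. The live fetch function uses the endpoint URL quoted in the thread but is not called by the offline demo.

```python
"""
Offline walk-through of a k-anonymity range lookup against a Pwned Passwords style API.

Only the 5-character prefix of the SHA-1 leaves the client. The server returns every
suffix it knows for that prefix with a breach count, and the match is done locally.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # endpoint quoted in the thread


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 encoded password (the form the range API uses)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """Split a 40-char SHA-1 into the 5-char prefix that is sent and the 35-char suffix that stays local."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into {suffix: count}; blank lines are skipped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def fetch_range_live(prefix: str) -> str:
    """Real network lookup of one prefix. Included for completeness; the demo below never calls it."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "range-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str] = fetch_range_live) -> int:
    """Return the breach count for the password, or 0 if its suffix is not under its prefix."""
    prefix, suffix = split_hash(sha1_hex(password))
    table = parse_range_response(fetch_range(prefix))
    return table.get(suffix, 0)


class RecordingFetcher:
    """Wraps a fetcher and records every prefix requested, to show what actually left the client."""

    def __init__(self, inner: Callable[[str], str]) -> None:
        self.inner = inner
        self.sent: List[str] = []

    def __call__(self, prefix: str) -> str:
        self.sent.append(prefix)
        return self.inner(prefix)


# Constructed sample responses standing in for the live API. Counts and the unrelated
# suffixes are made up; the middle line of the 5BAA6 bucket is the real suffix of SHA-1("password").
SAMPLE_RANGES = {
    "5BAA6": "\r\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}
GENERIC_RANGE = "\r\n".join(["0" * 34 + "A:2", "F" * 35 + ":1"])  # bucket with no real suffixes


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for the network: answer from the constructed buckets above."""
    return SAMPLE_RANGES.get(prefix.upper(), GENERIC_RANGE)


if __name__ == "__main__":
    rec = RecordingFetcher(fetch_range_offline)
    for pw in ("password", "zXv9!kLm2#pQ"):
        print(f"{pw!r}: seen {breach_count(pw, rec)} times")
    print("prefixes that left the client:", rec.sent)
```

The point the thread makes about "a hint" is visible in `RecordingFetcher`: the only thing the server ever sees is the 5-character prefix, which identifies a bucket of a few hundred hashes (528 in the thread's own lookup), never the full hash or the password. The constructed count for "password" is a placeholder, not a figure from the real service.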
tuia wrote: Black Mamba wrote: Tuia, I know you are working hard to maintain this website but have you ever thought of implementing a SSL certificate on your domain? Wouldn’t it make the forums safer?
I will do that in about a month.
Let's encrypt.
I personally do not see any reason to encrypt everything, other than apps like Chrome and such demanding you do it.
Just do not use the same password everywhere and do not share your biggest secrets online on this forum. DUH
Oh, seems like some laws here in Europe demand you to encrypt. But it is a little bit RETARDED to follow this silly law but break other much heavier laws (spread and induce hate).
Good luck with that!
Last edited by iCQ (2019-02-10 13:31:51)
I personally do not see any reason to encrypt everything, other than apps like Chrome and such demanding you do it.
It certainly does open up some additional challenges, for seemingly low amounts of benefit in our particular context. For example, once team-simple.org is being served as HTTPS, now those same user agents like Chrome will decline to show all of the non-HTTPS-linked images and videos that members have included in their messages over the years, because they're being referenced from a "secure" site.
The change would make your username be sent as encrypted from here on out, in addition to the password which was already being weakly encrypted before sending. And it will make your Private Message content encrypted when posting and reading them.
But "everything else" on the site was already open to the public, and doesn't obviously benefit from "oh good, now prying eyes cannot capture this information unencrypted in transit." They can simply browse the site as guest to see that same information, encrypted or not.
Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/
Not sure tho
Those links might be effed anyway https://www.zdnet.com/article/eu-smacks … lter-laws/
Not sure tho
link tax and upload filter laws
OMG how they dream about being able to speed ticket us online, THE easy way for traffic police to make an extra buck.
Now IRL I do hate speeding people...
OMG is this real? LMAOOOO... what a world!
Yeah, there is more and it's just starting
...
Yeah, they have enough passwords for the next decade to hack those millions of PCs
Or they got hacked and so they have to shut down the service silently
...
Last edited by Arkos (2019-02-18 23:59:35)
I'm pretty sure a D-Wave can handle passwords that haven't even been used yet. Science won't admit that it has more in common with majick than it wants to.
That's a very good site, thanks.
nämeless wrote: That's a very good site, thanks.
haveibeenpwned has some "issues"//// better use moz://a people! great new feature (but no clue how complete their db is)
IMPORTANT tips:
1 use a password manager (better yet on an SD card or USB stick)
2 unless you really know what you are doing (or you have an "insurance plan") use DIFFERENT PASSWORDS for each site
3 if possible change passwords of important sites AT LEAST every half year
Important sites: I am not talking about a simple forum or suchlike things... I'm talking about your mailbox, bank sites, insurance sites, crypto services, mobile phone site!!! and such...
Beware: most of the hacks where real hard damage is done these days are with SIM swapping.. it is hilariously easy to do and gains/profits are high... seldom do such idiots (thieves) get caught.
BUT... most of the time these hackers come from countries where IF they get caught they will end their stupid life quite fast in jail. Hackers are not real men... hackers are usually guys that would wish to rob your grandma... they prey on little girls.. but when they see a man THEY RUN LIKE HELL
I caught many hackers (and script kiddies) in my life... from the hundreds only one was man enough NOT TO RUN... but that pedo had a REAL hard time in jail. Also his wife and kids never want to see him again, he lost his house, his job (he was a security guard in a discotheque). Beautiful court case, I tell you that. He should never have touched Niels (at that time a 13 year old kid) and also his mistake was to ignore my kind request... fine... do as you please. Watch us...
At first the police called me "leave him alone, we know him"... now I asked the policeman (silly detective) why... he couldn't tell me. After pulling some strings I found out he was "an informant" for the police. We also call that a "snitz" .... he refused to stop his endeavors. He really thought he could enjoy his police buddy... the judge thought different DUH.
To have a doorman loser big mouth sportschool Johnny be a snitz on kids (that use drugs) being a proven pedophile (yeah want to see the photos?) is not an excuse to let him go. I heard this policeman that called me also never would get a salary/rank upgrade. Suits him... I hate these half baked pricks (and half baked cops). Especially when they act online and oh boy big mouth! But see them cry when you publish their photo/face... their home address... their employer... their family. Yeah have a big mouth hide and seek buddy... FVCK YOU ASSHOLE you are not A MAN. You're a sneaky no-good predator!
We got a few of those figures too right here on simple.. I tell you... puke
time will tell, victims do not sleep
Last edited by iCQ (2019-11-08 15:18:48)