Collection 1 Breach - 773 Million Record Data Breach.

Computer and electronic gizmo support.
KNAPPO
Master artist
Posts: 10312
Joined: Sun Jul 17, 2005 1:26 am
Location: North of the dog fence, Adelaide.

Collection 1 Breach - 773 Million Record Data Breach.

Post by KNAPPO »

https://www.troyhunt.com/the-773-millio ... ata-reach/

Looks like a pretty decent sized data breach happened the other day.
I received some extortion spam which I just found this arvo which said they knew my password, and yes the password WAS correct albeit very, very old and no longer in use.

Did some poking about and found the above link from Troy Hunt and my email pops up in haveibeenpwned.com with Collection #1 being one of the breaches.
It appears to comprise multiple breaches across a number of services including 2,000 databases.

Hunt says there are many legitimate breaches in the directory listing, but he cannot yet verify this further. “This number makes it the single largest breach ever to be loaded into HIBP,” he adds in a blog.

What’s more, his own personal data is in there “and it's accurate”, he says. “Right email address and a password I used many years ago. Like many of you reading this, I've been in multiple data breaches before which have resulted in my email addresses and yes, my passwords, circulating in public.”
https://www.forbes.com/sites/kateoflahe ... b0f33a2a2e
Life is hard...but, life is harder when you're dumb.
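The haveibeenpwned.com check mentioned above is worth seeing in code. The following is an added example, not code from the original post or from Troy Hunt's service: it implements the Pwned Passwords k-anonymity lookup, where only the first five hex characters of the password's SHA-1 are sent to the API and the full hash is matched locally against the returned range. The endpoint URL and the `Add-Padding` header are the real ones; the sample range response is constructed here so the example runs offline (the suffix for "password" is derived locally, every other suffix and every count is made up), and the `pwned_count_live` function is assumed helper code for the same check against the real API.

```python
import hashlib
import urllib.request

# Real HIBP Pwned Passwords range endpoint; only a 5-char hash prefix is sent.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that goes
    to the API and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines from a range response into {suffix: count}.
    Entries with count 0 are padding added when Add-Padding is requested and
    are dropped so they cannot be mistaken for a real hit."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus, given the
    range response for its prefix. 0 means no match in that range."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_body).get(suffix, 0)


def pwned_count_live(password: str, timeout: float = 10.0) -> int:
    """Same check against the real API (assumed helper, not run offline)."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return parse_range_response(body).get(suffix, 0)


# Constructed stand-in for the reply to GET /range/5BAA6. The suffix for
# "password" is computed locally so the sample is self-consistent; the other
# suffixes and all counts are invented for the example.
_PW_SUFFIX = sha1_prefix_suffix("password")[1]
CONSTRUCTED_RANGE_5BAA6 = "\n".join([
    "0018A45C4D1DEF81644B54AB7F969B88D65:1",
    f"{_PW_SUFFIX}:3861493",
    "1F2F9F4B0C2F3A5C2E9A1B3C4D5E6F7A8B9:0",  # padding entry, ignored
])


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        prefix, _ = sha1_prefix_suffix(pw)
        print(f"{pw!r}: prefix sent={prefix}, "
              f"count={pwned_count(pw, CONSTRUCTED_RANGE_5BAA6)}")
```

Note that the API never learns the password: a prefix identifies a bucket of several hundred hashes, and the match is done on the client. The same property is what makes it safe to wire `pwned_count_live` into a sign-up or password-change form.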
Big Kev
Clean as a Whistle
Posts: 15074
Joined: Mon Dec 13, 2004 7:09 pm
Location: Little Britain

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by Big Kev »

KNAPPO wrote: I received some extortion spam which I just found this arvo which said they knew my password, and yes the password WAS correct albeit very, very old and no longer in use.
I've had one of those. Ignored it, nothing happened.
ARSE Biscuits! Driftu Kingu!
My Flickr Stream
durbster
The Whack Wasp Warrior
Posts: 5219
Joined: Tue Oct 18, 2005 8:29 am
Location: Nottingham, Mother England

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by durbster »

Is that the ones that say they've hacked your account and have captured a video of you having some alone time that they'll send to your contacts? :D

I've had about 50 of them in the last few months although the spam filter catches most of them. They have two of my really old passwords (probably 6-7 years old) and I thankfully know enough about how it all works to recognise it was bullshit. I'm not sure where the breach was from but I'm guessing Adobe and/or LinkedIn.

All my passwords have been unique for years so I should be able to at least figure out where they came from if it happens again.

I bet they make a mass of money over it though. I would bet most people won't know it's a hoax.
ysu
Smooth Lubricator.
Posts: 12070
Joined: Sun Jun 26, 2005 7:48 pm
Location: The wet central coast

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by ysu »

Yeah, I've received a good bunch of those, too. My wife as well. The pw they had was the 'low importance' one - eg someone may take this forum account with it. So my guess is some stupid site stored the pw in non-encrypted format, and they've got that.

Since I re-use the low importance password quite a bit, there's no way I can tell where it came from. But they have sent a good number of spam along the same lines where the password was absolutely guesswork, so go figure.
Surprise, no sig. Now there is. Or is there?
KNAPPO
Master artist
Posts: 10312
Joined: Sun Jul 17, 2005 1:26 am
Location: North of the dog fence, Adelaide.

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by KNAPPO »

durbster wrote: Is that the ones that say they've hacked your account and have captured a video of you having some alone time that they'll send to your contacts? :D

I've had about 50 of them in the last few months although the spam filter catches most of them. They have two of my really old passwords (probably 6-7 years old) and I thankfully know enough about how it all works to recognise it was bullshit. I'm not sure where the breach was from but I'm guessing Adobe and/or LinkedIn.

That's the one :rofl:

First time one slipped through the spam filter; this scam is pretty old but it was the first time I have actually received one. Screamed dodgy from the get go.
Looks like my details were in the Dropbox breach in 2012; my email address pops up in two similar lists since but they look to be redistributed details after the Dropbox hack.

I use unique alphanumeric PWs on all my high level accounts with two-step authentication on every account that allows it. They are a challenge to remember but none of them are used elsewhere. I don't use a PW manager; they might be 'safe' but the last thing I'd want is the keys to the kingdom to be stolen...
Life is hard...but, life is harder when you're dumb.
ysu
Smooth Lubricator.
Posts: 12070
Joined: Sun Jun 26, 2005 7:48 pm
Location: The wet central coast

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by ysu »

KNAPPO wrote: I use unique alphanumeric PWs on all my high level accounts with two-step authentication on every account that allows it. They are a challenge to remember but none of them are used elsewhere. I don't use a PW manager; they might be 'safe' but the last thing I'd want is the keys to the kingdom to be stolen...
The best pw manager is a piece of paper. Hack that, if you can ;)

(not worky-worky if you got curious kids around, though)
Surprise, no sig. Now there is. Or is there?
KNAPPO
Master artist
Posts: 10312
Joined: Sun Jul 17, 2005 1:26 am
Location: North of the dog fence, Adelaide.

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by KNAPPO »

ysu wrote: The best pw manager is a piece of paper. Hack that, if you can ;)
Yep, that's exactly what I do. Did a huge password audit around 12 months ago. That was fun.
My Google password is hilarious, it's around 40 upper, lower alphanumeric and special characters... I've managed to memorise it finally.
Life is hard...but, life is harder when you're dumb.
ysu
Smooth Lubricator.
Posts: 12070
Joined: Sun Jun 26, 2005 7:48 pm
Location: The wet central coast

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by ysu »

KNAPPO wrote:
ysu wrote: The best pw manager is a piece of paper. Hack that, if you can ;)
Yep, that's exactly what I do. Did a huge password audit around 12 months ago. That was fun.
My Google password is hilarious, it's around 40 upper, lower alphanumeric and special characters... I've managed to memorise it finally.
Nice :)
I use the xkcd method for passwords that are worth making complex. It's quite good, in my opinion.
https://xkcd.com/936/

I've spiced it up occasionally but as a base it's good. Although it's recommended to avoid the spaces; they can be a small give-away.
Surprise, no sig. Now there is. Or is there?
Cursed
Posts: 1445
Joined: Thu Feb 10, 2011 8:46 am

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by Cursed »

ysu wrote: Nice :)
I use the xkcd method for passwords that are worth making complex. It's quite good, in my opinion.
https://xkcd.com/936/

I've spiced it up occasionally but as a base it's good. Although it's recommended to avoid the spaces; they can be a small give-away.
I was about to link that xkcd comic myself. Basically, all the individual letter/number/special character substitutions will be tried in a dictionary type attack so they're not much in the way of protection. After you exceed a certain length you're no longer talking about a password, but a phrase. The complexity goes nuts and dictionary attacks become less effective and it just boils down to a straight up brute-force attack. In that case, all characters are going to be tested. Easier to make it long and make sense to you.
hylas
Posts: 767
Joined: Sun Jun 29, 2014 7:24 pm
Location: Wagga Wagga, NSW Australia

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by hylas »

I was using KeePass for a long time but a few years back I moved over to Enpass as my pw manager.

Enpass allows me to sync all my devices easily with my passwords so it's not a hassle at all. Basically I have the database stored on my ownCloud server and all my devices sync to that. I don't know any of my passwords besides the one to unlock my password manager, and that itself was randomly generated and took a bit to start remembering.

I don't like to have this kind of stuff in the hands of other people/companies so I was never going to use a service hosted elsewhere like LastPass, but since Enpass lets me host it myself and has support for Android/iOS/Windows/Linux I thought I would give it a look, and since then I haven't seen a reason to change.
durbster
The Whack Wasp Warrior
Posts: 5219
Joined: Tue Oct 18, 2005 8:29 am
Location: Nottingham, Mother England

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by durbster »

ysu wrote: I use the xkcd method for passwords that are worth making complex. It's quite good, in my opinion.
https://xkcd.com/936/

I've spiced it up occasionally but as a base it's good. Although it's recommended to avoid the spaces; they can be a small give-away.
The problem with this is it's so commonly shared that it's a legitimate attack vector now (so it's good you've adapted it) :D

Song or film lyrics are a good method for a string that's easy to remember but difficult to guess, especially if they include numbers.

I don't mean the full thing, just initials e.g.
I got 99 problems but the bitch ain't one = ig99pbtba1

Hard to guess, easy to remember, and not immediately obvious how it's formed. You need to do something to make them unique for different sites but it can make up part of one.

I've got a system that's easy for me to remember but is basically gibberish and unique for each site but breaches are so regular that I have to evolve it each time which is a pain. I'm pretty much ready to give up on it and jump to LastPass I think.
ysu
Smooth Lubricator.
Posts: 12070
Joined: Sun Jun 26, 2005 7:48 pm
Location: The wet central coast

Re: Collection 1 Breach - 773 Million Record Data Breach.

Post by ysu »

durbster wrote:
ysu wrote: I use the xkcd method for passwords that are worth making complex. It's quite good, in my opinion.
https://xkcd.com/936/
The problem with this is it's so commonly shared that it's a legitimate attack vector now (so it's good you've adapted it) :D...
It's not really a help in attacks, even if you know 100% that it's used. Random word jumbles are extremely hard to guess. If you don't know anything, the variety can be incredible, pretty much impossible to brute force. If I may add, you don't even know the language. :)
I use it w/o spaces, just initial caps and numbers added in between. That helps with the usual requirement for passwords to include caps & numbers, too.

This is about as secure as you can get, so it's great to use for banking and other sites where your credit card or a lot of your personal details are stored.

But for your average site, I reckon with all the breaches, a pw manager may indeed be the best option. Thanks for the tip, hylas, I'll check that Enpass out!
Surprise, no sig. Now there is. Or is there?
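Cursed's point that leet substitutions are just rules a cracker applies to every dictionary word, and ysu's point that a random jumble of words stays hard to guess even when the attacker knows the scheme, can both be made concrete. The following is an added example and not code from the original thread or from xkcd: it simulates a rule-based dictionary attack (the kind hashcat or John the Ripper run) against an unsalted SHA-1 hash, counts how many guesses a substituted-and-capitalised dictionary word survives, and then computes the entropy of a ysu-style passphrase (capitalised words, no spaces, a random digit between words) under the Kerckhoffs assumption that the attacker knows the wordlist and the scheme. The eight-word `WORDLIST` and the `SUBS` rule table are constructed for the example (a real attack wordlist has millions of entries and far more rules); the 2048-word list size used in the entropy calculation is the one the xkcd comic assumes.

```python
import hashlib
import itertools
import math
import re
import secrets

# Constructed mini wordlist for the example; real cracking lists hold millions.
WORDLIST = ["password", "dragon", "sunshine", "trouble",
            "horse", "battery", "staple", "correct"]

# Constructed leet-substitution rules: each letter maps to the characters a
# rule-based cracker will try in its place (the letter itself is included).
SUBS = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
CASES = (str.lower, str.capitalize, str.upper)
SUFFIXES = [""] + [str(d) for d in range(10)]   # optional trailing digit


def mangled(word):
    """Yield every variant of one word under the substitution, case and suffix rules."""
    per_char = [SUBS.get(c, c) for c in word]
    for chars in itertools.product(*per_char):
        base = "".join(chars)
        for case in CASES:
            for suffix in SUFFIXES:
                yield case(base) + suffix


def candidates(wordlist):
    """All guesses a rule-based attack derives from the wordlist, in order."""
    for word in wordlist:
        yield from mangled(word)


def candidate_count(wordlist):
    """Size of the whole rule-expanded guess space (duplicates counted)."""
    return sum(1 for _ in candidates(wordlist))


def sha1_hex(s):
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def guesses_until_found(target_hash, wordlist):
    """Simulate cracking an unsalted SHA-1 hash; return the guess number that
    hit, or None if the target is outside the rule-expanded dictionary."""
    for n, cand in enumerate(candidates(wordlist), start=1):
        if sha1_hex(cand) == target_hash:
            return n
    return None


def passphrase_bits(n_words, wordlist_size, digits_between=True):
    """Entropy in bits of a random n-word passphrase, assuming the attacker knows
    the wordlist and the scheme. Removing spaces or capitalising words adds
    nothing in this model; a random digit between words adds log2(10) each."""
    bits = n_words * math.log2(wordlist_size)
    if digits_between:
        bits += (n_words - 1) * math.log2(10)
    return bits


def make_passphrase(n_words=4, wordlist=WORDLIST):
    """ysu-style passphrase: capitalised words, no spaces, a random digit between
    words. Uses the secrets module, never random, for anything security-relevant."""
    words = [secrets.choice(wordlist).capitalize() for _ in range(n_words)]
    out = words[0]
    for w in words[1:]:
        out += str(secrets.randbelow(10)) + w
    return out


def split_scheme(passphrase):
    """Recover the words from a make_passphrase() output, as a scheme-aware
    attacker would; the capital letters mark the boundaries."""
    return re.findall(r"[A-Z][a-z]*", passphrase)


if __name__ == "__main__":
    print("rule-expanded guesses:", candidate_count(WORDLIST))
    for pw in ("P@ssw0rd1", "correcthorsebatterystaple"):
        print(pw, "found after", guesses_until_found(sha1_hex(pw), WORDLIST))
    print("4 words from 2048, digits between:", round(passphrase_bits(4, 2048), 1), "bits")
    print("sample:", make_passphrase(4))
```

"P@ssw0rd1" falls within the first 1782 guesses because every substitution, case and digit variant of "password" is enumerated before the second word is even reached, whereas the four-word concatenation is never produced by single-word rules and an attacker has to search the full word-combination space instead. With the constructed eight-word list that space is tiny; with the 2048-word list the comic assumes it is about 44 bits, or about 54 bits with three random digits between the words.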