Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.

  • BombOmOm@lemmy.worldEnglish
    140·
    28 days ago

    Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.

    • blazeknave@lemmy.worldEnglish
      6·
      27 days ago

      Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?

      • Vigge93@lemmy.worldEnglish
        4·
        27 days ago

        I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).

        You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than english can also greatly increase the resistance to dictionary attacks.

        • Jakule17@lemmy.worldEnglish
          1·
          27 days ago

          throwing in a special character

          Okay, but hackers don’t have to know whether I used special character or just lowercase? Or am I stoopid?

      • slumberlust@lemmy.worldEnglish
        1·
        27 days ago

        As always, the most secure password is the least convenient and accessible. It’s a trade off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.

        Longer is better…giggitty.

    • Weslee@lemmy.worldEnglish
      32·
      27 days ago

      I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place

      • Joeffect@lemmy.worldEnglish
        71·
        28 days ago

        Don’t download shit from random websites… make sure its from legit places…

        • tburkhol@lemmy.worldEnglish
          61·
          28 days ago

          legit places…

          My university, 23andMe, Transunion, Equifax, CapitalOne, United Healthcare…

        • Ex Nummis@lemmy.worldOPEnglish
          42·
          28 days ago

          These kinds of breaches are at the site level. Not much you can do as a regular user if the company doesn’t hash or salt their passwords, for example.

          • Joeffect@lemmy.worldEnglish
            1·
            28 days ago

            Not from what the article says

            involves compromised download links and trojanized versions of the legitimate KeePass application that appear identical to the authentic software on the surface, while harboring dangerous capabilities beneath.

  • tym@lemmy.worldEnglish
    10·
    27 days ago

    As someone who consults in the IT Security space, It’s bad out there. Contractors and BYOD companies are downright sheepish in asking their outsourced employees to do anything security-related to their devices. The biggest attack vector is allowed unfettered remote access (and therefore the whole company and any bad actors are also granted unfettered remote access)

    I still can’t get over how quickly companies-at-large have abandoned VPN Servers (removing network trust from the list of options as well)

    I’m down to managed browsers via IdP, and I just can’t wait for the objections to that as well. People out here offering their faces to leopards. Certificate-based MFA on all the things IMO - passwords shouldnt matter (but six digit MFA codes aren’t immune to fake landing pages and siphoned MFA tokens that don’t expire)

    • tomkatt@lemmy.worldEnglish
      1·
      26 days ago

      I use utterly unique and very long passphrases for the most important stuff (banking, mortgage servicing, email, etc.), 2FA for those and most other things, and just throwaway crap passwords for things I don’t care about (web forums and most everything else).

  • Wispy2891@lemmy.worldEnglish
    144·
    27 days ago

    Let’s make a master list of all the emails leaked with their passwords, what could go wrong?

      • Wispy2891@lemmy.worldEnglish
        122·
        27 days ago

        It’s exactly how it worked. A company called synthient made a master list with all the leaked emails + all leaked passwords. Then they were hacked and it leaked

        • ChogChog@lemmy.worldEnglish
          10·
          27 days ago

          Synthient wasn’t hacked, as a security company, they aggregated tons of stealer logs dumped to social media, Telegram, etc.

          They found 8% of the data collected was not in the HIBP database, confirmed with some of the legitimate owners that the data was real.

          They then took that research and shared it with HIBP which is the correct thing to do.

          I was also thrown off by the title they gave it when I first saw it, a security company being hacked would be a terrible look. but they explain it in the article. Should probably have named it “list aggregation” or something.

          • Wispy2891@lemmy.worldEnglish
            21·
            27 days ago

            so why hibp calls them data breach??? Ultra misleading, almost defamation, everyone including me only reads the headlines

  • frostysauce@lemmy.worldEnglish
    71·
    26 days ago

    God fucking dammit, I fucking hate seeing people self-censor themselves on the internet.

  • RememberTheApollo_@lemmy.worldEnglish
    61·
    27 days ago

    Comprised of email addresses and passwords from previous data breaches,

    So these are previously “hacked” data, and now the aggregator has been hacked?

    • sicktriple@lemmy.mlEnglish
      2·
      26 days ago

      The aggregator wasn’t hacked, they essentially hacked the hackers and put together this list. This ain’t a data breach per se, it’s just putting together a bunch of past breaches and patching it up to HIBP.

  • Anas@lemmy.worldEnglish
    4·
    26 days ago

    Apparently my email was included in this breach, but none of the passwords I used with it were (before I started using randomly generated ones).

  • Bwaz@lemmy.worldEnglish
    4·
    26 days ago

    Possibly related question. Layely I’ve been getting email ‘replies’ from various businesses and services (all over the country, USA) all about an ‘inquiry’ that I never made. Apparently someone just got my email address and is using that for – what ? A couple questions:

    ** What is that someone up to, why doing that?

    ** Should I do something about that?

    ** What could I do? Don’t want to change email address.

    • Ex Nummis@lemmy.worldOPEnglish
      1·
      25 days ago

      That’s just your email address being sold by information brokers. Not illegal, not a reason to change your email address. Block, delete & move on.

  • ThisIsMyLemmyLogin@lemmy.worldEnglish
    3·
    26 days ago

    I got this email a few days ago. I don’t even know who these people are and why they have my details. But I’ve had to change my Google account passwords anyway.