
500M of “Have I been Pwned” hashes broken - pjf
https://hashes.org/leaks.php?id=515
======
esnard
Just a reminder: HIBP password list only includes passwords from already
cracked / plaintext sources.

[https://www.troyhunt.com/ive-just-launched-pwned-passwords-v...](https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#theresnow501636842pwnedpasswords)

~~~
pishpash
But maybe not in one place.

~~~
astura
If you think, even for a moment, that nobody has ever compiled and distributed
a compilation of leaked credentials then I have a bridge to sell you.

~~~
pishpash
So what? Now you have one more unnecessary compilation than before.

------
Mortiffer
There is always this 1.4 billion plaintext email:password compilation
magnet:?xt=urn:btih:7ffbcd8cee06aba2ce6561688cf68ce2addca0a3&dn=BreachCompilation&tr=udp%3A%2F%2Ftracker.openbittorrent.com%3A80&tr=udp%3A%2F%2Ftracker.leechers-paradise.org%3A6969&tr=udp%3A%2F%2Ftracker.coppersurfer.tk%3A6969&tr=udp%3A%2F%2Fglotorrents.pw%3A6969&tr=udp%3A%2F%2Ftracker.opentrackr.org%3A1337

~~~
chatmasta
Totally unrelated, but something I've been wondering for a while. Isn't the
whole point of magnet links that they use a distributed hash table (DHT)? Why
do they need trackers appended to the URL? Is it strictly necessary, or does
it just help in bootstrapping the DHT?

I always remove those when downloading torrents because I'm paranoid they're
obvious markings of torrent traffic, more-so than DHT connections.

~~~
wjh_
Nope, it isn't necessary. It just helps with peering, and the actual download
will start faster.

~~~
brad0
Are you sure? I always thought that the peers have to be seeded by the
trackers.

How would you as a peer connect to any other peers without some kind of seed?

What IPs do you connect to?

~~~
martinml
Clients usually have some public, hardcoded nodes to bootstrap the search:
[https://stackoverflow.com/questions/1181301](https://stackoverflow.com/questions/1181301)

------
kennydude
Troy Hunt said this doesn't really matter - [https://www.troyhunt.com/here-are-all-the-reasons-i-dont-mak...](https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/)

The hashes are about not storing or giving out the passwords freely, more as a
way to verify if your password is in there.

------
bahjoite
Someone should add a "Has my hashed password been broken?" and an opt-in
notification when one's password is eventually revealed.

Last person standing gets a prize.

~~~
wepple
Everyone who uses a password manager would win

~~~
y4mi
Using a password manager doesn't make you immune to having your credentials
leaked if a site's database is breached...

~~~
Ajedi32
It actually does, provided the passwords aren't stored in plaintext.

Even something ridiculously weak like a SHA-1 hash isn't going to be cracked
if the password is 16 characters long and completely random.

~~~
ianseyer
provided:

- the passwords aren't stored in plaintext or any other compromised hashing
mechanism

- you autogenerated your password

- your password manager does not get compromised

saying "it actually does" is a bit of an absolutist stretch...

~~~
arghwhat
Furthermore, none of this is a side-effect of using a password manager. It
just makes doing so more convenient.

~~~
aidenn0
Within a margin of error, zero people can remember 20 16-character random
alphanumeric passwords. Therefore it is only possible using some sort of
password manager, whether it be something like 1password or an old-fashioned
notebook.

~~~
majewsky
> Within a margin of error, [the value of a measure is] zero.

Nitpick: Zero does not have a magnitude, so "a margin of error" is not
remotely well-defined here.

~~~
aidenn0
Nitpick nitpick: margin of error can be either absolute or relative.

~~~
arghwhat
Nitpick nitpick nitpick: "margin of error" without any value effectively means
"the following value has no meaning at all", as the margin of error is
unspecified.

------
AdmiralAsshat
Having faith in the security of the hash that has been leaked was always a
ticking clock. Better to just rotate any password you know to have been
compromised.

~~~
gmuslera
Those hashes come from leaked plain text password lists originally. They
were already released in plain text. The hashing by Have I Been Pwned is just
a way to not release those passwords even further (to newcomers, hobbyists and
the general public), but the hacking community was already using them in
dictionary attacks.

~~~
kevin_thibedeau
Seems like HIBP should be using a fixed salt on its hashes.

~~~
__david__
Because of the way HIBP works the salt would need to be both constant and
known by the client, which makes it rather useless as a salt. It would only
stop rainbow tables, but that's not the issue here.
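As an added example (not code from HIBP, hashes.org or any commenter), here is the offline check kennydude describes, run against the download format of the Pwned Passwords list (one `SHA1:count` line per password), together with the point made in this exchange: because a client would have to know a constant salt, a salted list can be checked exactly as cheaply as the unsalted one. The sample passwords, counts and the salt value are constructed.

```python
import hashlib


def sha1_hex(password: str, salt: str = "") -> str:
    """SHA-1 of salt+password as uppercase hex, the digest form used in the list."""
    return hashlib.sha1((salt + password).encode("utf-8")).hexdigest().upper()


def build_list(seen_counts: dict, salt: str = "") -> list:
    """Constructed stand-in for the downloadable file: 'SHA1:count' lines."""
    return [f"{sha1_hex(pw, salt)}:{n}" for pw, n in seen_counts.items()]


def load_list(lines) -> dict:
    """Parse 'SHA1:count' lines into a digest -> prevalence table; skip blanks."""
    table = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        table[digest.upper()] = int(count)
    return table


def pwned_count(table: dict, password: str, salt: str = "") -> int:
    """Offline lookup: how often the password appears (0 = not in the list).
    Nothing leaves the machine, which addresses the 'don't submit your email' worry."""
    return table.get(sha1_hex(password, salt), 0)


def audit(table: dict, passwords, salt: str = "") -> dict:
    """Return only the candidate passwords that appear in the list, with counts."""
    hits = {}
    for pw in passwords:
        n = pwned_count(table, pw, salt)
        if n:
            hits[pw] = n
    return hits


# Constructed sample data: three weak passwords with made-up prevalence counts.
SEEN = {"password": 3303003, "letmein": 12345, "qwerty123": 987}
TABLE = load_list(build_list(SEEN))

# A hypothetical fixed salt HIBP might publish. Every client needs it to look
# anything up, so anyone checking a wordlist against the salted list simply
# prepends it: same one-hash-per-candidate cost as the unsalted list.
PUBLIC_SALT = "hibp-constant-salt"
SALTED_TABLE = load_list(build_list(SEEN, PUBLIC_SALT))
```

The only thing the salted variant defeats is a precomputed table built without the salt, which is the rainbow-table case the comment above already rules out as irrelevant here.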

------
tgragnato
Oh, HIBP does not include the data from the MyFitnessPal breach. 150m users are
affected!

> [https://content.myfitnesspal.com/security-information/FAQ.ht...](https://content.myfitnesspal.com/security-information/FAQ.html)

~~~
Ajedi32
Breaches can only be added to HIBP if Troy gets his hands on a copy of the
data that was stolen.

Most of the passwords probably won't get added to the HIBP password list
either, since only plaintext passwords ever end up on that list, and
MyFitnessPal claims that most of the passwords in their database were hashed
with Bcrypt. (So probably difficult to crack.)

------
janklimo
How would an attacker use this information? Brute force attack on an account
with known email address?

~~~
bpicolo
> Brute force attack on an account with known email address

Yup. These days I get a ton of break-in attempts for random accounts. My Epic
Games account is disabled weekly due to failed login attempts from random
actors.

Use a password manager and 2fa folks!

~~~
ReverseCold
> My Epic Games account is disabled weekly due to failed login attempts from
> random actors.

Everyone has this (source: some thread on Reddit with a bunch of "me too"
answers). It's a bug with their system and I don't think they know about
it/care/(?)

~~~
bpicolo
> It's a bug with their system

Confident about that? It's certainly not the only service I get break-in
attempts on, fwiw

~~~
ReverseCold
Well first of all, someone else knowing your username should not be able to
lock you out of your account. So even if it isn't a bug it's bad design.

It looks like you can still sign in even if your account is "locked" which
further adds to the theory that it is a bug.

Here are a few threads with a bunch of "me too"s. [0][1]

[0] [https://www.epicgames.com/fortnite/forums/battle-royale/roya...](https://www.epicgames.com/fortnite/forums/battle-royale/royale-with-cheese/232340-account-locked)

[1] [https://www.epicgames.com/fortnite/forums/battle-royale/roya...](https://www.epicgames.com/fortnite/forums/battle-royale/royale-with-cheese/250598-account-locked)

------
paulpauper
Don't put your email into this unless there is a way to download the database
for offline use. The reason is, if HIBP is compromised, the hackers will know
that even if your email is not pwned, it is likely important and will try to
brute force it or use it to build a larger profile of you, such as for other
services.

------
s3inlc
First Torrent for just the plains from the list is available:

[https://hashes.org/torrent/hibp_plain.torrent](https://hashes.org/torrent/hibp_plain.torrent)

