
LiveJournal data breach impacts 33M users with plaintext passwords - weleakinfo
https://twitter.com/weleakinfo/status/1149904387374026752
======
Fuccboi88
Plaintext passwords huh, that's about as bad as it gets when it comes to
breaches. The only upside is that this data is from 5 years ago so _hopefully_
a percentage of this breach is outdated.

~~~
thom
Even if everybody on LiveJournal has since changed their passwords (there and
everywhere they repeated it, which we know they won’t have), this now adds to
the dictionary of passwords which _other_ humans may have chosen elsewhere and
will certainly increase the hit rate of password spraying attacks etc.

While everyone recommends turning on 2FA everywhere, I’m increasingly
convinced we’d all be safer if the password was the second, optional factor.

~~~
ryanlol
>will certainly increase the hit rate of password spraying attacks etc

I do not see how this works in the context of _other_ humans.

~~~
thom
Because people don’t choose random passwords on the whole. So for every person
who is revealed to have used zxcvbnm1234567890 as a password, there is a
chance others have too. Obviously not for every password, but every large leak
of actual passwords adds some that will match elsewhere.

~~~
ryanlol
I don’t see how this leads to an increased hit rate; now you’ll just be making
more incorrect attempts.

Only way I see this kind of working is if you’re cracking the passwords
offline.

~~~
thom
Yes, that’s one use case. Let’s say you have a database of actually properly
hashed passwords. What passwords are you going to prioritise to try first?
Every plaintext leak adds to the list of passwords you’d be sensible to try
before brute forcing. Plus even for online attacks like password spraying,
you’ve got to get an idea of common passwords from _somewhere_ and this leak
inevitably adds to that. The only point I’m making is that humans are similar
and therefore there’s always a chance they pick similar passwords. Therefore
even if all LJ users have since changed their passwords, there are still many
risks.
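
The defensive counterpart to the point above, as an added example that is not part of the thread: screening new passwords against a leaked-plaintext corpus so that exact reuse (and trivial case variants) of anything already in attackers' wordlists is rejected at registration or password change. The corpus below is constructed sample data, not the LiveJournal dump, and the index layout (SHA-1, bucketed by a five-character hex prefix) is the k-anonymity range-query arrangement used by breach-lookup services.

```python
import hashlib
from collections import Counter

# Constructed sample of a leaked plaintext corpus (not the LiveJournal data).
# Duplicates matter: a password several people chose is a better guess against
# other sites, so the index keeps occurrence counts rather than a plain set.
LEAKED_PLAINTEXTS = [
    "zxcvbnm1234567890", "password1", "Summer2014", "qwerty",
    "zxcvbnm1234567890", "livejournal", "letmein", "password1", "password1",
]


def build_breach_index(plaintexts):
    """Index leaked passwords by SHA-1 digest, bucketed by the first five hex
    characters, so a screening service only serves one bucket per lookup."""
    index = {}
    for pw in plaintexts:
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], Counter())[digest[5:]] += 1
    return index


def breach_count(index, candidate):
    """Number of times the candidate appears in the leaked corpus (0 if absent)."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return index.get(digest[:5], Counter())[digest[5:]]


def screen_password(index, candidate, min_length=8):
    """Return (accepted, reasons). Rejects any password seen in a leak and its
    case-folded form, since 'Password1' protects nobody once 'password1' is in
    every wordlist. A length floor is kept as a minimal independent check."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    for variant in {candidate, candidate.lower()}:
        n = breach_count(index, variant)
        if n:
            reasons.append(f"'{variant}' appears {n} time(s) in leaked data")
            break
    return (not reasons, reasons)


if __name__ == "__main__":
    idx = build_breach_index(LEAKED_PLAINTEXTS)
    for pw in ["zxcvbnm1234567890", "Password1", "correct horse battery staple"]:
        print(pw, screen_password(idx, pw))
```

In production the index would be the full public corpus (hundreds of millions of entries) held server-side, with the client sending only the five-character prefix.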

------
GEBBL
Expect a knock on the door from the Information Commissioner’s Office.

