
The 111M Record Pemiblanc Credential Stuffing List - johns
https://www.troyhunt.com/the-111-million-pemiblanc-credential-stuffing-list/
======
djsumdog
So in the past I've advocated password algorithms (sometimes called password
formulas):

[https://penguindreams.org/blog/password-algorithms/](https://penguindreams.org/blog/password-algorithms/)

I felt like they could bridge the gap between a regular person who is weary of
having to look up every password using a password manager (although a lot of
them make it easier with browser plugins and phone apps, but it's still an
extra step).

However, in light of the recent Gentoo vandalism, it seems like a user had
their password formula figured out. Algorithms do guard against credential
stuffing; that particular person was most likely specifically attacked. If you
have a strong formula, it should take at least 7 or 8 passwords to begin to
figure it out.

At a minimum, if you have non-tech friends who use a single password for
everything, start them off easy: You should use a manager. It's the only way
to guard everything. But if they don't want to go that route, at a bare
minimum, recommend that they need three passwords. One that's highly secure
for banks, employment and government. One insecure for everything else. And
finally one for your e-mail which should be shared with nothing!

Password algorithms are a step up. It's a trade-off of course: you are
protected against credential stuffing and you don't need a manager; you can
have a different password for every site without having to memorize a hundred
passwords; only the exceptions to stupid password rules. The trade-off: your
algorithm probably sucks and if you're targeted specifically, someone can get
to everything.

Every aspect of security involves trade-offs. The various password management
choices, along with their advantages and disadvantages, should be taught in
high school.

~~~
soared
As someone technically literate who doesn't use a password manager: I sign up
for a lot of services on one device (home laptop) and then need to use them on
another device (work laptop, phone). How does a password manager work for
this?

I currently have about ~15 different passwords I use. I know which to use
based on how long I've been using the service. Why is this strategy
ineffective?? At most a hacker could get 3-4 of the services I use, and even
then they'd need to find each of those services out of the hundreds I use. I
also have 4 different emails I use for logins.

~~~
markbnj
I use Google Smartlock, and it functions across all my (android) devices quite
well. It does sort of rely on your being all-in on the Google ecosystem. At
work we use LastPass, but since I only use it on the desktop in a browser I
can't speak to how it works across devices.

~~~
cgoecknerwald
LastPass works for multiple devices, including mobile - you can sync to 1
LastPass account, too.

------
chrisbolt
These data breaches where the source isn't known can be frustrating. As
someone who already uses unique passwords for everything, there's not much I
can do (change 500+ passwords?). And I can understand Troy's argument[1] for
not sharing the leaked password, so that doesn't leave many other options.

I guess I'll just start going through my saved passwords and use them to
delete all of the old accounts I rarely use, maybe with a little help from the
GDPR.

[1] [https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/](https://www.troyhunt.com/here-are-all-the-reasons-i-dont-make-passwords-available-via-have-i-been-pwned/)

~~~
Samon
My solution for this is to use a unique email address for each site/service.
That way if I see that hn@mydomain.com has appeared in a breach, I know both
where the leak came from and which password to change. Also helps identify the
source of any spam emails...

~~~
acover
You can also do this with Gmail by adding a "." or two randomly in your email.

~~~
djsumdog
Gmail and other MTAs support +something in the e-mail address user part too.
If you forget your password, you do have to dig through your e-mail and
figure out which one you used, but this method does let you track down when
someone sells/shares your e-mail address with 3rd parties.

~~~
kbenson
You just have to remember the exact username/email you used in case you forget
it. That can include the sitename itself, or some simple transform, but
sometimes services change names... so make sure to keep records of exactly the
email used for each service (or don't delete your email from them). Forgetting
that is worse than losing the password, since there's often no helpful
recovery service they offer.

~~~
georgeappiah
The bigger problem is MANY MANY sites don't accept the (+) in an email
address.

~~~
jstarfish
Yes. More and more sites are using common frameworks and/or validation
libraries where a + is not considered to be an acceptable part of the
recipient name.
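
As an added illustration (not code from anyone in this thread), here is a small Python sketch of the pieces discussed above: a local-part check that accepts `+` as RFC 5322 allows, and a lookup that maps an address seen in a breach dump back to the service it was registered with, treating Gmail dots and `+tags` the way Gmail does. The registry and addresses are constructed examples.

```python
import re
from typing import Optional, Tuple

# Constructed registry: one address per service, as described in the thread.
REGISTRY = {
    "hn@example.com": "Hacker News",
    "shop+2018@example.com": "Web shop",
    "jane.doe+forum@gmail.com": "Some forum",
}

# RFC 5322 atext characters; note that '+' is among them, so a validator
# that rejects it is rejecting syntactically valid addresses.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]"
LOCAL_RE = re.compile(rf"^{ATEXT}+(\.{ATEXT}+)*$")     # dot-atom local part
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Domains where dots in the local part are ignored and '+tag' is delivered
# to the base mailbox.
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def is_valid_email(addr: str) -> bool:
    """Syntactic check only: one '@', dot-atom local part (<= 64 chars), dotted domain."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    return len(local) <= 64 and bool(LOCAL_RE.match(local)) and bool(DOMAIN_RE.match(domain))


def identity(addr: str) -> Tuple[str, str]:
    """(receiving mailbox, tag): the mailbox identifies the owner, the tag the service."""
    local, domain = addr.strip().lower().rsplit("@", 1)
    base, _, tag = local.partition("+")
    if domain in GMAIL_DOMAINS:
        base = base.replace(".", "")   # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{base}@{domain}", tag


def breach_source(breached: str) -> Optional[str]:
    """Name the service a breached address was registered with, if it is ours."""
    key = identity(breached)
    for registered, service in REGISTRY.items():
        if identity(registered) == key:
            return service
    return None
```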

------
graystevens
If the term Credential Stuffing is new to anyone, we’ve done a deep dive into
what it is and the tools that are used here:
[https://breachinsider.com/blog/2017/credential-stuffing-how-breached-credentials-are-put-to-bad-use/](https://breachinsider.com/blog/2017/credential-stuffing-how-breached-credentials-are-put-to-bad-use/)

We saw this pretty regularly at my old job, with attacks almost daily. They
range from ‘script kiddies’ who just use the default tool settings and do it
all from one IP, making it easy to spot, to persistent attackers who would play
cat and mouse with our live defences. They’d switch IPs using huge proxy lists
found online every few minutes, as well as learn our alerting thresholds and
attempt to fly just under the radar. For some reason though, they always seemed
to use UserAgents that were ancient, or weren’t real, allowing us to identify
attack traffic compared to our normal user activity.
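
As an added example (not from this poster or any product), here is a constructed Python sketch of the two views described above: a naive per-IP threshold that an IP-rotating attacker stays under, and a grouping by ancient user agent that still ties those attempts together across IPs. The log format and every line in it are made up for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample (not real traffic): "<epoch> <ip> <user> <result> <user-agent>".
# One legitimate user, then an attacker who rotates source IP every few minutes
# and keeps each IP to a handful of attempts, but sends the same IE6 UA every time.
LOG = """\
1530000000 203.0.113.5 alice FAIL Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0
1530000001 203.0.113.5 alice OK Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/60.0
1530000010 198.51.100.1 bob FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000011 198.51.100.1 carol FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000012 198.51.100.1 dave FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000200 198.51.100.2 erin FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000201 198.51.100.2 frank FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000400 198.51.100.3 grace FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
1530000401 198.51.100.3 heidi FAIL Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL) (.*)$")
# "Ancient or not real": pre-IE9 strings, or anything not even starting with
# the Mozilla/ token that every modern browser sends.
ANCIENT_UA = re.compile(r"MSIE [1-8]\.|^(?!Mozilla/)")


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result, ua = m.groups()
            events.append({"ts": int(ts), "ip": ip, "user": user, "ok": result == "OK", "ua": ua})
    return events


def per_ip_alerts(events, max_users=5):
    """Naive rule: IPs that fail against more than max_users distinct accounts."""
    users = defaultdict(set)
    for e in events:
        if not e["ok"]:
            users[e["ip"]].add(e["user"])
    return sorted(ip for ip, u in users.items() if len(u) > max_users)


def ua_cohort_alerts(events, min_ips=3):
    """Group failures by suspicious UA; returns {ua: (distinct IPs, distinct users)}."""
    ips, users = defaultdict(set), defaultdict(set)
    for e in events:
        if not e["ok"] and ANCIENT_UA.search(e["ua"]):
            ips[e["ua"]].add(e["ip"])
            users[e["ua"]].add(e["user"])
    return {ua: (len(ips[ua]), len(users[ua])) for ua in ips if len(ips[ua]) >= min_ips}
```

With the default threshold the per-IP rule raises nothing, while the UA grouping reports one IE6 string spread across three IPs and seven accounts.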

~~~
namibj
Did you try to find attackers in the set of inconspicuous UAs? If you did not
try hard to look for more skilled adversaries, expect some to be hiding from
your analysis. Once you don't see anything in a large range of
skill/sophistication, you can assume there to be no adversaries that don't
have the ability to pull a Stuxnet off. And if you need to guard against
those, and have the resources to do so, you already know this.

~~~
graystevens
Agreed, based on other thresholds and alerts, we certainly saw some more
advanced actors - using in-country home broadband lines to conduct the
attacks. This made tracking and blocking them much harder, as there was a risk
of blocking genuine customers who simply didn’t conform to our idea of
‘normal’. We ended up finding another way to fingerprint them, but thank you
for calling that out, as you are entirely right that there is almost always
someone trying to be truly covert.

If anyone is suffering from these types of attacks (or isn’t and you think
you’re missing something) feel free to reach out, more than happy to help -
email is in my profile.

~~~
namibj
I hope you have more than one distinct way to identify these more
sophisticated attacks, as you would want to be able to ensure there are no
others that are only a few steps better than them.

As said, you need to vet a range of sophistication above the most
sophisticated example you actually encountered, to assume there are no others
that you could reasonably detect with the techniques you could deploy. Always
make sure to know you'd see anyone who is only one level better than the best
you encountered, where the size of such a level should be estimated from the
density you see in the distribution of attacks.

You are also good if you don't automate defense with the best detection you
have, so that you prevent an attacker from automatically judging the quality
of your detection capabilities with you then believing the attacker got
stopped when he just deployed a technique you can no longer see.

I.e., make sure you don't alert an attacker that you can still see him when
you are just barely still able to do so, as you would not want him to up his
camouflage to the point where you won't see him anymore.

------
dannyw
Is anyone else annoyed by the native advertising for 1Password there, without
any disclosures that they are affiliate links?

I've lost pretty much all of my respect for Troy Hunt as he went from
maintaining a useful service to just being another ad for 1Password.

~~~
dublinben
His website has always read as thinly-veiled content marketing for Cloudflare
and Azure. If you can look past that at the actual informational content, and
disregard the specific products mentioned, it's worth reading.

------
duxup
>the rapid rise of the rapid rise of credential stuffing attacks

Maybe I was wrong but I always thought that was the "point"...

At least in the sense that as far as profitability goes the point of hacking
or gaining access to a list of hacked passwords from say a boring site like
some image sharing site was that you then take that and use it to do more
nefarious things like access banking stuff, more sensitive identity related
things, spying, etc.

Obviously there are folks out there hacking away for their own enlightenment
or fun, but ultimately anyone looking to do more than that, I always thought
the point was credential stuffing all along, otherwise who cares what
someone's Flickr username and password is?

------
qwerfasdcva
Where can I download the list? I want to see what password was shared.

~~~
sgarman
He loaded them into this site to check:
[https://haveibeenpwned.com/](https://haveibeenpwned.com/)

I'm not sure Troy shares the lists - for obvious reasons.

~~~
craftyguy
His site is basically one big advertisement for 1password now. I would not
trust it.

~~~
ubernostrum
What do you distrust?

Do you believe he's lying about the existence of certain breaches? Returning
false results for whether a password is compromised? Be specific: what
untrustworthy things do you suspect him of?

~~~
craftyguy
Since his website is now an advertisement, it's wise to take everything he
says with skepticism. Is he pushing the product, or is he providing good
advice? What's his motivation for helping users when his main focus is on
pushing ads?

As others have pointed out in response to me, he's incredibly dishonest in
claiming that his website is funded by him on one page, but clearly he's being
paid by a company selling something. He injects ads into email notifications
without identifying them as such.

If someone is acting untrustworthy 50% of the time, would you still trust them
100% of the time?

~~~
ubernostrum
So, what untrustworthy things do you suspect him of?

FUD is not useful.

------
ecesena
Does IIIm mean 111m or 3m (roman number)?

~~~
jwilk
Where do you see "IIIm"?

~~~
Cthulhu_
In the title right here on HN, it says 111M. Guess the HN font doesn't
distinguish between 1 and I clearly enough.

~~~
kuroguro
It's even worse on the site, they use
[https://fonts.google.com/specimen/Vollkorn](https://fonts.google.com/specimen/Vollkorn)

------
pwaai
What about email-as-login authentication? Click a URL link on your phone to
log in.

