Not sure if 1Password does as well, but it seems like a fairly obvious feature to add.
The certificate/password link is a guess since on their website they say to change the password starting with a date that matches the date of certificate reissuance.
This seems to be related to Heartbleed; also it lists a site that didn't reissue its certificate after Heartbleed as vulnerable too, and so for passwords there, it seems to be regardless of age.
I am a long-time 1password user and have a lot of old passwords, so for me like 90% of passwords are listed as compromised, which I'm pretty sure is not the case.
Thankfully the notification emails from this service are prompt and helpful (not to mention totally free).
Also it's an email address, not your credit card number.
Which I suppose forces more awareness, but it doesn't instill a lot of confidence.
Why do I see my username as breached on a service I never signed up to?
When you search for a username that is not an email address, you may see that name appear against breaches of sites you never signed up to. Usually this is simply due to someone else electing to use the same username as you usually do. Even when your username appears very unique, the simple fact that there are several billion internet users worldwide means there's a strong probability that most usernames have been used by other individuals at one time or another.
My primary personal email address is routinely used by a small handful of other real people (all strangers) for all sorts of things - college applications, car insurance, some address books think it belongs to a cousin who gets included in a lot of group threads about reunions, full of photos. I've found the families more difficult to unsubscribe from than the services; name+email associations spread like a virus. I routinely get alarming/misleading "Someone has your password!" security alerts from Google after someone tries to list my email as a backup account.
These little strings we use to identify ourselves can be typed by anyone, anywhere, bot or human. I wouldn't worry too much about false positives.
It's not that I'm worried, it's that it's a distraction. When the margin of error is high enough, it becomes less signal and more noise, which leads to either panic (spending all your time managing access credentials) or complacency (ignoring the indicators).
They might not even know it's yours, like if your email is davidsmith@gmail and they fat-finger davidrsmith@gmail--boom, "you" now have an account.
Good services use double-opt-in to ensure that every account is actually tied to a correct and working email address. But not every service does this.
And even services that do use double opt-in would create a row in their database to note that a confirm email was sent out. If they never scrub those invite rows, "your" email address would still be in the DB when it's exfiltrated, even if the confirmation process was never completed.
FWIW I was subscribed and didn't get anything until this most recent breach. Unfortunately GMail thought it was spam (speaking of false positives!).
Everything I know about it (this article included) places the Dropbox leak very low in my sense of severity.
Even when the exposed sites have minimal information or impact, minor information in aggregate adds up to a lot of danger for escalation and social engineering.
Now consider that there are huge swaths of people with the same password that they've used for email, banking, medicare, and everything else.
A proper response from Dropbox would be to explicitly and loudly inform every leaked email address (not just their current users) that they need to immediately change every password across any and all sites that might use the same leaked credentials.
Furthermore, Dropbox should set up a secure site with a unique link per email address that allows a user to key-in and check their memory against the exposed hash. I know that I have changed my password for Dropbox at least twice since 2012, but in 2012 I might have used an insecure password. Allowing me to figure it out before a nefarious party would allow me to better judge the potential personal impact.
The significantly greater issue imo is the leaking of email addresses and ensuing spam.
If I'm interpreting the hashcat screenshot correctly (I'm probably not, and even if I am it's probably skewed by init overhead or by not counting the final result) it looks like passwords can be attacked at ~6ms/dictionary attempt against the bcrypt passwords? While HIBP didn't get their hands on salts for the SHA1s, that doesn't mean they weren't breached as well.
I take it as a given that all high value dropbox accounts with a weak password in this breach will be pwnt.
Then again, it took until last week for anyone to try and grab my Minecraft account (successful email change, but successful resecure.) Given that HIBP knew about 1 of the 4 breaches I'm aware of for similarly weak passwords, I'm surprised it took this long... (I've since finally gotten off my ass and better secured all the legacy old terribly passworded accounts I can think of / were listed in my password database...)
If not, there's nothing to suggest they didn't take other things.
Sure most of us have a few passwords we reuse, but I know less than 5 people with truly unique passwords.
I don't even know any of my passwords.
I wish we had a better alternative to passwords. Something that's actually good, solid, can't lose or forget. I get the feeling we won't have that until we can start implanting chips in ourselves.
First off, your passphrase should only be used for the password manager itself. So if you accidentally paste it on twitter, you just change your passphrase.
Secondly, you're way more easily fooled than a password manager. I don't know my passwords (they're generated), so to phish me you have to convince 1password as well. That means e.g. the google open redirect bug on HN yesterday can't trick me with a fake password page on a different domain.
Third, it makes your passwords way easier to use on mobile. Most of the managers support whatever biometric integration your phone has nowadays, so rather than trying to type your 24 character alphanumeric symbol crap (or worse, a crappy password because you didn't want to make a good one on mobile) by hand you can just paste it in.
Lastly, it encourages you to actually use separate passwords for all your accounts. And when passwords get leaked, your manager can tell you which sites need new passwords.
In conclusion, password managers improve your internet security and experience immeasurably. Go buy 1password!
- satisfied 1password customer
I need to get into the habit of exporting my password list to plaintext csv and storing it in a safe or safe deposit box but I haven't disciplined myself for that yet.
I am worried about the ability for the 1Password database to be hacked if someone were able to get their hands on that.
This is one among several reasons I don't go in for any "cloud" based syncing of password managers. I use KeePass and sync the file with syncthing on LAN only mode.
That was my point: I use my password manager to store those security questions and answers but if someone got ahold of my password manager account I would be screwed because many sites require the answers to those questions to reset a password.
So yeah change the password and delete previous versions is a good first step but everything else has already leaked to who knows where.
ad. 1: I find it a pretty good idea to also have a secondary junk mail for signing up to these services - just in case they give my e-mail to someone for spamming or get breached.
And therein lies the rub. Single point of failure for your whole intricate security setup.
I have the same problem.
HTTP auth not working is a bit annoying, but it's not a massive deal when you can CMD+ALT+\ and copy-paste it. Same deal with non-browser based stuff.
On a side note, don't forget the time dropbox accepted ANY password during logins - http://www.cnet.com/news/dropbox-confirms-security-glitch-no...
I do this too, but it taught me everything is breached - the local ambulance service, the local computer store, the local car share, small businesses overseas that I've placed orders with.
Some of the big names don't seem to be, which is lucky because otherwise I'd be wondering if it was the ISPs that had been breached. Either large chunks of SMTP routes are breached and picking up confirmation emails, or there's a giant iceberg of pwnage floating beneath the surface out of view.
Very poetic. I'd like to see this made into one of those motivational posters and hung in the office of every dev team nationwide.
For the sysadmins out there ;)
I also have expiring subdomains. So I'm not using domain.com, but something like b2.domain.com. The rationale is that if I start receiving a lot of spam, I go through all the accounts I have, change all emails to use another subdomain like b3.domain.com, and then invalidate the old subdomain entirely. I haven't had to do that yet and my domain is several years old.
With two big exceptions: the email address I leave on my website and the email address I publish on my GitHub profile. These 2 have dedicated throwaway domains like email@example.com. Because you wouldn't believe how much spam I get from that GitHub profile, not just recruiters, but also get rich offers from princes in Nigeria and Viagra pills.
More likely, sold. Every service that collects user data will get offers, and many can't resist the temptation.
Doesn't matter, however; businesses that will sell you to the highest bidder (and in many cases, outside the US, illegally) can't be trusted to ever seriously invest in security. So if they aren't breached, they sooner or later will be.
failure to send to firstname.lastname@example.org
failure to send to email@example.com
failure to send to firstname.lastname@example.org
I have been running per-service emails for 10 years and wonder to myself if it is worth the bother as I can recall only one ever spreading.
I don't have any fancy script to check these addresses - I have to go into my spam headers manually, and I've not done that for a long time. Perhaps there was a common issue a while ago that got patched. I'll have to check whether modern addresses are being spammed.
I mention that because most of the ISPs do have re-targeting efforts.
Also it would seem more likely that your email provider is breached as opposed to lots of other companies/servers.
E.g. email@example.com will go to your inbox and you can filter on it.
My earlier hypothesis was that this was on purpose, to make sure you don't use a filter on any email they might send. But these days I'm tending to think it's just a bad regexp on their side.
"I can't log in and to boot your site says there is no account matching firstname.lastname@example.org. What kind of Mickey Mouse operation are you running here?"
"Sir, you are an idiot."
What's important is to keep a backup of your password database in a few places. I use KeePass because I have no desire to keep passwords, encrypted or not, in a cloud service. I also don't find value in browser integration (possible attack vector?). I'm generally very DIY-inclined anyway. Your preferences may vary.
As a full disclaimer, there are some issues with KeePass, but known issues are detailed in full by the project and are available for review.
Then, if the spammer strips (removes) that part, it gets sent to the trash (binned).
Everything is breached. From websites to software to hardware, I would estimate the majority of them can be/have been exploited by advanced hackers.
I'm awaiting the time when we all acknowledge that computers are fundamentally insecure.
One that stands out in my head is Cadillac. I had requested a brochure for a CTS, and I got random unrelated spam just days later!
I've not forgotten, and this glitch has kept me from ever considering opening a Dropbox account.
I'm surprised everyone else seems so forgiving of this massive screw up.
I wonder if there has ever been an attempt through a forum like RFCs or ISO to define a worldwide (or at least latin char set) standard for password requirements. Based on what I've seen in forums like this, there seems to be fairly broad acceptance that allowing a large number of characters from a character set with as few limitations as possible best serves the interest of security. The thorniest issue would likely be about balancing requirements for increased complexity (e.g. capitals and lowercase, numbers, etc) with ease of use.
Alternatives, though? Plenty: Google Drive, Box, OneDrive, iCloud Backup and iCloud Drive... the list goes on with a simple Google search for "online storage"
Install the desktop application: https://support.google.com/drive/answer/2374987
Change sync settings: https://support.google.com/drive/answer/2375083
No native linux support is a bummer, but if you only need to use it there infrequently, the web client is quite capable for manual uploads and downloads.
For more similar alternatives, running owncloud on a VM is straightforward. And, of course the featureset is limited compared to Dropbox.
- Useful as a canary of which website has been breached
- Useful as a canary of which website sold your details
- and if your details are in the wild, you can stop the spam by deleting the address
Credit cards should work the same way: a unique authorization code specific to this vendor or this transaction and useless to any other actor.
If someone steals my credit card, AMEX has a problem. I'll take reasonable care, but I'm not going to generate transaction specific numbers or whatever unless there is a strong incentive to do so.
Whatever the theoretical rise in price would be (due to the fraud), don't you think the merchant would price things at that level in the first place to make extra profit, if they could?
I recently started using it, works great.
But thanks anyway!
So, it seems they have some kind of partnership with a bank, which is able to generate unlimited card numbers for them.
I'm using a card from getfinal.com, which appears to be the same idea. So far so good, though it's not 100% disposable, I still have a plastic card whose number is no easier to change than a chase card.
(Yes, I know about the '+' in gmail, but I suspect the word is out on it)
Also like email@example.com, this is really transparent to a spammer and gives away the real email.
Of course, if someone sees my email address, they could certainly infer a new one. But I'll deal with that if and when I get singled out. I don't think the spammers often actually look at the millions of addresses they use.
If I start getting spam on a particular alias, I can set up filtering rules to delete them.
I also take this one step further and have inbox rules to automatically send all promotional email (from sites I'm interested in) to the trash folder. If I want a coupon for a website I frequent, I'll just search my trash for the latest offers from that company. Google conveniently purges messages from the trash folder every 30 days or so, and I don't have to worry about a massive backlog of promos.
Biggest downside to ASO: you have to pay $7/yr extra on domain registrations to make them private. So I register with Hover and host with ASO.
There was an HN discussion about it fairly recently, https://news.ycombinator.com/item?id=11781361
Sounds a lot like a bitcoin address.
I know the credit card company and everyone they share your data with can see your transactions, and that's a problem some may wish to avoid, but that is still a much smaller number of people who can see your transactions than Bitcoin. Bitcoin does not inherently include privacy.
Isn't that how chip-and-pin works?
I have no idea what Paypal is trying to achieve by passing on this fairly personal piece of data. I always have to enter a separate email address with the retailer anyway, and because of this scheme, those two of course never match.
Of course I let her know about it, and I seem to recall her saying she'd addressed it successfully, but if she described how, I no longer remember. It quite astonished me that this was even a thing that could happen, though. One hopes it no longer does.
It's like her giving out her email address and it being firstname.lastname@example.org
I'm not sure the fault lies with the service.
For years the Paypal API sucked, and even today there are many companies that do not have full integration with paypal, so this is a way to match payment records as for 99% of shoppers the email address for the order/account will match the paypal email address.
With chip and pin? I don't think they do.
Something to keep in mind is that when chip and PIN was developed to combat credit card fraud it was card present fraud that was the big problem, either by someone using the stolen card itself at a brick and mortar merchant or making a counterfeit card by writing the stolen number onto a blank card and using that at a brick and mortar merchant. Card not present fraud, where the number is used but not a card such as at an online merchant or a mail order merchant or telephone order merchant, was much less common.
Chip and pin made card present fraud much harder because it was much harder to obtain blank chip cards and the equipment to write a stolen number to them, and it made using an actual stolen card harder because of the PIN.
Where I work you need the 3 digit security code and some address numbers (which you can make up) to properly process a transaction without the card.
My dropbox alias email started getting loads of spam about 2 years ago, I immediately junked that account, and set up a new dropbox account (friends insist on sharing stuff over it...) - my old spammy dropbox alias is in the Dropbox leaked dump, my new current one isn't, which proves that this dump of credentials is from at least before 2015.
> Unique-per-service email addresses work pretty well
Unfortunately, depressingly many sites validate email fields, and get it wrong - thinking '+' is not allowed.
IMO it's not even worth trying to get an email regex (or other validation) right - you're probably going to send out an activation email anyway!
Another feature of Gmail is you can place dots anywhere in your email and it will still reach you: email@example.com. I haven't seen services that reject that so it is what I use when I can't use a +.
HOWEVER, you should only do so after careful consideration. This will restrict moving your email hosting to the limited number of providers who provide this type of service, or hosting your own server.
Alternatively, you could go and reset your email address with all of the services that you gave a subdomain email.
For myself, I have been using FastMail for years and feel confident that I will continue to use their services. In the event that I needed to move from FastMail, I know that I could self-host if forced to.
Think of the average user. Sometimes they're going to capitalize the first letter when putting in their email, and sometimes they aren't. You don't want to make it unusually difficult for them to log in.
You -should- treat email the way that the vast majority of hosted services do. "Foo Bar"@gmail.com is not allowed. Covering the million edge cases seems to not be worth the trouble, especially when it might cause difficulty for the average user.
With smartphone keyboards and the capitalization of the first letter of the first word in form input fields by default, this is a very common occurrence. If case was considered for uniqueness of email addresses, at best, people would be extremely annoyed. At worst, there would be a tremendous amount of leakage of sensitive information to random people (due to human errors in entering case sensitive addresses), chaos due to incorrectly delivered emails and fatigue in receiving mails intended for thousands of other people. In an alternate universe where this is true, email would never have been a killer application, only a quickly killed and abandoned one. :)
I am a google apps customer and already have a few 20 aliases in there but having to go through their UI every time I sign up seems very tiresome.
Can I create a wildcard email in the terms of firstname.lastname@example.org being an alias of email email@example.com?
Do you know of a non-selfhosted provider that is able to do that?
/EDIT: Looks like fastmail, a service many on HN recommended, is able to do something similar, though if one email gets added into a spam list, it seems to be not possible to remove one particular one.
/EDIT2: Fastmail just confirmed to me on Twitter that it is possible to set individual emails to rejected. Though this requires effectively creating a new alias and setting it to bounce which falls under the account limitations, so 600 for a single person account.
This works better than firstname.lastname@example.org because many sites fail to handle/allow that 'format'.
I would assume that google apps version of gmail offers something similar.
I also use it but some services do not allow the plus sign in their registration form. Very frustrating.
Sometimes I even fire a mail explaining people rejecting '+' how and why they lost my business...
Another Google Mail trick is to use periods. Not as useful as the +, but for those sites that don't accept +, one can usually add in a few extra periods to place sites into buckets (multiple adjacent periods don't work).
You probably just locked the stranger out of accessing their account though, so you probably shouldn't do this, unless said stranger is signing up for all kinds of services using your email address, in which case maybe they deserve it. :p
Plus you can't completely shut down a label. You could route it into the trash but it will still end up in your email account.
Gmail also ignores full stops, so you could also use d.v.crn@gmail or dvc.rn@gmail etc.
This also works on google apps hosted email domains.
You can then use that as part of a filter if you start getting spam to it.
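Pulling together the sign-up form points raised in this thread (accepting '+' in the local part, matching accounts case-insensitively, and Gmail folding dots and '+tag' into one mailbox), here is an added Python example; it is not code from any commenter or service above. The set of dot/tag-insensitive providers and the choice to lower-case the local part for lookups are assumptions.

```python
"""
Email handling a sign-up form should get right, per the thread:
  * '+' is a legal local-part character, so do not reject it;
  * look up accounts case-insensitively, but deliver to the address
    exactly as typed;
  * Gmail ignores dots and '+tag', so two differently spelled
    registrations may reach the same mailbox.
"""
import re

# Unquoted local part: RFC 5322 atext characters, dot-separated, no leading,
# trailing or doubled dots. Quoted forms like "Foo Bar"@example.com are
# deliberately rejected, matching what most hosted services do.
_ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
_LOCAL_RE = re.compile(rf"^{_ATEXT}(\.{_ATEXT})*$")
_LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumption: only the Gmail family is listed; extend as you see fit.
_DOT_AND_TAG_INSENSITIVE = {"gmail.com", "googlemail.com"}


def is_valid_email(addr: str) -> bool:
    """Syntactic check only; the confirmation mail is the real test."""
    if addr.count("@") != 1:
        return False
    local, domain = addr.split("@")
    if not 1 <= len(local) <= 64 or not _LOCAL_RE.match(local):
        return False
    labels = domain.split(".")
    if len(labels) < 2 or len(domain) > 253:
        return False
    return all(_LABEL_RE.match(l) for l in labels) and labels[-1].isalpha()


def account_key(addr: str) -> str:
    """Key for finding an existing account: case-folded, nothing else.

    Lower-casing the local part is stricter than RFC 5321 requires, but it is
    how practically every provider behaves, and it stops a phone-capitalised
    'Alice@' from failing to match the 'alice@' already on file.
    """
    local, domain = addr.split("@")
    return f"{local.lower()}@{domain.lower()}"


def mailbox_key(addr: str) -> str:
    """Best-effort key for the underlying mailbox.

    For dot/tag-insensitive providers, drops the '+tag' and all dots, so
    'j.smith+dropbox@gmail.com' and 'jsmith@gmail.com' collapse together.
    For every other domain this equals account_key().
    """
    local, domain = account_key(addr).split("@")
    if domain in _DOT_AND_TAG_INSENSITIVE:
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def split_tag(addr: str) -> tuple:
    """Recipient-side helper: 'user+service@domain' -> ('user@domain', 'service'),
    which is what a per-service spam filter keys on."""
    local, domain = addr.split("@")
    base, _, tag = local.partition("+")
    return f"{base}@{domain}", tag
```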
When I've contacted them about it, they've been absolutely adamant that the spammer must have (twice) guessed the exact email address that I've had there.
Sadly, it doesn't support 2FA.