I felt like they could bridge the gap between a regular person who is weary of having to look up every password using a password manager (although a lot of them make it easier with browser plugins and phone apps, but it's still an extra step).
However, in light of the recent Gentoo vandalism, it seems like a user had their password formula figured out. Algorithms do guard against credential stuffing; that particular person was most likely specifically attacked. If you have a strong formula, it should take at least 7 or 8 passwords to begin to figure it out.
At a minimum, if you have non-tech friends who use a single password for everything, start them off easy: You should use a manager. It's the only way to guard everything. But if they don't want to go that route, at a bare minimum, recommend that they need three passwords. One that's highly secure for banks, employment and government. One insecure for everything else. And finally one for your e-mail which should be shared with nothing!
Password algorithms are a step up. It's a trade-off of course: you are protected against credential stuffing and you don't need a manager; you can have a different password for every site without having to memorize a hundred passwords; only the exceptions to stupid password rules. The trade-off: your algorithm probably sucks and if you're targeted specifically, someone can get to everything.
Every aspect of security involves trade-offs. The various password management choices, along with their advantages and disadvantages, should be taught in high school.
To regenerate your passwords, an adversary would need both to figure out your algorithm and obtain your piece of paper.
Personally, I have different mp for different “security domains” (google/fb, banks, other socials, ...), and I’m using just a sha256 plus encoding — a trade off between requiring a stronger mp, and being able to easily remember everything, including the algorithm.
I wrote more about it here: https://hackernoon.com/mempa-a-modern-deterministic-password...
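The kind of deterministic scheme this comment describes, as an added example (not the commenter's mempa code and not taken from the linked article): one master password per security domain, a per-site derivation, and an encoding that satisfies the usual "one upper, one lower, one digit, one symbol" rules so the site exceptions the thread complains about mostly disappear. The plain SHA-256 variant mirrors the comment; the PBKDF2 variant, the separator, iteration count, alphabet and fixed-position policy characters are all assumptions made for the demo.

```python
import hashlib
import string

# Added example, not the commenter's code. Shows why "sha256 plus encoding" needs a
# strong master password, and what a slow-KDF variant of the same idea looks like.

UPPER, LOWER, DIGITS, SYMBOLS = string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*-_"
ALPHABET64 = string.ascii_letters + string.digits + "-_"   # 64 symbols, so `byte & 63` has no bias


def derive_key_sha256(master: str, site: str) -> bytes:
    """The scheme sketched in the comment: one SHA-256 over master and site name.
    It is fast by design, so if one derived password leaks together with the scheme,
    an attacker can test master-password candidates at raw hash speed."""
    return hashlib.sha256(f"{master}\x00{site}".encode("utf-8")).digest()


def derive_key_pbkdf2(master: str, site: str, iterations: int = 600_000) -> bytes:
    """Hardened variant (an assumption, not the commenter's choice): PBKDF2-HMAC-SHA256
    with the site name as salt, so every master-password guess costs `iterations` hashes.
    The trade-off is a noticeable delay per derivation instead of a stronger master."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), site.encode("utf-8"), iterations, dklen=32)


def encode_password(key: bytes, length: int = 16) -> str:
    """Turn key bytes into a password that meets common composition rules, deterministically.
    Positions 0-3 are forced to one character class each; the small modulo bias in those
    four characters is tolerable for this purpose."""
    if length < 4 or length > len(key):
        raise ValueError("length must be between 4 and len(key)")
    chars = [ALPHABET64[b & 63] for b in key[:length]]
    chars[0] = UPPER[key[0] % len(UPPER)]
    chars[1] = LOWER[key[1] % len(LOWER)]
    chars[2] = DIGITS[key[2] % len(DIGITS)]
    chars[3] = SYMBOLS[key[3] % len(SYMBOLS)]
    return "".join(chars)


def site_password(master: str, site: str, hardened: bool = True, length: int = 16) -> str:
    """Per-site password for one security domain's master password."""
    key = derive_key_pbkdf2(master, site) if hardened else derive_key_sha256(master, site)
    return encode_password(key, length)


def meets_policy(password: str) -> bool:
    """True if the password has at least one upper, lower, digit and symbol character."""
    return (any(c in UPPER for c in password) and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password) and any(c in SYMBOLS for c in password))


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed demo master password
    for site in ("bank.example", "social.example"):
        print(site, "sha256:", site_password(master, site, hardened=False))
        print(site, "pbkdf2:", site_password(master, site))
```

The output is stable across machines, which is the whole point of the approach, and also its weakness: nothing on the page is secret except the master password and the scheme itself, so the master has to carry all of the entropy.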
"Password Strength" https://www.xkcd.com/936/
Diceware: http://world.std.com/%7Ereinhold/diceware.html "This page offers a better way to create a strong, yet easy to remember passphrase for use with encryption and security programs. Weak passwords and passphrases are one of the most common flaws in computer security. Take a few minutes and learn how to do it right."
I currently have about ~15 different passwords I use. I know which to use based on how long I've been using the service. Why is this strategy ineffective?? At most a hacker could get 3-4 of the services I use, and even then they'd need to find each of those services out of the hundreds I use. I also have 4 different emails I use for logins.
The problem with using the same password on multiple sites is this: if any one site gets pwnd, it gets a lot easier for the cybercreeps to pwn your account on other sites (says Obvious Man).
It doesn't take much technical skill to credential-stuff--to hammer a lot of sites with a list of credentials. So, keeping the list of sites you actually use a secret is not effective.
This whole deal sucks. But it's real.
As for the password strategy, I imagine you could be vulnerable if any two important accounts - say, email and bank - both used the same password. Are you confident this is not the case?
I assume certain emails associate with certain types of accounts, which could flaw your strategy. If you're able to remember ~15 different passwords with random emails, congrats on your stellar memory!
Either use a service that syncs up to a server, or a standalone app and save its encrypted database to a shared filesystem such as Dropbox or pcloud.
I suspect most people will end up having weak algorithms the same way they have weak passwords.
I guess I'll just start going through my saved passwords and use them to delete all of the old accounts I rarely use, maybe with a little help from the GDPR.
Unless they strip out the +something part.
The "huge pw torrent" is something I can just search on torrent trackers? Once I have the list, it's just a list of passwords, or includes the emails? Then they're sha-256 hashed and I need to ...unhash them?
Once it’s updated, you can check all your passwords against the list. It’s a list of sha256-hashed passwords (so he isn’t sharing tons of plaintext passwords, as sha256 can’t be reversed). You would sha256 your own passwords and check them all against the list.
Edit: to clarify, I think there are tools to help check against the offline list pretty easily. Or you could also query Troy Hunt's Pwned Passwords page (or its API) once it’s updated; instead of downloading 9gb. The k-anonymity model is pretty clever, and querying the site should be secure.
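Both checks the reply describes, as an added example that is not Troy Hunt's code or an official client: hashing your own passwords and looking them up in the downloaded list, and the k-anonymity range query where only the first five hex characters of the hash leave your machine. One correction to the wording above: the Pwned Passwords range API hashes with SHA-1, not sha256, and the `/range/{prefix}` endpoint returns `SUFFIX:COUNT` lines, which is what the parser expects. The "breached corpus", its counts and the fake fetch function are constructed stand-ins so the example runs offline; the live `fetch_range_https` is included but never called here.

```python
from __future__ import annotations

import hashlib
import urllib.request

# Added example; not Troy Hunt's code. Implements the offline list check and the
# k-anonymity range lookup against a constructed local stand-in for the API.

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Pwned Passwords stores SHA-1 hex digests (upper-case in the downloaded files)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """k-anonymity split: the 5-char prefix is sent, the 35-char suffix stays local."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_https(prefix: str) -> str:
    """Live lookup; sends only the prefix. Not exercised in this offline example."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fetch_range_https) -> int:
    """How many times the password appears in the corpus, 0 if not found.
    The suffix comparison happens locally, so the server never learns the full hash."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def check_offline(password: str, hashed_list: set[str]) -> bool:
    """Against the downloaded file: hash locally and look the full hash up."""
    return sha1_hex(password) in hashed_list


# --- constructed fixture standing in for the downloaded list and for the API ---
BREACHED_CORPUS = {"password": 1234, "letmein": 56, "hunter2": 7}   # constructed counts
LOCAL_HASHED_LIST = {sha1_hex(p) for p in BREACHED_CORPUS}


def fake_fetch_range(prefix: str) -> str:
    """Builds the response the API would return for `prefix` from the constructed corpus."""
    lines = [f"{sha1_hex(p)[5:]}:{n}" for p, n in BREACHED_CORPUS.items()
             if sha1_hex(p).startswith(prefix)]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "offline:", check_offline(pw, LOCAL_HASHED_LIST),
              "range:", breach_count(pw, fake_fetch_range))
```

To run it against the real service, pass `fetch_range_https` instead of `fake_fetch_range`; the request carries nothing but the five-character prefix, which is why querying the site is reasonable even for passwords you still use.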
We saw this pretty regularly at my old job, with attacks almost daily. They range from ‘script kiddie’ who just use the default tool settings and do it all from one IP making it easy to spot, to persistent attackers who would play cat and mouse with our live defences. They’d switch IPs using huge proxy lists found online every few minutes, as well as learn our alerting thresholds and attempt to fly just under the radar. For some reason though, they always seemed to use UserAgents that were ancient, or weren’t real, allowing us to identify attack traffic compared to our normal user activity.
If anyone is suffering with these types of attacks (or isn’t and you think you’re missing something) feel free to reach out, more than happy to help - email is in my profile
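The three signals the comment above mentions, turned into detection logic over constructed login-log lines as an added example (not the commenter's tooling): a burst of failures from one IP, one user agent failing from many rotating IPs, and failed logins carrying ancient or non-browser user agents. The log format, the thresholds and the marker strings for "ancient" and "not a real browser" are assumptions for the demo.

```python
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not the commenter's tooling. Constructed log format:
#   <iso timestamp> ip=<addr> user=<name> result=ok|fail ua="<user agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail) ua="(?P<ua>[^"]*)"$'
)

# Assumed markers: IE tokens and Windows XP/2000 strings no current browser sends,
# plus HTTP libraries that are not browsers at all.
ANCIENT_UA_MARKERS = ("MSIE ", "Windows NT 5.", "Windows 98")
NON_BROWSER_MARKERS = ("python-requests", "curl/", "Go-http-client")

OLD_IE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
FAKE_UA = "python-requests/2.31"
MODERN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0"


def parse(lines):
    """Yield dicts for lines that match the format; silently skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            yield rec


def is_suspicious_ua(ua: str) -> bool:
    """Empty, ancient or non-browser user agent."""
    return not ua or any(k in ua for k in ANCIENT_UA_MARKERS + NON_BROWSER_MARKERS)


def detect(lines, window: timedelta = timedelta(minutes=5),
           ip_fail_threshold: int = 10, ua_ip_threshold: int = 5) -> dict:
    """Return the three kinds of findings keyed by the entity that triggered them."""
    fails_by_ip: dict[str, list[datetime]] = defaultdict(list)
    ips_by_ua: dict[str, set[str]] = defaultdict(set)
    fails_by_ua: dict[str, int] = defaultdict(int)

    for rec in parse(lines):
        if rec["result"] != "fail":
            continue
        fails_by_ip[rec["ip"]].append(rec["ts"])
        ips_by_ua[rec["ua"]].add(rec["ip"])
        fails_by_ua[rec["ua"]] += 1

    # 1. Noisy single-source stuffing: most failures from one IP inside a sliding window.
    ip_burst = {}
    for ip, times in fails_by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= ip_fail_threshold:
            ip_burst[ip] = peak

    # 2. Proxy rotation: the IP changes every attempt but the tool's UA stays constant.
    ua_rotation = {ua: len(ips) for ua, ips in ips_by_ua.items() if len(ips) >= ua_ip_threshold}

    # 3. Failed logins from user agents no real user would send today.
    suspicious_ua = {ua: n for ua, n in fails_by_ua.items() if is_suspicious_ua(ua)}

    return {"ip_burst": ip_burst, "ua_rotation": ua_rotation, "suspicious_ua": suspicious_ua}


def build_sample_log() -> list[str]:
    """Constructed log: one loud attacker, one rotating attacker, a few normal users."""
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    for i in range(12):   # 12 failures in under two minutes from one address
        lines.append(f'{(base + timedelta(seconds=10 * i)).isoformat()} ip=203.0.113.5 '
                     f'user=user{i} result=fail ua="{OLD_IE_UA}"')
    for i in range(6):    # a new proxy IP per attempt, same non-browser UA
        lines.append(f'{(base + timedelta(seconds=30 * i)).isoformat()} ip=198.51.100.{10 + i} '
                     f'user=alice{i} result=fail ua="{FAKE_UA}"')
    for i in range(3):    # ordinary successful logins
        lines.append(f'{(base + timedelta(minutes=i)).isoformat()} ip=192.0.2.{i} '
                     f'user=bob{i} result=ok ua="{MODERN_UA}"')
    lines.append(f'{base.isoformat()} ip=192.0.2.7 user=carol result=fail ua="{MODERN_UA}"')  # one typo
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for kind, hits in detect(SAMPLE_LOG).items():
        print(kind, hits)
```

The second signal is the one that survives IP rotation: as long as the tool keeps its user agent, counting distinct source addresses per user agent still groups the attempts, which is the same observation the comment makes about attackers failing to blend their UserAgents into normal traffic.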
As said, you need to vet a range of sophistication above the most sophisticated example you actually encountered, to assume there are no others that you could reasonably detect with the techniques you could deploy. Always make sure to know you'd see anyone who is only one level better than the best you encountered, where the size of such a level should be estimated from the density you see in the distribution of attacks.
You are also good if you don't automate defense with the best detection you have, so that you prevent an attacker from automatically judging the quality of your detection capabilities with you then believing the attacker got stopped when he just deployed a technique you can no longer see.
I.e., make sure you don't alert an attacker that you can still see him when you are just barely still able to do so, as you would not want him to up his camouflage to the point where you won't see him anymore.
I've lost pretty much all of my respect for Troy Hunt as he went from maintaining a useful service to just being another ad for 1Password.
Maybe I was wrong but I always thought that was the "point"...
At least in the sense that as far as profitability goes the point of hacking or gaining access to a list of hacked passwords from say a boring site like some image sharing site was that you then take that and use it to do more nefarious things like access banking stuff, more sensitive identity related things, spying, etc.
Obviously there are folks out there hacking away for their own enlightenment or fun, but ultimately anyone looking to do more than that, I always thought the point was credential stuffing all along, otherwise who cares what someone's Flickr username and password is?
I'm not sure Troy shares the lists - for obvious reasons.
Do you believe he's lying about the existence of certain breaches? Returning false results for whether a password is compromised? Be specific: what untrustworthy things do you suspect him of?
As others have pointed out in response to me, he's incredibly dishonest in claiming that his website is funded by him on one page, but clearly he's being paid by a company selling something. He injects ads into email notifications without identifying them as such.
If someone is acting untrustworthy 50% of the time, would you still trust them 100% of the time?
FUD is not useful.
I see a link below the search box, which when I click explains he has "partnered" with 1Password, why, and why he liked it prior to the partnership. It also links to this:
which has a lot more detail.
That's not what I call "without any disclosure". And makes me wonder what your idea of "disclosure" would be.
> If you loved this free service and want to know what goes into making it possible, have a read of the donations page. Buy me a coffee or a beer or just some time with the kids at a movie.