773M Password ‘Megabreach’ Is Years Old (krebsonsecurity.com)
449 points by rkrzr 3 months ago | 165 comments

For a few weeks now I have been receiving spam emails threatening me with an old password I no longer use. I wonder if it's related to this collection. It starts with:

> I am well aware [old password I think I swapped out everywhere, but definitely in all important places, when I started to use random keepass pws two years ago] is your pass words. Lets get straight to the point. None has compensated me to check about you. You don't know me and you're most likely wondering why you are getting this e-mail?

He continues to tell me my computer was hacked using that password, he downloaded my contacts, recorded me watching porn and now threatens to send that video to all my contacts. Of course unless I send him bitcoins for about $1000 to 1EiJMyvw2NP6T6vyWQ81HgUfBUVT1mqZkM

I have gotten several of these emails in my spam folder since December. The password most likely comes from the Heroes of Newerth leak back in 2014!

It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins. This is a real threat these collections create. To be honest I feel uneasy about this email though I'm 100% sure this password is not used for anything important since about two years ago. I can't imagine how someone with a current password and no security/compsci knowledge at all would feel.

I unfortunately deleted all but the last of these emails, so I wonder if he reuses the same bitcoin address and it can be easily blacklisted by authorities. If he is smart he generates a different address for every single email.

The best defense, just in case one of these cases turns out to be legit, is to send a video of myself watching porn to all my contacts preemptively. Take out their leverage, you know?

One benefit to this approach is that next time it happens you won’t have any contacts left, so you’re covered for the future.

Yea, a double video of you and what you are watching. Select the most degenerate stuff you ever watched.

This would be a nightmare for basically anyone.

This reminds me of the time I experimented with screen recording for self-analysis and productivity. It sometimes captured things I didn't want on video, but I forgot to turn off the recorder while I was deleting the footage. So I ended up with footage of me trying to cover up embarrassing footage.

Has anyone done this as part of a ‘presentation skills’ course? You record yourself giving your talk and then you play it back but sped up a little.

Boy do those nervous tics appear obvious at 2x. By the end you just want to scream out to yourself “stop touching your ear!”.

This was a requirement in a Speech course I took during community college. Each of my speeches was recorded while I gave it to the class. After each one, I had to watch the recording and write a short paper that analyzed the physical presentation that I gave, including my tics/mannerisms/etc.

Edit: We each brought in our own VHS tape (this was 2010-2011) on presentation day and https://www.svcc.edu/employees/directory/pa-fulfs/index.html would swap them in/out for each speech. Good memories... :)

VHS tapes in 2010-2011?????

This was probably very embarrassing and I'm sorry, but I laughed really hard at the thought of this. Thanks for making me smile this morning.

Personal anecdote; having your most embarrassing moments broadcast widely is good at filtering out all but your real friends. You might even find out some folks are way more understanding than you ever expected.

Those "way more understanding people" are your real friends. Congratulations for locating them!

Ah, the Mark Zuckerberg model!

The most revealing thing in that video would be how bored I get from porn these days.

> It's obviously a scam no one should respond to, but I'm sure there is a large enough number of people that get intimidated enough and are actually buying and sending bitcoins

I've had 3 web clients contact me that received these. One called the local police and an IT guy, two bought new computers, and one I never heard back from.

I just got one with nearly the same wording. "I am aware [old password] is your passphrases. Lets get directly to point..." sent using the spoofed email address oo@r.com.

The bitcoin address is different: 1ELzee2T9Wd5YPTYhWbWD3xK7xB5tJ94J4

Looks like the scam worked a couple times so far: https://www.blockchain.com/btc/address/1ELzee2T9Wd5YPTYhWbWD...

I’ve checked into some of these wallets and some of the early ones (I started receiving these several months ago) had $10k-$16k worth in deposits. And then some have none.

Oh, interesting! I've never seen anyone running this scam reuse a wallet before.

Yep I got a different one too, 1GjZSJnpU4AfTS8vmre6rx7eQgeMUq8VYr

Interestingly this address has received 3.5489 BTC and transferred most of it to: 3NLSUFJxkkW26cZKTVLrcfBQhiN7eHBET3

Different for me too: 1KeCBKUgQDyyMpaXhfpRi2qUvyrjcsT44o

Quick search turned up 5 unique wallets for me :\


I've been receiving similar emails for a long time (probably more than a year) with my old Linkedin account password that was part of the 2012 breach. I don't even have a LinkedIn account anymore and I know that I haven't used the password anywhere else since it was randomly generated for that website by my password manager.

So I can confirm that scammers seem to leverage password dumps that way. It's quite clever I suppose, if I used the same password everywhere (as many people seem to do) I'd definitely be worried.

Another data point: I get those to an email that was exclusively used on one insecure message board, but not only with the actual password that I had been using there, but also with a number of comically mangled variations thereof, and with some completely unrelated passwords (not mine). Apparently the data has been compiled from many different sources that went through various stages of bitrot from changing hands repeatedly, possibly with deliberate cutting to inflate numbers.

(oh, and also myspace, some identities are just meant to be stolen I guess...)

I received the same email to "myspace@" my domain. I wouldn't have used that email anywhere else..

Now we know where to try the associated password.

Makes me think I need a better strategy on the username side to not leak that info.

I tried it on MySpace and it didn't work. Nor could I figure out what did work or what my account even is/was. I suspect MySpace has removed inactive users, though, possibly due to issues like this.

Also it makes it easy to guess what other alias you would have used for another website. Short randomly generated hex is a much better solution.

If you're using a password manager to randomly generate long, secure passwords, the email address shouldn't matter much. The only potential issue would be social engineering to gain access to the account, but seeing how most people use the same email everywhere, I would think you'd have to be a potential target for that to be of concern.

There are good reasons to provide unique aliases to companies requesting an email:

- if they start sending you spam you can sever their capacity to contact you by deleting the alias

- if they give your contact to a third party, you know from the alias who leaked your email address

- if you see an email on a data breach like this one, you know immediately which website got hacked

- it makes it really hard to correlate your identity across two websites

I don't disagree with providing unique emails to various services, I just don't think that _randomstring_@your-domain.com is better than myspace@your-domain.com. I actually think it's worse, since it's more difficult to identify when an email is coming from the wrong place. If I get an email to myspace@domain.com and it's not from MySpace, I know right away. That's not as immediately obvious if I get an email to a random string.

Agreed. And it's so easy to set up when you have your own domain, I'm somewhat surprised more people aren't doing it. Oh well.

It would be cool if there was something like this built into a password manager

There is, it will save off whichever username you use when you sign up, e.g. facebook@domain.com. Works well for me.

There is a pretty cool keepass plugin [1] that generates randomly generated readable passwords based on a dictionary with definitions of nouns, verbs and adjectives and multiple patterns to create short sentences.

Even if the dictionary and patterns are known by an attacker, this still has very good entropy on ~16 characters long sentences. For usernames you can easily just go down to the minimum (around 6-10).

I find this superior to random values in a lot of places as it's easily readable and it's also easily typeable, when copy-paste doesn't work.

[1] https://bitbucket.org/ligos/readablepassphrasegenerator/wiki...

Also available as a 1Password feature. It's inspired by the XKCD "correct horse battery staple" comic.

Self-plug: passhole is a keepass CLI password manager that has this feature built in.


But how will I guess my email when I do want to reconnect with my account? I see why obfuscation (well, anything to avoid predictability, up to that random hex) is advisable, but the convenience trade-off is real.

If you do that out of memory, you are most likely re-using passwords. Re-using passwords with an easily guessable login isn't a good combination.

> If you do that out of memory, you are most likely re-using passwords.

How does that follow? It still adds value to use aliases that identify the site where they're used, because then you don't need to do a hashtable lookup to see where your mail is coming from.

Re-using passwords with a unique login would indeed be stupid because it would not only be weak against attackers but also have terrible ergonomics: it's usually much easier to regain access after forgetting the password than to regain access after forgetting the login. Source: I often forget both of them.

What I and many others do is reuse not a password, but reuse a password formula (in my case with slight but easily memorable variations depending on importance, or if forced by stupid password rules). If you saw a dozen of my email/password combinations in the clear you would be able to reverse engineer the rules and then guess combinations for arbitrary sites almost as good as me. It's a calculated risk, just like trusting a password manager is a calculated risk. Right now I consider password managers the better trade-off, but still only slightly better, by a margin small enough to make it not worthwhile to invest in a habit change. If the "formula" I happen to use was just a little harder to reverse engineer than it sadly is I would consider it strictly safer than password managers.

If you're using a password manager you could generate a random local-part and store that too.

I've had the same one to nexus@mydomain, which I suspect I used when I was doing phone dev on a forum or manufacturer's website. I'd love to know which site it was that leaked.

> recorded <..> watching porn

What a damning position to be in, in 2019.

Email a million addresses and you'll wind up hitting a few who've been browsing child porn, or something they'd find highly embarrassing if their parents/spouse/SO found out.

As with other scams that can be initiated at scale, you don't need a 50% conversion rate. 0.01% probably suits just fine.

A conversion rate of 0.01% on 700 million addresses and a ~$1000 demand makes you 70 million dollars. That's a lot of money for just sending 700 million emails.

Probably a couple orders of magnitude high, too. One in ten thousand? I doubt that many make it through people's spam filters.

Unless it's a Black Mirror twist. Next thing you're following some troll's orders to kill people to conceal your dark secret.

yea, umm.... that wasn't regular porn he was watching

Just watched this episode. I didn't take that "revelation" at the end to mean he actually did that. Saw it as just the final "lulz" move in the trolling.

As an embellishment by the trolls, it would probably move any authority figures from a position of "let's figure out who got this dumb kid mixed up in these terrible things" to stony indifference and something closer to "serves him right." It also alienates him from his family so he has nobody in his corner any more.

Consider your own reaction as a viewer. Think about the other person who was involved in the last task of the episode. Did you feel any sympathy for him?

You're saying he was just watching normal porn?

I remember specifically thinking "well, embarrassing sure, but everybody does it, oh well"

Why rob a bank just for some embarrassment?

I don't think he would have if the older guy with more at stake hadn't been there to pressure/manipulate him into it.

That's what I'm alluding to

I think among younger people watching porn is a given. It's ubiquitous, especially as production of pornographic media has exploded in the last decade. People post their nude selfies online for fun and seem to be fine. I've seen people I know post their photos on their personal Instagrams. At some point there must be diminishing returns for would-be blackmailers.

Right!? If some random unknown contact sends me a salacious video of one of my actual contacts, my one and only question is to the unknown contact asking why they're sending this to me.

"Yes, I'm aware he jerks it, we all do. Doesn't mean I want to watch him box the bishop."

They don't reuse wallets that I've ever seen, and I've been getting spates of these off and on for a few years now, since TVTropes (what? I had some time on my hands!) got owned.

Interestingly, the dollar amount of the attempted extortion has gone up more or less monotonically throughout; the first ones I got were looking for something like $200.

I think it's interesting that they're trying to get non-technical people who would fall for this kind of thing to buy bitcoins and then send them. Like the number of people who would believe this, have a thousand dollars on hand, and be able to buy and send bitcoins is probably tiny.

It's an optimization strategy for them between actually getting paid and not getting caught.

Buying bitcoin is actually pretty easy and they help you figure it out in the email as I already commented here https://news.ycombinator.com/item?id=18939713

Some of the ransomware scammers have actual customer service call centers set up. https://www.reuters.com/article/us-usa-cyber-ransomware-idUS...

> Some players in the booming underworld employ graphic artists, call centers and technical support to streamline payment and data recovery, according to security firms that advise businesses on hacking threats.

No surprise. Rule #1 in retail is "Make it easy for the customer to give you their money."

Market making at its finest! /s

I've received the same emails, for livejournal accounts. They seem to reuse bitcoin addresses. Bitcoin blockchain explorers show that the addresses are recently created, and that people have sent them money.

> Bitcoin blockchain explorers show that the addresses are recently created, and that people have sent them money.

I find it difficult to reconcile someone tech savvy enough to use bitcoin falling for a scam of this nature.

On the other hand, it might explain a lot about the crypto space!

The email contains:

> You will make the payment by Bitcoin (if you do not know this, search 'how to buy bitcoin' in Google).

The top result is from coinbase [1]. I would say everyone capable of online banking is capable of following these steps.

[1] https://www.coinbase.com/buy-bitcoin

Wonder if it would be a good idea for coinbase to mention the possibility of you being scammed...

At a coffee shop on the campus of my nearby university there's a bitcoin machine with a piece of paper above it outlining bitcoin scams. Coinbase really should follow suit with the standard "The IRS, FBI, Jesus will never ask you to send them bitcoin..."

My local grocery store has a sign above the gift cards reminding people that government entities and utility companies will never ask for payment in gift cards. If they can manage a warning, I would hope Bitcoin sites could have a disclaimer somewhere...

And lose some sweet free money?

Why? They take a percentage out of everything you transfer, ofc they wouldn’t want to warn you.

That’s a very narrow and cynical view of their business.

It’s as easy to assume that a world in which crypto is a trusted, common method of value transfer benefits them if they’re a leader in that space.

> If he is smart he generates a different address for every single email.

1) I don't think it's one person, I've received multiple of these with different wording. At the least I think there are a bunch of copycats out there.

2) I received an initial batch of six to a few different mail addresses, and across about six different emails there was one bitcoin address used in four of them. I took a look on blockchain.info and a couple of payments of about the asked amount had gone through it in the previous few days.

What bugs me is that this is actual, criminal extortion on a large scale. Where are law enforcement?

I have received a few of these as well (all displaying the same password). Because I use a unique, random password for every site, it was just a matter of finding it in my password manager. In my case, it was an old one from a forum breach several years ago (not in any way related to porn).

It's clear that someone has made a business model out of this, and it doesn't matter what the password is actually from. For people that don't use unique passwords, they can't say if there is anything behind the threat.

Remember to always use unique passwords for every site!

I had exactly the same. I ignored them, then, more interestingly, they started coming with the first character of the password missing, like a kind of digital entropy. Reminds me of the fantastic Alvin Lucier audio piece "I Am Sitting In A Room": https://en.wikipedia.org/wiki/I_Am_Sitting_in_a_Room

I received 6 of these emails from October through December. They're all similar, but contain slightly different subject and body text. They refer to the same password I haven't used in a decade, although at that time I used it on a number of services, so I'm unsure of the source.

They all talk about having access to my computer, a recording of me watching porn, and threaten to send it to my contacts unless I send 700-850 USD to a Bitcoin address. The payment amounts and Bitcoin addresses are different in each of the emails.

I had exactly that email. I can't remember where the password was from, but it seems to be in an old format that I used to use maybe 10 years back, if not more.

I got this one as well.

The subject of the email was a previous password I've used and they sent it "from my domain" (not really my domain, you know how it is).

I've been getting what sounds like the same emails. They used an email address and password that I used only on monster.com back in the early 2000s.

I've received around a dozen of these, all with different bitcoin addresses. All of them came from a Linkedin breach a few years ago. (I know that because I use different email addresses and passwords on every site, and these all came to my Linkedin-associated address and claimed to have stolen my [unused for years] Linkedin password.)

I got a dozen of these mails all from different addresses, each with a different wallet address. I checked each wallet and no transactions were made to those either, so it doesn't seem so fruitful.

Interestingly, I also did play Heroes of Newerth, so I guess that you're right on that notion.

Another fun fact, each time my password was mentioned, it was missing the first letter.

>Another fun fact, each time my password was mentioned, it was missing the first letter.

I get an old password in these kinds of emails that has been stripped of case; the capitalization I used is not what I received. Still, the first one was attention-grabbing, even if I've long moved on from that password to a password manager with a randomly generated password for each site.

I got tons of those too, mostly to test accounts. It’s hilarious how bad they are when they use my test names to address me.

I've gotten, and still get, these kinds of emails daily for months. Sometimes in groups of 3. The bitcoin address is not the same as the one you linked.


Yeah, I started getting those a few weeks back as well. The password is my old intranet password from my elementary school, funnily enough. I sent their admin an email about it, but I've heard nothing back so w/ev.

This is a new variant of the porn-blackmail scam, I've been receiving similar E-mails since 2017 after the Bitcoin fever. I guess the scammers have gotten their inspiration from watching Black Mirror since then.

How can the authorities blacklist a Bitcoin wallet address? Couldn't he just tumble the coins and spread them far and wide?

Had the same; scary thing is the unknown number of people who will just pay / take everything in that email seriously.

The bitcoin address is different :), mine is 1Mzpnco6nKkHTRNr9bhMa7JqGt7ABtqLBx and they ask for $943

There is a black mirror episode very similar to that blackmailing.

Oh. Been getting these for a while. So those are actual passwords I used. I was wondering how stupid the whole thing was telling people some random string is their old password.

All the ones I've had so far have been sent to throwaway addresses with the password "monkey", so I instantly know the info comes from site I don't care about, that I probably haven't used for years.

Definitely, the first one I got had me very worried as it actually got the password correct. And I can spot these kinds of fake emails instantly.

I can't remember if it was haveibeenpwned.com or some other site, but I seem to recall once a few years ago checking my email on a site which also showed you the first two characters of the password which had been compromised. Maybe it has since been discontinued because of security concerns, but I found it really useful at the time because it let me know that the leaked password was an old one that I hadn't used in years.

I know best practice is to immediately change your password regardless, but with the increasing frequency of these kinds of breaches and the reuse and recombination of old lists, how long will it be before emails from leak notification sites like haveibeenpwned start becoming so frequent that people start ignoring them? I am already more guilty of that than I'd like to admit, even though I should know better.

I know there are various places you can check a given password against known leak lists, but it makes me really uncomfortable typing my password into anyplace which is not a password manager or the site it's used for - enough that I want to change it afterwards anyway.

I already hear the arguments that none of this matters if you follow best practices, which are not wrong, but I've always gone with the option which is as secure as possible without being overly burdensome, and I'm sure I'm not the only one.

haveibeenpwned has an API to check your password against their known list that only requires sending the first 5 characters of the SHA-1 hash: https://api.pwnedpasswords.com/range/5407a.

You get a list of corresponding hash suffixes and check if yours is there. https://haveibeenpwned.com/api/v2/#SearchingPwnedPasswordsBy...

That interactive javascript checker on their site also uses that API, so in theory HIBP doesn't get sent a copy of your password.

A couple of weeks ago I spun up a little clone with slightly-simpler javascript, just in case HIBP starts serving malicious javascript: https://safepasswordchecker.hashbase.io/

Feel free to download the site and javascript for a static copy. Or reuse or modify and reshare as you like, as long as you're not malicious.

Edit: This site was made with Beaker Browser (https://beakerbrowser.com), which is rad, and you should check it out. Feel free to download / fork this site.

I did the offline check yesterday and wrote up how to do it: https://stackoverflow.com/q/54249403/96588

You CAN check breached passwords here: https://haveibeenpwned.com/Passwords. If it's a common password, it doesn't mean that it's necessarily your account that's been compromised.

I was so sure it was haveibeenpwned.com that showed the password as well, but alas they do not, at least not for the last two years.

The way I use to recognize which service has been compromised is using unique email addresses. Most providers let you do either a catchall address, or xyz+alias@provider.com, meaning you should have a user+hn@domain.com for your Hacker News user account. Makes both knowing which services have been hacked easy, but also who sells your contact information to spammers easy! :)

Edit: actually, using random passwords from a manager, you should be able to identify it through https://haveibeenpwned.com/Passwords

After the Ashley Madison hack, haveibeenpwned still had not instituted blinding, so you could check, for example, if your co-workers or boss had an account there, assuming they were foolish enough to use their widely-known personal or employer email addresses (the latter being shockingly common for lifer-types at big companies like HP and Cisco).

One of my co-workers ended up getting revealed this way to his then-wife; it wasn’t really a happy marriage up to that point but that was the last straw.

Haveibeenpwned has since gated access to the reports which is good....

I was terrified of my old email being compromised because somebody tried logging into it from Windows (I don't use Windows) and because I had an identity theft scare a month back. What I'm doing going forward is having a personal email acct I don't give out (with 2FA thru U2F), and creating burner GMail accounts that forward emails to that email using POP3. I'm already pwned because I use my personal email for a lot of things, but I like to think it keeps my attack surface minimal.

Adding a bit of security on the identification side (usernames/emails) isn't completely useless, but the focus should be on securing authentication. I.e. never use a password twice and add 2FA to everything even vaguely important to you.

With password managers that's also way easier than managing a lot of email accounts.

I use Bitwarden, password autogen, and 2FA to manage those too, though I'm not fully migrated over yet (still have a lot of weak duplicate passwords). My problem is the older services I have to use that don't support 2FA.

In all honesty, it's probably not worth worrying about. The implementation of 2FA you're referring to here is just adding a 2nd secret, with a small twist of having a time component.

There are very few scenarios where your (high entropy) password would be compromised in a way that wouldn't also lead to the discovery of at least 1 functional 2FA code.

1) Website is breached. If they can get the account password hashes, chances are they're going to get the TOTP seeds as well.

2) You're phished. Your attacker passes through your credentials (scraping the password along the way), and they get a functional session token. With most services, you can turn off 2FA just by reconfirming the account password.

3) Your password manager is breached. 'nuff said.

The push behind 2FA isn't so much because high entropy passwords are vulnerable (except in a phishing context, but there TOTP is equally vulnerable) -- the momentum behind 2FA is because we can't convince people to stop using '123456' as a password.

I’ve been robbed six times, including once where one third of my money disappeared. I agree with you that security is only as strong as its weakest link. I just take emotional comfort in doing everything I can to make myself more prickly and less vulnerable.

That's scary. If you have been robbed six times, your operational security is probably pretty weak. Unless you are some kind of high value asset.

Would be curious to learn more about how it happened, to see if there are any learnings for myself to improve operational security.

So the seller shows a screenshot with browser tabs, a date and a time. One of the tabs is really very specific, looking at a particular disqus profile.

I'm not familiar with Windows; is there anything in the screenshot to suggest it's Tor Browser or anything like that?

Presumably the miscreant's ISP and e.g. the Russian government can guess pretty easily who generated that screenshot...?

Of course what they'd do with that info is anyone's guess. It could well not be an offence to sell collections of passwords, if indeed it's even an offence to hack those passwords in the first place.

The screenshot has a tab open on this article: https://www.troyhunt.com/the-773-million-record-collection-1...

I don't think it's from the seller - looks like it was taken by the author of this article.

In the screenshot [0] there is also a tab viewing someone's Disqus profile, and you can also see the time and date. I think the suggestion was there may be ways to track down who the hacker is based on this. Of course he could very well be using a VPN (highly likely). Or at the very least a public/free WiFi, although in Russia you have to register with a phone number to access them.

[0] https://krebsonsecurity.com/wp-content/uploads/2019/01/sanix...

It addresses that in the article: "...notice the open Web browser tab behind his purloined password trove (which is apparently stored at Mega.nz): Troy Hunt’s published research on this 773 million Collection #1"

Sooo this is either a screenshot of Sanixer's machine or of someone who has access to his entire trove. Clearly not the author's.

I see the mega.nz handle "Louren KINGUR" with avatar, and the same person's Google account avatar with no username. I did an image search on this latter one and came up empty handed, but maybe someone with more finesse could find him this way.

That looks like a regular version of Chrome running on Windows 7. But it could be running on a proxy or a VPN.

In the first image with the telegram id the other id is for discord. I don't recall discord being e2e encrypted so that is an interesting choice to offer. Especially since discord is known to have access to all data since they regularly remove chats/servers that don't follow their tos.

The seller may be using a VPN to mitigate this.

Discord would still have the contents of the messages.

This has been the event that has finally convinced my wife to use a password manager. I'm torn between bitwarden and 1Password though. Anyone care to weigh in on the options? My biggest concern with BitWarden is the lack of automated testing

edit - just fyi, Bitwarden responded on github last month with a plan to add some testing, and I think some of their code does use automated testing. They have issues on GitHub tracking it :)

Bitwarden is nice from a user perspective. I'm a former 1password user and switched because I felt that things in the 1password world moved slowly, even though it costs more than Bitwarden. Bitwarden being open source and audited also helps a lot for trusting it, even if it isn't perfect.

1password has a rock solid UX that looks pretty. Bitwarden is more practical imo. I prefer the latter these days. Guessing the 1password iOS app is probably better than what Bitwarden offers, but I don't know, because I use an Android phone, and I prefer Bitwarden on Android.

I use Bitwarden personally and I like it a lot. I was using Dashlane previously and the Ubuntu UX was awful (strictly browser extension, missing features, etc).

I'm only nervous about Bitwarden because of the lack of automated testing. Apparently at least one closed-source one does not test either, possibly <edit: my memory is too fuzzy to name anything> but please don't quote me on that since my memory is fuzzy.

See my note above about Bitwarden adding tests though.

If you happen to be on MacOS, keychain works great for me.

Why not KeePass? I've never had an issue and it works great!

I've used KeePass and one issue I do take with it is the UX. Bitwarden and 1password feel like cohesive apps and have good integration with many platforms. For KeePass I felt uneasy about some of the ports of it. There's a lot of good ones on desktop, less so on mobile.

Syncing is also a thing I prefer 1password and Bitwarden for. They both have cloud syncing by default. Some won't want that but I definitely do.

The problem I personally have with KeePass is sharing and that you are on your own for many things.

You CAN make mistakes with KeePass. You pretty much can’t make mistakes with a service.

I’ve set about 100 people up on LastPass including my mom. I recommend it as a very good thing normal people will actually use.

I used to recommend LastPass but I had to stop recommending it based on their responses to issues including security issues. You can see some instances on the Mozilla bug tracker. It also has had a bad track record with security issues. There was an RCE on the browser extensions in 2017.

Why is sharing a problem? You can put your password database anywhere as long as your master password is good.

Email your mom right now with a secure password from your vault, and do it in a way that she won't have to call you about it.

That's why I recommend LastPass.

All of the breaches are, especially these compilation ones. I switched email addresses back in 2016, and despite having accounts basically everywhere, my newer account has never shown up in a breach. Even the email address I used primarily for new accounts years before that hasn't shown up in any. Only my original created-in-2006 Gmail account ends up in breach lists.

On the topic of old email addresses, make sure your old email provider doesn't release your email address after so many years / months. This is a common way to get access to accounts by creating a new email account with the same address as an expired address and then using an email-based password reset to gain access to the account. Happened to my wife with an old email address from high school.

My understanding is that as of now, Google never permits account name reuse. That being said, I keep all of my old accounts, even if I don't use them anymore. I do check Gmail occasionally for emails which trickle in from time to time.

I lost the password to the @hotmail.com address I used for Myspace, and wanted so desperately to delete the account. Last year, just on a whim, I tried to register it and they actually let me.

Turns out it wasn't the email I used on Myspace.

Also, is Myspace back? Somehow my profile and pictures are on there again, but I thought they removed personal profiles years ago?

This is really a big problem since one is forced to keep old addresses active and around. But your email provider, even if it’s a paid service, may have stupid policies to recycle addresses very soon and may not make exceptions for you.

Posteo.de recycles deleted email addresses/aliases in three months. Fastmail is also similar and recycles them within three months or so. Same goes for Mailbox.org. All these paid services are pathetic in this regard.

Runbox.com (which I don’t use) is the only paid email service that clearly states that it never ever recycles email addresses, just like Gmail and Yahoo Mail don’t do either.

I’d like to know about privacy focused paid email services that have a clear policy of not recycling addresses.

Ideally if you're paying for email as it is, you should probably be in the custom domain space. FastMail may be able to reuse my FastMail address, but my FastMail address is tied to very little, since I use a custom domain, that they can't keep.

Of course, as a reminder: This means you have to keep your custom domain, or else someone can register it after it expires and make any emails they want on it. But if you have a domain personal to you that you've used as part of your email address, you should probably keep it forever anyways.

Anyone here recommend a good security key? Is YubiKey still the best option?

I noticed that they don't have any usb-c + NFC options.

Fwiw I just received some Solo keys after backing their Kickstarter. Unfortunately the firmware doesn't yet support key storage, but it should be coming. I think it looks like an interesting alternative to Nitrokey in the open source space. They have USB-A and USB-C variants, and are working on an NFC ("Solo Tap") variant:

"Can I use Solo for OpenGPG or Ssh? Not yet

Can I use Solo to store passwords? Not yet."

They do have NFC and USB-C options (separately, though), and are planning to launch Lightning as well.

Yes, I was looking for USB-C + NFC, so I can use it with my Macbook + iPhone... having to buy two seems inconvenient.

Note that you will want to own at least two and enroll both of them to properly lock down a service so that it doesn't need some plan B. The reason is that obviously if it's locked down to a single U2F Security Key and that key breaks or is lost you're screwed.

Google's programme aimed at high risk people (e.g. journalists covering government corruption) specifically aims to leave you in a position where so long as you have control over the physical devices your secrets are safe, and if the devices are destroyed then your account is irrevocably lost and too bad. Doing that with just one key is asking for trouble.

If you're just dipping your toe in the water, buying one key and having your plan B be a bunch of one time codes written in the back of a diary in your locked desk drawer makes sense, and if you're mostly just interested in the cool technology and not worried about security then going to a Key with Google Authenticator as plan B is fine too.

But if you want this to solve all your problems as advertised, buy two keys.

Thanks that’s good advice. Is the idea your token is synced across both devices? Or you have two separate tokens that allow you to authenticate? I’ve only set up a mobile based authenticator per account before...

Ordinary Security Keys can't be synchronised so as to be interchangeable. A good U2F/WebAuthn implementation lets you enroll several of them and use any of them each time you sign in. So yeah, separate tokens, any of them works.

It's pretty different from authenticator apps, it can be much more convenient (no trying to quickly type in six digit numbers) but it's kinda expensive for now.

Ordinary Security Keys only know how to do exactly one thing, prove that they're still the same Security Key that they were the last time. They can't even prove which one they are in particular (most can prove which model they are, because a bank or something might be like "Ooh, we like this technology but we insist you use Bank of America brand Keys..." but they don't even know like a "serial number" or anything). This is deliberate - it allows the strongest possible privacy guarantees while still delivering a useful security function. The Firefox implementation lets you pick "No" when sites ask which model it is - I always do, none of their bloody business, it's a Security Key, eat it.

When you "enroll" a Key the site gets back a "cookie" (not an HTTP cookie) that is only useful to identify that site to that Security Key; an Elliptic Curve public key; and a signature proving the Key knows the corresponding private key and was enrolling with this specific web site. The site puts those somewhere (presumably a database table) ready to use them when you log in subsequently.

When you need to log in, the site gets its list of all the keys you've enrolled and says "OK, here are the cookies for some keys you enrolled, prove you still have one". If you have one of these keys it can find its cookie among the set, and it knows the private key that goes with that cookie, so it can sign a new message saying "Hi, this is still me, signing in to $domain right $now" and the site verifies that with the public key.

In principle the Security Key could be keeping a big database of every site it has enrolled with and the cookies used versus private keys. In practice what it does is make a random new private key each time it enrolls, encrypt the private key and put the result in the cookie. Only it knows how to decrypt the cookie, so there's no danger from this approach.
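The enroll/sign-in exchange the comment above describes, as an added example (not code from the comment or from any vendor's firmware): a toy token whose "cookie" is the per-site private key sealed with AES-GCM under a device secret, with the site name as associated data, plus the site's side that stores handle and public key and checks the signature. Ed25519 stands in for U2F's P-256 ECDSA, the signature counter and device attestation are left out, and all names and values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
)

// SecurityKey models a U2F token: one device secret (here an AES-GCM key) and no per-site storage.
type SecurityKey struct{ wrap cipher.AEAD }

func NewSecurityKey() *SecurityKey {
	secret := make([]byte, 32) // constructed stand-in for the token's internal wrapping key
	rand.Read(secret)
	block, _ := aes.NewCipher(secret)
	aead, _ := cipher.NewGCM(block)
	return &SecurityKey{aead}
}

// Enroll mints a fresh key pair and returns the "cookie" (key handle) plus the public key. The handle is
// the private key encrypted under the device secret with the site as associated data, so only this token
// can open it, and only when the same site presents it.
func (k *SecurityKey) Enroll(site string) (handle []byte, pub ed25519.PublicKey) {
	pk, sk, _ := ed25519.GenerateKey(rand.Reader)
	nonce := make([]byte, k.wrap.NonceSize())
	rand.Read(nonce)
	return append(nonce, k.wrap.Seal(nil, nonce, sk, []byte(site))...), pk
}

// message is what gets signed: the site and the fresh challenge ("still me, signing in to $domain right $now").
func message(site string, challenge []byte) []byte { return append([]byte(site+"\x00"), challenge...) }

// Sign scans the handles the site sent back for one this device can decrypt and signs the challenge
// with that key. It returns nil, nil when no handle belongs to this token for this site.
func (k *SecurityKey) Sign(site string, handles [][]byte, challenge []byte) (handle, sig []byte) {
	ns := k.wrap.NonceSize()
	for _, h := range handles {
		if len(h) < ns {
			continue
		}
		sk, err := k.wrap.Open(nil, h[:ns], h[ns:], []byte(site))
		if err != nil {
			continue // another token's handle, or one enrolled for a different site: not ours
		}
		return h, ed25519.Sign(ed25519.PrivateKey(sk), message(site, challenge))
	}
	return nil, nil
}

// VerifyLogin is the site's side: look the returned handle up among the user's enrolled keys
// (handle -> public key) and verify the signature with the stored public key.
func VerifyLogin(enrolled map[string]ed25519.PublicKey, site string, challenge, handle, sig []byte) bool {
	pub, ok := enrolled[string(handle)]
	return ok && ed25519.Verify(pub, message(site, challenge), sig)
}
```

With two tokens enrolled at the same site, either one finds its own cookie and signs; a token that was never enrolled, or the same cookies presented by a different site, produce no usable handle at all.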

Thanks, I'm going to buy more than one for backup and use the multi-key approach. Appreciate the long explanation. I've been meaning to set this up for years.

This should be standard practice taught to kids in school! Especially considering their whole life is digital now.

I saw that Linux's full disk encryption supports Yubikey as well as Gnome login screens which is neat.

I believe their upcoming HW will have support for NFC, but at this time iOS will not support NFC as MFA, though of course YK would love Apple to support them.

Correction: Looks like YK is saying iOS does support YK as MFA via NFC[1]

If anyone had a chance of getting Apple to approve NFC for MFA, it’s Yubikey. But I wouldn’t hold my breath just yet and would plan on the Lightning one.

For Troy Hunt's detailed breakdown of this particular breach: https://www.troyhunt.com/the-773-million-record-collection-1...

It just took a minute of searching to find the other collections. Does Troy wait for people to send him specific files? https://raidforums.com/Thread-Collection-1-5-Zabagur-AntiPub...

In a blog post some time back Troy mentioned that he will not pay for files on principle, because he doesn't need to financially support black hats/thieves/criminals and most of the "best" files themselves get stolen or breached (because thieves will be thieves).

I think it is a reasonable position not to pay for these files, if the money is just going to encourage the creation of more of them.

Yeah, somebody signed into my Netflix account that I reactivated after years and years of inactivity. It was the only site that was using a really old password that's in this breach.

Naive soul here, but is it really wise to type live passwords into someone's site that ostensibly is looking for matches with its existing database? That seems awfully trusting.

Troy Hunt's haveibeenpwned has a password checking facility at https://haveibeenpwned.com/Passwords

He describes the security measures behind the process here:

Of course, it all still boils down to how much you trust the guy, the approach, etc etc.

The reasoning given is: if you're aware it's a bad idea, great! Don't do it. If you don't yet know it's a bad idea, and do it, you'll see how many places it has already been leaked, and hopefully start using different passwords, and a password manager ...

It trains average/non-IT people to enter their password on websites to “check”. If scammers start setting up mock websites that ask you to enter your password to see if your account was hacked, people will fall for it because they have been trained by white-hats that this is an acceptable practice.

You have to dig to get to this feature.

The consumer facing feature is entering your email address.

Probably a good start to using 2FA and security keys.

I think having 2FA should be a feature of every page that provides a login possibility.

There should be a login-as-a-service startup offering secure login tool that is easily configurable.

Yeah I knew this when I got the haveibeenpwned email about it. Just brushed it off with a "oh, that password is making the rounds again." The password in question was compromised something like 5+ years ago.

Having a 20 character password in a vault and 2FA is a great peace of mind now. I don't even have to bother looking into it.

I think they are also trying to use the same credentials to log in to accounts. I got an email from Epic Games saying there were too many failed login attempts, so it was suspended. Ironically, I don't even remember having one. So I logged into the account and made sure none of the information on there was personal.

Did you click on the link in the email to log in? That's another one to be aware of, fake clone websites linked to fake emails purporting to be from the company.

Always go directly to the site using your bookmarks or typing it in, or at least remember to check the url before you click it.

Actually, they only offered a link for enabling 2FA, and yeah, I typed the website in. I have a fake name on the account, and I don't have any payment info on there since I'm not playing any of their games. Now I really have to just think of a constant false name when registering accounts.

That would explain why HIBP told me my account was in the breach, but I couldn't find a specific password within his Password Checker--the breach is probably from before I switched to a password manager and rotated all of my passwords.

Thank goodness everyone changes their password regularly.

In all seriousness, the reason why this and several collections roughly as large as it went for $45 on the market is precisely that it must not be that useful anymore. If it truly were a skeleton key to the world it would not be going for $45.

I'm abundantly positive there's still a lot of perfectly valid login credentials in there, but the trick is finding them without also triggering rate limiting detection now.

I'm not aware of the specifics of the dark market, but from a marketing perspective selling something for cheap makes it easier to sell volume. Perhaps the guy who did the hack didn't want to go to the trouble of finding the one bidder who would give him top dollar, not to mention the dangers a contact like that might include. It's easier to find 1k buyers for $45 than one for $45k.

There isn't a "the guy" who did "the hack"; this is an aggregate compilation of a series of low-quality elements that have mostly lost their market value. It's the computer security equivalent of this: https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-Dig... 50 low-value movies for $11.99. Note the distinction between "low value" and "no value". Yes, you might find something you like in there, as some of the reviewers did, but the economic value of this stuff has passed.

My point is that the market value has been lost because there actually is some churn in passwords and accounts. If 99% of the credentials in this hack still worked, it would not be getting sold at this price at all; it would be selling something worth tens or hundreds of thousands, if not millions to the right buyer, for You Pay Only $44.99. Not gonna happen. It can't be worth all that much to most buyers if that's all they're selling it for.

Or it's just so widespread that it's worthless, although I'd suggest in that case that we'd have heard about it earlier. Have I Been Pwned actually has some hookups in that world.

> It's the computer security equivalent of this: https://smile.amazon.com/Midnight-Movie-Madness-MegaPack-Dig.... 50 low-value movies for $11.99. Note the distinction between "low value" and "no value". Yes, you might find something you like in there, as some of the reviewers did, but the economic value of this stuff has passed.

They should call it "Amazon Subprime".

Sure, but let's not forget that there are e-mails in there too. $45 for 750M e-mail addresses doesn't sound like a bad deal. Perhaps whoever compiled that list is aiming at spammers and that's why he's selling cheap to get volume.

Re-released as a scare tactic to get people to buy 1password? (I hate to sound cynical, because really it's a great way to get people to look into password managers if it was a marketing scheme)

My New Year's resolution is to change my passwords every year and not reuse any.

Along with the traditional diet and exercise spiel that lasts a month, only 12 days left on most of my New Year's resolutions!
