Shit. Looks like I got caught up in the adobe breach. Let this be a lesson to all engineers in charge of such situations to implement strong security. You are partially responsible for these disasters.
I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my Paypal account, presumably with credentials scraped from adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I changed it to the strongest password I've assigned anything yet.
Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.
This should be a lesson not to manage your own passwords, use a password manager there are many to choose from. I was also caught up in the Adobe breach but my password was randomly generated by my password manager.
I second this. I've been using it for a few years now. It gives me great peace of mind knowing that my password on a site like HN is something like "e5wLoMB1kZ". I only have to remember a few passwords and yet each site has a unique password.
Even in the event of a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.
However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.
Yeah, I did not hear about pwdhash and it sounds like a nice idea.
One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.
Imagine an attack where for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "Hashed" (pwdhash) passwords for each site and compile that info into a big list. This can then be added to the candidate list of passwords that can be tried in cracking leaked hashes.
The takeaway here is that even though pwdhash gives you domain-specific generated passwords, you will want to make sure that you use a different site password as input to pwdhash for each site.
I like https://oneshallpass.com/ better since it lets you change some attributes about the passwords generated. So if a site is compromised you can just increment the generation field and get a totally new hash.
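The precomputation attack sketched in the two comments above, and the effect of a oneshallpass-style generation counter on it, worked through as an added example (this is not pwdhash's or oneshallpass's code; the derivation function, the domain list, the common-password list and the leaked records are all constructed here for illustration, and the real pwdhash construction differs in detail, which does not matter because the attack only needs the output to be deterministic):

```python
import base64
import hashlib
import hmac
from itertools import product

# Constructed inputs for the example: a few popular domains and a few of the
# passwords that turn up most often in leaked lists.
TOP_SITES = ["paypal.com", "adobe.com", "facebook.com"]
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein"]


def derive_site_password(master, domain, generation=0, length=12):
    """Deterministic site password from a master password and a domain.
    Assumption: HMAC-SHA256 of "domain:generation" keyed by the master
    password, base64 encoded and truncated. pwdhash itself uses a different
    construction; the attack only relies on the output being deterministic."""
    msg = f"{domain}:{generation}".encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def stored_hash(site_password):
    """How the breached site stores the site password in this example:
    unsalted SHA-256 (constructed; any fast hash gives the same result)."""
    return hashlib.sha256(site_password.encode()).hexdigest()


def build_candidate_list(sites, masters, generations=(0,)):
    """The precomputation described in the thread: for every (site, common
    master password, generation) triple, derive the site password and index it
    by the hash the site would store. This is the list that gets appended to a
    cracking wordlist."""
    candidates = {}
    for domain, master, gen in product(sites, masters, generations):
        site_pw = derive_site_password(master, domain, gen)
        candidates[stored_hash(site_pw)] = (master, domain, gen)
    return candidates


def crack(leaked, candidates):
    """leaked: {email: stored_hash}. Returns {email: (master, domain, gen)}
    for every entry the precomputed list explains."""
    return {email: candidates[h] for email, h in leaked.items() if h in candidates}


def demo():
    # Constructed leak from paypal.com. alice used a common master password;
    # bob used the same master but bumped the generation counter once;
    # carol used a master that is unique to this site.
    leaked = {
        "alice@example.com": stored_hash(derive_site_password("password", "paypal.com")),
        "bob@example.com": stored_hash(derive_site_password("password", "paypal.com", generation=1)),
        "carol@example.com": stored_hash(derive_site_password("Tr0ub4dor&3-paypal", "paypal.com")),
    }
    gen0 = crack(leaked, build_candidate_list(TOP_SITES, COMMON_PASSWORDS))
    # Enumerating a few generation values costs the attacker almost nothing.
    gen0_to_3 = crack(leaked, build_candidate_list(TOP_SITES, COMMON_PASSWORDS,
                                                   generations=range(4)))
    return gen0, gen0_to_3


if __name__ == "__main__":
    first, second = demo()
    print("generation 0 only:", first)
    print("generations 0-3:  ", second)
```

Running it shows alice recovered with the plain list, bob recovered as soon as the attacker also enumerates generations 0 through 3, and carol never recovered: a per-site master input defeats the precomputation, a counter only adds a small constant factor to it.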
printf "/" ; openssl rand -base64 32 | sed 's/.$//'
The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.
Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.
Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.
Well until the recent 4.x / 3.x screwup that 1Password did it has been quite useful (and like you, my 16 character password at Adobe, even if guessed, would not be useful anywhere else)
My 3.x was upgraded to 4.x on my Macbook (unbidden) and the only way to restore compatibility with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the Macbook, not particularly happy about the upgrade fee on iOS.
I use a yubikey that outputs half of the password used to unlock my KeePass database, the other half is in my head (so even if they steal my yubi they can't do much).
The database is backed on my own owncloud which is hosted on my own vps and replicated on other 3-4 servers (all mine). My little personal cloud setup.
Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.
Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".
(I store "sensitive stuff" on AWS/DigitalOcean/other-vps-providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the vps. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Password's datafile encryption enough to take advantage of the iOS/MacOSX sync features they've implemented over Dropbox. That's possibly not a choice I'd make if I thought I were a target of someone like the NSA.)
For some logins, the answer is "Sorry Dave, I can't do that." If I don't have the private cert, or the ssh cert, or the right hole in the firewall - there are many things I've chosen intentionally to not be able to log in to using someone else's computer.
For lesser security critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate level logins, I need my phone or iPad anyway, I've got TOTP two-factor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, GitHub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)
Private SSL/TLS certs, ssh keys, and 1Password database are all stored on encrypted filesystems (EncFS) and synced across four machines (two at work, one at home, and my laptop) using Dropbox (which is another off-site copy, and has revision archives) and/or BTSync. Those four copies are all OS X Time Machine backed up (and revision archived) - and two of those Time Machine backups are rsynced nightly to separate drives in opposite locations - so all up (not counting Dropbox) I've got copies on 10 separate spindles in two physical locations, two of them in a locked filing cabinet (the work time machine and rsync disks).
I've had a "primary computer" stolen before – and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work-mode in half a day and one maxed-out-creditcard at the local Apple store. (If someone hits both my work and home locations simultaneously, I suspect I've got bigger problems than whether I'll have angry clients shouting at me before the weekend…)
I carry a little piece of paper in my wallet that has my private key further encrypted by myself, and that encrypted key is used to decrypt other passwords through a private web/mobile app I made. The top encryption key I have is just some sort of simple algebraic mumbo jumbo formula I used to scramble my private key just a bit, and I change it up once in awhile, and have that written down. What's in my memory is how I jumbled it.
For the Adobe breach specifically, you might try the site set up by Last Pass, which checks your email against the breached data: https://lastpass.com/adobe/
The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.
P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.
Same here. I used my throw-away email to sign up at Adobe, along with my weak throw-away password. I don't have any Adobe licenses or such. The only Adobe product I use is the Flash plugin.
The email account is on Hotmail and currently has about 54k messages in its in-box, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into it is to respond to password confirmation requests generated during account creations.
Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.
I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)
I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in Japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak Japanese) at one point which prompted me to call their support and figure all of this out.
But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.
It was lucky in a sense that if adobe required complex passwords a more important password would have been leaked. It was also lucky in a sense that adobe itself got hacked instead of an entity that has one of my more sophisticated and thus valuable passwords.
One of my addresses was also in the Adobe breach. No idea what password I used there, but I'm fairly sure it must have been either my common "junk" password, shared with tons of forums, but nothing that poses any serious risk to me (just to those forums). Or if they had stricter requirements, some variation on it that I always forget, so I have to ask them for a new password every time anyway.
I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.
But those forums? I'm just not going to keep track of a new password for every site I visit.
If you're using a forum, you're in front of a computer. Keeping track of things is one of the things computers are _best_ at. Get yourself a password manager. I use 1Password, but I hear good things about KeePass and LastPass too.
Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)
Get a tool to help, computers are wonderful tools.
I woke up this Thanksgiving with a bunch of email notifications from Paypal that my account had been hacked and taken over. I (also shame on me) tend to reuse some of my passwords, and figured someone got into my Paypal account using my adobe credentials, not even being sure if I had created an account with adobe for anything in the past.
I checked my email address on this site and it didn't find any pwnage.
I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...
If you reuse passwords, separate throw-away accounts (like Adobe or pretty much anything that's not your email, your bank or PayPal), from the important stuff.
Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.
Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.
Fuck me. Ditto. The reason I checked? I unknowingly, until today, had a domain name transferred away from me -- or rather, ownership changed, for a domain I bought years ago for $3,000. Email address used for that domain in Adobe breach.
My wife was on the Adobe list, the same credit card she used at Adobe was charged from Amazon or paypal ( I can't remember which ) couple of weeks after the leak. She called the bank they closed it right away and took the charges off the card.
I knew I was, but I was delighted by what Dreamhost did: they have cross-checked their users' e-mails with the Adobe leaked database and sent a message to affected users explaining the situation and advising to change the password, reminding to not re-use passwords and suggesting password vaults.
I think it's a great thing to do by third-parties when leaks of this magnitude happen.
After the Macrumors breach (I had only signed up about 2 weeks before it happened), I decided it was time to make all my passwords unique and to use a credentials manager like 1Password. I too shared the same password for multiple sites/services (shame on me too).
They were encrypted, but with no variation between the hashes per email. https://lastpass.com/adobe/ will show you the password hints associated with the (in my case) 200 people with the same (hashed) password. The clues would be sufficient to guess the password.
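The kind of analysis the LastPass checker mentioned earlier in the thread performs, and that the comment above describes, as an added example (not LastPass's code): because nothing per-user was mixed into the stored token, equal passwords produce equal tokens, so records can be clustered and every hint in a cluster leaks the same plaintext. The records, token strings and hints below are constructed; the salted variant at the end is an assumption about what would have prevented the clustering, shown with a single SHA-256 for brevity where a real deployment would use a slow password hash.

```python
import hashlib
import os
from collections import defaultdict

# Constructed records in the three fields discussed above: email, the stored
# password token, and the user's hint. The tokens are made up; what matters is
# that the same plaintext always produced the same token.
RECORDS = [
    ("a@example.com", "tok_A", "usual one"),
    ("b@example.com", "tok_A", "one to six"),
    ("c@example.com", "tok_B", "dog"),
    ("d@example.com", "tok_A", "numbers"),
    ("e@example.com", "tok_C", ""),
    ("f@example.com", "tok_C", "same as work"),
]


def group_by_token(records):
    """Cluster users by stored token; equal tokens mean equal passwords."""
    groups = defaultdict(lambda: {"emails": [], "hints": []})
    for email, token, hint in records:
        groups[token]["emails"].append(email)
        if hint:
            groups[token]["hints"].append(hint)
    return groups


def lookup(records, email):
    """What a breach checker can report for one address: how many other users
    share the password, plus every hint any of them attached to it."""
    token = next((t for e, t, _ in records if e.lower() == email.lower()), None)
    if token is None:
        return None
    group = group_by_token(records)[token]
    return {"others_with_same_password": len(group["emails"]) - 1,
            "hints": group["hints"]}


def largest_cluster(records):
    """Size of the biggest group of users sharing one token."""
    return max(len(g["emails"]) for g in group_by_token(records).values())


def salted_tokens(plaintexts):
    """Contrast: a random per-user salt, so identical passwords no longer
    cluster and hints cannot be pooled across users. (Illustration only;
    use bcrypt/scrypt/PBKDF2 rather than one SHA-256 in practice.)"""
    out = []
    for email, pw in plaintexts:
        salt = os.urandom(16)
        digest = hashlib.sha256(salt + pw.encode()).hexdigest()
        out.append((email, salt.hex() + "$" + digest, ""))
    return out


if __name__ == "__main__":
    print(lookup(RECORDS, "a@example.com"))
    same_pw = [(e, "123456") for e, _, _ in RECORDS]
    print("largest cluster, unsalted:", largest_cluster(RECORDS))
    print("largest cluster, salted:  ", largest_cluster(salted_tokens(same_pw)))
```

Looking up a@example.com reports two other users and the hints "usual one", "one to six" and "numbers" pooled together, which is exactly the information the comment says was enough to guess the password; with per-user salt, even six users who all chose the same password end up in six clusters of one.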
I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).
I much prefer using the program `pwgen`. It's installed on all my Linux boxes and it's available from Cygwin too, and it generates a 'pronounceable' password, which makes it a lot easier to remember and also much easier to copy.
There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
Funny/scary anecdote I experienced a few days ago: most Linux flavors check against the cracklib database when changing passwords, and as I typed in an account password, a brand-new cracklib said it was based on a dictionary word. Now, my passwords are alphanumerical jumble, and they're usually comprised of an alphanumerical jumble "core" that I memorize and then a site-based or computer-based pre- and suffix.
So, let's say for example, my current core is "kgA85kjF3". Then for example, I'd morph that for my Hacker News account to "ZkgA85kjF39!" and my fileserver as "UkgA85kjF3O2". I thought this was a good method of having reasonably long passwords but I'd have to memorize very little per site.
So imagine my surprise, when I created a new password "NkgA85kjF3T3", cracklib found a dictionary word in it. It got worse from there. Through experimentation, I determined that it was indeed the core that was compromised. Any password containing "kgA85kjF3" was compromised.
I have no idea how this happened. If this was not a big cosmic coincidence, if this is not just a random regex filter accident, that means data from at least two known password databases containing my cores has been correlated, and put into cracklib no less. There is really no limit to the imagination regarding what illegitimate databases might contain...
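The correlation the comment above speculates about, as an added example that is not cracklib's code and makes no claim about how cracklib actually built its dictionary: given two leaks that share a user, the longest substring common to that user's two passwords is the reusable "core", and a dictionary check that matches on substrings will then reject anything built around it, prefix and suffix notwithstanding. The two dumps below are constructed, using the example strings from the comment.

```python
def longest_common_substring(a, b):
    """Classic dynamic-programming longest common substring; returns the
    longest run of characters that appears contiguously in both strings."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def extract_cores(dump_a, dump_b, min_len=6):
    """Correlate two leaks (email -> plaintext) and collect the long substrings
    a user repeated across both sites. A core predicts the user's password on
    a third site far better than either full password does."""
    cores = set()
    for email, pw_a in dump_a.items():
        pw_b = dump_b.get(email)
        if pw_b is None:
            continue
        core = longest_common_substring(pw_a, pw_b)
        if len(core) >= min_len:
            cores.add(core)
    return cores


def based_on_known_core(candidate, cores):
    """A substring-based dictionary check of the kind the comment describes:
    reject any candidate that contains a known core, whatever surrounds it."""
    return any(core in candidate for core in cores)


# Constructed leaks from two different sites. "user" follows the core +
# site-specific prefix/suffix scheme from the comment; "other" does not.
DUMP_SITE_A = {"user@example.com": "ZkgA85kjF39!", "other@example.com": "hunter2"}
DUMP_SITE_B = {"user@example.com": "UkgA85kjF3O2", "other@example.com": "qwerty99"}


if __name__ == "__main__":
    cores = extract_cores(DUMP_SITE_A, DUMP_SITE_B)
    print("recovered cores:", cores)
    print("NkgA85kjF3T3 rejected:", based_on_known_core("NkgA85kjF3T3", cores))
```

Two leaked passwords are enough to recover "kgA85kjF3", after which the brand-new "NkgA85kjF3T3" is rejected while an unrelated password passes; the per-site decoration adds only a couple of characters of search space once the core is known.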
That's a good procedure, a few weeks ago I'd have deemed you paranoid but obviously there is no practical limit to paranoia anymore ;)
However, the hashing step makes it impractical for me on different devices in certain situations. I don't want to rely on browser extensions or apps either. So I'm changing my passwords to the output of an algorithm I can do in my head now.
It's a linux library that checks passwords against a database of known words and patterns. You give it a password and it gives you basically one of two answers: "this is based on a known word" or "nope, never seen anything like it before". The database format looks highly obscure and doesn't lend itself to grepping without much effort.
Passphrases are a really good idea, but a lot of sites have very short length limits.
Granted if they have limits that's a really big red flag that they're storing your password in plain text, as a hash should always be the same length, so you probably shouldn't sign up there anyway. I remember a few years ago I was signing up for a TD account, and about 5 pages through the signup page it wouldn't allow me to continue because my password was /too secure/ (not their exact wording, but that was basically the problem). What makes it funnier is a lot of sites would reject the password I used at the time as not being secure enough.
I stopped signing up at that point, but I remember getting a phone call (!) from them a couple days later asking why I didn't finish the sign up, and my answer was: because I'm not giving my money to a company that doesn't know how to store passwords!
In Australia, our "welfare" system is taken care of by Centrelink. They have all of your personal details, as well as access to the amount you're getting per fortnight, and job history, resume etc. Lots of stuff you don't want compromised.
They also limit your password to 8 characters.
This is a huge government website that heaps of Australians have to access at least fortnightly.
One of the benefits of learning to program J for me has been to make it easy to remember hard to crack passwords. I have some passwords which are actually runnable J one-liner programs and contain all kind of '#!$' symbols. All I need to do is remember what they do so that I can recreate them.
I've memorized an algorithm instead of trying to remember passwords. I don't actually remember hardly any of my passwords, instead I use this mini algorithm that I came up with to create unique passwords for each site I go to. Each time I go to a site it just takes me a couple seconds to figure out what the password is. I find it a lot easier to remember that one algorithm rather than trying to remember a bunch of passwords or rotating through the same few passwords.
You can also use an algorithm. I do something like create a 'base' that is used for all sites. And then something like take the number of letters in the url google = 6 and add it the beginning. Then take the second letter from the right and last, 'o' and 'e' and add it to the end. In the end you get 6baseoe. Unique password for each website.
That's not the point. The idea is to have different passwords for each site and each device. So in this many-words scheme (which will run afoul of a lot of websites' length restrictions on passwords by the way) I'd have to find a good way to encode the site's name or I'd have to tack on at least four specific words to the existing core sentence. That's not something I'll remember with dozens of sites and devices.
I know. If I wanted my information to be "safe", I wouldn't have an online profile at all. For starters, I wouldn't use Google services. It's a matter of limiting exposure at this point. I know the NSA reads my email and can probably log into my home router, but I don't want everybody else to do the same. Otherwise, let's all change our passwords to "password" and be done with it. Just because protection isn't close to 100% doesn't mean I don't want any at all.
If you're connected to the world wide web and you send/receive data, there's a strong chance that either:
a) Either sending/receiving machine is broken into
b) Someone or something is intercepting your message
c) The service you are using is broken into
There's just too many holes to plug and too many people with expertise in these domains orders of magnitude above ours that they can use to either be malicious, or help our cause.
Your computer/device needs to be secure. Your other parties devices need to be secure. Your connection needs to be secure. Your third parties service needs to be secure. The internet the third party uses needs to be secure. Their data centre needs to be secure. Then their ISP needs to be secure.