13 Matching Annotations
  1. Apr 2020
    1. Here you can do some social good; we know how much passwords are reused and the reality of it is that if they've been using that password on one service, they've probably been using it on others too. Giving people a heads up that even an outgoing password was a poor choice may well help save them from grief on a totally unrelated website.
    2. I'm providing this data in a way that will not disadvantage those who used the passwords I'm providing.
    3. As such, they're not in clear text and whilst I appreciate that will mean some use cases aren't feasible, protecting the individuals still using these passwords is the first priority.
    1. "Changing your password is definitely the right start," Tyler Carbone, chief strategy officer at secure provider Terbium Labs said. "The other thing users need to remember is that with this password exposed, it cannot be trusted for any other services either, so they need to make sure they aren't reusing it."
    1. Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.
    1. Download the billions of breached passwords and blacklist them all. Attackers have a copy; so should you.
    2. "If someone knows your old passwords, they can catch onto your system. If you're in the habit of inventing passwords with the name of a place you've lived and the zip code, for example, they could find out where I have lived in the past by mining my Facebook posts or something." Indeed, browsing through third-party password breaches offers glimpses into the things people hold dear — names of spouses and children, prayers, and favorite places or football teams. The passwords may no longer be valid, but that window into people's secret thoughts remains open.
    3. These massive dumps of free passwords lower the cost of an attack dramatically. Password reuse or password guessing attacks are script kiddie stuff. Defending your organization against such threats is basic due diligence.
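The blacklisting advice above (and the note that the shared data is hashed, not clear text) can be put into practice with a local breached-password check. This is an added example, not code from any of the quoted articles: it assumes a corpus in the Pwned Passwords download format ("<SHA-1 hex>:<count>" per line) and looks hashes up by their 5-character prefix, the same k-anonymity split the public range API uses; the sample corpus, counts and the minimum-length policy are constructed for illustration.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest the breached-password corpus is keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed sample corpus in "<SHA-1 hex>:<count>" format (counts are made up).
# A real download holds hundreds of millions of such lines and no clear text.
SAMPLE_CORPUS = "\n".join(
    f"{sha1_hex(p)}:{n}"
    for p, n in [("password", 3730471), ("123456", 23547453), ("Summer2020!", 11)]
)

def load_breached_index(text: str) -> dict:
    """Index hashes by 5-hex-char prefix so a lookup only needs the prefix
    (k-anonymity): {prefix: {suffix: count}}. Malformed lines are skipped."""
    index = defaultdict(dict)
    for line in text.splitlines():
        digest, _, count = line.strip().partition(":")
        digest = digest.upper()
        if len(digest) != 40 or not count.isdigit():
            continue
        index[digest[:5]][digest[5:]] = int(count)
    return index

def breach_count(password: str, index: dict) -> int:
    """How many times this password appears in the breach corpus (0 = not seen)."""
    digest = sha1_hex(password)
    return index.get(digest[:5], {}).get(digest[5:], 0)

def check_new_password(password: str, index: dict, min_length: int = 8) -> tuple:
    """Policy for a password being set: reject anything seen in a breach,
    however 'complex' it looks, since attackers already hold that list."""
    if len(password) < min_length:
        return (False, "too short")
    seen = breach_count(password, index)
    if seen:
        return (False, f"seen {seen} times in breach data; choose another")
    return (True, "ok")

def warn_on_outgoing_password(password: str, index: dict) -> str:
    """Heads-up when a user changes away from a breached password: it is
    probably reused elsewhere and should be changed there too."""
    seen = breach_count(password, index)
    if not seen:
        return ""
    return f"Your previous password appears {seen} times in public breaches; change it on any other site where you used it."
```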