Nah yeah, you don't have to use it, and can just change every password connected to that email account if you wish.
Your email address will remain on the HIBP lists though, and future searches will show you as pwned, so you'll never know which site was either breached, or where your password was brute forced.
It's a decision everyone needs to make for themselves.
Oh and it just checks if that password is on a list (others might use the same one); it is not connected to any account.
I went through all my passwords and none were on the list.
Also recommended is to use a VPN when checking, to prevent man-in-the-middle listening (I'm talking to you, CIA and German BND).
FYI, I do change my passwords on a regular basis, at least the ones that are deemed important. Some of the accounts, financial mainly, do have 2FA enabled as well. Others, like the throw away email account at this site, eh...
Checking the email address, pretty much public information, on the HIBP site is just as good, and I did check my email addresses. Neither of them had been pwned, and I didn't see the need, or want, to check their passwords. Especially since I didn't and still don't trust that site with my current passwords...
But you are correct, everyone can make the decision for themselves...
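For anyone weighing the "is it safe to type my password into HIBP" question raised above: the Pwned Passwords check does not send the password, or even its full hash, to the service. The client hashes the password with SHA-1 locally, sends only the first five hex characters of that hash, receives every suffix in that range, and does the final match on its own machine. The following is an added illustration of that range lookup, not code from the thread or from HIBP; the `fetch` callable and the range response it returns are constructed here so it runs offline.

```python
import hashlib

# Real API shape: GET https://api.pwnedpasswords.com/range/<5 hex chars>
# returns lines of "<remaining 35 hex chars of SHA-1>:<count>".
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed sample of one range response (not real API output).
# The first suffix is the tail of SHA-1("password"); counts are made up.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4D0DE6B7B7A9E7C2F9A3B5C1D2E3F4A5B:2
1FFAB0C9D8E7F6A5B4C3D2E1F0A9B8C7D6E:17
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Hash locally; only the 5-char prefix would ever leave this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(response_text: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a lookup table, ignoring blank lines."""
    table = {}
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch) -> int:
    """Return how often the password appears in the breach corpus (0 if absent).

    `fetch(prefix)` must return the range response text for that prefix;
    in production it would do the HTTP GET, here a constructed stub is used.
    """
    prefix, suffix = split_sha1(password)
    return parse_range(fetch(prefix)).get(suffix, 0)


def constructed_fetch(prefix: str) -> str:
    """Offline stand-in for the HTTP call: only one range is populated."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", pwned_count(pw, constructed_fetch))
```

Because the match happens client-side against the whole returned bucket, the service never learns which of the suffixes, if any, was yours.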
Thanks everyone for replying!
My apologies for taking so long to reply. My area is under a winter storm warning from 1pm tomorrow to 1pm Sunday and I've been busy getting ready for it, and on top of that we got 2" of snow last night so I had to start there. Even have the generator ready in case the ice gets worse than the .25" the NWS is calling for.
Code:Winter Storm Warning URGENT - WINTER WEATHER MESSAGE National Weather Service State College PA 956 PM EST Fri Jan 18 2019 PAZ033>036-056>059-063-191200- /O.CON.KCTP.WS.W.0001.190119T1800Z-190120T1800Z/ Somerset-Bedford-Fulton-Franklin-Perry-Dauphin-Schuylkill-Lebanon- Cumberland- Including the cities of Somerset, Bedford, McConnellsburg, Chambersburg, Newport, Harrisburg, Hershey, Pottsville, Lebanon, and Carlisle 956 PM EST Fri Jan 18 2019 ...WINTER STORM WARNING REMAINS IN EFFECT FROM 1 PM SATURDAY TO 1 PM EST SUNDAY... * WHAT...Heavy mixed precipitation expected. Total snow accumulations of 5 to 10 inches, with the lowest amounts south of the turnpike. Ice accumulations of one to two tenths of an inch are expected. * WHERE...Portions of southern Pennsylvania. * WHEN...Snow will develop Saturday afternoon and could become heavy at times by evening. The snow will change to mixed precipitation Saturday night, then taper off by dawn Sunday. * ADDITIONAL DETAILS...Plan on difficult travel conditions. PRECAUTIONARY/PREPAREDNESS ACTIONS... The Pennsylvania Department of Transportation and Pennsylvania Turnpike Commission strongly encourage motorists to heed all travel restrictions and delay unnecessary travel. Visit www.511pa.com for the latest travel, roadway and traffic conditions.
essenbe: My brothers email was breached a few years ago and it was a real PITA for him. I've wondered about changing passwords regularly. What if you've used a password for years then one day you change it and get hacked a couple of days later. Chalk it up to bad luck?
Maybe z3r010 can say something, without revealing forum security secrets, about how TenForums handles a sign-in from a hacker while the member is still signed-in.
Sorry to hear of your status. BTW, I am on the Collection #1 list as well as a couple of others.
copyer: Now that you mention it I think I saw it in Troy's blog. I don't have a lot of credentials so I've been debating a manager.
meebers: I believe it runs in cycles and a lot depends on the sites one visits.
Cliff S: I saw that and feel like Cr00zng, even though Troy has a stellar reputation there has to be a ton of trust on my part before I'd enter one of my pw's (password).
Hi Mr. Cautious Cr00zng, I feel the same way you do and you said it better than I did.
z3r010: I remember when I start 2FA on a site with one of my devices, then go to use another device for the same site, I have to verify the different machine.
Well, It's getting late for me and I have an early morning, thanks again for the 'food for thought'.
Excellent advice on credential management on this thread. However, these data breaches occur on the side of online services that we use. The onus is on these companies to protect our confidential/sensitive data. Unfortunately, data breaches happen everyday and will continue to be a problem in the future.
https://www.csoonline.com/article/21...t-century.html
HIBP's list of pwned websites includes Adobe, Avast forum, LinkedIn, Dropbox, imgur, Last.fm, Patreon, Plex, Yahoo, Sony, Creative, Forbes, Malwarebytes forum, MajorGeeks forum, and Tesco, among others.
https://haveibeenpwned.com/PwnedWebsites
I found out sometime last year (via HIBP) that one of my email addresses is featured in a data breach that took place a few years ago. HIBP published details about it in 2018. Until then, the company behind the service had not disclosed this event to its users (they may not even have been aware of it) and even after the disclosure, did not have the common decency to comment on it. The idiots running the website were storing user credentials and other sensitive information in plain text. Among the data leaked were personally identifiable information such as phone numbers and physical address. Sadly, once leaked, such information will continue to exist on the Internet.
I find checking select email addresses/usernames against HIBP regularly very helpful. If you trust the makers of Spybot Search & Destroy, you can consider using a program like Spybot Identity Monitor to automate the monitoring of your email addresses and/or usernames against the HIBP database.
https://www.safer-networking.org/pro...ntity-monitor/
Review by Martin Brinkmann on ghacks.net
https://www.ghacks.net/2018/10/29/a-...r-for-windows/
Last edited by PrivacyFreak; 19 Jan 2019 at 02:30.
Hi PrivacyFreak,
That's what I don't understand about some of these web sites, your first concern when starting a site should be security not how much you're gonna make from ads or info sold about your members.
I used to use Spybot back in the day but gravitated away from it. IIRC, didn't Spybot have some problems back then after a merger? I think it was more about poor scan results and not security.
Anyways, I'll give it a look along with FireFox's Monitor, I forgot about that until I saw it in Brinkman's article. Thanks for the links!
Yes, excellent advice on credential management, but...
When the authentication server(s) are hacked and it becomes known, the knee-jerk reaction of most of the security experts is:
Use passwords or passphrases of twelve characters or more with mixed types of characters
Like the password strength would matter in the case of data breaches. Does it really matter if the password is “123456Ab” or “3pHj1P38JVF4A”? Especially if the password is stored in plain text and/or as an easily reversible password hash. Yes, the end user's credential management matters, but it does not amount to much if the subject of the data breach does not inform its end users and the public about the data breach. As you experienced...
And for that matter... Biometric or other types of authentication methods may not provide the level of account security sought after either. For cyber-criminals, it does not make a difference if the stolen account credential is a password or a fingerprint, for example. Well, there is a difference. It is easier to replace the password than the fingerprint. Not to mention that while passwords are unlimited, fingerprints for the end user in question are limited to ten, for most people. Once the biometric credential is out in the open, the end user is toast...
And that's just on the authentication server side. Hacking the client side is even worse, where smartcards, SecurID tokens, etc., can be exploited with ease.
Prior to settling the type of authentication that we'll use, both the server- and client-side security need to change. Without securing the systems at the end points, there's not much reason to change the password-based authentication systems. Unfortunately, not much effort is put into this; it's much easier to blame the end user for not having credential management in place, or for lacking a 12+ character strong password.
Entities can also blame APTs and point the finger at Russia, China, North Korea, or any other politically correct country for the data breach at hand. That's the "get-out-of-jail" card for the lack of security of these entities' systems, and it has been working for every one of them...
If you want to run with the big dogs you have to get off the porch.
Yep, I remember that. I'm a young geezer at 67 but also remember a time....When cable TV was just starting out and they advertised how great it would be with no commercials like the OTA channels had. Now-a-days I flick the fios channel to avoid a com break only to see another one running. Sometimes the other channel will have the same ad running in sync from what I left. I had to make sure I actually changed the channel. I tried TCM and they were showin' their night's movie lineup, dear wife looked at me and said "You just can't get away from those ads can you?"
What do you think about this? Microsoft - Building a world without passwords in Windows 10