
posted by takyon on Saturday January 19 2019, @07:42PM
from the there's-lots-more-where-that-came-from dept.

Security maven Brian Krebs, possibly best known for his blog Krebs On Security, recently posted an article that puts a damper on the kerfuffle about a huge e-mail and password breach announced this week: 773M Password 'Megabreach' is Years Old:

My inbox and Twitter messages positively lit up today with people forwarding stories from Wired and other publications about a supposedly new trove of nearly 773 million unique email addresses and 21 million unique passwords that were posted to a hacking forum. A story in The Guardian breathlessly dubbed it "the largest collection ever of breached data found." But in an interview with the apparent seller, KrebsOnSecurity learned that it is not even close to the largest gathering of stolen data, and that it is at least two to three years old.

The dump, labeled "Collection #1" and approximately 87GB in size, was first detailed earlier today by Troy Hunt, who operates the HaveIBeenPwned breach notification service. Hunt said the data cache was likely "made up of many different individual data breaches from literally thousands of different sources."

[...] Collection #1 offered by this seller is indeed 87GB in size. He also advertises a Telegram username where he can be reached — "Sanixer." So, naturally, KrebsOnSecurity contacted Sanixer via Telegram to find out more about the origins of Collection #1, which he is presently selling for the bargain price of just $45.

Sanixer said Collection#1 consists of data pulled from a huge number of hacked sites, and was not exactly his "freshest" offering. Rather, he sort of steered me away from that archive, suggesting that — unlike most of his other wares — Collection #1 was at least 2-3 years old. His other password packages, which [...] total more than 4 terabytes in size, are less than a year old, Sanixer explained.

tl;dr: What you've seen recently mentioned in the press is old hat, and nothing to be too terribly concerned about. On the other hand, there are other collections -- over 5 times larger -- that are even newer. That is something to be concerned about.

What to do? The old advice still applies: Don't reuse passwords. Do use long passphrases or passwords. Do enable two-factor authentication. Do use a password manager. Avoid putting your e-mail out on the web in plain text for bots to find.

  • (Score: 2) by richtopia (3160) on Saturday January 19 2019, @09:08PM (#788763)

    I recently switched from Nextcloud's PassMan to Bitwarden. I suspect there is some code sharing between them as they are so similar, but Bitwarden is more fully featured. I also now have the approach of a separate Docker container for each of my password managers. In the past I offered to add a new user to my Nextcloud for family members, but now I just configure a new sub-domain pointed to a dedicated Bitwarden instance they can manage themselves.

    This is still not perfect; I am the single point of failure and I still don't fully understand Docker user permissions or cron jobs, so backup is a manual process. However, it helps with my paranoia of trusting a provider with all of my passwords. I'm curious what solution the Soylent News crowd have picked as their favourite.

  • (Score: 0) by Anonymous Coward on Sunday January 20 2019, @01:14AM (#788845)

    KeepassX! Cross-platform and you can run it without an installer.

  • (Score: 0) by Anonymous Coward on Sunday January 20 2019, @03:04AM (#788879)

    The other option is to use a password hash: https://pwdhash.github.io/website/ [github.io]
    It takes the URL and your password to generate a unique password for each site. Because of bad password policies on a number of sites, the passwords are fairly short, so not the best option for high security options. Mainly it helps for low security options so that when they get cracked, you maintain a level of protection on all your other low security sites. It has the advantage of being accessible from computers that you would not want to keep your keyfile on. There are browser extensions and Android "apps" that are cross-compatible, and there used to be a userjs script for unsupported browsers. Personally I just keep a downloaded copy of the site in my bookmarks.
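The derivation the comment above describes, as an added illustration (this is not PwdHash's own code, which uses HMAC-MD5 and its own encoding): a master password and a site's domain are combined one way into a per-site password, cut to whatever length the site's policy allows. The names `site_key`, `derive_password` and `bits_of_strength` are mine, and the public-suffix handling is deliberately simplified.

```python
"""Domain-derived site passwords in the spirit of the PwdHash scheme.
Added example: HMAC-SHA256 stands in for PwdHash's HMAC-MD5 and encoding."""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit


def site_key(url: str) -> str:
    """Reduce a URL to the host label used as the HMAC message.
    Assumption: strip a leading 'www.' and keep the last two labels; a real
    implementation would consult the public-suffix list ('example.co.uk')."""
    host = (urlsplit(url if "://" in url else "https://" + url).hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else host


def derive_password(master: str, url: str, length: int = 12) -> str:
    """One-way derivation: HMAC over the site key with the master as the key,
    URL-safe base64, truncated to the site's maximum length.  The output does
    not reveal `master`, so a cracked password from one site cannot be replayed
    elsewhere; but `length` bounds how strong that site password can be."""
    if not 8 <= length <= 43:          # 32-byte MAC -> 43 base64 chars without padding
        raise ValueError("length must be between 8 and 43 characters")
    mac = hmac.new(master.encode(), site_key(url).encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


def bits_of_strength(length: int) -> float:
    """Entropy of a truncated base64 string: roughly 6 bits per character.
    This is the cost of the short lengths the comment complains about."""
    return 6.0 * length


if __name__ == "__main__":
    master = "correct horse battery staple"   # constructed sample master password
    for url in ("https://www.example.com/login", "example.com", "https://shop.example.com"):
        print(url, "->", derive_password(master, url))
    print("12 chars ~", bits_of_strength(12), "bits; 20 chars ~", bits_of_strength(20), "bits")
```

Note that the three URLs above all map to the same site key and therefore the same password, which is the convenience of the scheme, while a different master or a different registrable domain gives an unrelated string.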

  • (Score: 1) by DECbot (832) on Sunday January 20 2019, @04:55PM (#789074)

    I just picked up a Mooltipass [themooltipass.com]. It's a rather interesting hardware password keeper that works on Windows, Mac, Linux, and any phone or tablet that supports OTG USB. It doesn't need internet access and only works on the device you plug it into. Also, it uses chip and PIN. The PIN is to unlock the private certificate that's stored on the removable smart card. The device also supports multiple users via multiple smart cards. There's also a browser plugin to assist with storing credentials to websites, but there's also an application for manually adding credentials, which is necessary for those accounts not associated with a web browser. In either case, the user name and password appear to the system as keyboard input, so this should work anywhere a USB keyboard would (that is what I haven't tested yet).
     
    It's interesting enough that I'm thinking of getting a second one for my spouse so she won't reuse passwords and stop writing them in password books. Though I worry that the device is too technical for her to adopt for everyday use.

    --
    cats~$ sudo chown -R us /home/base
  • (Score: 0) by Anonymous Coward on Monday January 21 2019, @06:28AM (#789426)

    KWallet FTW