Wired has an article up on hackers serving up stolen credentials in an all-you-can-eat buffet.
WHEN HACKERS BREACHED companies like Dropbox and LinkedIn in recent years—stealing 71 million and 117 million passwords, respectively—they at least had the decency to exploit those stolen credentials in secret, or sell them for thousands of dollars on the dark web. Now, it seems, someone has cobbled together those breached databases and many more into a gargantuan, unprecedented collection of 2.2 billion unique usernames and associated passwords and is freely distributing them on hacker forums and torrents, throwing out the private data of a significant fraction of humanity like last year's phone book.
In a bit of libre philosophy reminiscent of 'data wants to be free', Chris Rouland, a cybersecurity researcher, opines on the megadump:
"It's entropy. When the data is out there, it’s going to leak."
Random Reminder - Password managers such as Password Safe and the always cheerful site for checking if your credentials are already pwned https://haveibeenpwned.com/ are your friends. Might be worth an update check on your email addresses (as of 1/30 the new dump was not fully reflected in haveibeenpwned results, but that has likely been remedied by now.)
(Score: 4, Informative) by Apparition on Tuesday February 05 2019, @05:48AM (1 child)
Yep, I'm in that new 2.2 billion dump. I'm not too worried though. I change my passwords every year or so, and use Bitwarden [bitwarden.com] as my password manager. It's open source, has nice browser extensions, and did well in a recent . I find Bitwarden to be a nice compromise between the security of PasswordSafe or KeePass and the usability of LastPass or Dashlane. [ghacks.net]
(Score: 2) by RamiK on Tuesday February 05 2019, @03:31PM
zx2c4's pass is free, open source, and has been good enough for me for years:
CLI: https://www.passwordstore.org/ [passwordstore.org]
GUI: https://qtpass.org/ [qtpass.org]
Encryption: https://www.gnupg.org/ [gnupg.org]
Firefox extension: https://github.com/passff/passff [github.com]
Android: https://github.com/zeapo/Android-Password-Store#readme [github.com]
And dozens more are listed on the main (CLI) page for Windows, iOS, OSX and so on... Only caveat is that it doesn't encrypt the website's name, only the password. There's https://github.com/alpernebbi/pass-code [github.com] which lets you encrypt/obscure those as well. And I do believe it should work fine with the extensions... But I just never bothered to check.
compiling...
(Score: 2) by MichaelDavidCrawford on Tuesday February 05 2019, @06:23AM
You say that like it's a bad thing.
Yes I Have No Bananas. [gofundme.com]
(Score: 0, Troll) by aristarchus on Tuesday February 05 2019, @07:14AM (1 child)
My username and password, that lead the nefarious dark-webber to my horde of aristarchus submissions on SoylentNews? Should be able to sell those for beau-coup bucks on the internets! I mean, according to some website I have visited, an aristarchus submission getting over a hundred comments, and over 1K views, is worth $2.50 to Google Doubleclit Adsensorium, if the SN was doing stuff like that. So who, besides Runaway, puts personally identifiable stuff on the internets? My bank knows who I am, because I show them my face, and the currency in real-time reality. Now, if I had some bit-coin, and my name was Donald, all that would change.
(Score: 2, Funny) by Anonymous Coward on Tuesday February 05 2019, @11:38AM
So you run the fake donald trump account! BUSTED!!!!
(Score: 1, Interesting) by Anonymous Coward on Tuesday February 05 2019, @01:35PM
the bank manager got a fat book for Christmas
now if some suspect order arrives via email, she asks me for the word on page 414, 5th line from top and then the 5th word, or 414-5-5.
which is "awesome" ^_^