711 million email addresses and passwords dumped.

He owns a database with almost 5 billion user accounts in it. Security researchers send him the latest dumps to add to the db all the time; there are even some where he is one of only a handful of people who have access to the data dump.
If he did want to sell email addresses he'd make much more from selling access to that database than he would harvesting from people who use the site and risking being implicated and losing the updates he gets for that database.

Unless he gets hacked. :)

The Wikipedia page confirms what is on his actual website, which I linked in my original post.

I think you are missing the point that just because it's on Wikipedia doesn't mean it's true. I'm not saying it's not true. But you always have to take Wikipedia with a pinch of salt until you have a variety of independent sources of the same information (that means not re-quotes of the same information).

https://en.wikipedia.org/wiki/Wikipedia:List_of_hoaxes_on_Wikipedia
http://uk.businessinsider.com/wikipedia-longest-running-hoax-2015-10?r=US&IR=T
 

I'm not missing the point at all. I know about Wikipedia and to not take it as gospel. It just makes me laugh that people think the HIBP website is a way of stealing people's email addresses.
 

Lol yeah, as if an email address really matters that much when he's informing you about database leaks.

E.g. Nexus Mods got attacked and all emails and passwords were leaked (I had an account on there some years back)... I know I'd rather type my email into his website and find that out instead of having my **** jacked.
 
...saying Wikipedia confirms something..is kinda of an Oxymoron though...


Yeah, I think you have to assume all databases can be hacked. So you have to compartmentalize your logins as much as possible, so a breach of one doesn't affect another.
 
Not at all true. I find this picture explains it well.
https://xkcd.com/936/

Just to prove the point.

"thisismybankpassword" is actually a very strong password.

Not true. You're ignoring dictionary attacks. Anything with words in it, or even letter/number substitutions, is vulnerable to them. Long passwords with numbers and symbols are best, but any pattern (e.g. words) allows shortcuts through the brute force attack.
 
Exactly.

Also, most people can't remember short phrases, never mind long ones. If I have 50 different passwords I have to start using a pattern. Non-IT people are even worse at it.

One of the ways the enigma was cracked was people are predictable talking about the weather etc.
 
Not true. You're ignoring dictionary attacks. Anything with words in it, or even letter/number substitutions is vulnerable to them.

No he's not.
The maths is simple to work out.
There's 93 different characters you can use in a password, so in the example he posted, a password made up of 11 random characters is:
93 * 93 * 93 * 93 * 93 * 93 * 93 * 93 * 93 * 93 * 93 = 4501035456767426597157

There's 158390 different 5-letter words in english, so to guess a password made of 4 words, you'd need:
158390 * 158390 * 158390 * 158390 = 629377242379142410000
You can see that those numbers are not much different, so I won't bother calculating all the combinations of different length words which could be used, but it's going to be significantly bigger than the number of guesses required for the shorter, random character password.
 
The problem with thinking of it as maths is that people don't think like that. They'll use a phrase they remember: "NextYearWe'llBeMillionaires", not "correcthorsebatterystable".

The issue is not with the maths, but human predictability/ fallibility.

That a multi-word passphrase is better than Pa55w0rd isn't in doubt. But multi-word relies on the length of the phrase and that it's not a predictable phrase.
 
The problem with thinking of it as maths is that people don't think like that. They'll use a phrase they remember: "NextYearWe'llBeMillionaires", not "correcthorsebatterystable".
I don't understand this? Are you suggesting there is some kind of dictionary attack which uses context and works out related words?

That a multi-word passphrase is better than Pa55w0rd isn't in doubt.
That's exactly what robj20 said, and the post I was replying to said he was wrong.
 
I don't understand this? Are you suggesting there is some kind of dictionary attack which uses context and works out related words?


That's exactly what robj20 said, and the post I was replying to said he was wrong.

Ah I should have been clearer. While it's a hell of a lot better than qwerty or 12345 or any other predictable password, my point was that anything with a pattern offers a shortcut to a brute force attack. The example you gave is perfect. It shortens the number of attempts by nearly 4,000,000,000,000,000,000,000. That is not what I'd call "nearly the same", although I agree it's still a huge number of possibilities and offers good security compared to "3xtraCrAzY" or something equally inane. Include the fact that certain words are more likely to be used than others (assuming you don't generate words randomly) and that number gets smaller again.

If we want maximum security, we would avoid any pattern and generate a long password with the largest search space possible and the fewest shortcuts.
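A worked version of the arithmetic in the posts above, added here as an example (it is not code from any poster): it computes the two search spaces quoted in the thread, their difference, and expresses each as bits of entropy. The 2000-word "common words" list is an assumed figure, included to show how far a predictable phrase shrinks the space compared with words picked at random from the full list.

```python
import math

# Models as stated in the thread: a 93-character alphabet for random passwords
# and a 158390-word list of 5-letter English words for passphrases.
CHARSET_SIZE = 93
RANDOM_CHARS = 11
WORDLIST_SIZE = 158390
PHRASE_WORDS = 4
# Assumed size of the "common words" list an attacker would try first
# (a constructed figure for illustration, not taken from the thread).
COMMON_WORDS = 2000


def search_space(alphabet_size: int, length: int) -> int:
    """Candidates to consider when each of `length` symbols is chosen
    uniformly from `alphabet_size` possibilities."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same search space expressed as bits of entropy (log2)."""
    return length * math.log2(alphabet_size)


def shortcut_factor(random_space: int, pattern_space: int) -> float:
    """How many times smaller the patterned space is than the random one:
    the shortcut a dictionary attack gains from knowing the pattern."""
    return random_space / pattern_space


def expected_guesses(space: int) -> int:
    """Average guesses to hit a uniformly random secret: half the space."""
    return space // 2


if __name__ == "__main__":
    rnd = search_space(CHARSET_SIZE, RANDOM_CHARS)
    phrase = search_space(WORDLIST_SIZE, PHRASE_WORDS)
    common = search_space(COMMON_WORDS, PHRASE_WORDS)
    print(f"11 random chars: {rnd} ({entropy_bits(CHARSET_SIZE, RANDOM_CHARS):.1f} bits)")
    print(f"4 random words : {phrase} ({entropy_bits(WORDLIST_SIZE, PHRASE_WORDS):.1f} bits)")
    print(f"4 common words : {common} ({entropy_bits(COMMON_WORDS, PHRASE_WORDS):.1f} bits)")
    print(f"difference (random chars - random words): {rnd - phrase}")
    print(f"shortcut vs random words: {shortcut_factor(rnd, phrase):.1f}x")
    print(f"shortcut vs common words: {shortcut_factor(rnd, common):.2e}x")
```

The absolute difference is the "nearly 4,000,000,000,000,000,000,000" quoted above, but the ratio between the two uniform models is only about 7x; the real loss of strength comes from the common-words case, where the phrase is predictable rather than random.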
 
http://www.netmux.com/blog/cracking-12-character-above-passwords

I work with databases. Often you have to put metadata on text that has not been categorized. It's quite easy to go through millions of records of text and pull out common phrases that categorise the text.
If the hacker has a database of passwords, he also has a database of phrases.

You can imagine that "thisismy%password" is going to be in there a LOT.
 
I think if you had a number of similar passwords from different sites for the same email you might see a pattern for example if you always used elvis lyrics and certain numbers and wildcards.

They probably go through millions of accounts and if they get one success that earns money they probably think that is worth it.
 
Just had a very odd breach. Last night someone used my Greggs account (app on iphone) and topped up £15 through paypal. They then went on to purchase over a tenners worth of stuff in-store. Greggs have cancelled the account, but it makes me think that they have my details and have been trying everything out there to see what it could work with? I wonder if the 'breach' may have had some details linked with Greggs? Just seems odd.
 
Thanks for the heads-up, mine has been breached. 6th time, but the account's an msn.com account, so very old. Think it might be time to ditch it and move to gmail.
 