  • CitoDay breach

      • #2312953
        MWmC
        AskWoody Plus

        Good morning. I got an email warning me about a possible massive breach, directing me to Troy Hunt's ever-helpful site:
        https://haveibeenpwned.com/

        It seems that this “breach” may just be a packaging of earlier breaches (I know, for example, that I was caught up in the 2016 LinkedIn breach, 2012 Dropbox breach, and 2013 Adobe Creative Cloud breach), but I went ahead and changed passwords related to that email address for “material” accounts (banking, finance, e-commerce, government) just in case.

        That’s probably an excess of caution, but I know that there are many real experts on this forum, and I was wondering what your take was.

        1 user thanked author for this post.
      • #2312997
        Kirsty
        Da Boss

        Troy has a very good history of alerting people before they are subject to the effects of such breaches. Changing your passwords is a darned good idea, when given such a warning 🙂

        But do make sure you use a strong password – see yesterday’s blogpost, the comments to that blog, and the many other topics on AskWoody.

        And just for a test, you can paste a sample password to check its strength:

        @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
        It’s worth checking this out:
        https://howsecureismypassword.net/

        4 users thanked author for this post.
        • #2312999
          MWmC
          AskWoody Plus

          Thank you! I use 1Password and try to use 32 characters or more for my passwords. I am always astonished by the limitations on some sites, however. Macys.com, for example, only allows 16 characters, and limits the characters you can choose. That wouldn’t be so bad if they allowed some form of 2FA or MFA. But of course they don’t.

          I’m CTO for a financial company (capital markets), and our systems allow up to 255 characters (the amount to which we salt anyway).

          Some sites just haven’t gotten the memo about security.

          1 user thanked author for this post.
        • #2313064
          Paul T
          AskWoody MVP

          you can paste a sample password to check its strength

          Sadly the “howsecureismypassword” site is not up to scratch for a security site.

          They don’t tell you how they calculate the time taken to “crack” a password. As an example, the same password on the GRC test page shows around 1.5 trillion years vs 37 billion years on HSIMP – although both show a 16 character password is effectively un-guessable.

          They are wrong when they state “Password managers can generate and store uncrackable passwords”. All passwords are crackable.

          They recommend only one commercial password manager and claim it’s free without qualifying what is actually free – no more than 50 passwords.

          cheers, Paul

          • #2313078
            Kirsty
            Da Boss

            I see the site is now under the umbrella of security.org, and no longer has a link to Mark’s work that underpinned it (or even acknowledges it).

            The concept of highlighting that a short, uncomplicated password gets cracked quicker than a longer, more complex password is easily highlighted by those sites, even though it doesn’t go into the scientific background to it.

      • #2313012
        Alex5723
        AskWoody Plus

        but I went ahead and changed passwords related to that email address for “material” accounts (banking, finance, e-commerce, government) just in case.

        Changing the password for a pwned email won’t help you at all vs spammers, ransomware, phishing mails…

      • #2313026
        anonymous
        Guest

        Alex, but doesn’t changing the password on a pwned email keep the baddies out of the control panel? At least if they had picked the lock? When I checked my AOL at Have I Been Pwned the email was data breached (x2) but the password checker there came back clean (changed it again anyway)…

        1 user thanked author for this post.
        • #2313037
          Kirsty
          Da Boss

          It won’t stop the arrival of malspam, where the address has already been shared by the spammers. But you are quite correct, changing the password stops them from logging into your webmail with the original password, and changing all your settings!
          🙂
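          As an added example (not code from this thread or from haveibeenpwned.com), this is how the HIBP password checker mentioned above can be queried without ever sending the password: only the first five hex characters of its SHA-1 go to the range API, and the client matches the remaining suffix locally. The range response here is constructed and the fetch function is a stand-in for the real HTTP call.

```python
from __future__ import annotations
import hashlib

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of a password into the 5-char prefix that is
    sent to the range API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response ("SUFFIX:COUNT" per line) into {suffix: count}.
    Malformed lines are skipped; padding entries (count 0) are kept so that a
    suffix match with count 0 still reads as 'not breached'."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        suffix = suffix.strip().upper()
        if not sep or len(suffix) != 35 or not count.strip().isdigit():
            continue
        counts[suffix] = int(count.strip())
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the corpus (0 if never seen).
    fetch_range(prefix) must return the response body for that prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed sample response (not real API data) keyed by prefix, standing in
# for the network call. It holds a filler suffix, our sample weak password
# (pretending it was seen 123456 times) and a padding entry with count 0.
SAMPLE_WEAK = "password123"  # constructed sample, chosen to be obviously weak
_WEAK_PREFIX, _WEAK_SUFFIX = sha1_prefix_suffix(SAMPLE_WEAK)
_SAMPLE_RESPONSES = {
    _WEAK_PREFIX: "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",   # constructed filler suffix
        f"{_WEAK_SUFFIX}:123456",                 # constructed count for SAMPLE_WEAK
        "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0",   # constructed padding entry
    ]),
}

def fake_fetch_range(prefix: str) -> str:
    # A real lookup would be: GET https://api.pwnedpasswords.com/range/<prefix>
    # (with header "Add-Padding: true"); here the constructed table stands in.
    return _SAMPLE_RESPONSES.get(prefix, "")

if __name__ == "__main__":
    for pw in (SAMPLE_WEAK, "correct horse battery staple 2020"):
        print(f"{pw!r}: seen {breach_count(pw, fake_fetch_range)} times")
```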

      • #2313050
        anonymous
        Guest

        Thank you, Kirsty. What an understatement. The AOL account has been awash in (politely) “malspam,” from some of the best in the business such as AS203087 (scam score 100%) and AS28907 (88%) among hundreds of others.
