Archive of 1.4 billion credentials in clear text found in dark web archive
A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ. The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The …
COMMENTS
-
-
-
-
Tuesday 12th December 2017 11:47 GMT Wensleydale Cheese
Re: 12345? That's amazing, I've got the same combination on my luggage!
"123 here for me."
No problem. If you have a two lock case you can go one better - the other can be 456.
I went one better in the 90s, and used my 6 digit home phone number for a briefcase.
I then changed jobs and found I didn't need a briefcase any more. I also moved house.
Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.
I finally dug it out of an old CV that was lying around on my hard drive.
-
Tuesday 12th December 2017 12:13 GMT Roland6
Re: 12345? That's amazing, I've got the same combination on my luggage!
"Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.
I finally dug it out of an old CV that was lying around on my hard drive"
Know the feeling. I've got a whole bunch of encrypted files scattered through my projects archive; I simply wrote the passphrase in the margin of my then current notebook/diary. If I ever want to access these files and the disk is still readable, it will be a long skim read through my old notebooks/diaries...
-
Tuesday 12th December 2017 14:47 GMT Anonymous Coward
Re: 12345? That's amazing, I've got the same combination on my luggage!
"...I finally dug it out of an old CV that was lying around on my hard drive"
You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average.
-
Tuesday 12th December 2017 17:40 GMT Wensleydale Cheese
Re: 12345? That's amazing, I've got the same combination on my luggage!
"You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average."
Full marks to Apple's Spotlight in this case.
I did a search for content using my old street name and Spotlight came up with that CV in a matter of seconds.
Brute forcing the lock turned out to be unnecessary.
-
-
-
-
-
Tuesday 12th December 2017 09:57 GMT Muscleguy
Re: 12345? That's amazing, I've got the same combination on my luggage!
My wife uses her birthday. A friend she sometimes stays with to help with the kid has her alarm similar so Mrs Muscleguy can remember it.
Unsurprisingly having married someone with a very good memory she leans on me a lot to remember stuff. My sisters were amazed that I could still remember our phone number for the house we lived in in Southern NZ in the mid 1970s and the next house too. Some things just stick in my mind. I never actually tap it in any more but my wife's mobile # she has had since the '90s is burned into my mind too.
-
-
Tuesday 12th December 2017 03:18 GMT eldakka
Has an analysis of the types of accounts been done?
Over the decades of the internet, I've created thousands of 'throw-away' accounts that have used simple passwords along those lines.
Temporary email accounts, one-off accounts on a site that I must register for (and that required me to create a 2nd account - one-off email account - to receive the registration email for) that I felt some one-off need to comment on that particular article, an account I've never used since on a site I may have never visited again.
For those types of accounts, I'm not going to try a complex password; I'm just going to put in abcd1234 or whatever reaches the minimum password requirements.
Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.
-
-
Tuesday 12th December 2017 08:44 GMT Steve Davies 3
Re: Has an analysis of the types of accounts been done?
A lot depends upon the level of obfuscation you give to the username you are creating.
For example,
RocketMan@eltonj.com
or
SlowMotion@man.co.uk
are low levels of obfuscation,
and
TR6DBP966G@gmail.com
is a higher level.
But easy for you to remember if you had a Triumph TR6 with the registration number DBP966G
and finally
Df_Rg!Th$Y&jU@hotmail.com
is higher still but pretty well impossible for a human to remember so it gets written down somewhere... Doh!
-
-
-
Tuesday 12th December 2017 15:02 GMT Andy The Hat
Re: "The only password phrase to remember is that for Keepass."
Only hypothetical issue is the password/keystroke grabber trojan inserted into the apparently valid download file by some script kiddie. Instead of hitting only one password you can get tens.
The question being, is that a valid scenario for such password vaults?
My password vault was used to contain only memory hints to the passwords as I never knew whether the vault itself was secure or purely an obfuscated pipe to a central server ...
-
-
This post has been deleted by its author
-
Monday 18th December 2017 16:47 GMT Charles 9
Re: Has an analysis of the types of accounts been done?
"For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe."
Or your spouse who ALSO knows the combination...or a close associate of yours who cleans enough to figure it out and knows what's at stake.
"Software is not secure. Wise up. Don't become a statistic."
Neither's the safe if you have family or a significant other. Put it this way. If someone REALLY wants to get you and you have a bad memory, you're basically screwed because your adversary can out-memorize you.
If software's not secure, why does the government (including the security sectors) use it? Put it this way, if someone can break KeePass, they'd find bigger fish cracking government communiques that use the same algorithms.
-
-
-
This post has been deleted by its author
-
Tuesday 12th December 2017 12:01 GMT Cuddles
Re: Has an analysis of the types of accounts been done?
"but pretty well impossible for a human to remember so it gets written down somewhere... Doh!"
Why do people keep insisting that writing down passwords is in some way a bad thing? The vast, vast majority of hacks are done remotely. A post-it note on my desk is just about the safest possible place to store a password, because I can guarantee no hacker will ever see it (no, I don't have a webcam or any other connected bullshit that could expose it). Even if I get particularly unlucky and someone breaks into my house, the chance of them caring about some passwords or having the connections to sell it (or finding a buyer who actually cares about a single person's password when billions are available online) are essentially zero; they're just going to nick the TV and whatever else they can easily flog to a mate.
A workplace where you don't want all the random people wandering around to have access to your passwords is a bit of a different matter, but since we were talking about accounts created for personal use that's not so relevant.
As it happens I actually use a password vault because I'm willing to trade a bit of security for the convenience of not having to carry a stack of post-it notes around with me. Also, with my handwriting post-its would make my credentials so secure that even I would never be able to use them.
-
Tuesday 12th December 2017 15:50 GMT Naselus
Re: Has an analysis of the types of accounts been done?
"Df_Rg!Th$Y&jU@hotmail.com
is higher still but pretty well impossible for a human to remember"
Speak for yourself. I named my daughter Df_Rg!Th$Y&jU@hotmail.com and so, in my case, I feel it would be a rather obvious username to go with.
-
This post has been deleted by its author
-
-
-
Tuesday 12th December 2017 08:51 GMT sorry, what?
Re: Has an analysis of the types of accounts been done?
Personally, I use mailinator.com accounts, where there are no passwords, and fake names when doing this sort of forced registration. The only stuff sent to these accounts is marketing trash or offer codes etc., neither of which will be particularly troublesome for someone else to access.
Because there's no password at all, and the account names relate to the site being accessed along with fake names etc. I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D
-
Tuesday 12th December 2017 11:56 GMT Anonymous Coward
Re: Has an analysis of the types of accounts been done?
"I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D"
I do have a degree in psychology and can think of no particular area I studied which would help here.
A PhD in the study of subconscious habits and thought patterns might do the trick.
-
-
Tuesday 12th December 2017 17:36 GMT William Towle
Re: Has an analysis of the types of accounts been done?
> Just like those Irish folk are always trying to inject SQL on me with their O'this and O'that.
My colleagues and I were discussing the problem with handling that recently, and noted there didn't seem to be a catchy name for it.
I suggested that in keeping with "the Emergency" and "the Troubles" (and so on) that it should be called "the O'Bother".
-
-
This post has been deleted by its author
-
-
Tuesday 12th December 2017 23:26 GMT Kiwi
Re: Has an analysis of the types of accounts been done?
"Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses."
Same here. Not thousands maybe, but could be hundreds.
Plus, with my hatred of farcebroke but an occasional liking to find others, I've now had at least a couple of dozen single-sign-in (no, not single-sign-ON) FB accounts that were used once: search the name, close the private window, never remembered the password again. Or the account name etc.
-
-
-
Tuesday 12th December 2017 13:03 GMT Prst. V.Jeltz
That is actually a pretty good idea. If my email address (and quite possibly password) is on a dark web archive that is actively in use, I'd like to know!
And it's not like the dilemma of removing botnet clients from machines, where you're actually changing the machine, and therefore breaking the law / could be responsible for god knows what breaking.
It's just an email. I guess there are probably some spam laws that will rule this out.
-
Tuesday 12th December 2017 13:43 GMT Anonymous Bullard
Today is your lucky day: https://haveibeenpwned.com
-
Tuesday 12th December 2017 14:33 GMT Prst. V.Jeltz
Thanks. I didn't really trust that site before so hadn't tried it. I have now, and lo and behold:
"In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords."
and also
"Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump."
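As an added example (not code from the article or from any commenter), this is the k-anonymity lookup that haveibeenpwned's Pwned Passwords service uses for checking a password rather than an email address: only the first five hex characters of the password's SHA-1 are sent, and the full hash is matched locally against the returned range. The endpoint URL, the sample range response and its counts are assumptions constructed for this example, not values from the page.

```python
import hashlib
import urllib.request

# Constructed stand-in for one Pwned Passwords "range" response: each line is
# the remaining 35 hex characters of a SHA-1 hash plus how often it was seen.
# The last suffix belongs to SHA-1("password"); all the counts are made up.
SAMPLE_RANGE_RESPONSE = """\
0018A45C4D1DEF81644B54AB7F969B88D65:1
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
"""

def split_sha1(password: str) -> tuple:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}, ignoring blank lines."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """Times the password appears in the corpus (0 if absent). Only the
    5-char prefix leaves the machine; the full hash is matched locally."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def sample_fetch_range(prefix: str) -> str:
    """Offline fetcher that serves the constructed sample for its one prefix."""
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""

def live_fetch_range(prefix: str) -> str:
    """Network lookup against the assumed endpoint (not exercised offline)."""
    url = "https://api.pwnedpasswords.com/range/" + prefix
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    print(breach_count("password", sample_fetch_range))  # 3861493 in the sample
```

Swap `sample_fetch_range` for `live_fetch_range` to query the real service; a non-zero count means the password has appeared in a public dump and should be retired.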
-
-
-
Tuesday 12th December 2017 14:43 GMT Jamie Jones
At the last place I worked, an automated password cracker was used that did email users if their password had been cracked.
These were internal users, on the corporate network.
This led to one support ticket that simply read: "How do you know my password is 6inches? Have you or your staff ever slept with me?"
True story!
-
-
Tuesday 12th December 2017 07:45 GMT Jin
Not because we are silly or lazy.
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomenon called "interference of memory", by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
-
-
Tuesday 12th December 2017 13:06 GMT Prst. V.Jeltz
Re: Not because we are silly or lazy.
That's what I do, but I keep the formula for blending the domain name in my head, so I can easily work out what my password for a given site is - and I need to up the algorithm a bit to make it more secure.
If a "password masher" is going to produce a result that means nothing to you, why base it on the domain? Surely random would be better?
-
This post has been deleted by its author
-
-
-