Password cracked in two hours
Friday, March 15, 2019
Let's talk about data leaks—a cause of ever-growing concern for many users.
A cybercriminal going by the alias Gnosticplayers put up for sale on the Darknet marketplace another lot of stolen databases; it’s the third time he’s done this. This time he’s offering potential customers user data from GfyCat, Legendas.tv, Jobandtalent, Onebip, StoryBird, StreetEasy, ClassPass and Pizap. It bears mentioning that none of the owners of those sites and databases have disclosed a data breach.
Can you say with absolute certainty that your data hasn't been compromised? "None of the owners of those sites and databases have disclosed a data breach". But that's not what we are talking about right now.
We constantly recommend to users that they change their passwords, but we also understand very well that people are too lazy to do that. There exists another option. Whenever a data breach is admitted to the general public, you may try to learn whether your credentials are present in the leaked databases. But few users can accomplish that: data gets compromised regularly, and keeping track of all the breaches, obtaining the databases, and dealing with the variety of data storage formats is not an easy task…
But there is also one more option. Some sites offer visitors the opportunity to check whether their address appears in leaked databases.
Important! We’ve already mentioned that using sites of this kind is like playing Russian roulette: you can never tell whether you are submitting your data to search a database or are in fact revealing it to scammers.
Fraudsters launched a fake “Have I been pwned” site and demanded that visitors pay a bitcoin ransom to make sure their passwords wouldn't be revealed.
Similarly to the legitimate “Have I been Pwned” project, the site invites users to enter their potentially compromised email address. But after that the site would display account passwords in plain text and demand that the user pay the equivalent of $10 in bitcoin to hide their compromised account password.
One of the most popular sites where you can check whether your passwords have been leaked: haveibeenpwned.com. By the way, according to the project's author, people keep divulging their current passwords on third-party sites even though they have been warned against doing so.
You can check the data manually by entering the information in the query field or via the API.
The API offers a more sophisticated procedure: instead of sending the password, the client sends only a short prefix of its SHA-1 hash as the key. The server returns the remainders of all hashes in its database that begin with that prefix, and the comparison against the full hash of the password is performed locally. For example, if "test" is the password we need to check, the API returns only SHA-1 hash fragments with the prefix stripped, never the password or its full hash.
With the API, administrators can automate the verification. By the way, Mozilla also uses an API in a similar project: monitor.firefox.com.
Users may find this service more convenient because it provides information about the sites from which emails and passwords were stolen as well as the dates when the breaches occurred. It looks like my primary address was leaked five times in 2011-2013.
Passwords can be checked too. But should you really do that?
A common joke:
– Master, I have created a strong password that no dictionary has a record of.
Yin Fu Woe nodded.
– I searched for it in Google, – the student continues, – and now I'm confident that no mention of it exists on the Internet.
– Now there is one.
Another important detail: even if you have verified that your password is not among those that have been leaked, do not lower your guard.
The sites only contain information about well-known data breach incidents and publicly available databases.
The Anti-virus Times recommends
You can never know for a fact that your credentials haven't been leaked. Even the companies whose servers store your data may be unaware that a leak has occurred. Remember that "none of the owners of those sites and databases have disclosed a data breach".
Do not use short and weak passwords:
HashCat, an open-source password-recovery tool, can now crack an eight-character Windows NTLM password hash in less than 2.5 hours regardless of how strong the password is.
Within 2.5 hours of breaking into a computer, an intruder will learn all the passwords whose length is shorter than 9 characters!
And we strongly advise users against transmitting their logins and passwords unencrypted over any network.