Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
You must log in or # to comment.
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
Also 2FA. You’ll still want to change passwords but it buys you time.
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?
I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than english can also greatly increase the resistance to dictionary attacks.
your email (to be able to recover your password for the password manager)
If your password manager has a password recovery mechanism, that means your key is stored on the server and would be compromised in a breach. If that’s the case, I highly recommend changing password managers.
The ideal way a password manager works is by having all encryption done client-side and never sending the password to the server. If the server cannot decrypt your password data, neither can an attacker. That’s how my password manager works (Bitwarden), and I highly recommend restricting your options only to password managers with that property.
If you need a backup, write it in a notebook and keep it in a safe. If your house gets broken into, change your password immediately before the thief has a chance to rifle through the stuff they stole. My SO and I have shared passwords to all important credentials, so that’s out backup mechanism.
throwing in a special character
Okay, but hackers don’t have to know whether I used special character or just lowercase? Or am I stoopid?
As always, the most secure password is the least convenient and accessible. It’s a trade off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.
Longer is better…giggitty.
I use a “password pattern”, rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place
So when someone figures out your rule he has all the passwords
That is assuming that someone will sit there and try to decrypt password rules for that specific person. Chances of that happening are basically 0, unless they are some sort of a high interest person.
If there’s a leak with multiple services, it’s possible some script kiddie will flag it as having a pattern. I’m guessing the rule is simple enough that an unsophisticated attacker could figure it out with several examples.
It’s way better than reusing passwords, but I don’t think it’s better than a password manager, and it takes way more effort esp given all the various password rules companies have (no special characters, must have special character, special character must be one of…). If you’re paranoid, use something like keypassxc that’s just a file.
-
figure out the rule
-
figure out the services
-
figure out the usernames
-
What’s more likely, a password manager gets a breach or someone targets only me and manages to find out multiple passwords across multiple services and cross compares them works out what the random numbers and letters mean…
I don’t know your rule, but when I hear this, usually it includes the name of the service or something, so a script kiddie armed with a levenstein distance algo could probably detect it.
That said, the “safer than the person next to you” rule applies here. You’re probably far enough down that list to not matter.
As for password manager breaches, the impact really depends on what data the password manager stores. If all decryption is done client-side and the server never gets the password, an attacker would need to break your password regardless. That’s how Bitwarden works, so the only things a breach could reveal are my email, encrypted data, and any extra info I provided, like payment info. The most likely attack would need to compromise one of the clients. That’s possible, but requires a bit more effort than a database dump.
No you are right, your method is stronger than using a password manager hahaha of course there will never be a targeted attack or anything like it
And when that password manager gets cracked?
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
LastPass recently, check Addie Lamarr’s channel on YouTube.
LastPass is the maximum shit. They got hacked like 3 times in a year and my company‘s password notes got leaked.
We are now with Bitwarden and this was the biggest security hardening measure we have taken.
Make sure whatever password manager you use doesn’t store the key on their servers. Bitwarden does this correctly (if you lose your PW, Bitwarden can’t recover it), and I’m sure some competitors do as well. LastPass apparently didn’t.
Yeah, I left LastPass after like 15 years when I’ve come across some news headlines that it had got breaches more than once while I was using it O.o
Been a happy user of Bitwarden for a couple years now. I love that little “copy custom field name” function, so I don’t have to go hunting around in the HTML code if a site is using weird field names.
Just as an example, 1Password has a secondary encryption key that they can’t even recover. If you lose it, you’re fucked. I doubt the chances of that being cracked are any good at all.
Bitwarden has no secondary key, and the master key is never sent to the server. All they get is an email address and encrypted data. If you forget your key, your passwords cannot be accessed, which means an attacker is screwed too.
There are tons of ways to give yourself ways to “recover” your password that don’t compromise you in a breach scenario:
- logged in devices - they have the key decrypted and can generate a new one, re-encrypt, and overwrite the data server-side
- store a physical copy of the password at home somewhere (notebook?)
- share passwords with a trusted person (SO) for critical shared accounts
- securely store an unencrypted backup of your password vault (say, on a personal computer with full disk encryption)
Maybe that’s how 1password works, idk, but I do recommend verifying that there’s no password recovery option on whatever password manager service you use.
deleted by creator
Yes and no; they have their own issues:
https://cybersecuritynews.com/hackers-weaponize-keepass-password-manager/
I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
I’ve only really been in one breach. This one is actually a breach of a “security firm” (incompetent idiots) who aggregated login data from the dark web themselves, essentially doing the blackhats’ work for them.
This is also EXACTLY why requiring online interactions to be verified with government ID is a terrible idea. Hackers will similarly be able to gain all possible wanted data in a single location. It’s simply too tempting of a target not to shoot for.
You’ve only been in one breach that you know about so far!
I currently have 110 unique user+password combos. I wouldn’t want to change all those even once, if I were breached and had used similar credentials everywhere.
Bitwarden keeps them well managed, synced between devices, and allows me to check the whole database for matches/breaches via haveibeenpwned integration. Plus because I prefer to keep things in-house as much as possible, I even self-host the server with vaultwarden walled off behind my own vpn, instead of using the public servers. (this also means it’s free, instead of a paid service)
For everyone else reading, bitwarden is an open source free password manager. The pro features are less password related and more about sharing access, file storage, and 2fa authenticator integration
Fair point.
The self-hosting part was mostly about total control over my own systems and less about the paid features. It’s very much not necessary.
As far as pro features go, It was the TOTP authenticator integration that was kind of important to me. ~20% of my accounts have TOTP 2fa, and bitwardens clients will automatically copy the latest 2fa code into the clipboard when filling a password.
Bitwarden will even tell you if a saved account could have 2fa (the service offers it), but it’s not setup/saved in bitwarden atm.
Lucky you, I’ve been in at least 21 confirmed breaches so far.
Which I don’t really care about, as I’ve been using unique passwords and a manager for well over two decades now. 178 of them, currently. …half to websites that probably died a decade ago.If you think you’ve only been in one breach, you’re probably mistaken or very young. I don’t know how many breaches I’ve been involved in, but it’s at least double digits.
I’m American, and my Social Security number has been leaked multiple times. Each time I’ve done everything possible to secure my accounts (random passwords, TOTP 2FA where possible, randomized usernames, etc), yet there’s always a new breach that impacts me.
I’m not too worried though. My important accounts are pretty secure. I use one of the few banks (brokerage actually) that provides proper 2FA. My email and password manager use 2FA. My credit is frozen. Breaches happen, the important thing is to limit the impact of a breach.
Don’t download shit from random websites… make sure its from legit places…
legit places…
My university, 23andMe, Transunion, Equifax, CapitalOne, United Healthcare…
You shouldn’t download KeePass from any of those.
Legit means the keepass website… those are not legit places to download the password manager
Yeah UHC sold my data as soon as I was put under their coverage. Now I get so many phishing emails pretending to be from UHC.
These kinds of breaches are at the site level. Not much you can do as a regular user if the company doesn’t hash or salt their passwords, for example.
I believe they are replying to the article you posted in regards to the download from legit sites comment, not the fact that the sites have shit web practices (which while correct is a different thing).
To the people who didn’t read the article posted in the comment prior, basically the software installed wasn’t the legitimate software, it was a modified software that was a trojan that was forwarding passwords stored in the keepass database to a home server.
That’s not something that the sites are going wrong, nor is it the password managers fault. That’s fully the users fault for downloading a trojan.
Not from what the article says
involves compromised download links and trojanized versions of the legitimate KeePass application that appear identical to the authentic software on the surface, while harboring dangerous capabilities beneath.
Oh, so don’t use unique passwords? Sure buddy.
deleted by creator
A password manager is still a good idea, but you have to not use a hacked one. So only download from official sites and repositories. Run everything you download through VirusTotal and your machine’s antivirus if you have one. If it’s a Windows installer check it is properly signed (Windows should warn you if not). Otherwise (or in addition) check installer signatures with GPG. If there’s no signature, check the SHA256 OR SHA512 hash against the one published on the official site. Never follow a link in an email, but always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
Doing these things will at least reduce your risk of installing compromised software.
The company I work for forces everyone to do a training every year that goes over all of that and a few others. I assume most larger companies do the same.
None of this has anything to do with password managers, but knowing how to install stuff properly.
Stuffing? Just in time for the holiday season!
moans “stuff me santa”
Santa: “we are skipping that house”
Why did you censor yourself in the title?
Probably because they primarily live in a censorship world, be it digital or in-person, and change is difficult for most people.
Pratchett fan
They’ll censor “fucking”, but still use the Lord’s name in vain. smh.
No one gave you the memo?
what ******* memo?
The thing about this one is no one seems sure of the source (it appears to be from multiple sources, including infostealer malware and phishing attacks), so you don’t know which passwords to change. To be safe you’d have to do all of them.
Some password managers (e.g. Bitwarden) offer an automatic check for whether your actual passwords have been seen in these hack databases, which is a bit more practical than changing hundreds of passwords just in case.
And of course don’t reuse passwords. If you have access to an email masking service you can not only use a different password for every site, but also a different email address. Then hackers can’t even easily connect that it’s your account on different sites.
How do they do that without sending your actual passwords somewhere off your device, or downloading the full list of hacked passwords?
They probably hash the list of hacked passwords the same way your passwords get hashed and check for matches.
Interesting, thanks!
More details about the k-anonimity process. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
The short answer is that they download a partial list of passwords that hash to values starting with the same 5 characters as yours and then check if your password hash is in that list locally. This gives the server very little information about your password if it was not breached and more if it was (but then you should change it anyway), making an elegant compromise
They connect to the Have I Been Pwned database in a secure way.
They make a hash of your password and send just the first characters.
Let’s make a master list of all the emails leaked with their passwords, what could go wrong?
That’s not how it works
It’s exactly how it worked. A company called synthient made a master list with all the leaked emails + all leaked passwords. Then they were hacked and it leaked
Synthient wasn’t hacked, as a security company, they aggregated tons of stealer logs dumped to social media, Telegram, etc.
They found 8% of the data collected was not in the HIBP database, confirmed with some of the legitimate owners that the data was real.
They then took that research and shared it with HIBP which is the correct thing to do.
I was also thrown off by the title they gave it when I first saw it, a security company being hacked would be a terrible look. but they explain it in the article. Should probably have named it “list aggregation” or something.
so why hibp calls them data breach??? Ultra misleading, almost defamation, everyone including me only reads the headlines
But then nothing has changed if they were just collating what was already leaked.
God fucking dammit, I fucking hate seeing people self-censor themselves on the internet.
deleted by creator
I use utterly unique and very long passphrases for the most important stuff (banking, mortgage servicing, email, etc.), 2FA for those and most other things, and just throwaway crap passwords for things I don’t care about (web forums and most everything else).
This is why my password is hunter2, no one can see what is says under the asterix,
(it’s asterisk)
for anyone who doesn’t get the reference, it’s an ancient Bash chatlog: https://knowyourmeme.com/memes/hunter2
Proud that my only pwned password is three decades old.
I’ve been “pwned” four times.
None of them due to my end. Every single fucker was a piss poor company security
Yeah gotta make sure you never use the same password in multiple places, use a password manager.
Comprised of email addresses and passwords from previous data breaches,
So these are previously “hacked” data, and now the aggregator has been hacked?
The aggregator wasn’t hacked, they essentially hacked the hackers and put together this list. This ain’t a data breach per se, it’s just putting together a bunch of past breaches and patching it up to HIBP.
Ah, gotcha. Thanks.
Apparently my email was included in this breach, but none of the passwords I used with it were (before I started using randomly generated ones).
Possibly related question. Layely I’ve been getting email ‘replies’ from various businesses and services (all over the country, USA) all about an ‘inquiry’ that I never made. Apparently someone just got my email address and is using that for – what ? A couple questions:
** What is that someone up to, why doing that?
** Should I do something about that?
** What could I do? Don’t want to change email address.
That’s just your email address being sold by information brokers. Not illegal, not a reason to change your email address. Block, delete & move on.
Is there any info regarding how old this data is?
The breach occurred in April 2025.
During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords. Working to turn breached data into awareness, Synthient partnered with HIBP to help victims of cybercrime understand their exposure.
This was added to Have I Been Pwned on Nov 6
Are we supposed to pronounce the two "data"s differently when reading aloud? Asking for a friend…
