Use the “passwords” feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They’ll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
Let’s make a master list of all the emails leaked with their passwords, what could go wrong?
BombOmOm@lemmy.world 11 hours ago
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
blazeknave@lemmy.world 2 hours ago
Also, length is most of what matters. A full-length sentence in lowercase with easy-to-type finger/key flow for the pw manager master, and don’t know a single other password. Can someone correct me if I’m wrong?
Vigge93@lemmy.world 1 hour ago
I’ve found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but throwing in a random capitalization, a number or two, and some special character will also greatly increase the required search space. Using uncommon words, or words in languages other than English, can also greatly increase the resistance to dictionary attacks.
artyom@piefed.social 10 hours ago
And an email alias.
stealth_cookies@lemmy.ca 4 hours ago
I hate how many places don’t allow for + aliases. I want to know who leaked my email.
wreckedcarzz@lemmy.world 9 hours ago
Catch-all address 😎
BrianTheeBiscuiteer@lemmy.world 9 hours ago
Also 2FA. You’ll still want to change passwords but it buys you time.
Dave@lemmy.nz 10 hours ago
Don’t forget unique email addresses. I’ve had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I’m pretty sure was the company selling my data). I can block those addresses and move on with my life.
My old email address from before I started doing this still receives 10+ spam emails a day.
BitsAndBites@lemmy.world 8 hours ago
I’ve started using {emailaddress}+{sitename}@gmail.com, e.g. myemail+xyzCompany@gmail.com
That way I can at least see who sold my info. I wish I would have started doing this long ago though. Some sites don’t let you use the plus symbol even though it’s valid.
Malfeasant@lemmy.world 6 hours ago
And when that password manager gets cracked?
KairuByte@lemmy.dbzer0.com 2 hours ago
Just as an example, 1Password has a secondary encryption key that they can’t even recover. If you lose it, you’re fucked. I doubt the chances of that being cracked are any good at all.
ayyy@sh.itjust.works 5 hours ago
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
echodot@feddit.uk 4 hours ago
I seem to remember that the passwords were encrypted, so all they got was the passwords people use for their password manager, which, because people were using the password manager and therefore had random passwords, didn’t really matter hugely.
realitista@lemmus.org 11 hours ago
Which one works on all browsers including mobile safari and mobile Firefox?
sc2pirate@lemmy.world 11 hours ago
Bitwarden has been good for me, but I actually don’t know about safari…
stealth_cookies@lemmy.ca 4 hours ago
Not an iOS user, and it certainly seems like something they would be behind on, but with Android every password manager with an Android app will work since the hooks are built directly into Android. Other than websites and apps that don’t implement passwords properly, it works pretty well.
Pika@sh.itjust.works 11 hours ago
KeePass does a pretty decent job. I have KeePassXC on my Windows, Debian and Android devices. On Android it’s integrated into the phone (and the autofill service if actual 2FA isn’t supported in the app) so it works in every application. With iOS, though, I know they can be a stickler on anything remotely technical, so I’m not sure if something similar exists for it. I also use Syncthing as the service to make sure the same copy of the database is on each device, to avoid having to use a password manager that requires a subscription for a cloud service; this also minimizes my risk of a cloud service being compromised.
CrazyLikeGollum@lemmy.world 8 hours ago
For mobile safari Bitwarden (and I think a number of others, but Bitwarden’s the only one I can speak to) ties into Apple’s password management system for autofill and password generation. Still have to use the app or webpage (either Bitwarden’s official site or self-hosted vaultwarden) for more in depth management.
For mobile Firefox, on iOS it’s the same as Safari. On Android you can either use the Bitwarden add-on or use it with the app and Android’s built-in password management system just like on iOS.
Since you mentioned “all browsers”: for Chrome/Chromium-based browsers there is also an add-on for both mobile and desktop. For Internet Explorer and pre-Chrome Edge I don’t believe there’s an add-on, but it can still work; it’ll just be more of a pain since autofill either won’t work or will be spotty. You’ll probably be relying on the standalone desktop app.
On MacOS it integrates with Apple’s password management, so no need for an add-on on desktop safari.
For other browsers, you’ll probably have to use the desktop app and manually copy/paste just like for IE.
I also remember seeing some third-party integration for the windows terminal app and various Linux terminals, but I can’t really speak to their quality or functionality since I haven’t used them. But that would probably cover your needs for terminal based browsers like Lynx.
haulyard@lemmy.world 9 hours ago
Heard great things about bitwarden. I’ve personally been using 1Password for over a decade.
BombOmOm@lemmy.world 11 hours ago
I’m a big fan of the Keep It Simple method, and went with Password Safe. Works on Linux, Windows, iOS, and Android. Its big thing is that it just makes an encrypted password file, which you can then sync between devices however you like (Box, Dropbox, etc.).
It has an auto-type and copy feature, so no need for browser support.
paraphrand@lemmy.world 11 hours ago
Keychain should work in both now. (iCloud passwords)
Kyrgizion@lemmy.world 11 hours ago
Yes and no; they have their own issues:
cybersecuritynews.com/hackers-weaponize-keepass-p…
Godort@lemmy.ca 11 hours ago
I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
Joeffect@lemmy.world 11 hours ago
Don’t download shit from random websites… make sure it’s from legit places…
paraphrand@lemmy.world 11 hours ago
Oh, so don’t use unique passwords? Sure buddy.
floofloof@lemmy.ca 11 hours ago
Only download from official sites and repositories. Run everything you download through VirusTotal and your machine’s antivirus if you have one. If it’s a Windows installer, check it is properly signed (Windows should warn you if not). Otherwise (or in addition), check installer signatures with GPG. If there’s no signature, check the SHA256 or SHA512 hash against the one published on the official site. Never follow a link in an email; always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
Doing these things will at least reduce your risk of installing compromised software.
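One way to script the hash and signature checks described in the comment above, as an added example that is not from the original thread. The file path, keyring path and installer content are constructed placeholders; in real use the expected hash is the one copied from the vendor's official page, and the keyring is one you imported from that page yourself.

```shell
# Check a downloaded installer against the SHA-256 hash (and optionally the
# detached GPG signature) published on the project's official site. The hash
# must come from the official page, not from a file served next to the
# download, otherwise a swapped installer could ship with a matching hash.
sha256_of() {                       # portable: GNU coreutils or BSD/macOS
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 on match, 1 on mismatch or bad input
verify_sha256() {
    file="$1"
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ -f "$file" ] || { echo "FAIL missing file: $file" >&2; return 1; }
    case "$expected" in *[!0-9a-f]*|'') echo "FAIL bad hash string" >&2; return 1;; esac
    [ "${#expected}" -eq 64 ] || { echo "FAIL hash is not 64 hex chars" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   sha256 matches: $file"
        return 0
    fi
    printf 'FAIL sha256 mismatch: %s\n  expected %s\n  actual   %s\n' \
        "$file" "$expected" "$actual" >&2
    return 1
}

# verify_gpg FILE SIGFILE KEYRING -> 0 only if the detached signature is good
# and was made by a key in KEYRING (imported earlier from the vendor's site).
verify_gpg() {
    gpg --no-default-keyring --keyring "$3" --verify "$2" "$1" 2>/dev/null
}

# verify_download FILE EXPECTED_HEX [SIGFILE KEYRING]: hash first, then signature.
verify_download() {
    verify_sha256 "$1" "$2" || return 1
    if [ -n "$3" ]; then
        verify_gpg "$1" "$3" "$4" || { echo "FAIL bad or unknown signature" >&2; return 1; }
    fi
    return 0
}

# Demo on a constructed file standing in for a real download; the hash is the
# known SHA-256 of the text "hello" followed by a newline.
tmp=$(mktemp -d)
printf 'hello\n' > "$tmp/installer.bin"
verify_download "$tmp/installer.bin" \
    5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 || true
rm -rf "$tmp"
```

A signed file still needs the hash check only as a fallback; when a detached signature and a trusted keyring are available, pass them as the third and fourth arguments so a file with a matching hash but a bad signature is rejected too.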