Yesterday's announcement of the discovery of a botnet command and control database of user credentials for Facebook, Twitter, Yahoo, ADP and others is
just the latest in a trend going back several years. You can't trust
Internet services to protect your passwords; you have to protect them
yourself.
This new revelation is actually rather minor compared to many others from recent years for reasons explained by Webroot in a blog entry:
the number (2 million credentials) is actually small compared to many
of the others, with the king of the hill being the Adobe breach of as
many as 150 million credentials.
Trustwave, the company that found the botnet and password database,
isn't publishing it, but other databases are publicly available and you
can search them. But there are two sites I have found that let you
search across multiple databases.
Troy Hunt's Have I been pwned? consolidates the databases from five major breaches for a single search:
- 152,445,165 Adobe accounts
- 859,777 Stratfor accounts
- 532,659 Gawker accounts
- 453,427 Yahoo! accounts
- 37,103 Sony accounts
Enter your email address and haveibeenpwned.com searches all of them
and reports back. One of my addresses was in the Adobe database, but I
knew that already:
I changed the password a while ago and hadn't used it on other sites.
As Hunt explains in a blog entry announcing the site,
he built it in large part as an exercise in using certain Windows
Azure technologies, but he believes in the service and wants to make the
site as useful as is practical. He says he has plans to add new
databases as they become available and new features such as a service to
alert you in case your email address shows up in a database and the
ability to search on a whole domain (such as '@zdnet.com').
The other site, Should I Change My Password?,
is mostly a front-end for pay services. The site already has the email
alert service, which they call Email Watchdog, and which appears to be
free. But if you simply search for an address and it's in one of their
databases they won't give you any detail, just the fact that it was in a
database.
It seems odd that they "...can't tell you which breach your email address was compromised in" as they say in their FAQ.
haveibeenpwned.com has no trouble providing this information, as it is
stored in their database for each breached record.
shouldichangemypassword.com only stores a hash of the password, the date
of the last compromise and the number of times it was compromised
(i.e., presumably, the number of databases in which it was found). This
seems less useful. If I learn from haveibeenpwned.com that my Adobe
account was breached then I only have to change that password.
Perhaps shouldichangemypassword.com (a service of Avalanche Technology Group) will give you this detail as part of one of their pay services which they push
Regardless of your status on any of these databases, the only good
strategy is to have strong and separate passwords for all services you
use. Remembering all that is not humanly possible, so you'll need a
password manager. I use LastPass, others I know use 1Password and RoboForm, and there are many others. I hope to write more about password managers soon.
By Larry Seltzer for Zero Day