Password leaked message

dekozn · 2019-12-28T20:04:27.000Z

Every time I log in to the site I get a message saying my password is leaked on some site or app. It’s a message from Google I believe. Something I should worry about?

SammysHP · 2019-12-28T20:22:48.000Z

Yes, absolutely. Can you show us a screenshot of the message (including its surrounding)?

First of all, use a different password for every site.

Is it possible that you mean the “connection is not secure” warning?

dekozn · 2019-12-28T22:54:03.000Z

It s happening on my phone, it’s definitely password. Something from chrome and google. I made a screenshot need to figure out to upload it.

Luminosity · 2019-12-28T22:59:06.000Z

This is a new(er) feature built into Chrome.

The Verge – 2 Oct 19

Google is making it easier to check if your passwords have been compromised in...

Google also checks for reused and weak passwords.

You should change your password and ALWAYS use a different password for each website.

phouton · 2019-12-28T23:05:03.000Z

As mentioned, browsers are increasingly checking if the credentials used are found in public breaches.

Chrome has Password Checkup.

Firefox Monitor does something similar.

You can check your accounts on https://haveibeenpwned.com/ and set up alerts too. Highly recommended.

Make sure to change passwords for any affected sites immediately. Also use unique passwords and use a password manager.

hank · 2019-12-28T23:10:35.000Z

[quote]
check your accounts on https://haveibeenpwned.com/ and set up alerts too. Highly recommended./quote

Yep; do this. And get a password manager.

dekozn · 2019-12-28T23:34:15.000Z

Just checked with the website haveibeenpawned and everything is ok they say. My laptop died so I do most things obn my phone which is new for me.

Mr.Scott · 2019-12-29T00:46:42.000Z

That’s odd.

Send me your password and I’ll check it out for you.

dekozn · 2019-12-29T01:01:21.000Z

That’s a mighty christian thing to do of you good sir. Maybe I should send you my credit card numbers to so u can check that also.

anonymous_user · 2019-12-29T02:19:14.000Z

dekozn:

It s happening on my phone, it’s definitely password. Something from chrome and google. I made a screenshot need to figure out to upload it.

You can upload it to Imgur although it is a little trickier to do on mobile than desktop.

dekozn · 2019-12-30T00:40:53.000Z

Yeah doesn’t really work. Downloaded the app but uploading stalls out.

Th558 · 2019-12-30T01:56:24.000Z

dekozn:

That’s a mighty christian thing to do of you good sir. Maybe I should send you my credit card numbers to so u can check that also.

Just give me your car keys so I can make sure it’s safe to drive

sb56637 · 2019-12-30T02:11:23.000Z

Just to be clear, this is not and issue with BLF’s security. (Although of course you are welcome to discuss the issue here.)

leftdisconnected · 2019-12-30T08:17:07.000Z

It’s true that the issue reported in this thread is not an issue with BLF security, but I do think it should be said that BLF does not support secure connections, even during login, so your BLF username and password are transferred unencrypted and could be eavesdropped. Does this actually happen? Probably not. Is it a security problem? Not likely. But it is something to know about and BLF is the only website I use that doesn’t yet support TLS connections.

I am not making a complaint against any maintainers or moderators; I just want people to understand the situation. I thank and appreciate everyone that does the normally thankless work to keep BLF operating.

Encryption is not necessary for a public discussion forum, but you should definitely not use your BLF password on any other site, though obviously you shouldn’t share any passwords with multiple sites. I use a password manager, which makes it easy to simply change my BLF password every few months to ensure that my account is still under my control, though I don’t recommend frequent password changes for other websites where no one can easily intercept your credentials; it’s a waste of time, IMO.

You must use a password manager today, even if it’s just the one built into your browser. Chrome’s password manager will even generate random passwords for you when registering an account. IIRC, Chrome has a right-click option on the PC to generate a random password in relevant fields and your credentials will then be synced to anywhere and any device where you log in to Chrome. Other browsers offer similar features, though Google is the most universal, transparent solution; log in to Chrome and Google will take care of everything else.

Yes, this means that your Google password must be strong as it’s the key to your kingdom, but this is equally true if you instead depend upon your Google e-mail account for resetting all the passwords that you’ve “forgotten”. Since you’re depending on Google so much already, you may as well use a system designed for the purpose. If you don’t use Google, then congratulations; you’ve surely had to solve all these problems on your own . (full disclosure: I use Firefox and KeePass)

If browser-based password managers aren’t your cup of tea, you might look at BitWarden (free tier, fully open source), LastPass (free tier), Dashlane, or 1Password. There are now a lot of options in this field, but I recommend using a proven, mainstream solution that is being actively supported by its developer, studied by research firms, and attacked by hackers.

If you’re remembering a handful of passwords and using some on multiple sites, then you’re doing it wrong.

If you can memorize the passwords on any site other than your “master” site/service, then you’re doing it wrong.

If you’re typing gibberish into password fields and then constantly using your e-mail to “reset” your passwords, then you’re doing it wrong. This is presently the most common behavior that I see.

These things aren’t “wrong” just because they are insecure as that’s not always the case; they are wrong mostly because they are actually more difficult than the better and easier solution called a password manager . Pick a proven one that seems enjoyable to use and use it for everything.

Though you should use 2-factor authentication, SMS text messages are not a secure solution and you should instead use the Google Authenticator or a compatible system like Authy. (full disclosure: I don’t, but I should)

HaveIBeenPwned.com is service that seems “too convenient to be true”, but it’s been proven over many years and is now a core service relied upon by companies like Mozilla and Google. Luckily, you shouldn’t need to use the service directly as both Firefox and Chrome will automatically check your accounts for potential breaches and typically alert you to any problems. If you do want to use it manually, use Google/Bing to search for it or be certain to type the domain name correctly as copy-cat sites could exist that simply try to steal your information.

And then there’s this.

kat · 2019-12-30T07:48:27.000Z

Chrome is becoming very annoying and it behaves like it’s the only app on your PC and thinks it should do everything.
Google should just stick to the browser, because it’s pretty bad and far from working correctly, and not try to stuff other crap onto our throats

g_damian · 2019-12-30T08:02:51.000Z

Regarding password managers: Keepass has extensions for all browsers, works on mobile (keepass dx) and it’s fully open source. The missing part is synchronization, but it can be achieved with help of other software, like syncthing (also open source).

leftdisconnected · 2019-12-30T08:58:37.000Z

I use KeePass as well, but I don’t recommend it to non-technical folks . It’s not hard to use for people like us, perhaps, but it’s not simple enough for the average consumer. They need something that requires no extra effort or special knowledge. If even the slightest inconvenience arises, most people will simply go back to banging on the keyboard and then resetting their password every time they need to log in .

As you mentioned, any file syncing system will do the job and this seems to be the most common approach today, but it typically must overwrite the “oldest” version of the database if both sides have changed. This could potentially cause data loss without careful usage (another reason I don’t recommend it to muggles). Though I rarely need the feature, I like to use the fine-grained synchronization built into the KDBX4 format.

To do this, I use the KeeAnywhere plugin and a Dropbox account that is used solely for storing the database; it has no connection with any of my other accounts and uses its own “master” password that I’ve practiced to the point that I should remember it until I forget my own name . I use KeePass2Android for mobile access as it natively supports Dropbox.

Everything I just said above is too difficult for your parents and probably your significant other as well. Thus, I recommend easier solutions. Most people already use Chrome, so that’s the easiest sell I’ve found. In my experience, people are simply not interested in using a password manager; it either sounds like too much hassle or too insecure (“putting your eggs all in one basket”). Rather than explain how all of their account “eggs” are already in one e-mail “basket”, I try to show them how Chrome can remember their passwords with no extra work. Even this rarely works .

Though I use Firefox, I’m aware that Chrome is becoming bossy; Google sees itself as a sort of de facto “king of the Internet” and though many of its projects and decisions have been truly beneficial to all Internet users, I don’t want to live in a world where one company owns or controls my browser, my operating system (Android or ChromeOS), and much of the Internet itself. That’s why I’ve never switched to Chrome and never will; I’m stubborn like that .

raccoon · 2019-12-31T03:06:04.000Z

I hope no one figures out my password.

Spoiler alert, it's 12345.

Don't tell anyone!

anonymous_user · 2019-12-31T03:06:56.000Z

That’s my luggage combination!

leftdisconnected · 2019-12-31T05:07:44.000Z

No, no no. You must switch it up like: 12354

That makes it unguessable within the next trillion years .