Archive of 1.4 billion credentials in clear text found in dark web archive

A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ. The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The …

  1. Haku

    12345? That's amazing, I've got the same combination on my luggage!

    https://www.youtube.com/watch?v=a6iW-8xPw3k

    1. Anonymous Coward

      Re: 12345? That's amazing, I've got the same combination on my luggage!

      Oooo get you fancy pants, with your 5 digit combinations.

      123 here for me.

      1. Doctor Syntax Silver badge

        Re: 12345? That's amazing, I've got the same combination on my luggage!

        "123 here for me."

        No problem. If you have a two lock case you can go one better - the other can be 456.

        1. Wensleydale Cheese Silver badge

          Re: 12345? That's amazing, I've got the same combination on my luggage!

          "123 here for me."

          No problem. If you have a two lock case you can go one better - the other can be 456.

          I went one better in the 90s, and used my 6 digit home phone number for a briefcase.

          I then changed jobs and found I didn't need a briefcase any more. I also moved house.

          Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.

          I finally dug it out of an old CV that was lying around on my hard drive

          1. Roland6 Silver badge

            Re: 12345? That's amazing, I've got the same combination on my luggage!

            Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.

            I finally dug it out of an old CV that was lying around on my hard drive

            Know the feeling, I've got a whole bunch of encrypted files scattered through my projects archive, I simply wrote the passphrase in the margin of my then current notebook/diary. If I ever want to access these files and the disk is still readable, it will be a long skim read through my old notebooks/diaries...

          2. Anonymous Coward

            Re: 12345? That's amazing, I've got the same combination on my luggage!

            "...I finally dug it out of an old CV that was lying around on my hard drive"

            You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average.

            1. Wensleydale Cheese Silver badge

              Re: 12345? That's amazing, I've got the same combination on my luggage!

              "You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average."

              Full marks to Apple's Spotlight in this case.

              I did a search for content using my old street name and Spotlight came up with that CV in a matter of seconds.

              Brute forcing the lock turned out to be unnecessary.

        2. Anonymous Coward

          Re: 12345? That's amazing, I've got the same combination on my luggage!

          501 for me - after Darth Vader's stormtrooper team (such a nerd)

    2. Muscleguy Silver badge

      Re: 12345? That's amazing, I've got the same combination on my luggage!

      My wife uses her birthday. A friend she sometimes stays with to help with the kid has her alarm similar so Mrs Muscleguy can remember it.

      Unsurprisingly having married someone with a very good memory she leans on me a lot to remember stuff. My sisters were amazed that I could still remember our phone number for the house we lived in in Southern NZ in the mid 1970s and the next house too. Some things just stick in my mind. I never actually tap it in any more but my wife's mobile # she has had since the '90s is burned into my mind too.

      1. Semtex451 Silver badge

        Find shows people still suck at passwords

        Why is the article tagline 'Find shows people still suck at passwords' and not 'OMG change your passwords!!!'?

        Is the author not disturbed that there's an archive of 1.4B passwords both simple and complex?

        1. swschrad

          I suggest the World Universal Password

          which would be asswordP. They'll never guess. For servers, the combination admin/fired should work. Let 'em guess THOSE....

  2. eldakka Silver badge

    Has an analysis of the types of accounts been done?

    Over the decades of the internet, I've created thousands of 'throw-away' accounts that have used simple passwords along those lines.

    Temporary email accounts, one-off accounts on a site that I must register for (and that required me to create a 2nd account - one-off email account - to receive the registration email for) that I felt some one-off need to comment on that particular article, an account I've never used since on a site I may have never visited again.

    For those types of accounts, I'm not going to try a complex password I'm just going to put in abcd1234 or whatever reaches the minimum password requirements.

    Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.

    1. Charles 9 Silver badge

      Re: Has an analysis of the types of accounts been done?

      Trouble is, even crappy accounts can be leveraged in things like social engineering to wedge their way into more valuable accounts. Kinda like ignoring the "impenetrable" forest.

      1. Steve Davies 3 Silver badge

        Re: Has an analysis of the types of accounts been done?

        A lot depends upon the level of obfuscation you give to the username you are creating

        for example

        RocketMan@eltonj.com

        or

        SlowMotion@man.co..uk

        are low levels of obfuscation

        and

        TR6DBP966G@gmail.com

        is a higher level.

        But easy for you to remember if you had a Triumph TR6 with the registration number DBP966G

        and finally

        Df_Rg!Th$Y&jU@hotmail.com

        is higher still but pretty well impossible for a human to remember so it gets written down somewhere... Doh!

        1. Doctor Syntax Silver badge

          Re: Has an analysis of the types of accounts been done?

          "pretty well impossible for a human to remember so it gets written down somewhere"

          No, it gets generated and stored in Keepass. The only password phrase to remember is that for Keepass.

          1. Pascal Monett Silver badge
            Trollface

            Re: "The only password phrase to remember is that for Keepass."

            Which is . . password.

            1. Andy The Hat Silver badge

              Re: "The only password phrase to remember is that for Keepass."

              Only hypothetical issue is the password/keystroke grabber trojan inserted into the apparently valid download file by some script kiddie. Instead of hitting only one password you can get tens.

              The question being, is that a valid scenario for such password vaults?

              My password vault was used to contain only memory hints to the passwords as I never knew whether the vault itself was secure or purely an obfuscated pipe to a central server ...

            2. docwebhead

              Re: "The only password phrase to remember is that for Keepass."

              No, no, NO!

              "Password1"

          2. soulrideruk Bronze badge

            Re: Has an analysis of the types of accounts been done?

            Why the hell would you trust ALL your passwords to a piece of software?

            Are you F*/85*g insane?

            For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe.

            Software is not secure. Wise up. Don't become a statistic.

            1. Charles 9 Silver badge

              Re: Has an analysis of the types of accounts been done?

              "For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe."

              Or your spouse who ALSO knows the combination...or a close associate of yours who cleans enough to figure it out and knows what's at stake.

              "Software is not secure. Wise up. Don't become a statistic."

              Neither's the safe if you have family or a significant other. Put it this way. If someone REALLY wants to get you and you have a bad memory, you're basically screwed because your adversary can out-memorize you.

              If software's not secure, why does the government (including the security sectors) use it? Put it this way, if someone can break KeePass, they'd find bigger fish cracking government communiques that use the same algorithms.

        2. This post has been deleted by its author

          1. johnmayo

            Re: Has an analysis of the types of accounts been done?

            Uptick for spamgourmet! The old ones are the best

        3. Cuddles Silver badge

          Re: Has an analysis of the types of accounts been done?

          "but pretty well impossible for a human to remember so it gets written down somewhere... Doh!"

          Why do people keep insisting that writing down passwords is in some way a bad thing? The vast, vast majority of hacks are done remotely. A post-it note on my desk is just about the safest possible place to store a password, because I can guarantee no hacker will ever see it (no, I don't have a webcam or any other connected bullshit that could expose it). Even if I get particularly unlucky and someone breaks into my house, the chance of them caring about some passwords or having the connections to sell it (or finding a buyer who actually cares about a single person's password when billions are available online) are essentially zero; they're just going to nick the TV and whatever else they can easily flog to a mate

          A workplace where you don't want all the random people wandering around to have access to your passwords is a bit of a different matter, but since we were talking about accounts created for personal use that's not so relevant.

          As it happens I actually use a password vault because I'm willing to trade a bit of security for the convenience of not having to carry a stack of post-it notes around with me. Also, with my handwriting post-its would make my credentials so secure that even I would never be able to use them.

        4. Naselus

          Re: Has an analysis of the types of accounts been done?

          "Df_Rg!Th$Y&jU@hotmail.com

          is higher still but pretty well impossible for a human to remember"

          Speak for yourself. I named my daughter Df_Rg!Th$Y&jU@hotmail.com and so, in my case, I feel it would be a rather obvious username to go with.

          1. This post has been deleted by its author

      2. sorry, what?
        Devil

        Re: Has an analysis of the types of accounts been done?

        Personally, I use mailinator.com accounts, where there are no passwords, and fake names when doing this sort of forced registration. The only stuff sent to these accounts is marketing trash or offer codes etc., neither of which will be particularly troublesome for someone else to access.

        Because there's no password at all, and the account names relate to the site being accessed along with fake names etc. I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D

        1. Anonymous Coward

          Re: Has an analysis of the types of accounts been done?

          "I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D"

          I do have a degree in psychology and can think of no particular area I studied which would help here.

          A PhD in the study of subconscious habits and thought patterns might do the trick.

        2. Prst. V.Jeltz Silver badge

          Re: Has an analysis of the types of accounts been done?

          re "Df_Rg!Th$Y&jU@hotmail.com"

          That email address would probably crash a lot of poorly designed email servers!

          Just like those Irish folk are always trying to inject SQL on me with their O'this and O'that.

          1. Anonymous Coward

            Re: Has an analysis of the types of accounts been done?

            Mr O'OR 1=1
            is our biggest customer.

          2. William Towle
            Coat

            Re: Has an analysis of the types of accounts been done?

            > Just like those irish folk are always trying to inject SQL on me with their O'this and O'that.

            My colleagues and I were discussing the problem with handling that recently, and noted there didn't seem to be a catchy name for it.

            I suggested that in keeping with "the Emergency" and "the Troubles" (and so on) that it should be called "the O'Bother".

        3. elDog Silver badge

          And you trust mailinator to not be breached

          Or selling you tidbits on the market?

          What's in it for them (follow the money)?

          Same with every other "helpful" online site - what's in it for them?

      3. This post has been deleted by its author

    2. Kiwi Silver badge
      Thumb Up

      Re: Has an analysis of the types of accounts been done?

      Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.

      Same here. Not thousands maybe, but could be hundreds.

      Plus, with my hatred of farcebroke but occasional like to find others, I've now had at least a couple of dozen single-sign-in (no not single-sign-ON) FB accounts that were used once, search the name, close the private window, never remembered the password again. Or the account name etc.

  3. Jack of Shadows Silver badge

    What's interesting, at least to myself, is that two of my GMail accounts were compromised while this is not the case with my Live/Outlook and Yahoo accounts. That's a serious WTF. None use simple passwords or definitely not short either.

    1. phuzz Silver badge

      It's unlikely that they got the passwords from gmail. Either you reused the passwords somewhere (don't reuse passwords!), or you've got a keylogger on one of your devices.

    2. Julian Bradfield

      How did you find out?

    3. TechnicalBen Silver badge

      Your Yahoo was not hacked?

      You must be the only one!

      PS, will this become user searchable? Though I'm guessing just changing everything is best policy?

  4. Anonymous Coward

    Look guys!

    qwerty is MY password!

    OK?

    1. Anonymous Coward

      Re: Look guys!

      mines, big dick willie

      1. Anonymous Coward

        Re: Look guys!

        Mine's gotta umlaut, yours has diaeresis

        1. Wensleydale Cheese Silver badge

          Re: Look guys!

          "Mine's gotta umlaut, yours has diaeresis"

          Mine's got glottal stops.

  5. Anonymous Coward

    Why can't someone email them all their passwords explaining in simple terms how easy they are to guess?

    At least it makes the data useless.

    1. Prst. V.Jeltz Silver badge

      That is actually a pretty good idea. If my email address (and quite possibly password) is on a dark web archive that is actively in use I'd like to know!

      And it's not like the dilemma of removing botnet clients from machines where you're actually changing the machine, and therefore breaking the law / could be responsible for god knows what breaking.

      It's just an email. I guess there are probably some spam laws that will rule this out.

      1. Anonymous Bullard
        1. Prst. V.Jeltz Silver badge

          Thanks. I didn't really trust that site before so hadn't tried it. I have now and lo and behold:

          "In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords."

          and also

          "Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump."

    2. Jamie Jones Silver badge

      At the last place I worked, an automated password cracker was used that did email users if their password had been cracked.

      These were internal users, on the corporate network.

      This led to one support ticket that simply read: "How do you know my password is 6inches? Have you or your staff ever slept with me?"

      True story!

  6. Jin

    Not because we are silly or lazy.

    Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.

    At the root of the password headache is the cognitive phenomenon called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.

    1. Saul Dobney

      Re: Not because we are silly or lazy.

      Use an offline 'password masher' that blends the domain name with a simple password to produce a strong password that is unique to each site you visit, while your simple password never leaves your desk.

      1. Prst. V.Jeltz Silver badge

        Re: Not because we are silly or lazy.

        That's what I do, but I keep the formula for blending the domain name in my head, so I can easily work out what my password for a given site is - and I need to up the algorithm a bit to make it more secure.

        If a "password masher" is going to produce a result that means nothing to you - why base it on the domain? Surely random would be better?

        1. This post has been deleted by its author

        2. Saul Dobney

          Re: Not because we are silly or lazy.

          The password masher takes a simple password and mashes it against the domain seeded with some fixed options to produce a strong password. That strong password is unique to the domain, so the password doesn't get used anywhere else, so no password leakage. By hashing the domain, the password and some hidden fields, reverse engineering back to the simple password is very very hard (more so since there's an additional level of personalisation possible). The simple password stays local, but doesn't need to be stored or written down itself, while the code for mashing runs locally, again so the password itself doesn't get exposed.
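          The masher described above, together with the complaint later in the thread that passphrases fail upper-case/number/symbol rules, as an added Python illustration (not code from the thread or from any product): the master password and a personal "hidden field" are run through PBKDF2-SHA256 with the normalised domain as salt, and the digest is mapped onto a policy-satisfying alphabet. The iteration count, symbol set, domain normalisation and sample inputs are my assumptions.

```python
import hashlib
import hmac
import string
from typing import Iterator

# Character classes the derived password must cover; the symbol set is an
# assumption for this illustration, not something the thread specifies.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!#$%&*+-=?@_",
)
ALPHABET = "".join(CLASSES)
PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the slowest device you derive on


def normalise_domain(hostname: str) -> str:
    """Fold case and drop a leading 'www.' so host spellings map to one site key."""
    host = hostname.strip().lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def _byte_stream(key: bytes) -> Iterator[int]:
    """Expand the derived key into an unbounded, deterministic byte stream (HMAC counter mode)."""
    counter = 0
    while True:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        yield from block
        counter += 1


def _uniform_index(stream: Iterator[int], n: int) -> int:
    """Draw an index in range(n) without modulo bias by rejecting bytes past the largest multiple of n."""
    limit = 256 - (256 % n)
    while True:
        b = next(stream)
        if b < limit:
            return b % n


def derive_site_password(master: str, domain: str, secret: str = "",
                         length: int = 16, version: int = 1) -> str:
    """Mash the simple master password with the site's domain into a site-unique strong password.

    The domain, a personal hidden field and a version counter act as the salt; PBKDF2 makes
    recovering the master password from one leaked site password expensive, and bumping
    `version` rotates a single site's password without changing the master.
    """
    if length < len(CLASSES):
        raise ValueError(f"length must be at least {len(CLASSES)} to satisfy every character class")
    salt = f"{normalise_domain(domain)}|{secret}|{version}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, PBKDF2_ITERATIONS, dklen=32)
    stream = _byte_stream(key)
    # One character from each class first, so the result always passes upper/digit/symbol rules...
    chars = [cls[_uniform_index(stream, len(cls))] for cls in CLASSES]
    # ...then fill the remainder from the full alphabet.
    chars += [ALPHABET[_uniform_index(stream, len(ALPHABET))] for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle driven by the same key stream, so the per-class characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _uniform_index(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """True if the password contains at least one character from every class in CLASSES."""
    return all(any(c in cls for c in password) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed sample inputs; the master is deliberately the weak, memorable kind discussed in the thread.
    for site in ("www.example.com", "EXAMPLE.COM", "forums.example.net"):
        print(f"{site:22} -> {derive_site_password('correcthorse', site, secret='briefcase-1997')}")
```

The caveat a defender should keep in mind: every site password depends on the master, so a compromised master (or a forgotten `secret`) affects all sites at once, and the only way to rotate one site is the `version` counter.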

  7. Ochib

    Ubiquitous XKCD

    https://www.xkcd.com/936/

    1. ratfox Silver badge
      Meh

      The issue for me is that "correct horse battery staple" is too long. I already type my current 9-character password wrong roughly 10% of the time; with 28 characters it'd become a real pain.

      1. Anonymous Coward

        It also fails on many password systems now by not containing an upper case letter, a number and a symbol.

        1. Stoneshop Silver badge
          Headmaster

          Fails many password systems

          not containing an upper case letter, a number and a symbol.

          So I tried "anuppercaseletteranumberandasymbol" and it displays an error message that it doesn't contain an upper case letter, a number and a symbol.

          Stupid parser.

      2. elDog Silver badge

        No problem. After 2-3 generations of your spawn that'll become automatic

        Typing a 500 character string into a text box will be embedded in the DNA of the great-grandchildren of this currently procreating generation.

        This will be passed on via pure genetics from the one or more parents that contribute genetic code to the little embryonic robot. The little kid will be able to bring up the holographic portal just after birth and enter its U500.

        If, in unfortunate circumstances, the little human cyborg loses its U500 - no problem. We'll terminate the current one and issue you a permit to start another. (SROFF excepted).

        1. Anonymous Coward

          Re: No problem. After 2-3 generations of your spawn that'll become automatic

          "If, in unfortunate circumstances, the little human cyborg loses its U500 - no problem. We'll terminate the current one and issue you a permit to start another. (SROFF excepted)."

          And if that's not possible (the maternal unit is medically barren or post-menopausal)?

    2. This post has been deleted by its author

      1. John Robson Silver badge

        Re: STOP. In the name of love.

        Slightly missing the point of the XKCD cartoon there.

        Password managers are clearly a good way to go - I have no idea what most of my passwords are, and I don't need to. That much the article has correct.

        But there are a host of passwords which I *do* need to remember.

        WiFi codes are one obvious example, and actually they are one where the correcthorsebatterystaple is a decent mechanism (assuming you can choose random words).

        I am slightly surprised that such an article doesn't major on keys/certs - register with a site by sending it your public key/cert, and bingo.

        1. Charles 9 Silver badge

          Re: STOP. In the name of love.

          But the trouble is, what if your memory is REALLY bad, such that "correcthorsebatterystaple" easily becomes "donkeyenginepaperclipwrong", AND you can't trust any computer for a password safe because they're all communal?

      2. ShortLegs

        Re: STOP. In the name of love.

        "https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/"

        And the author of that article is not wholly correct either. Actually, he is very wrong. The assumption inherent in his article is that all users will have access to a password manager all of the time.

        It ignores what happens when I go to work, and my employer does not use a password manager. Worse, when my employer insists on several different credentials for each application, e.g. PC/network userID and pwd, credentials for the Intranet, different credentials for the various "apps" hosted from this (email, SAP, MIS, etc), credentials to access the legacy mainframe via terminal. And all of these with their own, unique, username format and password requirements. No single sign-on, no commonality of user ID and/or password, no consistency of password requirements.

        And then I go to my part-time (Reservist) role, with another set of credentials, again one set for local logon, one set for remote DII access, one set for JPA access... and again, no commonality between the various userIDs or passwords.

        And that's before we run into "your password has locked as it has not been accessed for 6 weeks"... requiring a call to the Helpdesk, and another temporary password.

        The userID/password combination is the LAST line of defence; we ought to be looking at the security of the front end (3 login attempts then account lockout), the security of the userID/password database, and the encryption of the database itself.

        As techies, we look at this ass-backwards.

        1. This post has been deleted by its author

          1. Charles 9 Silver badge

            Re: STOP. In the name of love.

            ""The assumption inherent in his article is that all users will have access to a password manager all of the time." You don't have a smartphone? You can run passwordsafe on that. Or you can use Google's smartlock in Chrome, https://get.google.com/smartlock/ . These methods have some drawbacks, but it's all better than the crappy horse stable thing."

            Unless, of course, it's blacklisted by the corporate network as time-wasting (or not on the whitelist of places employees are allowed to go to conduct business on company time).

            Of course, no local apps not approved by the IT department, so no password safes due to SPoF issues.

            ""Ultimately, Passwords should die. As a longer term strategy, we are moving to kill the use of passwords as the single authentication mechanism, and enforcing multi-factor authentication as the default everywhere.""

            Until people start LOSING their second factors and so on. The first problem with passwords is that we have bad memories. The second problem with passwords is that they're also the best option we have. IOW, the best option is unacceptable, meaning we're basically screwed unless we take a few steps back and go back to human-on-human contact where everyone simply knew everyone else on sight.

            PS. The first consideration of any security measure is taking the Stupid User into consideration.

          2. Kiwi Silver badge
            Pint

            Re: STOP. In the name of love.

            @ShortLegs.

            "The assumption inherent in his article is that all users will have access to a password manager all of the time." You don't have a smartphone?

            Nope. And some of the places I've worked one would not be appropriate or allowed.

            Or you can use Google's smartlock in Chrome, https://get.google.com/smartlock/ .

            Fuck off. Use chrome? Trust google with my data? Might as well find the lowest possible criminal scum on the web and invite them round for a party, let them sleep in the house afterwards, and let them stay while I go out to work. With all my passwords and accounts written down in plain sight.

            These methods have some drawbacks, but it's all better than the crappy horse stable thing.

            Not when you're suggesting a "solution" from Google. BTW, what happens when they decide that they're not going to support it any more? Not much chance of that happening though, not like google has ever removed a product with little warning before...

            Also, in the article, the guy does say that:- "Ultimately, Passwords should die. As a longer term strategy, we are moving to kill the use of passwords as the single authentication mechanism, and enforcing multi-factor authentication as the default everywhere." Anyway, what do you do to solve the problems you list? I read your post, but I don't see you make a better suggestion. Some techie you are! ;-)

            No no fucking NO. Unless you can come up with a trustable "dongle" or other thing that works in EVERY instance, that is small enough to easily transport, it's not going to fly. I have a pile of convenient gadgets, bottle openers, mini torches and the like I've received over the years that could go on my key ring (physical thing the car/house/bike/etc. keys are on). Not a chance they'll ever get there though, like a lot of people I prefer to keep my key rings to a minimal set, to the point that when I could afford multiple vehicles I'd swap in/out the vehicle keys based on what I was using. So for a lot of people keyring-based dongles would be a no go.

            Phones aren't entirely secure, and liable to failure/theft/breakage/flat battery etc.

            Until someone can make something convenient to carry that does the job across the board, 2FA will continue to crop up and quickly die. (though at least ID+building access cards can help in a lot of workplace related cases)

            @Batfink. Lastpass is shite IMO. Stick with a local password manager. Which is why the Google smartlock thing isn't something I use.

            I use computers in more than one place. If I was to use a password manager I'd use local+cloud (Nextcloud that is) and move the profile, or perhaps have it on USB but see above re keyrings.

            @John, WiFi codes. Write the code on the access point. If someone has access to the AP, it's game over anyway.

            Not really. Sure they could factory-reset it, but then a) it'd be discovered quickly and b) would be of limited use (your reset would wipe the ISP details so no WAN connection). The admin is fairly well locked down and I haven't yet found a way to break it, so unlike a lot of crappy ISP-supplied ones, just visiting the admin page won't get you anywhere even if you are plugged in by cable.

            That said, I have stored the relevant info on the router in the past, in a place where getting to the router wasn't going to be easy for miscreants.

            1. John Robson Silver badge

              Re: STOP. In the name of love.

              Two factor auth still tends to use a password as one of the factors...

              I can’t get to my AP very easily - it’s ceiling mounted. Writing it there is no help. A long, but typeable, key is a good compromise between usability and security. If I was being really paranoid I’d have a radius server and post connection authorisation dropping me onto an appropriate vlan. Of course the connection would be cert based as well...

            2. John Robson Silver badge

              Re: STOP. In the name of love.

              >>Write the code on the access point. If someone has access to the AP, it's game over anyway.

              >Not really. Sure they could factory-reset it, but then a) it'd be discovered quickly and b) would be of limited use (your reset would wipe the ISP details so no WAN connection). The admin is fairly well locked down and I haven't yet found a way to break it, so unlike a lot of crappy ISP-supplied ones, just visiting the admin page won't get you anywhere even if you are plugged in by cable.

              Depends what they do with physical access - most routers will happily give you an ethernet connection without question. That might be the valuable thing. Or you could put in an ethernet/wireless bridge to which you can later connect at will.

              If the issue is protecting the WiFi passcode then you are correct physical access isn't necessarily game over (although many devices have a physical button to let devices connect without auth for thirty seconds.)

              1. Kiwi Silver badge
                Pint

                Re: STOP. In the name of love.

Depends what they do with physical access - most routers will happily give you an ethernet connection without question. That might be the valuable thing. Or you could put in an ethernet/wireless bridge to which you can later connect at will.

                If the issue is protecting the WiFi passcode then you are correct physical access isn't necessarily game over (although many devices have a physical button to let devices connect without auth for thirty seconds.)

                WPS can (theoretically) be turned off (I say theoretically because I've never checked to make sure it doesn't work).

                If you're paranoid, you can set your wired network up with no DHCP and even install a firewall box between the router and the rest of the network that only allows known machines to work, or in some other way messes with unknown machines.

E-W bridge may be a bit sneakier, depending on what tools the victim uses to check for such things. I'd expect that in most places "nothing" is used, only a few high security places performing scans on a regular basis. Is it possible to have one that won't show up in any logs in a more secure place? I was asked by someone recently (a housewife with the computer literacy of your average insect) about a device that was showing up on her Mac, which is just the wifi range extender she has (they're not entirely transparent to the network).

I can think of many ways to hide the hardware, but not sure how to always get them out of logs and the like. At least using static IPs (not DHCP) would make them invisible to most home routers, and probably most SM businesses as well (at least ones that don't specialise in IT).

      3. batfink
        Mushroom

        Re: STOP. In the name of love.

        No no no. Putting all your passwords into a password manager is all fine, until you discover that your password manager has been pwned. Then it's game over.

        Lastpass anyone?

  8. ukgnome Silver badge

    my password is pa55word - those buggers will never guess that.

    1. Anonymous Coward
      Anonymous Coward

ah ... I'd been assuming it was pa55w0rd and wondered why I could never log in to your account

      1. Anonymous Coward
        Anonymous Coward

        gotta get l33t on it

        P/\55\/\/()|¬d

    2. Anonymous Coward
      Anonymous Coward

      hah

      "pjomssed" is much more obscure...

  9. petethebloke

    Length is Everything

    My wife agrees

    1. William Towle
      Devil

      Re: Length is Everything

      When creating an(other, sheesh) account for myself recently I encountered my first system that refused my usual password scheme - mix of alphanumeric and non-alphanumeric symbols, around a dozen characters long, ... you know the drill.

      "Your new password needs to be at least 14 characters in length", this one asserted. I thought again.

      Looking back, there was a very literal interpretation (two, in fact) that may well have sufficed. I wonder now if they foresaw that, and the phrases were specifically disallowed...

    2. Kiwi Silver badge
      Coat

      Re: Length is Everything

      Length is Everything

      My wife agrees

      I know! She tells me that each Thursday...

  10. Kaltern Silver badge

    Such an enigma...

    Makes you wonder why a system hasn't been invented that obfuscates passwords as they're being typed in, hence storing them in an encrypted format on the server side, so noone could easily guess what it is.

    Oh.

    Seriously tho. What's more secure, a password, or simply biometrics? I actually don't know the answer to that, but I would have assumed fingerprints would, at the most simplistic level, be the most secure way to log in to your average website.

    I mean, fingerprint scanners are almost ubiquitous in their presence now, virtually all modern smartphones have them, which we trust to login to banking and other sensitive things. How difficult would it be to stick one in every keyboard made now and the future? You can even buy USB scanners for a few quid.

    They don't have to be NSA-approved, nor do they need to be of highest military specification. And for really sensitive stuff, why not have a combination of both - at least that way it'll be as simple as typing the password while having your finger(s) scanned.

    Within 2 years, every single home PC could have one, and then webmasters could incorporate this into their security by way of a simple plugin. Facebook, could adopt this, which would mean the sheeple of the world will quickly fall in line.

    I genuinely wonder why this isn't a thing.

    1. sitta_europea

      Re: Such an enigma...

      "... I mean, fingerprint scanners are almost ubiquitous in their presence now, virtually all modern smartphones have them, which we trust to login to banking and other sensitive things. ..."

      Speak for yourself.

      I'll use Internet banking when I can buy a 64 gigaqubit quantum computer and there's a way to encrypt the communications, storage and credentials that's been mathematically proved uncrackable (in any amount of time; not just in time of, say, the order of the age of the universe - that's just difficult, and I want impossible). Of course then I'd want similar proof that the implementation was correct, but I'm not holding my breath. After all, HSBC did let anybody into anybody's account if you just put the password in wrong ten times, and then there was...

      https://www.theregister.co.uk/2017/12/11/mobile_banking_security_research/

      1. Kaltern Silver badge

        Re: Such an enigma...

        The point is, passwords are no more secure than fingerprints, but fingerprints ARE more secure than passwords. What you're describing is typical overreaction to security issues that are pretty much beyond your control. Millions of people use internet banking, regardless of how some few of us view the inherent security issues, and in my opinion, while it is only a sticking plaster, biometrics would be a much larger bandage than the current reliance on passwords.

        It doesn't matter how much 'we' trust online banking, or anything else. It's here, it's being used, and we should probably try to improve things as much as we can, to avoid people who cannot engage their brain to remember more than 'pa55word'.

        1. Kiwi Silver badge
          Pint

          Re: Such an enigma...

          but fingerprints ARE more secure than passwords.

          You sure about that?

          How about you come round to my place for a coffee and we can talk more about it.

          Don't worry about washing your cup afterwards, I'll take care of that.

          It doesn't matter how much 'we' trust online banking, or anything else. It's here, it's being used, and we should probably try to improve things as much as we can

          On that we agree.

      2. fidodogbreath Silver badge
        Meh

        Re: Such an enigma...

        I'll use Internet banking when I can buy a 64 gigaqubit quantum computer and there's a way to encrypt the communications, storage and credentials that's been mathematically proved uncrackable

        FTFY. Unless your bank is already using some kind of mythic "uncrackable" security, your account can still be pwned by many other methods: attacks on the bank's systems, ATM skimmers, spear-phishing bank execs and sysadmins, social engineering the call center, finding one of your checks in a dumpster after it was scanned by whoever you sent it to, etc.

        Internet banking is an attack vector, but it's far from the only one.

    2. Pascal Monett Silver badge

      Oh not biometrics again

      First of all, there is no such thing as a reliable biometric scanner. Fingerprints can be faked, especially on consumer-grade equipment. Facial recognition is still rather unreliable, can be easily fooled and requires a rather important back-end. Other more exotic methods (like iris recognition, or back-of-the-eye blood vessel mapping) are still in the lab, or eventually at the NSA, but nowhere else.

The problem with biometrics is not even its reliability, it's the fact that the legitimate owner of the biometric cannot change it when it is compromised. So anything biometric is only usable until it is compromised, which means it is next to useless in any environment that needs true security.

      Let us not pretend that your Twitter account needs NSA-level security.

      1. Kaltern Silver badge

        Re: Oh not biometrics again

        Reading before understanding - a common issue here sadly.

        I stated we DON'T need NSA-level security. So your killer tagline at the end of your post was sadly wasted on those able to do more than skim through for keywords to throw scorn at.

        Next, Biometrics could very simply be changed in EXACTLY the same way we change regular passwords. Send an email asking to be changed, re-scan fingerprint. I fail to see how this is an issue.

        And stating that biometrics are only usable till compromised, is pretty much a strawman argument - in that ALL security is useful till compromised.

        I think you are mistaking my suggestion for simple password replacement, for high security biometric eyeball scanning to get into NASA's secret Area 52, where they develop and test new security systems*.

        * this may or may not be true...

        1. ponga

          Re: Oh not biometrics again

          "Next, Biometrics could very simply be changed in EXACTLY the same way we change regular passwords. Send an email asking to be changed, re-scan fingerprint. I fail to see how this is an issue."

          Wow, they'll issue you new fingertips? Sounds painful.

        2. Roland6 Silver badge

          Re: Oh not biometrics again

          Next, Biometrics could very simply be changed in EXACTLY the same way we change regular passwords. Send an email asking to be changed, re-scan fingerprint. I fail to see how this is an issue.

          Most people only have 8 fingers and two thumbs, and current biometric scanners only use a handful of data points (hence why they are so easy to fool), whereas each character of a password can use most of the keys on a standard keyboard...

        3. Joe Harrison Silver badge

          Re: Oh not biometrics again

          When I had my eyetest recently the optician took a photo of my retina, without asking me, and stored it on their who-knows-if-secure system. If they are doing this for everyone it surely has to undermine the biometric eyeball Area 52 security.

          Area 52 probably claim that you can't get in with a fake eyeball photo, just like Apple claimed you couldn't unlock their phone with a 3D printed face.

          1. Naselus

            Re: Oh not biometrics again

            "When I had my eyetest recently the optician took a photo of my retina, without asking me, and stored it on their who-knows-if-secure system. "

It's worse than that - I leave copies of my fingerprints all over the place all the time, stored on tabletops, doors, and the devices I use to log into the web services he's suggesting I should unlock with my fingerprint...

      2. Roland6 Silver badge

        Re: Oh not biometrics again

        >Facial recognition is still rather unreliable, can be easily fooled and requires a rather important back-end.

        As far as my son and daughter are concerned facial recognition works perfectly on the Xbox One!

        They enter the room and most of the time the Kinect automatically logs them in as me, I go in and get logged in as one of them; largely making parental controls even more pointless (IE on the Xbox has a 'feature' that after a couple of minutes on xbox.com, automatically logs into the parent account, regardless of whichever account on the Xbox is actually signed on).

My son (age 12) has finally decided parental controls are a nuisance and has simply turned them off. At least he hasn't yet bothered with the content restrictions, but to watch "The Grand Tour" he needs 'relaxed' ratings. I think it will be a couple of years before he has need to play around with these...

    3. Pen-y-gors Silver badge

      Re: Such an enigma...

      There are good reasons - biometric ID and passwords are very different creatures.

      Biometrics mean that a known individual is accessing the system (assuming no-one's used the old cutting-off-the-finger trick, or the old R.Austin Freeman 'Red Thumb' method for faking fingerprints, written in 1907)

      Passwords mean that someone with the password is accessing the system. So you can give your password to someone else if you want. And a good defence is that someone must have intercepted your password or shoulder-surfed you in an Internet cafe.

      1. Charles 9 Silver badge

        Re: Such an enigma...

        "Biometrics mean that a known individual is accessing the system (assuming no-one's used the old cutting-off-the-finger trick, or the old R.Austin Freeman 'Red Thumb' method for faking fingerprints, written in 1907)"

        What about the Gummi Finger? Proven to work by the MythBusters, even.

  11. Tigra 07 Silver badge
    Facepalm

    >> Insert loud headslapping sound here <<

    I suspect a lot of people will simply change their passwords from "password1" to "password2" after this...Just to throw off the cyber criminals, you know...

  12. Tigra 07 Silver badge
    Pint

    Reminds me of this old gem...

    When creating a password:

    cabbage

    Sorry, the password must be more than 8 characters.

    boiled cabbage

    Sorry, the password must contain 1 numerical character.

    1 boiled cabbage

    Sorry, the password cannot have blank spaces.

    50fuckingboiledcabbages

    Sorry, the password must contain at least one upper case character.

    50FUCKINGboiledcabbages

    Sorry, the password cannot use more than one upper case character consecutively.

    50FuckingBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessImmediately

    Sorry, the password cannot contain punctuation.

    NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessImmediately

    Sorry, that password is already in use!

    1. Anonymous Coward
      Coffee/keyboard

      Re: Reminds me of this old gem...

      Mustn't forget the "password is too long" response.

      wtf? "passwords must be secure... woah! not that secure!!"

      1. Stoneshop Silver badge
        Windows

        Re: Reminds me of this old gem...

        Error Message: Your Password Must Be at Least 18770 Characters and Cannot Repeat Any of Your Previous 30689 Passwords

      2. Anonymous Coward
        Anonymous Coward

        Re: Reminds me of this old gem...

        Please keep passwords short enough and simple enough that they are not hard for the NSA to type out.

        Sincerely

        Some guy who does not work for the NSA

  13. Roland6 Silver badge

The linked article <https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14> is interesting.

    This database seems to be an aggregation of a number of previous breaches and thus spans several years of Internet usage and can for any particular email address give an idea of the level of password re-use etc.

    Interestingly, because of the aggregation, I see that even passwords of 10 characters have made it into the top 20.

    I see that both in the linked article and here on El Reg, little real thought is being given as to how user credentials are stored, transported and looked up, particularly on websites.

    1. Naselus

      " I see that even passwords of 10 characters have made it into the top 20."

      So Password123 remains safe, then?

  14. The_H

    I'd love to know where they get some of this stuff.

    I recently had an iPhone imposed on me by my employer. Created an iCloud email address that I have used for absolutely nothing, and it's a weird combination of letters and numbers that I'll never remember. The only time it was ever used was on the brand new, out-of-the-box iPhone's setup screen... but by the end of the same day it had *hundreds* of spam emails in it. That email address somehow got out of the iPhone universe... and not thanks to me.

  15. Zippy's Sausage Factory
    Flame

    It'd be nice if someone like HaveIBeenPwned would load this up and then tell you WHAT PASSWORD they had in that list. I can then use my password manager to find that password, plus I now know where the leak came from.

    Oh wait, but then I might sue someone, and they might sue HIBP because - well, if your security got breached and nobody ever finds out, did it really happen? I mean, that's an approach that's working SO WELL for Uber right now...

    1. Naselus

      Do you not think there's a slight flaw in the idea of listing all sites and passwords whenever you type in a known username?

      As in, what if you typed in someone else's email address, for example?

      1. Roland6 Silver badge

        Re: Do you not think there's a slight flaw in the idea...

        Re: It'd be nice if someone like HaveIBeenPwned would load this up and then tell you WHAT PASSWORD they had in that list.

        Looking back, this is the substantive part of the email I received from HaveIBeenPwned when LinkedIn was Pwned:

        "You've been pwned!

        You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:

        Breach: LinkedIn

        Date of breach: 5 May 2012

        Number of accounts: 164,611,595

        Compromised data: Email addresses, Passwords

        Description: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

        It would make sense for Troy to amend the lookup and to send the results (suitably secured) to the user entered email address, thereby getting around this issue...
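The storage detail in the HIBP notice above, unsalted SHA1, is what made the LinkedIn passwords quick to recover. The following added Python example (not part of this thread or of HIBP's code) shows why: with no salt, equal passwords give equal digests and one precomputed table covers every account, whereas a per-user salt with an iterated hash (PBKDF2 here) makes each record unique and forces the work to be redone per account. The password list and user records are constructed for illustration, not breach data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed list of common passwords (illustrative, not taken from any breach).
COMMON_PASSWORDS = ["123456", "password", "linkedin", "pa55word", "qwerty"]


def sha1_unsalted(password: str) -> str:
    """The scheme the HIBP notice attributes to the LinkedIn data: one SHA1 per
    password, no salt, so equal passwords always give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Digest -> password table. Computed once, it applies to every account in an
    unsalted store, which is why such dumps are recovered in days."""
    return {sha1_unsalted(p): p for p in candidates}


def match_unsalted(store, table):
    """Map each user whose unsalted digest appears in the table to that password."""
    return {user: table[digest] for user, digest in store.items() if digest in table}


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 200_000):
    """Salted, iterated storage (PBKDF2-HMAC-SHA256). A fresh random salt per user
    means equal passwords give different records and no shared table applies."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a login attempt against a stored record."""
    _, candidate = pbkdf2_record(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed user table stored the unsalted way.
    unsalted_store = {
        "alice": sha1_unsalted("password"),
        "bob": sha1_unsalted("password"),
        "carol": sha1_unsalted("correct horse battery staple"),
    }
    table = build_lookup_table(COMMON_PASSWORDS)
    found = match_unsalted(unsalted_store, table)  # alice and bob, not carol
    # Reuse is visible even before any lookup: identical digests.
    same_digest = unsalted_store["alice"] == unsalted_store["bob"]

    # The same password stored salted twice: two different records, both verifiable.
    salt_a, rec_a = pbkdf2_record("password")
    salt_b, rec_b = pbkdf2_record("password")
    return found, same_digest, rec_a != rec_b, verify_pbkdf2("password", salt_a, rec_a)


if __name__ == "__main__":
    print(demo())
```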

  16. Anonymous Coward
    Anonymous Coward

    Somebody tell the banks

    If you have the misfortune to hold an MBNA card, there's no option anywhere to change your password, short of hitting the "I've forgotten my details" link and going through the rigmarole of proving who you are by re-sharing supposedly secure details about yourself.

    Yeah, that's secure.

    A/c as I'm ashamed that an expensive divorce and my subsequent financial pain led me to MBNA's door. Still, only another 18 months and I'll be free of them forever!

  17. Anonymous Coward
    Anonymous Coward

    How do I check if my password's been compromised

What someone needs to do now is to set up a search tool so people can submit their password & account info to check whether it's been compromised...at least the "am I compromised" check would be simple :)

    1. Roland6 Silver badge

      Re: How do I check if my password's been compromised

      Visit Troy Hunt's website: https://haveibeenpwned.com/

      Although it might be a few weeks before this latest credential haul is uploaded.

    2. fidodogbreath Silver badge
      Joke

      Re: How do I check if my password's been compromised

What someone needs to do now is to set up a search tool so people can submit their password & account info to check whether it's been compromised

      Send them to me. I'll check for you...

  18. DougS Silver badge

    I have two accounts on there

    Both of them have a similar password, which is what I use for throwaways - one for places I never need to look at the email (goes to a hotmail account I never login to) and the other for places I may need to look at the email (mostly used for online shopping at places that don't save your CC info or web forums)

    They've had the same password for 15+ years so it is not surprising they were on the list. What I was surprised about is that my non-hotmail email address was not listed with a SINGLE other password, indicating nothing I consider more important and gets a better password was compromised. Out of a list of 1.4 billion I was kind of expecting I might need to go do some password changes on sites like amazon, ebay, facebook and so forth but I guess that can wait.


Biting the hand that feeds IT © 1998–2019