God ****** dammit, here we go again
Use the "passwords" feature to check if one of yours is compromised. If it shows up, never ever reuse those credentials. They'll be baked into thousands of botnets etc. and be forevermore part of automated break-in attempts until one randomly succeeds.
For me, if this happens, it has no impact since almost every page i sign up to has a unique password. The most important ones has mfa as well.
Use a password manager. Simple.
Right answer. In fact, the only viable answer.
I think its almost a crime that browsers havent evolved to make users generate unique, secure passwords by default. Its just another huge sign that these browser companies dont care about security or privacy, despite their marketing departement rabbling those words.
I dont think there has been any evolution at all in this area. Browsers can save passwords but they dont help the user generate secure, unique ones, and dont encourage users to have separate accounts. Instead the web is trying to make users use something like Google or Facebook logins, so they are completely dependent on those tech companies.
Same, but I do have some level of worry regarding portability. My solution isn't local or self hosted, as I was looking for easy and works across Linux/Windows/Mac/Android/iOS. I do not look forward to needing to change to a new password manager in the future, but given the way everything seems to be going it seems likely that I'll have to at some point.
It takes a little more effort to setup, but the alternative to syncing a local keystore db like KeePassXC would be vaultwarden, which is a self hosted open source Bitwarden server that gives you all the features of Bitwarden and has full compatibility with all the clients.
Spinning it up is actually very easy, you just have to decide if you want to integrate SSL via a reverse proxy setup or just use the builtin webserver for HTTPS.
KeePass and syncthing. I use Keepass2 on a Linux desktop and laptop, KeePassDX on Android, and use syncthing to keep everything synchronized and up to date, also using an old raspberry pi to act as a central server for syncthing.
Modifying the database on one device seamlessly updates the other devices once they're visible on the network, everything works beautifully and is very easy to set up on a local network.
Pretty much default configuration all the way around, just gotta make sure syncthing starts on boot. Just did a brief search, syncthing seems to have a MacOS fork, and iOS will need Möbius Sync, which is paid but the free tier offers 20MB storage sync which is overkill for KeePass.
1Password and Bitwarden both work across multiple devices, os's and browsers. Work uses 1Password which i have on work computer and work phone. i use bitwarden across home desktop, laptop, phone, homelab, testing phones
I use a password manager in my personal life but my job doesn't allow it so I have to keep the 10 or so passwords I have for various vendor sites in my notes. All my passwords are the same thing with slight variations to meet the different asinine password policies the different sites use. It's fucking stupid but I don't care if they're not going to give me a good way to keep all this shit straight.
Totally fair. I also dont care if company blocks things i need to do it right.
How unique do passwords have to be in order to be considered safe? If they follow a pattern are they still safe or do these bots try alterations to the leaked passwords as well?
Like if your password to Reddit was reddit1234 and your password to Google was google1234, if the Reddit password leaked is your Google one still okay?
Probably not if it's a human but bots shouldn't be able to figure that out ya?
They are completely random strings for each site, so having one will not help crack the other.
But if people pick their own passwords, it tends to be some word like you wrote, and then a hacker could try and crack the others by guessing similar words.
That would be great if I only used one browser on one device with one operating system. Between my work laptop, my Macbook, my phone, and my gaming PC nothing syncs and it's very difficult to share storage between all of them.
Stuffing? Just in time for the holiday season!
moans "stuff me santa"
Santa: "we are skipping that house"
This is the type of unhinged shit I signed up for!
The thing about this one is no one seems sure of the source (it appears to be from multiple sources, including infostealer malware and phishing attacks), so you don't know which passwords to change. To be safe you'd have to do all of them.
Some password managers (e.g. Bitwarden) offer an automatic check for whether your actual passwords have been seen in these hack databases, which is a bit more practical than changing hundreds of passwords just in case.
And of course don't reuse passwords. If you have access to an email masking service you can not only use a different password for every site, but also a different email address. Then hackers can't even easily connect that it's your account on different sites.
How do they do that without sending your actual passwords somewhere off your device, or downloading the full list of hacked passwords?
More details about the k-anonimity process. https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/
The short answer is that they download a partial list of passwords that hash to values starting with the same 5 characters as yours and then check if your password hash is in that list locally. This gives the server very little information about your password if it was not breached and more if it was (but then you should change it anyway), making an elegant compromise
They probably hash the list of hacked passwords the same way your passwords get hashed and check for matches.
They connect to the Have I Been Pwned database in a secure way.
They make a hash of your password and send just the first characters.
Why did you censor yourself in the title?
Probably because they primarily live in a censorship world, be it digital or in-person, and change is difficult for most people.
Pratchett fan
-ing hell, is it?
They'll censor "fucking", but still use the Lord's name in vain. smh.
Who cares about your invented god? Let people speak however they want
No one gave you the memo?
You're allowed to swear on the internet as long as you're not one of the weird instances.
what ******* memo?
As someone who consults in the IT Security space, It's bad out there. Contractors and BYOD companies are downright sheepish in asking their outsourced employees to do anything security-related to their devices. The biggest attack vector is allowed unfettered remote access (and therefore the whole company and any bad actors are also granted unfettered remote access)
I still can't get over how quickly companies-at-large have abandoned VPN Servers (removing network trust from the list of options as well)
I'm down to managed browsers via IdP, and I just can't wait for the objections to that as well. People out here offering their faces to leopards. Certificate-based MFA on all the things IMO - passwords shouldnt matter (but six digit MFA codes aren't immune to fake landing pages and siphoned MFA tokens that don't expire)
I use utterly unique and very long passphrases for the most important stuff (banking, mortgage servicing, email, etc.), 2FA for those and most other things, and just throwaway crap passwords for things I don't care about (web forums and most everything else).
God fucking dammit, I fucking hate seeing people self-censor themselves on the internet.
Proud that my only pwned password is three decades old.
I've been "pwned" four times.
None of them due to my end. Every single fucker was a piss poor company security
Yeah gotta make sure you never use the same password in multiple places, use a password manager.
Comprised of email addresses and passwords from previous data breaches,
So these are previously “hacked” data, and now the aggregator has been hacked?
The aggregator wasn't hacked, they essentially hacked the hackers and put together this list. This ain't a data breach per se, it's just putting together a bunch of past breaches and patching it up to HIBP.
Ah, gotcha. Thanks.
This is why my password is hunter2, no one can see what is says under the asterix,
(it's asterisk)
for anyone who doesn't get the reference, it's an ancient Bash chatlog: https://knowyourmeme.com/memes/hunter2
Apparently my email was included in this breach, but none of the passwords I used with it were (before I started using randomly generated ones).
Possibly related question. Layely I've been getting email 'replies' from various businesses and services (all over the country, USA) all about an 'inquiry' that I never made. Apparently someone just got my email address and is using that for -- what ? A couple questions:
** What is that someone up to, why doing that?
** Should I do something about that?
** What could I do? Don't want to change email address.
That's just your email address being sold by information brokers. Not illegal, not a reason to change your email address. Block, delete & move on.
Probably unrelated, domain spoofing is common, but miss-configured mail servers will accept those emails and process auto replies. They can also abuse input forms to try and send out emails, but that typically does not have much control over content.
If you are getting more emails than you can deal with, than can be used to try and mask other emails by burying them in a large email volume. In that case you should be looking for emails from important accounts you do own (eg banking.)
I got this email a few days ago. I don’t even know who these people are and why they have my details. But I’ve had to change my Google account passwords anyway.
Are we supposed to pronounce the two "data"s differently when reading aloud? Asking for a friend...
One is like data from Ten Forward.
The first one is like Mister, the second one is like "that, uh...."
It's day-ter not da-ta.
Is there any info regarding how old this data is?
The breach occurred in April 2025.
During 2025, the threat-intelligence firm Synthient aggregated 2 billion unique email addresses disclosed in credential-stuffing lists found across multiple malicious internet sources. Comprised of email addresses and passwords from previous data breaches, these lists are used by attackers to compromise other, unrelated accounts of victims who have reused their passwords. The data also included 1.3 billion unique passwords, which are now searchable in Pwned Passwords. Working to turn breached data into awareness, Synthient partnered with HIBP to help victims of cybercrime understand their exposure.
This was added to Have I Been Pwned on Nov 6
Irony
Oh no, some Russian troll farm now knows my favorite color.
Protip for the room: Use a password manager with a unique password for every service. Then when one leaks, it only affects that singular service, not large swaths of your digital life.
And an email alias.
I hate how many places don't allow for + aliases. I want to know who leaked my email.
Catch-all address 😎
Don't forget unique email addresses. I've had two spam emails in the last 6 months, I could trace them to exactly which company I gave that email address to (one data breach, one I'm pretty sure was the company selling my data). I can block those addresses and move on with my life.
My old email address from before I started doing this still receives 10+ spam emails a day.
I've started using {emailaddress}+{sitename}@gmail.com i.e. myemail+xyzCompany@gmail.com
That way I can at least see who sold my info. I wish I would have started doing this long ago though. Some sites dont let you use the plus symbol even though it's valid though
Also 2FA. You'll still want to change passwords but it buys you time.
Also, length is most of what matters. A full length sentence in lowercase with easy to type finger/key flow for pw manager master, and don't know a single other password. Can someone correct me if I'm wrong?
I've found that there are a handful of passwords that you need to remember, the rest can go in the password manager. This includes the password for the password manager, of course, but also passwords for your computer/phone (since you need to log in before you can access the password manager), and your email (to be able to recover your password for the password manager).
You are also correct that length is mostly what matters, but also throwing in a random capitalization, a number or two, and some special character will greatly increase the required search space. Also using uncommon words, or words in other languages than english can also greatly increase the resistance to dictionary attacks.
You are mostly correct it is length * (possible char values).
See passphrase generator.
https://www.keepersecurity.com/features/passphrase-generator
As always, the most secure password is the least convenient and accessible. It's a trade off, but you want fewer dictionary words and patterns overall. Preferably with a physical component for the master password.
Longer is better...giggitty.
Which one works on all browsers including mobile safari and mobile Firefox?
Bitwarden has been good for me, but I actually don't know about safari...
Keepass does a pretty decent job. I have keepassXC on my Windows, Debian and Android devices. On Android it's integrated into the phone(and the autofill service if actual 2fa isn't supported on the app) so it works on every application. With IOS though I know they can be a stickler on anything remotely technical so I'm not sure if something similar exists with it. I also use syncthing as the service to make sure the same copy of the database is on each device to prevent having to use a password manager that requires a subscription for a cloud service, this also minimizes my risk factor of a cloud service being compromised.
Heard great things about bitwarden. I’ve personally been using 1Password for over a decade.
For mobile safari Bitwarden (and I think a number of others, but Bitwarden's the only one I can speak to) ties into Apple's password management system for autofill and password generation. Still have to use the app or webpage (either Bitwarden's official site or self-hosted vaultwarden) for more in depth management.
For mobile Firefox, on iOS it's the same as Safari. On Android you can either use the Bitwarden add-on or use it with the app and Android's built-in password management system just like on iOS.
Since you mentioned "all browsers" for chrome/chromium based browsers there is also on add-on for both mobile and desktop. For Internet Explorer and pre-chrome Edge I don't believe there's an add-on but it can still work, it'll just be more of a pain since you autofill either won't work or will be spotty. You'll probably be relying on the standalone desktop app.
On MacOS it integrates with Apple's password management, so no need for an add-on on desktop safari.
For other browsers, you'll probably have to use the desktop app and manually copy/paste just like for IE.
I also remember seeing some third-party integration for the windows terminal app and various Linux terminals, but I can't really speak to their quality or functionality since I haven't used them. But that would probably cover your needs for terminal based browsers like Lynx.
Not an iOS user and it certainly seems like something they would be behind on, but with Android every password manager with a Android app will work since the hooks are built directly into Android. Other than websites and apps that don't implement passwords properly it works pretty well.
Bitwarden
Keychain should work in both now. (iCloud passwords)
I'm a big fan of the Keep It Simple (KISS) approach, and went with Password Safe. Works on Linux, Windows, iOS, and Android. It's big thing is it just makes an encrypted password file which then you can sync between devices however you like (Box, Dropbox, etc)
It has an auto-type and copy feature, so no need for browser support. Though, the main criticism of this offering is if you want a ton of features and don't care about KISS.
If there's one thing I've always been wary of, it's the password manager browser extensions. And I've been proven right. Don't be lazy, it takes 30 extra seconds to do it manually.
Pishing detection is nice though, I'll admit.
I was thinking about this earlier. The password manager browser plugin I use (Proton Pass) defaults to staying unlocked for the entire browser session. If someone physically gained access to my PC while my password manager was unlocked, they'd be able to access absolutely every password I have. I changed the behavior to auto-lock and ask for a 6-digit PIN, but I'm guessing it wouldn't take an impractical amount of time to brute-force a 6-digit PIN.
Before I started use a password manager, I'd use maybe 3-4 passwords for different "risks," (bank, email, shopping, stupid shit that made me sign up, etc). Not really sure if a password manager is better (guess it depends on the "threat" you're worried about).
Edit: Also on my phone, it just unlocks with a fingerprint, and I think law enforcement are allowed to force you to biometrically unlock stuff (or can unlock with fingerprints they have on file).
If someone can gain physical access to your PC you are done anyway, he van simply copy the file or do whatwver he want
Yes, it is better. The likelihood that someone will physically access your device is incredibly low, the likelihood that one of the services in your bucket gets leaked and jeopardizes your other accounts is way higher.
I set mine to require my password after a period of time on certain devices (the ones I'm likely to lose), and all of them require it when restarting the browser.
True, but it's also highly unlikely that LE will steal your passwords.
My phone requires a PIN after X hours or after a few failed fingerprint attempts, and it's easy to fail without being sus. In my country, I cannot be forced to reveal a PIN. If I travel to a sketchy country or something, i switch it to a password unlock.
And when that password manager gets cracked?
Got any examples? Because I have…some…examples of password reuse being a real-life problem.
I seem to remember that the passwords were encrypted so, all they got was the passwords people use for their password manager which because people were using the password manager and therefore had random passwords it didn't really matter hugely.
Just as an example, 1Password has a secondary encryption key that they can’t even recover. If you lose it, you’re fucked. I doubt the chances of that being cracked are any good at all.
I use a "password pattern", rather than remembering all the passwords, I just remember a rule I have for how passwords are done, there are some numbers and letters that change depending on what the service is so every password is unique and I can easily remember all of them as long as I remember the rules I put in place
So when someone figures out your rule he has all the passwords
Yes and no; they have their own issues:
https://cybersecuritynews.com/hackers-weaponize-keepass-password-manager/
I assure you, the rare security issues for password managers are far preferable to managing compromises every couple weeks.
Don't download shit from random websites... make sure its from legit places...
Oh, so don’t use unique passwords? Sure buddy.
A password manager is still a good idea, but you have to not use a hacked one. So only download from official sites and repositories. Run everything you download through VirusTotal and your machine's antivirus if you have one. If it's a Windows installer check it is properly signed (Windows should warn you if not). Otherwise (or in addition) check installer signatures with GPG. If there's no signature, check the SHA256 OR SHA512 hash against the one published on the official site. Never follow a link in an email, but always go directly to the official website instead. Be especially careful with these precautions when downloading something critical like a password manager.
Doing these things will at least reduce your risk of installing compromised software.