Massive Data Breach (For those who don't know yet)

So there was a really massive data breach recently, which means a bunch of email-username-password combos have been thrown to the wind.

You can find a search bar of affected sites here.

Some really big ones got hit, in particular, so it’s good to make sure you have all your ducks in a row. Here are some particularly-concerning ones, or ones that the people here might be more likely to have accounts for:

  • Avast
  • chess.com
  • Dropbox (thanks, Harry)
  • GitHub
  • Kickstarter
  • LinkedIn
  • Patreon
  • Telegram
  • Tumblr
  • Walmart
  • X / Twitter

Not trying to freak anyone out, but if this sort of news tends to fly past you, then you’re welcome.

Go change your passwords!

20 Likes

I will add Dropbox as well.

I have forgotten some of the passwords. Like this forum, for instance. I wonder what the procedure is to have that fixed? I can’t even remember my Zoom account login names. :face_with_spiral_eyes:

Also, I used Google Authentication on some of the accounts, but I can’t remember for the life of me which ones. :sob:

5 Likes

Added! :grin:

4 Likes

Interesting list, because it points more toward politics than greed behind this attack (in the EU, farcebook is more used than xtwit); LinkedIn, Telegram and Tumblr are more used in the US than elsewhere, and Walmart… well, is practically unknown outside the USA.

The most serious site breached is by far GitHub, because, well, too many IT companies use it as a closed dev cloud, and significantly so (I’m looking @ the list of big companies’ endorsements and success stories, incl. a major US airline and one of the major US automotive corporations; the impact of compromised safety-related firmware on civil aviation and automobiles is too ugly to contemplate…)

Best regards from Italy,
dott. Piergiorgio

2 Likes

If you look at the details, it’s a collection of previous breach data, not a new breach. Although some of the data will be newly reported, so check your passwords anyhow. And don’t reuse passwords.

7 Likes

Thanks, Zarf!

Anyway, it remains that downloading an archive of archives is easier than downloading single archives, so the breach not only makes sense, but can be a clue that the perp has the need of getting on par ASAP, a non-minor detail, IMVHO.

Best regards from Italy,
dott. Piergiorgio.

1 Like

Huh? Getting on par? I beg your pardon, I don’t understand what you mean.

Sorry Peter, I mean “on the same level as the others”…

ISTR it’s a golf term, or am I wrong?

Best regards from Italy,
dott. Piergiorgio.

2 Likes

“On par with” is a golf term, and you’re right about the general meaning. I usually hear it used to make a specific comparison, though. (If I wanted to say “catch up to the level of others in general”, I’d probably say “get up to speed”.)

Y’know, any decent comp sci graduate should know how to represent passwords in databases in a way that would make it massively cost-ineffective to try to do anything with a leaked password db. It’s not complicated; it just requires more computing resources per login. But here in the third decade of the third millennium there are grown-ass companies still just md5-ing unsalted passwords.

I’ll mercifully spare y’all the explanation (the wikipedia password strength article is decent), but these 3 things will make you close to bullet-proof even if a site’s password db is leaked.

  1. Like Zarf said above, a unique password on every site.
  2. Each of those unique passwords is honest-to-god randomly generated. Humans suck at randomness. Your clever scheme to reuse the same password but with the first two letters of the corresponding website’s domain in front? It also sucks. Just 16 randomly generated mixed-case alphabetic characters would be all you needed (well, for the foreseeable future, at least). Throwing numbers and punctuation into the pool helps less than you might imagine. 16 mixed-case alphabetic characters trumps 14 characters from the 95 printable ASCII characters.
  3. A password manager. It’s not feasible to have different random passwords everywhere and remember them all. I haven’t checked the environment lately, but as of the last time I did, 1Password and BitWarden were the only ones I’d recommend. They have associated browser extensions so you don’t have to actually type your long, hard-to-type passwords, other than the password to your password vault (for which I use a password that looks like relive54trimming27fine27rate62refresh… long but not especially hard-to-type.) I wouldn’t recommend LastPass.

and then there’s a silent #4: avoid logging into things on devices you don’t control, and maintain the security of your own devices. The things above protect you from the consequences of websites’ databases leaking, but that doesn’t help you if something is stealing your password as you use it.

(2FA that isn’t by SMS is good, but it’s not a substitute for the above.)

6 Likes
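The two technical points in the post above (the cost to an attacker of unsalted MD5 storage versus a salted, deliberately slow KDF, and the entropy of the two alphabet/length choices being compared) can be checked with a short script. This is an added example, not code from anyone in the thread; the guess rate handed to `expected_crack_years` and the test password are constructed values for illustration only.

```python
import hashlib
import math
import secrets
import string

# The two alphabets the post compares: 52 mixed-case letters vs all 95 printable ASCII characters.
ALPHA_MIXED_CASE = string.ascii_letters
ALPHA_PRINTABLE = "".join(chr(c) for c in range(32, 127))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of a password drawn uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Years to search half the keyspace at an ASSUMED guess rate (illustrative only).

    The real rate depends on the hash: unsalted MD5 is orders of magnitude cheaper per
    guess than a salted, iterated KDF, which is the whole point of the post."""
    return (2 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


def generate_password(alphabet: str, length: int) -> str:
    """Uniform random choice from a CSPRNG; random.choice is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_unsalted_md5(password: str) -> str:
    """The storage scheme the post complains about: fast, and identical passwords produce
    identical hashes, so one cracked hash reveals every user who chose that password."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_salted_pbkdf2(password: str, salt=None):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256, 600k iterations, a commonly
    recommended count). Same password, different salt -> different digest, and each guess
    costs the attacker 600k HMAC operations instead of one MD5."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
    return salt, digest


def verify_salted_pbkdf2(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_salted_pbkdf2(password, salt)[1], stored)
```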

Regarding such things, I do not trust any password manager that is not personally constructed and accessed. Preferably with the option to manually reconstruct a backup by hand. What if your device is damaged/lost? You’ll be stuck without any passwords.

In my mind, password generators requiring mixed case, numbers, and punctuation are less secure than enforcing password length. I can remember long phrases associated with a certain site, but capitalizations, numbers, and symbols always tripped me, and hence the need for password managers.

xkcd did a comic on this, but I digress.

Edit:
BTW, I do have a technique to simulate the Enigma cypher using 2 decks of cards. Or a half Enigma cypher using 1 deck of cards. No case, numbers, or marks available, just like the original. Any opinion on how this can be best used for password creation?

Enigma has been cracked since WW2, but I think that’s mainly due to the limited number of plates. 7 cyphers and 3 reflectors, if I remember correctly.

Most sites offer a recovery via your email. You only need to remember your email address.

Can’t do. Email is a weak link. Unfortunately, so are SMS text messages. There have been cases of bank breaches even with a double authentication method, due to phone number hijackings. The suspicion is that it’s an internal attack, but details are sparse regarding the subject.

There is also xkcd: Password Strength

2 Likes