E-mail breaches : collection #1

udg

Hi all,
you may have read about this before. They collected more than 773 million emails (and a good number of passwords too) through a few data breaches against some providers.
AFAIK, Troy Hunt was the first to announce it and on his site he offers a nice API to conduct some checking.
Below you can find a quick and dirty B4J implementation of password checking. Try with your own pwd and see whether it was pwned before (in that case, change it immediately).

udg
 

Attachments

  • pwnedpwd.zip

AnandGupta

I may be wrong, but if you type your 'password' to check, that 'password' can be taken by the site, no matter what it is.
So they have a legitimate password, and more in a similar manner, to try on different sites, for whatever purpose they want.

Please correct me.

Regards,

Anand
 

udg

Please read the code. In no way do we send out our password to that external service. We just send the first five bytes of the SHA-1 hash of our password.
The service returns a list filled by items sharing those same 5 bytes. It's up to us to scan the list to find the exact match for our password.
I chose that service mainly because I see no risk in sending 5 bytes out of 40.
 
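The range check udg describes above, written out as an added Python example (it is not the attached B4J code and not part of Troy Hunt's own tooling): the password is SHA-1 hashed, the first 5 hex characters of the 40-character hex digest (what the post calls "5 bytes out of 40") are the only thing handed to the service, and the returned "SUFFIX:COUNT" lines are matched against the remaining 35 characters locally. The network call is replaced by a constructed stand-in response so the example runs offline; the breach count and the two extra suffixes in it are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# SHA-1 hex digest is 40 characters; only the first 5 are sent to the service.
PREFIX_LEN = 5

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, as the range API expects."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password: str) -> Tuple[str, str]:
    """Return (prefix sent to the service, suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]

def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; a count of 0 is padding, not a hit."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of breach occurrences for the password, 0 if not found.
    fetch_range(prefix) must return the service's response body for that
    5-character prefix; the suffix comparison happens entirely locally."""
    prefix, suffix = split_hash(password)
    assert len(prefix) == PREFIX_LEN  # only the prefix ever leaves this function
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

# Constructed stand-in for the network call so the example runs offline.
# The first suffix is the real SHA-1 tail of the string "password"; its
# count and the other two entries (one a zero-count padding line) are
# made up for this example.
FAKE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
00000000000000000000000000000000000:12
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""

def fake_fetch_range(prefix: str) -> str:
    if len(prefix) != PREFIX_LEN or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("only a 5-character hex prefix may be sent")
    return FAKE_RESPONSE
```

A real fetch_range would perform an HTTP GET of the Pwned Passwords range endpoint with the prefix in the URL and return the response body unchanged; nothing else about the password is transmitted.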

AnandGupta

I agree with you, but wanted to convey my concern about how some sites are using this fear to their advantage.

Better to use a strong password with a combination of local language and special characters. Change it periodically. Follow this for important sites like financial ones. For the rest of the sites, use a simple password which you can remember along with the site name combination.

Regards,

Anand
 