TINS breach
Chris Katko

So did anyone know/realize that TINS accounts were breached and leaked online?



Passwords in the TINS database are hashed and salted. There is no cleartext. Therefore a breach is unlikely.

Of course I can't be sure that I prevented every possible attack. Where did you see this? Please show me some more information so I can investigate.
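
As an added illustration of what "hashed and salted, no cleartext" means for a user table (example code written for this thread, not TINS's actual implementation, and its parameters are assumptions): each record carries its own random salt and the key-derivation parameters, verification recomputes the hash and compares in constant time, and a defender can still audit records against a list of known-leaked passwords, at the full cost of one key derivation per guess.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Parameters are this example's choices, not TINS's actual configuration.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # OWASP's current guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a dump does not reveal who shares a password and a
    precomputed hash table is useless against it.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; constant-time compare."""
    try:
        algorithm, iterations_s, salt_hex, hash_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iterations_s)
    except ValueError:
        return False  # malformed or non-hex record
    # A truncated hash must not verify: PBKDF2 output for a shorter dklen is a
    # prefix of the longer output, so the length has to be checked explicitly.
    if algorithm != ALGORITHM or iterations <= 0 or not salt or len(expected) != DKLEN:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return hmac.compare_digest(dk, expected)


def records_are_unlinkable(password: str) -> bool:
    """Same password, two enrolments, two different stored records."""
    return hash_password(password) != hash_password(password)


def matches_known_leaked(record: str, leaked_passwords: Iterable[str]) -> Optional[str]:
    """Defender-side audit: does this record match any entry of a known-leaked list?

    Each candidate costs a full key derivation, which is exactly what the
    iteration count buys: a salted, slow hash protects unique passwords well and
    re-used, guessable ones poorly.
    """
    for candidate in leaked_passwords:
        if verify_password(candidate, record):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample values for a stand-alone run.
    rec = hash_password("correct-horse-constructed")
    print(rec)
    print("verify ok:", verify_password("correct-horse-constructed", rec))
    print("wrong password:", verify_password("hunter2", rec))
    print("leaked match:", matches_known_leaked(hash_password("letmein"), ["123456", "letmein"]))
```

The record format is self-describing so the iteration count can be raised later and old rows re-hashed on next login; a stored record never lets you tell whether two users picked the same password, which is why the thread's question has to be answered from the user's side rather than from the database.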

Matthew Leverton

I assume it's saying his password from TINS was found in a data dump. If it's a unique, random password, then it's unlikely that it came from elsewhere.

I just act as if all passwords on all sites are in the public domain, and I rotate ones I care about and/or enable TFA. And every password of mine is completely randomly generated.


I really do want to know more about this. I could check my own password for example.

Chris Katko

It showed in my Chrome (google checks against known breaches).

You can also check if your e-mails (or all e-mails in your database) show up as flagged in haveibeenpwned.com

I don't believe Google tells you the specific breach. It is possible that it's not breached, like Matt said, and a common e-mail and password were stored in Chrome, which then flagged. As in, anywhere I used my e-mail and that password would show up in that Chrome warning menu.
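
The e-mail lookup on haveibeenpwned.com is a straight search; the same site's Pwned Passwords service checks a password without ever receiving it, by having the client send only the first five hex characters of the password's SHA-1 and match the rest locally. The following is an added example (not code from this thread, Chrome or haveibeenpwned.com) that reproduces that k-anonymity exchange offline: `ConstructedRangeServer` stands in for the corpus side with a made-up leak list and counts, and `pwned_count` is the client side. Only the prefix ever crosses the boundary, which the server's request log shows.

```python
import hashlib
from typing import Callable, Dict, List


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class ConstructedRangeServer:
    """Stand-in for the corpus side. It only ever learns a 5-hex-char prefix."""

    def __init__(self, leaked_counts: Dict[str, int]) -> None:
        # The corpus holds hashes and counts, not passwords.
        self.table: Dict[str, int] = {sha1_hex(p): n for p, n in leaked_counts.items()}
        self.requests: List[str] = []  # everything the client actually sent us

    def add_decoy(self, prefix: str, suffix: str, count: int) -> None:
        """Another entry in the same bucket, to show the client ignores non-matching suffixes."""
        self.table[prefix + suffix] = count

    def range(self, prefix: str) -> str:
        """Same response shape as the real endpoint: one '<35-char suffix>:<count>' per line."""
        self.requests.append(prefix)
        lines = [f"{h[5:]}:{n}" for h, n in sorted(self.table.items()) if h.startswith(prefix)]
        return "\r\n".join(lines)


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally.

    Returns how many times the password was seen in the corpus, 0 if not present.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    body = fetch_range(prefix)
    for line in body.splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip().upper() == suffix:
            return int(count.strip() or 0)
    return 0


# Constructed corpus; these passwords and counts are made up for the example.
CONSTRUCTED_LEAK = {"password": 3861493, "letmein": 123456, "qwerty123": 777}
SERVER = ConstructedRangeServer(CONSTRUCTED_LEAK)
# A constructed suffix that shares the prefix of "password" sits in the same bucket.
SERVER.add_decoy(sha1_hex("password")[:5], "0" * 35, 1)


def audit(passwords: List[str], fetch_range: Callable[[str], str] = SERVER.range) -> Dict[str, int]:
    """Check a list of candidate passwords; swap fetch_range for a real HTTP fetch in production."""
    return {p: pwned_count(p, fetch_range) for p in passwords}


if __name__ == "__main__":
    for pw, n in audit(["password", "letmein", "Tr0ub4dor&3-constructed-unique"]).items():
        print(f"{pw!r}: seen {n} times")
    print("prefixes the server saw:", SERVER.requests)
```

Against the live service, `fetch_range` would be an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>`; the client logic is unchanged. This is a per-password check, so it answers "is this password in a known dump", which is the question the Chrome warning raises, not whether this particular site was breached.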

If it's a unique, random password

I doubt it's unique though I don't remember it.

But Matthew is probably right. I used to use passwords common to multiple websites before you know... everyone got hack crazy.


Ok, I checked a few email addresses in the TINS database against haveibeenpwned.com. Some of them are green, some of them are red. It doesn't look like the whole site was breached. It indeed looks like this is just a re-used password.

At this point I won't take additional security precautions, unless somebody feels strongly otherwise.


If I go to passwords.google.com it lists both allegro.cc and amarillion.org under "reused passwords" :P



Coincidentally I finally got around to cleaning up saved passwords in Firefox and Chrome, and moved them all over to LastPass instead. Then using LastPass I generated new, long, complex passwords for all the things, one-by-one.

LastPass's code to automatically generate new passphrases for known services appears to have been broken for years now (according to threads I found online anyway). I started around 11 AM and didn't finish until like 4 AM (with undefined breaks and distractions in between). :P Which is why I had put it off so long.

I've only been using a [cloud/mobile] password manager for about a year now. And I only finally switched fully to it literally today. In theory, I'm reasonably safe now. In practice, you only have to break one passphrase (well, and 2fa1.7n) to get everything that I have.

The passwords that are duplicated are for cross-platform apps that require me to type in a password to log in from the TV or game console or what have you. I didn't want to have to try to type a 48 character password by glancing at my phone (which sleeps every few seconds, requiring my fingerprint to unlock, and I think even LastPass locks in that case again). So I came up with a reasonably secure passphrase that is sufficiently random and complex that I can easily remember, and that my wife will be able to type if necessary. It's shared to make it easy because the worst thing is when you're uncertain which passphrase you used... And for the things I'm using it for I can just call the company and yell at them if my account ever gets hijacked (and if they're utilizing services I'm paying for and not using then I guess who cares).

Unfortunately, now if LastPass goes down (or I get amnesia or otherwise permanent memory loss) I'm fucked. :P

