Login change coming: enforcing non-compromised passwords

Forums › Geekzone › Login change coming: enforcing non-compromised passwords

1 | 2 | 3 | 4 | 5

Networkn
32862 posts

Uber Geek
+1 received by user: 15453

ID Verified

Trusted

Lifetime subscriber

#2648239 5-Feb-2021 15:48

fearandloathing:

The 'have i been pwned' API is great, I wrote a script that takes all the email address in the exchange tenant and checks them against the 'have i been pwned' API.

@freitasm will you be reevaluating using Yubikeys as an alternative factor for geekzone.

I'd love a copy of that script please!

fearandloathing

537 posts

Ultimate Geek
+1 received by user: 206

ID Verified

Lifetime subscriber

#2648253 5-Feb-2021 16:39

It's just a modified version of this

Check Office 365 accounts against Have I Been Pwned breaches - GCITS

you may want to change

$uri = "$baseUri/breachedaccount/$uriEncodeEmail"

$uri = "$baseUri/breachedaccount/$uriEncodeEmail/?truncateResponse=false"

however, as @GregV pointed out it is redundant Have I Been Pwned: Domain search

old3eyes

9158 posts

Uber Geek
+1 received by user: 1364

Subscriber

#2648255 5-Feb-2021 16:42

Got the login change about an hour ago. Did the password change no biggy but what is "Your IP address is rate limited due to too many connections. It will automatically unlock soon" I was locked out for about 30 minutes.. ??

Edit. Looks like I was pawned at an old Pluto TV account.

Regards,

Old3eyes

Mehrts

1112 posts

Uber Geek
+1 received by user: 984

Trusted

#2648315 5-Feb-2021 17:12

+1 for using Bitwarden. It sits in the background and just does its job nicely.

Using it with iOS devices and Firefox on MacOS with zero issues. Can enable touch/faceID on iOS too which saves having to type in the master password each time.

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2648328 5-Feb-2021 18:03

@old3eyes:

Got the login change about an hour ago. Did the password change no biggy but what is "Your IP address is rate limited due to too many connections. It will automatically unlock soon" I was locked out for about 30 minutes.. ??

Edit. Looks like I was pawned at an old Pluto TV account.

If you tried to login a couple of times then decided to reset password you probably ended up using the login page five times on a very short time - we rate limit that page to avoid credential stuffing.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

hsvhel

1273 posts

Uber Geek
+1 received by user: 596

ID Verified

#2648433 5-Feb-2021 20:28

I got the multiple logins when i was VPN'd to our offshore servers.

Although I've not been pwned I guess I triggered a reset based on the password, which I am surprised, of all the years since late 90's has never been an issue

Referral Link Quic

Free Setup use R502152EQH6OK on check out

Dyson

Shop now for Dyson appliances (affiliate link).

sparkz25

750 posts

Ultimate Geek
+1 received by user: 284
Inactive user

#2648459 5-Feb-2021 23:07

So how long does this thing last? no indication as to time or when this happened

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2648460 5-Feb-2021 23:11

About 15 to 30 minutes.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

ANglEAUT

altered-ego
2436 posts

Uber Geek
+1 received by user: 841

Trusted

Lifetime subscriber

#2648471 6-Feb-2021 00:35

Eva888: ... Question if I use bitwarden, does IPad still remember the passwords generated by it so there’s a sort of back up?

Yes, starting to use a password manager app does not clear your iOS / Mac Keychain store. I would advise against this. Stick with one password manager. They will get out of sync very quickly.

MurrayM: So it keeps a local copy of the DB on each device? That would make sense and as you say I could export that if I ever needed to. ...

While there might be a local cached DB, you will not be able to access it. I am very sure the devs will prevent as much as possible local access to the files.

Please keep this GZ community vibrant by contributing in a constructive & respectful manner.

BlinkyBill

1443 posts

Uber Geek
+1 received by user: 1100
Inactive user

#2648553 6-Feb-2021 09:29

Thanks for your help, Mauricio. Kids - don't link an obsolete email address to your GZ account.

BlakJak

1330 posts

Uber Geek
+1 received by user: 735

Trusted

#2649065 7-Feb-2021 18:32

eracode:

xpd:

Hmm maybe time for me to update passwords.... Ive been lazy and I know the one I use here has appeared in the HIBP database previously.

<wil go do now>

Same. Done too.

Seriously, anyone running a set of creds that've appeared in HIBP is setting themselves up for failure.

Get yourself a password safe and start using unique-passwords-everywhere. Can't emphasize the value of this enough.

No signature to see here, move along...

Apple TV

Stream your favourite shows now on Apple TV (affiliate link).

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2653146 10-Feb-2021 16:16

Special tidbit: of 900 people logging in the last five days since we've implemented this, about 650 had to reset their passwords.

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

clinty

1201 posts

Uber Geek
+1 received by user: 402

Lifetime subscriber

#2653149 10-Feb-2021 16:21

freitasm:
Special tidbit: of 900 people logging in the last five days since we've implemented this, about 650 had to reset their passwords.

Maybe a badge for those that didn't :)

Clint

freitasm

BDFL - Memuneh
80646 posts

Uber Geek
+1 received by user: 41030

Administrator

ID Verified

Trusted

Geekzone

Lifetime subscriber

#2653151 10-Feb-2021 16:24

clinty:
freitasm:

Special tidbit: of 900 people logging in the last five days since we've implemented this, about 650 had to reset their passwords.

Maybe a badge for those that didn't :)

Clint

That's an idea...

Referral links: Quic Broadband (free setup code: R587125ERQ6VE) | Samsung | AliExpress | Wise | Sharesies

Support Geekzone by subscribing (browse ads-free), or making a one-off or recurring donation through PressPatron.

jarledb

Webhead
3319 posts

Uber Geek
+1 received by user: 1983

Moderator

ID Verified

Trusted

Lifetime subscriber

#2653152 10-Feb-2021 16:29

What should it be called? I suggest Password Ninja.

Jarle Dahl Bergersen | Referral Links: Want $50 off when you join Octopus Energy? Use this referral code
Are you happy with what you get from Geekzone? Please consider supporting us by making a donation or subscribing.

1 | 2 | 3 | 4 | 5