Topic # 222826 30-Aug-2017 11:52
4 people support this post

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time. 

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.
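How per-service "+" addresses let you trace a source-less dump back to the site that leaked it, as an added example that is not part of the original post. The mailbox, service names and dump lines are constructed, and it assumes your mail provider delivers `local+tag@domain` to `local@domain`; a record whose tag was stripped, or that used the base address, can only be reported as an unknown source.

```python
import re

# Constructed sample of "email:password" dump lines (not real leaked data).
DUMP = [
    "jo+geekzone@example.org:hunter2",
    "Jo+ShopNZ@Example.org:correct-horse",
    "jo@example.org:letmein",            # tag stripped, or base address reused
    "someone.else@example.net:qwerty",   # another person's record
]


def alias_for(mailbox: str, service: str) -> str:
    """Build the address to register with one service, e.g. jo+shopnz@example.org."""
    local, domain = mailbox.split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    return f"{local}+{tag}@{domain}"


def attribute_leak(dump_lines, mailbox, issued_services):
    """Group this mailbox's leaked addresses by the service each alias was issued to."""
    local, domain = mailbox.lower().split("@", 1)
    by_alias = {alias_for(mailbox, s).lower(): s for s in issued_services}
    found = {}
    for line in dump_lines:
        # Only the address is read; the password field is never kept.
        address = line.split(":", 1)[0].strip().lower()
        a_local, _, a_domain = address.rpartition("@")
        if a_domain != domain or a_local.split("+", 1)[0] != local:
            continue
        source = by_alias.get(address, "unknown source")
        found.setdefault(source, []).append(address)
    return found


if __name__ == "__main__":
    hits = attribute_leak(DUMP, "jo@example.org", ["Geekzone", "Shop NZ"])
    for source, addresses in hits.items():
        print(f"{source}: change the password used with {', '.join(addresses)}")
```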





  Reply # 1855236 30-Aug-2017 12:43

Yet another reason to ensure you're using 2FA everywhere that supports it!

 





  Reply # 1855238 30-Aug-2017 12:48

I have a long list of 2FA credentials but not many services support this yet.




 
 
 
 




  Reply # 1855243 30-Aug-2017 12:56

I don't have a cell phone. I don't need one and I don't want to have one. Is 2FA even possible without one? How would that work?

 

 

 

 




  Reply # 1855246 30-Aug-2017 13:04

There are software and hardware tokens (such as Yubikeys, which do U2F). For TOTP software you can use something like Gauth https://chrome.google.com/webstore/detail/gauth-authenticator/ilgcnhelpchnceeipipijaljkblbcobl and enter the secret manually.

 




  Reply # 1855275 30-Aug-2017 13:42

OK, thanks. Would that also work for Geekzone?

 

 




  Reply # 1855285 30-Aug-2017 14:05

Yep, geekzone uses the "TOTP" standard.

 

As with all things, make sure you keep a backup! (Of your password manager database and 2fa tokens. You can write down the TOTP "secret" on paper and store it in a safe etc)

 




  Reply # 1855287 30-Aug-2017 14:10

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?




  Reply # 1855290 30-Aug-2017 14:15

Could be related to the latest Locky outbreak.

 

 

 

Quadruple the spam gone out with it. 

 

https://blog.fortinet.com/2017/08/17/locky-launches-a-more-massive-spam-campaign-with-new-lukitus-variant 




  Reply # 1855291 30-Aug-2017 14:16
One person supports this post

freitasm:

 

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time. 

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

 

 

Email as we know it today is quite broken. 

 

 



  Reply # 1855300 30-Aug-2017 14:51

dryburn:

 

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?

 

 

Yes, he maintains a DB based on leaked / breached lists of data and uses it to search against.





Windows 7 x64 // i5-3570K // 16GB DDR3-1600 // GTX660Ti 2GB // Samsung 830 120GB SSD // OCZ Agility4 120GB SSD // Samsung U28D590D @ 3840x2160 & Asus PB278Q @ 2560x1440
Samsung Galaxy S5 SM-G900I w/Spark


  Reply # 1855303 30-Aug-2017 15:07

freitasm:

 

This huge (711 million records) leak would explain some email being sent from people's addresses and it contains email, password and SMTP server. 

 

I commented on there - Troy's Have I been pwned service is great but it's getting harder now to manage passwords. If you have a website leak and know the source you know where to change the password but with leaks that are username + password then it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps then those already using unique passwords have a harder time. 

 

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

 

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

 

 

Two of my emails were found on Troy's! But I now use LastPass to manage passwords, and I can check the dates that passwords were last changed and confirm they were changed subsequent to the reported breaches.

 

Lastpass is fantastic - I really don't know how I managed without it. Actually I do know - I used to use the same passwords on dozens of different sites which is a no-no but the alternative is to write them down somewhere which is also a no-no. The other thing Lastpass does well is its security check - it will tell you about sites that have weak passwords or passwords that are similar to passwords for other sites.

 

 

 

 

 

 

 

 

 

 



  Reply # 1855334 30-Aug-2017 15:42
One person supports this post

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.





Michael Murphy | https://murfy.nz
Want to be with an epic ISP? Want $20 to join them too? Well, use this link to sign up to BigPipe!
The Router Guide | Electric KiwiCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial


mdf


  Reply # 1855338 30-Aug-2017 15:50

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.



As does Lastpass Authenticator (also totp compliant). I really like the push to authenticate option.



  Reply # 1855377 30-Aug-2017 16:42

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

 

 

Authy requires a smartphone/mobile number (to auth for the app install etc) tho, and someone mentioned they don't have one..




  Reply # 1855393 30-Aug-2017 16:47

@mdf:

 

michaelmurfy:

 

kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

 



As does Lastpass Authenticator (also totp compliant). I really like the push to authenticate option.

 

The problem with using LastPass authenticator is that you then have BOTH your password AND your second authentication factor in the same platform. If LastPass is compromised (or your LastPass account is compromised by phishing) then the Bad Guy (TM) has all the keys needed to access all your accounts.

 

Keep it separate.




