Geekzone: technology news, blogs, forums
BDFL - Memuneh
65382 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

# 222826 30-Aug-2017 11:52
4 people support this post

This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.





2460 posts

Uber Geek


  # 1855236 30-Aug-2017 12:43

Yet another reason to ensure you're using 2FA everywhere that supports it!

 




BDFL - Memuneh
65382 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

 
 
 
 


Lock him up!
11220 posts

Uber Geek

Lifetime subscriber

  # 1855243 30-Aug-2017 12:56

I don't have a cell phone. I don't need one and I don't want to have one. Is 2FA even possible without one? How would that work?

 

 

 

 





I don't think there is ever a bad time to talk about how absurd war is, how old men make decisions and young people die. - George Clooney
 


2460 posts

Uber Geek


  # 1855246 30-Aug-2017 13:04

There are software and hardware tokens (such as Yubikeys, which do U2F). For TOTP software you can use something like Gauth https://chrome.google.com/webstore/detail/gauth-authenticator/ilgcnhelpchnceeipipijaljkblbcobl and enter the Secret manually.

 


Lock him up!
11220 posts

Uber Geek

Lifetime subscriber

  # 1855275 30-Aug-2017 13:42

OK, thanks. Would that also work for Geekzone?

 

 





 


2460 posts

Uber Geek


  # 1855285 30-Aug-2017 14:05

Yep, Geekzone uses the "TOTP" standard.

As with all things, make sure you keep a backup! (Of your password manager database and 2FA tokens. You can write down the TOTP "secret" on paper and store it in a safe etc.)

 


369 posts

Ultimate Geek


  # 1855287 30-Aug-2017 14:10

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?


 
 
 
 


3525 posts

Uber Geek


  # 1855290 30-Aug-2017 14:15

Could be related to the latest Locky outbreak.

 

 

 

Quadruple the spam gone out with it. 

 

https://blog.fortinet.com/2017/08/17/locky-launches-a-more-massive-spam-campaign-with-new-lukitus-variant 


4473 posts

Uber Geek


  # 1855291 30-Aug-2017 14:16
One person supports this post

freitasm:

This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

 

 

Email as we know it today is quite broken. 

 

 


2547 posts

Uber Geek


  # 1855300 30-Aug-2017 14:51

dryburn:

 

Does Troy's Have I been pwned service have a list of breached data content and then run that against the email you enter?

 

 

Yes, he maintains a DB based on leaked / breached lists of data and uses it to search against


2523 posts

Uber Geek

Lifetime subscriber

  # 1855303 30-Aug-2017 15:07

freitasm:

This huge (711 million records) leak would explain some email being sent from people's addresses, and it contains email, password and SMTP server.

I commented on there - Troy's Have I been pwned service is great, but it's getting harder now to manage passwords. If you have a website leak and know the source, you know where to change the password, but with leaks that are username + password it's harder to know where to change. And since he (rightly) does not disclose the passwords in the dumps, those already using unique passwords have a harder time.

It seems we have to start using unique email + unique passwords to be able to better manage security. Those email aliases or emails with "+" in the address come in handy here.

I recommend subscribing to the notification service at Have I been pwned so you receive notifications of leaks.

Two of my emails were found on Troy's! But I now use LastPass to manage passwords, and I can check the dates that passwords were last changed and confirm they were changed subsequent to the reported breaches.

LastPass is fantastic - I really don't know how I managed without it. Actually I do know - I used to use the same passwords on dozens of different sites, which is a no-no, but the alternative is to write them down somewhere, which is also a no-no. The other thing LastPass does well is its security check - it will tell you about sites that have weak passwords or passwords that are similar to passwords for other sites.

 

 

 

 

 

 

 

 

 

 


/dev/null
9032 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1855334 30-Aug-2017 15:42
One person supports this post

mdf

2403 posts

Uber Geek

Trusted
Subscriber

  # 1855338 30-Aug-2017 15:50

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

2460 posts

Uber Geek


  # 1855377 30-Aug-2017 16:42

michaelmurfy:

@kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

Authy requires a smartphone/mobile number (to auth for the app install etc.) though, and someone mentioned they don't have one.



BDFL - Memuneh
65382 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 1855393 30-Aug-2017 16:47

@mdf:

michaelmurfy:

kyhwana2 have a look at Authy (https://authy.com/) - very good and has device sync.

As does LastPass Authenticator (also TOTP compliant). I really like the push to authenticate option.

 

The problem with using LastPass authenticator is that you then have BOTH your password AND your second authentication factor in the same platform. If LastPass is compromised (or your LastPass account is compromised by phishing) then the Bad Guy (TM) has all the keys needed to access all your accounts.

 

Keep it separate.




