Topic: [Data Breach] Check if your passwords have been compromised (Read 792 times)
If you haven't changed your password here in Bitcointalk since around May 2015, you should change it. Make sure it is random and secure and longer than 12 characters.
They are offering a service to check whether they have leaked your passwords or not, you just have to give them your passwords for them to check.
I don't see any reason to give anybody my passwords, no matter what they claim.
Imho the healthiest way over the internet is: trust no one.
However, it's a good way to check how good is their password manager implemented
Do you mind me asking are you using chome? I'm wondering why google doesn't even recognize I'm using an chromium-based keyring to encrypt passwords
Probably something Brave did so Google can't recognize jack shit. It's good to see their password manager works to keep themselves out though, that's useful!
Alternatively, you can also use https://haveibeenpwned.com/
Someone posted a while back that https://haveibeenpwned.com/ could be a good way for whoever created the site to check which emails and accounts are still active and have any importance to their users. If you search for your email on that site that means that it has some importance to you, it does make sense. 
Alternatively, you can also use https://haveibeenpwned.com/
Someone posted a while back that https://haveibeenpwned.com/ could be a good way for whoever created the site to check which emails and accounts are still active and have any importance to their users. If you search for your email on that site that means that it has some importance to you, it does make sense. This is a major security risk too you could alternatively download exposed passwords (which haveibeenpwned does not distribute but they are usually from public leaks) and check it offline because you are still entering a password into a different site other than the ones its used for which is a security breach in itself unless you trust a third party with storing your password to check if its been "pwned".
What are you talking about? How is using haveibeenpwned a security risk? You obviously don't enter your password on haveibeenpwned, only your email is required. Or did I misunderstood what you're trying to say here?
https://haveibeenpwned.com/Passwords
This is a separate feature from their email watching service, it also notifies people if their password was leaked, but you only send them a small part (called suffix) at the start of the hash of your password, and they return all the hashes from their database that also start with the same suffix, and then the code on client's side looks if any of the hashes matches the original hash.
This is a separate feature from their email watching service, it also notifies people if their password was leaked, but you only send them a small part (called suffix) at the start of the hash of your password, and they return all the hashes from their database that also start with the same suffix, and then the code on client's side looks if any of the hashes matches the original hash.
The vulnerability example you gave however effected Chrome, not Chromium.
Nope. You are not right again. If you looked at the link that I gave above, you would go to the original description of the bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=913964
So, CVE-2019-5787 (Issue 913964 in the repository) is a Chromium bug.
There are patch for the bug:
https://chromium.googlesource.com/chromium/src.git/+/8cbb211d93b114c2bc348837d787aa5c8e545e40
You can check other Chromium security bugs: https://bugs.chromium.org/p/chromium/issues/list?q=type%3Abug-security%20os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows&can=1
Fair enough, I take it back, apologies! I did look at the link you provided, but to be fair it only documented the chrome bug (through the chromium list), there wasn't any documentation or testing there of it also affecting chromium, apart from the assumption based on software knowledge. Note the tests were through ./chrome not ./chromium. But, after thorough research (basically searching for the "CVE" and "chromium") it did confirm it was also a bug in chromium from Debian and Red Hat releases which I trust, even if they didn't specify why. Call me a fool, but the description is very misleading too, there is no mention of the CVE affecting chromium:
I do not know by what principle they relate CVE to which vendor.
But as you can see above, the bug is declared and fixed in the chromium.
So brave had this bug too.
By the way, they paid $ 3,000 for this bug.
But as you can see above, the bug is declared and fixed in the chromium.
So brave had this bug too.
By the way, they paid $ 3,000 for this bug.
My only thought why it isn't listed as a CVE for Chromium/Brave if they only list the CVE from the vendor that publishes it. As this was Chrome, as oppose to Chromium (which didn't even mention it on their blog as far as I could find), then I guess it doesn't additionally get listed as a Chromium/Brave bug. Even though the CVE's lists all the affected versions, so it's very bizarre not actually listing all the affecting products. This also makes it very hard to identify chrome bugs that do/don't affect chromium imo.
It's good to know they donated $3,000 for this bug at least.
Checking password with Google is bad idea i think.
We like giving away our password to them, who sell our privacy for ads.
Also if some hacker can hack our email in the future, they can know what password you used.
We like giving away our password to them, who sell our privacy for ads.
Also if some hacker can hack our email in the future, they can know what password you used.
Exactly, every password was synchronized with google account can be accessed from password manager pages. Very easy for hacker who already successfully hacked our account to open all of our password. For everyone who doesn't know before, you can check your saved password at https://passwords.google.com/ that's why, it will very easy for hackers know all of your passwords in case your email got hacked
Checking password with Google is bad idea i think.
We like giving away our password to them, who sell our privacy for ads.
Also if some hacker can hack our email in the future, they can know what password you used.
We like giving away our password to them, who sell our privacy for ads.
Also if some hacker can hack our email in the future, they can know what password you used.
This is a major security risk too you could alternatively download exposed passwords (which haveibeenpwned does not distribute but they are usually from public leaks) and check it offline because you are still entering a password into a different site other than the ones its used for which is a security breach in itself unless you trust a third party with storing your password to check if its been "pwned".
What are you talking about? How is using haveibeenpwned a security risk? You obviously don't enter your password on haveibeenpwned, only your email is required. Or did I misunderstood what you're trying to say here?
Alternatively, you can also use https://haveibeenpwned.com/
They even have a notification service whereas you would be notified if one of the websites your certain email is registered on is hacked/compromised, so you can change your password on that website as soon as possible to prevent problems with your account.
They even have a notification service whereas you would be notified if one of the websites your certain email is registered on is hacked/compromised, so you can change your password on that website as soon as possible to prevent problems with your account.
This is a major security risk too you could alternatively download exposed passwords (which haveibeenpwned does not distribute but they are usually from public leaks) and check it offline because you are still entering a password into a different site other than the ones its used for which is a security breach in itself unless you trust a third party with storing your password to check if its been "pwned". It would be easier for you to just change your password than to check if its been leaked and is recommended to change your password every 2 weeks.
You shouldn’t be reusing passwords anyway, so there shouldn’t be any value to use that service. The same is true for even part of your password.
If you are using something very close to a random password, having one compromised should not affect your security on any other site and you can search by username to check if a database has been compromised
If you are using something very close to a random password, having one compromised should not affect your security on any other site and you can search by username to check if a database has been compromised
And yet a lot of people do reuse their passwords, so this service can teach them how bad it is to reuse passwords with practical example. It also shows how easily weak passwords can be broken - even if your "password1" was never leaked on the site that you use, the same password could have been leaked on some different platform by different users.
Don't discard something because it is useless to you, lots of other people aren't as knowledgeable.
The vulnerability example you gave however effected Chrome, not Chromium.
Nope. You are not right again. If you looked at the link that I gave above, you would go to the original description of the bug:
https://bugs.chromium.org/p/chromium/issues/detail?id=913964
So, CVE-2019-5787 (Issue 913964 in the repository) is a Chromium bug.
There are patch for the bug:
https://chromium.googlesource.com/chromium/src.git/+/8cbb211d93b114c2bc348837d787aa5c8e545e40
You can check other Chromium security bugs: https://bugs.chromium.org/p/chromium/issues/list?q=type%3Abug-security%20os%3DAndroid%2Cios%2Clinux%2Cmac%2Cwindows&can=1
I do not know by what principle they relate CVE to which vendor.
But as you can see above, the bug is declared and fixed in the chromium.
So brave had this bug too.
By the way, they paid $ 3,000 for this bug.
So far all my passwords are secured using all the tools posted here, all my emails need phone verification to open and every Gmail account holders should do the same, to avoid their account get compromised and always clean your cache, and install a good anti virus if you are involved in Cryptocurrency, security of your account should be high in your priority.
You don't need a antivirus if you take precautions while downloading and browsing the internet. Anti virus is just bloatware which can slow down your computer. Linux does not use a antivirus and many people on Windows who are taking caring while downloading software don't need it. Anti virus is only there for people who are not tech savvy.
Bare in mind that Chrome has 100+ vulnerabilities per year, Brave hasn't had one yet in 2019. Just saying
No, you are not right. The brave is based on the chromium and has exactly the same vulnerabilities as a chromium.
For example, CVE-2019-5787.
This vulnerability was fixed in
And here is the brave update for this version: https://github.com/brave/brave-browser/issues/3669
I hear what you are saying, Brave is a fork of Chromium. True story.
The vulnerability example you gave however effected Chrome, not Chromium. Chrome is based on Chromium, not the other way around, believe it or not. Hence Chromium also hasn't had a vulnerability this year either, which is why Brave hasn't, or any forks of Brave for that matter. Why Chrome takes open source software and modifies it to generate on average a vulnerability every other day is anyone's guess, but ultimately unrelated to this topic. It's corporate-owned proprietary software, of course it's vulnerable!
You maybe right that this Chrome vulnerability did effect both Chromium and Brave, but without any documented evidence (CVE's), and without being a qualified programmer, I think it's far fetched to claim that this is the case. Please provide (actual) evidence to the contrary and I'd be happy to reconsider my opinion. The brave merge you referenced isn't tagged, labeled or referenced as a vulnerablity in any way, shape or form, as far as I can tell. It just confirms that when chromium updates it's stable branch, then brave follows suit, as you would hope and imagine. Now does it make sense why people use open-source software to stay safe and not proprietary closed-source software?
Correction: Here
and install a good anti virus if you are involved in Cryptocurrency, security of your account should be high in your priority.
Or better, learn to use Linux! Then you wouldn't even need to install an antivirus as long as you don't do something utterly careless like executing random commands you've found over the internet. Linux distros like Ubuntu and Linux Mint are honestly decently noob friendly now, compared to how they were 5 years ago.
all my emails need phone verification to open and every Gmail account holders should do the same
It's better to use the something like Google Authenticator than a phone for protection due sim swapping.
I have already met a number of such cases in crypto and in traditional banks sphere.
This is a targeted attack, respectively, if you have significant amounts - you should think about it.
So far all my passwords are secured using all the tools posted here, all my emails need phone verification to open and every Gmail account holders should do the same, to avoid their account get compromised and always clean your cache, and install a good anti virus if you are involved in Cryptocurrency, security of your account should be high in your priority.
Bare in mind that Chrome has 100+ vulnerabilities per year, Brave hasn't had one yet in 2019. Just saying
No, you are not right. The brave is based on the chromium and has exactly the same vulnerabilities as a chromium.
For example, CVE-2019-5787.
This vulnerability was fixed in chromium 73.0.3683.75.
And here is the brave update for this version: https://github.com/brave/brave-browser/issues/3669
My personal tip, use a brand new email for every new website you need to create an account with, if they require an email address. You can easily make one even using gmail and any old android phone.
We cannot use separate email for every website we register. First it will be hassle to create hundreds of emails as every email require you to verify it with the phone number and managing them is not an easy task. I personally have 3 email ids and they are enough for me.
Privacy-focused email services like Protonmail and Tutanota exists, and if you pay for their service, you can have email aliases, so you wouldn't need to create separate emails for different websites. You just create a new alias then you're good to go.
Also, if you're just going to register on a website and you're going to use your account probably once(especially on shitty and shady websites), you can use burner emails through services like guerrillamail.com.
You shouldn’t be reusing passwords anyway, so there shouldn’t be any value to use that service. The same is true for even part of your password.
If you are using something very close to a random password, having one compromised should not affect your security on any other site and you can search by username to check if a database has been compromised
If you are using something very close to a random password, having one compromised should not affect your security on any other site and you can search by username to check if a database has been compromised
And yet a lot of people do reuse their passwords, so this service can teach them how bad it is to reuse passwords with practical example. It also shows how easily weak passwords can be broken - even if your "password1" was never leaked on the site that you use, the same password could have been leaked on some different platform by different users.
Don't discard something because it is useless to you, lots of other people aren't as knowledgeable.
Jump to: