
10 billion passwords leaked

Friendly Engineer

I'd recommend checking your password wasn't part of the leak.
I found out my mother's email password was leaked; it could happen to anyone.

Out of 10 billion passwords, chances are either you or someone you know got an account password leaked.
 
Keep in mind, this leak is a compilation of previous leaks. This isn't new.
Actually, the biggest risk here is that such large password lists make it easier to brute-force a hash. I.e. say I got into Facebook's database. Well, I wouldn't be able to do anything with that. The passwords are encrypted. But, say I also decided to find their hashing method. Then, I can simply hash these 10 billion passwords, or to make it easier, the top million or billion most used passwords, and see if any of them match what I got from Facebook. That may seem like a lot of passwords to test, but a 16 character password has to be attempted up to 30,583,281,110,353,123,000,000,000,000,000 times before you get the correct answer. Using this 10 billion password list, you probably will get into a few accounts in a reasonable amount of time.

And you only have to hash each password once. You hash every single password, then you check to see if there are any matches in the database.

Each data breach doesn't just mean you have to change your password. It is a security concern to everyone. It makes all passwords easier to guess.
You may think, well my password didn't show on the list, I'm fine. No, but if even 1 other person used G3n4r1cD0gN1me as their password and it's on that list, your password is still compromised.

You should realistically change all your passwords regularly to randomly generated ones. But that also means you store passwords on your computer, which might break, and you lose them all. Security is a pain. Even 2FA won't save you; it's possible to receive someone else's texts, though most hackers won't go through the effort if you aren't important, as it's not easy.

I kind of rambled, but in a nutshell, use 2FA and randomly generated passwords. Or use a few different passwords depending on how secure you think the website is, how important the account is, etc. Email accounts should ALWAYS have their own unique and long password; they are the #1 thing that someone who found your password will try to gain access to.
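The "hash each leaked password once, then compare against the whole database" shortcut described above only works when the stored digests are unsalted. The following added example (not code from the poster or the forum) uses constructed sample data to count the hash computations needed against an unsalted SHA-256 store versus a per-user-salted one; names such as `crack_unsalted` and `crack_salted` are assumptions for illustration.

```python
import hashlib
import os

# Constructed sample data (not from any real breach): a short excerpt of a
# leaked list, and a site's password database keyed by username.
LEAKED_LIST = ["password", "123456", "G3n4r1cD0gN1me", "qwerty", "letmein"]
ACCOUNTS = {"alice": "123456", "bob": "G3n4r1cD0gN1me",
            "carol": "correct-horse-battery-staple"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_unsalted_db(accounts: dict) -> dict:
    """username -> sha256(password): the weak scheme the post's attack exploits."""
    return {user: sha256_hex(pw.encode()) for user, pw in accounts.items()}

def build_salted_db(accounts: dict) -> dict:
    """username -> (salt, sha256(salt || password)) with a random salt per user."""
    db = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)
        db[user] = (salt, sha256_hex(salt + pw.encode()))
    return db

def crack_unsalted(db: dict, candidates: list) -> tuple:
    """Hash each candidate once, then look every stored digest up in that table.
    Returns (matches, number of hash computations)."""
    digest_to_pw = {sha256_hex(c.encode()): c for c in candidates}
    matches = {u: digest_to_pw[h] for u, h in db.items() if h in digest_to_pw}
    return matches, len(candidates)

def crack_salted(db: dict, candidates: list) -> tuple:
    """With per-user salts the 'hash once' shortcut is gone: each candidate must
    be re-hashed under every user's salt. Returns (matches, hash computations)."""
    matches, work = {}, 0
    for user, (salt, stored) in db.items():
        for c in candidates:
            work += 1
            if sha256_hex(salt + c.encode()) == stored:
                matches[user] = c
                break
    return matches, work

if __name__ == "__main__":
    print(crack_unsalted(build_unsalted_db(ACCOUNTS), LEAKED_LIST))  # 5 hashes
    print(crack_salted(build_salted_db(ACCOUNTS), LEAKED_LIST))      # 10 hashes
```

Salting multiplies the attacker's work by the number of accounts; a real store should also replace plain SHA-256 with a deliberately slow password hash such as bcrypt, scrypt or Argon2 so each of those computations is expensive as well.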
 
This is why two-step authentication with a mobile phone is 100% necessary. The only way anyone is logging into my accounts is to physically steal my phone to receive the texts to confirm it's me logging in. It's foolproof, or almost, short of physically stealing the phone.
It is possible to spoof the SIM, but it's not something someone is going to do for a random account.
Also you can socially engineer the phone company and get a replacement SIM sent to you.
 
This forum offers them now IIRC, but it's rare people use them. Passkeys are more secure than passwords but are a bit easier to lose if your devices fail. I believe they can be copied between devices fairly easily, though.