
Wahaha wrote

users are recommended to immediately check if their passwords were included in the leak.

"We recommend you to add your password to the leak".

These tools have always been a head scratcher for me.

2

Wingless wrote (edited)

I assume they add passwords to the next list...

The key thing for cracking passwords is, at some point it is way faster to search every password anybody has ever thought of, than to search every password anyone possibly could think of.

Yes, an honest site would just let you look up in the index starting with any string of letters, so you didn't have to give away your password in the process. Therefore, this is not an honest site. Q.E.D.

Faster proof: It's a site, from a company, on a computer. Therefore it is spying on you and selling your information. Q.E.D.

2

Wahaha wrote

You can only make use of this if you already have the data. At that point it matters little whether they have to brute force the password based on every possibility or based on a huge list. The password is going to get cracked.

How does a 200GB password list come in handy when trying to guess the password of some online account that locks you out after three failed attempts? It doesn't.

1

LnWpxtqPEXyDjAH9rs27 wrote

You don't have to "add" it. You can probably download the list and check it offline.

1

Wahaha wrote

The list is what, 200GB? All they offer is an "add-yours-to-the-list", no download in sight.

1

LnWpxtqPEXyDjAH9rs27 wrote

Have you done even a tiny bit of research?

Downloading the Pwned Passwords list

The entire set of passwords is downloadable for free below with each password being represented as either a SHA-1 or an NTLM hash to protect the original value (some passwords contain personally identifiable information) followed by a count of how many times that password had been seen in the source data breaches. The list may be integrated into other systems and used to verify whether a password has previously appeared in a data breach after which a system may warn the user or even block the password outright. For suggestions on integration practices, read the Pwned Passwords launch blog post for more information.

Please download the data via the torrent link if possible! If you can't access torrents (for example, they're blocked by a corporate firewall), use the "Cloudflare" link and they'll kindly cover the bandwidth cost.

1
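The two mechanisms discussed above, the prefix lookup Wingless says an honest site would offer (so the password itself never leaves your machine) and the offline check against the downloaded SHA-1 list that LnWpxtqPEXyDjAH9rs27 points to, are the same idea seen from two sides. The example below is added here and is not code from the thread or from Have I Been Pwned. It assumes the download format quoted above (one `SHA1HASH:COUNT` line per password, hash in uppercase hex), builds a constructed three-entry sample list with made-up counts, and buckets it by the first 5 hex characters of the hash, which is also how the real service's range lookup works. All function names are mine.

```python
import hashlib
from collections import defaultdict

# Constructed sample in the Pwned Passwords download format:
# "<40 uppercase hex SHA-1>:<count>". The hashes are computed here from a
# few well-known weak passwords so the example runs offline; the counts
# are invented for illustration and are not the real breach figures.
SAMPLE_PASSWORDS = {"password": 9659365, "123456": 37359195, "letmein": 279123}

HEX_UPPER = set("0123456789ABCDEF")


def sha1_upper(password):
    """Uppercase hex SHA-1 of the UTF-8 password, as used in the list."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_list():
    """Produce list lines in the download format, sorted by hash."""
    return sorted(f"{sha1_upper(pw)}:{count}" for pw, count in SAMPLE_PASSWORDS.items())


def index_by_prefix(lines):
    """Group entries by the first 5 hex chars of the hash.

    Each bucket holds (remaining 35 hex chars, count). This is the offline
    equivalent of the 'range' bucket a k-anonymity lookup service returns.
    """
    index = defaultdict(list)
    for line in lines:
        digest, _, count = line.strip().partition(":")
        if len(digest) != 40 or set(digest) - HEX_UPPER or not count.isdigit():
            raise ValueError(f"malformed entry: {line!r}")
        index[digest[:5]].append((digest[5:], int(count)))
    return index


def range_lookup(index, prefix):
    """Return the (suffix, count) pairs for one 5-hex-char prefix.

    Only the prefix is needed here, so a client could request this bucket
    from a remote service without revealing which full hash it cares about.
    """
    if len(prefix) != 5 or set(prefix) - HEX_UPPER:
        raise ValueError("prefix must be 5 uppercase hex characters")
    return list(index.get(prefix, []))


def breach_count(password, index):
    """How many times the password appears in the list, 0 if absent.

    The full hash is compared only on the client side; the lookup itself
    used just the first 5 hex characters.
    """
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_lookup(index, prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    idx = index_by_prefix(build_sample_list())
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, idx)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in list'}")
```

Against the real download, the same `index_by_prefix` logic would be applied to the full file (or the file searched by prefix since it is sorted), and nothing about the password is sent anywhere. The point of the bucketing is that the client only ever discloses 5 hex characters, which match a large number of unrelated hashes, and does the final comparison itself.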

Wahaha wrote

No, I don't care enough. My point is that the tool is designed in a way to fish more passwords and the moment you "check" your password with the tool, you have to change it anyway, so there's no point in doing so in the first place.

Also, why would anyone download hundreds of gigabytes to check whether their password is compromised, if one could also just update their password?

1

BlackWinnerYoshi wrote

To be honest, if you have an account on a just-breached site and your data didn't get leaked, it's probably a good idea to change it anyway. I still use these kinds of tools, though, but mostly because I used to make accounts on lots of services, forget about them, then get reminded again by a breach; then I usually just download whatever data I had, if any, then remove the account and forget about the service for however long. The shock when I found out I got my data leaked because of the Armor Games breach...

1

Wahaha wrote

Even if my online accounts got compromised, I don't think I would particularly care. What are they going to do, post mean things in my stead?

2