Billions of passwords leaked online - rockyou2021

LOL, testing 9 billion combinations might as well be a brute force attack.
 
Updated my core passwords today just to be safe but JFC this is getting old...
 
I think exposed passwords are already being attempted. I checked the activity on my 25-year-old Hotmail account. I've had unsuccessful logins with the wrong password from China, Brazil, Argentina, Chicago, Lincoln, Nebraska, Poland, and South Africa in the past 24 hours.
 
https://haveibeenpwned.com/

Tried this in 2 browsers and in both it always has the areas for green "Good news — no pwnage found!" and red "Oh no — pwned!" after entering an email address.
There is no way to know which one applies.

edit:
ah forget that, I was blocking some IPs used by the site.

edit 2:
lol, it shows my email as pwned with one browser and not pwned on the other.
wtf?
 
I wanted this for a second then remembered it's 100 GB. Having tried to load a couple-GB text file in the past, I doubt that would work out. It would have to be hosted on a site developed to present that to multiple users without issues. Does pastebin do that?
No, pastebin doesn't... but you can get a large-scale Notepad++ and chop or load the file up.
 
trustno1.jpg

I used to use this one, back in the early '90s, lol
 
I had an adventure over the weekend. Someone probably used this dump to access my cell phone account (one password I didn't think to change). They changed my PIN, ported my number out, and then started changing my e-mail passwords, verifying the account with my stolen phone number. They used my PayPal account to buy background checks on others, and then tried to access my Coinbase account. Fortunately, the stuff I have money tied up in (other than PP) is behind an authenticator app. I ended up getting everything back, but it was a PITA and cost me several hours of my time.

Long story short, change your wireless carrier password also!
 
I had an adventure over the weekend. Someone probably used this dump to access my cell phone account (one password I didn't think to change). They changed my PIN, ported my number out, and then started changing my e-mail passwords, verifying the account with my stolen phone number. They used my PayPal account to buy background checks on others, and then tried to access my Coinbase account. Fortunately, the stuff I have money tied up in (other than PP) is behind an authenticator app. I ended up getting everything back, but it was a PITA and cost me several hours of my time.

Long story short, change your wireless carrier password also!
I pay for the BitWarden upgraded service and it has an authenticator built right into it that lets you easily copy the circulating code right next to the username and password. It’s really convenient and I use it for any account that will let me. It’s ridiculous for websites that don’t have an option to use an authenticator these days.
 
I pay for the BitWarden upgraded service and it has an authenticator built right into it that lets you easily copy the circulating code right next to the username and password. It’s really convenient and I use it for any account that will let me. It’s ridiculous for websites that don’t have an option to use an authenticator these days.
I so _love_ that my bank wants to send MFA via SMS. Because that's never been intercepted in the history of ever. Let me use an app, damn it!
 
I wanted this for a second then remembered it's 100 GB. Having tried to load a couple-GB text file in the past, I doubt that would work out. It would have to be hosted on a site developed to present that to multiple users without issues. Does pastebin do that?

Notepad++ and others can usually open large text files, or just load it on a Linux OS and search it that way.
 
Genuine question: I see several people recommending password managers, but then how do you know the password manager itself is secure? That there is no bad employee out to leak or steal the passwords? And the site won’t get hacked?
 
Genuine question: I see several people recommending password managers, but then how do you know the password manager itself is secure? That there is no bad employee out to leak or steal the passwords? And the site won’t get hacked?
Hence the post-it note ;)
 
Genuine question: I see several people recommending password managers, but then how do you know the password manager itself is secure? That there is no bad employee out to leak or steal the passwords? And the site won’t get hacked?
Nothing is ever 100% secure, there is always a chance of a breach, but you can assume that the password manager has better security than some random forum on the internet so you choose who to trust.
 
Nothing is ever 100% secure, there is always a chance of a breach, but you can assume that the password manager has better security than some random forum on the internet so you choose who to trust.
But then the problem is, if the password manager is hacked or leaked, now ALL your accounts and passwords are out there, and you gotta figure out what, how, and where to change your 20+ passwords. Am I right? Hopefully none of them is your financial institution's password.

I'd rather trust myself. I use a different password for each site anyway.
 
I don't think it is worth losing sleep over, and I've seen that argument before usually as an excuse to do something that is less secure.

But if you are really paranoid, you can use something like KeePass, where you can store the password database locally yourself and avoid having it in the cloud.

https://keepass.info/
 
I don't think it is worth losing sleep over, and I've seen that argument before usually as an excuse to do something that is less secure.

But if you are really paranoid, you can use something like KeePass, where you can store the password database locally yourself and avoid having it in the cloud.

https://keepass.info/
Much appreciated. This looks like a good answer to me.
 
Genuine question: I see several people recommending password managers, but then how do you know the password manager itself is secure? That there is no bad employee out to leak or steal the passwords? And the site won’t get hacked?
For starters, don't use a cloud-based manager.
 
I don't think it is worth losing sleep over, and I've seen that argument before usually as an excuse to do something that is less secure.

But if you are really paranoid, you can use something like KeePass, where you can store the password database locally yourself and avoid having it in the cloud.

https://keepass.info/
Here's a second vote for KeePass.
 
And then having a separate password for 20 or so different systems/sites/etc., how easy is it to remember "correct horse battery staple" and what site it goes to?
Yeah, one thing that is nice about cloud password managers is that the password is saved only for the specific domain.

So if you end up on PayPa1 instead of PayPal, the password will not auto-fill and you will know something is up.
 
Passwords don’t need to be complex; the best password you have is a small phrase that you couldn’t forget if you tried. We all have one, 3-5 words long, and no machine is guessing that any time soon. But it’s all pointless if the site's shit security and crap IT store it in plain text on a poorly configured AWS instance.

There really needs to be some sort of legal implications for these sorts of breaches. There is absolutely zero reason to not be salting your databases at this stage.
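To make the salting point above concrete, here is an added example (mine, not from anyone in the thread) that puts the weak pattern the post complains about next to a hardened one. The KDF choice (PBKDF2-HMAC-SHA256), the 600,000-iteration cost, the 16-byte salt and the "$"-separated record format are my assumptions, chosen so the block runs on the Python standard library alone; the two sample users are constructed.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample users (not from any real breach). Both chose the same
# passphrase, which is exactly the case that exposes unsalted storage.
SAMPLE_USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
}


def unsalted_sha256(password: str) -> str:
    """The weak pattern: one fast, unsalted hash per password.

    Every user with the same password gets the same digest, so one precomputed
    table or one GPU pass over the dump cracks all of them at once. Shown only
    for contrast with hash_password() below.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Assumed parameters for the hardened form: PBKDF2-HMAC-SHA256 with a random
# per-user salt. 600,000 iterations is the figure OWASP's password-storage
# cheat sheet gives for this KDF at the time of writing; tune it to your
# hardware so one verification takes a noticeable fraction of a second.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm, cost, salt and digest.

    Storing the cost alongside the digest lets you raise it later without
    invalidating records that were written with the old value.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(iterations, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False  # unknown or malformed record: refuse rather than guess
    try:
        iterations = int(parts[1])
        salt = base64.b64decode(parts[2], validate=True)
        expected = base64.b64decode(parts[3], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    weak = {u: unsalted_sha256(p) for u, p in SAMPLE_USERS.items()}
    print("unsalted digests identical for alice and bob:", weak["alice"] == weak["bob"])
    strong = {u: hash_password(p) for u, p in SAMPLE_USERS.items()}
    print("salted records identical for alice and bob:", strong["alice"] == strong["bob"])
    print("alice verifies with correct passphrase:",
          verify_password(SAMPLE_USERS["alice"], strong["alice"]))
```

Run it and the first line prints True, the second False: with a salt, two users who share a passphrase no longer share a record, so a leaked table has to be attacked one row at a time, at the cost per guess that the iteration count sets.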
Yep, a small 3-word pass phrase is all you need. If you want to get crazy, add your email domain at the end like [email protected]; takes something super complex and makes it impossibly complex to crack but very easy to remember. Whoever would have thought a 27-character password was this easy to remember.
 
Passwords don’t need to be complex; the best password you have is a small phrase that you couldn’t forget if you tried. We all have one, 3-5 words long, and no machine is guessing that any time soon. But it’s all pointless if the site's shit security and crap IT store it in plain text on a poorly configured AWS instance.

There really needs to be some sort of legal implications for these sorts of breaches. There is absolutely zero reason to not be salting your databases at this stage.
And they could affordably sub-contract the task to us [H] posters. We can be quite salty.
 
Yep, a small 3-word pass phrase is all you need. If you want to get crazy, add your email domain at the end like [email protected]; takes something super complex and makes it impossibly complex to crack but very easy to remember. Whoever would have thought a 27-character password was this easy to remember.
I think for offline attacks a 3-word passphrase would make me a little nervous. That's 30-39 bits of entropy, which from what I understand, a modern desktop can crack in seconds.
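The entropy figures in the last few posts are easy to check. The following is an added example, written by me rather than by anyone in the thread, that computes passphrase entropy the way an offline attacker who knows the scheme would count it (words drawn from a known list) and turns it into an expected cracking time. The word-list sizes, the guess rates and the "known suffix adds nothing" assumption are mine; the 30-39 bit range quoted above corresponds to three words from lists of 1,024 to 8,192 entries.

```python
import math

# Assumed reference figures (not from the thread):
DICEWARE_WORDS = 7776     # 6^5 entries in a standard Diceware list
FAST_HASH_RATE = 1e10     # guesses/s: order of magnitude for GPUs against an unsalted fast hash
SLOW_KDF_RATE = 1e4       # guesses/s: order of magnitude against a tuned, slow KDF


def passphrase_entropy_bits(num_words: int, dict_size: int = DICEWARE_WORDS,
                            known_suffix: str = "") -> float:
    """Entropy of num_words words drawn uniformly from a list of dict_size.

    Counted from the attacker's side, so a suffix the attacker can predict for
    a given user (an e-mail domain, a site name) contributes nothing: the
    argument is accepted only to make that explicit.
    """
    if num_words < 1 or dict_size < 2:
        raise ValueError("need at least one word and a list of at least two")
    return num_words * math.log2(dict_size)


def average_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: half the keyspace on average."""
    return (2.0 ** bits) / guesses_per_second / 2.0


def human_duration(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def report(num_words: int, dict_size: int = DICEWARE_WORDS) -> dict:
    """Entropy plus expected crack time under both guess rates."""
    bits = passphrase_entropy_bits(num_words, dict_size)
    return {
        "words": num_words,
        "bits": round(bits, 1),
        "fast_hash": human_duration(average_crack_seconds(bits, FAST_HASH_RATE)),
        "slow_kdf": human_duration(average_crack_seconds(bits, SLOW_KDF_RATE)),
    }


if __name__ == "__main__":
    for n in (3, 4, 5, 6):
        r = report(n)
        print(f"{r['words']} words: {r['bits']} bits; "
              f"unsalted fast hash ~{r['fast_hash']}, slow KDF ~{r['slow_kdf']}")
    # The "add your domain" trick from the thread, seen from the attacker's side:
    print("3 words + known suffix:",
          passphrase_entropy_bits(3, known_suffix="@example.com"), "bits")
```

Two things fall out of running it. Three Diceware words sit at about 39 bits, which an unsalted fast hash gives up in well under a minute at the assumed rate, while five or six words push the same attack into decades. And the same three words stored behind a slow KDF take months instead of seconds, which is the other half of the argument made in the thread: the site's storage matters as much as the user's choice.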
 
"Dubbed RockYou2021, the list as revealed on a hacker forum contains 8.4 billion password entries, says CyberNews."
"A list of leaked passwords discovered on a hacker forum may be one of the largest such collections of all time. A 100GB text file leaked by a user on a popular hacker forum contains 8.4 billion passwords, likely gathered from past data breaches, tech news site CyberNews said on Monday."

https://techxplore.com/news/2021-06-largest-password-breach-history-leaked.html
https://www.techrepublic.com/article/billions-of-passwords-leaked-online-from-past-data-breaches/

better check...
https://haveibeenpwned.com/

Damn it 2 out of 3!

2 Out Of 3.jpg
 
Yeah, the databases being hacked are really the bigger issue, not my passwords. Poor security standards and cyber security practices (or lack thereof) seem to be the only times my passwords have been stolen, including at my banks and insurance companies.

I use keepass with strong passwords for everything. Been doing it for years. My keepass database is over 100KB now, haha.

What's worse though is the debit card security standards. It seems anyone can make one. Just two months ago I had someone 5 states away withdraw $5180 from my checking account at various ATMs. I have never used my debit card anywhere, not even at a local ATM, so it could never have been skimmed or stolen online from anything I've done. I put it in the gun safe when I was first issued the card, and that's it. I shred all documents I receive in the mail with critical information on them. What's worse is I had to prove it actually was not me. It took several weeks to get my money back.
 
As others have mentioned, this is a good time to consider your password security. I highly suggest using only open source projects for password management (that have zero knowledge in the case of a database/remote hosting) so you can be reasonably sure of the trustworthiness of the tools being used. While using something like Google Chrome/ium password storage or LastPass is perhaps better than nothing, I'd suggest instead:

Browser - Firefox's built-in password manager is pretty decent if you just need a browser-based setup. Local and encrypted, but capable of zero-knowledge sync through the Firefox account system or manual import/export. Other options, including integration with the other PW managers listed below, are also available through add-ons. Overall the best option for a browser-based PW manager and (for other reasons) often the preferable browser.

Database file - KeePass. Use either the KeePass 2.x+ version ( https://keepass.info/index.html ) or KeePassXC ( https://keepassxc.org/ ) for desktop (Win/Mac/Linux) and a variety of clients for mobile (KeePassDX for Android - https://www.keepassdx.com/ - both via Google Play and, even better, F-Droid. AuthPass is also available both on desktop and Android - https://authpass.app ) and elsewhere. With KeePass you will have a client and a separate database file which actually holds your PW and potentially tons of other information; it will be up to you to either clone it to where you need it, sync, or otherwise manage changes if you are using more than one device. Definitely the most granular and powerful of the "you control the database file directly" libre solutions.

Cloud-based - BitWarden - https://bitwarden.com/ - A close analog to LastPass, Dashlane, and other proprietary implementations, BitWarden is a libre cloud-based setup, encrypted zero knowledge before transmission. You can use clients for all platforms (note: besides the listed Google Play, it is also available on F-Droid but may need a custom repository added) and then either self host a server if you wish, or use an existing server including the official one. Using the official servers can be done for free, but they also have inexpensive premium services for yourself ($10/year), a family ($40/year), or business depending on what you need; all the funds go into supporting the development of BitWarden and of course hosting. For those who don't want to manage a database file, this is one of the best solutions.

Good luck!

Edit: It's worth noting that all of the above can also auto-magically generate passwords for you, using parameters you set (i.e. length, characters allowed, etc.), and besides copy/paste, can also be set to automatically fill forms in your browser when necessary. Note that some may need a browser extension to do more advanced things (i.e. the Kee extension for Firefox or Chrome/ium, formerly KeeFox, basically works around the built-in FF PW manager and allows users to both save to and auto-fill from a KeePass database).

Bonus - 2FA! Instead of using proprietary 2FA software like Authy or Google Authenticator (which used to be FOSS at first, but was locked down years ago), use Aegis Authenticator ( https://getaegis.app/ ) for Android! Aegis also has encrypted backup and export functions, as well as biometric options! Note that certain KeePass and I think BitWarden clients can both be set to require a HOTP/TOTP 2FA to access their database and/or be able to generate HOTP/TOTP codes itself depending on the addons/features enabled. However, many wish to keep their OTP generating application separate from their password storage and database.
 
Whatever you do, get a password manager (based on your needs, any of them are better than nothing).

Don't try to roll your own silly scheme for making insecure passwords. Just get a manager, make long random strings, and be done with it.

It honestly just makes your life so much easier, it's crazy to not do it.
 