Re: Password Recovery

On Wed, 16 Dec 2020 at 17:52, Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Wed, 2020-12-16 at 07:51 -0400, George N. White III wrote:
> There are services like https://haveibeenpwned.com/ that check
> passwords against captured databases.  Google will warn you if a
> password saved in Chrome appears in one of the stolen password
> databases.   When this was introduced it detected a couple of
> stolen passwords that I used with sites that either went out of
> business or were taken over by "bad actors". I think a number of
> other password managers can also check against the databases.

My concern with those kinds of services is that there are two ways they
can work:

1. You send them your password, and they look it up in their database.
2. A similar kind of thing is done where they compare checksums rather
than the actual passwords.

The second method will be used by legit services.
 

Either way, it's ripe for exploitation.  No doubt there's fake password
check sites out there that just immediately skim your password for
their own purposes.  I'm more in favour of a kind of site that logs
which sites have been compromised or bought out, and when, then you can
decide whether to change your passwords with them, or leave.

From my experience, failed businesses often come back with 
different names or sell customer lists to another business.   Names
of web sites often have little relation to the registered name of a 
business (and here in Canada we have "numbered" companies).


Always use good, and totally different passwords for all services, as a
matter of course.

I'm against the usual password policies, as well.  Repetitively changing
your password is no guarantee of avoiding being hacked, and is more
likely to lead to you forgetting your passwords. 

That's easy, just write down the password on a post-it and attach it to your
monitor so you don't need to remember it.
 
And weird untypeable
and unmemorable number and letter combinations are more of a problem
for yourself than any exploiters.  And when banks tell you that you
must use an eight-character-long password I just want to scream at
them.

Not to mention the user agreement that says the bank isn't responsible for
anything.   

--
George N. White III

_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
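
The checksum comparison described as method 2 in the thread, as an added example that is not part of the original emails: the password is hashed with SHA-1 locally and only the first five hex characters are sent, which is how the Pwned Passwords range endpoint of haveibeenpwned.com is queried. The lookup stand-in, its counts and the sample passwords are constructed so the code runs offline.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint
sent = []  # records everything the demo "sends", to show what leaves the machine


def split_hash(password):
    """Return (prefix, suffix): first 5 and remaining 35 hex chars of the SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def fetch_range(prefix):
    """Network lookup (not called in the offline demo). Only the prefix is sent."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "example-checker"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("ascii")


def breach_count(password, range_lookup=fetch_range):
    """Compare the suffix locally against the SUFFIX:COUNT rows returned."""
    prefix, suffix = split_hash(password)
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)  # a count of 0 is a padding row, not a hit
    return 0


def constructed_lookup(prefix):
    """Constructed stand-in for the service, so the example runs offline."""
    sent.append(prefix)
    known = {"password": 3, "hunter2": 0}  # constructed counts, not real data
    rows = ["0" * 35 + ":1"]  # unrelated row that shares the prefix
    for pw, n in known.items():
        p, s = split_hash(pw)
        if p == prefix:
            rows.append(f"{s}:{n}")
    return "\r\n".join(rows)


if __name__ == "__main__":
    for pw in ("password", "hunter2", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, constructed_lookup))
    print("sent to service:", sent)
```

The service sees only a five-character prefix shared by many unrelated hashes; the match itself happens on the client.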