Password compromise?

I’m wondering (out of ignorance) if it’s safe to use sites like the one you linked to… I’ve never visited there but assume they ask for name, emails etc in order to do their report. Isn’t that helping miscreants find out part of the data they need, and point to those who are worried and maybe more valuable to hack? It’s kind of like… sticking your head out of the foxhole as they say.

How do you know it’s a reputable site that will destroy the info you entered after telling what it knows?

@Shamino, your reply invokes the wonder of an XKCD What If post!


You are quite right to be concerned. I’m usually quite skeptical of such sites. Have I Been Pwned, however, is the creation of Troy Hunt who is well-known in cybersecurity circles. The site has been around a long time (12+ years) and many major players in the industry use the site (for example, 1Password’s breach warnings). Troy has been astonishingly transparent as he has developed the site so that it preserves privacy to the greatest extent possible.

So, no, it’s not safe to use sites like Have I Been Pwned, but in this particular case, it is my belief that the site is trustworthy.

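Added example, not from any poster in this thread: the privacy-preserving design referred to above is the k-anonymity range query of the Pwned Passwords API, where the client sends only the first five hex characters of SHA-1(password) to https://api.pwnedpasswords.com/range/{prefix}, receives every known suffix under that prefix, and does the final match locally. The breach search by email address is a different endpoint and is not covered here. The script runs offline against a constructed stand-in for the API: only the first suffix is the real SHA-1 suffix of "password"; the other suffixes and all counts are made up.

```python
import hashlib

PREFIX_LEN = 5  # the range endpoint takes the first 5 hex chars of SHA-1(password)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines the /range/{prefix} endpoint returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def check_password(password: str, fetch_range) -> int:
    """Return the breach count for password, or 0 if it is not in the corpus.

    fetch_range(prefix) must return the text body that GET /range/{prefix}
    would return. Only the 5-character prefix leaves the client; the full
    hash is compared here, locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API. The first suffix is the real SHA-1
# suffix of "password" (full hash 5BAA61E4...8FD8); the other two suffixes and
# all three counts are made up for this example.
FAKE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "FEDCBA9876543210FEDCBA9876543210FED:17",
    ]),
}
requested_prefixes = []  # everything the "server" got to see


def fake_fetch_range(prefix: str) -> str:
    requested_prefixes.append(prefix)
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "HouseBoatClockGiraffe$1"):
        print(pw, "->", check_password(pw, fake_fetch_range), "breaches")
    print("server saw only:", requested_prefixes)
```

A real client replaces `fake_fetch_range` with an HTTPS GET to the endpoint above; the point to check in `requested_prefixes` is that nothing longer than five hex characters is ever sent.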

The reason this works is because by getting long enough you eliminate rainbow tables and dictionary attacks and force brute force password cracking. The guess might include real dictionary words…but unless the entire guess is correct it fails to decrypt and they move on to the next guess. It is theoretically possible that completely random passwords are more secure…but 19 trillion centuries vice 20 is irrelevant. Steve Gibson has a demonstration of this at his site: https://www.grc.com/haystack.htm. While I rarely type passwords…on the infrequent occasions when it is necessary real words make things simpler.

If the password cracking told the bad guy that the first 5 characters were correct it would help them…but that’s not the way brute force works. As long as a password has the 4 food groups of upper case, lower case, numbers and special characters for an alphabet of 95 characters…and as long as the password is long enough to force brute force only…then Dog1234……………+ (or however many periods are needed to get to 20 or 22 long) is perfectly safe for brute force attacks for far longer than I will be alive.

It is important…maybe…to have the 4 food groups…although even HouseBoatClockGiraffe as a password is 3.5 trillion centuries to brute force per that site. Adding $1 to the end increases it to 10 billion trillion centuries because of the larger alphabet size…which is the approach I always recommend. 2FA helps too…but long and stored in some password keeper for auto entry when needed is the easy peasy solution.
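Added example, not from any poster in this thread: the century figures above come from the cost model behind the GRC haystack page. As an assumption here (reconstructed from that page’s published numbers, not taken from its code), the model counts every string up to the password’s length over the character classes the password uses and divides by a guess rate; the three rates below are the scenarios that page lists. The script reproduces the 3.5 trillion and 10 billion trillion century figures, and goes beyond the post by also costing the same passphrase as a combination of four dictionary words, which is the search a cracking tool runs when the words are dictionary words.

```python
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Guess rates (assumed: the three scenarios the haystack page lists)
ONLINE_ATTACK = 1_000                          # per second, throttled web login
OFFLINE_FAST_ARRAY = 100_000_000_000           # 100 billion/s
MASSIVE_CRACKING_ARRAY = 100_000_000_000_000   # 100 trillion/s


def alphabet_size(password: str) -> int:
    """Alphabet a brute-forcer must assume, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def search_space(alphabet: int, length: int) -> int:
    """Every string of length 1..length over the alphabet (exhaustive search)."""
    return sum(alphabet ** k for k in range(1, length + 1))


def centuries_to_exhaust(password: str, guesses_per_second: int) -> float:
    """Worst case for an attacker who knows only the alphabet and the length."""
    space = search_space(alphabet_size(password), len(password))
    return space / guesses_per_second / SECONDS_PER_CENTURY


def seconds_for_word_combinations(words: int, dictionary_size: int,
                                  guesses_per_second: int) -> float:
    """Cost when the attacker guesses whole words instead of characters."""
    return dictionary_size ** words / guesses_per_second


if __name__ == "__main__":
    samples = ("HouseBoatClockGiraffe",
               "HouseBoatClockGiraffe$1",
               "Dog1234" + "." * 15 + "+")
    for pw in samples:
        print(f"{pw}: alphabet {alphabet_size(pw)}, length {len(pw)}, "
              f"{centuries_to_exhaust(pw, MASSIVE_CRACKING_ARRAY):.3g} centuries "
              f"at 100 trillion/s")
    print("4 words from a 10,000-word list at 100 trillion/s:",
          seconds_for_word_combinations(4, 10_000, MASSIVE_CRACKING_ARRAY),
          "seconds")
```

The two character-level figures match the post; the last line shows why the word-combination view matters when choosing words from a small list.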

My banks think “2FA” means sending you a six-digit number via insecure SMS! I really want banks to adopt passkeys, but they won’t. PNC Bank just did a huge update to their online banking (offline for two days)—and they still send the same insecure SMS. What will it take for them to support passkeys?!

Exactly! Your email address is 50% of your login credentials (and it’s used to track you across the internet too). That’s why we all need to use a service that creates a different email for each account (they forward it to your real email account). Apple offers that service, and so does IronVest (it’s not currently reliable though) and I think also Proton Mail.

For many institutions, either banking regulators forcing them to, or a huge lawsuit that results in banks no longer being able to shift the costs of security and security breaches onto their customers.
🙁


ETA
I use a Google Voice number for SMS-based 2FA on a small number of accounts where I want to protect against SIM swapping. This is one case where Google’s lack of human customer service provides a benefit to users: it is impossible to social engineer call center/store workers who don’t exist.

It has been several years since I set it up with two financial institutions, a social network, an email provider, and a federal government centralized login service. I haven’t had any problems since then. Keep in mind, though, that not all companies allow virtual phone numbers for 2FA.

Here are the steps I followed for anybody interested (may be out of date)…

  1. Downloaded and installed the iOS version of Google Voice.
  2. Registered a new Google account. Changed all privacy and tracking settings to the most restrictive possible (used a desktop machine).
  3. Used the new Google account to sign up for Google Voice (used a desktop machine).
  4. Linked a land line and a cellular line to Google Voice (used a desktop machine).
  5. Launched and configured iOS Google Voice app.
  6. Added Google Voice phone number to selected accounts.
  7. Tested logins (at this point, login codes are delivered to both the Google Voice app and the iOS Messages app).
  8. Deleted cellular phone number from changed accounts.
  9. Unlinked cellular phone number from Google Voice (used desktop machine).
  10. Now login code requests are delivered solely to the Google Voice app on my cellular phone. A notification pops up when it arrives, just like when any other app wants attention or an iOS Messages text arrives.
  11. I will not be using Google Voice for any other purposes, so I don’t care if I’m able to make phone calls or send texts from it. Additionally, all a successful GV account attacker—and Google, for that matter—will see is that a few companies send 2FA codes to the GV number. No other account information is ever sent to GV.

I think USAA Bank didn’t allow Google Voice, but at least they have their own random-number generator, which is far and away more secure than 2FA via SMS.

In a sense, it’s already here. I could use an address email+pnc@icloud.com for one bank, email+wf@icloud.com for another bank, and so on. The + and characters up to but not including @ are disregarded, and messages go to email@icloud.com for pickup. With some creativity in the stuff following + so a pattern is not discernible, there is a different email for each account and they cannot be guessed following a breach. (This works for iCloud and GMail; I don’t know about others.)

My bank stopped sending email because email is insecure. You guessed it; the bank started using SMS.

My bank will not send SMS to a Google Voice number. I don’t know how it knows, but when I select my Voice number to receive the magic code, it never arrives.

Those are not really different addresses; any scammer worth his salt would run a job on his email list to eliminate the plus and any characters up to the at sign.

Wells Fargo? Yeah, banks still pay for SMS outgoing gateway services, and they chintz out on Google, I guess. Maybe it’s because it’s a virtual number, a potential security risk.

This depends on the context. The point here is to use the altered email address as the first part of the email/password combination. Eliminating the stuff after the plus would enable someone to email you, but the goal here is that having the email address – either without the plus or with a different plus suffix – does not give you part of the login credential.

Dave


Have you tested that? Some websites might eliminate all from the plus to the at sign, reducing it to the base address, since the rest isn’t necessary…

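Added example, not from any poster in this thread, covering the plus-addressing exchange above (the per-bank addresses, the scammer’s de-duplication job, the literal-username argument, and the question of sites that strip the tag themselves). `delivery_address` is the normalisation a mailbox provider or a scammer applies (drop `+tag` everywhere; additionally ignore dots for Gmail, which is documented Gmail behaviour). `login_matches_literal` is a site that stores the tagged address as the username; `login_matches_normalised` is a site that strips the tag, where the distinction collapses. `tag_for` is an assumed scheme of my own for a tag that is reproducible for you but not guessable from the site name. The leak list is constructed from the addresses in the thread.

```python
import hmac
import hashlib


def delivery_address(address: str) -> str:
    """Where mail actually lands: case-folded, '+tag' dropped, dots ignored for Gmail.
    This is the job a scammer runs over a leaked list before mailing it."""
    local, _, domain = address.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in ("gmail.com", "googlemail.com"):
        local = local.replace(".", "")
    return f"{local}@{domain}"


def collapse_leak(addresses):
    """Group leaked addresses by delivery address."""
    groups = {}
    for a in addresses:
        groups.setdefault(delivery_address(a), set()).add(a.strip().lower())
    return groups


def login_matches_literal(stored_username: str, attempt: str) -> bool:
    """Site stores the tagged address as-is: the base address or another tag is a
    different username, so the leaked base address is not half the credential."""
    return stored_username.strip().lower() == attempt.strip().lower()


def login_matches_normalised(stored_username: str, attempt: str) -> bool:
    """Site strips '+tag' on both sides: any tag, or none, logs in."""
    return delivery_address(stored_username) == delivery_address(attempt)


def tag_for(site: str, secret: bytes) -> str:
    """Assumed scheme: first 8 hex chars of HMAC-SHA256(secret, site). Same
    secret and site always give the same tag; the site name alone gives nothing."""
    return hmac.new(secret, site.encode("utf-8"), hashlib.sha256).hexdigest()[:8]


def tagged_address(base: str, site: str, secret: bytes) -> str:
    local, _, domain = base.rpartition("@")
    return f"{local}+{tag_for(site, secret)}@{domain}"


# Constructed sample leak built from the thread's example addresses.
LEAK = [
    "email+pnc@icloud.com",
    "Email+wf@icloud.com",
    "e.mail+bank@gmail.com",
    "email@gmail.com",
]

if __name__ == "__main__":
    for base, tags in collapse_leak(LEAK).items():
        print(base, "<-", sorted(tags))
    print(login_matches_literal("email+pnc@icloud.com", "email@icloud.com"))     # False
    print(login_matches_normalised("email+pnc@icloud.com", "email@icloud.com"))  # True
    print(tagged_address("email@icloud.com", "pnc.com", b"my-tag-secret"))
```

Whether a given bank behaves like `login_matches_literal` or `login_matches_normalised` is exactly the test the post above asks about, and the only way to know is to try logging in with the base address.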

A firm I used with GV stopped accepting GV numbers, citing that reason.

That’s bad, the bank should tell clients up front virtual numbers don’t work! Leaving people to figure out on their own a number won’t work is infuriating.
