Was Your Data Included in Recent Security Breaches?

Originally published at: https://tidbits.com/2019/04/18/was-your-data-included-in-recent-security-breaches/

Billions of email addresses and other bits of data have been revealed in security breaches this year alone. There’s nothing you can do about what’s already out there, but read on for advice on preventing future problems.

Credit Karma also has a similar monitoring service, and they seem to catch breaches that Have I Been Pwned doesn’t, as I’m subscribed to both and get notifications of some breaches from Credit Karma that I don’t from Have I Been Pwned.

Discover Card also monitors for my social security number and new financial accounts in my name, but not for other things that Credit Karma and Have I Been Pwned do.

Credit Karma is free, although you do have to sign up and give them some personal information. I don’t know if you have to have a Discover Card to use Discover’s service; I’d guess you do, although I already had one when they started offering the service.

Obviously giving your personal information to additional services increases your risk because those services could be hacked, so it’s a balance, but in my opinion worthwhile to use at least Have I Been Pwned and Credit Karma.

This question is only tangentially related, and doesn’t apply if someone reuses passwords. Why don’t programmers build a delay into accepting passwords after the first incorrect password? I envision the host allowing me to enter a password incorrectly, then allowing me to try again, but then introducing a short delay (say, one second) before accepting the next password attempt. After another small number of incorrect attempts (perhaps one, perhaps two or three), the delay becomes longer. After still more attempts, the delay becomes longer still.

It seems like this would slow down a brute force attack. To make it a bit fancier, restart the timer or at least reduce the delay if a different IP address attempts to connect. This would allow the user to get in even if a bad actor was actively trying to hack the account. (I assume the bad actor could switch IP addresses, but from within a limited pool.)

To me, this seems simple and obvious. Is there something I’m missing?

On a different note, I recently read about a bank that detected an intruder in one of its user’s accounts by the way the intruder moved the mouse. The intruder had actually gotten into the user’s account, but was thwarted by behavior (mouse movement!) while in the account. (Obviously, the bank had been monitoring the user’s behavior, and presumably all users’ behaviors, prior to the incident.)
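The escalating-delay scheme sketched in the post above, written out as an added example (it is not code from TidBITS or from any site the thread mentions). The schedule (first wrong password free, then 1 s doubling to a 60 s cap), the "different IP halves the remaining wait" rule, and the `LoginThrottle` name are assumptions chosen to illustrate the idea; the clock is injected so the behaviour can be checked without sleeping.

```python
"""Per-account escalating login delay with an IP-aware reset.

Added illustration of the idea in the post above; not production code
from any vendor. Schedule and reset rule are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed schedule: the first failure costs nothing, the second one second,
# and each further failure doubles the wait, capped at MAX_DELAY seconds.
FREE_FAILURES = 1
BASE_DELAY = 1.0
MAX_DELAY = 60.0


def delay_for(failures: int) -> float:
    """Seconds to wait before the next attempt is accepted."""
    if failures <= FREE_FAILURES:
        return 0.0
    return min(BASE_DELAY * 2 ** (failures - FREE_FAILURES - 1), MAX_DELAY)


@dataclass
class AccountState:
    failures: int = 0
    last_ip: Optional[str] = None
    next_allowed: float = 0.0  # clock time at which verification may resume


class LoginThrottle:
    """Tracks failures per account; the password is only verified when wait == 0."""

    def __init__(self, clock: Callable[[], float]):
        self._clock = clock
        self._accounts = defaultdict(AccountState)

    def check(self, account: str, ip: str) -> float:
        """Seconds still to wait; 0.0 means the attempt may be verified now."""
        st = self._accounts[account]
        now = self._clock()
        # Post's refinement: a different source IP halves the accrued wait so a
        # legitimate user is not fully locked out by someone else's failures.
        if st.last_ip is not None and ip != st.last_ip:
            remaining = max(0.0, st.next_allowed - now)
            st.next_allowed = now + remaining / 2
        return max(0.0, st.next_allowed - now)

    def record_failure(self, account: str, ip: str) -> float:
        st = self._accounts[account]
        st.failures += 1
        st.last_ip = ip
        wait = delay_for(st.failures)
        st.next_allowed = self._clock() + wait
        return wait

    def record_success(self, account: str) -> None:
        self._accounts.pop(account, None)  # a good login clears the history

    def attempt(self, account: str, ip: str, password_correct: bool) -> Tuple[str, float]:
        """One login attempt; returns (outcome, seconds) for the client."""
        wait = self.check(account, ip)
        if wait > 0:
            return ("wait", wait)  # refuse before touching the password
        if password_correct:
            self.record_success(account)
            return ("ok", 0.0)
        return ("denied", self.record_failure(account, ip))


if __name__ == "__main__":
    import time
    th = LoginThrottle(time.monotonic)
    for _ in range(5):
        print(th.attempt("alice", "203.0.113.10", False))  # constructed IP
```

Because the throttle keys on the account, the wait only protects that one account; an attacker spreading attempts across many accounts (the botnet case raised later in the thread) never accrues enough failures on any single one to be slowed.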

My suspicion is that many sites do in fact have delays before accepting multiple login attempts on the same account, but if you have automation software that distributes thousands of login attempts across hundreds of sites, it’s easy to avoid such obstacles.

Here’s an article that explains more about how credential stuffing works:

That’s what I was missing: I was forgetting about botnets. If there are many hundreds of sites, my idea is not as good as I had originally thought. And you’re right that the sites might already do this; there is no reason they would let me know.
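The point made in the two posts above, that per-account delays are sidestepped when attempts are spread thinly across many accounts, is easier to see on a log. The following is an added example (not from TidBITS or from the article referred to above): a handful of constructed authentication log lines in an assumed `result=/user=/src=` format, with source addresses from the documentation ranges, a per-account lockout rule that catches nothing, and an aggregate rule (distinct failed accounts per source address) that does.

```python
"""Credential-stuffing pattern vs. per-account throttling, over constructed log lines.

Added example; log format, thresholds and the sample lines are assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: two sources each try many accounts once or twice;
# frank is an ordinary user who mistypes once and then logs in.
LOG = """\
2019-04-18T10:00:01 login result=fail user=alice src=203.0.113.10
2019-04-18T10:00:02 login result=fail user=bob src=203.0.113.10
2019-04-18T10:00:02 login result=fail user=carol src=198.51.100.7
2019-04-18T10:00:03 login result=fail user=dave src=203.0.113.10
2019-04-18T10:00:03 login result=fail user=erin src=198.51.100.7
2019-04-18T10:00:04 login result=ok user=frank src=192.0.2.44
2019-04-18T10:00:04 login result=fail user=gina src=203.0.113.10
2019-04-18T10:00:05 login result=fail user=hank src=198.51.100.7
2019-04-18T10:00:06 login result=fail user=alice src=198.51.100.7
2019-04-18T10:00:07 login result=fail user=frank src=192.0.2.44
2019-04-18T10:00:08 login result=ok user=frank src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login result=(?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one dict per line that matches the assumed format; others are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def failures_per_account(events):
    return Counter(e["user"] for e in events if e["result"] == "fail")


def accounts_locked_by_per_account_rule(events, threshold):
    """Accounts a per-account lockout at `threshold` failures would have caught."""
    return sorted(u for u, n in failures_per_account(events).items() if n >= threshold)


def distinct_failed_accounts_per_source(events):
    """How many different accounts each source address failed against."""
    seen = defaultdict(set)
    for e in events:
        if e["result"] == "fail":
            seen[e["src"]].add(e["user"])
    return {src: len(users) for src, users in seen.items()}


def suspicious_sources(events, min_accounts):
    """Sources that failed against at least `min_accounts` distinct accounts."""
    per_src = distinct_failed_accounts_per_source(events)
    return sorted(src for src, n in per_src.items() if n >= min_accounts)


def failure_ratio(events):
    """Share of all attempts that failed; a site-wide spike is another signal."""
    if not events:
        return 0.0
    return sum(e["result"] == "fail" for e in events) / len(events)


if __name__ == "__main__":
    ev = parse_log(LOG)
    print("per-account lockouts at 3 failures:", accounts_locked_by_per_account_rule(ev, 3))
    print("sources hitting 3+ accounts:", suspicious_sources(ev, 3))
    print("failure ratio: %.2f" % failure_ratio(ev))
```

No account reaches three failures, so the throttle from earlier in the thread never engages, while both stuffing sources stand out as soon as failures are counted per source rather than per account. A real botnet spreads the same attempts over far more addresses, which is why the failure ratio across the whole site, rather than any single address, is the signal that survives.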

Just in terms of security, how does using a third party password manager like 1Password compare to the Apple KeyChain? Both appear to be strong/vulnerable in the same ways. Is there an article, or at some point could there be, comparing approaches? Thanks.

Take Control of Your Passwords compares all the major password managers, including iCloud Keychain, in a fair amount of detail. I’m not sure if Apple publishes details about the encryption, so I don’t know if it can be compared purely on security.

Joe says:

If you use only recent-vintage Apple devices, iCloud Keychain could be all the password manager you need. However, it’s limited compared to some of the other password managers I discuss here. For example:

  • It can’t sync with Windows or Android.
  • On a Mac, it currently works only in Safari, not in third-party browsers.
  • Although it does create random passwords, they’re all 20 characters long with the format XXXXXX-XXXXXX-XXXXXX, where each X is an alphanumeric character. Because the hyphens never vary (no other symbols are used and the grouping is always the same), the effective length is only 18 characters. If you want a longer or more varied password, you’re on your own.
  • It can’t store or enter a credit card CVV number, which most other password managers can do.
  • It won’t help you with software licenses, secure notes, and other arbitrary data types. (Although the Keychain Access app on a Mac can store secure notes, you can’t create or read them on iOS devices—and Keychain Access has a truly awful user interface.)
  • By default, it locks only when your Mac or iOS device does, which strikes me as a poor balance between security and convenience. (This fact also makes it that much more important that you choose an outstanding login password for your Mac!)

For these and other reasons, I use iCloud Keychain only as a supplement to a third-party password manager.

The inflexible password generation would be a problem for me—some sites require only 16-character passwords or don’t like certain character types. I fairly often have to adjust LastPass’s settings to generate an acceptable password.

Each book costs $14.99, but you can buy both together for just $20.

Somewhat off-topic here; my question is about buying Take Control books. I understand that discounts cannot be combined, but does that apply to the entire order or to individual (or combinations of) books? In the current situation, if I want to buy the two books named in the link plus another title or two, should that be one order to get the quoted discount on the linked titles and another order to get the TidBITS member discount on the other titles? Thanks.

Here’s what @joe says:

Somewhat off-topic here; my question is about buying Take Control books. I understand that discounts cannot be combined, but does that apply to the entire order or to individual (or combinations of) books?

The limitation is one coupon per order. So, for example, you could have a coupon that gives you a discount on one or two specific books, and then add other books besides those to your order (which would not be discounted).

In the current situation, if I want to buy the two books named in the link plus another title or two, should that be one order to get the quoted discount on the linked titles and another order to get the TidBITS member discount on the other titles? Thanks.

The TidBITS member discount uses a coupon code, which applies to your entire order and can’t be combined with any other coupons (back to the one-coupon-per-order rule).

So, if you wanted to use the link to buy those two books together for $20 (which is a greater than 30% discount), you can’t also use your TidBITS member discount for other books in the same order. You’d need to place two separate orders.

We understand this is a hassle. The limitation of one coupon per order comes from eSellerate, our payment processor. It so happens eSellerate is shutting down in a couple of months, and we’re in the process of rebuilding our website to use both a different payment processor and different logic to deal with coupons and other discounts. In the new world order, it will be possible, for example, to do things like have two coupons in a single order (one that gives you a discount on book A and one that gives you a different discount on book B). We want to make all this stuff way easier and less fiddly. One thing we won’t do, however (even though it would be technically possible) is permit coupons to be stacked—as in, save 50% due to some promotion and then save another 30% on top of that with your TidBITS member discount. That seems incompatible with staying in business :-).

Thanks for the detailed response.

That’s fine. I want you to stay in business.

The Passwords and Accounts function of iOS Settings now includes a caution about the use of the same password on multiple websites. A triangle with ! appears next to each case. Tapping on the triangle brings up an option to “Change Password on Website”.

Looking at my list I have some work to do…

It is a pity that macOS KeyChain Access does not have the same feature.

Adam, you mentioned that your email showed up in 22 data breaches; I just checked the email address that I’ve had since the late 80s and … I beat you at 23! Believe me, I’m not happy at all about that.

While I am a big fan of 1Password — it was the first article I wrote when I was the Tech Daddy on the Huffington Post — it is dismaying that even though I’ve spent several hours a day over the last week dealing with the list 1P is showing me of my Compromised, Vulnerable, Reused and Weak passwords, there are still literally HUNDREDS of them that still need attention. Of course, a certain amount of these are for websites that are no longer in existence, but that still leaves weeks more of work to do.

How many people will have the wherewithal to do this? At what point will the big tech companies and corporate America start taking responsibility? I may never get the answer to those questions but I can’t stop asking them …

One of my breaches was MyFitnessPal - except I’ve never used that program! I delete just about any app that makes me set up an account. But obviously I use something owned by them.

I had 7 breaches on my main email. Off to check the others.

Diane

Your phrasing makes it sound like you’re blaming 1Password for something but isn’t it just the messenger?

There are a number of MapMy… apps that are also owned now by Under Armour. There’s also an app marketplace that lists a few dozen other apps that must at least give the option of being connected to one’s MyFitnessPal account.

And there it is - mapmyride. I signed up for that years ago so I could map out longer rides and import them into my GPS. Thanks!

Diane

You’re the leader so far, Ken!

It is distressing, and I have much the same problem. The only real consolation is that none of those accounts are at all important, so it’s unlikely that a bad guy breaking into several of them could actually do much damage.

Diane, I envy you :slight_smile:

As for MyFitnessPal, many years ago it was purchased by UnderArmour and merged with their suite of websites, so if you ever used any of the other associated sites that’s probably what happened. Which is a whole other topic, isn’t it? The way companies absorb other companies and in the process acquire their users’ logins and personal info. Some companies require you to create a new account, while others don’t.

And don’t get me started (oops! too late) on the process of creating a login password itself, and how so many websites don’t tell you what their password requirements are until AFTER you try to create one and then it tells you “not accepted!” and what they expected you to do. sigh

I was not blaming 1P for anything; I apologize for my lack of rigor in writing that. One of the reasons I use and recommend 1Password is precisely because it tells you what passwords are compromised, weak, vulnerable or reused.


Here’s a real-world example of people suffering from credential stuffing.

https://www.washingtonpost.com/technology/2019/04/23/how-nest-designed-keep-intruders-out-peoples-homes-effectively-allowed-hackers-get/

The reason I used MyFitnessPal was the digital divide between Withings and Garmin Connect. For a while the only way to get weight from a Withings scale to automatically be sent to Garmin Connect was MyFitnessPal. It stopped working a couple of weeks ago (which end is responsible I’m not sure) so I looked into alternatives and found smartscalesync.com, which I signed up and paid for. Weights are now automatically flowing again. I never bothered trying to keep track of calories with MFP, because I don’t trust either the input or the output numbers various devices/sites give, so what’s the point. I trust my scale so far as my weight goes.

Of course, there’s another digital divide that I have problems with, the split between 1Password on my Sierra MacPro (upgrading to High Sierra when it came out failed, and I need the machine too much right now to try upgrading to Mojave) and my Mojave MacBookPro. I went to log in to smartscalesync on my MacPro and neither 1Password nor Sierra had any record of the password I set up. Fortunately, 1Password on my iPhone does, so I simply read it off the phone and typed it into Safari on my MacPro (and now I hope it remembers it).