
Have I Been Pwned?

I mean current advice is now not to have users change their passwords often, because they're more likely to use shit ones/write them down/recycle them. They probably do that anyway.
Aye, I have this argument with our security team. Make the password requirements good and hard and then scale back the expiry to once a year. If you have good complexity, more than once a year is silly (barring actual hacks and leaks and whatnot).
 
A quick takeaway from the leak that prompted this thread is that it included Roblox usernames and passwords so if you have kids that play this, who haven’t changed their passwords in the last 3 months (unlikely) who are not signed up to haveibeenpwned (even more unlikely) to do so asap.
 
Aye, I have this argument with our security team. Make the password requirements good and hard and then scale back the expiry to once a year. If you have good complexity, more than once a year is silly (barring actual hacks and leaks and whatnot).
Although the security team may be hampered by the Active Directory setup which is always a pain in the arse, particularly when finding decent AD architects is incredibly difficult, and then finding an AD security expert to adequately check and test the setup and determine where the issues lie that prevent a unified approach.
Progress is further slowed by different parts of the organization using different operating systems because they may have been part of an M&A effort some years ago, or just because the king of that particular castle has decided to cut back on IT services which means the already pressed local IT do not have the knowledge, means or urgency to put together a decent build for the users in their organization. The list of potential problems is limitless. But never surprising.
 
Boris Sprinkler's comment regarding "Progress is further slowed by different parts of the organization using different operating systems":

If I recall correctly, based on some things I had seen and read, some organizations were still using Windows NT or XP when (I think it was) 8 came out. Some of the software hospitals were using, couldn't work on updated / upgraded operating systems. The people who created the programs couldn't sort it out to function in a newer environment. This led to facilities figuring out how to completely shutter their internet usage... like lock it down and make sure all builds were up to par, even when Microsoft threatened the end of specific service packs. I think most places are not at least up to Windows 10 because somewhere someone was able to either update the programs or create something completely new (yet compatible to the old system).

Again, I could be wrong.
 
For those asking or thinking about password managers, I can't recommend one enough. I used to use Lastpass but changed to Bitwarden when Firefox changed to Web Extensions and Lastpass stopped working. They're both equally as good and I'd recommend either.

I guess because Lastpass has been hacked (twice I believe), then you might think Bitwarden is a safer choice, but as Chz said up thread, it doesn't matter much.

When I first met my girlfriend I was so sick of her complaining about forgetting her password. It was constantly. Daily. Not the same service, but whatever she happened to need that day and hadn't used in a while. She's not that IT literate so going through the process of resetting her passwords every day or so was really getting to me. I was banging on about password managers for ages, but she resisted. I did too. I didn't think I needed one or didn't see the point. And there are times when they are slightly annoying*, so it's not all good.

But, she got the password manager. And we had a couple of weeks of her asking how does she get x or why doesn't y show up. But then...silence. She's never forgotten a password since, because she doesn't even know what they are. Just like me. I don't know what my Google password is, but I use it every day. It's irrelevant now.

A couple of weeks ago, she was on her laptop doing stuff while I was playing on my phone, and she suddenly said, "You know, Bitwarden has changed my life. Seriously"

I just laughed, tbh, but I understood what she meant.

As well as not needing to know what the password is, the other features that make them good are:

You can share passwords on Bitwarden's paid service. So if you and your partner have a bills account say, and it's in one person's name. You can just share the credentials inside Bitwarden. Now you both have it. If one person changes the password, it's updated for you both.

You can choose arbitrarily complex passwords to meet the requirements of whatever service you're using. Like Google might allow 32 characters, containing spaces, special chars and numbers and letters. But BT might say you can only have 16 and no special chars. etc. When you sign up to a new service, Bitwarden (and Lastpass, IIRC) asks if you want to generate a new password. You set the length, tick the box next to uppercase, tick the box next to special chars, etc and it makes one for you and saves it. It'll remember your option for next time, so you only need to adjust this if you come across a crappy site that doesn't let you have the strong password you want. Most of mine are 20 characters of random nonsense.

Another thing that puts them above browsers is that the passwords are stored on a website that is accessible from any device. So, with Firefox Sync, for example, if you don't have a Firefox browser handy, you can't access your passwords. I don't think you can access them if you're on someone else's computer, either. Whereas I can go to Bitwarden.com and log in and all my passwords are there. I think Apple lets you do this with Keychain, but only from an Apple device, so you're stuck again if you're on Android.

Also, I have all my credit cards saved in Bitwarden. When I go to buy something, I auto-fill the cc field as if it was a password. It's all encrypted on Bitwarden's services, and encrypted locally, so I have no fear about this. My password is very long and is required every time I have a new browser session - even if I stay signed in to the browser.

This all sounds like an ad, I know, but seriously, it's one of the simplest ways to improve your security and it actually makes your online life a little bit more convenient at the same time. And it doesn't have to cost you anything.

*The annoyance is when I have to type my password into something like a TV and it's 20 characters long, and I have to keep switching between different on screen keyboards. Samsung TVs have the worst keyboards I've ever used in my life :mad: Thankfully, these situations are rare, though.
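
Added example, not part of the post above and not Bitwarden's or LastPass's code: a sketch of how a generator of the kind described can honour a site's limits while still drawing every character from a cryptographically secure source. The `SitePolicy` class, the `GOOGLE_LIKE` and `BT_LIKE` policies (built from the post's illustrative numbers, not the real sites' rules) and the `SPECIALS` set are assumptions made for the example.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Constructed set of punctuation for the example (23 characters).
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?"


@dataclass(frozen=True)
class SitePolicy:
    """Hypothetical per-site password rules."""
    max_length: int
    allow_special: bool = True
    allow_space: bool = False


# Constructed policies mirroring the numbers used in the post.
GOOGLE_LIKE = SitePolicy(max_length=32, allow_special=True, allow_space=True)
BT_LIKE = SitePolicy(max_length=16, allow_special=False)


def required_classes(policy, upper=True, digits=True, special=True):
    """Character classes that must each appear at least once."""
    classes = [string.ascii_lowercase]
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if special and policy.allow_special:
        classes.append(SPECIALS)
    return classes


def alphabet_for(policy, **ticks):
    """Full set of characters the generator may draw from."""
    alphabet = "".join(required_classes(policy, **ticks))
    return alphabet + " " if policy.allow_space else alphabet


def generate_password(policy, length=20, **ticks):
    """Random password clipped to the site's maximum length."""
    length = min(length, policy.max_length)
    classes = required_classes(policy, **ticks)
    if length < len(classes):
        raise ValueError("length too short for the ticked character classes")
    alphabet = alphabet_for(policy, **ticks)
    rng = secrets.SystemRandom()  # OS CSPRNG, never the `random` default
    while True:
        # One character from each ticked class, the rest from the full set.
        chars = [secrets.choice(c) for c in classes]
        chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
        rng.shuffle(chars)  # so the guaranteed characters are not always first
        password = "".join(chars)
        # Many login forms trim whitespace, so reject leading/trailing spaces.
        if password == password.strip(" "):
            return password


def entropy_bits(policy, length, **ticks):
    """Upper bound on entropy: length * log2(alphabet size).

    Forcing one character per class removes a small share of candidates,
    so the true figure is slightly lower.
    """
    length = min(length, policy.max_length)
    return length * math.log2(len(alphabet_for(policy, **ticks)))


if __name__ == "__main__":
    for name, policy in (("google-like", GOOGLE_LIKE), ("bt-like", BT_LIKE)):
        pw = generate_password(policy, length=20)
        print(name, len(pw), round(entropy_bits(policy, 20), 1), "bits")
```

Even the restrictive 16-character, no-specials policy leaves roughly 95 bits of randomness, which is why a site's character limits matter far less than reusing a password across sites.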
 
My data has been breached twice according to pwned, in 2019 and 2016. So far nothing too nasty. It's worth being cautious with passwords and having a different password for your email and more sensitive stuff for sure. I use the same generic passwords for most other websites but maybe don't copy me on that :thumbs:
 
For those asking or thinking about password managers, I can't recommend one enough. I used to use Lastpass but changed to Bitwarden when Firefox changed to Web Extensions and Lastpass stopped working. They're both equally as good and I'd recommend either.

I guess because Lastpass has been hacked (twice I believe), then you might think Bitwarden is a safer choice, but as Chz said up thread, it doesn't matter much.

When I first met my girlfriend I was so sick of her complaining about forgetting her password. It was constantly. Daily. Not the same service, but whatever she happened to need that day and hadn't used in a while. She's not that IT literate so going through the process of resetting her passwords every day or so was really getting to me. I was banging on about password managers for ages, but she resisted. I did too. I didn't think I needed one or didn't see the point. And there are times when they are slightly annoying*, so it's not all good.

But, she got the password manager. And we had a couple of weeks of her asking how does she get x or why doesn't y show up. But then...silence. She's never forgotten a password since, because she doesn't even know what they are. Just like me. I don't know what my Google password is, but I use it every day. It's irrelevant now.

A couple of weeks ago, she was on her laptop doing stuff while I was playing on my phone, and she suddenly said, "You know, Bitwarden has changed my life. Seriously"

I just laughed, tbh, but I understood what she meant.

As well as not needing to know what the password is, the other features that make them good are:

You can share passwords on Bitwarden's paid service. So if you and your partner have a bills account say, and it's in one person's name. You can just share the credentials inside Bitwarden. Now you both have it. If one person changes the password, it's updated for you both.

You can choose arbitrarily complex passwords to meet the requirements of whatever service you're using. Like Google might allow 32 characters, containing spaces, special chars and numbers and letters. But BT might say you can only have 16 and no special chars. etc. When you sign up to a new service, Bitwarden (and Lastpass, IIRC) asks if you want to generate a new password. You set the length, tick the box next to uppercase, tick the box next to special chars, etc and it makes one for you and saves it. It'll remember your option for next time, so you only need to adjust this if you come across a crappy site that doesn't let you have the strong password you want. Most of mine are 20 characters of random nonsense.

Another thing that puts them above browsers is that the passwords are stored on a website that is accessible from any device. So, with Firefox Sync, for example, if you don't have a Firefox browser handy, you can't access your passwords. I don't think you can access them if you're on someone else's computer, either. Whereas I can go to Bitwarden.com and log in and all my passwords are there. I think Apple lets you do this with Keychain, but only from an Apple device, so you're stuck again if you're on Android.

Also, I have all my credit cards saved in Bitwarden. When I go to buy something, I auto-fill the cc field as if it was a password. It's all encrypted on Bitwarden's services, and encrypted locally, so I have no fear about this. My password is very long and is required every time I have a new browser session - even if I stay signed in to the browser.

This all sounds like an ad, I know, but seriously, it's one of the simplest ways to improve your security and it actually makes your online life a little bit more convenient at the same time. And it doesn't have to cost you anything.

*The annoyance is when I have to type my password into something like a TV and it's 20 characters long, and I have to keep switching between different on screen keyboards. Samsung TVs have the worst keyboards I've ever used in my life :mad: Thankfully, these situations are rare, though.
How does it all work if you have multiple accounts for things? And use more than one browser but different logins for different accounts on each browser?
And does it do just web based stuff, or also accounts for games on different platforms/launchers (ie. Steam, Bethesda.net, various other game logins).

I just have a lot of gmail/google accounts, I play some browser based games where I have more than 1 account, with 1 account permanently logged in on each browser (Chrome, Edge, Opera), and also MMOs (3 accounts in ESO, again each with a different login ID and password) - can the free version handle my ridiculous mess?
 
In terms of non web logins, it really depends on how it launches the login. A lot of things use the built-in web libraries in Windows/Android/iOS and that can be detected and it will launch the password manager with it. Some don't. And you're stuck either looking it up in a web browser tab or saying "fuck it, it's a game, I don't give a shit" and setting your password to "Jakeyrocksmyworld".

Using different browsers, you can be logged into a different password account in each one, but I don't think any allow being logged into multiple accounts in the same browser.

As for different accounts on the same site, you turn off autofill for that site and you'll have a clickable icon in the login prompt that will offer a menu of all accounts on that site.
 
Using different browsers, you can be logged into a different password account in each one, but I don't think any allow being logged into multiple accounts in the same browser.

not in multiple tabs, but with firefox you can have private window/s open, so one won't know what you're logged in to on the other. not sure how that works with password managers, though.
 
I've heard of "have i been pwned?" before but whether this email is really from them is another matter so i'd be careful clicking links etc.
 
not in multiple tabs, but with firefox you can have private window/s open, so one won't know what you're logged in to on the other. not sure how that works with password managers, though.
This is a completely different topic to password management, IMO, but Firefox has a great feature to handle this situation - container tabs.

Basically, each tab can run in its own isolated environment, which means you can be logged into, for example, different Google accounts on the same browser at the same time. I use it for work, as I mostly use Google docs for work, but never YouTube, Gmail, etc. So I have it set up that whenever I go to sheets.google.com, my "Work" container opens and I'm already logged into my work Google account in the new tab. If I go to youtube.com, it automatically opens in my "Personal" container and I'm logged into my Gmail account.

You can also override this on an ad-hoc basis, by right clicking the link or bookmark, and selecting which container you want to open it in. So if I ever did want to view Youtube on my work account, that's easy to do without messing up my container automation.

Another benefit of this is you can have Facebook in its own container, and only login on the Facebook container. That means you can click links and they open with you already logged in. But if you're on another site, you're not logged in, so FB can't track you with its Like button and embedded pixels.

It's a great feature, and not that well known.

For you Epona, password managers can easily have more than one login, sure. I can't remember how LastPass works, but for Bitwarden, it does a lookup of the URL and compares that with your password vault. If there's a match, it offers to log you in. If there's multiple, you just choose the one you want at that time.

I just checked and I actually have 7 Google accounts. One personal, and various work ones, and some for the clubnight I run. When I go to Google, if I wasn't logged in, I just click the Bitwarden button, and the 7 logins show up. I click the one I want and it auto-fills the username and password for me, just like any browser autofiller.

For multiple browsers with different logins for each you could handle that by renaming the login. Here's my urban login, for example:

1705755759002.png

So if I wanted to login using my firky troll account when on Chrome, but stay as fez909 on Firefox, I can add a second login and change the "Name" bit so I know which one to use. Now, you can manage your cross thread beef really easily without detection. Just go to urban, open Bitwarden and you'll see all your accounts. Select the one that matches your persona and browser for that day, and continue your mission to piss everyone off.

1705755995902.png

So, it's not automatic...but it's easy.

For games etc, it's not quite as handy. There are plugins for all the major browsers to handle web stuff, so that's no problem. And I have an app for Android that detects when I enter a password field on almost every app, and then I get a popup asking if I want to use Bitwarden to fill it. It takes me out of the app, but it's pretty painless. Then I copy the password from the Bitwarden app, press back and paste into the app I'm trying to login to.

For desktop apps, it's not as good. You will have to switch to the browser extension or website, search the vault, click the copy password button and switch back to your app. It's definitely the worst thing about password managers, but it's actually not a big deal. It was this that stopped me using them for years, and then when I finally did switch, I found it wasn't that much of a problem.

I think you'd definitely benefit from container tabs on Firefox, assuming FF can run your games (I find it's slow for some JS stuff). Everyone would benefit from a password manager :)
 
This is a completely different topic to password management, IMO, but Firefox has a great feature to handle this situation - container tabs.

Basically, each tab can run in its own isolated environment, which means you can be logged into, for example, different Google accounts on the same browser at the same time. I use it for work, as I mostly use Google docs for work, but never YouTube, Gmail, etc. So I have it set up that whenever I go to sheets.google.com, my "Work" container opens and I'm already logged into my work Google account in the new tab. If I go to youtube.com, it automatically opens in my "Personal" container and I'm logged into my Gmail account.

You can also override this on an ad-hoc basis, by right clicking the link or bookmark, and selecting which container you want to open it in. So if I ever did want to view Youtube on my work account, that's easy to do without messing up my container automation.

Another benefit of this is you can have Facebook in its own container, and only login on the Facebook container. That means you can click links and they open with you already logged in. But if you're on another site, you're not logged in, so FB can't track you with its Like button and embedded pixels.

It's a great feature, and not that well known.

For you Epona, password managers can easily have more than one login, sure. I can't remember how LastPass works, but for Bitwarden, it does a lookup of the URL and compares that with your password vault. If there's a match, it offers to log you in. If there's multiple, you just choose the one you want at that time.

I just checked and I actually have 7 Google accounts. One personal, and various work ones, and some for the clubnight I run. When I go to Google, if I wasn't logged in, I just click the Bitwarden button, and the 7 logins show up. I click the one I want and it auto-fills the username and password for me, just like any browser autofiller.

For multiple browsers with different logins for each you could handle that by renaming the login. Here's my urban login, for example:

View attachment 409035

So if I wanted to login using my firky troll account when on Chrome, but stay as fez909 on Firefox, I can add a second login and change the "Name" bit so I know which one to use. Now, you can manage your cross thread beef really easily without detection. Just go to urban, open Bitwarden and you'll see all your accounts. Select the one that matches your persona and browser for that day, and continue your mission to piss everyone off.

View attachment 409036

So, it's not automatic...but it's easy.

For games etc, it's not quite as handy. There are plugins for all the major browsers to handle web stuff, so that's no problem. And I have an app for Android that detects when I enter a password field on almost every app, and then I get a popup asking if I want to use Bitwarden to fill it. It takes me out of the app, but it's pretty painless. Then I copy the password from the Bitwarden app, press back and paste into the app I'm trying to login to.

For desktop apps, it's not as good. You will have to switch to the browser extension or website, search the vault, click the copy password button and switch back to your app. It's definitely the worst thing about password managers, but it's actually not a big deal. It was this that stopped me using them for years, and then when I finally did switch, I found it wasn't that much of a problem.

I think you'd definitely benefit from container tabs on Firefox, assuming FF can run your games (I find it's slow for some JS stuff). Everyone would benefit from a password manager :)

Thanks for that! I really need to start using a password manager, I used to be good at remembering lots of passwords but I think those days have gone
 
I used to be good at remembering lots of passwords but I think those days have gone

I can remember some passwords, but there are just too damn many.

hence a system / theme for passwords, so i can write maybe 2 or 3 characters down (i have an address book for that purpose) and will know what that means.

there is a risk of someone nicking the address book, but the chances of that person understanding the relatively obscure theme is fairly remote.

except for bloody stupid 'strong' passwords that have been generated by other people and you can't change - i have one (for a work thing) that's in the format 1ABcDEfg which there's no possible way to remember other than write it down in full somewhere...
 
I'm aware of Have I Been Pwned and have checked on their website occasionally.

Think the simple question is whether you have signed up for their notify service, which appears to be a thing.

If you have, this might be genuine. If you haven't, it's definitely not legit.

Your e-mail address being on there doesn't necessarily mean your e-mail account is compromised, it can just mean that somewhere you have used that e-mail address as part of your sign in has been.

Changing the password on your e-mail account won't do any harm, though.

And (at the possible risk of stating the obvious) if you use the same combination of e-mail address and password to sign in to multiple online things, that's not a great idea, as if one has a security breach, there's a chance that someone might try the same combination on other sites. I have a system for passwords, but don't think i use the exact same one on multiple sites.
The other day I was talking about security with my grandson, he was wary of giving bank details. I just stopped myself from saying 'Have you never written a cheque?'. :D
 
Boris Sprinkler's comment regarding "Progress is further slowed by different parts of the organization using different operating systems":

If I recall correctly, based on some things I had seen and read, some organizations were still using Windows NT or XP when (I think it was) 8 came out. Some of the software hospitals were using, couldn't work on updated / upgraded operating systems. The people who created the programs couldn't sort it out to function in a newer environment. This led to facilities figuring out how to completely shutter their internet usage... like lock it down and make sure all builds were up to par, even when Microsoft threatened the end of specific service packs. I think most places are not at least up to Windows 10 because somewhere someone was able to either update the programs or create something completely new (yet compatible to the old system).

Again, I could be wrong.

I believe it still happens. Because if it's a multi million pound machine you don't just replace it because there is a new OS.
 
Fez909 - your #35 and #41 comments make a lot of sense. Very detailed explanations on Bitwarden & lol at your girlfriend finally giving in and using / loving it. The multiple tab / instances environment (container) in Firefox sound amazing. That's a lot of work you've done to create various containers for everything and it makes sense to do it that way, especially for the people working remotely on their personal devices. I've tried Firefox back in the day and keep going back to Chrome. If I ever go back to FF, I'll check out your instructions! :thumbs:

The other day I was talking about security with my grandson, he was wary of giving bank details. I just stopped myself from saying 'Have you never written a cheque?'. :D

I've found way too many people around my age (I'm 40) and younger, stepping away from writing checks. I might be the only one out of my friends who does write, as any bill paying person I know, is on auto pay with everything. Or, they have the transfer / sharing apps to pay for everything (Venmo, etc).

Quite honestly, I think the sharing apps are just as unsafe as worrying about someone hacking a password because the sender can always maliciously make something up (i.e. fraud / it wasn't them who sent the money) and the person receiving the amount gets screwed.

A woman explained that exact scenario to me one day while explaining why the cash app was so amazing. She said the down side is someone could call the bank and cancel, saying it wasn't them, etc. The problem is, this woman was trying to buy something from me at a yard sale and wanted to use the cash app! She did herself no favors for it, as I said "cash only, please. I don't use the apps" and she walked away because I didn't accept her form of payment.


"And if you'll just confirm your signature with the three-digit code on the back of your credit card ..."

That's the other problem - websites always asking for the three-digit code on the back of the card. Even sites I trust, I'm contemplating it, but you have to provide it in order to continue. It's a risk, but luckily for me, it hasn't been a problem to date since I don't use my card online in a lot of places.

Then again, this is also why the older generation that is online, is split between writing checks and using web payments. Those who are "hip" enough to get around the internet with no worries, normally have no issue providing bank details online to pay for things. Those who still write checks and are leery, well, they're still writing checks and complaining to their friends about the potential problems of relying on the internet for everything (I've seen it with my mother and her group of people).

I believe it still happens. Because if it's a multi million pound machine you don't just replace it because there is a new OS.

I'm not surprised if it does still happen. You're right - multi million dollar machine can't be replaced just because a new OS came out.

I'm actually seeing something similar at work at the moment. The company bought 90 laptops because IT is trying to get off specific networks (Citrix) and servers (I think one is external) and have everyone on the same system / environment / internal hub. So remote people have to go buy very specific laptops (if they're out of state. The in state people have to pick it up) while in-house people are given the ones at their desk. I don't know how the remote people will log in to a secure system on these laptops because there's no secure environment to get in to, from what I've heard and seen. I haven't gotten my laptop yet, so I don't know all the details. But, the other main reason behind getting new computers is because everything is so fast and clean and we all should have no problems getting our work done.

I didn't know people were complaining about anything on the company computers. The only complaints I know about deal with the two specific cloud based programs we use but that's not something installed on our machines. It's all browser related and most of the problems are due to issues on that company's end, not ours (things are tweaked or changed) and we have no superfluous software / bloatware to deal with on our end. We pay big bucks for one of the online programs since it's our phone stuff... all VoIP and is finicky at best. Higher ups refuse to find something better so we suffer through it. The other program, I don't know what the higher ups pay for it because it's not only a field specific branded website, it's got plenty of add-ons that we never seem to use.

Meh... Sorry; got off topic!
 
My data has been breached twice according to pwned, in 2019 and 2016. So far nothing too nasty. It's worth being cautious with passwords and having a different password for your email and more sensitive stuff for sure. I use the same generic passwords for most other websites but maybe don't copy me on that :thumbs:


I do the same, I have secure passwords for sensitive and financial sites but cycle through half a dozen others for don’t care sites
 