[HN Gopher] Two billion email addresses were exposed
Two billion email addresses were exposed
Author : esnard
Score : 589 points
Date : 2025-11-06 20:20 UTC (1 days ago)
(HTM) web link (www.troyhunt.com)
| gausswho wrote:
| Amidst all of these pwnings, we still don't have a standard way
| to update our passwords from our password managers automatically.
| throawayonthe wrote:
| if we could have standardization like that, we wouldn't need
| passwords
| phoronixrly wrote:
| We also wouldn't be having an issue with password leaks as I
| expect it would be simpler to move on to passkeys (or
| something else) than implementing a standard way of password
| rotation...
| XorNot wrote:
| Except passkeys are an opaque, awful solution.
|
| They're hard to explain to users, the implementations want
| to lock people to specific devices and phones, you can't
| tell someone a passkey nor type it in easily over a serial
| link or between two devices which don't have electronic
| connectivity.
| NetMageSCW wrote:
| With the right apps, passkeys can be synced across
| devices (e.g. iCloud Keychain or 1Password).
| bl4ck1e wrote:
| If there was a standard, do you know how long it would take to
| get adopted across the interwebs?
| DANmode wrote:
| 10 years.
| goalieca wrote:
| I feel like we missed the chance to have a standard http
| resource for this stuff.
| berkes wrote:
| yes!
|
| It's a shame, IMO, that the Basic Auth never got updated or
| superseded by something with a better UX and with modern
| security.
| mbesto wrote:
| Passkeys essentially solve this, however they are not backwards
| compatible. If they were backwards compatible (e.g. an
| automated way to change passwords) then you might as well just
| enable Passkey as a replacement. That's the conundrum.
| worldfoodgood wrote:
| The downside to having many vanity urls and giving out a unique
| email address to each website you visit is that you cannot use
| haveibeenpwned without paying (despite being a single human). I
| have no idea how many email addresses I've given out over the
| years, probably hundreds across at least 6 or 7 domains, and they
| want to charge me a monthly fee to see which of those have been
| pwned.
|
| I understand they gotta make a buck, but I find it interesting
| this is the first real negative to running a unique email address
| per company/site I work with.
| SoftTalker wrote:
| Just assume they have all been exposed.
|
| Email addresses are not secrets under any stretch of the
| meaning of that word.
| worldfoodgood wrote:
| It's not the email address itself that I care about, and
| that's not the service that the site provides. It tells you
| for which email addresses a related password has been pwned.
| EvanAnderson wrote:
| I'm in the same boat. I track all of the unique addresses I use
| (via my password manager) so I guess I could just check them
| all against HiBP's database. Kind of a pain in the ass, though.
| warkdarrior wrote:
| My password manager (Bitwarden) does that automatically.
| EvanAnderson wrote:
| I use Bitwarden with a Vaultwarden server so I have some
| familiarity. Bitwarden checks new passwords against HiBP.
| I'm not aware of functionality where it can retroactively
| check old email addresses or passwords to see if they're
| included in a breach.
| lern_too_spel wrote:
| It's under Reports: https://bitwarden.com/help/reports/
| EvanAnderson wrote:
| Ahh, okay. I assume that's a part of the Bitwarden
| offering, presumably happening server-side. I'm just
| using their official client w/ a Vaultwarden server.
| jorams wrote:
| It is also available in the Vaultwarden web interface
| (which is just a rebranded Bitwarden web interface).
| Beijinger wrote:
| enpass.io does this automatically if you selected the option.
| mindslight wrote:
| Me too. It _used to_ work for whole domains. Then I guess the
| limit was added as part of some kind of monetization push. I
| don't derive enough value to pay for a monthly subscription
| any time it occurs to me to check, nor figure out how to
| check addresses one-by-one programmatically. So the site is
| basically dead to me now. It's a shame because there were a
| few breached lists where people were speculating on where
| exactly they came from, and I was able to add to the
| discussion based on which of my tagged addresses were in the
| list.
| EvanAnderson wrote:
| I've had that experience re: my personalized addresses
| being used to more closely identify the source and time of
| a breach. When I start getting spam to one of my
| personalized addresses I'll usually reach out to the party
| for whom the address was created to let them know. Usually
| I get treated like a crank but occasionally I get somebody
| who understands and appreciates the help.
| huijzer wrote:
| Isn't the idea that you don't need haveibeenpwned since you'll
| see mails coming in and then know your details have leaked?
|
| For ID fraud, more than an email address has to be leaked.
| worldfoodgood wrote:
| Have I been pwned will tell me if the associated password for
| that site leaked. I create unique passwords per site, but
| let's say my mastercard login gets pwned -- that'd be one I
| want to change the password for right away.
|
| I might not get an email if someone gets that account info.
| dpoloncsak wrote:
| In theory, I agree.
|
| In practice, anything that high-profile will be plastered
| all over every tech news site, Twitter, Reddit, probably
| even the news. It would be difficult for MasterCard/Visa to
| have data leaks, even just email/pass, fly under the radar
| (I imagine...)
|
| Oracle _tried_ to cover up a data leak, and it didn't go
| great. Oracle touches nowhere near as many everyday people
| as MasterCard does.
| kccqzy wrote:
| The domain search feature on haveibeenpwned is/was free. I
| registered my domain on haveibeenpwned back in 2017 and I got
| two emails about breaches, one in 2020 and another in 2022. I
| did not pay.
| EvanAnderson wrote:
| It tells you that an address in your domain has been included
| in a breach. It doesn't tell you which address was included.
| That's what the OP and I are opining about.
| osculum wrote:
| It does. I just checked mine today. I can see exactly which
| individual email addresses in my domain were exposed and
| in which data leak. I have never paid for it.
| EvanAnderson wrote:
| Interesting. I'd love to see where you're seeing that.
| I'll go poke at the site a little more.
|
| Edit: When I try to do a domain search I get told:
|
| > Domain search restricted: You don't have an active
| subscription so you're limited to searching domains with
| up to 10 breached addresses (excluding addresses in spam
| lists).
|
| My domain has 11 breached addresses.
| osculum wrote:
| I log in. Click on Business -> Domains. Then click on the
| looking glass under "Actions" on my domain. I can there
| see all my addresses and Pwned Sites.
|
| But I think you are right, because I only have 3 breached
| addresses under my domain (I do see the 10 addresses
| wording under subscriptions).
| toast0 wrote:
| Yep, if you have the good fortune of having many breaches
| while using companyname@example.org, the service requires
| that either you pay up or you have to guess and check.
|
| I understand, but it's frustrating.
| username44 wrote:
| I wasn't aware of this feature, but can confirm. Just tried
| and it is free.
|
| Log into dashboard, under business there is a domains tab.
| Enter your domain there and verify ownership. Didn't ask for
| payment.
| chinathrow wrote:
| But I can't find the old list of what address was affected
| where. I only see my own address.
| worldfoodgood wrote:
| I have 15 pwned email addresses. It's free for under 10.
| worldfoodgood wrote:
| It is only free if you have fewer than 10 pwned addresses.
| ekjhgkejhgk wrote:
| I don't understand... The password is the secret, right? If
| your mastercard login ends up in some breach, your password is
| protecting you. With or without vanity URLs, if you have
| strong passwords you'll be fine.
| XorNot wrote:
| Cybercrime has a logistics pipeline.
|
| Harvesting potential targets is one part of it i.e.
| establishing someone was using an email address is the entry
| point. There's a lot of emails, so associating them to any
| particular website is right near the start. Establishing that
| they're _active_ increases their value further.
|
| The people responding to Troy here for example are
| technically doing that: they clearly monitor the email or
| still use it, so addresses which respond go up in value.
| guelo wrote:
| I have the more typical one email used with hundreds of
| passwords on many websites. haveibeenpwned is also useless for
| me, it will tell me that my email was compromised but not which
| sites or passwords. I guess I could check each password
| individually, hope each password is globally unique to me, and
| then try to match it back to the website where I used it so I
| can change the password.
| NetMageSCW wrote:
| If you don't know which web site uses a particular password,
| how do you ever login to that website?
| worldfoodgood wrote:
| Reread the parent post more closely. It does not tell them:
| A) which site nor B) which password.
|
| The parent can log in because they have a map of
| site<->password. But without either the site or the
| password, the notification that an email address is
| compromised is useless.
| TZubiri wrote:
| You need a domain, and possibly a paid mail provider with catch
| all support.
|
| So cost was always part of this strategy.
| worldfoodgood wrote:
| I have those things? Did you miss the part where I have
| multiple vanity URLs and hundreds of email addresses? Of
| course I have a paid mail provider and catch all. The problem
| is the cost of haveibeenpwned is too much for me as an
| individual.
| ycuser2 wrote:
| The problem with catch-all inbox is when you have to reply to
| an email. Then you have to create the email address to be
| able to send emails from it. Or are there other solutions?
| joshka wrote:
| Troy's response [1] on this use case from a couple of years ago
| was that you should buy a monthly fee and then cancel it.
|
| [1]: https://www.troyhunt.com/welcome-to-the-new-have-i-been-pwne...
| joe5150 wrote:
| It's honestly very hard to even care at that scale.
| imgabe wrote:
| My data was exposed in one of the Facebook leaks and it turned
| out I had an old email on my Facebook account with a domain I had
| since let lapse and abandoned. Someone else registered the domain
| and tried to take over my Facebook account by sending a password
| reset request using it. Luckily I had 2FA and I guess Facebook's
| fraud alerts picked it up so it wasn't successful.
|
| I guess what I want to say is beware that even something as
| innocuous as an email being leaked can cause problems, and make
| sure you delete any unused addresses from your accounts!
| esafak wrote:
| What a lot of work to capture one account.
| twodave wrote:
| I can think of a lot of ways that would be worth it.
|
| * blackmail the account owner
|
| * make up an illness, create a donation page and get all
| their friends to donate
|
| * find all connections over a certain age and disguise a
| phishing vector as literally anything!
|
| * so many more
| morshu9001 wrote:
| A real FB account with real friends who trust it (and are
| rich) is worth a lot
| guywithahat wrote:
| Which is incredible because it means they paid to get the
| domain and try to access that account. I can't imagine why
| anyone would care that much about your Facebook (assuming
| you're not someone who's especially influential) and yet here
| we are
| giobox wrote:
| One of the drawbacks of using a custom domain for personal
| email is you essentially have to pay for it for life, otherwise
| anyone can just buy your old email address if the domain
| expires and start receiving mail, resetting accounts... I think
| some folks don't fully consider this consequence when setting
| up a fun vanity email address or similar etc, especially now
| both iCloud and gmail have made it so trivial to link a custom
| domain.
| hn_acc1 wrote:
| Conversely, if yahoo/google ever stop offering free email,
| I'll probably end up paying them much higher prices to keep
| going for a bit until I can transition.
|
| If either ever stop period, especially one day to the next,
| FML...
| digisign wrote:
| Accounts can most often be closed or deleted permanently when
| one wants to stop or move. Some can change your address.
| giobox wrote:
| Speaking for myself, the "blast radius" of my email address
| is some 600+ accounts... (just looking in my password
| manager). The chances of me sitting down and closing every
| single one are non-existent. Many won't even have the
| luxury of having diligently tracked their login accounts in
| a password manager either.
|
| Just having a family, kids, bills, schools, jobs, credit
| cards, banks, investments, insurance, shopping etc etc -
| the number of accounts many of us pick up can easily get
| into the hundreds.
| zwnow wrote:
| Can anyone enlighten me why an exposed email address is an issue?
| I get it if it's some kinda admin@foo.com but my private mail, why
| would I care? It's not like they have my password?
| dylan604 wrote:
| Until they figure out the password to that email and then take
| over everything else in your life. They are not collecting
| email addresses because they are useless.
| worldfoodgood wrote:
| > Oh - and 1.3 billion unique passwords, 625 million of which
| we'd never seen before either.
|
| It's not just email addresses. It's address + password combos.
|
| But also, how did 2 billion email addresses get exposed?
| Assuming I give an email address to a company (and only that
| company) if someone gets access to that email address they
| either got it from me or that company. Knowing the company has
| sold, lost, or poorly protected my email address tells me they
| are maybe not worth working with in the future.
| zwnow wrote:
| Yea a combo is more problematic, I could see why that's an
| issue. Most important stuff in my life has 2FA with my phone
| thankfully. My banking password got breached like 3 years ago
| and I still didn't change it... nothing ever happened. I am
| guessing tech companies that could have huge negative
| influence on your life should have additional security
| measures in place, like not allowing a login from a different
| country unless some kinda mobile code is provided or stuff
| like that. I'm pretty naive with all that tbh.
| buzer wrote:
| > But also, how did 2 billion email addresses get exposed?
|
| The list contains emails which have been part of some other
| breaches. In my domain I have 2 emails that were exposed that
| weren't my normal email address. One of them was a typo that
| I used to sign up for one service which was later breached. The
| other one was something someone used to register to a service
| that I have never used & that service was later breached.
| Those emails have never been used for anything else as far as
| I'm aware.
|
| Of course judging from what was posted there are likely some
| other services as well which were breached but weren't
| noticed/published until now.
| santiagobasulto wrote:
| Could lead to massive impersonation attempts. All the folks
| here on HN are probably very tech savvy, so we'll likely have a
| strong password + 2FA. But mom and pops that just got their
| email addresses leaked? Probably not. So they might start just
| trying out a rainbow table of common passwords and getting
| access to people's emails. Once you're there getting to home
| banking and other privileged resources is not hard.
| 295fge wrote:
| Troy Hunt's brand is to exaggerate secret risk.
| elorant wrote:
| One reason is spam. The other is that in many cases passwords
| are leaked too.
| ddxv wrote:
| Yeah, I agree. I consider them like public keys or IPs.
| clickety_clack wrote:
| It's not the email address itself that's important, it's that
| the email address is a key identifying users in data breaches.
| The email addresses are presumably linked to breaches of PII or
| passwords etc.
| zkmon wrote:
| I think we should stop seeing email address as a secret or
| something that can be "stolen". Password? Who is still storing
| passwords on their servers, instead of a hash?
| gretch wrote:
| Given enough time, hashes are reversible via brute force.
|
| If the attacker steals the entire password table undetected,
| they have a large amount of time to generate soft collisions.
| After all they don't need to hack any particular account, just
| some 50% of the accounts.
|
| The time can be increased by some coefficient via salting, but
| the principles remain the same.
| MattSteelblade wrote:
| For password hashing, only short-output or broken hash
| functions have practical collision concerns. The odds of any
| random collision with a 256-bit hash, and not with a specific
| hash, is 50% at 2^128 inputs. Salting is a defense against
| precomputation attacks like rainbow tables and masking
| password reuse. Attackers crack password dumps by trying
| known password combinations, previously compromised
| passwords, brute force up to a certain length, etc. and using
| the hashing algorithm to compare the output.
| berkes wrote:
| A _lot_ of companies and services are storing _unsalted hashes_
| of passwords. Which is not much better than storing plain-text
| passwords.
|
| It's becoming less common, and even languages with a "strong
| legacy body" like PHP have sane defaults nowadays, but I do see
| them around when I do consultancy or security reports.
|
| "Never fix something that ain't broken" also means that after
| several years or a decade or more, your "back then best
| security practices" are now ridiculously outdated and insecure.
| That Drupal setup from 2011 at apiv1docs.example.com could very
| well have unsalted hashes now. The PoC KPI dashboard that long
| gone freelancer built in Flask 8 years ago? Probably unsalted
| hashes. And so on.
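The two comments above (unsalted hashes being "not much better than plain text", and salting as a defense against precomputation rather than against collisions) can be shown concretely. The following is an added example, not code from the thread or from any product named in it; the user table and the "known passwords" list are constructed sample data, and the salted scheme uses PBKDF2-HMAC-SHA256 from the Python standard library.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Optional

# Constructed sample user table (not real data); three users share one weak password.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "correct horse battery staple",
    "carol": "123456",
    "dave": "123456",
}

# Constructed stand-in for a previously leaked password corpus: the kind of list
# that gets hashed once and then reused against every unsalted table.
KNOWN_PASSWORDS = ["password1", "123456", "qwerty", "letmein"]


def store_unsalted(password: str) -> str:
    """Legacy scheme: one fast, unsalted hash. Equal passwords give equal digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt; record is "iterations$salt$hash"."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, hash_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)


def shared_values(table: dict) -> int:
    """Count stored values that more than one user shares. With unsalted hashes,
    everyone who picked the same password is visibly grouped together."""
    counts: dict = {}
    for value in table.values():
        counts[value] = counts.get(value, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


def precomputed_lookup_hits(table: dict) -> list:
    """Users whose stored hash matches a digest computed once from KNOWN_PASSWORDS.
    Against an unsalted table that one precomputation transfers directly; against
    a salted table the stored hash depends on a per-user salt, so it finds nothing."""
    lookup = {store_unsalted(p) for p in KNOWN_PASSWORDS}
    hits = []
    for user, value in table.items():
        digest = value.split("$")[-1]  # salted records carry the hash in the last field
        if digest in lookup:
            hits.append(user)
    return sorted(hits)


def compare_schemes() -> dict:
    """Build both tables from SAMPLE_USERS and report what each one reveals."""
    unsalted = {u: store_unsalted(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: store_salted(p) for u, p in SAMPLE_USERS.items()}
    return {
        "unsalted_shared_values": shared_values(unsalted),
        "salted_shared_values": shared_values(salted),
        "unsalted_lookup_hits": precomputed_lookup_hits(unsalted),
        "salted_lookup_hits": precomputed_lookup_hits(salted),
        "salted_verify_correct": verify_salted("123456", salted["alice"]),
        "salted_verify_wrong": verify_salted("654321", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The iteration count is a tunable cost; a real deployment would pick it (or a memory-hard KDF such as scrypt or Argon2) according to the server's hardware budget.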
| elric wrote:
| It's not about the email addresses themselves. Those are just
| the identifier by which things can be discovered on
| haveibeenpwned. The point is that when email addresses are
| stolen/leaked, they're usually accompanied by passwords,
| addresses, CC information etc.
|
| In some cases the email address combined with the name of that
| site that leaked it can be enough to get people in trouble.
| E.g. "niche" dating sites.
| hirvi74 wrote:
| I have really started to use the 'Hide my email' feature from
| iCloud. It's been so nice. If an email gets pwned, which often
| happens from a service I stopped using many moons ago, then I
| just deactivate or delete the email address. I imagine many other
| services provide this feature as well, but it's what's most
| convenient for me at this time.
| rkagerer wrote:
| Can anyone recommend a good third party service that provides
| similar functionality and a great user experience?
|
| For those of us who don't want to entrust this to Apple and
| who'd like to use our own domain?
| hylaride wrote:
| There are several options to choose from, but most data
| brokers will know that small custom domains go back to a
| certain or small group of people.
|
| That being said, this is a good list:
|
| https://www.reddit.com/r/privacy/comments/108wzvg/what_is_th...
|
| Not sure I trust the longevity of some of them, though. I do
| use https://temp-mail.org/en/ or other similar services for
| some logins for some services I'm not afraid to lose access
| to, though (especially for places likely to spam me).
| sdfhbdf wrote:
| addy.io
| jlund-molfese wrote:
| Post should've been titled "1.3 billion passwords were exposed",
| because, even though the number is slightly smaller, it actually
| represents something much more important.
| layer8 wrote:
| The number of passwords is probably smaller. ;)
| bobmcnamara wrote:
| ~1.3e9 passwords, ~1.9e9 (account, password) tuples, if I
| understood
| elric wrote:
| The joke, presumably, was that many people share the same
| shitty password (e.g. 123456, password1, etc).
| naet wrote:
| There have been enough data breaches at this point that I'm sure
| all my info has been exposed multiple times (addresses, SSN,
| telephone number, email, etc). My email is in over a dozen
| breaches listed on the been pwned site. I've gotten legal letters
| about breaches from colleges I applied to, job boards I used, and
| other places that definitely have a good amount of my past
| personal information. And that's not even counting the "legal"
| big data /analytics collected from past social media, Internet
| browsing, and whatever else.
|
| I now use strong passwords stored in bitwarden to try to at least
| keep on top of that one piece. I'm sure there are unfortunately
| random old accounts on services I don't use anymore with
| compromised passwords out there.
|
| Not really sure what if anything can be done at this point. I
| wish my info wasn't out there but it is.
| kccqzy wrote:
| Addresses? Most of the time addresses are a matter of public
| record. I have used https://www.fastpeoplesearch.com/ a couple
| of times to search for people's addresses and it really works.
| One day a close friend excitedly told me she bought a new house
| and I told her the address before she told me about it.
|
| Telephone number? There used to be phone books. And I still
| instinctively think they should be public.
| animex wrote:
| I think the headline is a bit vague, it includes passwords as
| well. Does anyone know if Troy's HIBP'd site reveals the
| passwords to verified users? I'd like to know if my current
| or what generation of passwords has been breached to evaluate
| if I have a current or past problem with my devices.
| birdman3131 wrote:
| They do not want to have such a list as it makes them a
| target.
|
| What they do have is a searchable password list not
| connected to any usernames.
| NoahZuniga wrote:
| *searchable list of password hashes
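The "searchable list of password hashes" is queried with a k-anonymity range lookup: the client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range, and matches locally, so neither the password nor its full hash leaves the machine. This is an added example, not code from the thread, Bitwarden or HIBP; `SIMULATED_CORPUS` and `simulated_fetch_range` are a constructed offline stand-in for the public range endpoint, and `live_fetch_range` is the network version for readers who want to run it for real.

```python
from __future__ import annotations

import hashlib
from typing import Callable, Dict, List, Tuple
from urllib.request import Request, urlopen

# Constructed stand-in for the breach corpus (password -> times seen) used by the
# offline simulator below. Not real Pwned Passwords data.
SIMULATED_CORPUS: Dict[str, int] = {"password1": 3, "123456": 7, "letmein": 1}


def sha1_hex(password: str) -> str:
    """Pwned Passwords indexes passwords by upper-case hex SHA-1."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the 5-character prefix ever leaves the client."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse "SUFFIX:COUNT" lines; padding entries with count 0 are dropped."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count or 0)
        if n > 0:
            table[suffix.upper()] = n
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Times the password appears in the corpus; the suffix match happens locally."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def breach_count_audited(password: str, fetch_range: Callable[[str], str]) -> Tuple[int, List[str]]:
    """Same check, also returning exactly what was sent to the server."""
    sent: List[str] = []

    def spy(prefix: str) -> str:
        sent.append(prefix)
        return fetch_range(prefix)

    return breach_count(password, spy), sent


def simulated_fetch_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint: returns the suffix of every corpus
    hash sharing the prefix, plus one zero-count padding line a client must ignore."""
    if len(prefix) != 5:
        raise ValueError("range query must be exactly 5 hex characters")
    lines = []
    for pw, count in SIMULATED_CORPUS.items():
        p, s = split_hash(pw)
        if p == prefix.upper():
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # constructed padding entry
    return "\r\n".join(lines)


def live_fetch_range(prefix: str) -> str:
    """Network version against the public endpoint (not exercised offline)."""
    req = Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    for pw in ("password1", "correct horse battery staple"):
        count, sent = breach_count_audited(pw, simulated_fetch_range)
        print(f"{pw!r}: seen {count} time(s); sent only {sent}")
```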
| lotsofpulp wrote:
| Addresses can lead you to public land and mortgage records,
| and phone numbers can lead you to names and addresses. I
| assume everyone can easily find that out about me once they
| know my name/phone number.
| Cthulhu_ wrote:
| An address can be dangerous if it's e.g. a social network
| site or blog, anywhere where you post under an alias. People
| make enemies, have stalkers, or say things online that
| certain regimes don't like. Granted, this is only really a
| thing for a minority, but if a minority isn't safe, nobody
| is.
| coleca wrote:
| I was thinking the same thing. Can you imagine the headline?
|
| "Forget Hackers! Phone Company Delivers Your Private Info--
| Including Your Home Address--Directly to Strangers!"
| skinkestek wrote:
| > Telephone number? There used to be phone books. And I still
| instinctively think they should be public.
|
| I used to think the same. Around here I feel until a few
| years ago most people I knew with secret phones were people I
| would prefer to have fewer interactions with: people who
| frequently got into trouble, tried to scam others etc.
|
| These days I'm more in the camp of layered security. Whatever
| I can do to make it harder for an attacker, the better.
|
| > I have used https://www.fastpeoplesearch.com/ a couple of
| times to search for people's addresses and it really works.
|
| Tangential:
|
| Sorry, you have been blocked You are unable to access
| fastpeoplesearch.com
|
| (Safari on a stock iPhone, mobile broadband from the biggest
| and most well known telecom company in my country, ipv6
| address.)
| kulahan wrote:
| I was in the military. China stole my freaking _DNA profile_.
| I've given up on worrying about this stuff.
| rdl wrote:
| Even better "please give us all the things which could be
| used by a foreign power to blackmail you, or apply pressure
| to relatives or other close contacts" and then poorly secure
| that database.
| smsm42 wrote:
| Those are the same guys who told us we must give them
| backdoor keys to every encryption algorithm, because
| nothing can go wrong with it and otherwise terrorists win.
| harvey9 wrote:
| Gonna be a very weird day for you when China's clone army
| invades us.
| rafabulsing wrote:
| If nothing else, I guess one should at least be kinda proud
| that of all stolen DNAs, yours is the one they end up
| making a clone army out of.
| kulahan wrote:
| 5,000,000 Kulahans invading America would not be very
| effective thus I have defeated China myself, no thanks
| are necessary.
| WaitWaitWha wrote:
| The number of years I got "free credit monitoring" I can pass
| it down to my children . . .
| Aeolun wrote:
| I feel like only in the US is credit monitoring something
| sold as an optional service.
|
| I got a confirmation mail from System76, because apparently
| they feel the need to validate my credit card can't be used
| without my approval, but my bank does this by default...
| tredre3 wrote:
| Credit monitoring has nothing to do with Credit Cards.
|
| Most banks in America indeed do offer (for free) the
| option to be notified for each transaction if you want.
| enjaydee wrote:
| Wow! Didn't hear about this. What test did you get done? I'm
| hoping it wasn't whole genome or exome?
| kulahan wrote:
| It wasn't an actual DNA test, but the military takes blood
| samples of every recruit. I'm referring to this hack:
|
| https://en.wikipedia.org/wiki/Office_of_Personnel_Management...
|
| edit: the relevant text is below
|
| > The data breach compromised highly sensitive 127-page
| Standard Form 86 (SF 86) (Questionnaire for National
| Security Positions).[8][18] SF-86 forms contain information
| about family members, college roommates, foreign contacts,
| and psychological information. Initially, OPM stated that
| family members' names were not compromised,[18] but the OPM
| subsequently confirmed that investigators had "a high
| degree of confidence that OPM systems containing
| information related to the background investigations of
| current, former, and prospective federal government
| employees, to include U.S. military personnel, and those
| for whom a federal background investigation was conducted,
| may have been exfiltrated."
| esseph wrote:
| DNA, blood type, fingerprints, and anything else on your
| background checks...
|
| They even got my kids' Social Security numbers.
| ifwinterco wrote:
| DNA is actually almost impossible to keep secret if someone
| really wants it - you basically shed your entire DNA every
| time you touch anything
| InitialBP wrote:
| That is awful, but it doesn't lessen the impact of someone
| who right now has access to your email and/or other accounts.
| China having your DNA profile is not nearly as impactful as
| someone actively stealing your identity and potentially
| ruining your finances. Use 2FA everywhere, and if your email
| is in this list, you should change your password.
| eyeundersand wrote:
| +1 for Bitwarden. It is literally the best solution out there.
| Been getting to increase uptake in personal circles with (very)
| limited success. The wife keeps trying to convince me that the
| ship has sailed in trying to protect info online. She's
| probably right.
| stronglikedan wrote:
| > Bitwarden
|
| Best when paid for so you can do 2FA with TOTP codes!
| troyvit wrote:
| I self-host through Vaultwarden but I think I miss this.
| Besides, I feel like paying these guys anyway just for the
| great product. We use 1Password at $dayjob and it's so
| primitive by comparison.
| shinypants wrote:
| What is lacking in 1Password by comparison? I pay for a
| family plan but maybe I should switch next year.
| troyvit wrote:
| Here are the things that get me, and maybe it's because I
| haven't configured it well yet.
|
| 1. On Firefox first start-up is slow after unlocking to
| actually find a password for a site. The interface says,
| "No logins for xyz.com" for maybe 5 seconds before the
| login loads.
|
| 2. Along those lines when I open it first thing in FF the
| box for its password isn't focused and I have to click
| it.
|
| 3. The keyboard combo to open it also only works in
| Chrome.
|
| 4. To add a new login I have to go to the site. I haven't
| figured out how to do it from within the plugin.
|
| 5. We get alerts at least once a week about service
| disruptions but they don't seem to actually affect me.
|
| 6. I like Bitwarden's command line tool but I bet
| 1Password has something at least as good that I haven't
| found yet.
| jnrk wrote:
| Really? I find it to be the complete opposite.
| nagisa wrote:
| TOTP works with vaultwarden.
| NetMageSCW wrote:
| 1Password supports TOTP?
| sam345 wrote:
| Yes definitely. Works great.
| troyvit wrote:
| Oh cool! I'll have to dig into it.
| sam345 wrote:
| How is 1Password primitive? It does TOTP. It integrates
| with TPM in Windows Hello. It does SSH keys and has its
| own agent which is a huge help. Its sync is nearly
| instantaneous. It handles multiple accounts with ease.
| chinathrow wrote:
| Is this sarcasm?
| smsm42 wrote:
| It costs $10/year, so there's really no reason to not pay
| for it.
| antiframe wrote:
| I have two reasons not to pay for it: 1) Aegis is free.
| 2) I'd rather not have my second factor be stored in the
| same database as my first factor.
| Aeolun wrote:
| You can just not store the TOTP tokens in Bitwarden? I
| don't see how this is an argument against.
| antiframe wrote:
| If I only store passwords in Bitwarden, not TOTP tokens,
| then I don't have to pay for it. So, it's an argument for
| spending less money while being more secure.
| Yodel0914 wrote:
| I've never paid and Bitwarden does 2FA/TOTP for me?
| Koffiepoeder wrote:
| The moment you put TOTP in Bitwarden it is no longer a
| 'second factor'. Pretty bad security advice to be honest.
| Better to use hardware tokens or a secure phone (with
| enclave) instead (never SMS though).
| Aeolun wrote:
| I think it's mostly nice for places that require TOTP but
| don't actually rate carrying around/plugging in a yubikey
| for.
| Marsymars wrote:
| In most cases a true second factor isn't really what any
| involved party cares about.
|
| My bank (I mean, they use SMS, but pretend they use TOTP)
| just care about not having to spend money on support
| because I used "password1!" as my password for every
| account and lose all my money.
|
| I just want to log in to my bank.
|
| If I've got a long, random, unique, securely-stored
| password, I don't actually care about having a second
| factor, I'm just enabling TOTP so that I don't have to
| copy/paste codes from my email or phone.
| ratherbefuddled wrote:
| > If I've got a long, random, unique, securely-stored
| password, I don't actually care about having a second
| factor
|
| I'm not comfortable with my entire online identity being
| protected by a single line of defence which is a company
| that I'm paying a few dollars a month to. Not having to
| type 6 digits off a phone is a pretty minor convenience
| for me.
| Marsymars wrote:
| Do you then avoid syncing any passwords to your phone to
| avoid having your two factors in the same place? (And
| similarly, avoid syncing SMS to any devices where you do
| have passwords.)
| Xerox9213 wrote:
| I convinced my wife to start using a password manager, too
| (Bitwarden). Now she stores all of her very guessable, short,
| similar passwords in a manager. Sigh.
| Aeolun wrote:
| So happy to not have to remember whether the
| [firstname][lastname][number] password ended with a 4 or 5
| NewsaHackO wrote:
| I use a similar service, I always wonder what sort of risk
| having one point of failure has though. I know 2FA helps, but
| a particularly motivated person with physical access to you
| still may be able to get both, especially if it's for an
| investigation of some sort.
| teekert wrote:
| I switched from Bitwarden to Proton Pass (because we got
| Proton Family) and I find it to be equally good. I even find
| sharing credentials a bit easier as it does not require
| organizations; you can just share with individuals.
|
| Proton also has a separate 2fa totp app.
| smsm42 wrote:
| Bitwarden supports TOTP too, even though it's not entirely
| obvious from the UI.
| CaptainNegative wrote:
| TOTP inside a password manager doesn't make much sense to
| me. What's the point of two factor auth if both factors
| are stored together?
| behringer wrote:
| Bingo. You need to use a different totp.
| klardotsh wrote:
| I don't know the "correct" answer, but here's my answer
| as someone whose TOTP are split across a YubiKey and
| Bitwarden: I store TOTP in Bitwarden when the 2FA is
| required and I just want it to shut up. My Vault is
| already secured with a passphrase and a YubiKey, both of
| which are required in sequence, and actually using a
| cred once the Vault is authenticated requires a PIN code
| (assuming the Vault has been unlocked during this run of
| the browser, otherwise it requires a master password
| again).
|
| At that point, frankly, I am gaining nearly nothing from
| external TOTP for most services. If you have access to my
| Vault, and were able to fill my password from it, I am
| already so far beyond pwned that it's not even worth
| thinking about. My primary goal is now to get the website
| to stop moaning at me about how badly I need to configure
| TOTP (and maybe won't let me use the service until I do).
| If it's truly so critical I MUST have another level of
| auth after my Vault, it needs to be a physical security
| key anyway.
|
| I was begging every site ever to let me use TOTP a decade
| ago, and it was still rare. Oh the irony that I now
| mostly want sites to stop bugging me for multiple factors
| again.
| aryonoco wrote:
| My Bitwarden account is protected with YubiKey as the
| 2FA. I then store every other TOTP in Bitwarden right
| next to the password.
|
| I get amazing convenience with this setup, and it's still
| technically two factor. To get into my Bitwarden account
| you need to know both my Bitwarden password and have my
| yubikey. If you can get into my Bitwarden, then I am
| owned. But for most of us who are not say, being
| specifically targeted by state agents, this setup
| provides good protection with very good user experience.
| codegrappler wrote:
| 2FA most commonly thwarts server-side compromised
| passwords. An API can leak credentials and an attacker
| still can't access the account without the 2FA app,
| regardless of which app that is. The threat vectors it
| does open you up to are a) a compromised device or b)
| someone with access to your master password, secret key
| and email account. Those are both much harder to do and
| you're probably screwed in either case unless you use a
| YubiKey or similar device.
| eimrine wrote:
| How is it possible to have compromised password but not
| compromised the second factor? I don't understand the
| theory of leaking not enough factors. What is stopping
| webmasters from using 100FA?
| Alupis wrote:
| Bitwarden Families plan is $40 a year and supports up to 6
| users. It has TOTP built-in, is open source[1] and has been
| audited multiple times[2].
|
| The individual plan is $10 a year. I've been a happy user
| for many years. I converted the last business I was at to
| exclusively using Bitwarden for Business as well.
|
| [1] https://github.com/bitwarden/
|
| [2] https://bitwarden.com/help/is-bitwarden-audited/
| johnisgood wrote:
| Why do we need a separate 2FA TOTP app for anything? :| I
| have a feeling too many people have no idea what TOTP is,
| and how easy it is to implement.
| hombre_fatal wrote:
| Now that I'm not only using a Macbook and iPhone, I've been
| looking for cross-platform solutions.
|
| For a week I've been using KeePassXC + Syncthing between four
| devices. Syncthing is also syncing my Obsidian vaults, which
| have replaced Apple-only Notes.app.
|
| Bitwarden is definitely more polished, and Syncthing is
| definitely (much) more fiddly than using Bitwarden's and
| Obsidian's ($5/mo) native syncing tools.
|
| But I like the idea of having the same syncing solution
| across all apps on all devices. Curious if anybody can
| recommend this setup or if collisions will make it
| unbearable.
| Yodel0914 wrote:
| Not sure about Obsidian sync, but for Bitwarden you can
| self-host Vaultwarden.
| Tallain wrote:
| This is the same setup I used for years with no issues,
| both KeePassXC and multiple Obsidian vaults, along with
| some other random files and folders. Syncthing is pretty
| much rock solid. Now I have the KeePassXC database stored
| on my NAS which is even simpler.
| Joe_Cool wrote:
| The cool thing with KeePass is that each client is also a
| local backup. It's pretty neat.
| seemaze wrote:
| I originally started using Bitwarden to achieve sync across
| Mac, Windows, and Linux machines, along with all major
| browser platforms. It's been great!
| Aeolun wrote:
| Which device can you not use bitwarden on?
| therealpygon wrote:
| Why not just run a vaultwarden instance at that point?
| doubled112 wrote:
| No matter how you sync, a Keepass file is a file. I can't
| be logged out. It will still be on my phone if my house
| burns down. Every device it's synced to is an additional
| backup copy.
|
| The Bitwarden client will sometimes log you out if
| something happens on the server side, which has the
| potential to make worst case recovery from annoying to
| impossible. The circular dependency of having my cloud
| backup password in the vault made me nervous.
|
| Yes, you can back your vault up, but it's a manual step
| and likely to be forgotten.
| 9029 wrote:
| I have used this setup for 6 years or so with KeePassXC and
| it's fine. Just being mindful of not editing stuff on other
| devices before the first one has had the chance to sync has
| been enough to avoid pretty much all sync conflicts. I have
| only had to resolve those a few times so far, iirc my
| android client was misconfigured at the time or something.
|
| I still recommend Bitwarden for password management for any
| "laypeople" since it will just work. Also worth noting that
| the basic functionality is free.
| yorwba wrote:
| Even when you do get a sync conflict, Syncthing will
| rename one of the copies and then you can have KeePassXC
| merge the two files back into one. So that's still pretty
| much hassle-free.
| hombre_fatal wrote:
| Probably due to Obsidian's aggressive autosaving, I did
| cause a syncthing collision my first day by clicking into
| a note that I was editing on my other device. Kinda wish
| desktop Obsidian had a save system more like code editors
| and less like smartphone apps.
|
| I suppose I can avoid the issue with some discipline.
| echelon wrote:
| > Now that I'm not only using a Macbook and iPhone, I've
| been looking for cross-platform solutions.
|
| 1password works in all the places, it's just not open
| source.
| rafabulsing wrote:
| I use a similar setup, but with Onedrive instead of
| Syncthing (and, before that, Dropbox).
|
| In the almost 10 years I've been running this setup, I
| think I hit a conflict one single time. I don't quite
| remember the details, but I think I accidentally edited
| something in the mobile app, and before saving, edited
| something else in the desktop app or vice-versa. So it was
| pretty much my fault.
|
| Other than that, literally never had an issue. Password
| managers are by their nature mostly reads, and very
| occasional writes, so it's very hard to put yourself in a
| situation where conflicts happen, even if you don't pay
| attention to it. I've made an identical setup for my
| (fairly savvy but non-technical) fiancee, and she's never
| hit an issue either. I had to insist a bit for her to get
| on board, but years later she actually loves using KeePass.
| She's thanked me multiple times for how convenient it is
| not having to remember passwords anymore!
| fibers wrote:
| strongbox is a reasonable app for iOS and you can set it up
| for sftp to your main self hosted server.
| hackeman300 wrote:
| Unfortunately strongbox was sold a few months ago to a
| somewhat notorious app firm that has the nasty habit of
| buying popular apps and adding a whole bunch of
| telemetry. Not something I'd want in a password app.
|
| I've switched to KeePassium. Not quite as polished UX,
| but works for me
| hombre_fatal wrote:
| I'm using KeePassium and SyncTrain for the syncthing
| integration on iOS.
|
| SyncTrain has been working well, but all the knobs in the
| advanced folder settings definitely remind me that I
| would never recommend it over Dropbox/iCloud/etc to
| almost anyone, heh.
|
| But as long as I don't run into frequent problems, I like
| the idea of p2p device syncing over LAN. The phone in my
| pocket ends up passing around the latest copy since my
| other devices are almost never on at the same time. It's
| kinda cute.
| kevstev wrote:
| If you have a nas, I highly recommend you set up a VPN back
| to your network. It's been a bit of a game changer for me.
| I don't fiddle around with Dropbox or gdrive anymore, it's
| just on my nas and it just works. I was even mounting /home
| from it but that was a bit of overkill and still caused
| some hassles when I was completely offline- like on an
| airplane. Vpn has other advantages as well like no longer
| really having to worry about sketchy wifi networks. It felt
| annoying and like overkill at first, but I'm never going
| back to relying on any sync apps again.
| jmb99 wrote:
| > I was even mounting /home from it but that was a bit of
| overkill and still caused some hassles when I was
| completely offline- like on an airplane.
|
| I solved this by having /home for desktops/workstations
| on my NAS, but laptops had their own /home (with the NAS
| /home mounted somewhere locally). It's not perfect but
| was way easier than dealing with the offline case.
| FabHK wrote:
| Yes, I'm using Tailscale, and you're basically always on
| your home network. Very convenient.
| eightys3v3n wrote:
| One consideration is that Bitwarden seems to not work fully
| in an offline state the same way your setup would. I
| constantly try to edit or add a password while offline and
| can't. I think this somewhat negates the collision
| situation though.
| hombre_fatal wrote:
| That came up during my research and it's one of the
| reasons I couldn't choose it.
|
| Forcing a read/write right before and after each edit
| probably simplifies the sync scenario for them but I
| don't like relying on permanent internet access in my
| life since it's just not the case.
| com2kid wrote:
| You can throw a keepass vault on OneDrive or Dropbox and it
| works just fine everywhere. Not fiddly at all except Linux
| and OneDrive support.
| sach1 wrote:
| I have almost the exact same setup! Hit me up if you have
| any Qs as I've been a happy user of this for a few years
| now.
| theonething wrote:
| Can anyone with experience with 1Password and Bitwarden share
| their opinions on each?
|
| I've been on 1Password for years and am wondering if I'm
| missing anything.
| whatevertrevor wrote:
| I might be that guy soon. I really don't like Bitwarden's
| extensions, they have clunky UX, are slow and often don't
| even respect my settings. Autofill is a crapshoot,
| especially on Android. And they have performance issues
| with the Firefox and Chrome(-based) extensions so it's not
| even platform specific.
| hexbin010 wrote:
| Same experience here
| bfg_9k wrote:
| 1P is closed source and have had a number of breaches in
| the past. Bitwarden have had none that I'm aware of, and
| they're FOSS. I however have been preferring ProtonPass
| lately (also FOSS) and really like the layout over BW.
| Huppie wrote:
| > and have had a number of breaches in the past
|
| Do you have a source for this claim of multiple past
| breaches? The only one I know of is the Okta breach.
|
| For me they're still firmly in the 'one of the best
| options out there' category because cross-platform
| usability is incredibly good imho. I will admit it's been
| quite a while since I migrated from KeyPass so maybe
| these other options have improved too.
| jbmoney wrote:
| This is either ignorance or throwing shade at 1Password.
| Outside of their Okta thing (which didn't impact vaults
| as far as I'm aware, and was more Okta's fault) they
| never had a compromise. They are definitely an excellent
| provider.
| hexbin010 wrote:
| 1password has better UI/UX and is faster but Bitwarden is
| cheaper, supports prompting of the master password for
| specific passwords, and better security options (such as
| app idle settings instead of just device idle)
|
| I just trialled it but got a refund
| jbmoney wrote:
| I started paying for 1Password years ago when an annual
| family plan was $48, and to their credit, they've kept me
| grandfathered in to that price this whole time.
| hexbin010 wrote:
| I'm not saying 1Password is expensive, but Bitwarden is
| only $10 a year
| neogodless wrote:
| I use unique email addresses per domain name, and I believe
| IHaveBeenPwned shows me at 39 unique email addresses breached!
| (So many that seeing which ones have been breached would now
| cost me $22 / month... IHaveBeenPwned is starting to feel like
| an extortion racket of its own..)
| mrbluecoat wrote:
| I feel you. The aggregate email breach list just feels like a
| rainbow table at this point.
| esnard wrote:
| If you're using the same domain for each of your email
| address, HIBP has a domain-wide search feature which is free
| (but you need to register to validate your domain)
| neogodless wrote:
| I've registered (years and years ago) and I get emails
| saying how many, but to see _which_ emails they want lots
| of money.
|
| (If I'm wrong their interface is very confusing and I
| cannot find the free access.)
|
| Specifically it says this:
|
| > Insufficient subscription. Only subscription-free
| breaches will be returned for this domain.
|
| So I'm able to see _37_ email addresses on my domain have
| been breached, but I can't see _which_ without paying $22
| / month - https://haveibeenpwned.com/Subscription
|
| > Domain search restricted: You don't have an active
| subscription so you're limited to searching domains with up
| to _10 breached addresses_ (excluding addresses in spam
| lists). Only results for subscription-free breaches are
| shown below, upgrade your subscription to run a complete
| domain search. If you believe you're seeing this message
| in error, make sure you're signing in to the dashboard with
| the correct email address (check your latest receipt if
| you're unsure).
| solarwindy wrote:
| Quoting Troy from a thread beneath the article:
|
| > The easiest approach in that case is to take out the
| subscription, then immediately cancel it. It'll still
| last the full month, more here:
| https://support.haveibeenpwned.com/hc/en-
| au/articles/7707041...
| Razengan wrote:
| So by this point, if anyone does anything naughty online they
| could just pin it on a hacker using their identity, no?
| TZubiri wrote:
| Right. Having some data leaked isn't really a boolean,
| leaked/unleaked. It's a list of leaks, and the implicit map
| between your datapoints, whether by intra- or inter-provider
| mapping.
|
| For example a forum might leak a map between your mail and a
| password; implicitly your affinity for that forum's topic is
| also now on the public record. Additionally, if your posts were
| public but under a pseudonym, that might now be known by a
| sufficiently motivated attacker.
|
| Finally this may be linked with other public datasources like
| your public tweets or public state records, or even other
| leaks.
|
| This is why the meme about all ssn's being leaked or about a
| list of all valid phone numbers is so asinine.
| sixothree wrote:
| Even if you weren't breached, the sophistication is getting
| higher too. New hires get emails starting literally day one
| because email formats follow a pattern and they posted their
| new job on linkedin (or something).
| NegativeLatency wrote:
| > what if anything can be done at this point
|
| I'm in a similar situation, just make sure your credit is
| frozen with the 3 major US companies. I had someone steal like
| $50 of cable TV with my info in another state and it was a
| major pain to get off of my credit report.
| dheera wrote:
| I generally don't give my real address or real phone number to
| anyone who doesn't legally need it. I use a virtual address as
| the billing address on my credit cards and for registering for
| things that don't need to know where I sleep.
|
| The government can have at my real info, but private companies
| have bad data security.
| 8cvor6j844qw_d6 wrote:
| I used per-account email with alias services and password
| managers.
|
| Also started migrating old accounts in free time.
|
| Now it's pretty easy to tell the source of a leak by email
| addresses as well as sources of spam.
|
| ---
|
| Per-account alias might sound much, but using sieve filtering
| [1] is amazing, and you can get a comprehensive filtering
| solution going with 'envelope to' (the actual address receiving
| the email) + 'header to' (the recipient address you see,
| sometimes filtering rules don't filter for BCC or sometimes
| recipients are alias instead of your actual email) that are
| more comprehensive than normal filtering rules to sort your
| emails into folders.
|
| [1]: https://datatracker.ietf.org/doc/html/rfc5228
|
| ---
|
| Amusingly, I've managed to recover old accounts from emails
| that contain my old passwords with demands for crypto payment;
| it just provided me enough help to recall old variations of my
| passwords.
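The 'envelope to' plus 'header to' sorting described above, and the trick of using the alias itself to tell which service leaked it, as an added example (not from the thread, not from any mail provider): the alias registry, the domain example.com and all three messages are constructed, and the envelope recipient is assumed to be handed in by the MTA the way Sieve's envelope test sees it.

```python
"""Sort mail by per-account alias and flag aliases that have escaped.

Added example, not from the thread. The alias registry, the domain
example.com and all messages are constructed; the envelope recipient is
assumed to be passed in by the MTA, as Sieve's `envelope :to` sees it."""
import email
from email.utils import getaddresses, parseaddr

# Alias handed to each service -> the sender domain expected to write to it.
# (Constructed registry; a real one would be your alias service's export.)
ALIASES = {
    "forum_q7x2@example.com": "forum.example.net",
    "shop_k93m@example.com": "shop.example.org",
}


def header_recipients(msg) -> set:
    """Every address in To/Cc (Sieve 'header to'), lower-cased. Empty for Bcc
    deliveries and for 'undisclosed-recipients:;' groups."""
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return {addr.lower() for _, addr in pairs if addr}


def sender_domain(msg) -> str:
    """Domain of the From address, or '' when it cannot be parsed."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify(raw_message: bytes, envelope_rcpt: str) -> tuple:
    """Return (folder, reason) for one delivery.

    The envelope recipient identifies the alias even when the header only
    names a list address or the mail was Bcc'd, which is exactly the case a
    header-only filtering rule misses.
    """
    msg = email.message_from_bytes(raw_message)
    rcpt = envelope_rcpt.lower()
    expected = ALIASES.get(rcpt)
    if expected is None:
        # Catch-all hit for an alias never handed out: worth a look, not the inbox.
        return ("Quarantine", "unknown alias")
    from_dom = sender_domain(msg)
    if from_dom != expected and not from_dom.endswith("." + expected):
        # Right alias, wrong sender: the alias has leaked (or been passed on),
        # and the registry tells you which service lost it.
        return ("Leaked", f"alias for {expected} used by {from_dom or 'unknown sender'}")
    folder = rcpt.split("@", 1)[0]
    if rcpt not in header_recipients(msg):
        return (folder, "bcc")   # legitimate, but only the envelope revealed the alias
    return (folder, "ok")


# Constructed sample deliveries; the bodies play no part in the rules above.
MSG_OK = b"""From: Forum <noreply@forum.example.net>
To: forum_q7x2@example.com
Subject: Welcome aboard

Thanks for registering.
"""

MSG_BCC = b"""From: Shop News <news@shop.example.org>
To: customers@shop.example.org
Subject: Monthly newsletter

Bcc'd to every customer; our alias is nowhere in the headers.
"""

MSG_LEAK = b"""From: "Great Deals" <deals@bulk-sender.example>
To: undisclosed-recipients:;
Subject: You have won

The shop alias reached a sender we never gave it to.
"""

if __name__ == "__main__":
    for raw, rcpt in [(MSG_OK, "forum_q7x2@example.com"),
                      (MSG_BCC, "shop_k93m@example.com"),
                      (MSG_LEAK, "shop_k93m@example.com"),
                      (MSG_OK, "random_zz@example.com")]:
        print(rcpt, "->", classify(raw, rcpt))
```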
| lelandfe wrote:
| (the keyboard smash username is apropos)
|
| > Per-account alias might sound much
|
| Not only does this not sound too much, this is a feature
| Apple offers called Hide My Email:
| https://support.apple.com/en-us/102548
| fainpul wrote:
| And one day you've had it with Apple's latest user-hostile
| shenanigans and switch to Linux. What now? Do you just keep
| paying for iCloud+ forever?
| marliechiller wrote:
| wouldnt this be the case for any vendor you choose?
| fainpul wrote:
| yes
| steelframe wrote:
| In my experience the overwhelming majority of services
| permit me to change my email address.
| fainpul wrote:
| Of course. But I have hundreds of user accounts, as
| probably many people do. I would not enjoy changing all
| those email addresses.
| sometimes_all wrote:
| As someone who uses both, I much rather prefer aliases to
| hide-my-email for the more important stuff. For one, I can
| choose the email address "username", which I cannot with
| Apple's solution. Plus, what happens when I move on from
| Apple to something else?
| bn-usd-mistake wrote:
| But aliases can be easily mapped back to your normal
| email address, unlike Apple's which are opaque. I, too,
| am afraid of vendor lock-in though. Sadly, couldn't find
| a good alternative yet
| ekropotin wrote:
| I just use <myname>+<service>@gmail.com. At the end of the day
| it's all delivered to the myname@gmail.com mailbox, but I can
| use filters based on the part after "+".
| sneak wrote:
| As someone who deals in breach data this is a simple regex
| to strip out.
| mesrik wrote:
| >As someone who deals in breach data this is a simple
| regex to strip out.
|
| Sure it is, but at least you do get a slight chance, later,
| post-leak, to find out where the leak originated.
|
| Data stealers seldom strip out that +extension part
| before selling it or otherwise dumping it somewhere. And
| while it's passed on, you get to see the address as you gave
| it to the party that had the leak. The reason sellers don't
| strip it off is perhaps that they sell by number of unique
| addresses, and while +extension usage is quite rare, they
| make more money when they don't strip it off too.
|
| Information about where it leaked can be very useful to
| pass to the leaker, at least up till the point they have
| announced they know about the compromise that happened.
| I've done that since the turn of the century too many times
| to count, and have quite a few times been the first to let
| them know they had a problem there.
|
| And sure, I've received thank-you emails for giving them an
| early heads-up about the issue.
| tapland wrote:
| Anyone who's looked at breach data knows to try
| yourname+service for any service.
|
| This does help in filtering spam though
| selcuka wrote:
| It doesn't have to be literally the service name. Can be
| any unique alphanumeric suffix you make up randomly. As
| long as you use a password manager you don't have to
| remember it.
| fragmede wrote:
| Indeed, it needs to be more than just the company name if
| you want it to be useful later. If the email address used
| is company@example.com, any idiot could guess company.
| But receiving email to company_wkhx46@example.com is
| clearly gotta be from them, or they got hacked.
| gblargg wrote:
| That's why you have to salt the + portion (look up an old
| email from the service if you forgot the alias).
| logifail wrote:
| > Anyone who's looked at breach data knows to try
| yourname+service for any service
|
| Since we're all using a unique password for every service
| - <cough> we are doing that, aren't we (!!) - then how
| does that help?
| mroche wrote:
| I do this as well, but there are a number of service
| providers that just do not handle subaddressing at all.
| Like creating an account will result in never receiving a
| confirmation or verification code because the system failed
| to parse the address.
|
| I've started using grouped aliases instead for a bunch of
| things.
| willvarfar wrote:
| I'd be really surprised if Gmail's + behaviour isn't so
| well known by spammers that they just strip them off?
| neobrain wrote:
| Conversely, I'd assume this pattern is used rarely enough
| for spammers to even bother fighting it.
| vladvasiliu wrote:
| But I've seen service providers who insisted on creating
| some account with a valid email who wouldn't accept a `+`
| in their forms...
| edoceo wrote:
| My favorite was that I could sign-up with the + address
| but couldn't sign-in. And the support desk rejected that
| + address too.
|
| The phone support person was confused about that symbol
| too, what an odd email.
| sussmannbaka wrote:
| even better: those will be spam guaranteed and can just
| be filtered by rule then
| vthriller wrote:
| Not sure about normalizing recipients' emails but some
| are definitely aware of it because I've seen spam that
| asked to "reply back to
| defi.n.it.ely.not.shady+email@gmail.com" or something.
| kevin_thibedeau wrote:
| This is one of the reasons I switched to a different
| provider using a custom domain. I can make new addresses
| in any format I want. There's zero risk of a spammer
| stripping them down to a base address for the primary
| account. They also don't get rejected by broken
| validators.
| prein wrote:
| Yep, I use Fastmail with a custom domain. I have a
| catch-all email set up, so I just register any account on
| sitename.com as "sitename@mydomain" and it all gets
| sorted into a catch-all folder. I can then run rules if I
| want it to go into a certain category like "bills" or
| just straight to the garbage.
| pil0u wrote:
| With Gmail, also note that firstname.lastname@gmail.com is
| equivalent to firstnamelastname@gmail.com or
| fi.rs.tn.am.el.as.tn.am.e@gmail.com
|
| As some other comment suggested, these rules are easy to
| tackle by motivated spammers.
| askl wrote:
| If they were motivated, they wouldn't work as spammers.
| docmars wrote:
| I see what ya did there, you get an upvote.
| esseph wrote:
| Some spammers make obscene amounts of money. CEO of
| Fortune 100 money.
| tumetab1 wrote:
| The downside is that https://haveibeenpwned.com/ can only
| find "exact email" addresses, as in, you must search for
| myname@gmail.com, myname+service1@gmail.com, etc.
| sotix wrote:
| Careful with this method. I was unable to purchase plane
| tickets from Southwest or even change my email address
| because they changed their parsing rules on me and silently
| dropped the plus. I found out most airlines don't have a
| ticket counter to buy a ticket the old fashioned way! But
| the premier help can issue tickets. Took me two months to
| have CS get someone to run a DML to remove my "bad" email
| address.
| mapt wrote:
| It's probably easier to tell them "I lost access to that
| email, I need to set up a new account". People do this
| all the time.
|
| On some level, my employer uses emails as the primary key
| for customer accounts, the baseline identifier which all
| information is filed under. It's quite ridiculous.
| sotix wrote:
| I did, but the CS agent kept trying to change the email
| to a new one when I told them I had lost access, and the
| validation failed because it wanted to send an email to
| the old address about the email being updated and
| couldn't. They didn't have the right tools to fix it.
|
| Had to get an engineer involved.
| abustamam wrote:
| I tried to start doing this. The first site I tried to sign
| up to said it was an invalid email address.
|
| I would say they could fuck all the way off, but there are
| legitimate reasons to not let people sign up with an alias
| (like one person signing up for multiple free trials)
| sometimes_all wrote:
| I also use per-account emails, but not sieve filtering.
| Catch-all is helpful for throw-aways, aliases for the more
| important stuff.
|
| It's super-easy to figure out who leaks my emails to whom, so
| I can easily disable both the leaker and the people who
| leaked.
|
| Much more user-friendly than Apple's hide-my-email.
| scoot wrote:
| > I used per-account email [addresses] with alias services
|
| I do too (anything@mysubdomain.example.com), but online
| services collude with data brokers to share so much
| information [0] that I don't doubt that many of these
| "separate" profiles have been aggregated.
|
| Unfortunately the services that supposedly offer to have your
| personal data removed from data brokers don't seem to support
| aliasing, so no straightforward way to either find out or
| have the data removed.
|
| [0] Just look at the scary list of third-party cookies you
| can't opt out of on Coursera [1], for example:
|
| Match and combine data from other data sources 419 partners
| can use this feature _Always Active_
|
| Identify devices based on information transmitted
| automatically 546 partners can use this feature _Always
| Active_
|
| Link different devices 358 partners can use this feature
| _Always Active_
|
| Deliver and present advertising and content 582 partners can
| use this special purpose _Always Active_
|
| [1] https://www.coursera.org/about/cookies-manage
| jwr wrote:
| > I used per-account email with alias services and password
| managers.
|
| For people who want to do this, be sure to get it right. I
| run a SaaS with a free tier, and I see people register with
| "fancy+nospam+servicename@gmail.com" addresses. Many of those
| become undeliverable or are left unread forever because of
| filtering rules. So when my system sends a warning E-mail
| that the account will be deleted due to inactivity, it
| doesn't get read, which leads to suboptimal outcomes for
| everyone involved.
| mapt wrote:
| It was infuriating to me when
| normal_email+site_name@gmail.com stopped working for
| registration on some sites.
|
| Fucked up my Costco registration, a variety of other
| things.
|
| This sort of quasi-pseudonymity is required for basic
| security/privacy in 2025; it's the only way to get a handle
| on who's allowed to send you email, since we've never
| bothered to fix spoofing or impose a cost on spam. I've
| been trying to use it since Sneakemail was a free service
| back in the pre-Gmail days.
| thallium205 wrote:
| Many spammers will strip the +xxxx out of the emails
| anyway to not reveal the source of their data so it
| doesn't matter too much really.
| toddmerrill wrote:
| I do this also. I started doing it with physical mail before
| email existed to sort out the junk mail, so first and last
| name always contained a reference to the company you were
| dealing with. Paul Allen back in the 80s said in a Seattle
| Times interview that it was how he handled it.
| 6c696e7578 wrote:
| > I used per-account email with alias services and password
| managers.
|
| 20-something-ish years ago I set up qmail on my VPS and a
| .qmail-default file captures all my me-sitename@vps emails.
| If they send me junk I echo '#' > .qmail-sitename and that's
| the end of it.
|
| Other things that get a mixture like someone annoying who
| harvested my ebay/paypal addresses or something, I'll sift
| out the good (stuff I need) via maildrop and everything else
| gets junked.
|
| Honestly one of the best, but annoying, things I've done,
| well worth the time invested as I have a nice clean mailbox.
| tguvot wrote:
| did exactly same. the only difference is that i use
| compromised emails to train spam filter
| varispeed wrote:
| I bet now some corporations actually want to be exposed, have
| data breach. If you have not been in the news, it means you
| have not made it yet (not popular enough to be a target worth
| writing about).
| esseph wrote:
| Those CISOs / CTOs / CIOs attached to those companies do
| _not_ want to be in the news.
| edoceo wrote:
| Right to be removed/purged and maximum retention policy. One
| place I'm aware of purges accounts that have been inactive
| 18 months. Historical billing info is offline and "gapped".
| sandeepkd wrote:
| To confirm, data/info leaks happened on the server/application
| side. How does a solution like Bitwarden on the client side
| help with this situation?
|
| As per my understanding the only possible threat it saves
| against is someone trying to brute force for your password
| against the application. And maybe ease the cognitive burden
| of remembering different passwords.
| theonething wrote:
| freeze your credit at the three major companies.
| ulfw wrote:
| Exactly this.
|
| Does anyone still care?
|
| I like how the Apple Password app informs you about Compromised
| Passwords so you can you know... go in and fix it, get a new
| password etc.
|
| Nice little cute idea.
|
| I got 717 warnings. Seven hundred seventeen.
|
| No I will never be able to fix this
| ErroneousBosh wrote:
| It's probably more important to keep passwords safe, but lots
| of people treat their email address like some kind of
| "sensitive secret". "Oh but I don't want to get spam" - my dude
| you are going to get spam.
|
| There's a guy who lives near me who, when he parks his car,
| very carefully puts tape over the number plate "because
| otherwise people might see my registration number". Because
| apparently if people can see your car's registration number
| they can somehow just steal your car and the police won't do
| anything because the number plate was visible. Mad, absolutely
| barking mad.
| somehnguy wrote:
| Same, and I find it really difficult to care about it anymore.
|
| It was leaked through no fault of my own. There are 0 actual
| consequences to companies doing it. So what am I going to do -
| stew about it??
| submeta wrote:
| I have a throwaway email address for every website that requires
| signup. And a new password for every signup. Using Fastmail and
| a password manager. When email addresses/passwords leak, I know
| which one I have to replace.
| hypeatei wrote:
| Cynicism is everywhere these days but these events really don't
| register for me anymore. Companies aren't punished by the
| government for these leaks and they aren't punished by consumers
| either. What incentive is there to reduce this data collection in
| the first place or to lock down your databases?
|
| Even if someone's security is awful as the consumer and their
| account gets hacked because of these leaks, what are the actual
| consequences of that? Oh bummer, they need to reset their
| password and make a few phone calls to their bank to reverse the
| fraudulent charges then life goes on. Techies view that as
| unacceptable but most don't really care.
| morshu9001 wrote:
| I don't care for most things, but banking is one place I've
| been bitten pretty hard without even getting hacked. Not going
| to extremes to protect it, just gonna make sure it's decent.
| eckesicle wrote:
| Is there any real drawback to just never giving your real name or
| address to service providers to minimise the chance of identity
| theft? Most likely it's against terms of service, but other than
| account suspension are you likely to suffer any legal
| consequences?
| bigbuppo wrote:
| The ad tech companies can associate any fake identity with your
| real identity. So no, there is no problem. Good thing that all
| ad tech companies are fully on the up-and-up and have never
| been compromised to spread malware.
| Aurornis wrote:
| Service providers generally use your name and address to
| validate your billing method.
|
| If you can pay by some method that doesn't require name or
| address then go ahead and use a fake name.
| legitster wrote:
| Depending on the service, the billing data may be in its own
| database outside of the user tables.
| rkagerer wrote:
| Anonymity on the Internet is going out of vogue.
|
| The only way to fix the ToS issue you raised is through
| regulation protecting it.
|
| Unfortunately we're going the other direction, with efforts
| like verified ID gaining traction in some parts of the world.
|
| It's ironic because in most cases anonymity (or allowing an
| alternate identity that has its own built-up reputation) would
| offer real protection, while the verification systems are
| arguably security theatre.
|
| I don't care what technical genius is built into your
| architecture, as soon as you force a user to plug their ID
| information into it, they've forked over control along with any
| agency to protect their own safety.
| hn_acc1 wrote:
| I mean, for some services, like banks / credit cards, it's
| required.
|
| For others, I try to stay anonymous / aliased where possible.
| rkagerer wrote:
| The bit at the end about email deliverability was also
| interesting:
|
| _Notifying our subscribers is another problem... in terms of not
| ending up on a reputation naughty list or having mail throttled
| by the receiving server .... Not such a biggy for sending breach
| notices, but a major problem for people trying to sign into their
| dashboard who can no longer receive the email with the "magic"
| link._
|
| And this observation he got from someone:
|
| _the strategy I've found to best work with large email delivery
| is to look at the average number of emails you've sent over the
| last 30 days each time you want to ramp up, and then increase
| that volume by around 50% per day until you've worked your way
| through the queue_
| legitster wrote:
| This is also known as "warming a domain" in the email world. A
| large rush of emails from an email server is an indicator of a
| hack or takeover, so anti-spam software may flag an IP address
| that surges in activity.
| jimmar wrote:
| I respect Troy Hunt's work. I searched for my email address on
| https://haveibeenpwned.com/, and my email was in the latest
| breach data set. But the site does not give me any way to take
| action. haveibeenpwned knows what passwords were breached, the
| people who breached the data knows what passwords were breached,
| but there does not seem to be any way for _me_, the person
| affected, to know what passwords were breached. The takeaway
| message is basically, "Yeah, you're at risk. Use good password
| practices."
|
| There is no perfect solution. Obviously, we don't want to give
| everybody an easy form where you can enter an email address and
| see all of the passwords it found. But I'm not going to reset 500+
| passwords because one of them might have been compromised. It
| seems like we must rely on our password managers (BitWarden,
| 1Password, Chrome's built-in manager, etc.) to tell us if
| individual passwords have been compromised.
| junon wrote:
| https://haveibeenpwned.com/Passwords
| AlienRobot wrote:
| my password: 2,408
|
| password: 46,628,605
|
| your password: 609
|
| good password: 22
|
| long password: 2
|
| secure password: 317
|
| safe password: 29
|
| bad password: 86
|
| this password sucks: 1
|
| i hate this website: 16
|
| username: 83,569
|
| my username: 4
|
| your username: 1
|
| let me login: 0
|
| admin: 41,072,830
|
| abcdef: 873,564
|
| abcdef1: 147,103
|
| abcdef!: 4,109
|
| abcdef1!: 1,401
|
| 123456: 179,863,340
|
| hunter2: 50,474
|
| correct horse battery staple: 384
|
| Correct Horse Battery Staple: 19
|
| to be or not to be: 709
|
| all your base are belong to us: 1
| zahlman wrote:
| > all your base are belong to us: 1
|
| Only 1, really?
| Sohcahtoa82 wrote:
| Because of the spaces.
|
| Without spaces, it's 681.
| e12e wrote:
| Password2020: 109,729
|
| Edit:
|
| louvre: 7,219
| latexr wrote:
| Spaces are skewing the numbers lower. Remove them from any
| of those and see the number increase at least an order of
| magnitude. That "let me login" goes from 0 to 4,714 just by
| removing spaces ("letmelogin").
| neogodless wrote:
| _correcthorsebatterystaple_ (no spaces) 4,163
| bdcravens wrote:
| I was trying random phrases just out of curiosity, and
| couldn't help but chuckle when it said "epsteinfiles" wasn't
| found :-)
| the8472 wrote:
| This doesn't help. If the _email address_ check says the
| address has been exposed it doesn't tell you which password
| that was used together with that has been exposed. Was it one
| from 10 years ago you don't even remember? Or that's still
| actively in use? Which one of my hundreds of passwords?
| Thorrez wrote:
| You can use the API to check all of your passwords. Then
| you'll know the security state of all of your passwords.
|
| https://haveibeenpwned.com/API/v3
| the8472 wrote:
| Doesn't help. Some accounts are old and may not be in my
| current PW DB. Or they were memorized, or forgotten.
|
| If the thing suggests the EMAIL (+ associated password)
| has been compromised for some unknown account then to do
| a risk assessment I would have to find which account it
| belongs to, not which currently-in-use passwords match
| the same datasets.
|
| Those are different queries, providing different bits of
| information.
| junon wrote:
| It doesn't matter, don't use passwords that have been
| compromised. Period.
| elzbardico wrote:
| > It seems like we must rely on our password managers
| (BitWarden, 1Password, Chrome's built-in manager, etc.) to tell
| us if individual passwords have been compromised.
|
| Yes.
| karencarits wrote:
| One possible solution could be to give you an option to send
| the affected password as a list to the mail address you
| specify, then only people with access to that mail address will
| see them
| elwebmaster wrote:
| That would be a great idea!
| bobmcnamara wrote:
| Hash of the affected password? People share these things and
| don't always run their own mail servers.
| technion wrote:
| At one point I responded to a haveibeenpwned notice by
| immediately having the user reset a password.
|
| I've got over 200 users in a domain search (edit: for this
| particular incident), and nearly all of them were in previous
| credential breaches that were probably stuffed into this one.
| I'm not going to put them through a forced annoyance given how
| likely it is the breached password is not their current one,
| and I'm urging people to start moving in this direction unless
| you obtain a more concrete piece of advice.
| kbrkbr wrote:
| Same here: reset on first breach (ROFB), but on subsequent
| ones only if it is no collection, e.g. a new infostealer
| breach.
| fckgw wrote:
| The problem with breaches like the latest data set is that
| there's no source on where the breach came from, it's an
| aggregate from multiple breaches. They can't tell you that info
| because it's not in the initial data set.
| chinathrow wrote:
| Yeah and I am confused by his new setup private vs business. I
| got that mail too but can simply not see what addresses were
| affected by that breach.
| craftkiller wrote:
| > there does not seem to be any way for _me_, the person
| affected, to know what password were breached
|
| You should be using a unique randomly-generated password for
| each website. That way, one breach doesn't lead to multiple
| accounts getting hijacked AND you'll know which passwords were
| breached solely based on the website list. The only passwords I
| still keep in my head are:
|
| 1. The password to my password manager
| 2. The password to my gmail account
| 3. The passwords for my full disk encryption
|
| All of those passwords are unique and not used anywhere else.
| Everything else is in my password manager with a unique
| randomly generated password for each account. And for extra
| protection, I enable 2fa on any site that supports
| u2f/webauthn.
|
| I used to reuse the same password for everything, and that led
| to a pretty miserable month where suddenly ALL of my accounts
| were compromised. I'd log in to one account and see pizzas I
| never ordered. Then I'd open uber and see a ride actively in-
| progress on the other side of the country. It was not fun.
| taftster wrote:
| Yes! Me too. Not adding anything here except a confirmation
| on the above approach. You kind of need your email password
| as a "break glass" scenario. But mostly, you just need your
| password manager.
| DaSHacka wrote:
| and root disk encryption, unless you have some alternative
| method set up.
| imp0cat wrote:
| That's the default in this day and age, no?
| taftster wrote:
| I mean, probably should be. But for me, no. Well, not my
| personal computer anyway. That's a mistake, I know. But
| corporate computer yes.
|
| So no, I don't think "in this day and age" necessarily.
| And I believe that the vast majority of "normal" users
| don't do full drive encryption either. But yes, we
| should.
| akerl_ wrote:
| Last I looked, windows and Mac installs both push the
| user to set up bitlocker or FileVault, respectively. You
| have to actively say no if you don't want it.
| taftster wrote:
| I deliberately dodged there, as you noted. I do not have
| full disk encryption set up. I know that I'll probably have
| a very bad day if I come to lose my laptop, etc. I should
| do this, no doubt.
|
| But I'm not sure. While maybe good password management is
| starting to soak into common computer usage, I don't
| think disk encryption is all that common just yet across
| the average user. It should be. But the average user is
| just moving to their phone anyway, with face id and
| encryption by default, instead of maintaining their own
| personal device.
|
| Corporate devices seem to be a bit better in this regard,
| though.
| tengwar2 wrote:
| Also if possible, use a unique email address for each site. I
| know that's not feasible for most people, and some sites
| (e.g. LinkedIn) are structured so that email addresses become
| linked, but it does provide useful isolation.
| subscribed wrote:
| Nice. Now I'd like to know WHICH password got leaked.
|
| That way the breach impact can quickly be limited.
|
| Troy probably would share that information for a price. Not
| sure whom to pay though - the "good" guy who won't say a
| word, or a criminal who will happily share it with me?
|
| It's possible the latter would be cheaper too.
| Jaxan wrote:
| They don't store email addresses with password in the
| database. That would be way too risky. These are separate
| databases, so you can lookup your email address, and
| separately check a password.
| TZubiri wrote:
| What? You expect the guy to tell you your password? Lol, lmao
| even.
|
| I know roughly what passwords were exposed because either I
| remember it, or the date of the leak or the associated email.
|
| I know simple passwords are almost public and that leaks of say
| linkedin will be properly hashed, while a vb forum from 2006
| might not be.
| pessimizer wrote:
| > But the site does not give me any way to take action.
|
| It gives you as much information as you should be given. Any
| more information would just be spreading around the hacked
| dataset.
|
| It does give you an awful lot of information about the specific
| hacks that exposed your information, and what was the content
| of that exposure. You may have been owned, but the way you were
| owned doesn't really matter e.g. I don't care that my
| firstname.lastname@gmail.com was exposed as being me. I may not
| care that my username@yahoo.com account was exposed as being
| username at archive.org. If that's it, I can keep using them.
| But a lot of hacks are a lot worse, and you might have to
| rearrange things or close them down. haveibeenpwned gives you
| enough information to make all those decisions.
|
| Also, your second paragraph seems to imply that the site
| doesn't tell you if passwords were compromised for an email
| address. It definitely does by identifying the hack and
| describing its extent. You don't need the _actual password_ to
| know that you need to change it. Likely, the hacked site forced
| you to change it anyway.
| froddd wrote:
| Change the password for what account though? The dashboard
| doesn't seem to list the actual website(s) linked to the
| email/password breached, so how am I to know which password
| to rotate?
|
| If I follow the recommended best practice, I have a different
| password for every website or service. That could be hundreds
| of them. Am I supposed to rotate all of them every time
| there's a breach?
| seb1204 wrote:
| You put your email in and then the result is a website that
| got breached. Together this should give you enough
| information.
| the8472 wrote:
| > It does give you an awful lot of information about the
| specific hacks
|
| No it doesn't. Enter <old email address> - 5 data breaches -
| first one says:
|
| > During 2025, the threat-intelligence firm Synthient
| aggregated 2 billion unique email addresses disclosed in
| credential-stuffing lists found across multiple malicious
| internet sources
|
| It doesn't tell me which site or which of the many passwords
| used together with that address. Just that it has been in a
| generic data dump.
| subscribed wrote:
| So it gives me the information that my email has been
| exposed.
|
| Where? In what service? Did my password get leaked too? I
| can't change password / delete the account if I don't know
| where.
|
| Did any other data get leaked? Anything sensitive? Do I have
| to cancel my credit card? Were any files leaked as well? My
| home location?
|
| At this point HIBP is next to useless.
|
| And how showing me WHAT is in the database about the email I
| proved I own would be spreading it? At this point if I want
| to learn it I need to either try to find the torrent with it
| (spreading it further!) or pay the criminals.
| Jaxan wrote:
| Btw they are not storing more info along the email address,
| because that would be way too risky. Just imagine the HIBP
| database being leaked.
|
| Also, they don't always know where your info has leaked.
| Some datasets are aggregates.
| seb1204 wrote:
| This information is given for each of the leaked incidents.
| Troy also explains this in his blog post.
| NetMageSCW wrote:
| If you read the instructions, you will discover
| https://haveibeenpwned.com/Passwords which will let you enter a
| password and securely check if it has been published in a
| breach.
|
| If it has, it is either a simple password that multiple people
| are using, or a complex secure password that can make you
| pretty confident it is your password that has been published.
|
| 1Password just does the same thing for all of your passwords -
| it doesn't check against your account name either. That
| information isn't stored so they can't become a new source of
| breached accounts (as explained at the site).
| donatj wrote:
| Letting me check my passwords one at a time is like letting
| me check my grains of rice individually for poison before
| eating.
| jve wrote:
| Use a tool
|
| https://monitor.mozilla.org/
|
| https://watchtower.1password.com/
|
| https://bitwarden.com/help/reports/#exposed-passwords-
| report
| Jaxan wrote:
| There is also an API
| froddd wrote:
| The details about the "Stealer Logs" on the dashboard even
| state:
|
| > The websites the stealer logs were captured against are
| searchable via the HIBP dashboard.
|
| There is no way to use the HIBP dashboard to figure out what
| domains my email address appears against.
|
| Am I meant to change all passwords associated with that email
| address? Or do I need to get a paid subscription to query the
| API to figure out exactly what password(s) to change?
|
| This has always confused me. On the one hand, HIBP is an
| invaluable service, but, on the other, it does nothing more
| than stating you're in trouble, with no clear way forward.
| subscribed wrote:
| It's quite certainly an upselling attempt. I once spent a
| couple of hours to see what was actually exposed in the
| infostealer breach my email appeared in (e.g. payment data?
| Physical address? Government ID?) to no avail.
|
| This service is toxic tbh.
| Thorrez wrote:
| The API is free.
|
| https://haveibeenpwned.com/API/v3
| Thorrez wrote:
| You don't need a paid subscription. The API is free.
|
| https://haveibeenpwned.com/API/v3
| froddd wrote:
| The API is not free.
|
| https://haveibeenpwned.com/API/v3#Authorisation
| Thorrez wrote:
| Only if you want to search by account. If you want to
| search by password, it's free. You can query all your
| passwords to see which ones are breached, and change
| those.
|
| > Authorisation is required for all APIs that enable
| searching HIBP by email address or domain, namely
| retrieving all breaches for an account, retrieving all
| pastes for an account, retrieving all breached email
| addresses for a domain and retrieving all stealer log
| domains for a breached email addresses. There is no
| authorisation required for the free Pwned Passwords API.
|
| And searching by account wouldn't tell you anything
| useful. It would just say "Synthient Credential Stuffing
| Threat Data". It wouldn't tell you what password to
| change, because HIBP doesn't know what site the
| password(s) that it found in "Synthient Credential
| Stuffing Threat Data" were associated with, and HIBP
| doesn't maintain a database linking passwords to emails.
| froddd wrote:
| The only part of the API that is free is the passwords
| API, which would not help for this use case.
|
| Every other endpoint requires a subscription. This is
| very far from "The API is free".
|
| > searching by account wouldn't tell you anything useful
|
| The API can return the domains listed in stealer logs for
| a specific email address:
| https://haveibeenpwned.com/API/v3#StealerLogsForEmail
| jerf wrote:
| On the plus side, Troy can save a lot of DB space now. Instead of
| storing which emails have been compromised at this point he can
| replace that with just
| def email_compromised(email): return True
| Havoc wrote:
| Not necessarily. Both my main addresses still come back clean
| after years in use.
|
| The one I use for random crap has 9 hits though.
| Ey7NFZ3P0nzAe wrote:
| Same here
| TheTxT wrote:
| In that case he could just store the emails that haven't been
| compromised yet.
| jerf wrote:
| If we're going to take my obviously unserious suggestion
| seriously, I'd suggest a bigger problem is that his stack
| isn't in Python and the code for whether an email is pwned
| probably isn't remotely structured as a function call like
| that...
|
| but other than that I'm sure it's a good idea.
| brikym wrote:
| It boggles my mind that most email providers don't have a way to
| generate aliases for sign ups. Looks like proton and fastmail
| support it.
| cryptoegorophy wrote:
| - Set up a website with an article that 3 billion emails were exposed
| - Offer a form to check if your email was leaked
| - Start getting a confirmed emails list
| sfilmeyer wrote:
| Troy Hunt has been running Have I Been Pwned for years. He even
| uses the k-anonymity model to allow you to search if a password
| has been pwned without giving him the password if you don't
| trust him.
|
| I get your general point, but he's been a leader in this space
| and walking the walk for a decade. I'm not even into security
| stuff or anything particularly related to this, and I still
| recognized his name in the OP domain.
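The password-side check that Thorrez points at above (the free Pwned Passwords API) and the k-anonymity model sfilmeyer mentions, as an added example that is not HIBP's own code: only the first 5 hex characters of the SHA-1 leave your machine, the suffix is matched locally. The sample range response is constructed; `api.pwnedpasswords.com/range/` is the real endpoint, and the `Add-Padding` header (zero-count filler lines) is an assumption about the live API that the parser tolerates either way.

```python
"""k-anonymity check of passwords against the Pwned Passwords range API.

Added example (not HIBP's code). Offline by default: the live fetcher is
optional and is only used if you pass it to check_passwords().
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Real endpoint of the free Pwned Passwords API; only a 5-hex-char prefix is sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix (sent to the API) and 35-char suffix (never leaves the machine)."""
    if len(digest) != 40:
        raise ValueError("expected a 40-character SHA-1 hex digest")
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; zero-count entries (padding) are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def fetch_range_online(prefix: str) -> str:
    """Live fetch of one range (network); padding header assumed per the API docs."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "hibp-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in Pwned Passwords (0 if not seen)."""
    prefix, suffix = split_hash(sha1_hex(password))
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def check_passwords(passwords: Iterable[str],
                    fetch_range: Callable[[str], str]) -> Dict[str, int]:
    """Check a whole list (e.g. a password-manager export); return only the hits.

    Ranges are cached per prefix so passwords sharing a prefix cost one request.
    """
    cache: Dict[str, Dict[str, int]] = {}
    found: Dict[str, int] = {}
    for pw in passwords:
        prefix, suffix = split_hash(sha1_hex(pw))
        if prefix not in cache:
            cache[prefix] = parse_range(fetch_range(prefix))
        n = cache[prefix].get(suffix, 0)
        if n:
            found[pw] = n
    return found


# Constructed sample response for prefix 5BAA6 (SHA-1("password") starts with it).
# The count for that suffix is the figure quoted in the thread; other lines are
# made up, and the ':0' line mimics API padding.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:46628605
0000000000000000000000000000000000A:3
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0
"""


def fake_fetch(prefix: str) -> str:
    """Offline stand-in for the API: knows only the constructed 5BAA6 range."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    # Swap fake_fetch for fetch_range_online to run against the real service.
    print(check_passwords(["password", "constructed-unique-phrase-1"], fake_fetch))
```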
| kmeisthax wrote:
| More importantly, since HIBP sells monitoring services to
| 1Password, if they were maliciously collecting this data they
| would be immediately sued to oblivion.
| gorgoiler wrote:
| I've always had a bit of a chip on my shoulder about HIBP's
| switch to charging for domain searches. It felt a bit like those
| travel visa scalpers who charge 50 CURRENCY_UNIT to file an
| otherwise gratis form on your behalf.
|
| Law enforcement should provide this kind of service as a public
| good. They don't, but if you do instead, I don't think it's cool
| to unilaterally privatize the service and turn it into a
| commercial one.
|
| I voted with my feet but this post feels like a good enough place
| to soapbox a bit!
| NetMageSCW wrote:
| How much did you donate to keep HIBP running?
|
| What is the URL to your free HIBP alternative?
| debugnik wrote:
| > However, none of the other passwords associated with my address
| were familiar.
|
| Could at least some of those cracked passwords be hash collisions
| for really weak choices of hash? I once looked up an email of
| mine on a database leak, and found an actual outdated password
| except for random typos that I suspect hashed the same.
| ptrl600 wrote:
| Are there any email services which allow basically unlimited
| aliases with long, random names?
|
| I'm using my own domain right now, but that can only uncover who
| has leaked my data; does not provide additional privacy.
| bootlooped wrote:
| I know you can set up "catch-all" email with a custom domain
| through Proton Mail.
|
| I don't think there's any limit on gmail + codes.
| mac-attack wrote:
| duckduckgo's free email aliases. Can use it as a front-end and
| keep your existing domain
| ptrl600 wrote:
| I misphrased my query; I already run my own mail server and
| am using a unique e-mail address for every service. I'm
| wondering if there's a provider with a common domain name
| shared between lots of users that still allows such a large
| number of aliases. That would let me use a fake name for
| anything that doesn't need my real identity, and wouldn't
| reveal my identity in the case of a breach. Has any e-mail
| provider found a way to implement this while preventing
| abuse?
| gostsamo wrote:
| check simple login. they were bought by Proton, but you can use
| them without the parent.
| mapper32 wrote:
| https://simplelogin.io/
| mkl wrote:
| Use a catch-all inbox. Fastmail supports them well in its web
| interface. I use unique addresses for every organisation.
| ycuser2 wrote:
| The problem with catch-all inbox is when you have to reply to
| an email. Then you have to create the email address to be
| able to send emails from it. Or are there other solutions?
| mkl wrote:
| When you reply, any sensible system will use the address
| you received it at. Fastmail does this, as do many others
| (I used Thunderbird for many years, possibly with an
| extension to do that). To send an email from scratch you
| just type the address you want in the from field or select
| from a list. At no point is there any need to create
| specific addresses, as the catch-all means all addresses
| are already valid.
| omeletdufromage wrote:
| Another commenter mentions ProtonMail, but somewhat
| unadvertised is with a paid Proton sub (I forget which tier),
| you also get access to SimpleLogin. It's a service which lets
| you create new email aliases with your domain that just send
| them to another email you own. (Also lets you send emails as
| that alias, so the other end doesn't see your real address.)
|
| I use it with Vault/Bitwarden, which lets me generate email
| addresses of format `<uuid>@my.domain.com` when I create new
| login info for services.
| stOneskull wrote:
| proton unlimited, i think. mail plus doesn't seem to do it,
| which kinda sucks.
| gostsamo wrote:
| I checked a few of my passwords and a few random ideas. It turns
| out that I'm not the only one who finds the Star Wars drone names
| a good inspiration for a password, but the rest were okay. Proud
| that I found a password which leaked in only one breach. Whoever
| has used "feromancer" as a pass, congrats, you might be unique
| among a big part of humanity.
| sloped wrote:
| I switched to using masked emails with Fastmail primarily so I
| could see who sold my data. The potential security benefit was
| not really a driver. Having 1Password be able to generate a
| unique email makes it a no-brainer these days. For those services
| that require a username that is not your email, they can usually
| be used without the domain part. Works really well.
|
| I even wrote a tiny little local only web app that I can use to
| generate a masked email on my phone, so when I need an email for
| an in person thing I can just show them my brand new weird email
| directly on my phone.
| digiconfucius wrote:
| Any interesting finds on companies that tried to sell your
| data?
| sloped wrote:
| Not really any places where things get sold, but opt-in in
| the background for newsletters is bad in certain sectors.
| Ticket platforms are terrible. I like to use a new email for
| every event and boy does that lead to new round of clicking
| opt-out until I can deactivate the email after the event has
| concluded.
| frankdvn wrote:
| I just learned that FastMail provides an iOS shortcut to
| "Create Masked Email".
|
| Just be careful, you must press Save after or else you'll lose
| it.
| layer8 wrote:
| Interestingly, the HIBP data seems to have an expiration date. My
| email address from the Dropbox data breach [0] is now shown as
| having no recorded breaches, although it did back in 2016 after
| HIBP acquired that dataset.
|
| [0] https://haveibeenpwned.com/breach/Dropbox
| reddalo wrote:
| Are you sure you typed the right email address?
|
| My 2012 Dropbox leak still shows up for my account.
| layer8 wrote:
| Yes, I'm sure. The old password from that breach also doesn't
| show any hits.
| zahlman wrote:
| From what HIBP tells me (from an email address; I am not about to
| put any site's password in there, I don't care that they don't
| know who I am or what it's for):
|
| > During 2025, the threat-intelligence firm Synthient aggregated
| 2 billion unique email addresses disclosed in credential-stuffing
| lists found across multiple malicious internet sources. Comprised
| of email addresses and passwords from previous data breaches,
| these lists are used by attackers to compromise other, unrelated
| accounts of victims who have reused their passwords. The data
| also included 1.3 billion unique passwords, which are now
| searchable in Pwned Passwords.
|
| (Edit: this is also directly linked in TFA. Well, I guess the
| site was still somewhat successfully advertised here...)
|
| So, this doesn't seem to comprise new information, and doesn't
| imply that your email _has been associated with_ your password by
| the hackers.
|
| Although they probably do have passwords for a couple of services
| I don't use any more, which I have not reused.
| elwebmaster wrote:
| Why are we still using passwords? Why can't all login be done
| with asymmetric keys: your public keys are stored on the server,
| your private keys on the device. Carry a backup pair on your USB
| and treat it as a key to your house. Any of them got lost? Just
| delete the respective public key from the service.
| magackame wrote:
| That's passkeys. Google and Microsoft are pushing in that
| direction.
| elwebmaster wrote:
| I have never seen a website where I can sign up without a
| password and using only email and passkey. Is there one? All
| websites treat passkeys as an "add-on" to the passwords of
| the last century. Totally backwards thinking.
| mrweasel wrote:
| How are you going to sign in and delete the public key, if you
| lost the private key?
|
| This is exactly why so many do not want passkey, the recovery
| options aren't exactly great.
| layer8 wrote:
| Amusingly, hunter2 is listed with over 50.000 breaches.
| waynesonfire wrote:
| Another ad for have i been owned? ... How much does it cost to
| advertise on hackernews?
| galaxyLogic wrote:
| What about "pass-codes"? Weren't they supposed to replace passwords?
| anonu wrote:
| > we run on Azure SQL Hyperscale, which we maxed out at 80 cores
| for almost two weeks
|
| the data challenge is interesting here. there's clearly a lot of
| data - but really its just emails and passwords you need to keep
| track of. SQL feels like overkill that will be too slow and cost
| you too much. are there better solutions?
|
| 15 billion records of email+password, assume ~40 bytes, that's
| roughly 600 GB
|
| should be searchable with an off-the-shelf server.
|
| of course, I'm oversimplifying the problem. but I'm not clear why
| any solution to insert new records would take 2 weeks...
| jiggawatts wrote:
| > we run on Azure SQL Hyperscale
|
| Definitely the wrong technology, and was almost certainly
| picked only because Troy Hunt is a "Microsoft Regional Director
| and MVP".
|
| Many other technologies scale better for this kind of workload.
| Heck, you could ask ChatGPT to write a short C# CLI tool to
| process the data on one machine, you don't even need a huge
| box.
|
| This kind of thing comes up here regularly on HN for problems
| such as duplicate password detection, leaked password
| filtering, etc...
|
| After previous brainstorming sessions the general consensus was
| that it's _really_ hard to beat a binary file that contains the
| sorted SHA hashes. I.e.: if you have 1 billion records to
| search and you're using a 20-byte SHA1 hash, then create a
| file that is exactly 20 billion bytes in size. Lookup is
| (naively) just binary search, but you can do even better by
| guessing where in the file a hash is likely to be by utilising
| the essentially perfectly random distribution of hashes. I.e.:
| a hash with a first byte value of "25" is almost certainly
| going to be 10% of the way into the file, etc...
|
| It's possible to create a small (~1 MB) lookup table that can
| _guarantee_ lookups into the main file with only one I/O
| operation of a fixed size, such as 64 KB.
|
| Sorting the data is a tiny bit fiddly, because it won't fit
| into memory for any reasonably interesting data size. There's
| tricks to this, such as splitting the data into 65,536 chunks
| based on the first two bytes, then sorting the chunks using a
| very ordinary array sort function from the standard library.
|
| On blob storage this is super cheap to implement and host,
| about 50x cheaper than Azure SQL Hyperscale, even if it is
| scaled down to the minimum CPU count.
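The sorted-hash-file layout jiggawatts describes, as an added example that is not HIBP's code and not the commenter's: digests are chunked by their leading bits, each chunk sorted with the library sort, and a small start-offset index lets a lookup read one bounded byte range and binary-search inside it. It generalises the "first two bytes" to a configurable `prefix_bits` (16 reproduces the thread's 65,536 chunks); the "file" is an in-memory bytes object and the digests are constructed from `pw0`..`pwN`.

```python
"""Sorted fixed-width SHA-1 file with a small prefix index (bounded-I/O lookups).

Added example, not HIBP's code. The blob would live in blob storage in a real
deployment and record_index() would read exactly one byte range from it.
"""
import hashlib
from typing import Iterable, List, Tuple

REC = 20  # SHA-1 digest length; fixed width, so byte offset = record index * REC


def bucket_of(digest: bytes, prefix_bits: int) -> int:
    """Bucket = the top prefix_bits of the hash (16 bits = the thread's first two bytes)."""
    return int.from_bytes(digest[:4], "big") >> (32 - prefix_bits)


def build_sorted_blob(digests: Iterable[bytes],
                      prefix_bits: int = 16) -> Tuple[bytes, List[int]]:
    """Chunk by prefix, sort each chunk with the library sort, concatenate.

    Returns (blob, starts): starts[b] is the record index where bucket b begins
    and starts[b + 1] where it ends, so the index has 2**prefix_bits + 1 entries
    (about 512 KB for 16 bits with 8-byte offsets). Duplicate hashes are dropped.
    """
    buckets: List[List[bytes]] = [[] for _ in range(1 << prefix_bits)]
    for d in digests:
        if len(d) != REC:
            raise ValueError("expected 20-byte SHA-1 digests")
        buckets[bucket_of(d, prefix_bits)].append(d)
    starts = [0]
    parts = []
    for b in buckets:
        chunk = sorted(set(b))  # each chunk is small: an ordinary in-memory sort
        parts.append(b"".join(chunk))
        starts.append(starts[-1] + len(chunk))
    # Buckets are emitted in prefix order and each is sorted, so the blob is sorted.
    return b"".join(parts), starts


def record_index(blob: bytes, starts: List[int], digest: bytes,
                 prefix_bits: int = 16) -> int:
    """Record index of digest, or -1. Only the digest's bucket range is touched."""
    b = bucket_of(digest, prefix_bits)
    lo, hi = starts[b], starts[b + 1]
    window = memoryview(blob)[lo * REC:hi * REC]  # the single bounded read
    a, z = 0, hi - lo
    while a < z:  # binary search over fixed-width records inside the window
        m = (a + z) // 2
        rec = bytes(window[m * REC:(m + 1) * REC])
        if rec < digest:
            a = m + 1
        elif rec > digest:
            z = m
        else:
            return lo + m
    return -1


def contains(blob: bytes, starts: List[int], digest: bytes,
             prefix_bits: int = 16) -> bool:
    return record_index(blob, starts, digest, prefix_bits) >= 0


def estimated_index(digest: bytes, total_records: int) -> int:
    """Interpolation guess from the uniform hash distribution (the thread's
    'first byte 25 is about 10% into the file'), using the first 4 bytes."""
    return int.from_bytes(digest[:4], "big") * total_records >> 32


def max_read_bytes(starts: List[int]) -> int:
    """Largest byte range any lookup has to read: the size of the fullest bucket."""
    return max(starts[i + 1] - starts[i] for i in range(len(starts) - 1)) * REC


def constructed_digests(n: int) -> List[bytes]:
    """Constructed sample: SHA-1 of 'pw0'..'pw{n-1}' standing in for leaked hashes."""
    return [hashlib.sha1(f"pw{i}".encode()).digest() for i in range(n)]


if __name__ == "__main__":
    blob, starts = build_sorted_blob(constructed_digests(100_000))
    probe = hashlib.sha1(b"pw4242").digest()
    print("found:", contains(blob, starts, probe),
          "| worst-case read:", max_read_bytes(starts), "bytes")
```

With one billion records and 16 prefix bits each bucket holds about 15,000 digests (300 KB); raising `prefix_bits` shrinks the per-lookup read at the cost of a larger index.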
| zazaulola wrote:
| Try Blake3 instead of SHA-1
|
| https://github.com/BLAKE3-team/BLAKE3
| jiggawatts wrote:
| The sorting is the slowest step by far.
|
| Hashing is so fast that you can hand-wave it away as zero
| cost relative to the time taken to read such a large amount
| of data. Also, you only have to do it once for the whole
| input, which means that it's O(n) time where 'n' is the
| gigabytes of passwords you have.
|
| Sorting is going to need about O(n * log n) time even if
| it's entirely in memory, but more if it has to spool to
| disk storage then it'll take much longer than the hashing
| step.
|
| PS: I just realised that 2 billion passwords is not
| actually that much data -- only 40 GB of hashes -- that's
| well within the range of what's "easy" to sort in-memory by
| simply creating an array of hashes that size and calling a
| standard library sort function.
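| Worked example for the two comments above (the sorted SHA-1 file with a
| small prefix index, and the chunk-by-first-two-bytes sort). This is an
| added illustration, not code from any commenter or from HIBP itself; the
| sample passwords are constructed and the file and index layout are my
| assumptions about how such a store would be laid out.

```python
import hashlib
import os
import tempfile

HASH_LEN = 20            # SHA-1 digest size: 1e9 records -> exactly 20e9 bytes
PREFIX_BUCKETS = 65536   # one chunk per value of the first two hash bytes


def sha1_of(password: str) -> bytes:
    return hashlib.sha1(password.encode("utf-8")).digest()


def build_sorted_hash_file(passwords, path):
    """Chunk by the first two bytes of each hash, sort every chunk with the
    standard library sort, and write the chunks in prefix order: the result
    is one globally sorted file. (Chunks are in-memory lists here; at real
    scale each chunk would be its own spill file that is sorted separately.)
    Returns the prefix index: the start offset of each chunk plus a sentinel."""
    chunks = [[] for _ in range(PREFIX_BUCKETS)]
    for pw in passwords:
        h = sha1_of(pw)
        chunks[int.from_bytes(h[:2], "big")].append(h)
    index = [0] * (PREFIX_BUCKETS + 1)
    with open(path, "wb") as f:
        for prefix, chunk in enumerate(chunks):
            index[prefix] = f.tell()
            for h in sorted(set(chunk)):        # dedupe, then an ordinary sort
                f.write(h)
        index[PREFIX_BUCKETS] = f.tell()
    return index


def lookup(path, index, password) -> bool:
    """One bounded I/O: the index says exactly which byte range can contain
    this hash, so only that chunk (about file_size / 65536 bytes) is read,
    then binary-searched in memory."""
    h = sha1_of(password)
    prefix = int.from_bytes(h[:2], "big")
    start, end = index[prefix], index[prefix + 1]
    if start == end:
        return False                           # empty chunk: nothing to read
    with open(path, "rb") as f:
        f.seek(start)
        block = f.read(end - start)
    lo, hi = 0, len(block) // HASH_LEN
    while lo < hi:
        mid = (lo + hi) // 2
        cand = block[mid * HASH_LEN:(mid + 1) * HASH_LEN]
        if cand == h:
            return True
        if cand < h:
            lo = mid + 1
        else:
            hi = mid
    return False


def expected_fraction(h: bytes) -> float:
    """The interpolation idea: hashes are uniformly distributed, so a hash
    whose leading bytes are 0x80 00 ... sits about halfway through the file."""
    return int.from_bytes(h[:8], "big") / 2 ** 64


def demo():
    """Build a tiny file from constructed sample passwords (not real breach
    data) and return the facts worth checking."""
    sample = ["password", "123456", "hunter2", "correct horse battery staple",
              "password"]                      # duplicate on purpose
    path = os.path.join(tempfile.mkdtemp(), "sha1-sorted.bin")
    index = build_sorted_hash_file(sample, path)
    return {
        "file_size": os.path.getsize(path),    # 4 unique hashes * 20 bytes
        "index_bytes": len(index) * 8,         # ~512 KB as 64-bit offsets
        "found": [lookup(path, index, p) for p in sample],
        "missing": lookup(path, index, "constructed-string-not-in-the-set"),
        "largest_read": max(index[i + 1] - index[i] for i in range(PREFIX_BUCKETS)),
    }


if __name__ == "__main__":
    print(demo())
```

| The index is 65,537 offsets, about half a megabyte as 64-bit integers,
| which is what makes the "one read of a bounded size" guarantee possible:
| with a billion uniformly distributed hashes each chunk is roughly 300 KB,
| and the read never has to touch anything outside it.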
| zazaulola wrote:
| What other algorithms have you used? I'm really
| interested in big data streams. I would like to hear not
| only successful solutions, but also failed ones. Have you
| tried using Bloom filters? Is it possible to merge shards
| using the Min-Heap algorithm?
| Stebet wrote:
| Hi.
|
| Stefan (the other HIBP developer) here :)
|
| There are good reasons for the tech we picked. I'll elaborate
| in a more detailed answer later today or tomorrow.
|
| I love good nerd discussions.
| enjaydee wrote:
| Thought the same thing, and agree completely with jiggawatts.
| Troy does very well off the back of this relationship, and on
| that note I hate how confusing the marketing language of
| "Microsoft Regional Director and MVP" is.
| bobmcnamara wrote:
| > I'm not clear why any solution to insert new records would
| take 2 weeks...
|
| The article mentions some of the challenges, like 1.9e9 sha1
| hashes. And 1.9e9 row updates performing poorly in-place, so
| they created a separate table for the results. Then they got
| rate limited by email providers when they wanted to tell people
| about their pwnage
| jorams wrote:
| This seems to include details from a Spotify data breach in or
| before early 2020 that, to my knowledge, was never reported on.
| They did have other, similar issues that year.
|
| Reporting from the time seems to all be about one or multiple
| leaks/attacks involving:
|
| - Credential stuffing with data _from other breaches_
|
| - A leak of data (including email addresses) to "certain business
| partners" between April 9, 2020 and November 12, 2020.
|
| On April 2, 2020 somebody logged in to my Spotify account (which
| had a very weak password) from a US IP address. This account used
| an email address only ever used to sign up to Spotify years
| earlier, and the account had been unused for years by that point.
| I changed the password minutes later. A few hours after that
| Spotify also sent an automatic password reset because of
| "suspicious activity". At no point have I ever been notified by
| Spotify that my data had been leaked, though it obviously had,
| and now said email finally shows up on HIBP.
| Torn wrote:
| You'd think spotify as a mature company would have had
| obligations to report this stuff!
| ChrisMarshallNY wrote:
| I think, at this point, we should just assume that our emails are
| out there. Can't put the candy back in the pinata.
|
| My main email addy is an OG mac.com address. I registered it
| about five minutes after Steve announced it. My wife got her
| first name, but I suspect that Chris Espinosa already had
| chris@mac.com.
|
| In any case, it was compromised back when Network Solutions sold
| their database to spammers (or some other scumbags sold their
| database), and it's been feral, ever since. Basically, most of
| this century.
|
| I've survived it. I maintain Inbox Zero, frequently.
|
| One of the saving graces, is that mac.com has "aged out," so most
| of the spammers switched over to icloud.com, and that means I can
| just set up a rule to bin anything that comes into icloud.com.
| 1970-01-01 wrote:
| Giving out fake information is the only solution. Real name is
| only for the government and your employer.
| 1a527dd5 wrote:
| This explains why my outlook/hotmail account had a 2fa prompt
| from a country I've never been in a few days ago.
|
| Checked my password on https://haveibeenpwned.com/Passwords :-
| This password has been seen 1 times before in data breaches!
|
| _Great_.
| Retr0id wrote:
| The scale of infostealer malware is really staggering. I'd have
| naively assumed that OSes were getting locked down so much by
| default these days that local malware was less of an issue.
| hk1337 wrote:
| I'm guessing this is total, not an alert that something happened
| last night that exposed 2 billion email addresses.
| jacquesm wrote:
| I totally respect Troy and the work he's doing, but I still can't
| justify to myself the risk of typing my passwords into his
| website because that would be the very first time that I would
| use any of those in places other than the ones where I normally
| use them.
|
| Is there a way around this?
|
| Edit: to answer my own question, I should read a bit more rather
| than click on the first link, the answer is here:
|
| https://haveibeenpwned.com/API/v3?ref=troyhunt.com#PwnedPass...
|
| Which uses:
|
| https://en.wikipedia.org/wiki/K-anonymity
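| The k-anonymity range check in working form, both halves of the exchange.
| This is an added example, not HIBP's code: the server side is a constructed
| stand-in for the real range endpoint (api.pwnedpasswords.com/range/<prefix>),
| and the corpus is a handful of made-up entries. The point it shows is that
| only the first 5 hex characters of the SHA-1 ever leave the client, and the
| remaining 35 are matched locally against whatever the range returns.

```python
import hashlib

# Constructed stand-in for the server-side corpus (password -> times seen).
# The real service holds hundreds of millions of hashes; these are samples.
SAMPLE_CORPUS = {"password": 3, "123456": 12, "letmein": 1}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every full hash by its first 5 hex characters."""
    ranges = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append((h[5:], count))
    return ranges


def range_query(ranges, prefix: str) -> str:
    """Server side: the body a GET /range/{prefix} would return, one
    'SUFFIX:COUNT' line per hash in that range. The server sees only the
    prefix, which is shared by every hash in the bucket, so it cannot tell
    which (if any) of those hashes the client actually holds."""
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(ranges.get(prefix, [])))


def client_prefix(password: str) -> str:
    """The only thing that leaves the client: 5 hex chars = 20 bits."""
    return sha1_hex(password)[:5]


def check_password(password: str, fetch_range) -> int:
    """Client side: ask for the range, then compare the remaining 35 hex
    characters locally. Returns the breach count, 0 if not seen."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def demo():
    ranges = build_range_index(SAMPLE_CORPUS)

    def fetch_range(prefix):          # swap for an HTTP GET against the real API
        return range_query(ranges, prefix)

    return {
        "password": check_password("password", fetch_range),
        "123456": check_password("123456", fetch_range),
        "unseen": check_password("constructed-unseen-9w!Zq", fetch_range),
        "sent": client_prefix("password"),
    }


if __name__ == "__main__":
    print(demo())
```

| To use it against the live service, replace fetch_range with an HTTP GET of
| the range URL and feed the response body into check_password unchanged; the
| client-side comparison is the same.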
| arealaccount wrote:
| DM me your passwords, I'll do it for you
| mbana wrote:
| Do some research on passwords, in particular read Bruce
| Schneier's stance on passwords.
| senorqa wrote:
| If there's no meaningful reward or punishment for keeping or
| leaking PII, companies won't do anything about it. They'll keep
| collecting sensitive info unless they're educated or forced not to
| collect unnecessary PII.
| tencentshill wrote:
| We need to make storing customer data and recommendation
| algorithms a liability.
| adabyron wrote:
| Not just this but the lack of diligence by companies that allow
| accounts to be created, bills to go unpaid & then sent to
| collection agencies is something that needs to change.
|
| Speaking as someone who has had companies give away my PII and
| then other companies open accounts with it without contacting
| me until bills are due.
|
| None of this should be the fault of innocent individuals.
| yawgmoth wrote:
| When you have days like this, 2-10 billion and you want to search
| it, what are the cheapest options? Reindexing could be slow, but
| search should be reasonably quick. It would be really expensive
| to do this all in, say, Elastic, right? Especially if you had a
| bunch of columns?
| 8cvor6j844qw_d6 wrote:
| Anyone have thoughts on Bitwarden / 1Password / Proton Pass?
|
| Proton Pass feels too new for me but eagerly awaiting good
| feedbacks / reviews. However, "don't put all your eggs in one
| basket" might apply here.
|
| Went with Bitwarden instead of 1Password since it's open source,
| and I imagine (in my uninformed opinion) that a larger userbase
| by being free means more issues might be encountered and ironed
| out.
| LilBytes wrote:
| 1Password is awesome.
|
| I haven't really looked at anything else but I found >2 years
| ago the UI of BitWarden to be ordinary. And it was more awkward
| to manage a company.
|
| Went with 1Password in the end, and that you get a free Family
| account with a Business account is great.
|
| Your position on how BitWarden is open source should contribute
| to any decision you make though.
| frm88 wrote:
| I switched from Windows to Linux a couple of weeks ago and to
| KeePass XC. I like it that I can easily copy/paste passwords
| on sites where autofill is not allowed, e.g. banking. It's
| free, open source, no tracking and local and you can donate
| directly to the org. Of late I grow somewhat allergic to
| commercial solutions.
| txtsd wrote:
| I suggest KeepassXC + SyncThing + KeepassDX (for Android)
| mrweasel wrote:
| If you're happy with Bitwarden, I think you should stick to
| that. I'm currently using 1Password, I switched after the
| security issues with Lastpass. Later I did try Bitwarden but
| was unhappy with the ability to correctly identify username and
| password fields on websites. Others tell me that they have
| a better experience with Bitwarden, so I might have to give it
| a try again.
|
| 1Password is really nice, but it's also expensive, compared to
| Bitwarden.
| lisbbb wrote:
| I'm sorry, but I couldn't really follow what the hell that guy
| was writing. So some huge number of emails and passwords got
| exposed somehow?
| Springtime wrote:
| This is a massive PITA for any users who exclusively use unique
| passwords and various unique addresses, as it sounds like the
| source of the breach(es) is unknown (so hard to judge which
| accounts would be affected without using Troy's sites to test
| _everything_ or find some searchable dump online somewhere
| dubious).
| NetMageSCW wrote:
| Just check each unique password and then you know which sites
| need a password change?
| dmje wrote:
| I'm unclear how the new data helps anyone? If you identify you've
| been in a data breach with Adobe for instance, you change your
| Adobe password. But if you're in this new dataset there's no
| service being pointed at - just "you've been breached" which
| doesn't really help anyone apart from those who have the same pwd
| for everything. Maybe they're the audience, I'm unclear.
| pacificmint wrote:
| I agree. I wish it would tell me the password, there is a good
| chance I could identify the service that it came from based on
| the password. This way it doesn't feel that useful.
| hufdr wrote:
| I feel like my phone number and email have already been leaked a
| long time ago. These days I get spam emails almost every day, and
| random calls from different cities keep coming in. What I keep
| wondering is how all this data gets out there. Is there an entire
| underground business built around selling our information?
| seb1204 wrote:
| Yes, unfortunately there is a whole industry out there after
| your data.
| fencepost wrote:
| I was mildly annoyed by the handling of this for domains. I have
| a personal domain, and now I know that one of the generally
| service-specific email addresses I've used (most likely with a
| unique password unless it's Palm levels of old) has been breached
| with its password. I don't know which one because I don't have a
| high enough (paid) account.
|
| If I'd realized that jumping through the hoops to get onto the
| site was just going to tell me I'd need a paid account I'd have
| saved myself a few minutes. As it was it made the whole
| experience feel like I fell for a sales email.
| saintamh wrote:
| Domain search is free. I never paid for HIBP and they give me a
| list of every address @my-domain that's been leaked.
|
| Edit: others are pointing out that it's only free for domains
| with fewer than 10 pwned addresses. I have 8.
| fencepost wrote:
| The message I got wasn't related to the number of addresses
| affected (though I've been using this approach for a couple
| decades), but IIRC regarded whether the datasets in question
| were free.
| mrweasel wrote:
| This is exactly why I am incredibly reluctant to sign up for
| any new service. You have to offer me something very special for
| me to ever create an account with your site. A free trial simply
| isn't enough for me to want to deal with yet another account,
| and I have a password manager.
|
| Sign in with Google/Apple/Facebook/Microsoft/Github, whatever,
| could have been a solution, but I don't believe any of them to
| be trustworthy long term.
| voidUpdate wrote:
| Ah, so that's why I've been receiving emails about suspicious
| attempted logins...
| jonathanstrange wrote:
| I don't understand "email leaks." My email has and always will be
| public, that's the whole point of having an email address. It's
| on my website so people can contact me.
| w4lker wrote:
| I have several doubts about the utility of haveibeenpwned. For
| example, I know for a fact that a certain email of mine has been
| exposed, but it never appears on the site.
| WhereIsTheTruth wrote:
| This website is very useful, you can target any individuals and
| find all their secrets (websites they browse, their data and
| passwords)
|
| More seriously, they should notify the owner of the email address
| privately rather than displaying it publicly, this can be easily
| weaponized
|
| But who cares right, they are monetizing the service..
| NetMageSCW wrote:
| None of that is true, but you keep your outrage going.
| WhereIsTheTruth wrote:
| If that makes you sleep better at night, you are free to
| believe none of that is true and just move on..
| donatj wrote:
| Many people here have echoed similar sentiments, but I really
| wish they would give you any sort of information so you could
| have any sort of idea of what got pwned and ideally when. Was it
| a bank account, or some random forum? As it stands the action of
| even processing this data was of very little utility.
|
| As with roughly a quarter of the planet, I was in this breach. My
| 1Password Watchtower is green. I cycle important passwords
| regularly. Back 10-15 years ago my passwords like most people's
| were much shorter and not randomly generated. All of them for
| everything show up in the passwords search.
|
| The utility of Have I Been Pwned approaches zero the longer you
| have been on the internet, and I have been on the internet since
| the late 1990s.
|
| We're left in a place where everyone but the victim knows the
| compromised account, and that's just kind of absurdly useless.
| jve wrote:
| > The utility of Have I Been Pwned approaches zero the longer
| you have been on the internet, and I have been on the internet
| since the late 1990s.
|
| I mean if your 1Password is green then HIBP has definitely
| helped.
|
| First of all, without HIBP, you wouldn't have Watchtower.
|
| HIBP has raised awareness on having unique passwords per site.
|
| HIBP has achieved that multiple services now can and do check if
| a particular password is leaked or not.
|
| Of course you could argue that since your security hygiene is
| so good you don't need HIBP. True. Let's pretend every person
| on the planet will be generating unique passwords per service.
| Great. HIBP will have achieved an enormous job of making the
| planet more secure.
|
| And still a notification if you appear in some breach that can
| be attributed to a service - good signal to change password.
|
| Hats off for you cycling the password.. Have you ever run into
| problems with that? Say you kinda rotated password but it no
| longer is accepted or something?
| TabTwo wrote:
| Got 10 hits. 8 of the email addresses were invalid like user1@
| and user2@ while user@ would be the valid one
| L_226 wrote:
| Is Troy rotating out old breaches? Because I have 2 email
| addresses that were definitely part of leaks (I got notified by
| the parties that were hacked), and one of them used to show up as
| compromised on the site, but no longer. The other one was part of
| the Qantas frequent flyer leak (I got an email from Qantas about
| it), but this address doesn't show up as part of that leak.
| mdale wrote:
| Almost like it's irresponsible to not require 2 factor nowadays.
| dangerboysteve wrote:
| Is it me, or is anyone just numb to all these breach articles? I
| take all the precautions, use 2FA everywhere, stay away from
| sketchy sites, use ad/malware blocker and the issue is always
| never the individual. It's usually the website/app and their lack
| of security, not keeping up with patching or sloppy programming.
| bookofjoe wrote:
| As a complete non-techie reading hundreds of comments on this it
| strikes me that there are a pretty much unlimited number of
| solutions/methods employed and described by HN readers -- which
| makes me conclude none of them is THE best answer. It's like we
| say in medicine: the fact that there are 100 remedies for hiccups
| means none of them usually work.
| timvisee wrote:
| The email I have in that list is invalid and must be generated.
| It's on a domain I own.
| 1vuio0pswjnm7 wrote:
| As used here, the term "preventative" means an approach or
| strategy that seeks to prevent email addresses from becoming
| public and term "remedial" means an approach or strategy that
| seeks to limit damage if email addresses become public
|
| To reduce risk from data breaches one option is to send less
| personal data to websites rather than more (preventative)
|
| One old strategy is to not "sign up" for websites unless
| absolutely necessary (preventative), e.g., to complete a
| commercial transaction. On the early www, sites publishing public
| information generally did not ask for email addresses
|
| Another old strategy is to use account-specific addresses and
| account-specific passwords that identify the account, the date
| and the computer used, i.e., some user-constructed identifier only
| known to the computer user (remedial)
|
| Alas today's website operators, including ones offering nothing
| more than public information, attempt to convince visitors to
| "sign up" and submit email addresses, even when it is not
| necessary to access the public information
|
| The website operators benefit from this data collection
|
| As such, data collectors may not recommend that users stop
| signing up for websites and sending email addresses
| (preventative). It would reduce their benefit. Instead, they
| encourage it
|
| HIBP is one such data collector. It requests email addresses in
| order to search public information
|
| HIBP focuses on behavioural trends with respect to passwords
| (remedial) instead of behavioural trends in sharing personal data
| with website operators (preventative)
|
| The operator even admits having an interest in password managers
|
| "My interest in 1Password aside"
|
| Data breaches share private information with the public, making
| it, detrimentally,^1 public information. This is how it becomes
| accessible to HIBP
|
| An obvious mitigation strategy is to limit the amount of private
| information collected (preventative), thereby limiting the amount
| that could ever be shared with the public in a data breach. This
| is "preventative"
|
| HIBP is "remedial", i.e., it assumes private information has
| become public. Without data breaches to collect and search, HIBP
| would not exist
|
| The two approaches, preventative and remedial, are not mutually
| exclusive
|
| Both can be used at the same time (preventative plus remedial)
|
| HIBP appears to ignore the preventative approach of modifying
| behaviour to not submit email addresses to websites. Perhaps
| because HIBP itself engages in data collection. It solicits email
| addresses
|
| Unfortunately, one cannot use an account-specific address with
| HIBP. It solicits addresses that have potentially been used for
| other accounts
|
| 1. Arguably breaches are not detrimental for HIBP since it
| profits from their existence. If there were a reduction in data
| breaches, could HIBP continue to successfully solicit more email
| addresses? If there were behavioural changes that resulted in www
| users creating fewer accounts and sharing fewer email addresses,
| would demand for password managers such as 1Password be reduced?
___________________________________________________________________
(page generated 2025-11-07 23:02 UTC)