On Wed, 16 Dec 2020 at 17:52, Tim via users <users@lists.fedoraproject.org> wrote:
> On Wed, 2020-12-16 at 07:51 -0400, George N. White III wrote:
> > There are services like https://haveibeenpwned.com/ that check
> > passwords against captured databases. Google will warn you if a
> > password saved in Chrome appears in one of the stolen password
> > databases. When this was introduced it detected a couple of
> > stolen passwords that I used with sites that either went out of
> > business or were taken over by "bad actors". I think a number of
> > other password managers can also check against the databases.
>
> My concern with those kinds of services is that there's two ways they
> can work:
>
> 1. You send them your password, and they look it up in their database.
> 2. A similar kind of thing is done where they compare checksums rather
>    than the actual passwords.
>

The second method will be used by legit services.

>
> Either way, it's ripe for exploitation. No doubt there's fake password
> check sites out there that just immediately skim your password for
> their own purposes. I'm more in favour of a kind of site that logs
> which sites have been compromised or bought out, and when, then you can
> decide whether to change your passwords with them, or leave.
>

From my experience, failed businesses often come back with different
names or sell customer lists to another business. Names of web sites
often have little relation to the registered name of a business (and
here in Canada we have "numbered" companies).

> Always use good, and totally different passwords for all services, as a
> matter of course.
>
> I'm against the usual password policies, as well. Repetitively changing
> your password is no guarantee of avoiding being hacked, and is more
> likely to lead to you forgetting your passwords.

That's easy, just write down the password on a post-it and attach it to
your monitor so you don't need to remember it.

> And weird untypeable
> and unmemorable number and letter combinations are more of a problem
> for yourself than any exploiters. And when banks tell you that you
> must use an eight-character-long password I just want to scream at
> them.
>

Not to mention the user agreement that says the bank isn't responsible
for anything.

--
George N. White III
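
The checksum comparison listed as method 2 in the thread, as an added example that is not part of the original messages: it goes beyond them by using the hash-prefix range query that the Pwned Passwords service documents, where the client sends only the first five hex characters of a SHA-1 digest and compares the rest locally. The server class, corpus and counts are constructed stand-ins (assumptions) so the code runs offline.

```python
import hashlib

# Constructed stand-in for a breach corpus; passwords and counts are made up.
CONSTRUCTED_CORPUS = {"password": 1000, "letmein": 50, "qwerty123": 7}

def split_hash(password):
    """Hash locally; return (5-char prefix to send, 35-char suffix kept private)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping malformed lines."""
    found = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            found[suffix.upper()] = int(count)
    return found

def breach_count(password, fetch_range):
    """Return how often the password appears; the match happens on the client."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

class FakeRangeServer:
    """Hypothetical offline server: records every value a client sends it."""
    def __init__(self, corpus):
        self.seen = []
        self.rows = [(*split_hash(pw), n) for pw, n in corpus.items()]

    def fetch_range(self, prefix):
        self.seen.append(prefix)
        return "\r\n".join(f"{s}:{n}" for p, s, n in self.rows if p == prefix)

if __name__ == "__main__":
    server = FakeRangeServer(CONSTRUCTED_CORPUS)
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", breach_count(candidate, server.fetch_range))
    print("server saw only:", server.seen)
```

With method 1 the operator receives the password itself; here `server.seen` holds only five-character prefixes, and the full digest never leaves the client.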