For folks asking about 8.4B record “RockYou2021” password list that’s in the news today, this is an aggregation of multiple other lists. For example, this password cracking list: crackstation.net/crackstation-w…
Among other things, it contains “every word in the Wikipedia databases” and words from the Project Gutenberg free ebook collection: gutenberg.org
Unlike the original 2009 RockYou data breach and consequent word list, these are not “pwned passwords”; it’s not a list of real world passwords compromised in data breaches, it’s just a list of words and the vast majority have *never* been passwords
Just do the maths: about 4.7B people use the internet. They reuse passwords like crazy not just across the services each individual uses, but different people use the same passwords. Then, only a small portion of all the services out there have been breached.
Continuing the maths, the increasing prevalence of stronger password hashing algorithms in data breaches makes it harder to extract plain text passwords for use in lists like this, so the real number of exposed and *usable* passwords declines again
So, are there 8.4B passwords out there *in total*, let alone breached, cracked and in a single list? No, not by a long shot.
This list is about 14 times larger than what’s in Pwned Passwords because the vast, vast majority of it isn’t passwords. Word lists used for cracking passwords, sure, but not real world passwords so they won’t be going into @haveibeenpwned
Still really surprised this has made headlines and been shared to the extent it has, it’s like people don’t read stories before sharing them…
Tempted to add a 1 to the end of each “password”, join it back to the original list and ship it to the media as 16.8B passwords!
Alright folks, this is starting to smell like bullshit. Not the alleged breach (which smells bad for reasons I'll explain in a moment), but the "AI" line from both Europcar and the PR agency that just emailed me pitching someone's hot take on it. Here's why:
Firstly, on the legitimacy of the data, a bunch of things don't add up. The most obvious one is that the email addresses and usernames bear no resemblance to the corresponding people's names. For example:
Next, each of those usernames is then the alias of the email address. What are the chances that *every single username* aligns with the email address? Low, very low.
We often receive comments to the effect of “we want to purchase a @haveibeenpwned subscription but our company doesn’t allow us to use a credit card”. What is the financial reason behind this?
This is a very small portion compared to those that *do* pay by card, but why is this?
To add to this, having spent 14 years at Pfizer I’d see policies like this all the time. But it’s also not like there was a blanket ban: try going on a business trip and asking the person at the noodle shop you’re having lunch at to raise an invoice on 60 day terms 🤣
This also isn’t about traceability; spend the money, raise an expense claim with receipt, job done. I could understand if the answer was “because an invoice and wire transfer stops people randomly buying stuff and puts procurement in control”, but they could still pay with a card.
Let me add some more context to the Dymocks breach, starting with giving them a massive pat on the back for responding so quickly. It was less than 48 hours between me contacting someone there via LinkedIn and them having sent disclosure emails to customers. Massive kudos!
What's not as clear from the story is the extent to which the data was already circulating before I was able to get in touch with them. Multiple Telegram channels and a popular *clear web* (not dark web) forum were broadly circulating the data.
I also suspect we're about to see a repeat of the question so many people raised after Optus and Medibank: why do they still have my data? About a quarter of the rows are flagged "inactive" with dates as far back as 2005, yet still sit there with address, email, phone etc.
Had a weird thing happen with @AzureApiMgmt that caused the public @haveibeenpwned API to start getting laggy, especially around 1 week ago. It went from ~220ms response times 90 days ago to over 1 second up until yesterday. Scaled out an instance and now we're down to ~70ms.
This is despite very consistent performance of the underlying @AzureFunctions app. Something started gradually going south at the APIM level and I'm continuing to look at that with the team there.
What I'm a bit more interested in now is tackling this graph. This is "gateway errors", namely the reason APIM rejects requests. Exceeding the rate limit is number 1, but invalid subscription keys are massive too, plus there's an obvious hourly spikey pattern.
Ok folks, here’s the next edition of “Troy’s IoT Hell” 👿
Recently I had to make a call between buying the older Yale Assure locks sold locally here in Aus or the newer one only sold in the US. This was for 2 locks, one for the front door and one for the front (undercover) gate.
I went with the newer ones from the US as they were smaller, looked a lot neater, support Matter (with a coming add on module) and only took a few days for shipping. They look *great*!
However… I knew I wouldn’t be able to pair them with the Yale app in the Aussie App Store. I’m going to come back to this issue later in the thread, for now it was an easy fix with a spare iPhone and US Apple account reddit.com/r/homeautomati…