Today I learned about the #Plex (@plex) breach via my work's internal off-topic chat and was linked to a @TheVerge article that said an email had been sent out. Turns out my spam filter got it 😞 🧵
One thing of note in the article is the advice it reports, and the wording of that advice is terrible. They do not recommend changing your password because it is "encrypted", and then state that it is hashed. These are two different things.
Hashes generally are not reversible; however, that is only partly true, since an attacker can re-run the same hash function over guesses in a brute-force or dictionary attack and compare the output against the leaked hashes. You can make this much harder by salting the input with a unique per-user value (so precomputed tables are useless and every user has to be attacked separately) and by using a deliberately slow password hash such as bcrypt, scrypt or Argon2 (so each guess costs real time). The problem with #AshleyMadison was that they didn't salt their hashes.
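To make the hashing point concrete, here is an added example (my own illustration, not code from Plex or from the article) that contrasts a plain unsalted SHA-256 store with a per-user-salted scrypt store. The "leaked" hashes and the wordlist are constructed inline and are not real data; the user names are made up.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST: List[str] = ["password", "letmein", "hunter2", "plexrocks", "correcthorse"]


def unsalted_sha256(password: str) -> str:
    """The weak scheme: a fast hash with no salt. Same password -> same hash for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes: List[str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted hashes.

    One hash per candidate word is enough to test every leaked hash at once,
    because the attacker can build a lookup table once and reuse it.
    """
    table = {unsalted_sha256(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def salted_scrypt(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """The stronger scheme: a random per-user salt plus a slow, memory-hard KDF.

    n/r/p are the scrypt cost parameters; they are kept modest so the example
    runs quickly, not tuned for production.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so verification does not leak via timing."""
    _, candidate = salted_scrypt(password, salt)
    return hmac.compare_digest(candidate, digest)


def make_salted_table(passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Store {user: (salt, digest)} the way a properly designed site would."""
    return {user: salted_scrypt(pw) for user, pw in passwords.items()}


def crack_salted(rows: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary attack against salted hashes.

    No shared lookup table is possible: every guess has to be re-hashed with
    each user's own salt, and each guess pays the full scrypt cost. Returns the
    recovered passwords and the number of KDF invocations the attacker needed.
    """
    recovered: Dict[str, str] = {}
    work = 0
    for user, (salt, digest) in rows.items():
        for word in wordlist:
            work += 1
            if verify_scrypt(word, salt, digest):
                recovered[user] = word
                break
    return recovered, work


if __name__ == "__main__":
    leaked = [unsalted_sha256(p) for p in ("hunter2", "plexrocks", "Tr0ub4dor&3")]
    print("unsalted, cracked:", crack_unsalted(leaked, WORDLIST))

    rows = make_salted_table({"alice": "hunter2", "bob": "hunter2"})
    print("same password, different digests:", rows["alice"][1] != rows["bob"][1])
    print("salted, cracked:", crack_salted(rows, WORDLIST))
```

The unsalted attack costs one hash per dictionary word regardless of how many accounts leaked; the salted attack costs one slow KDF call per word per user, and identical passwords no longer produce identical records, so the attacker also cannot spot reuse across accounts. A weak password still falls to either scheme, which is why the thread's advice to rotate it after a breach stands even when the site hashed properly.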
Encryption is reversible; however, you need both the key and the algorithm. The algorithm is usually not a secret (it is often recorded right alongside the ciphertext), so everything hinges on the key. As long as the key is stored securely and separately from the data it protects, and a secure algorithm is used, we are probably fine.
Of course not all encryption techniques are secure, and they just say "secured in accordance with best practices." That phrase means nothing; just tell us which algorithm was used (if it is encrypted at all). Maybe they used 56-bit DES (they probably used AES-256).
You should change your #Password when you think it has been exposed, and certainly when you know it has. Because #Plex has been cagey in its wording, we must assume our passwords might have been exposed.
It is reported that #Plex recommends using 2FA, but if our password has been exposed we aren't really using two factors any more: we are left with whatever token (something-you-have) or biometric (something-you-are) factor we've enabled, and the password no longer counts as a second factor on top of it.
Well, unless you are using a #YubiKey (by @Yubico) with biometrics or something similar that combines something-you-are and something-you-have in one device. That aside, once your password is exposed it is no longer something you know, but something everyone knows :).
But the article does not actually reflect what #Plex is recommending: reading their email, they are forcing a password change on everyone. Yes, if they are using AES-256 and storing passwords properly we are probably fine, but this is a good move, as our passwords might have been exposed.
I also like a recommendation that is in the article but not in the email: use a password manager. There is no need to know hundreds of passwords. I know exactly three personal passwords: my password manager's, my Google account's, and my Microsoft account's.
That way all three are long, not socially engineerable, and not reused, which keeps them secure.

Thread by Clifford Dutka