Today I learned about the #Plex (@plex) breach via my work internal off-topic chat and was linked to a @TheVerge article that said an email was sent out. Turns out my spam filter got it 😞 🧵
One thing of note in the article is the advice that is reported and the device of the advice is terrible. They do not recommend you change your password because it's encrypted and then stated it is hashed, these are two different things.
Hashes generally are not reversible, however, this is a bit untrue since you can re-run the hashing technique via brute force and dictionary attacks. You can make these very hard by salting the data (this was the problem with #AshleyMadison they didn't salt their hashes.
Encryption is reversible; however, you need the encryption key and the algorithm used, now the aglo used is in the encrypted string so you have it. As long as the key is stored securely and separately from the secure data and they are using a secure algo, we are probably fine.
Of course not all encryption techniques are secure, and they just say "secured in accordance with best practices." - this doesn't mean anything, just tell us the encryption used (if it is encrypted...) maybe they used DES-56 (they probably used AES256)
You should change your #Password when you think your password has been exposed or you know it's been exposed. Because #Plex has been caging in their terms, we must assume that our password might have been exposed.
It is reported that #Plex recommends that you use 2FA, but if our password has been exposed, we aren't really using 2FA - we are using whatever token (something-you-know) or biometric (something-you-are) factor we've enabled and not a second factor.
Well unless you are using a #YubiKey (by @Yubico) with biometrics or something similar that has something-you-are and something-you-have in one device. That aside, once your password is exposed, it's no longer something you know, but something everyone knows :).
But the article is actually not what #Plex is recommending, reading their email is forcing a password change on everyone. Yes if they are using AES256 and properly storing their passwords we are probably fine, but this is a good move, as our password might have been exposed.
I also like what is reported in the article, but not in the email, use a password manager. There is no need to have hundreds of passwords that you know, I know exactly three personal passwords my Password Manager, my Google Account, and my Microsoft Account.
This way all three passwords are long, not socially engineerable, and not reused - keeping them secure.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
