Thread: Detect Compromised Passwords

  1. #1
    Master bomberman's Avatar
    Join Date
    Nov 2010
    Location
    The only town in Britain with Caesar's name
    Posts
    1,285

    Detect Compromised Passwords

    Anyone have any ideas as to how accurate Apple's Detect Compromised Passwords is?

    Reason for asking is that 80 to 90% of my saved passwords on the device have been compromised due to a data leak and it’s recommended that I change my passwords immediately.

    I should add that most of my passwords are not the same.

    Thanks

    B

  2. #2
    Master M1011's Avatar
    Join Date
    Jun 2020
    Location
    London, England
    Posts
    3,288
    If in doubt I'd update them.

  3. #3
    Probably best to change them, even if they are "throwaway" accounts on sites you don't visit any more. If they have "appeared on a data leak" they'll be tested at some point, if not already, and used for sending spam, identity fraud or scamming.

    Even if they are not known to be on a data leak, any password with 12 or fewer characters is quick to hack (if the site keeps the password poorly or not encrypted - which happens more than we might think. Virgin Airlines once read me back my password "because it made them laugh" on a phone call...)

    Using two factor authentication, passkeys (biometric) and other additional methods really helps keep you out of the easy-prey zone too.

  4. #4
    Grand Master hogthrob's Avatar
    Join Date
    Feb 2007
    Location
    Essex, UK
    Posts
    16,911
    A password manager like Bitwarden is also highly recommended, as it can generate, store and autofill super secure passwords.

  5. #5
    Quote Originally Posted by Tokyo Tokei View Post
    Probably best to change them, even if they are "throwaway" accounts on sites you don't visit any more. If they have "appeared on a data leak" they'll be tested at some point, if not already, and used for sending spam, identity fraud or scamming.

    Even if they are not known to be on a data leak, any password with 12 or fewer characters is quick to hack (if the site keeps the password poorly or not encrypted - which happens more than we might think. Virgin Airlines once read me back my password "because it made them laugh" on a phone call...)

    Using two factor authentication, passkeys (biometric) and other additional methods really helps keep you out of the easy-prey zone too.
    What is the source of that table? I think it underestimates the value of length.

    E.g. put three random five-letter words (English, all lower case) into a site like https://www.security.org/how-secure-is-my-password/ and it estimates 10 billion years to crack.

    Certainly as you say your best bet for a difficult to crack password is to make it a long one.

  6. #6
    Master
    Join Date
    Dec 2010
    Location
    NW Leics
    Posts
    8,198
    Quote Originally Posted by tertius View Post
    What is the source of that table? I think it underestimates the value of length.

    E.g. put three random five-letter words (English, all lower case) into a site like https://www.security.org/how-secure-is-my-password/ and it estimates 10 billion years to crack.
    Just tried this with dictionary words, got "1 thousand years" without the spaces.

    One of my regular passwords is in excess of 20 chars long and uses all of the classes from the last column in the graphic. Just tried one of the same length and similar structure and got 700 sextillion years, which is 50,750 trillion times longer than the present age of the universe.

    Pretty good password that, memorable enough that I don't have to copy & paste it so it's not stored anywhere, but highly secure.

  7. #7
    It was from security firm Hive https://www.hivesystems.com/password-table

    I used it because it was fairly recent (from 2023), as clearly the time to crack a password decreases as compute power evolves. Speaking of which, when quantum computing becomes more widely available, those "years" will turn into "seconds".

    But we'll have other issues to worry about then, like the futility of common encryption. "Harvest now/Decrypt later (with quantum capabilities)" is already a thing, hence some companies are already preparing for that.

  8. #8
    Master
    Join Date
    Aug 2018
    Location
    Surrey, U.K.
    Posts
    1,518
    That's an excellent observation TT. The way I understand it, making sure products and systems are quantum-encryption ready across ecosystems will be a very significant security challenge. And it has to be the ecosystem, not just passwords, products and code here and there.

  9. #9
    Quote Originally Posted by monogroover View Post
    Just tried this with dictionary words, got "1 thousand years" without the spaces.

    One of my regular passwords is in excess of 20 chars long and uses all of the classes from the last column in the graphic. Just tried one of the same length and similar structure and got 700 sextillion years, which is 50,750 trillion times longer than the present age of the universe.

    Pretty good password that, memorable enough that I don't have to copy & paste it so it's not stored anywhere, but highly secure.
    Yes, I did use spaces - it makes it easier to remember (imo) and also adds an additional character to the character set, of course.

    I would imagine a 20+ character password would be essentially uncrackable (to a brute force attack anyway) even if it were just lower case letters. Until we have quantum computing of course - that will indeed be a game changer and I suspect short or long passwords will be the least of our worries!

  10. #10
    Quote Originally Posted by Tokyo Tokei View Post
    It was from security firm Hive https://www.hivesystems.com/password-table

    I used it because it was fairly recent (from 2023), as clearly the time to crack a password decreases as compute power evolves. Speaking of which, when quantum computing becomes more widely available, those "years" will turn into "seconds".

    But we'll have other issues to worry about then, like the futility of common encryption. "Harvest now/Decrypt later (with quantum capabilities)" is already a thing, hence some companies are already preparing for that.
    Interesting. I wonder if their calculations are based on assuming that you know in advance that the char set is restricted? As, unless I have misunderstood something, a properly hashed password would not reveal that, so you still need to try all the possible combinations. Or, thinking further, perhaps they are assuming you would first try just numbers, then just lower case letters, and so on. That would probably be more efficient (for some values of efficient), and would certainly be effective for simpler short passwords using a restricted character set.

    An interesting conundrum, I hadn't thought about attack strategies in that way before. (Mainly because I've never had reason to).
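A small calculator, added here as an example (it is not code from the thread or from any of the tools mentioned), that puts numbers on the argument running through posts #5, #6, #9 and #10: how big the search space is for the password shapes discussed, how much the answer depends on whether the attacker models the password as characters or as dictionary words, and what "try the small character classes first" costs. The guess rates and the 7,776-word list size are assumptions chosen for illustration.

```python
import math

# Added example, not from the thread. Throughputs are illustrative
# assumptions about an OFFLINE attack on a leaked hash list, not measurements:
# a fast unsalted hash on a GPU rig versus a deliberately slow password hash.
RATES_PER_SECOND = {
    "fast unsalted hash (GPU rig)": 1e11,
    "slow password hash (bcrypt, high cost)": 1e4,
}

CHAR_CLASSES = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "printable ASCII": 95,
}


def keyspace(alphabet: int, length: int) -> int:
    """Candidates of exactly this length drawn from an alphabet of that size."""
    return alphabet ** length


def passphrase_keyspace(words: int, dictionary_size: int) -> int:
    """Candidates for N words chosen independently from a wordlist (separators
    aside). This is the right model once the attacker knows the password is a
    few dictionary words, whatever its length in characters."""
    return dictionary_size ** words


def ladder_overhead(length: int) -> float:
    """Post #10's strategy: exhaust the smaller character classes first.
    Returns the cost of all smaller classes as a fraction of the cost of the
    largest class alone, at a fixed length."""
    sizes = sorted(CHAR_CLASSES.values())
    largest = sizes[-1]
    return sum(keyspace(a, length) for a in sizes[:-1]) / keyspace(largest, length)


def time_to_exhaust(candidates: int, rate: float) -> float:
    """Worst-case seconds to try every candidate at the given guess rate."""
    return candidates / rate


def describe(seconds: float) -> str:
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report():
    """Compare the shapes discussed in the thread under both attacker models."""
    shapes = {
        "8 chars, mixed case + digits": keyspace(62, 8),
        "15 lowercase chars (character view of 3 x 5-letter words)": keyspace(26, 15),
        "3 words from a 7,776-word list (assumed list size)": passphrase_keyspace(3, 7776),
        "4 words from a 7,776-word list": passphrase_keyspace(4, 7776),
        "20 lowercase chars": keyspace(26, 20),
    }
    rows = []
    for name, n in shapes.items():
        bits = round(math.log2(n), 1)
        times = {model: describe(time_to_exhaust(n, rate))
                 for model, rate in RATES_PER_SECOND.items()}
        rows.append((name, bits, times))
    return rows


if __name__ == "__main__":
    for name, bits, times in report():
        print(f"{name}: {bits} bits")
        for model, t in times.items():
            print(f"    {model}: {t}")
    print(f"ladder overhead at length 8: {ladder_overhead(8):.0%} of the largest class")
```

Two things the numbers show: the same "three five-letter words" string is 26^15 candidates to a character-by-character brute force but only 7776^3 to an attacker who guesses words, so the online estimators' figures are only as good as the attacker model they assume; and exhausting every smaller class before the largest one adds only a few percent at length 8, which is why the ladder strategy post #10 describes is cheap for the attacker and why a short password in a small class falls quickly.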

  11. #11
    Grand Master MartynJC (UK)'s Avatar
    Join Date
    Dec 2008
    Location
    Somewhere else
    Posts
    12,379
    Blog Entries
    22

    Multi-factor authentication (MFA) may help somewhat.

    But when the quantum computing race ends - regardless of the “winner”, the world will never be the same. It will be like all bank accounts will be unprotected, all financial transactions and institutions will be open, as will be all military and government secrets. All transport, power, utility control systems, satellite commands will be open and vulnerable. All the firewalls will become transparent, and so total systems meltdown.

    Bit of a game changer.

    Nothing to worry about. I’m sure we will have something in place.

    Sorry - off topic.

  12. #12
    ^ No it won’t, encryption methods safe from quantum computers are being developed (if not used already).

  13. #13
    Master Skier's Avatar
    Join Date
    Jul 2011
    Location
    Cheltenham, UK
    Posts
    2,967
    Quote Originally Posted by Kingstepper View Post
    ^ No it won’t, encryption methods safe from quantum computers are being developed (if not used already).
    They are already in use though not widely at this time.

  14. #14
    Master
    Join Date
    Apr 2018
    Location
    england
    Posts
    1,602
    My Apple Passwords app has said basically every one of them has been in a data leak.

    Couldn’t be bothered to change any of the passwords and I’ve never been hacked up to now.



  15. #15
    Grand Master MartynJC (UK)'s Avatar
    Join Date
    Dec 2008
    Location
    Somewhere else
    Posts
    12,379
    Blog Entries
    22
    Quote Originally Posted by Skier View Post
    They are already in use though not widely at this time.
    Hope so. I guess like any tech it’s a game of cat and mouse. I see Apple has already implemented PQ3 into iMessage.

  16. #16
    How does a ‘data leak’ even compromise passwords? They should only be stored hashed (and so unreadable).

  17. #17
    Quote Originally Posted by hogthrob View Post
    A password manager like Bitwarden is also highly recommended, as it can generate, store and autofill super secure passwords.
    Bitwarden has changed my life since I converted to it a year ago. I now have around 120 passwords saved. I hope that BW is safe, otherwise I am fooked.


  18. #18
    Grand Master wileeeeeey's Avatar
    Join Date
    Jan 2017
    Location
    N/A
    Posts
    19,305
    Had 1Password for years but now using Bitwarden which means I can finally dump Dropbox. Good stuff.

  19. #19
    Master Skier's Avatar
    Join Date
    Jul 2011
    Location
    Cheltenham, UK
    Posts
    2,967
    Quote Originally Posted by noTAGlove View Post
    Bitwarden has changed my life since I converted to it year ago. I now have around 120 passwords saved. I hope that BW is safe otherwise I am fooked.
    I moved to Bitwarden from LastPass several years ago following the second LastPass major data breach and its move to a business model where the free version could only be used on a single device. It's great for use across multiple platforms and has recently become far better integrated with Apple iOS and iPadOS.

    As a result of this thread I looked at the area in my iPhone to see that there were 74 password changes recommended. Most were from many years ago with a long gone email address and associated password. I probably updated 10 - 12 passwords this afternoon.

  20. #20
    Master bomberman's Avatar
    Join Date
    Nov 2010
    Location
    The only town in Britain with Caesar's name
    Posts
    1,285
    Thanks all for your posts. Some of the comments are somewhat concerning!

    Having looked at Bitwarden, what versions are people using? I’m thinking of the free version initially, although I have some reservations given the fact that a third party has access to all of my passwords in one place.

    Sitting on the fence on this.

    B

  21. #21
    Grand Master wileeeeeey's Avatar
    Join Date
    Jan 2017
    Location
    N/A
    Posts
    19,305
    If you don’t have any cross platform concerns then crack on with iCloud Keychain or go for passwords.google.com. I use all three.

  22. #22
    Craftsman jonasy's Avatar
    Join Date
    Aug 2015
    Location
    London
    Posts
    758
    I use a password manager for everything possible and, where that's not possible, this system:

    https://xkcd.com/936/?correct=horse&battery=staple

  23. #23
    Quote Originally Posted by bomberman View Post
    Thanks all for your posts. Some of the comments are somewhat concerning!

    Having looked at Bitwarden, what versions are people using? I’m thinking of the free version initially, although I have some reservations given the fact that a third party has access to all of my passwords in one place.

    Sitting on the fence on this.

    B
    They don't have your passwords, they have the encrypted store (vault). Without your master password they cannot access it, and the master password never leaves your device, only the hash of the password is sent.

  24. #24
    Master Skier's Avatar
    Join Date
    Jul 2011
    Location
    Cheltenham, UK
    Posts
    2,967
    Quote Originally Posted by bomberman View Post
    Thanks all for your posts. Some of the comments are somewhat concerning!

    Having looked at Bitwarden, what versions are people using? I’m thinking of the free version initially, although I have some reservations given the fact that a third party has access to all of my passwords in one place.

    Sitting on the fence on this.

    B
    The third party, i.e. Bitwarden, does not have access to your passwords. It stores your passwords in an encrypted state using AES-256 encryption (and other techniques) to which you, and only you, have the key/master password.
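The pattern the two replies above describe, worked through as an added example. This is a generic illustration, not Bitwarden's code, parameters or exact scheme: the client derives an encryption key and a separate login hash from the master password, only the login hash and the encrypted vault ever reach the server, and the server keeps a re-hashed copy of the login hash. Python's standard library has no AES, so an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for the real AES-256 vault encryption; the email-as-salt, the iteration counts and the sample vault are assumptions made for the demo.

```python
import hashlib
import hmac
import json
import os

# Added example: a generic "zero-knowledge" vault round trip. Nothing here is
# Bitwarden's code or its real parameters; the KDF settings, the salt choice
# and the stand-in cipher are assumptions for illustration only.
ITERATIONS = 100_000  # assumed KDF work factor


def derive_master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into a 32-byte key. The
    lower-cased account email serves as the per-user salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)


def derive_auth_hash(master_key: bytes, master_password: str) -> bytes:
    """Client side: the only credential ever sent to the server. It is a
    separate one-way derivation, so it cannot be turned back into master_key."""
    return hashlib.pbkdf2_hmac("sha256", master_key, master_password.encode(), 1)


def expand(master_key: bytes, label: bytes) -> bytes:
    """HKDF-style expansion into independent encryption and MAC keys."""
    return hmac.new(master_key, label, hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for AES (not the real scheme)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_key: bytes, vault: dict) -> bytes:
    """Client side: blob = nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = expand(master_key, b"enc"), expand(master_key, b"mac")
    nonce = os.urandom(16)
    plaintext = json.dumps(vault).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(master_key: bytes, blob: bytes) -> dict:
    """Client side: verify the tag before touching the ciphertext."""
    enc_key, mac_key = expand(master_key, b"enc"), expand(master_key, b"mac")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault blob tampered with or wrong key")
    pt = bytes(c ^ k for c, k in zip(ct, keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


# --- server side: never sees master_password or master_key ---
def server_register(email: str, auth_hash: bytes, blob: bytes) -> dict:
    """Store the vault blob and a salted re-hash of the login hash."""
    salt = os.urandom(16)
    return {"email": email, "salt": salt,
            "auth_hash_hash": hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS),
            "vault_blob": blob}


def server_login(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["auth_hash_hash"])


def demo() -> dict:
    email, master_password = "user@example.com", "correct horse battery staple"  # constructed
    vault = {"tz-uk.com": "uV4!k9Lq-example", "bank.example": "Zr7$pW2n-example"}  # constructed

    # Client: derive, encrypt, and send only (email, auth_hash, blob).
    master_key = derive_master_key(master_password, email)
    auth_hash = derive_auth_hash(master_key, master_password)
    record = server_register(email, auth_hash, encrypt_vault(master_key, vault))

    # Server: can check a login, but holds neither the master key nor a route to it.
    login_ok = server_login(record, auth_hash)
    wrong_key = derive_master_key("not the password", email)
    wrong_login = server_login(record, derive_auth_hash(wrong_key, "not the password"))

    # Client, later: fetch the blob and decrypt locally.
    restored = decrypt_vault(master_key, record["vault_blob"])
    return {
        "login_ok": login_ok,
        "wrong_password_login": wrong_login,
        "vault_restored": restored == vault,
        "server_holds_secret": master_key in record.values() or auth_hash in record.values(),
    }


if __name__ == "__main__":
    print(demo())
```

The point for the "third party has all my passwords" worry: the record the server keeps contains the email, a salt, a hash of a hash, and an opaque blob. A breach of that store hands an attacker an offline guessing job against your master password at the KDF's cost per guess, which is why a long master password matters more than anything else in this setup, but it does not hand over the vault contents.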

  25. #25
    Master PhilipK's Avatar
    Join Date
    Aug 2010
    Location
    Hampshire, UK
    Posts
    4,240
    Quote Originally Posted by Tokyo Tokei View Post
    It was from security firm Hive https://www.hivesystems.com/password-table

    I used it because it was fairly recent (from 2023), as clearly the time to crack a password decreases as compute power evolves.
    When I started my IT career - some time ago! - DEC (Digital Equipment Corporation, makers of PDP and VAX) advised that it was computationally infeasible to crack any password with more than 6 characters at the time.

    These days, nobody brute forces passwords, which is what the table refers to. Instead they use "Rainbow Tables" - effectively pre-compiled complete lists of encrypted passwords, which can be searched much more quickly than brute forcing. Hence use of Multi-Factor authentication for most sensitive uses.
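An added worked example (not from the thread) for the question in post #16 and the rainbow-table point in post #25. A constructed leak of unsalted SHA-256 hashes falls to a lookup table that is computed once and reused for every user and every leak, which is the precomputation a rainbow table amortises. The same passwords stored with a per-user random salt and a slow iterated hash force the attacker to hash every guess separately for every user, and the precomputed table finds nothing. The usernames, passwords, wordlist and iteration count are all made up for the demo.

```python
import hashlib
import hmac
import os

# Added example, not from the thread. Constructed "leak": usernames mapped to
# UNSALTED SHA-256 hashes of passwords chosen here for the demo.
LEAKED_UNSALTED = {
    "alice": hashlib.sha256(b"summer2019").hexdigest(),
    "bob": hashlib.sha256(b"letmein").hexdigest(),
    "carol": hashlib.sha256(b"qT9#vL2m!xRw8pZb").hexdigest(),  # random, in no list
}

# Tiny stand-in for a cracking wordlist; real ones hold billions of entries.
WORDLIST = ["password", "letmein", "summer2019", "qwerty", "correcthorsebatterystaple"]

ITERATIONS = 100_000  # assumed work factor for the salted, iterated scheme


def build_lookup_table(wordlist, algo="sha256"):
    """Hash the wordlist ONCE. Against an unsalted hash the same table serves
    every user in every leak of that algorithm."""
    return {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}


def crack_unsalted(leak, table):
    """Pure lookup: no hashing per victim at all."""
    return {user: table[h] for user, h in leak.items() if h in table}


def salted_record(password: str, salt=None) -> dict:
    """How a site should store a password: per-user random salt plus a slow,
    iterated hash (PBKDF2-HMAC-SHA256 here; bcrypt/scrypt/Argon2 in practice)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": dk}


def crack_salted(records, wordlist):
    """Each record must be attacked on its own: the salt defeats any shared
    precomputed table, and every guess costs ITERATIONS hash rounds.
    Returns (found, number_of_guesses_hashed)."""
    found, guesses = {}, 0
    for user, rec in records.items():
        for w in wordlist:
            guesses += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(), rec["salt"], ITERATIONS)
            if hmac.compare_digest(dk, rec["hash"]):
                found[user] = w
                break
    return found, guesses


def demo():
    table = build_lookup_table(WORDLIST)
    from_unsalted = crack_unsalted(LEAKED_UNSALTED, table)

    # Same users, same passwords, stored properly.
    salted = {
        "alice": salted_record("summer2019"),
        "bob": salted_record("letmein"),
        "carol": salted_record("qT9#vL2m!xRw8pZb"),
    }
    # The precomputed table is useless here: the stored value is not sha256(pw).
    table_hits = crack_unsalted({u: r["hash"].hex() for u, r in salted.items()}, table)
    from_salted, guesses = crack_salted(salted, WORDLIST)
    return from_unsalted, table_hits, from_salted, guesses


if __name__ == "__main__":
    unsalted_hits, table_hits, salted_hits, guesses = demo()
    print("unsalted leak, table lookup:", unsalted_hits)
    print("salted leak, table lookup:  ", table_hits)
    print("salted leak, per-user guessing:", salted_hits, "after", guesses, "slow hashes")
```

Note what survives in both cases: the weak entries. "letmein" and "summer2019" are recovered from the properly stored records too, just at a cost paid per user rather than once per leak, and "carol" is safe only because her password is not in the list. That is the practical answer to post #16: a hashed leak is not a readable leak, but it is still an offline guessing contest against every password in it, which is why "appeared in a data leak" is a reason to change it.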

  26. #26
    Quote Originally Posted by Tokyo Tokei View Post
    It was from security firm Hive https://www.hivesystems.com/password-table

    I used it because it was fairly recent (from 2023), as clearly the time to crack a password decreases as compute power evolves. Speaking of which, when quantum computing becomes more widely available, those "years" will turn into "seconds".

    But we'll have other issues to worry about then, like the futility of common encryption. "Harvest now/Decrypt later (with quantum capabilities)" is already a thing, hence some companies are already preparing for that.
    As tapes hang around longer than disks, they have been bolstering encryption against quantum computing for a while now. https://research.ibm.com/blog/crystals-quantum-safe
