And you could simplify this, too, by using an easy-to-remember hash algorithm that gives you a string like this, dependent on the service (or service domain), e.g. if this is your Facebook password:
"Facebook"
→ pick every fourth letter, append index of first "e"
→ "ek4"
prepend this to $basePassword
→ "ek4Ykwctam$?"
But don’t use this exact algorithm, of course. And probably don’t use this method. IANASecurityexpert!
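The scheme in the post above, written out as an added example (it is not code from the thread or from any poster): the per-site tag is every fourth letter of the service name followed by the 1-based position of the first "e", prepended to a shared base password. The base password and the service names other than Facebook are constructed sample values, and the handling of a name with no "e" (tag position 0) is an assumption the post does not state. The point for a defender is the second half: because the tag is computable from the service name, one leaked password hands over the base and therefore every other site's password, which is exactly why the poster says not to use it. A random per-site password from `secrets`, as the next poster recommends, has no such linkage.

```python
import secrets
import string
from typing import Dict, List, Optional

# Constructed sample base password (not a real credential).
BASE_PASSWORD = "Ykwctam$?"


def site_tag(service: str) -> str:
    """Tag as described in the thread: letters at 1-based positions 4, 8, ...
    of the service name, then the 1-based position of the first 'e'.
    Assumption (not in the thread): a name without an 'e' gets position 0."""
    every_fourth = service[3::4]          # 0-based index 3 == 1-based position 4
    pos = service.lower().find("e")
    first_e = pos + 1 if pos >= 0 else 0
    return f"{every_fourth}{first_e}"


def derive_password(service: str, base: str) -> str:
    """The thread's rule: tag prepended to the shared base password."""
    return site_tag(service) + base


def recover_base(service: str, leaked_password: str) -> Optional[str]:
    """Risk illustration: the tag is public knowledge once the scheme is known,
    so a single leaked password for a known site yields the base password."""
    tag = site_tag(service)
    if leaked_password.startswith(tag):
        return leaked_password[len(tag):]
    return None


def passwords_exposed_by_one_leak(
    leaked_service: str, leaked_password: str, other_services: List[str]
) -> Dict[str, str]:
    """Blast radius of one breach under this scheme: every other site's
    password is recomputable from the recovered base. An empty result means
    the leaked value did not follow the scheme for that service."""
    base = recover_base(leaked_service, leaked_password)
    if base is None:
        return {}
    return {s: derive_password(s, base) for s in other_services}


# Alphabet for the alternative the next poster suggests: unrelated random
# strings per site (the "aV23xce$78gnKlq!" style), generated with a CSPRNG.
ALPHABET = string.ascii_letters + string.digits + "!$%?#"


def random_password(length: int = 16) -> str:
    """Per-site password with no derivable link to any other site's password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    fb = derive_password("Facebook", BASE_PASSWORD)
    print("Facebook:", fb)                                   # ek4Ykwctam$?
    # Constructed scenario: the Facebook password shows up in a breach dump.
    exposed = passwords_exposed_by_one_leak("Facebook", fb, ["Twitter", "Amazon"])
    for service, pw in exposed.items():
        print(f"also exposed -> {service}: {pw}")
    print("random alternative:", random_password())
```

Running the block prints the Facebook password from the post ("ek4Ykwctam$?") and then the Twitter and Amazon passwords that the same leaked value determines; the random alternative changes on every run and says nothing about any other site.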
Phrases are useful, particularly if they don’t relate to stuff you talk about regularly, but are stuff you remember very well yourself. Add a few symbols and numbers, and you’re off and running. I’ve used a similar system for years, but I did finally decide to use a password program. The only thing better than a fairly meaningless phrase is something like aV23xce$78gnKlq!.
I wouldn’t be surprised if most of us here are pwned on most of our accounts (but congrats to tekk for being one of the exceptions!). Shame we can’t be bothered to pass strong consumer protection laws that force industry to use better standards to prevent hacks, and require an immediate admission of it when it does happen instead of letting us know six months later long after the damage is done.
Searchability. It’d be really slow to search through it if it were a plain text file, the whole point of a database is to trade disk space for making that sort of thing fast (and convenient, via other ways, but fast for sure.)
I’m sure there are frat boys right now going “nuh-UH! Jerry took the largest dump in history after the Alpha Delta BBQ last spring, our toilet was clogged for a week! And Booter has pics to prove it”
So what exactly does it mean if your email address has been “pwned” but not the associated password? Just that the address will show up in lists for spam but the account can’t be logged into?
Spam and possibly phishing attempts to get your actual password.
So how do you find out what site your email has been “pwned” for? Changing all my passwords would probably take a week!
The Have I Been Pwned? site shows the list of breaches associated with your email address, just scroll down if it comes up with breaches. If you use a different password for every site, you just have to change the ones on the affected sites. If you reuse passwords…well…good luck.
ETA: The list will also detail whether or not passwords were recovered, or if it was “just” personal details like name, email, address, porn habits, etc.
My primary email came up with 2 breaches - disqus and onliner spambot. The latter was a huge breach in 2017 of 711 million email addys, which explains the occasional phishing email; he goes into the details on his blog for those concerned. I was worried about the malware component of this breach, but I certainly have never opened up any attachment I don’t know, and if you run regular malwarebytes scans and such there’s not a lot more you can do.
ETA: I just realised I don’t even have a disqus account, so I have no idea why one of my breaches comes up as disqus. Unless maybe I commented on a discussion that didn’t require an account but I entered my email address, though I can’t think why I would have. Odd.