Safari warning of Reasontalk password leak?

[Re8et]

I got this warning yesterday on my Safari homepage, just for Reasontalk.

Something in the line of:

'a recent leak on Reasontalk data, your password might be at risk, bla bla bla...'

Anyone else received this???
What was it about???

[huggermugger]

I haven't seen it yet. but Thanks for the heads up.

[joeyluck]

Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.

[Re8et]

Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.

It was on top of the homepage, I opened a page, and it got away.
No screenshots taken.

I never got an Alert like that before, and looking into Safari prefs, I can't get any info from where it came from, logs, or anything like that...

[joeyluck]

Ok perhaps it was specific to you? Do you see anything under Privacy Report in Safari?

[Loque]

Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?

[Re8et]

Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?

Username... sort of...( I mean, youtube, it's Re8et, the same) password no, absolutely not.

There is nothing under privacy, I checked everywhere...
There should be something! That is what I thought... but no... nothing...
It disappeared as it appeared leaving no traces....

False Alarm? Maybe it's Safari that glitched...

[Loque]

Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?

Username... sort of...( I mean, youtube, it's Re8et, the same) password no, absolutely not.

There is nothing under privacy, I checked everywhere...
There should be something! That is what I thought... but no... nothing...
It disappeared as it appeared leaving no traces....

False Alarm? Maybe it's Safari that glitched...

Maybe the ransomware just suppressed the message. Everything is fine now

[Re8et]

Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.

OK, I have another warning, this time it's Amazon. Clicking the link, opens up Amazon...
The Reason warning was basically the same...

Screenshot 2024-04-04 alle 17.20.15.jpg (68.14 KiB) Viewed 2653 times

[Pepin]

I believe the warning just means the password itself was seen in a data leak. The leak may be from a different person's account on a completely different website, but the password itself is the same.

https://support.apple.com/guide/securit ... 3b/1/web/1

[huggermugger]

I got a massive warning yesterday - many of my passwords were recently detected in leaks. Most of them were passwords that used keyboard patterns that are easy for me to recall - apparently I'm not the only one who thinks that way. So I replaced them all, using Safari's strong pwd generator. I'm glad Safari is on top of this stuff.

[crimsonwarlock]

https://support.apple.com/guide/securit ... 3b/1/web/1

Wow, I can't believe the amount of miss-information on that support page, as it constantly talks about 'comparing passwords'. It is basically nonsense to monitor for passwords, as the online databases mostly (besides some brain-dead installs) have only an encrypted version of the password. And the same password is (again, in most cases) differently encrypted in separate systems. The way this works is that the login-system encrypts your entered password when you try to login, and compares that to the encrypted version in your account. This is why you can't ask for your password if you lose it because the organization you ask doesn't have your password, and elaborate systems are in place to get you a new password.

So, it is impossible to check for a password in a password manager, against known stolen databases, as those databases don't actually contain the passwords. It is possible to get a list of obvious passwords generated from an encrypted database, with a dictionary attack. In this case, words in a dictionary are encrypted (hashed) and you get a list of hashes that have the original password linked. Known obvious keyboard patterns are also in dictionaries. However, if the password system is using unique additional strings (a 'salt') it is near impossible to generate the exact hash for a given word in the dictionary. It also shows that easy to remember passwords can be near unbreakable, like 'purplesproutsbaseballflower' (because that is not in any dictionary)

The one thing that can be checked against stolen databases, is your email-address, as that is almost always needed to create a login. You can search for that on special websites:
- https://haveibeenpwned.com
- https://haveibeenbreached.com

Finally, if you use passwords that are random or strange (like my example) and long enough (at this time at least 16 characters), there is little to worry when your info is in a data-breach. Although, your email address will most certainly end up in a spam database

[DaveyG]

XKCD on passwords:

[crimsonwarlock]

XKCD on passwords:

Exactly

[Pepin]

The xkcd approach is good for the rare situation where you need a password memorized.
But beyond that, it's very important to keep all passwords unique, which means using a password generator and manager (unless you have an incredible memory). The best password doesn't protect you from social engineering, but unique passwords limit the damage.

[jam-s]

Even better to use individual email addresses and passwords for each site. If you include the domain name of the site in the mail address you can even see who got breached or leaked your data.

[Loque]

XKCD on passwords:

Exactly

There are still enough sites limiting password length to less than 16 characters... Hard disc space is expensive you know...

[DaveyG]

Even better to use individual email addresses and passwords for each site. If you include the domain name of the site in the mail address you can even see who got breached or leaked your data.

I only recently learned that gmail effectively gives you infinite "subaddresses" on the account that can be used for this very purpose.
If your gmail address is dave@gmail.com you can use dave+anyword@gmail.com and it will get to you. So your Reason login could be dave+reason@gmail.com etc

As for character limits scuppering the xkcd method then yes, there are those, but most sites scupper it by insisting you include a mix of digits, special characters and upper case etc. And then there are those sites that don't allow special characters at all.

[crimsonwarlock]

There are still enough sites limiting password length to less than 16 characters... Hard disc space is expensive you know...

As for character limits scuppering the xkcd method then yes, there are those, but most sites scupper it by insisting you include a mix of digits, special characters and upper case etc. And then there are those sites that don't allow special characters at all.

There are still a lot of login-systems built by ignorant idiots.