Safari warning of Reasontalk password leak?

List your suggestions here for the reasontalk.com website (not Reason feature requests)!
Forum rules
Keep in mind that this forum is for Reasontalk.com suggestions, and not for support on your Reason Studios software.
Post Reply
User avatar
Re8et
Competition Winner
Posts: 1551
Joined: 14 Nov 2016

26 Mar 2024

I got this warning yesterday on my Safari homepage, just for Reasontalk.

Something in the line of:

'a recent leak on Reasontalk data, your password might be at risk, bla bla bla...'

Anyone else received this???
What was it about???

User avatar
huggermugger
Posts: 1470
Joined: 16 Jul 2021

26 Mar 2024

I haven't seen it yet. but Thanks for the heads up.

User avatar
joeyluck
Moderator
Posts: 11294
Joined: 15 Jan 2015

26 Mar 2024

Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.

User avatar
Re8et
Competition Winner
Posts: 1551
Joined: 14 Nov 2016

26 Mar 2024

joeyluck wrote:
26 Mar 2024
Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.
It was on top of the homepage, I opened a page, and it got away.
No screenshots taken.

I never got an Alert like that before, and looking into Safari prefs, I can't get any info from where it came from, logs, or anything like that...


User avatar
Loque
Moderator
Posts: 11365
Joined: 28 Dec 2015

27 Mar 2024

Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?
Reason13, Win10

User avatar
Re8et
Competition Winner
Posts: 1551
Joined: 14 Nov 2016

28 Mar 2024

Loque wrote:
27 Mar 2024
Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?
Username... sort of...( I mean, youtube, it's Re8et, the same) password no, absolutely not.

There is nothing under privacy, I checked everywhere...
There should be something! That is what I thought... but no... nothing...
It disappeared as it appeared leaving no traces....

False Alarm? Maybe it's Safari that glitched... :question:

User avatar
Loque
Moderator
Posts: 11365
Joined: 28 Dec 2015

28 Mar 2024

Re8et wrote:
28 Mar 2024
Loque wrote:
27 Mar 2024
Yea, probably your username and password was found in a database of have accounts.

You don't use the same username and password for different accounts? Do you?
Username... sort of...( I mean, youtube, it's Re8et, the same) password no, absolutely not.

There is nothing under privacy, I checked everywhere...
There should be something! That is what I thought... but no... nothing...
It disappeared as it appeared leaving no traces....

False Alarm? Maybe it's Safari that glitched... :question:
Maybe the ransomware just suppressed the message. Everything is fine now :clap: :thumbup:
Reason13, Win10

User avatar
Re8et
Competition Winner
Posts: 1551
Joined: 14 Nov 2016

04 Apr 2024

joeyluck wrote:
26 Mar 2024
Do you have a screenshot? Where exactly did you see this? I use Safari and have never seen warnings like that on the homepage.
OK, I have another warning, this time it's Amazon. Clicking the link, opens up Amazon...
The Reason warning was basically the same...
Screenshot 2024-04-04 alle 17.20.15.jpg
Screenshot 2024-04-04 alle 17.20.15.jpg (68.14 KiB) Viewed 9997 times

User avatar
Pepin
Posts: 633
Joined: 16 Jan 2015

04 Apr 2024

I believe the warning just means the password itself was seen in a data leak. The leak may be from a different person's account on a completely different website, but the password itself is the same.

https://support.apple.com/guide/securit ... 3b/1/web/1

User avatar
huggermugger
Posts: 1470
Joined: 16 Jul 2021

04 Apr 2024

I got a massive warning yesterday - many of my passwords were recently detected in leaks. Most of them were passwords that used keyboard patterns that are easy for me to recall - apparently I'm not the only one who thinks that way. So I replaced them all, using Safari's strong pwd generator. I'm glad Safari is on top of this stuff.

User avatar
crimsonwarlock
Posts: 2467
Joined: 06 Nov 2021
Location: ##########

04 Apr 2024

Wow, I can't believe the amount of miss-information on that support page, as it constantly talks about 'comparing passwords'. It is basically nonsense to monitor for passwords, as the online databases mostly (besides some brain-dead installs) have only an encrypted version of the password. And the same password is (again, in most cases) differently encrypted in separate systems. The way this works is that the login-system encrypts your entered password when you try to login, and compares that to the encrypted version in your account. This is why you can't ask for your password if you lose it because the organization you ask doesn't have your password, and elaborate systems are in place to get you a new password.

So, it is impossible to check for a password in a password manager, against known stolen databases, as those databases don't actually contain the passwords. It is possible to get a list of obvious passwords generated from an encrypted database, with a dictionary attack. In this case, words in a dictionary are encrypted (hashed) and you get a list of hashes that have the original password linked. Known obvious keyboard patterns are also in dictionaries. However, if the password system is using unique additional strings (a 'salt') it is near impossible to generate the exact hash for a given word in the dictionary. It also shows that easy to remember passwords can be near unbreakable, like 'purplesproutsbaseballflower' (because that is not in any dictionary) :puf_bigsmile:

The one thing that can be checked against stolen databases, is your email-address, as that is almost always needed to create a login. You can search for that on special websites:
- https://haveibeenpwned.com
- https://haveibeenbreached.com

Finally, if you use passwords that are random or strange (like my example) and long enough (at this time at least 16 characters), there is little to worry when your info is in a data-breach. Although, your email address will most certainly end up in a spam database :puf_wink:
-------
Reached the breaking-point. CrimsonWarlock has left the forum.

User avatar
DaveyG
Posts: 2599
Joined: 03 May 2020

04 Apr 2024

XKCD on passwords:

Image

User avatar
crimsonwarlock
Posts: 2467
Joined: 06 Nov 2021
Location: ##########

04 Apr 2024

DaveyG wrote:
04 Apr 2024
XKCD on passwords:
Exactly :thumbup:
-------
Reached the breaking-point. CrimsonWarlock has left the forum.

User avatar
Pepin
Posts: 633
Joined: 16 Jan 2015

04 Apr 2024

The xkcd approach is good for the rare situation where you need a password memorized.
But beyond that, it's very important to keep all passwords unique, which means using a password generator and manager (unless you have an incredible memory). The best password doesn't protect you from social engineering, but unique passwords limit the damage.

User avatar
jam-s
Posts: 3207
Joined: 17 Apr 2015
Location: Aachen, Germany
Contact:

04 Apr 2024

Even better to use individual email addresses and passwords for each site. If you include the domain name of the site in the mail address you can even see who got breached or leaked your data.

User avatar
Loque
Moderator
Posts: 11365
Joined: 28 Dec 2015

04 Apr 2024

crimsonwarlock wrote:
04 Apr 2024
DaveyG wrote:
04 Apr 2024
XKCD on passwords:
Exactly :thumbup:
There are still enough sites limiting password length to less than 16 characters... Hard disc space is expensive you know...
Reason13, Win10

User avatar
DaveyG
Posts: 2599
Joined: 03 May 2020

05 Apr 2024

jam-s wrote:
04 Apr 2024
Even better to use individual email addresses and passwords for each site. If you include the domain name of the site in the mail address you can even see who got breached or leaked your data.
I only recently learned that gmail effectively gives you infinite "subaddresses" on the account that can be used for this very purpose.
If your gmail address is dave@gmail.com you can use dave+anyword@gmail.com and it will get to you. So your Reason login could be dave+reason@gmail.com etc

As for character limits scuppering the xkcd method then yes, there are those, but most sites scupper it by insisting you include a mix of digits, special characters and upper case etc. And then there are those sites that don't allow special characters at all.

User avatar
crimsonwarlock
Posts: 2467
Joined: 06 Nov 2021
Location: ##########

05 Apr 2024

Loque wrote:
04 Apr 2024
There are still enough sites limiting password length to less than 16 characters... Hard disc space is expensive you know...
DaveyG wrote:
05 Apr 2024
As for character limits scuppering the xkcd method then yes, there are those, but most sites scupper it by insisting you include a mix of digits, special characters and upper case etc. And then there are those sites that don't allow special characters at all.
There are still a lot of login-systems built by ignorant idiots.
-------
Reached the breaking-point. CrimsonWarlock has left the forum.

Post Reply
  • Information
  • Who is online

    Users browsing this forum: No registered users and 0 guests