Have I Been PWNED & How It Works

  • Published on 24 Jan 2025

Comments • 38

  • @abdraoufx 6 years ago +7

    My emails are pwned but none of my passwords

  • @sethwilliamson 6 years ago +1

    Also, note that you can sign up on that website to get an email whenever your email address appears on any of the breaches he finds.

  • @HughvanZyl 4 years ago

    your terminal looks really cool

  • @jimsragetogm-uspsa4151 6 years ago

    I have been watching your videos and I am very impressed with your thought that goes into each video. I have had a few of my customers hit with breaches and one was hit with a ransomware virus. We got it cleaned off and now safe however it was painful! Getting users to change the passwords is painful until an event happens.
    My question is (a little off topic) what do you use for customer WOL functionality? For instance a server not restarting after a power outage.

    • @LAWRENCESYSTEMS 6 years ago +1

      Use motherboard boards that have IPMI / "Lights Out" functionality

    • @jimsragetogm-uspsa4151 6 years ago

      @LAWRENCESYSTEMS I was really asking what software you use? I know you use solarwinds, however I am looking for something that will work through a firewall or I may need to place some kind of host software on a PC that will "wake" another device.

    • @1yaz 6 years ago

      @jimsragetogm-uspsa4151 How would you "wake" a powered off system using WOL?
      Since you are working with servers you should take his advice and send commands to the management module(s).
      They usually have web interfaces but you could write scripts using their CLI software, e.g. ASU for IBM, RACADM for Dell, etc...
      If the servers are on managed PDUs you could automate the "wake" process to be run when a power outage is resolved.

  • @Drop-mw5re a year ago

    can you talk about entering email address over command line for this api

    • @LAWRENCESYSTEMS a year ago

      I have never used their API for email checking.

  • @woodswannamaker5797 6 years ago

    Why doesn't LastPass include the API?

  • @Tntdruid 6 years ago +4

    My old pw is on 5 lists 😁☕️

    • @mysteretsym 4 years ago

      Same i change dem

  • @sofaking6642 3 years ago +1

    Numbers have gone up! It's 3,861,493. People are still using password as their password

  • @yuriw777 6 years ago

    So website and github project are different things? That’s confusing

  • @ghosts33 4 years ago +3

    Have I been pwned password
    *proceeds to type in password*

  • @stephenleung1752 6 years ago +1

    No matter how it tries to prove that it is safe, it doesn't seem a bright idea to me to use such website to check passwords I've used anyways (p.s.: I've watched the video I know it uses parts of the hashes)

  • @token112 6 years ago

    As usual, great vid

  • @bryanberch1824 6 years ago

    While I found my login name on the list for accounts not used in over 15 years, none of my passwords appeared used before. I also change passwords regularly.
    I quit using lastpass a few years ago. Mainly because I didn't like the password generator. It was always giving a capital and lowercase of the same letter in the password. I know it's not the same, but I like them all different.

  • @oleksandrlytvyn532 3 years ago

    Thanks

  • @saladpoo 4 years ago

    I had my password stolen on an online schooling account. A SCHOOLING ACCOUNT.

  • @haraldaarseth1870 6 years ago

    Lastpass is not that secure

  • @judmcfeters9054 6 years ago

    SHA1 can’t be reverse engineered? Get your head out of 2005 and join 2019 when this vid was posted. There’s a reason no modern browser (Google, Mozilla, or Microsoft) allows SSL certs based on SHA1 since 2017. Often they won’t even allow an “advanced” option to proceed past the warnings and flat out prevent further attempts to connect. Those browsers have been warning against SHA1 certs since 2015. This IS NOT NEW! If you’re going to post Infosec information, at least attempt to be current.

    • @LAWRENCESYSTEMS 6 years ago

      I said "not easily reversed". I know why it is no longer used, but SHA1 is what the site uses for comparison.

    • @judmcfeters9054 6 years ago

      Lawrence Systems / PC Pickup- Assuming you said “not easily reverse engineered” vs “cannot be reverse engineered,” the statement is still massively wrong. It’s true that the first successful collision of SHA1 took the equivalent of 6600 years of processor time. However, with the improvements of Rainbow Tables, a successful collision can be had in approximately 5 minutes using just an ordinary computer. It doesn’t need to be a fancy nation state sponsored super computer. Even random passwords that are over 30 characters long are defeated in minutes. That’s a very easy hack. It’s for this reason that security experts have been saying since about 2012 that passwords alone are no longer viable for security.

    • @LAWRENCESYSTEMS 6 years ago +1

      Once again, it was not the point of my video, I was not encouraging people to use SHA1 for security. Also if you have five minutes to crack it... :)
      d87cb14fc96359a02429eb2c7c0245a79ba2e1e7

  • @gooseduck7038 4 years ago +1

    It wasn't funny till you find the password peepee has been pwned

  • @peterpain6625 6 years ago +1

    Ehhm... So I put a password I use/used/will use in some random website to be "checked" if it was pwned? Riiiight... If I could download the whole db to check offline then maybe. Otherwise anything entered there I'd consider burned for password ;)

    • @tordenflesk2322 6 years ago +3

      Please watch the video before commenting. It's using hashes.

    • @LAWRENCESYSTEMS 6 years ago +1

      Watch the video! By using the bash script or doing it manually you are not sending your password.

    • @peterpain6625 6 years ago

      @LAWRENCESYSTEMS Yeah ... should have watched to the end before typing. ***FACE->TABLE***

    • @slycordinator 6 years ago

      "If I could download the whole db to check offline then maybe."
      At the link in the description, you can download a copy of the list that was uploaded/created on 17 Jan 2019. It has options for downloading over torrent and cloudflare (if torrent isn't available).
      It'll give you a 7z compressed file that contains the list of the hashed passwords. You can choose between the list with SHA1 or NTLM hashes and each of those either ordered by prevalence or ordered by hash value.
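
An added example, not part of any comment above or of the video's script: the hash-ordered SHA1 download described in the reply above can be searched locally with a binary search over byte offsets, so neither the password nor its hash leaves the machine. It assumes the extracted list is a text file of uppercase `SHA1:COUNT` lines; the sample file is constructed, with the count for `password` taken from the figure quoted in a comment on this page.

```python
import hashlib
import os

def sha1_hex(password: str) -> str:
    # Assumption: the list stores uppercase hex SHA-1 digests.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def _line_at(f, offset: int) -> bytes:
    """Return the first complete line that starts at or after byte `offset`."""
    if offset == 0:
        f.seek(0)
    else:
        f.seek(offset - 1)
        f.readline()  # discard the tail of the line containing offset - 1
    return f.readline()

def lookup(path: str, password: str) -> int:
    """Breach count for `password` in a hash-ordered HASH:COUNT file, 0 if absent."""
    target = sha1_hex(password).encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)
        while lo < hi:  # binary search over byte offsets, not line numbers
            mid = (lo + hi) // 2
            line = _line_at(f, mid)
            if not line or line.split(b":", 1)[0] >= target:
                hi = mid
            else:
                lo = mid + 1
        line = _line_at(f, lo)  # first line whose hash is >= target, if any
    digest, _, count = line.partition(b":")
    return int(count.strip()) if digest == target else 0

def build_sample(path: str) -> None:
    # Constructed sample in the assumed HASH:COUNT layout, sorted by hash.
    # 3861493 is the figure quoted in a comment here; the rest are made up.
    rows = {"password": 3861493, "letmein": 12, "hunter2": 7, "qwerty": 99}
    lines = sorted(f"{sha1_hex(p)}:{c}" for p, c in rows.items())
    with open(path, "w", newline="") as f:
        f.write("\r\n".join(lines) + "\r\n")

if __name__ == "__main__":
    import tempfile
    path = os.path.join(tempfile.mkdtemp(), "pwned-sample.txt")
    build_sample(path)
    for pw in ("password", "hunter2", "correct horse battery staple"):
        print(pw, lookup(path, pw))
```

The prevalence-ordered variant of the list cannot be searched this way; it would need a full scan or a re-sort by hash first.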

  • @float_sam 6 years ago

    I hate this site. I'd prefer to enter a hashed PW, and not rely on shitty javascript with 'telemetry' hanging out where I enter a password.. obviously any password in this form you should consider already compromised.

  • @grouchyed2561 6 years ago

    I’ve always heard it pronounced “pony’d”.

  • @torky1465 3 years ago

    My password is: G3T R1CR0!!3D