Google: All your leaked passwords are belong to us – here's a Chrome extension to find them

During its incessant web crawling, Google's search engine constantly encounters credentials dumped by hackers or left exposed by the careless. And because it can, the ad confectionery copies and encrypts these spilled usernames and passwords. Armed with this info, the Chocolate Factory directed its software engineers, in …

  1. This post has been deleted by its author

  2. Tim J

    Which password manager to plump for?

    I've finally decided to give in - but which password manager is the choice of the Regerati?

    1. Graham Dawson Silver badge

      Re: Which password manager to plump for?

      Bitwarden. Open source and capable of self-hosting.

      1. Graham Dawson Silver badge
        Linux

        Re: Which password manager to plump for?

        Now to figure out if it's the self-hosting or the open source that earned the downvote...

      2. Anonymous Coward
        Anonymous Coward

        Re: Which password manager to plump for?

        If it's just for you, definitely Bitwarden. If you want a family account (which allows easy secure "sharing" of passwords between, say parents, or parent and child) then 1Password (this is a subscription, but IMO it's worth it).

        AC because I don't want to give away information about which Password Manager I'm using, obvs.

        1. Jamie Jones Silver badge

          Re: Which password manager to plump for?

          Why not? Sounds like you don't trust it!

        2. Graham Dawson Silver badge

          Re: Which password manager to plump for?

          Bitwarden also has sharing and family accounts. For a fee, I believe.

          1. Anonymous Coward
            Anonymous Coward

            Re: Which password manager to plump for?

            (same AC as posted about BitWarden and 1Password)

            In that case, compare prices and factor in that BitWarden is open source (more easily auditable). It wasn't around/mature/as multiplatform when I invested in getting other half and children to use 1Password, but I probably would have done had it been. One thing 1Password does which I haven't seen in other managers I've used is the addition of a super-strong generated additional key used in conjunction with your (one strong) password. That's needed to connect to your 1PW account from any new device (as well as your username and password).

            The other option possibly worth mentioning is Enpass which is free on most platforms with one-off payment for Android/iOS app, but has the distinction of using /your/ cloud storage of choice in /your/ storage account (e.g. Google Drive, iCloud etc).

    2. matjaggard

      Re: Which password manager to plump for?

      Chrome. Trivial to use. Just have to trust Google a little.

      1. sanmigueelbeer
        Joke

        Re: Which password manager to plump for?

        I heard ZTE and Huawei are about to launch a password repository app for Android.

        100% guaranteed to be safe and secure.

    3. Anonymous Coward
      Anonymous Coward

      Re: Which password manager to plump for?

      I broke down and installed the unfortunately named KeepAss a while ago. It seems to work well enough, it usually just fills in the username/password automatically. It doesn't seem to like every site though. Nothing fancy. But some of the plugins are nice. Things like making remote backups when you add or change a password. I can't remember if it supports mobile devices or not--if that's something you care about, be sure to look for it. Bonuses: It's free, and I don't have to keep my passwords on someone else's hardware.

      I still don't completely trust it though, so all of the really important ones go into an encrypted OneNote tab. Only slightly higher tech than a notebook by the computer labeled "Passwords".

      1. Anonymous Coward
        Anonymous Coward

        Re: Which password manager to plump for?

        What you do with your donkey is none of our business...

        But if you mean KeePass (keepass.info), it's available in many flavours incl. Mac, iThings, Windows, Linux, even Java, JavaScript, Blackberry and Palm OS... and source code is available if you fancy porting it to something like a PDP11

        1. FrogsAndChips Silver badge

          Re: Which password manager to plump for?

          Also available on Android as KeePass2Android.

    4. big_D Silver badge

      Re: Which password manager to plump for?

      1Password is good, although I currently use LastPass.com.

      At my last employer we used an offline password vault (Keepass) for all company passwords - they had contract clauses with many customers that didn't allow sensitive information to be stored in the cloud.

      Another used encrypted directories on Linux, with each user having a personal key and their key was added to each password file that they should have had access to. Worked reasonably well, but a real pain when a new admin started or left the company and you had to visit each file individually and add/remove a key from the access list, for example.

    5. Anonymous Coward
      Anonymous Coward

      Re: Which password manager to plump for?

      Keepass. Free, open source, non-cloud, cross-platform, subject to EU bug bounties, and getting a code audit.

      1. Anonymous Coward
        Anonymous Coward

        Re: Which password manager to plump for?

        pwSafe, FTW.

        FOSS for Windows, a paid-for port is available for OSX.

    6. Anonymous Coward
      Anonymous Coward

      Re: Which password manager to plump for?

      I can recommend pass. Open-source (it's just a bash-script), usually available in the repositories (so easy to install), works with GPG (so you can use it with a hardware-token) and integrates nicely with git (for syncing the database over multiple machines).

      https://www.passwordstore.org/

    7. Carrot007

      Re: Which password manager to plump for?

      Notepad, obviously ;-)

      1. Anonymous Coward
        Anonymous Coward

        Re: Which password manager to plump for?

        notepad is my 2nd choice, my first choice is good old MS Word (doc). And if you're in any doubt whether I value my privacy, no, it's not a printout, hidden in one of the books that nobody would ever touch (or taped over my screen), it's all over my computers, so no-one has to search too long to find it. Helpfully, I also gave it a title ("my passwords") to make it easy to remember, although, in the moment of unfounded paranoia, I changed the title to something that's not in English. Also, I recommend my method to all my friends who believe I'm a "computer specialist" because I know how to enter bios. And the best part is that it's not a windup. There, I confessed. Anonymously. Huge relief!

    8. jelabarre59

      Re: Which password manager to plump for?

      I've finally decided to give in - but which password manager is the choice of the Regerati?

      The password manager plugin for JPilot?

    9. anothercynic Silver badge

      Re: Which password manager to plump for?

      You can use 1Password... you do *not* need a subscription. You can use it in standalone mode where you create your vault and possibly sync it via Dropbox or iCloud (if you are so inclined).

  3. tip pc Silver badge
    Paris Hilton

    Any Safari equivalents?

    Any Safari equivalents?

    Obvious Paris icon

    1. Anonymous Coward
      Anonymous Coward

      Re: Any Safari equivalents?

      Keychain works quite well for Safari users.

      I end up with too many options on my work machine - and crazy situations where I go to open a shell to a remote system.

      - It kicks off a browser for authentication

      - That requires me to log into a system

      - The password for which is handled by a password manager

      - The password for the password manager is handled by a different password manager

      - Which then has its password saved.

      So it all 'just works' but it could trigger an epileptic whilst it cycles through everything it needs to do to let me log in.

      1. tip pc Silver badge

        Re: Any Safari equivalents?

        I use keychain but I was wondering about any equivalents that would check the stored passwords in safari against exploits.

        1. John Robson Silver badge

          Re: Any Safari equivalents?

          Ah - no idea.

          Annoyingly you can't even get keychain to give you a list of 'weaker' passwords you haven't got round to updating yet...

  4. Anonymous Coward
    Anonymous Coward

    Constants in life

    Death

    Taxes

    Getting hacked

    Only the last one is optional, be prepared.

    1. Tigra 07
      Trollface

      Re: Constants in life

      Taxes are also optional...If you like the idea of going to prison...

      1. Scott 53

        Re: Constants in life

        Taxes are also optional...If you like the idea of going to prison...

        Or if you like the idea of buying Cadburys

  5. Dan 55 Silver badge

    Google knows all

    With Android (WiFi password backup) and Chrome (websites login + sync), they probably know a huge percentage of passwords used worldwide.

    I guess if you trust Google enough to use those two, you're de facto okay with this plug-in too.

  6. DropBear

    The number of forums that forced me to register for a single comment or to view an image every now and then and the number of small online shops I might buy something from once every three years or so are legion. Due to their number there's no way in hell I'll ever use distinct passwords for each, not even through some "schema". Also due to their number it's basically a given that at any particular moment in time whatever password I used with more or less all of them is already compromised. I would not be able to update them all before the new one would leak too from whichever of them is the weakest link - even if I would remember every single one of these places, which I don't come anywhere even close to.

    It's a lost battle I'm not in the mood of fighting so no password managers for me - not that anyone would seem to bother posting in my name anywhere (or do they? Is this the real DropBear?!? Dun-dun-dun...) or buying me anything (card numbers are not involved - I only ever buy CoD at these shops, the whole point is that they are country-local). Yes, there are some higher value accounts, less than a dozen, that I do try looking after slightly better - but they are a drop in the ocean compared to the rest, and funnily enough their passwords tend to stay un-compromised. Regardless, most (that allow it) already also use 2FA anyway (TOTP if it's up to me; SMS if it's up to my bank - thanks a lot...)

    All in all, a password manager - either online or offline - just sounds like such a catastrophic single point of failure (and such a juicy target to grab for anyone ever driving by - which is 100% a "when" not an "if") that I just can't stomach using one - at least this way my small collection of more precious passwords is only stored in my brain...

    1. Palpy
      Pint

      @Dropbear, re points of failure and risks

      Yes, something like KeePassX can put all your candy in one jar, so if that jar gets stolen and opened then your candy is free for the taking. But the KeePassX database is encrypted, and the bad actors have to get to it before they can steal it and try to break the encryption.

      To my mind, it's all about degrees of risk and degrees of effort. For example:

      If a nation-state wants your candy, for some reason, then they will get your candy. That's the highest level of attack, but, for most of us, the most unlikely.

      If a script-kiddy wannabe is trying to get into your system, you're probably OK with basic security measures -- and you could probably store your passwords in a plain-text file, because the kid won't get onto your machine anyway. Low risk attack, but the attempt is not at all unlikely.

      I'm not telling you anything you don't already know, right? There is no absolute security. But for you and me, it's usually good enough to be just a little too hard to crack.

      I agree, too many accounts and too many passwords. So I keep all my "candy" in KeePassX, encrypted with a long password but one with a pattern I can remember. The other passwords vary in difficulty -- the one for my email is crazy long and jumbled, the one for the hiking forum shorter and simpler.

      But a password database like KeePassX can also store names, telephone numbers, addresses, account info, and so forth. So I use it like my mum used her address book -- anything I want to remember about stuff goes in there.

      Yes, all the candy is in that jar. But I'm less worried about someone stealing and then decrypting that file than I would be if those notes were scattered around various text and spreadsheet files. And I know if I just write them down on papyrus I'll lose them.

      That's my two scents.

      1. Anonymous Coward
        Anonymous Coward

        Re: @Dropbear, re points of failure and risks

        There's a massive group of bad actors between script-kiddies and state attackers.

        Any malware you run that allows virtual control of your PC means your candy is fully exposed (keyloggers et al.).

  7. STOP_FORTH
    Joke

    Default password

    Just use "incorrect" - then you get a prompt every time you enter it wrong.

    1. Scott 53

      Re: Default password

      I think Dilbert once told the PHB to change his password to five asterisks to make it easier to remember.

  8. stevebp

    What app for the iPhone would anyone recommend?

    I use one I got for free but now requires you to pay and so my wife can't use the same one - any suggestions?

    1. D@v3

      Re: What app for the iPhone would anyone recommend?

      KeePass works well enough for me.

      It's a little bit of a pain as you can't create / add new passwords to it in iOS, you need to do that on the desktop version and sync them across, but for managing your existing passwords, I find it to be pretty good.

      Free, locally stored encrypted database (I keep mine in dropbox so I can access it from multiple devices without having to constantly update various local copies).

  9. gungho

    Google security

    After their G+ breach & shutdown, would I trust Google with anything security related? No.

  10. Binra

    One to rule them all?

    From being a corporately captured and managed asset to becoming a digital input is not so big a jump. Doublethink is actually simpler and life outside gridlock is a lie.

    I first saw the PR in Trusted Reviews. It's great how we can tell everyone what we are so they can simply be serviced. There was nothing in that article that hinted at being captured. At least the Register allows some indication of the underlying nature of 'trusting' Google with all your passwords - albeit without alarm, outrage, warning or protest.

    It isn't that privacy is possible - so much as proportionate checks and balances against acquiring undue and overwhelming influence.

    It would seem that there is great willingness to get in the nice man's car because he gives away sweeties.

    I remember the Internet - before A.I took over...

  11. TechDrone
    Thumb Up

    Another vote for Keepass

    My employer insisted we use it - 1 keepass per customer, only teams working with that customer even have access to the file.

    I use it at home too - Linux, Windows and 'droid versions. Same method applies though, sites for me are in one file, sites to share (eg utilities, joint accounts) are in another. The only 'droid device with it on is a tablet that never leaves the house, just to be sure.

    Like single signon, it does mean all your eggs are in one very tasty basket, but at least this way I can maintain random passwords for each account. And yes, the keepass file is backed up offline, and not even kept in the house in case something really entertaining happens with the kids' chemistry set.

    The only other option is the little black book [with my poems in] but you can't copy/paste and if you lose it you're seriously screwed.

    1. Anonymous Coward
      Anonymous Coward

      Re: Another vote for Keepass

      Also, you can host KeePass on dropbox, and keep everything synchronised automatically across devices.

      I really like that option.

  12. Anonymous Coward
    Anonymous Coward

    Of course, being Google people will always assume they’re trying to siphon up all the data

    A remarkably sound assessment & highly recommended approach to google: always treat google like a highly-skilled pickpocket. Or a bank. They will try to siphon up your property, and do it with a robo-smile, claiming it's all for your own good.

  13. Harry Stottle

    Keepass - with Tusk - stored in Sync

    I used to use and recommend Roboform, until they made it increasingly difficult to host your own keys and insisted on driving everyone into their cloud. I might even have persisted with that, had they responded intelligently to my request for sight of their security audit or equivalent, and details of the security structure which would prevent them (or anyone else) getting at my key collection. Instead they responded with marketing hype.

    So then I did the research and went looking for any open source option which had not been caught with its digital trousers around its ankles. That very quickly led me to Keepass.

    It's probably perfect for most Reg readers because you're likely to be on the geek spectrum, but it's way over the heads of "normal" users, which is a shame because it offers very strong and configurable protection.

    My only real beef with it was the absence of what I considered to be the most user-friendly feature of Roboform - its ability to act as a bookmark database and, having found the bookmark, take you to the site and login automatically. (like the password managers built into most browsers)

    But then I found Tusk which does a reasonable job of imitating the Roboform functionality. I have it installed in both Firefox and Iron. Has its quirks and limitations but has done a good job of keeping the browser security under control without breaching the underlying "wallet".

    Limitation example: it can't capture newly created credentials while in browser. You have to open up Keepass (separately) to access things like its password generator, then add the new "account" to Keepass and save it. Then you have to deselect the Keepass kdbx file from Tusk and reselect it to get the updated version.

    That's a bit of a faff, especially if you're also a Sandboxie user. (has to be done outside the sandbox or it'll be forgotten at the end of the session)

    That's the kind of thing that stops it being "user friendly" enough for mere mortals, but digital warriors like us will find it reassuringly difficult.

    One other thing. Other Keepass commentards above have pointed out that its "non cloud". Which it is. But Tusk tries to nudge you into storing your keys in the cloud, so you can access them anywhere. It does have a "local file" option, which I use.

    But I'm also happy with the security of the cloud provider sync.com and have a 1Tb account with them (they also do free 5Gb accounts). They're the only cloud service who have managed to convince me that they offer true blind encryption (even they cannot see what I store in their box)

    So I'm happy to store my keyfile in Sync (stored as a "Local File"), where it's still protected by my strong password, but accessible from any of my devices.

    Strongly recommended for those who object to Security Theatre.

    1. FrogsAndChips Silver badge

      Re: Keepass - with Tusk - stored in Sync

      it's way over the heads of "normal" users

      I tend to disagree. Yes, it's highly configurable and extendable, and has advanced features that require some RTFM, but for a standard user all it takes is a few clicks to create a new entry and generate a unique secure password that will be accepted by most sites, which is all they need.

  14. steviebuk Silver badge

    I use...

    ...LastPass but beware, its auto fill has a VERY annoying issue with E-bay. You'll make a listing and fill in the description, only to be told there is script in it, that isn't allowed.

    What are you banging on about? There is no script, I'm just trying to sell off my console retro collection. Then I look at the HTML code and sure enough, there's a big chunk of script.

    Where did that come from?! LastPissingPass.

    It's a known issue apparently and they say if you just whitelist the site, it doesn't auto fill in. But that doesn't work. I've had to turn off auto fill, but even that doesn't stop it injecting code into an e-bay listing's description either. Annoying.

    Other than that, it appears useful.

  15. Anonymous Coward
    Anonymous Coward

    Use 2FA!

    The Register users understand the improved security 2FA delivers and that, implemented well, it doesn't make logging on more difficult. Let's hope for greater uptake by end users and wider implementation by developers, however...

    One problem with HaveIBeenPwned is that it doesn't link the user/password pairs so when it says password 123456 is compromised it may be (!) but perhaps never in combination with _your_ user ID. Obviously nobody would be stupid enough to give a site like HaveIBeenPwned a user/password pair to test (would they?) and even if they did a hacker would have to try it on a few million web sites. Google are proposing that those security concerns are addressed by their encryption & hashing approach (plus the assumption that we trust Google...).

    That means that the Google system should give fewer but "better" alerts i.e. whereas HaveIBeenPwned would just tell you that password:123456 is compromised Google might alert for a user/password pair of john/123456 but not for rumpelstiltskin761/123456. (AC because rumpelstiltskin761/123456 of course!).

    The next step would be to only alert if john/123456 is a compromised user/password pair on the site you are currently logging on to. Is my understanding correct that Google's system doesn't (yet?) do that? I'd be relatively relaxed about even going that far if 2FA was more widely used.

    This reminds me of the story of a guy who went in to his local bank branch to complain that he couldn't use the ATM. Unable to remember his 4 digit PIN, he'd written it on the bank's external woodwork which had now been repainted obscuring his PIN. It wasn't a security risk because the number was only valid in combination with a specific debit card and, in any case, all possible 0000 to 9999 potential combinations are "known" (and, in HaveIBeenPwned terms, "compromised").
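One way to see the distinction this comment draws between a password-only lookup and a user/password-pair lookup, as an added example that is neither the article's nor Google's nor any commenter's code: both checks below send the service only a short hash prefix (a k-anonymity style range query) and compare the full hash locally, so the service never receives the credential itself. SHA-256, the 5-character prefix, the username normalisation and the leaked-pair list are all assumptions made for illustration.

```python
"""Added example: password-only vs credential-pair breach checks behind a
hash-prefix (k-anonymity style) query. Not the article's or Google's code;
the 'leaked' data below is a constructed sample."""
import hashlib

PREFIX_LEN = 5  # hex characters the client reveals to the service (assumption)


def pw_hash(password: str) -> str:
    """Hash of the password alone (the HaveIBeenPwned-style lookup key)."""
    return hashlib.sha256(password.encode()).hexdigest()


def cred_hash(username: str, password: str) -> str:
    """Hash of the user/password pair; lowercasing the username is an assumption."""
    return hashlib.sha256(f"{username.lower()}:{password}".encode()).hexdigest()


# Constructed sample dump of pretend leaked credentials.
LEAKED_PAIRS = [("john", "123456"), ("alice", "hunter2"), ("bob", "123456")]


class BreachService:
    """Service side: stores only hashes and answers prefix range queries."""

    def __init__(self, pairs):
        self.pair_hashes = {cred_hash(u, p) for u, p in pairs}
        self.pw_hashes = {pw_hash(p) for _, p in pairs}
        self.seen_prefixes = []  # everything the service learns from clients

    def range_query(self, prefix: str, table) -> list:
        """Return every stored hash sharing the prefix; the client picks locally."""
        self.seen_prefixes.append(prefix)
        return [h for h in table if h.startswith(prefix)]


def password_compromised(svc: BreachService, password: str) -> bool:
    """Alerts whenever the password appears anywhere in the dump."""
    h = pw_hash(password)
    return h in svc.range_query(h[:PREFIX_LEN], svc.pw_hashes)


def pair_compromised(svc: BreachService, username: str, password: str) -> bool:
    """Alerts only when this exact user/password combination appears."""
    h = cred_hash(username, password)
    return h in svc.range_query(h[:PREFIX_LEN], svc.pair_hashes)


if __name__ == "__main__":
    svc = BreachService(LEAKED_PAIRS)
    for user in ("john", "rumpelstiltskin761"):
        print(user, "password-only:", password_compromised(svc, "123456"),
              "pair:", pair_compromised(svc, user, "123456"))
    print("service only ever saw prefixes:", svc.seen_prefixes)
```

Both users share the weak password, so the password-only check flags both, while the pair check flags john but not rumpelstiltskin761, which is the "fewer but better alerts" behaviour the comment describes.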

  16. Anonymous Coward
    Anonymous Coward

    Password Safe?

    Interesting that no one has mentioned Password Safe: https://pwsafe.org/

    I use this as a simple encrypted password manager, with a damn strong unique password, with the file held on one of the many cloud storage providers.

  17. Alperian
    Go

    Keep calm and struggle on

    As long as I can last without catastrophe until we get some biometric/quantum/alienTechnology nukeproof solution I will be happy.

    At least when it is Google that has a leakage I suspect that a wadge of cash the size of a large planet will be directed at the problem.
