i mean that as in, being able to enter my accounts without even using my password or without installing any virus in my computer. thank you!!

  • umbraroze
    48 months ago

    Depends on the type of account, but here are some of the common methods of how this might happen:

    • The attacker could be straight up guessing the password. (One possible way to mitigate this: the website can go “wow, 10 failed login attempts from that source. I’m going to ignore all attempts from there for 24 hours.”)
    • The attacker could be using previously exposed passwords. (One possible way to mitigate this: The websites should immediately require password reset for all users when that kind of data breach happens. For users: never use same password for multiple different services, certainly never reuse a compromised password even if it’s for a different service. Also: haveibeenpwned.com)
    • The attacker, currently using the same network, could hijack the session. (This was a really huge problem back in the day. In this day and age, websites should be using HTTPS, which limits this very much. Still possible if the site doesn’t use HTTPS, and through some other vectors, e.g. malware or hijacked network hardware).

    Also: Malware is a really scary big problem in that they’re rarely targeting you specifically. Why do that, when they can million people at the same time and sift through that stolen data for most valuable stuff, right?

      • @Nighed@sffa.communityEnglish
        48 months ago

        Email addresses are pretty much public, you give it out to people all the time. It’s no different to giving your physical address, it allows someone to link you to a location, but your house is there anyway if someone walks down the road and wants to break in.

      • slazer2au
        28 months ago

        No, that is not the point of that website. The point of HIBP is to inform you when accounts have been compromised in the past and highlight why you need to use seperate passwords for each site. You seem to be worries about attacks called Credential Stuffing and that attack is completely useless with a different password per site.

        The site creator and owner Troy Hunt is a national treasure and you can check him out online to see his ethos about security.