MSE Password leak?



My Microsoft Edge Password Monitor is telling me that my MSE passwords for clubs, forums and the cheap energy club have been leaked. Any sign it's been a general leak from MSE Towers or is it just me? Anyone else had the alert?
Replies
Many password managers now monitor passwords. They check if a password you have used has been found online and then they let you know all the other sites where they notice you have re-used the same password.
The message is not stating that MSE leaked your password. They are stating that the password manager has noticed you re-using a password - leaked elsewhere - for your MSE logins.
Here are some examples of this on Chrome and Apple.
cosmoray,
You might find these thoughts on when to be worried or not useful:
1. Be worried and change if you use the same username or email address to log in as at the compromised site. This makes it much more likely that trying the same combination in different places will work, because it's easy to try, just one pair per place then move on to the next in the list of say half a million places.
2. Less but a little where half of your login credentials are exposed by the site itself. For example, everyone here who posts discloses their account name and that compromises it, meaning that half of the problem - finding a valid account - is solved and only the passwords need to be tried. The compromised by the site credential can then have millions of previously used anywhere passwords tried against it to see whether any work. Potentially regarded as authoritative accounts like those of frequent posters are potentially at more exposure to possible attempts. More secure would be a different login credential from the posting one.
3. Be minimally worried where the user name part of your login credential isn't shared between sites and isn't disclosed by the site, because the attempts to log in with a password used elsewhere have also got to correctly guess what login user ID you're using and this makes it far, far slower. Sites that use email addresses where you use a different email address for every site would be a highly secure setup where you could have low concern about merely the password having been used elsewhere. Anti-spam places like SpamGourmet or the ability to add extensions to Gmail account names are handy for this because they make it easy to create new addresses just by typing them. Note that SpamGourmet is apparently blocked inbound and outbound by MSE's main email system and forum account screens, but forum automated emails work fine, so you can't use that one here. At the moment I have well in excess of five hundred email addresses for this reason and for mail filtering and have been using SpamGourmet for twenty years. If I get an email from "my bank" to the email address I used here I know instantly that it's fake because it was sent to an address the bank didn't have instead of the real one.
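The three cases in the reply above, written out as a triage over a password-manager export. This is an added example, not part of any post in the thread; the site names, logins, passwords and the `triage` function are constructed for illustration, and placing a non-public login that is shared across several sites in tier 2 is an assumption, since the reply does not cover that case.

```python
from collections import defaultdict

# Constructed sample data. Vault rows:
# (site, login_id, password, login_id_shown_publicly_by_site)
VAULT = [
    ("forum.example",  "alice_posts",               "Tr0ub4dor&3",         True),
    ("shop.example",   "alice@example.com",         "Tr0ub4dor&3",         False),
    ("energy.example", "alice@example.com",         "Tr0ub4dor&3",         False),
    ("bank.example",   "alice+bank7f3@example.com", "Tr0ub4dor&3",         False),
    ("news.example",   "alice+news@example.com",    "unique-and-long-9Qx", False),
]
# Constructed breach record: the (login_id, password) pair exposed elsewhere.
BREACHED = {("alice@example.com", "Tr0ub4dor&3")}


def triage(vault, breached):
    """Return {site: tier} following the three cases in the reply."""
    leaked_pairs = {(login.lower(), pw) for login, pw in breached}
    leaked_pws = {pw for _, pw in leaked_pairs}

    # Count how many sites each login id is used on.
    sites_per_login = defaultdict(set)
    for site, login, _, _ in vault:
        sites_per_login[login.lower()].add(site)

    tiers = {}
    for site, login, pw, public in vault:
        login = login.lower()
        if pw not in leaked_pws:
            tiers[site] = "not affected"
        elif (login, pw) in leaked_pairs:
            # Case 1: same login AND password as at the compromised site.
            tiers[site] = "1: change now"
        elif public or len(sites_per_login[login]) > 1:
            # Case 2: the site discloses the login id (e.g. a posting name).
            # Assumption: a shared but non-public login is also placed here.
            tiers[site] = "2: some concern"
        else:
            # Case 3: login id is unique to this site and not disclosed.
            tiers[site] = "3: minimal concern"
    return tiers


if __name__ == "__main__":
    for site, tier in triage(VAULT, BREACHED).items():
        print(f"{site:16} {tier}")  # passwords are never printed
```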