Scraped data of 2.6 million Duolingo users released on hacking forum - eviltoast

The scraped data of 2.6 million DuoLingo users was leaked on a hacking forum, allowing threat actors to conduct targeted phishing attacks using the exposed information.

  • I_Has_A_Hat@lemmy.ml
    link
    fedilink
    English
    arrow-up
    43
    ·
    1 year ago

    I wish more websites allowed random words as passwords instead of forcing numbers and special characters (but not THAT special character, you have to use one of the ones on this list).

    People change their passwords by one letter or digit because they’re tied to these restrictive formats. If 5-6 random words was the norm, people would update more than just one character when needing to change passwords.

    “poison navy series ruler handshake papaya” is a fantastic password.

    “Ilovemygrandkids!123” is a horrible password.

    • hatter@lemmy.world
      link
      fedilink
      English
      arrow-up
      29
      ·
      1 year ago

      Just use a password manager and a unique, long, random generated password for every site. There’s no need or reason to know the password to anything other than your password manager and your primary email.

      • deft@ttrpg.network
        link
        fedilink
        English
        arrow-up
        13
        arrow-down
        5
        ·
        1 year ago

        in like a decade the use of a password manager will be a bad idea. i don’t know how but it will be.

        • demlet@lemmy.world
          link
          fedilink
          English
          arrow-up
          16
          arrow-down
          2
          ·
          1 year ago

          Hmm, a single point of access for every password you have? I don’t see the problem…

          • SleveMcDichael@programming.dev
            link
            fedilink
            English
            arrow-up
            20
            ·
            edit-2
            1 year ago

            The thing is the average person either can’t or can’t be bothered to remember even a dozen actually secure passwords, so they fall back to a couple of simple derivations of a common password, meaning each and every site a user signs up on represents an additional single point of failure.

          • Chriskmee@lemm.ee
            link
            fedilink
            English
            arrow-up
            9
            ·
            1 year ago

            Lucky until we get actual quantum computing, it’s not worth the years on a supercomputer to crack a single stolen set of encrypted passwords.

    • stevedidWHAT@lemmy.world
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      2
      ·
      1 year ago

      Agreed! I also think that the next steps would be getting rid of the need for users to even know their own password and instead replace with other securities like biometrics (with sufficient permutations possible to match or exceed passwords) and a physical device or something else entirely that removes the need to let the user in on what the exact password is

    • JJROKCZ@lemmy.world
      link
      fedilink
      English
      arrow-up
      3
      ·
      1 year ago

      Tools like Bitwarden will let you fairly customize the randomly generated password it makes. You can tailor it to not use certain characters for those sites that don’t allow it. And each vault object can be customized like that independently so you don’t compromise all your passwords by not allowing _ or (, you can also have it do pass phrases like you gave an example of