ZDoom

[Rachael]

This post is just a friendly reminder, to everyone, to PLEASE keep ALL of your accounts secure across every site you use, in order to prevent unwanted access by outsiders.

No administrator for ANY reputable site will *ever* ask for your password directly, and neither will ZDoom.

Additionally, please *never* use the same password for all sites. If you need a way to keep track of your passwords on different sites, consider a utility like KeePass and never give away your master password.

Also, be vigilant and keep malware off of your machine. Remember, Windows is not the only platform that can contain malware, especially these days where scripting technologies and virtual machines allow for malware to be hosted on literally any platform and even be fully cross-platform compatible. Yes - that means your Linux, your Raspberry Pi, your Android Phone, your iPhone, your iPod, and your Macintosh can all have malware on them, and it's important to protect yourself.

Keep in mind that for a multitude of reasons, pass phrases are far more secure than passwords. For example: "My_D0g_I$_AweSom3" (don't actually use that, obviously, it's just an example of what you should go for with passwords - note the use of mixed case and unpredictable punctuation/numeral replacements)

Additionally, for any sites that offer it, if you have a smart phone, always enable 2-factor authentication.

Never give your password for ANY site to another person. Even if they are an administrator/moderator!

If you believe your password is weak, PLEASE PLEASE PLEASE take this opportunity and change it to something stronger. Put it someplace safe if you think you'll forget it. It's really important that you, and only you, have access to your account. Thank you!

[Rachael]

Hello, everyone - A massive data breach dubbed "collection #1" occurred. I have been trying to figure out what websites were hacked for this one - nothing I've found on it so far is specific about where the data has come from. (So far it appears ZDoom is unaffected) Nevertheless, it's a good time to remind you all, don't share your passwords with anyone, use a different password for every site, and since every site and its grandmother these days requires you to create an account for some ungodly reason use a password manager (that's not an excel spreadsheet!).

If you want to learn more about this one, simply type "collection #1" into Google and you'll get plenty of results on it. I've included a link to an article discussing it as well. And always, stay safe, and have fun!
https://www.pcmag.com/news/366043/colle ... n-email-ad

---
Thanks Ghastly from the ZDoom Discord server also for mentioning - you can also check the site https://haveibeenpwned.com/ and put your email there, to see if your email has been affected by this breach - or any past ones.

Also thanks to Tristan885 - he mentioned you can use the same site to check to see if your password has been breached. https://haveibeenpwned.com/Passwords - probably useful if you use the same password on every site, but personally, I don't plan to be putting my password there to check - still, though, if you're brave, you can do it, or if you change it to something else right after, that will work too

(If you wish to discuss this, I've unlocked the topic)

[Lilybeth Fanwell]

First question. So guests can post on ZDoom forums now? Interesting decision...

Anyways (thanks to a number of world events over the years [just my personal opinion]), things are raining down hard for them websites. I guess the only thing is to check your account info from now infected websites, if you dare. Safeguarding your email should have already been presumed. Your website accounts is in question of jeopardy. If time permits, you can still access the accounts before any damage has been done. Otherwise, they are at risk in the least of being snooped.

Have a good day.

[Princess Viscra Maelstrom]

it seems my main account was part of that breach, should i be concerned?

[Rachael]

Yes - make sure to change your password on all websites that use that email - and if you need to, use a password manager like KeePass to make them all unique to every site. If you already did that, there's nothing more you can do, short of abandoning that email address entirely.

[Enjay]

Also thanks to Tristan885 - he mentioned you can use the same site to check to see if your password has been breached. https://haveibeenpwned.com/Passwords - probably useful if you use the same password on every site, but personally, I don't plan to be putting my password there to check - still, though, if you're brave, you can do it, or if you change it to something else right after, that will work too

I'm not sure how useful that site is. I just tried a whole bunch of random passwords (some of them very random). Only one came up as never having been seen before - and it wasn't even one of the more obscure ones.

[Rachael]

Try typing "God" in there. (AFAIK It's one of the ones on the list for common passwords for hackers and pen testers) That one comes up just fine.

I cannot assert how useful that tool is, and as I said, I will not use it myself because that requires giving passwords to a site that I have no idea what they will do with it. But if you trust the site, then it seems useful enough, indeed - though you are right to question how useful it really is, since it is essentially asking you for passwords and that gives the site owner the ability to build a brute force database or something else equally nefarious.

Nevertheless, if everything is taken at face value (and so far I haven't seen actual reason not to), the database they are using only checks against the existing compromises that the site has chronicled, so if a common password is coming up as "not pwned" it just means it hasn't shown up in a password dump yet.

[Graf Zahl]

Maybe that's because so many people use "password" as their password or some date with personal significance.

Of all the passwords I use only two came back as potentially compromised, both for accounts I registered under a fake name on some sites where I didn't want to disclose personal information and where I didn't care about security.

Try typing "God" in there. (AFAIK It's one of the ones on the list for common passwords for hackers and pen testers) That one comes up just fine.

I cannot assert how useful that tool is, and as I said, I will not use it myself because that requires giving passwords to a site that I have no idea what they will do with it. But if you trust the site, then it seems useful enough, indeed - though you are right to question how useful it really is, since it is essentially asking you for passwords and that gives the site owner the ability to build a brute force database or something else equally nefarious.

According to the fine print the entire password hashing is done client-side in Javascript - the process is explained in detail in the FAQ section. If it wasn't I'd guess that some big red warning signs have already sprung up somewhere else on the internet because that'd be one hell of a phishing scheme otherwise.

[Apeirogon]

That strange...from all my emails it found compromised only those which I dont actively use, and which I used only on several different sites.
The one I use now, last few year, dont seems to be compromise, despite fact that I actively use it to register at some sites which marked as "hacked".

[Rachael]

If you registered to a site after it has experienced a data breach, it has to experience another data breach in order for your data to be compromised. In other words - data breaches only affect the data that was available at the time of the breach - not new data - unless the breach is still open or it has been breached again.

And normally, experiencing a data breach causes sites and the organizations that run them to be a little bit more careful about safeguarding your data in order to prevent that second breach. It's hugely embarassing, and for corporations, it's really expensive.

Nothing can change the fact that a site "was" breached at one time - that will remain on a corporation's public reputation until the end of time - but if they handled the breach correctly, then your account that was registered *after* the site was hacked will be safe.

[Enjay]

Maybe, just by chance, I typed some common keystrokes. I didn't actually try any of my own passwords.

These made me laugh though:
1234

This password has been seen 1,256,907 times before

password

This password has been seen 3,645,804 times before

[Graf Zahl]

Scary, isn't it...?
That's roughly 0.6% of all breached passwords being 'password'...

[Princess Viscra Maelstrom]

do i have to worry about the password of my email itself, or just everything connected to it?

[wildweasel]

do i have to worry about the password of my email itself, or just everything connected to it?

If that password and email appear together at all, change the passwords everywhere. Because of the nature of the breach (it cannot be verified what all databases are present in it), it's likely that anybody with that information will try that combination anywhere they can, including emails (most likely to be attempted).

[Princess Viscra Maelstrom]

damn. i didn't really want to change my email password, but i guess i have no choice now...