Password Message.

JohnC6

I keep getting this message when I log into TP after a history clear. My password is strong so I don't really want to change it. Also, I have a different password for everything.

Here's the message. It's from Safari... allegedly... and comes with a yellow alert warning triangle and a Safari logo imposed, bottom right.

"This password has appeared in a data leak, which puts this account at high risk of compromise. Safari can create a strong password for you. Would you like to change your password for "talkphotography.co.uk"?"

Underneath are two option boxes. 'Change now' white lettering on a blue background and 'Not now' in black on a grey background.

If this is a phishing scam, what do they hope to gain? Maybe they think I use the password for other websites, i.e. my banking?
 
It all sounds a bit vague to me, and a means of putting your data in their care. I'd just change it yourself, if you're concerned.
 
I keep getting this message when I log into TP after a history clear. My password is strong so I don't really want to change it. Also, I have a different password for everything.

Here's the message. It's from Safari... allegedly... and comes with a yellow alert warning triangle and a Safari logo imposed, bottom right.

"This password has appeared in a data leak, which puts this account at high risk of compromise. Safari can create a strong password for you. Would you like to change your password for "talkphotography.co.uk"?"

Underneath are two option boxes. 'Change now' white lettering on a blue background and 'Not now' in black on a grey background.

If this is a phishing scam, what do they hope to gain? Maybe they think I use the password for other websites, i.e. my banking?

Simple solution: don't clear your history / cookies.
 
I keep getting this message when I log into TP after a history clear. My password is strong so I don't really want to change it. Also, I have a different password for everything.

Here's the message. It's from Safari... allegedly... and comes with a yellow alert warning triangle and a Safari logo imposed, bottom right.

"This password has appeared in a data leak, which puts this account at high risk of compromise. Safari can create a strong password for you. Would you like to change your password for "talkphotography.co.uk"?"

Underneath are two option boxes. 'Change now' white lettering on a blue background and 'Not now' in black on a grey background.

If this is a phishing scam, what do they hope to gain? Maybe they think I use the password for other websites, i.e. my banking?
Do a Google search for "Have I been Pwned". I can't post the link as I only just joined and it will send the spam detector into overdrive.

But you can put your email address in there and it will tell you all the places your details were compromised.
 
I would think this has only a chance of being genuine IF you allow Safari to store your passwords, otherwise how would it know.

Personally, I'd take no notice of the message but change the password directly yourself if you are concerned (I would be).

I use a paid NordVPN and Nordpass account for all my stuff.
 
I get that sometimes in Edge actually on Win11, I just ignore it.
 
I would think this has only a chance of being genuine IF you allow Safari to store your passwords, otherwise how would it know.

Personally, I'd take no notice of the message but change the password directly yourself if you are concerned (I would be).

I use a paid NordVPN and Nordpass account for all my stuff.
Passwords are regularly released on the Internet. A lot of online companies now monitor this to warn people when their email address has been listed. Safari wouldn't have to be storing the password to know it was compromised as they would see it listed publicly. Don't ignore these warnings. Change your passwords.
 
Passwords are regularly released on the Internet. A lot of online companies now monitor this to warn people when their email address has been listed. Safari wouldn't have to be storing the password to know it was compromised as they would see it listed publicly. Don't ignore these warnings. Change your passwords.

Safari DOES need to store the password to know that it is vulnerable.
 
Safari DOES need to store the password to know that it is vulnerable.
No. Safari just needs to know your email address. As soon as it pops up on a list with a password beside it, they know it's been stolen and at that point the password is public.
 
The one thing that irritates me is that Edge (none too sure if IE also did it?) invites me to let "it" remember the password for a site.

I always decline with "never for this site"
 
The one thing that irritates me is that Edge (none too sure if IE also did it?) invites me to let "it" remember the password for a site.

I always decline with "never for this site"
Google does this too. I'm sure it adds another layer of risk as you're doubling the places your credentials are stored. That said, I allow Google to store it for convenience as it then synchronises to my phone. Log in on one device, and I'm logged in on both. But yeah, logically it must add risk.
 
As I said, I have a paid-for password manager where almost all of my information is stored, however, finance passwords--bank account, PayPal etc. are primarily in my head, with a copy hand-written in a hidden location. Nordpass will also ask me to store information other than passwords but I always decline the offer.

One other thing that bothers me, but I do for the sheer convenience, is allowing a company to have my card details in their entirety---Amazon for example. I don't like it very much but one can't have everything if one wants the convenience.

I have recently put Google Pay (Wallet) on my phone in case I forget my cards and I have to admit it works very well, but there is that nagging feeling that it isn't particularly safe when most of the security on my phone relies on my fingerprint. While fingerprint recognition is supposedly more secure than facial recognition, both methods can be ignored and a four-digit pass-number put in instead. Four digits doesn't seem particularly secure and I would prefer six, but it is what it is I suppose.

I think a lot of security relies on the shoaling principle in that when a predator comes along, you hope it's going to be someone else: and that's quite sad really.
 
Safari will be using the new-ish Passwords app on macOS. It's annoying that Apple sort of steer users towards this, even though they have an alternative password manager. I use 1Password, but I still have a number of passwords that are in Passwords, because I've been caught by Apple's attempt to get me to move...
 
As I said, I have a paid-for password manager where almost all of my information is stored, however, finance passwords--bank account, PayPal etc. are primarily in my head, with a copy hand-written in a hidden location. Nordpass will also ask me to store information other than passwords but I always decline the offer.

One other thing that bothers me, but I do for the sheer convenience, is allowing a company to have my card details in their entirety---Amazon for example. I don't like it very much but one can't have everything if one wants the convenience.

I have recently put Google Pay (Wallet) on my phone in case I forget my cards and I have to admit it works very well, but there is that nagging feeling that it isn't particularly safe when most of the security on my phone relies on my fingerprint. While fingerprint recognition is supposedly more secure than facial recognition, both methods can be ignored and a four-digit pass-number put in instead. Four digits doesn't seem particularly secure and I would prefer six, but it is what it is I suppose.

I think a lot of security relies on the shoaling principle in that when a predator comes along, you hope it's going to be someone else: and that's quite sad really.
I use KeePass as my password manager - it's Free, Open Source, and has ports to a range of platforms (I use it on my PC, Laptop, phone and Tablet) - it has the advantage that the password vault is stored locally (rather than on the password manager company's server - so a hacker would have to access your device, then have your vault, to access your password details).
 
No. Safari just needs to know your email address. As soon as it pops up on a list with a password beside it, they know it's been stolen and at that point the password is public.

Safari does NOT know the email address I use for this site.

If your password for Talkphotography is NOT in the Safari password manager then you will NOT get the message that the OP got.
 
Safari will be using the new-ish Passwords app on macOS. It's annoying that Apple sort of steer users towards this, even though they have an alternative password manager. I use 1Password, but I still have a number of passwords that are in Passwords, because I've been caught by Apple's attempt to get me to move...
Yes. I have an iMac, too. I don't have any passwords saved on it. I also have my passwords written down and kept in a safe place as Caroline (GBL) does.
 
Yes. I have an iMac, too. I don't have any passwords saved on it. I also have my passwords written down and kept in a safe place as Caroline (GBL) does.
Run the app “Passwords” and see if it has anything in it.
 
Run the app “Passwords” and see if it has anything in it.

Yes. A list. I didn't know that.

One re my bank shows "not saved" but all those that don't matter... or I think they don't matter, are there. E.g. BBC-LBC Radio, Talkphotography etc. It's so I can just click on to log in and not have to write my details each time. I do so on the understanding what good are they to anyone? None are the same as anything sensitive, e.g. Financial or NHS App.
 
I use Brave and it is set to clear my history and cache every time I close it. It can be inconvenient as I have to log in to things every time I start up but it's safer.
Macs use Safari. It's odd really. A lot of people complain about town/city centre CCTV, police facial recognition cameras, i.e. at large gatherings or even just in town/city centres, but just accept what computers do, which is way more intrusive.
 
It's useful to do that, but it doesn't mean that your password is compromised, just that your email address is on a list of logins that is in a data breach. It is good practice to change the password if it has been in a breach. If you have changed your password since the data breach you should be OK. Also, if you have different (and more secure) passwords for each login, then you are far more secure than if you use the same or similar passwords for logins.
 
run your email through a checker like below for sure

I have checked one particular address and it found 4 breaches between 2015 and 2019

Suffice to say AFAIK since then I have changed passwords on various occasions primarily because I forget them and have to do a "forgotten password" reset.
 
It's useful to do that, but it doesn't mean that your password is compromised, just that your email address is on a list of logins that is in a data breach. It is good practice to change the password if it has been in a breach. If you have changed your password since the data breach you should be OK. Also, if you have different (and more secure) passwords for each login, then you are far more secure than if you use the same or similar passwords for logins.

The annoying thing after checking for compromised email accounts, is that it will always appear as compromised even after you have changed the password, so you have to be aware of when you first noticed the compromise and know that afterwards you changed the PW.
 
The annoying thing after checking for compromised email accounts, is that it will always appear as compromised even after you have changed the password, so you have to be aware of when you first noticed the compromise and know that afterwards you changed the PW.

So if someone knows my email address and I change my password from PASSWORD1 to PASSWORD2 what have I achieved, absolutely nothing. It doesn't make my account more secure.
 
So if someone knows my email address and I change my password from PASSWORD1 to PASSWORD2 what have I achieved, absolutely nothing. It doesn't make my account more secure.
It does. Your email address is out there everywhere. Every time you register for something, buy something, or even give your email address to another person, you release your email. But knowing that, the worst a bad actor can do is send you spam emails. By changing your password in the event of a breach, you render knowledge of your email address useless to a bad player.
 
It does. Your email address is out there everywhere. Every time you register for something, buy something, or even give your email address to another person, you release your email. But knowing that, the worst a bad actor can do is send you spam emails. By changing your password in the event of a breach, you render knowledge of your email address useless to a bad player.
Not entirely - there are a number of degrees of vulnerability.
If you don't change the password, and use the same email/password combination on multiple sites then it's clear that a bad actor can potentially access your details on these other sites.
If you do change the password you have removed that direct vulnerability, but the bad actor still has a known 'good' email that can be used as a basis for some form of brute force attack to gain access.
They can also use the email as a target for phishing attacks - if they have your name and email from one breach, such phishing emails can address you personally, making them appear more genuine.
 
Not entirely - there are a number of degrees of vulnerability.
If you don't change the password, and use the same email/password combination on multiple sites then it's clear that a bad actor can potentially access your details on these other sites.
If you do change the password you have removed that direct vulnerability, but the bad actor still has a known 'good' email that can be used as a basis for some form of brute force attack to gain access.
They can also use the email as a target for phishing attacks - if they have your name and email from one breach, such phishing emails can address you personally, making them appear more genuine.

That may be true, but I stand by my comment about the email address being out there for almost anyone to access. Knowing one's email is not a route to fraud unless the owner of said email clicks on things sent to them. On its own, an email address is not really much good to a criminal apart from sending spam and trying to get you to click on things or open attachments. The same applies to bank account number and sort code, in themselves, they are not a lot of use -- unless some repenting thief decides to credit your account instead of trying to steal from it -- many businesses, for example, have account and sort code info on their letterheads.
 
People are missing the point, yes you find your email is compromised and yes you change some passwords but people are lazy, they use passwords on multiple sites, they use rubbish passwords time after time, the best thing to do is use a random password manager on everything and never use a password in more than two places every single one different.
 
Yes, the Knights of Old (KNP) trucking company found out about poor passwords to their great cost when a hacker did them with ransomware by exploiting a weak password on one of their employees' accounts.
 
run your email through a checker like below for sure

Four data breaches including this one.

 
People are missing the point, yes you find your email is compromised and yes you change some passwords but people are lazy, they use passwords on multiple sites, they use rubbish passwords time after time, the best thing to do is use a random password manager on everything and never use a password in more than two places every single one different.
Agree. As mentioned in an earlier post, I do have different and strong passwords for each website.
 