Password security reminder: Please continue to treat your LiveJournal passwords as compromised
The tl;dr of this entry:
* Many legitimate older accounts have been broken into this week and used for spamming.
* This is not a security issue with Dreamwidth itself: we've confirmed the hijacked accounts were compromised through password re-use.
* Our investigation makes us think this is connected to 2020's LiveJournal security incident.
* For your safety, treat any password you have ever used on LiveJournal, on any account, at any point, as compromised.
* Do not reuse any password you have ever used on LiveJournal on any other site, but especially on Dreamwidth.
* If your Dreamwidth password is the same as any password you've ever used on LiveJournal, on any account, at any point, change it now.
* Please install a password manager, let it generate your passwords for you, and use it to remember your passwords.
The longer explanation:
Many folks have noticed a rash of accounts that have been broken into and used for spamming this week. After some investigation (and we're grateful for the information provided by the people who have been able to resecure their accounts!) we believe this is continuing fallout from an incident that security researchers have concluded was an ongoing, undisclosed password database compromise on LiveJournal.com, covering at least the period between 2014 and 2017 and potentially covering a much wider range of dates.
During that period in 2020 when a password file claiming to be the passwords of 20+ million LiveJournal user accounts began more widely circulating on the black market, and after we disclosed the incident to our users because of the very high rate of user overlap and password reuse between our site and LiveJournal, LiveJournal released a statement claiming that the data contained in the black market password file was fabricated and the source of the data was not a LiveJournal compromise. They continue to deny that any of the records in that file are legitimate.
We do not believe LiveJournal's statement is accurate. At the time of the incident, we were able to obtain that black market password file, and we verified the accuracy of multiple records contained in the file, for LiveJournal accounts belonging to DW staff and volunteers and LiveJournal accounts belonging to a representative sample of helpful users we contacted to verify the accuracy of the records. Our examination of a representative sample of the file, both with our own accounts and the accounts of the users who helped us verify it, did not produce a single record that was not accurate: every record we examined, from an extremely thorough representative sample, was an accurate record of a password that had been used on the LiveJournal account in question at some point in the past. Our research into the accuracy of those records is what let us tentatively date the file as containing records from at least 2014-2017. This makes us believe it was not a one-time incident, but an ongoing security issue in which intruders were able to access the LiveJournal password database at multiple dates.
Troy Hunt, the security researcher who runs the service Have I Been Pwned, conducted his own independent research with his subscribers, which we assisted with, and he also concluded that the source of the data was legitimate and the file was a legitimate record of passwords that had been used on LiveJournal in the past. The data from that file is loaded into Have I Been Pwned, and if your email address and password were in that black market password file, it will be returned as a result if you enter your email address in Have I Been Pwned.
At the time of the incident, and once we were able to obtain access to the alleged LiveJournal password file circulating on the black market, we took steps to forcibly change the passwords of any user whose email address and password on Dreamwidth matched an email address and password present in the alleged LiveJournal password file. We also made upgrades to our password storage and handling at the time that would hopefully reduce the potential security risk to Dreamwidth users who had reused their passwords from LiveJournal and to prevent the use of passwords that appear in that alleged LiveJournal password file. However, this week's rash of account break-ins has occurred among people who have confirmed that their Dreamwidth password had previously been used on LiveJournal, and several of them have confirmed their data did not appear in 2020's alleged LiveJournal black-market password file.
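The two defensive steps described in the preceding paragraphs (checking a candidate password against a leaked corpus, and finding which existing accounts a leaked email/password pair actually unlocks so only those users are forced through a reset) look roughly like the following. This is an added example written for this page, not Dreamwidth's own code: the breach corpus, the user table, the salts and the PBKDF2 round count are all constructed stand-ins, and `fetch_range` plays the role of a remote range-lookup service of the kind Have I Been Pwned's Pwned Passwords offers, where only the first five hex digits of the SHA-1 hash leave the client.

```python
"""Added example (not Dreamwidth's code). Two defensive checks a site can run
with a leaked credential file:

1. At password-set time, refuse a password that appears in a breach corpus,
   using the k-anonymity range-lookup pattern: hash the password with SHA-1,
   send only the first 5 hex digits, and compare the returned suffixes locally.
2. Given the site's own salted, iterated password store and the leaked
   (email, password) pairs, list the accounts whose current password is the
   leaked one, so exactly those users can be forced to reset.

Every value here is constructed for the example."""
import hashlib
import hmac
from typing import Dict, Iterable, List, Tuple

# ---- part 1: breached-password blocklist via k-anonymity prefixes ----

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(full_hash: str) -> Tuple[str, str]:
    """Range services key on the first 5 hex digits (20 bits); the remaining
    35 digits are the suffix the client compares locally."""
    return full_hash[:5], full_hash[5:]

# Constructed stand-in for a leaked-password corpus: password -> times seen.
_CONSTRUCTED_CORPUS: Dict[str, int] = {
    "password1": 12345,
    "letmein": 678,
    "dreamwidth2020": 3,
}

def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Index the corpus the way a range service does: prefix -> [(suffix, count)]."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        prefix, suffix = split_hash(sha1_hex(pw))
        index.setdefault(prefix, []).append((suffix, count))
    return index

_RANGE_INDEX = build_range_index(_CONSTRUCTED_CORPUS)

def fetch_range(prefix: str) -> List[Tuple[str, int]]:
    """Stand-in for the network call GET /range/<prefix>: the server returns
    every (suffix, count) under that prefix and never learns which one the
    client wanted."""
    return _RANGE_INDEX.get(prefix, [])

def breach_count(password: str) -> int:
    """How many times the password appears in the corpus (0 if never)."""
    prefix, suffix = split_hash(sha1_hex(password))
    for seen_suffix, count in fetch_range(prefix):
        if hmac.compare_digest(seen_suffix, suffix):
            return count
    return 0

def password_acceptable(password: str, min_len: int = 12) -> Tuple[bool, str]:
    """Policy check run before a new password is stored."""
    if len(password) < min_len:
        return False, "too short"
    if breach_count(password) > 0:
        return False, "appears in breach corpus"
    return True, "ok"

# ---- part 2: find accounts whose current password matches a leaked pair ----

_PBKDF2_ROUNDS = 100_000  # illustrative; tune to your hardware budget

def hash_for_storage(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _PBKDF2_ROUNDS)

def make_constructed_store() -> Dict[str, Tuple[bytes, bytes]]:
    """Stand-in user table: email -> (salt, pbkdf2 hash). Salts are fixed
    here only so the example is reproducible; use os.urandom(16) in practice."""
    users = {
        "alice@example.com": (b"salt-alice-0001", "letmein"),
        "bob@example.com": (b"salt-bob-000002", "a long unique passphrase nobody reused"),
    }
    return {email: (salt, hash_for_storage(pw, salt)) for email, (salt, pw) in users.items()}

def users_to_reset(store: Dict[str, Tuple[bytes, bytes]],
                   leaked_pairs: Iterable[Tuple[str, str]]) -> List[str]:
    """Emails whose stored hash verifies against the password leaked for them.
    Only these accounts need a forced reset; the rest are left alone."""
    hits: List[str] = []
    for email, leaked_pw in leaked_pairs:
        key = email.strip().lower()
        record = store.get(key)
        if record is None:
            continue
        salt, stored = record
        if hmac.compare_digest(hash_for_storage(leaked_pw, salt), stored):
            hits.append(key)
    return hits
```

Two design points worth noting: the range lookup deliberately compares suffixes with a constant-time comparison and never sends the full hash, so the check can be offered to users without the service learning their passwords; and part 2 verifies each leaked pair against the site's own slow hash rather than bulk-hashing the whole user table, which keeps the work proportional to the size of the leak and touches only accounts that are demonstrably at risk.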
We don't know (and we probably will never know for certain) if there's an additional password file circulating, if the person who assembled the 2020 alleged LiveJournal black market password file held back additional records so that they could sell them later, or if there has been an additional security incident in which someone was allegedly able to obtain access to a newer LiveJournal password database and assemble a file that contains records from a later time period than we believe we were able to reliably date the information in the 2020 black market file.
At this point, for your own account safety, we must recommend that you act as though any password you have ever used on LiveJournal, at any point, for any account, at any time, even if it is not your current LiveJournal password, has been potentially compromised. Do not use that password on any other site, but especially on Dreamwidth. (Because of the high overlap of users between LiveJournal and Dreamwidth, anyone with access to a password file that claims to be LiveJournal passwords will also immediately try those email address and password combinations on Dreamwidth as well, because people reuse passwords across sites so frequently.)
If your Dreamwidth password is the same as any password you have ever used on LiveJournal, for any account, at any point, even if it is not your current LiveJournal password, please change it immediately by going to the Change Password page. Use a strong password that you have never used on any other site. We strongly recommend that you install and use a password manager that will generate and remember the passwords for you: two that our staff and volunteers use and like are 1Password and Bitwarden. (We've previously also mentioned a program called LastPass; we no longer recommend it because of their mishandling of their own recent security incident. Neither 1Password nor Bitwarden sponsors us, we have no financial connection to them, and we receive no benefit from those recommendations: we just use the services ourselves and are satisfied with them.)
Again, to be clear, this is not a security incident with Dreamwidth itself: we have no reason to believe that we've had any security problems, and we do actively monitor and look for them. The issue on Dreamwidth is that people have used the same password they've used for LiveJournal, and to the best of our ability to determine from the outside, we believe LiveJournal has been unable to fully resolve the security incident that resulted in a password file circulating on the black market in 2020. If your Dreamwidth password is one that you've never used on LiveJournal, you don't have to take any action. If your Dreamwidth password is the same as one you've ever used on LiveJournal, at any point, for any account, even if it isn't your current LiveJournal password, please immediately change your password on both sites and make sure that you never reuse your LiveJournal password on any other site ever again.
Our recommendation to treat any password you have ever used on LiveJournal as actively compromised and likely to be exploited will continue to be in force until LiveJournal is willing to publicly disclose the results of their investigation into the source of the 2020 black market password file, their conclusions as to how the author of that file was able to assemble 20 million records with an extremely high rate of accuracy as determined by the representative sampling verification of multiple security researchers, and the steps they've taken to resolve the attack vector used by the author of that file so that the attack vector can't be used again to assemble newer records. We also strongly recommend that you treat any public disclosure from LiveJournal as suspect unless it is accompanied by a report from an independent security research team verifying the accuracy of its contents.
All comments on dw_news entries relating to security issues are screened. If you have a question that we believe would benefit from a public answer, we may unscreen your comment when we reply to it.
Password Managers
1) If you are a Safari user, and not likely to be a specific target (because you work in highly classified areas or whatever), I have been told the built-in Safari password manager in newer versions is sufficiently secure - it uses the Apple keychain credential storage system and does not store passwords in plaintext.
2) If you want the best UI and don't mind a paid service, 1Password. Also can handle stuff like 2FA (please use an authenticator app whenever possible, text message codes for authentication are really vulnerable)
3) If you want a good-enough UI and a decent free plan, Bitwarden. For the slightly more paranoid, you can also run your own copy of the sync server instead of using their cloud storage (which is where LastPass got compromised). It's also open source.
4) For people who want to avoid other people's cloud services entirely and don't mind some UI friction, KeePassXC is open source and you have to handle syncing yourself (however, if you're the sort of person who would pick KeePassXC over Bitwarden I suspect you are already using it, heh).
I think a big reason people use external password managers is so that they can sync passwords between laptop and phone. Firefox and Chrome actually have a sync option built-in, though! (Warning: Chrome won't force you to set a master password before enabling sync, but it is *critical* to security. Always use a master password!)
Re: Password Managers
It does look like Firefox now stores passwords in encrypted form, which is good! The last time I checked (admittedly several years ago) they were still storing them in plaintext which is no good.
And yes, you absolutely need a master password, and it should be a good one. Ideally this is the only password you have to memorize - my tip for a memorable but hard to guess password is to pick a long quote or song lyric you will definitely remember, take the first letter of each word in the line, preserving capitalization, and include punctuation as well.
Re: Password Managers
https://github.com/unode/firefox_decrypt/
Re: Password Managers
When you say "take the first letter of each word in the line", do you mean you're making random words rather than using the words themselves?
It's my understanding that, purely mathematically, "take on me take me on ill be gone in a day or two" is more secure than "TomTmoIbgInadot" - like that one xkcd comic.
If anyone knows: are song lyrics or even book/movie quotes considered insecure as passwords along the same veins as, say, your birthday or street address would be? Is it reasonable to assume that if someone is trying to break into your account, a hard-break attempt would include logic for "sensical / pre-existingly used sequence of words"? (From my surface level understanding of how hard basic text search is to code, I find it... difficult to believe?)
Re: Password Managers
One of those really clever ways to brute-force passwords involves trying to figure out which words and which letters are most likely to appear next to each other, and song lyrics in particular have a lot of websites that have a really exhaustive list of sample text (there being approximately 80,000 song lyrics databases out there). Ditto movie quotes, book quotes, etc. The "correct horse battery staple" technique XKCD recommends only works if the words are truly and honestly random and are less likely to have ever appeared next to each other in any known body of text. (I will also note that four words is generally not enough anymore, and there's a dictionary size problem: you need a large dictionary to select the random words from.) Our brains are really bad at randomness; most of us have a lot of the same associations between words that make us more likely to think of the next words from a much smaller list. (Think of those free-association party icebreakers: a lot of the times, people will say words that are similar to the one you were thinking of, right?)
A lot of the security advice for the average person with no elevated threat model (people like activists, journalists in oppressive regimes, etc) revolves around making your accounts harder than everyone else's to break into, because most malicious people will be satisfied with just breaking into the easiest 25% or whatever: for those people, if it's a question of "this is the only way I'll ever remember this master password", it's "okay-ish but not great" if you use a quote from something (but it's safer, if you do, to rephrase it or change a few words so it's not exactly the quote that's likely to be in quote databases). But every step you take to further transform the particular mnemonic you use is going to make things even safer against brute-force attacks.
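The arithmetic behind the two comments above (why "four words is generally not enough anymore", why dictionary size matters, and why a verbatim lyric or quote is weaker than its word count suggests) can be written down directly. This is an added example for this page, not code from the thread or from any password manager: the dictionary sizes 2048 and 7776 are assumed example sizes (7776 being the size of a standard Diceware list), the corpus size of ten million lines is an assumed figure for illustration, and the 32-entry word list is constructed here solely so the generator runs offline.

```python
"""Added example, not part of the original thread. Entropy arithmetic for
randomly chosen passphrases versus verbatim quotes, plus a generator that
draws words with the operating system's CSPRNG instead of from memory.
The word list is constructed for the example; a Diceware list has 7776 entries."""
import math
import secrets
from typing import List, Sequence

def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` words drawn uniformly and independently from a
    dictionary of `dictionary_size` entries: words * log2(dictionary_size)."""
    return words * math.log2(dictionary_size)

def words_needed(dictionary_size: int, target_bits: float) -> int:
    """Smallest word count that reaches target_bits with this dictionary."""
    return math.ceil(target_bits / math.log2(dictionary_size))

def quote_bits(corpus_lines: int) -> float:
    """A lyric or quote used verbatim is, to a guesser who holds the corpus,
    one choice among corpus_lines candidates, so its length adds nothing:
    the entropy is log2(corpus_lines) however many words it contains."""
    return math.log2(corpus_lines)

# Constructed word list (a stand-in; 32 entries -> 5 bits per word).
_CONSTRUCTED_WORDS: Sequence[str] = (
    "anchor", "basil", "copper", "drizzle", "ember", "falcon", "granite",
    "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ripple", "saffron", "thistle", "umber",
    "velvet", "willow", "yonder", "zephyr", "bramble", "cinder", "delta",
    "fjord", "glacier", "hollow", "inlet",
)

def generate_passphrase(wordlist: Sequence[str], words: int) -> List[str]:
    """Draw each word independently with secrets.choice (CSPRNG), so the
    words carry none of the associations a human would introduce."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("wordlist must not contain duplicates")
    return [secrets.choice(wordlist) for _ in range(words)]

def generated_bits(wordlist: Sequence[str], words: int) -> float:
    """Entropy of a passphrase produced by generate_passphrase on this list."""
    return passphrase_bits(len(wordlist), words)
```

With these functions, four words from a 2048-word list come to 44 bits and four from 7776 words to about 52 bits, while reaching 80 bits takes seven Diceware words or eight from the smaller list; a verbatim line chosen from a corpus of ten million quotes is worth only about 23 bits no matter how long it is, which is the point the reply above makes about lyric databases. The duplicate check in `generate_passphrase` matters because a repeated entry would make some words likelier than others and quietly lower the real entropy below the computed figure.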
Re: Password Managers
If you don't mind me picking your brain, what authentication app do you recommend? I've been using Authy, but I'd love an expert opinion on if it's any good, and if there's something better out there.
(As an aside, I hate that so many financial institutions either don't offer 2FA at all, or only offer SMS. They should be the most secure, ugh.)