Firstly, it does not matter on which website you see this new warning. The new message is a warning about the username/email and password combination that you just entered. That combination has been compromised in a breach of a website/app. What that actually means is you need to change your password on all websites/apps where you are using the same username/email and password combination.

Firstly, it does not matter on which website you see this new warning. The new message is a warning about the username/email and password combination that you just entered. That combination has been compromised in a breach of a website/app. What that actually means is you need to change your password on all websites/apps where you are using the same username/email and password combination.

https://support.google.com/chrome/thread/23534509?hl=en

Iow, it's the email address/password combination you used that has been compromised, somewhere, not necessarily here.

I have never seen that pic nor was I even aware of this capability. I do use chrome for first visits or searching as I have chrome locked down. My other browser is Edge. I don't like it but it does work better on forms mainly because I keep chrome on tight leash. Sometimes chrome wont even show a required "captcha" popup because I loaded it with so many blocking extensions.

My normal desktop "office" system has McAfee via Dell and I pay for subscription to McAfee. OTH my surface pro has only windows 10 plus I do pay for Malware Bytes premium. One thing I noticed on the surface pro. If I browse to Seti@home and select "Number Crunching' and then the most popular thread "server panic" I ALWAYS get a warning that a trojan was found. Some site in u.nu had or has a trojan or is well known for poor security and is on Malwarebytes list. McAfee shows no problem, but who knows? The following is a screen grab from my SP4. BTW SETI has a "server panic" so often they start a new thread as the messages are too long. Currently # 118 If you read the message behind the "trojan warning" you can understand why they constantly have panics: a 20,000 WU cache size and any # of gpus you want (as long as you are a member of the club).

Because they have a database with 4 billion combinations in them to check against. Which is nothing, when compared to the other freely available checkup https://haveibeenpwned.com/

So I take it both sites are just checking in lists that have been found online?

I do know one of my older passwords was found out from somewhere, because I occasionally get requests by email for me to pay somebody a few grand in bitcoins so they don't tell the world I watch porn or something. And they quote a password I used several years ago.

Surely, a website/forum/whatever can store passwords in some kind of secure form so they can't just be read when hacked? Some way the server can check I entered the right password but it doesn't actually know what it is?

And I assume the Google one is better, as I assume it's checking the email address AND password, whereas your link only checks the email address. It said I had been compromised, but it didn't tell me what password was used, so I have no idea if I have to change it again or not. I can't remember the password used on the site it mentioned, as I haven't used it for ages.

It is called a one way hash and salt. Math. You put in a number, your password converted to a number, and it spits out a different number. Done right there is no way to put the result number in and backtrack to the password. Hackers get the hash file and brute force build up what each password was.

So is it possible to create such a system which cannot be brute forced cracked? Or would take more power than is available in current computers?

Because they have a database with 4 billion combinations in them to check against. Which is nothing, when compared to the other freely available checkup https://haveibeenpwned.com/

So I take it both sites are just checking in lists that have been found online?

I do know one of my older passwords was found out from somewhere, because I occasionally get requests by email for me to pay somebody a few grand in bitcoins so they don't tell the world I watch porn or something. And they quote a password I used several years ago.

Surely, a website/forum/whatever can store passwords in some kind of secure form so they can't just be read when hacked? Some way the server can check I entered the right password but it doesn't actually know what it is?

And I assume the Google one is better, as I assume it's checking the email address AND password, whereas your link only checks the email address. It said I had been compromised, but it didn't tell me what password was used, so I have no idea if I have to change it again or not. I can't remember the password used on the site it mentioned, as I haven't used it for ages.

Back in the windows nt days, we were able to crack 12 digit passwords in a matter of minutes, on older hardware (Pentium 166Mhz), with a DVD containing 3-4Gb of passwords (rainbow tables).

If back then it took only 2 minutes to crack a password, it'll take mere few seconds to crack them using 4000+ core GPUs.

Also, the generation of 2-4 GB of rainbow tables took nearly a year.

With current hardware, and an optimized algorithm, 100GB Blu-ray discs filled with rainbow tables can be generated in the same amount of time. Meaning, once the table is out in the open, even 15 digit passwords containing asci characters (letters, numbers, capital letters, symbols and spaces), can be hacked in a matter of minutes.

Doesn't this require you to try millions of times to log in? The server should notice this is a hacking attempt and lock you out.

I do know one of my older passwords was found out from somewhere, because I occasionally get requests by email for me to pay somebody a few grand in bitcoins so they don't tell the world I watch porn or something. And they quote a password I used several years ago.

Firstly, it does not matter on which website you see this new warning. The new message is a warning about the username/email and password combination that you just entered. That combination has been compromised in a breach of a website/app. What that actually means is you need to change your password on all websites/apps where you are using the same username/email and password combination.

https://support.google.com/chrome/thread/23534509?hl=en

Iow, it's the email address/password combination you used that has been compromised, somewhere, not necessarily here.

Thanks!
I first saw it on Boinc forums.

I knew for 4 months, my password was compromised, as i got scam mails in my inbox, extorting me into showing what I did, if I didn't return the email; but I don't really care (haven't done anything worth spreading).
They don't know I have different levels of passwords, and the password they got, was the lowest level, mainly forum passwords. 😆