by cassianoleal
900 days ago
> the company doing nothing to prevent or detect this. How would they do that? I'm not defending 23andMe but I really don't see how a service can detect that the password I chose on their website is the same I chose on a different one. Not without: a) them knowing what my chosen password is; and b) them knowing my passwords on other websites.

Where I work, the security team monitors PW leaks and runs them against our user base. If we find matches, we lock their accounts and force a reset; that password also goes into a file and becomes perma-banned from being chosen.

We also force multi-factor, which isn't bulletproof (heck, if you used the same TOTP on 2 sites your hex key could get stolen), but it does go a long way. 2-factor is super annoying though, and lots of places only offer crap methods like SMS (I loathe giving out my phone number). Personally I'd rather use just a strong site-specific password than be forced to provide my phone number.
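The leak-matching workflow described in the comment above, as an added Python example that is not cassianoleal's code or anything from 23andMe: a constructed user store with scrypt-hashed passwords, a constructed leak dump of (email, plaintext) pairs, and a perma-ban list that keeps only SHA-1 digests of leaked passwords bucketed by 5-hex-character prefix (the same range-lookup shape Have I Been Pwned's Pwned Passwords API uses, so the banned-password file never holds plaintext). A leaked pair only proves reuse if the leaked password still verifies against the hash the site already holds, which is why no knowledge of the user's other passwords is needed. All emails and passwords below are made up.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    locked: bool = False
    must_reset: bool = False


def hash_password(password: str, salt: bytes) -> bytes:
    # scrypt from hashlib (OpenSSL). n=2**14 keeps the demo fast; tune upward in production.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)


def make_account(email: str, password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(email.lower(), salt, hash_password(password, salt))


def verify_password(acct: Account, candidate: str) -> bool:
    return hmac.compare_digest(hash_password(candidate, acct.salt), acct.pw_hash)


class LeakedPasswordDenylist:
    """Perma-ban list of leaked passwords, stored as SHA-1 digests only.

    Digests are bucketed by their first 5 hex characters so the list can be
    shipped or queried as prefix ranges rather than as full digests.
    """

    def __init__(self) -> None:
        self._buckets: dict[str, set[str]] = {}

    @staticmethod
    def digest(password: str) -> str:
        return hashlib.sha1(password.encode()).hexdigest().upper()

    def add(self, password: str) -> None:
        h = self.digest(password)
        self._buckets.setdefault(h[:5], set()).add(h[5:])

    def contains(self, password: str) -> bool:
        h = self.digest(password)
        return h[5:] in self._buckets.get(h[:5], set())


def process_leak(accounts: dict[str, Account], leak: list[tuple[str, str]],
                 denylist: LeakedPasswordDenylist) -> list[str]:
    """Run a leak dump against our users; lock and flag every account whose
    stored hash still verifies the leaked password. Every leaked password is
    banned from future use whether or not it matched. Returns locked emails."""
    locked = []
    for email, leaked_pw in leak:
        denylist.add(leaked_pw)
        acct = accounts.get(email.lower())
        if acct is not None and not acct.locked and verify_password(acct, leaked_pw):
            acct.locked = True
            acct.must_reset = True
            locked.append(acct.email)
    return locked


def set_password(accounts: dict[str, Account], email: str, new_pw: str,
                 denylist: LeakedPasswordDenylist) -> bool:
    """Reset flow: refuse anything on the deny-list, else rehash with a fresh salt and unlock."""
    if denylist.contains(new_pw):
        return False
    acct = accounts[email.lower()]
    acct.salt = secrets.token_bytes(16)
    acct.pw_hash = hash_password(new_pw, acct.salt)
    acct.locked = False
    acct.must_reset = False
    return True


# Constructed sample data: hypothetical users and a hypothetical leak dump.
USERS = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse battery staple"),
]
LEAK = [
    ("alice@example.com", "hunter2"),      # reused here: lock + force reset
    ("bob@example.com", "password123"),    # differs from bob's password: no lock, still banned
    ("dave@example.com", "letmein"),       # not our user: still banned
]


def demo() -> dict:
    accounts = {e: make_account(e, p) for e, p in USERS}
    denylist = LeakedPasswordDenylist()
    locked = process_leak(accounts, LEAK, denylist)
    results = {
        "locked": locked,
        "bob_locked": accounts["bob@example.com"].locked,
        "reuse_rejected": set_password(accounts, "alice@example.com", "hunter2", denylist),
        "other_leak_rejected": set_password(accounts, "alice@example.com", "letmein", denylist),
        "fresh_accepted": set_password(accounts, "alice@example.com", "Y7k!qz-plain-pebble-42", denylist),
    }
    results["alice_unlocked"] = not accounts["alice@example.com"].locked
    return results


if __name__ == "__main__":
    print(demo())
```

The check happens at the only moments the site legitimately holds a plaintext (leak ingestion and the user's own reset), and the ban list is consulted by digest so that a leaked file of banned passwords is not itself a second leak.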