[craftkiller]

> there does not seem to be any way for _me_, the person affected, to know what password were breached

You should be using a unique randomly-generated password for each website. That way, one breach doesn't lead to multiple accounts getting hijacked AND you'll know which passwords were breached solely based on the website list. The only passwords I still keep in my head are:

  1. The password to my password manager
  2. The password to my gmail account
  3. The passwords for my full disk encryption

All of those passwords are unique and not used anywhere else. Everything else is in my password manager with a unique randomly generated password for each account. And for extra protection, I enable 2fa on any site that supports u2f/webauthn.

I used to reuse the same password for everything, and that lead to a pretty miserable month where suddenly ALL of my accounts were compromised. I'd log in to one account and see pizzas I never ordered. Then I'd open uber and see a ride actively in-progress on the other side of the country. It was not fun.

[taftster]

Yes! Me too. Not adding anything here except a confirmation on the above approach. You kind of need your email password as a "break glass" scenario. But mostly, you just need your password manager.

[DaSHacka]

and root disk encryption, unless you have some alternative method set up.

[imp0cat]

That's the default in this day and age, no?

[taftster]

I mean, probably should be. But for me, no. Well, not my personal computer anyway. That's a mistake, I know. But corporate computer yes.

So no, I don't think "in this day and age" necessarily. And I believe that the vast majority of "normal" users don't do full drive encryption either. But yes, we should.

[akerl_]

Last I looked, windows and Mac installs both push the user to set up bitlocker or FileVault, respectively. You have to actively say no if you don’t want it.

[taftster]

I deliberately dodged there, as you noted. I do not have full disk encryption setup. I know that I'm probably have a very bad day if I come to lose my laptop, etc. I should do this, no doubt.

But I'm not sure. While maybe good password management is starting to soak into common computer usage, I don't think disk encryption is all that common just yet across the average user. It should be. But the average user is just moving to their phone anyway, with face id and encryption by default, instead of maintain their own personal device.

Corporate devices seem to be a bit better in this regard, though.

[subscribed]

Nice. Now I'd like to know WHICH password got leaked.

That way the breach impact can quickly be limited.

Troy probably would share that information for a price. Not sure whom to pay though - the "good" guy who won't say a word, or a criminal who will happily share it with me?

It's possible the latter would be cheaper too.

[Jaxan]

They don’t store email addresses with password in the database. That would be way too risky. These are separate databases, so you can lookup your email address, and separately check a password.

[cestith]

I think for passwords they only store a hashed version.

[tengwar2]

Also if possible, use a unique email address for each site. I know that's not feasible for most people, and some sites (e.g. LinkedIn) are structured so that email addresses become linked, but it does provide useful isolation.