Brianna Wu · Jul 11, 2020 · 12:27 AM UTC

Brianna Wu

Brianna Wu @BriannaWu

11 Jul 2020

The password is 64 digits, randomly generated, and unique. And somehow they still got it. Google’s Titan Product just stopped my campaign emails from leaking. Take infosec seriously, everybody. If not for yourself, then for your colleagues.

161

717

3,516

Bil Corry · Jul 11, 2020 · 1:50 AM UTC

Bil Corry @bilcorry

11 Jul 2020

Are you still able to log into it with your password? Curious if the password was reset somehow to a value the attacker knows.

Brianna Wu · Jul 11, 2020 · 3:25 AM UTC

Brianna Wu @BriannaWu

11 Jul 2020

Yes, I could before I changed it.

Bil Corry · Jul 11, 2020 · 4:12 AM UTC

Bil Corry @bilcorry

11 Jul 2020

That doesn’t bode well, it means it was captured via phishing, sniffed via MitM, stolen via keylogger/malware, stolen from a place that has it stored, observed if you typed it in, or perhaps brute-forced. Regardless, that’s what 2FA is for, so congrats on excellent OpSec!

Herley · Jul 11, 2020 · 5:11 AM UTC

Herley @_herley_

11 Jul 2020

It is nearly impossible to brute-force 64 bits password.

Bil Corry · Jul 11, 2020 · 7:04 AM UTC

Bil Corry · Jul 11, 2020 · 7:04 AM UTC

Bil Corry @bilcorry

11 Jul 2020

Replying to @_herley_ @BriannaWu

64-bits is not the same as 64-characters, but I agree, highly improbable, including if there’s a known weakness with how the password was chosen.

Jul 11, 2020 · 7:04 AM UTC

This tweet is unavailable

Brianna Wu · Jul 11, 2020 · 11:30 AM UTC

Brianna Wu @BriannaWu

11 Jul 2020

I have wondered though, if someone downloaded the 1Password hash itself (Dropbox, iCloud) could they brute force it? That password is non-trivial, but it’s not 64-characters.

more replies