
Perhaps implement some type of “password canary” - some type of test account(s) with known high-entropy passwords.

Have an automated system send periodic login requests (or any other requests which contain sensitive information that shouldn’t be logged) for this account, and have another system which searches log files for the password.

If it’s ever found, you know something is leaking.
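The log-scanning half of the "password canary" described above, as an added example (not code from the original comment). The canary username and password are constructed for this example, and the scanner looks for the password not only in plaintext but also URL-encoded and base64-encoded (as a Basic auth header), since request logs usually carry one of those forms rather than the raw string:

```python
import base64
import urllib.parse

# Hypothetical canary credentials (constructed for this example): a dedicated
# test account whose high-entropy password is used for nothing else, so any
# appearance of it in a log file can only mean the request path leaked it.
CANARY_USERNAME = "canary-user"
CANARY_PASSWORD = "Xk7#vQ2pL9!mZr4wT8bN"


def canary_forms(username: str, password: str) -> dict:
    """Encodings under which a leaked password typically shows up in logs.

    A raw substring search only catches the plaintext form; request logs
    often hold the URL-encoded query string or a base64 Basic-auth header.
    """
    basic = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {
        "plain": password,
        "urlencoded": urllib.parse.quote(password, safe=""),
        "urlencoded_plus": urllib.parse.quote_plus(password),
        "base64": base64.b64encode(password.encode()).decode(),
        "basic_auth": basic,
    }


def scan_log(lines, username: str, password: str) -> dict:
    """Return {line_number: [matching forms]} for every line carrying the canary."""
    forms = canary_forms(username, password)
    hits = {}
    for lineno, line in enumerate(lines, start=1):
        matched = [name for name, needle in forms.items() if needle in line]
        if matched:
            hits[lineno] = matched
    return hits


def log_is_clean(lines, username: str = CANARY_USERNAME,
                 password: str = CANARY_PASSWORD) -> bool:
    """True when no form of the canary appears anywhere in the given lines."""
    return not scan_log(lines, username, password)


# Constructed sample log lines: line 2 logs a request body verbatim, line 3 a
# query string, line 4 an Authorization header; line 5 shows what a redacting
# logger should emit instead.
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  auth login user=alice result=ok",
    "2024-05-01T10:00:05Z DEBUG auth body user=canary-user password=Xk7#vQ2pL9!mZr4wT8bN",
    "2024-05-01T10:00:07Z INFO  http GET /reset?password=Xk7%23vQ2pL9%21mZr4wT8bN 200",
    "2024-05-01T10:00:09Z DEBUG http hdr Authorization: Basic "
    + base64.b64encode(b"canary-user:Xk7#vQ2pL9!mZr4wT8bN").decode(),
    "2024-05-01T10:00:11Z INFO  auth login user=canary-user password=[REDACTED] result=ok",
]


if __name__ == "__main__":
    for lineno, forms in scan_log(SAMPLE_LOG, CANARY_USERNAME, CANARY_PASSWORD).items():
        print(f"line {lineno}: canary leaked as {', '.join(forms)}")
```

Run this over the sample and lines 2, 3 and 4 are flagged while the redacted line 5 is not; in practice the same scan would run over each day's log shipment, and the canary account itself should have no privileges so that the known password is useless if it does leak.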



And regularly check for that password on haveibeenpwned and other breached password databases.


Do you trust the database to not have been hijacked to capture checked passwords?

Better advice is to delete accounts you don't use. If not possible (illegal in the EU now), scramble private data and the password.

Download the databases yourself and check them locally.

Changing passwords regularly also limits the damage.
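The local check suggested above (download the breached-password list and query it offline, so the password is never sent to a third party), as an added example that is not part of any comment in the thread. It assumes the file format of the downloadable HIBP Pwned Passwords list, one `SHA1:COUNT` line per entry; the two-line excerpt below is constructed, with the real SHA-1 digests of "password" and "123456" but made-up counts:

```python
import hashlib

# Constructed excerpt of a locally downloaded breached-password list in the
# HIBP Pwned Passwords format: uppercase SHA-1 hex, a colon, and a prevalence
# count. The hashes are the real SHA-1s of "password" and "123456"; the counts
# are made up for this example.
SAMPLE_PWNED_LIST = """\
5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
7C4A8D09CA3762AF61E59520943DC26494F8941B:37359195
"""


def load_pwned_hashes(text: str) -> dict:
    """Parse HASH:COUNT lines into {sha1_hex: count}, skipping blank lines."""
    index = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, count = line.split(":", 1)
        index[digest.upper()] = int(count)
    return index


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, matching the list's key format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, index: dict) -> int:
    """Times the password appears in the local list (0 = not found).

    Only the hash is computed and compared; the password never leaves the
    process, which is the point of checking locally rather than online.
    """
    return index.get(sha1_hex(password), 0)


if __name__ == "__main__":
    idx = load_pwned_hashes(SAMPLE_PWNED_LIST)
    # The second candidate is a constructed high-entropy canary password.
    for candidate in ("password", "Xk7#vQ2pL9!mZr4wT8bN"):
        print(candidate, "->", breach_count(candidate, idx))
```

For the full list the dict would be replaced by a binary search over the sorted file or a database table, but the check stays the same: hash locally, look up locally, and treat any non-zero count as a reason to rotate the credential.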



