Not Mine

Story: Millions of Gmail accounts hacked, was yours one of them?
Total Replies: 15
Scott_Ruecker

Sep 11, 2014
12:45 PM EDT
I have a password that no one, not even me, could guess. I have used it for a couple of years now and I still have to "look it up" to get it right.
montezuma

Sep 11, 2014
1:22 PM EDT
I guess to be secure all these passwords need storing somewhere (with a password safe?) and this storage needs a password located physically rather than virtually.
mrider

Sep 11, 2014
2:06 PM EDT
I seem to recall reading somewhere that in all likelihood few, if not none, of the accounts were hacked so much as they were either harvested from computers running malware, or were guessed based on password reuse from other sites.
seatex

Sep 11, 2014
2:09 PM EDT
Not mine. But I have my own mail server and only use gmail as a secondary.
Browser72

Sep 11, 2014
3:04 PM EDT
http://2briancox.wordpress.com/2014/07/31/how-to-create-a-go...
jdixon

Sep 11, 2014
3:50 PM EDT
Mine apparently wasn't affected.
tuxchick

Sep 11, 2014
8:43 PM EDT
I write all of my logins in a paper notebook. "Don't write down your passwords" is the dumbest advice ever.
Fettoosh

Sep 12, 2014
1:21 AM EDT
Quoting: How do you like this password. Kifak*Ya*Zalemeh#1


I use foreign words that make a meaningful sentence but are written in the Latin alphabet. I don't even need to write them down.

And no, I don't use this one at all.



gary_newell

Sep 12, 2014
6:44 AM EDT
I have a couple of email accounts and one was on the list but the password was well over 10 years old.

I would imagine that the password wasn't guessed for these lists. I would imagine that when signing up to a forum or other service the user and password details were not encrypted.

This highlights the need to keep separate passwords for separate tasks. For my emails and important accounts I have a password, for forums I use a different password and for banking I have ultra secure passwords. (and banks have their own security as well).
Scott_Ruecker

Sep 12, 2014
9:42 AM EDT
Quoting: I write all of my logins in a paper notebook. "Don't write down your passwords" is the dumbest advice ever.


I hear you there Carla, I started and am constantly updating a list I keep of passwords to all the websites I have usernames and passwords for. As I come across them (and there are many) I update my list.
Bob_Robertson

Sep 12, 2014
10:06 AM EDT
> "Don't write down your passwords" is the dumbest advice ever.

When physical access was how one generally reached a computer, keeping the password "virtual" was a good idea.

Now that the attack vector is "virtual", that is, through the network, a password written down has no relation whatsoever to any physical machine.

The separation is still there, one physical, one "virtual", they've just swapped places.

Writing down the password for my laptop and keeping that with me would still be a bad idea today, because then the physical attack vector works for both.

As a security "expert" once told me, "Something you have, something you know, something you are." When all three are used, it's as good security as you can get.

Reminds me of a datacenter in Japan where the door locks scanned the back of my hand, making a thermal map of the blood vessels (or would that be nuclear wessels?) while I passed the pass-card over the pick-up.

gus3

Sep 12, 2014
11:47 AM EDT
"Something you are" would bring a TOS warning for some of us. ;-)
tuxchick

Sep 13, 2014
7:09 AM EDT
Bio-scanners suffer the same weakness as any other credential: the scans are digitized and stored, just like passwords and encryption keys. So we're back to square one, with the bonus fun of crude hacks like ripping your eyeball out to get past a retina scanner.
Steven_Rosenber

Sep 15, 2014
2:02 PM EDT
Making users jump through hoops to create an acceptable password obscures the fact that brute-force attacks just don't happen, and that most passwords are compromised either through social-engineering phishing attacks or outright theft of poorly (or non-) encrypted data.
CFWhitman

Sep 15, 2014
2:47 PM EDT
Well, brute-force attacks don't happen directly on the account. How brute-force attacks happen is that someone hacks into a large system (often using malware or social engineering to get his hands on some good set of credentials), steals the username/password database (which is encrypted), and then runs local brute-force attacks on his copy of the encrypted passwords at his leisure. Once he's discovered a password, he can then log onto the original site as the user in question.
hkwint

Sep 17, 2014
4:44 PM EDT
Adding to what CFWhitman said, there are rainbow-tables for those websites that don't use salt. And - shame on them - but there are many of them!

Dumbest thing is, if you have a good 15-char password with reading signs, apostrophes and the whole plethora out of a 92 char-set, then there are other devices / services which don't accept (shame on you darn Vodafone!) or simply drop (thanks for nothing for trying three days to retype my pw without luck Zyxel) those. Can't we just make a name-'n-shame wall for those stupid websites which don't let you use a safe password?
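
The two posts above describe offline guessing against a stolen password database and precomputed tables working where no salt is used. As an added example (not part of the thread), this compares unsalted fast hashing with per-user salted PBKDF2 and includes an audit check that flags identical stored hashes. The user names, passwords, function names and iteration count are constructed for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # constructed work factor; tune to your own hardware

# Constructed sample accounts: alice and bob reuse the same password.
USERS = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}


def unsalted_table(users: dict) -> dict:
    """Weak scheme: one fast hash, no salt. Same password -> same record."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def salted_table(users: dict) -> dict:
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    table = {}
    for user, password in users.items():
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        table[user] = (salt, digest)
    return table


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def shared_hashes(table: dict) -> dict:
    """Audit check: users whose stored hash is byte-for-byte identical.

    Any hit means one guess (or one precomputed entry) covers every user
    in the group, which is the weakness of unsalted storage.
    """
    groups = {}
    for user, stored in table.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


if __name__ == "__main__":
    print("unsalted duplicates:", list(shared_hashes(unsalted_table(USERS)).values()))
    salted = salted_table(USERS)
    print("salted duplicates:  ", list(shared_hashes(
        {u: d.hex() for u, (_, d) in salted.items()}).values()))
    print("alice verifies:     ", verify("correct horse", *salted["alice"]))
```
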
