'1731, 2033, 9854' blog discussion

124 Replies

  • Speaking of risky behaviour, Martin could equally well post three passwords of three users of this site. He and an unknown number of people would be able to access this information and use it to access other sites, obvious examples would be ebay, paypal, amazon.

    I'm not saying that Martin or any of the people that have access to the MSE database are untrustworthy, but people sign up to lots of sites using the same password. Any of them could turn out to have a rogue employee, and it's easy to use this data to hack into paypal etc. (a process which can be automated on a grand scale).

    This actually happened to me.

    So please, use a different password on forums like this one from paypal, banks, amazon, etc.
  • meester wrote: »
    Speaking of risky behaviour, Martin could equally well post three passwords of three users of this site. He and an unknown number of people would be able to access this information and use it to access other sites, obvious examples would be ebay, paypal, amazon. I'm not saying that Martin or any of the people that have access to the MSE database are untrustworthy, but people sign up to lots of sites using the same password. Any of them could turn out to have a rogue employee, and it's easy to use this data to hack into paypal etc. (a process which can be automated on a grand scale).

    Password security is certainly a very important issue, and it is always wise to have a different password for each website you use. However, just as an aside, it is fairly likely that the passwords on this forum (as with almost all websites now) are encrypted by the forum software so that neither Martin, the builders on the forum, nor yourself can actually view them. This is why you often have to "reset" a password entirely if you have forgotten it, or have it sent via email to you. If your password is discovered, it is most likely because a) it was too easy to guess b) it was entered onto a fake/phishing site (i.e. a site linked to from an email that looks and pretends to be your bank's website and asks for security information, but is actually just a means to get hold of your passwords) or c) was picked up by a keylogger held within a virus on your computer system.

    Most user databases hold passwords in an encrypted form, so that they cannot be viewed as simply as you may think.
  • HobbesUK wrote: »
    Password security is certainly a very important issue, and it is always wise to have a different password for each website you use. However, just as an aside, it is fairly likely that the passwords on this forum (as with almost all websites now) are encrypted by the forum software so that neither Martin, the builders on the forum, nor yourself can actually view them. This is why you often have to "reset" a password entirely if you have forgotten it, or have it sent via email to you. If your password is discovered, it is most likely because a) it was too easy to guess b) it was entered onto a fake/phishing site (i.e. a site linked to from an email that looks and pretends to be your bank's website and asks for security information, but is actually just a means to get hold of your passwords) or c) was picked up by a keylogger held within a virus on your computer system.

    Most user databases hold passwords in an encrypted form, so that they cannot be viewed as simply as you may think.

    Nobody knows how the passwords are stored. Even if a given website is running standard forum software that stores password hashes, it would be very simple for the owner to change it to store the passwords in plaintext. It is safest to assume that every website you signup to knows your password. And it's simply wrong to say that 'almost all' websites encrypt your password. I've had my password emailed to me by numerous websites. I just searched in my inbox for some passwords I use, and it has been EMAILED to me on signup by over 150 different websites. One particularly egregious example is greasypalm which sends out its weekly spam with links to their website including my username and password on each link (no less than 20 times in a single email), all unencoded in plaintext. If you clicked on one of these links, your personal details (already sent insecurely over the internet) would be in your browser's history, and also in any proxy servers, etc. that your data might be passing through.

    Even if the passwords are stored as a hash rather than plaintext (as is the case with vbulletin, which powers this site), if you had access to the database, which would give you the hashed password, it's easy to run a dictionary and/or bruteforce attack by hashing candidate passwords and comparing them against the stored value (you could check thousands of passwords per second, whereas a brute force attack on a banking website would be severely throttled by the speed of the web server and likely safeguards).

    It's complete rubbish to imply that all you have to worry about is weak passwords, phishing and viruses.
  • [Deleted User] Forumite
    meester wrote: »
    Speaking of risky behaviour, Martin could equally well post three passwords of three users of this site
    No he couldn't...

    1) He probably doesn't have direct access to the SQL database in question, and
    2) The MSE forums run on VBulletin, which MD5-Hashes everyone's passwords on registration.
  • If card companies want to be able to use the disclosure of PIN as a get out for claims of fraud then they should also ensure that the machines make it easy to hide those details. I would like to see a cover over the keypad with glass that can only be seen through when looking at the correct angle, that way people in the queue would have no idea what keys you press.

    With respect to websites and passwords you really should use different passwords for each site. Most sites do now only store a hash of the password but it doesn't change the fact that if you get to choose your own password then it does end up being sent to the site before being hashed and therefore could be logged. If you were to be duped into entering your details into a site pretending to be a well known site then at least you will have only disclosed the details for that site and not all sites you use.

    I try to avoid using sites that can email your password if you forget it - this proves that they store the password and not some hash of it, not to mention that email is a very insecure way of sending those details. Unfortunately it seems that thetrainline, qjump and virgintrains (and possibly all rail providers) rely on the same underlying system for their sites and just provide a different graphical look. So if you have an account at thetrainline you have to use the same password for all the sites and if you say you've forgotten the password then they will email you your password in plain text!
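As an added illustration, written for this thread and not code from MSE, vBulletin or any site named above, the Python below puts side by side the two storage schemes the posts argue over and the reset flow that follows from them: an unsalted MD5 store, where two users who chose the same password end up with the same digest and every guess costs one fast hash, beside a per-user-salted PBKDF2 store; and a reset flow that emails a one-time, expiring token instead of the password, which is the only option a hash-storing site has (redfred's point that a site able to email your password must be keeping it). The function names, the iteration count, the token lifetime and the sample password are assumptions made for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# All names and values here are constructed for illustration, not taken from
# vBulletin, MSE or any real site.
ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def md5_store(password: str) -> str:
    """Unsalted MD5, the scheme the thread attributes to vBulletin.

    Two accounts with the same password get the same digest, so one lookup in a
    table of precomputed hashes (or one fast hash per guess) covers every
    account that chose that password.
    """
    return hashlib.md5(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow hash: a fresh random salt per user plus PBKDF2-HMAC-SHA256."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def same_password_same_record(scheme, password: str) -> bool:
    """True if two accounts choosing the same password get identical stored values."""
    return scheme(password) == scheme(password)


class ResetStore:
    """One-time, expiring password-reset tokens.

    A site that only stores hashes cannot email the password back; it can only
    email a link carrying a random token. Only the token's SHA-256 is kept, so a
    leak of this table does not hand out usable reset links.
    """

    def __init__(self, ttl_seconds: int = 900):
        self.ttl = ttl_seconds
        # sha256(token) -> (username, expiry time)
        self._tokens: Dict[str, Tuple[str, float]] = {}

    def issue(self, username: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self._tokens[key] = (username, now + self.ttl)
        return token  # this goes in the e-mail link, never the password

    def redeem(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the username if the token is valid and unused, else None."""
        now = time.time() if now is None else now
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self._tokens.pop(key, None)  # pop: a token works at most once
        if entry is None:
            return None
        username, expiry = entry
        return username if now <= expiry else None


if __name__ == "__main__":
    pw = "correct horse"  # constructed sample password
    print("unsalted MD5 identical across users:", same_password_same_record(md5_store, pw))
    print("salted PBKDF2 identical across users:", same_password_same_record(hash_password, pw))
    rec = hash_password(pw)
    print("verify right password:", verify_password(pw, rec))
    print("verify wrong password:", verify_password("wrong", rec))
    store = ResetStore()
    tok = store.issue("alice")
    print("first redeem:", store.redeem(tok), "second redeem:", store.redeem(tok))
```

The salt is what defeats the "hash once, match every account" shortcut, and the iteration count is what turns thousands of guesses per second into far fewer; neither changes the fact, made elsewhere in the thread, that the password still reaches the site in clear before it is hashed, which is why a distinct password per site remains the sensible default.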
  • JimmyTheWig Forumite
    redfred wrote: »
    With respect to websites and passwords you really should use different passwords for each site.
    While I can see the point in this, how many passwords would that entail? I can think of a dozen, at least.
    How could you possibly remember all of these passwords, and which password goes with which site? I think you'd end up with a written list (which a lot of people do in workplaces where IT insist on "difficult" passwords) which is much more dangerous.

    I think a better solution is to treat a password like you do a toothbrush - change it regularly and don't share it with anyone!
  • spandit Forumite
    JimmyTheWig wrote: »
    While I can see the point in this, how many passwords would that entail? I can think of a dozen, at least.
    How could you possibly remember all of these passwords, and which password goes with which site? I think you'd end up with a written list (which a lot of people do in workplaces where IT insist on "difficult" passwords) which is much more dangerous.

    I think a better solution is to treat a password like you do a toothbrush - change it regularly and don't share it with anyone!

    To remember loads of different passwords you can link each password with the relevant website. For example, MSE starts with "M", so it's the password containing the "m". Using the same rule should make things easier, although you'd have to keep your "rule" secret.

    My father uses a way of remembering the PINs on all of his cards where each PIN is different. He uses a rule where his PIN is the (for example) 12th, 5th, 9th and 15th digit of the long number along the middle of the card. These are usually grouped in fours so it is easy to glance and see the numbers. As long as he doesn't give out which 4 digits he's looking at (and the fact that he's doing it!) he should be safer than using the same PIN for all cards. Another method is to make up a four letter word which can be typed out using predictive text on mobile phones (and hence on the keypad).
  • miggy Forumite
    Martin's point reminded me of something that happened to me not so long ago.
    I was having lunch in a quiet country pub with a companion. We were out of sight of the chap behind the bar but he had chatted with us so he knew we were there.
    He then answered the phone and proceeded to take a booking, repeating all the details - including card number - to make sure he'd written them down right. The only one missing was the type of credit card!
    It's made me very aware that details given over the phone aren't exactly secure.
    Miggy

  • [Deleted User] wrote: »
    No he couldn't...

    1) He probably doesn't have direct access to the SQL database in question,

    He owns the site, he 100% could get access if he wanted to.
    2) The MSE forums run on VBulletin, which MD5-Hashes everyone's passwords on registration.

    A Vbulletin distribution obtained from VBulletin hashes everyone's passwords, but you have absolutely no way of telling whether the Vbulletin running on any given website is unmodified. What happens if you sign up to a given website, let's say 'Crochet Talk', and they've modified their vbulletin/phpbb/whatever to email the email addresses and passwords of all new users to themselves? They then try logging into paypal using those email addresses and passwords, bam, you've lost money. Or they could login to your email account and look for personal data and use it to defraud you.
  • JimmyTheWig wrote: »
    While I can see the point in this, how many passwords would that entail? I can think of a dozen, at least.
    How could you possibly remember all of these passwords, and which password goes with which site? I think you'd end up with a written list (which a lot of people do in workplaces where IT insist on "difficult" passwords) which is much more dangerous.

    I think a better solution is to treat a password like you do a toothbrush - change it regularly and don't share it with anyone!

    I'm a member of hundreds of websites; I couldn't possibly change them all.

    Easier to keep two or three secure passwords, e.g., for email, banking, and shopping and then for everything else (web forums, etc., where they don't have your financial info) use the same password.
This discussion has been closed.