
'How to have lots of passwords without struggling to remember them' blog discussion

124 Comments

  • macutmore
    macutmore Posts: 28 Forumite
    Even encryption is being successfully 'decrypted' nowadays, using the power of the cloud itself. It's only the inconvenience of the time it takes, but the potential reward might just outweigh that.

    At least if you use stronger individual passwords, those that have the weaker ones will ultimately be victims first before you or better still instead of you!
  • John_Pierpoint
    John_Pierpoint Posts: 8,393 Forumite
    Part of the Furniture 1,000 Posts
    I'm noticing that a lot more sites are making rules for passwords along the lines of
    "Password is case sensitive, it must be at least 8 characters including two letters 2 numbers and 2 punctuation characters"
    The last requirement can cause problems if you are trying to use "the cloud" from a "foreign" keyboard.
  • safetygirl
    safetygirl Posts: 46 Forumite
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!
    :):):):):):):j:):):):):):)
  • macutmore
    macutmore Posts: 28 Forumite
    edited 15 May 2011 at 12:46PM
    safetygirl wrote: »
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!


    That's a good 'million dollar question', & it seems the likes of Sony & Facebook are still trying to work that out somehow. It wouldn't be 'one' responsible individual in my guess. The sheer power of multiple computing (cloud botnet style), & simple passwords (let's start with abc123 etc) make it a bit easier. The likes of an SQL injection attack & beyond start to get a bit more complex.

    It is now possible on accounts like gmail and facebook to enable a feature called "login approval", which effectively locks out a hack attempt by positively identifying yourself using a unique security code if any attempt is made to login to your account from a different computer.

    http://m.readwriteweb.com/archives/facebook_launches_login_approvals_new_secure_two_factor_authentication.php

    :T
  • cgk1
    cgk1 Posts: 1,300 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    safetygirl wrote: »
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them? The reason for asking is that no matter how complex your password, if a program is used it will crack them no matter what? I'm not techy so feel free to correct me if I am wrong!

    Most Facebook passwords are of the weak dictionary types. Passwords are the weak link in any system so Martin's advice of using dictionary words is pretty lousy.
    macutmore wrote: »
    It is now possible on accounts like gmail and facebook to enable a feature called "login approval",

    Yes and no - Gmail and google accounts use two-factor authentication (if you turn it on) - you put in your password and then you are required to put in a random number generated from an app - this is good.

    Facebook's "login approval" is as much use as a chocolate fireguard, it allows you to log in from a strange machine and then simply sends you an email saying you've done it - relying on the user seeing the email before the account is changed and they are logged out. The system described in your link does not seem to be currently available to UK customers. A waste of time in its current form.
  • cgk1
    cgk1 Posts: 1,300 Forumite
    Tenth Anniversary 1,000 Posts Combo Breaker
    macutmore wrote: »
    Even encryption is being successfully 'decrypted' nowadays, using the power of the cloud itself. It's only the inconvenience of the time it takes, but the potential reward might just outweigh that.

    At least if you use stronger individual passwords, those that have the weaker ones will ultimately be victims first before you or better still instead of you!


    Which is why two-factor is the way to go - I use lastpass with a strong password and also a Yubikey. Unless they manage to steal the actual yubikey off me they are straight out of luck.
  • asbokid
    asbokid Posts: 2,008 Forumite
    edited 16 May 2011 at 11:26PM
    cgk1 wrote: »
    safetygirl wrote: »
    How did the hackers crack Sony and Facebook's user passwords? Did they guess them randomly or have a program which did it for them?
    Most facebook passwords are of the weak dictionary types

    I don't buy that old chestnut for a minute.

    The theory of these attacks being brute force dictionary-based attacks is a very tall fairytale.

    This is a myth put out by company insiders and stooges who would rather cast aspersions on the victims than admit liability for their own security failings.

    Think about the scale of the task of performing a successful brute force attack over the internet. It would be vast, and there are time constraints involved, too.

    Remember you've got to submit the correct username and password combination before the authentication server locks you out. That typically happens after n incorrect password tries on the same account.

    The OED has 100,000 commonly-used words, and there are maybe another 10,000 more words that are popular proper nouns. 110,000 words to choose from, two cases for every letter, and five goes to get it right. No chance!

    Much more likely is that the security breaches occur in the authentication systems of the companies themselves. That often includes data theft by disgruntled former employees who leave with inside knowledge and then sell that data to criminals.

    Alternatively, passwords can be stolen on-the-wire, using packet sniffing tools. Until recently, Facebook did not offer encrypted HTTP sessions during login. At any point along the network path from the user to Facebook's authentication server, login passwords could be sniffed using off-the-shelf tools like Wireshark.

    Or malicious code can be installed remotely onto the PC of a victim. That code typically includes its own deep network packet inspection capabilities, and keystroke logging.

    The next time the victim logs into his Facebook or Sony account, his password is automatically picked up by the malicious code that is running on his machine. The malicious code secretly forwards his password to a listening socket that has been set up by the hacker on another machine that he has also hacked (so as to obfuscate the audit trail).

    We are not talking script-kiddies here. We are into the realms of serious organised crime. When you think about the vast sums stolen in the numerous internet-based attacks on the banking system, this is a multi-billion dollar black industry.
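asbokid's post reasons about guessing a password through the login form, where the lockout after n wrong tries bounds the attacker. safetygirl's question was whether "a program" can crack any password, and cgk1's answer concerned weak dictionary passwords. The two settings differ: an online guess costs a login attempt against the lockout counter, whereas an attacker who has obtained the site's password-hash table (by any of the routes asbokid lists) can test candidates offline at whatever rate their hardware allows. The Python below is an added example for this thread, not code from the page or from any of the companies mentioned; the "leaked" table, salts and dictionary are constructed inline for the demo. It runs a small rule-based dictionary attack against unsalted SHA-1 hashes, repeats it against salted hashes to show why salting multiplies the attacker's work, and gives the per-account success probability of the online attack asbokid describes.

```python
import hashlib


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed sample data (not from any real breach): four users, three of whom chose
# a dictionary word with common mangling, one of whom chose something off-dictionary.
PLAINTEXTS = {"alice": "sunshine", "bob": "Password1", "carol": "dragon!", "dave": "Tr0ub4dor&3"}
LEAKED_UNSALTED = {u: sha1_hex(p) for u, p in PLAINTEXTS.items()}
SALTS = {"alice": "k3Q", "bob": "9zP", "carol": "Lm2", "dave": "x7R"}      # constructed
LEAKED_SALTED = {u: (SALTS[u], sha1_hex(SALTS[u] + p)) for u, p in PLAINTEXTS.items()}

DICTIONARY = ["password", "sunshine", "dragon", "letmein", "monkey"]       # toy wordlist


def mangle(word: str):
    """Typical cracker rules: as-is, Capitalised, UPPER, each alone or with a
    single digit or '!' appended. 36 candidates per lowercase word."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for suffix in "0123456789!":
            yield base + suffix


def crack_unsalted(leaked: dict, dictionary: list):
    """Unsalted: hash every candidate once, then look every user's hash up in the
    table. Work is proportional to the candidate count, not to the user count."""
    lookup, work = {}, 0
    for word in dictionary:
        for cand in mangle(word):
            lookup[sha1_hex(cand)] = cand
            work += 1
    cracked = {u: lookup[h] for u, h in leaked.items() if h in lookup}
    return cracked, work


def crack_salted(leaked: dict, dictionary: list):
    """Salted: the per-user salt means every candidate must be re-hashed for every
    user, so work scales with users x candidates (same results, more hashing)."""
    cracked, work = {}, 0
    for user, (salt, h) in leaked.items():
        for word in dictionary:
            for cand in mangle(word):
                work += 1
                if sha1_hex(salt + cand) == h:
                    cracked[user] = cand
    return cracked, work


def online_success_probability(keyspace: int, attempts_before_lockout: int = 5) -> float:
    """Chance of guessing one account's password through the login form before
    lockout, if the password is uniformly drawn from 'keyspace' possibilities."""
    return attempts_before_lockout / keyspace


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(LEAKED_UNSALTED, DICTIONARY))
    print("salted:  ", crack_salted(LEAKED_SALTED, DICTIONARY))
    # asbokid's figure of 110,000 words, here with two whole-word case variants
    print("online, 5 tries:", online_success_probability(110_000 * 2))
```

Note what the numbers say: against a leaked unsalted table 180 hash computations recover three of four accounts at once, salting raises that to 720 for the same three accounts, and neither figure is affected by any lockout policy. Real wordlists are millions of entries with far richer rule sets, and the attacker is limited only by hashing speed, which is why the choice of a slow, salted password hash on the server side matters as much as the user's choice of password.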
  • MothballsWallet
    MothballsWallet Posts: 15,855 Forumite
    Part of the Furniture 10,000 Posts Name Dropper Photogenic
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
  • Eco_Miser
    Eco_Miser Posts: 4,766 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    MothballsWallet wrote: »
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
    I keep the encrypted database on a pendrive, so there's nothing on the computer even if it gets stolen, and the data on the pendrive is still secure.
    Eco Miser
    Saving money for well over half a century
  • Stompa
    Stompa Posts: 8,351 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    MothballsWallet wrote: »
    I use one of those password database programs (can I mention the one I use personally?) that saves the data in its own format, and can save it as a CSV file that can be loaded into a spreadsheet (handy for keeping a copy on the old pen drive).
    I hope the CSV file is not stored unencrypted?
    Stompa
This discussion has been closed.