
October is Cybersecurity Awareness Month


Student of Trinity


True story: a couple of weeks ago, I received a notification that Google had blocked an attempt to log into my Gmail account from Ukraine, using my password. My best guess on what happened is that I'd stupidly registered for some forums using my Gmail address as a contact email address and the same password for the forum that I used for my Gmail account, and one of those forums had been compromised. I've now changed my passwords and enabled mandatory phone authentication for any attempts to log in with an unrecognised computer.

 

Let this be a lesson to all of you -- this stuff really does happen to real people. Use unique passwords for anything important.

 

edit: okay i clicked the link and what. oh well i'm going to leave this post here anyway because it's still good advice


The real world isn't much better with the recent credit/debit card breach at Target. I'm waiting to find out if I'm a victim.

I didn't bother to wait, just headed down to the bank and got myself a new one today.

 

And as annoying as mandatory phone authentication is, I have it for both my Google account and my bank's web branch. Better safe than sorry.


December is Month Awareness Month.

 

But seriously, I've gotten into the habit of using unique passwords for everything now, and I manage it using the Schneier Method. I don't write down passwords for stuff that really needs to be kept secret (i.e. banking, keyring passphrases), but passwords for random forums on the web? Sure. If someone breaks into my house and gets access to the files in my desk drawer, they're not going to gain access to any place they wouldn't already have access to with saved cookies on my desktop.


December is Month Awareness Month.

 

But seriously, I've gotten into the habit of using unique passwords for everything now, and I manage it using the Schneier Method. I don't write down passwords for stuff that really needs to be kept secret (i.e. banking, keyring passphrases), but passwords for random forums on the web? Sure. If someone breaks into my house and gets access to the files in my desk drawer, they're not going to gain access to any place they wouldn't already have access to with saved cookies on my desktop.

 

There's always steganography. My dad used to use a password made out of the first character on every line of one of the diplomas he kept on his wall: easy to remember, long and entropic enough to be secure, and it's not likely an intruder would guess to look there for a password.


I use one password for everything, but it's so freaking unique and amazing, no single person could figure it out. It doesn't even contain anything related to me, or anything on the internet, no numbers, no real words. Aka it's uncrackable.

 

until the day you use your email and password to sign up for a service that stores your password in cleartext and that service gets hacked into


 

 

until the day you use your email and password to sign up for a service that stores your password in cleartext and that service gets hacked into

protip: you have no real way of proving the former (unless the site says rubbish like "maximum character length", in which case they are imbeciles and you should move your business elsewhere). Also, even sites that use MD5 hashing aren't really secure anymore because GPUs.

 

Personally, for all auth systems I code, I use salted PBKDF2 with the SHA-256 hash algorithm and a large number of iterations. This is deliberately chosen because it takes a long time (computing-wise) to check, which is what you want to thwart brute-force attacks. The salting also prevents simple keysearches.

 

Of course, all of this is moot if the user doesn't secure their password appropriately. Having "password" as your password everywhere is stupid, but there's not much I can do to prevent that. You should always use a unique password for every site you visit because you have no way of knowing if their side is secure. Firefox (and presumably all the others) has a handy "master password" feature, which encrypts all the other passwords with one password you have to remember. This moves the point of vulnerability from every site you use to just your machine.

Edited by drone riots
remember: you are simultaneously the weakest and the strongest link in the security chain

Yeah, here's a protip for anyone buying a pre-built computer: since you're already getting ripped off, you might as well shell out the extra $100 for an OEM version of Windows. That way you have an operating system that's actually secure and not loaded with all the rubbish companies put in. First off, it'll make your system much faster; secondly, they usually stick in "support" programs that will allow remote control (at the very least this could be a user with admin privs and RDP access). Historically these have been...less than secure, and all these will have admin permissions (doooooom).

 

Also, for email users: If you haven't already, for the love of god use GPG. Any person with POP or IMAP access (if you have Gmail you have this) can use Enigmail with Thunderbird. It makes signing and encrypting messages easy and simple. Most people say "when would I need to use that" and my answer is usually "when wouldn't you?". At the very least it's insurance in case your email account gets compromised.

Edited by drone riots
E21DDBDE

I use the same password for everything, and that password is a single real word. Because I value convenience much, much more than I value "safety". I can deal with something bad happening every once in a while. Minor inconvenience that occurs every single day of my life, multiple times? More [censored] to manage and time to spend on "cybersecurity"? No. I simply cannot be arsed.


I use the same password for everything, and that password is a single real word. Because I value convenience much, much more than I value "safety". I can deal with something bad happening every once in a while. Minor inconvenience that occurs every single day of my life, multiple times? More [censored] to manage and time to spend on "cybersecurity"? No. I simply cannot be arsed.

 

the calculus on this changes a little when you have an online banking account that anyone with the login details could turn upside down and shake until all the money falls out

 

(i never used my standard password for that, fortunately)


I seem to be halfway between MMXPERT and Sylae. I use the same basic string of nonsense letters & numbers as a start, and then add on specific characters based on the site I'm making the password for. This doesn't extend to my bank passwords though. Those are completely unique.

 

 

Nalyd,

You have so little money that you're completely indifferent to someone stealing it, and ruining your credit as well?


I use the same password for all my message boards, my diet website, and nationstates (silly things that don't matter) with minor variations for stupid character restrictions. Everything else has unique passwords. Minecraft has a string of words, and Facebook has a much longer string of words because for a while someone kept compromising my account over and over again despite repeated password changes. I even scanned for malware and found none. I think it was one of my political apps. I trust the organizations involved but there might have been security holes in the apps. Alternately it could have been the NSA disagreeing with my political leanings. All I know is when I deleted the apps the fraudulent access stopped. Nobody else seems to have complained about it though. Maybe I'm just special.


I use the xkcd method everywhere, with 4-5 random ordinary words. It's good memory training.

 

Of course, the way websites handle trust, my email account is the only truly important one. Every website will gladly send a password reset token to your email address - unencrypted, naturally. That's pretty much broken from a security perspective.

 

(Also, my bank made me buy one of those gadgets that compute one-time transaction codes using the card.)


  • 2 weeks later...

We have one of those things, too. It's awesome. You plug your ATM card into this little red plastic box, and type your PIN into its keypad. Then you go to the bank's website on your computer. With each transaction, a little portion of the screen starts flashing jumbled black and white squares, and you hold the little red box up to the screen, to let it see the pattern. After a while, it's seen enough, and it spits out a six-digit TAN code. The only link between the TAN generator and the internet is optical. It sounds like something I'd post as a joke, but it's real.


Of course, the way websites handle trust, my email account is the only truly important one. Every website will gladly send a password reset token to your email address - unencrypted, naturally. That's pretty much broken from a security perspective.

 

To elaborate a little on this, it's pretty bad even if your email account itself is secure: unencrypted emails are trivially easy to intercept in transit.


To elaborate a little on this, it's pretty bad even if your email account itself is secure: unencrypted emails are trivially easy to intercept in transit.

 

Well, at least mail server traffic is mostly encrypted end-to-end now, for what that's worth, so it should (in theory) only be trivial if you own one of the relays or can intercept a TLS connection. It's still not something you want to entrust with anything more important than a forum password.

 

The annoying thing is that it isn't hard to encrypt those mails, since most script languages have gnupg bindings.


True story: a couple of weeks ago, I received a notification that Google had blocked an attempt to log into my Gmail account from Ukraine, using my password. My best guess on what happened is that I'd stupidly registered for some forums using my Gmail address as a contact email address and the same password for the forum that I used for my Gmail account, and one of those forums had been compromised. I've now changed my passwords and enabled mandatory phone authentication for any attempts to log in with an unrecognised computer.

 

Let this be a lesson to all of you -- this stuff really does happen to real people. Use unique passwords for anything important.

 

edit: okay i clicked the link and what. oh well i'm going to leave this post here anyway because it's still good advice

 

Same stuff, but I registered on a whack a** game guide. I basically use one password when I register (except SWTOR; my brother knew that, so I had it changed). When I tried to log into my YouTube, it said somebody attempted to open my account from China. lolcow, so it had the same password as SWTOR.

 

Advice: Passwords would look worthless, but can save 1337 tons of stress. So no more "who the heck would hack my account anyway?" quote.

-----

-Nightwatcher
