Student of Trinity (Magnificent Ornk), posted December 21, 2013:
I'm just going to leave this here. Click the link at your own risk. There are dangerous things out there on the internet, after all.

Randomizer (Hatchling Cockatrice), posted December 21, 2013:
The real world isn't much better with the recent credit/debit card breach at Target. I'm waiting to find out if I'm a victim.
keira (Easygoing Eyebeast), posted December 21, 2013 (edited):
Want to maintain your security and privacy online? Better take advice from the biggest threat to your personal security and privacy online.
Edited December 21, 2013 by drone riots: oh i see what this is about

Lilith (Hatchling Cockatrice), posted December 21, 2013:
True story: a couple of weeks ago, I received a notification that Google had blocked an attempt to log into my Gmail account from Ukraine, using my password. My best guess on what happened is that I'd stupidly registered for some forums using my Gmail address as a contact email address and the same password for the forum that I used for my Gmail account, and one of those forums had been compromised. I've now changed my passwords and enabled mandatory phone authentication for any attempts to log in with an unrecognised computer. Let this be a lesson to all of you: this stuff really does happen to real people. Use unique passwords for anything important.
edit: okay, i clicked the link and... what. oh well, i'm going to leave this post here anyway because it's still good advice.
springacres (Garrulous Glaahk), posted December 21, 2013:
> The real world isn't much better with the recent credit/debit card breach at Target. I'm waiting to find out if I'm a victim.
I didn't bother to wait, just headed down to the bank and got myself a new one today. And as annoying as mandatory phone authentication is, I have it for both my Google account and my bank's web branch. Better safe than sorry.

Dintiradan (Easygoing Eyebeast), posted December 21, 2013:
December is Month Awareness Month. But seriously, I've gotten into the habit of using unique passwords for everything now, and I manage it using the Schneier Method. I don't write down passwords for stuff that really needs to be kept secret (i.e. banking, keyring passphrases), but passwords for random forums on the web? Sure. If someone breaks into my house and gets access to the files in my desk drawer, they're not going to gain access to any place they wouldn't already have access to with saved cookies on my desktop.

Lilith (Hatchling Cockatrice), posted December 21, 2013:
> December is Month Awareness Month. But seriously, I've gotten into the habit of using unique passwords for everything now, and I manage it using the Schneier Method. I don't write down passwords for stuff that really needs to be kept secret (i.e. banking, keyring passphrases), but passwords for random forums on the web? Sure. If someone breaks into my house and gets access to the files in my desk drawer, they're not going to gain access to any place they wouldn't already have access to with saved cookies on my desktop.
There's always steganography. My dad used to use a password made out of the first character on every line of one of the diplomas he kept on his wall: easy to remember, long and entropic enough to be secure, and it's not likely an intruder would guess to look there for a password.

Callie (Understated Ur-Drakon), posted December 21, 2013:
Whoa, CyndiTM has an incredibly compressed torso. I'm worried our ironic feline friend will succumb to heart failure, and then nobody will stop and think before they connect (which is apparently done exclusively in boldface).
MMXPERT-seraph of thermodynamics (Ineffable Wingbolt), posted December 21, 2013:
I use one password for everything, but it's so freaking unique and amazing, no single person could figure it out. It doesn't even contain anything related to me, or anything on the internet, no numbers, no real words. AKA it's uncrackable.

Lilith (Hatchling Cockatrice), posted December 21, 2013:
> I use one password for everything, but it's so freaking unique and amazing, no single person could figure it out. It doesn't even contain anything related to me, or anything on the internet, no numbers, no real words. AKA it's uncrackable.
until the day you use your email and password to sign up for a service that stores your password in cleartext and that service gets hacked into

BMA (Ineffable Wingbolt), posted December 21, 2013:
The games and ciphers on that site were quite entertaining. Phone authentication's a real plus: we could all post our passwords in public, and still only the holder of the phone would be able to get past the second tier.
keira (Easygoing Eyebeast), posted December 21, 2013 (edited):
> until the day you use your email and password to sign up for a service that stores your password in cleartext and that service gets hacked into
protip: you have no real way of proving the former (unless the site says rubbish like "maximum character length", in which case they are imbeciles and you should move your business elsewhere). Also, even sites that use md5 hashing aren't really secure anymore because GPUs. Personally, for all auth systems I code, I use salted PBKDF2 with the sha256 hash algorithm and a large number of iterations. This is deliberately chosen because it takes a long time (computing-wise) to check, which is what you want to thwart brute-force attacks. The salting also prevents simple keysearches. Of course, all of this is moot if the user doesn't secure their password appropriately. Having "password" as your password everywhere is stupid, but there's not much I can do to prevent that. You should always use a unique password for every site you visit because you have no way of knowing if their side is secure. Firefox (and presumably all the others) has a handy "master password" feature, which encrypts all the other passwords with one password you have to remember. This moves the point of vulnerability from every site you use to just your machine.
Edited December 21, 2013 by drone riots: remember: you are simultaneously the weakest and the strongest link in the security chain
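The scheme keira describes (a per-user random salt, PBKDF2-HMAC-SHA256, a deliberately large iteration count) is small enough to show in full. The block below is an added example written for this page; it is not keira's code or anything from the forum. The record format, the constant names and the parameter values are this example's own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example, not code from the thread: store and verify passwords with
# salted PBKDF2-HMAC-SHA256. The constants are this example's assumptions.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # cost knob: the higher, the slower each guess is to check
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algorithm$iterations$salt_hex$hash_hex'.

    A fresh random salt per user means two users with the same password get
    different records, so a precomputed table of hashes helps an attacker with
    nobody's record in particular.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                              iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    expected = bytes.fromhex(key_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations),
                                    dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so timing
    # does not reveal how much of the hash matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Check this right after a successful login and re-hash with the plaintext
    you just verified; old records then get upgraded without a forced reset.
    """
    _, stored_iterations, _, _ = record.split("$")
    return int(stored_iterations) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("password", rec))                      # False
```

Storing the iteration count inside the record is what lets the cost be raised later without breaking existing logins; `needs_rehash` is the hook for that. The point of the high iteration count is asymmetric: one legitimate login pays the cost once, while someone working through a leaked database pays it for every guess against every user.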
MMXPERT-seraph of thermodynamics (Ineffable Wingbolt), posted December 21, 2013:
I just realized that the ultimate password is pasword.

Randomizer (Hatchling Cockatrice), posted December 21, 2013:
Hackers are still amazed at how many multi-user computers still have default passwords years after being installed. Some things never get changed.

keira (Easygoing Eyebeast), posted December 21, 2013 (edited):
Yeah, here's a protip for anyone buying a pre-built computer: since you're already getting ripped off, you might as well shell out the extra $100 for an OEM version of Windows. That way you have an operating system that's actually secure and not loaded with all the rubbish companies put in. First off, it'll make your system much faster; secondly, they usually stick in "support" programs that will allow remote control (at the very least this could be a user with admin privs and RDP access). Historically these have been... less than secure, and all these will have admin permissions (doooooom). Also, for email users: if you haven't already, for the love of god use GPG. Any person with POP or IMAP access (if you have Gmail you have this) can use Enigmail with Thunderbird. It makes signing and encrypting messages easy and simple. Most people say "when would I need to use that" and my answer is usually "when wouldn't you?". At the very least it's insurance in case your email account gets compromised.
Edited December 21, 2013 by drone riots: E21DDBDE
Sudanna (Understated Ur-Drakon), posted December 21, 2013:
I use the same password for everything, and that password is a single real word. Because I value convenience much, much more than I value "safety". I can deal with something bad happening every once in a while. Minor inconvenience that occurs every single day of my life, multiple times? More [censored] to manage and time to spend on "cybersecurity"? No. I simply cannot be arsed.

MMXPERT-seraph of thermodynamics (Ineffable Wingbolt), posted December 21, 2013:
Your password is "safety", isn't it?

Sudanna (Understated Ur-Drakon), posted December 22, 2013:
Try it and find out.

Lilith (Hatchling Cockatrice), posted December 22, 2013:
> I use the same password for everything, and that password is a single real word. Because I value convenience much, much more than I value "safety". I can deal with something bad happening every once in a while. Minor inconvenience that occurs every single day of my life, multiple times? More [censored] to manage and time to spend on "cybersecurity"? No. I simply cannot be arsed.
the calculus on this changes a little when you have an online banking account that anyone with the login details could turn upside down and shake until all the money falls out (i never used my standard password for that, fortunately)

Sudanna (Understated Ur-Drakon), posted December 22, 2013:
I have exactly that thing, actually! I don't have very much money, though, so meh.
keira (Easygoing Eyebeast), posted December 22, 2013:
> I have exactly that thing, actually! I don't have very much money, though, so meh.
Yes, because banks never just let you get negative dollars and then give you a second butthole with overdraft fees.

Sudanna (Understated Ur-Drakon), posted December 22, 2013:
I repeat: totally not worth it.

Questionably Legal (Garrulous Glaahk), posted December 22, 2013:
I seem to be halfway between MMXPERT and Sylae. I use the same basic string of nonsense letters & numbers as a start, and then add on specific characters based on the site I'm making the password for. This doesn't extend to my bank passwords though. Those are completely unique. Nalyd, you have so little money that you're completely indifferent to someone stealing it, and ruining your credit as well?

The Almighty Doer of Stuff (Understated Ur-Drakon), posted December 22, 2013:
I use the same password for all my message boards, my diet website, and nationstates (silly things that don't matter) with minor variations for stupid character restrictions. Everything else has unique passwords. Minecraft has a string of words, and Facebook has a much longer string of words because for a while someone kept compromising my account over and over again despite repeated password changes. I even scanned for malware and found none. I think it was one of my political apps. I trust the organizations involved but there might have been security holes in the apps. Alternately it could have been the NSA disagreeing with my political leanings. All I know is when I deleted the apps the fraudulent access stopped. Nobody else seems to have complained about it though. Maybe I'm just special.
Aran (Magnificent Ornk), posted December 22, 2013:
I use the xkcd method everywhere, with 4-5 random ordinary words. It's good memory training. Of course, the way websites handle trust, my email account is the only truly important one. Every website will gladly send a password reset token to your email address (unencrypted, naturally). That's pretty much broken from a security perspective. (Also, my bank made me buy one of those gadgets that compute one-time transaction codes using the card.)
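The thread contrasts two habits: Sudanna's single real word used everywhere, and Aran's xkcd-style passphrase of 4-5 random ordinary words. The block below is an added example, not code from either poster or from xkcd, that makes the difference concrete: it generates a passphrase with a cryptographic RNG and estimates the guessing work each scheme imposes. The wordlist sizes, the attacker guess rates and the demo wordlist are constructed illustrative values, not measurements.

```python
import math
import secrets

# Added example, not from the thread: passphrase generation the xkcd way and
# a back-of-envelope comparison with a single dictionary word. All numbers
# below are constructed assumptions for illustration.

# Constructed stand-in for a real wordlist; a real list has thousands of
# entries, and the list size is what the entropy estimate depends on.
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "lantern", "pebble", "orchard",
    "velvet", "compass", "thimble", "glacier", "saddle", "walnut", "harbor",
    "quartz", "meadow",
]


def generate_passphrase(wordlist, n_words=4, sep=" "):
    """Pick n_words independently and uniformly with the secrets module.

    secrets.choice uses the OS CSPRNG; the random module is not suitable here.
    """
    if len(wordlist) < 2 or n_words < 1:
        raise ValueError("need a wordlist of at least two entries and n_words >= 1")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(list_size, n_words):
    """Entropy of n_words independent uniform picks from list_size candidates."""
    return n_words * math.log2(list_size)


def expected_guess_seconds(bits, guesses_per_second):
    """Average time to hit the secret at a given rate: half the keyspace."""
    return (2 ** bits) / 2 / guesses_per_second


def compare_schemes():
    """Guessing work for the two habits discussed in the thread."""
    ONLINE_RATE = 10       # constructed: guesses/s against a rate-limited login form
    OFFLINE_RATE = 1e10    # constructed: guesses/s against a leaked fast hash on GPUs
    schemes = {
        # one English word picked from a ~100k-word dictionary
        "one dictionary word": entropy_bits(100_000, 1),
        # the 2048-word list the xkcd comic assumes
        "4 random words (2048-word list)": entropy_bits(2048, 4),
        "5 random words (2048-word list)": entropy_bits(2048, 5),
    }
    seconds_per_year = 365.25 * 24 * 3600
    return {
        name: {
            "bits": round(bits, 1),
            "online_years": expected_guess_seconds(bits, ONLINE_RATE) / seconds_per_year,
            "offline_seconds": expected_guess_seconds(bits, OFFLINE_RATE),
        }
        for name, bits in schemes.items()
    }


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(DEMO_WORDLIST, 5))
    for name, stats in compare_schemes().items():
        print(f"{name:34s} {stats['bits']:5.1f} bits  "
              f"online: {stats['online_years']:.3g} years  "
              f"offline: {stats['offline_seconds']:.3g} s")
```

The offline column is the one that matters once a site leaks its database, which is exactly the scenario Lilith raises earlier in the thread: a single dictionary word falls in microseconds against a fast hash, while four words from a 2048-word list (44 bits) take on the order of a quarter of an hour at the assumed ten billion guesses per second, and a slow hash like PBKDF2 multiplies that by its iteration count. The online column shows why rate limiting alone makes even weak secrets slow to guess, and why the email account that receives reset tokens is the one worth protecting most.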
Student of Trinity (Magnificent Ornk, thread author), posted December 31, 2013:
We have one of those things, too. It's awesome. You plug your ATM card into this little red plastic box, and type your PIN into its keypad. Then you go to the bank's website on your computer. With each transaction, a little portion of the screen starts flashing jumbled black and white squares, and you hold the little red box up to the screen, to let it see the pattern. After a while, it's seen enough, and it spits out a six-digit TAN code. The only link between the TAN generator and the internet is optical. It sounds like something I'd post as a joke, but it's real.

Lilith (Hatchling Cockatrice), posted December 31, 2013:
> Of course, the way websites handle trust, my email account is the only truly important one. Every website will gladly send a password reset token to your email address - unencrypted, naturally. That's pretty much broken from a security perspective.
To elaborate a little on this, it's pretty bad even if your email account itself is secure: unencrypted emails are trivially easy to intercept in transit.

Aran (Magnificent Ornk), posted January 1, 2014:
> To elaborate a little on this, it's pretty bad even if your email account itself is secure: unencrypted emails are trivially easy to intercept in transit.
Well, at least mail server traffic is mostly encrypted end-to-end now, for what that's worth, so it should (in theory) only be trivial if you own one of the relays or can intercept a TLS connection. It's still not something you want to entrust with anything more important than a forum password. The annoying thing is that it isn't hard to encrypt those mails, since most script languages have gnupg bindings.

Khoth (Well-Actually War Trall), posted January 2, 2014:
> The annoying thing is that it isn't hard to encrypt those mails, since most script languages have gnupg bindings.
But most users don't have (or care enough to get) the capability to read encrypted emails.

adc. (Unflappable Drayk), posted January 2, 2014:
> True story: a couple of weeks ago, I received a notification that Google had blocked an attempt to log into my Gmail account from Ukraine, using my password. My best guess on what happened is that I'd stupidly registered for some forums using my Gmail address as a contact email address and the same password for the forum that I used for my Gmail account, and one of those forums had been compromised. I've now changed my passwords and enabled mandatory phone authentication for any attempts to log in with an unrecognised computer. Let this be a lesson to all of you -- this stuff really does happen to real people. Use unique passwords for anything important. edit: okay i clicked the link and what. oh well i'm going to leave this post here anyway because it's still good advice
Same stuff, but I registered on a whack a** game guide. I basically use one password when I register (except SWTOR; my brother knew that, so I had it changed). When I tried to log into my YouTube, it said somebody attempted to open my account from China. lolcow, so it had the same password as SWTOR. Advice: passwords would look worthless, but can save 1337 tons of stress. So no more "who the heck would hack my account anyway?" quote.
-Nightwatcher