internet password security - the game has changed


  • #1

    So kids, the recent wave of security issues resulting in people's computers and private info getting ripped off shows no signs of letting up.

    Currently, there is claimed to be an unknown vulnerability in vBulletin, the software currently used by PSB and thousands of other forums worldwide.

    What does this mean? If you are using the same password for your PSB login (or any other forum) as anything else, especially for the email account you signed up with - change it.

    It also means that the days of getting away with re-using the same passwords everywhere are over.

    I would highly recommend you use different passwords for each site, and to do this, the easiest way to do it is with a password manager (because remembering one or two passwords is hard enough, more than a handful is impossible - and people generate REALLY shitty passwords).

    One of the best, if not the best available is called "KeePass" - fully open source, and free. There's no real excuse not to use one.

    KeePass can record your passwords in an encrypted database so you only need to remember one (good) password to encrypt your database with. Every other password can be either auto-typed or copied and pasted out of KeePass. It can generate secure random passwords for you that you don't need to remember.

    KeePass is available here: KeePass Password Safe

    You can set it up to sync via dropbox between multiple computers, to your phone, etc.



    Set up unique passwords for every site. Stress less.
    “Crashing is shit for you, shit for the bike, shit for the mechanics and shit for the set-up,” Checa told me a while back. “It’s a signal that you are heading in the wrong direction. You want to win but crashing is the opposite. It’s like being in France when you want to go to England and when you crash you go to Spain. That way you’ll never get to England!” -- Carlos Checa

  • #2
    Oh... and to clarify why I am posting this (now):

    2 high profile forums have just recently been hacked that run vBulletin.

    Macrumors (a massive apple forum)
    and
    vbulletin.com

    i.e., the forum for the support of the forum software. The Macrumors hack resulted in 860,000 users having their passwords, email addresses, etc. exposed. Doesn't matter how good your password is, the way most forum software stores it is reasonably easy to break (it isn't very hard encryption to break for speed purposes so the forums can cope with so many hits).

    And nobody knows exactly why yet. There is no patch out yet. And given vBulletin's home site just got hacked, it could be some time in coming. Which means the PSB forum (and others) are probably right now insecure.

    But this isn't a problem exclusive to vBulletin. PHPBB has repeatedly been hacked. As have most other forums. Adobe just recently got hacked, and 129 million account details (including passwords) were leaked. PSN has been hacked. Evernote recently hacked. Linkedin got hacked, LivingSocial, etc.

    Assuming your password is safe anywhere on the internet is folly. Assume that it will be stolen (along with your email address) via a hack, wherever you use it, sooner or later.


    Given that, the only sane stance is to use unique passwords for each site.... because I guarantee that people use the same email address for multiple forum signups, and it doesn't take a rocket-scientist hacker to assume that maybe the email and password you used for say, PSB is the same one you used for say, perthriders, macrumors, or maybe your email account, iTunes account, eBay, Amazon, motomummy, etc.
    Last edited by thro; 19-11-2013, 08:12 AM.



    • #3
      - Have your own domain name, eg thro.com.au
      - Have catch-all email hosting, ie everything that goes to thro.com.au still gets through.
      - Use a different email address for each web site that requires an email address, eg psb @ thro.com.au
      - It's not perfect... actually, it's bugger all... but it's at least something. Also means that you can trace and filter spam easily.
      Last edited by Phildo; 19-11-2013, 02:01 PM.
      One owner. Only driven gently on Sundays. Sold to best offer. First to see will buy. Reward offered for safe return. Coming soon to a cinema near you. Available for a limited time only.

      My waterbed broke this morning. Oh, I don't have a waterbed. Bugger.



      • #4
        So where it says enter PASSWORD and then retype PASSWORD am I supposed to be typing something else?

        I was just following the directions....
        Do you remember the good old days before the internet?

        when arguments were only entered into by the physically or intellectually able.



        • #5
          Those damn Russians

          (Back in the good old days)
          Every one has a story.....

          http://www.perthstreetbikes.com/foru...updates-82338/



          • #6
            EWallet is another good app. You can back up to your desktop or the cloud. But why use cloud backup when that's where the hackers are?
            "Speed Kills". The stupid person's answer to a complex problem.



            • #7
              Interesting [MENTION=7023]thro[/MENTION].

              Because everything I've been reading lately has suggested not using generators, that the best way is to come up with a personal method of creating a long password for any particular site.

              For example, there's a hell of a lot more entropy in "gippoisafuckingidiotbutrichhasniceeyes" than there is in "299Akskdje0)@!:"

              And, if you come up with some method of creating a site password that's unique to you, that's easily repeatable and that's unlikely to create lots of variants, then all you have to remember is that method and you have super secure passwords for everything that you don't have to remember for each place.
              "Once upon a time we would obey in public, but in private we would be cynical; today, we announce cynicism, but in private we obey."



              • #8
                Originally posted by Hamster
                EWallet is another good app. You can back up to your desktop or the cloud. But why use cloud backup when that's where the hackers are?
                Plus, what if it's fine? How can you access your stuff if it's in the cloud but there's no clouds. Worse still what if it starts to rain. Other people could see your private stuff if it falls from the cloud.
                I dunno, this cloud stuff sounds very shaky to me.
                Originally posted by mekon
                Why are pirates called pirates?
                Because they Arrrrrr



                • #9
                  Originally posted by Captain Starfish
                  Interesting thro.

                  Because everything I've been reading lately has suggested not using generators, that the best way is to come up with a personal method of creating a long password for any particular site.
                  Entropy is a function of character set and length.

                  There is more entropy in 32 (or 64, or 1024, etc. - KeePass has no fixed limit on password length, it can generate/store as big as the remote site will take) totally random characters than a human will come up with and remember (the XKCD comic is actually not really correct any more).

                  If you have to remember them, shorter (than 32 character fully random or whatever) passwords generated via a method known to you can be remembered, but if you are not remembering them (and with a password manager, you don't have to), 100% random is better.

                  If your password has words in it (even mutated via numbers) it will fall a lot more quickly to dictionary based attacks than otherwise.

                  But, these days crackers also have tables of basically every hash for a few common algorithms (e.g., MD5) - from memory the entire key-space for X characters (where X = I can't remember how many, but something like 8-9 or more) will fit on a 1.5 TB drive, so "cracking" a password is simply a case of looking up the hash in some cases now. There are also on-line services using Amazon cloud services to brute force passwords (i.e., far more horsepower available than an individual has using their own computers).

                  The main point is to make sure your passwords are unique between sites. UNIQUE is far more important than making them difficult these days - difficulty is just a matter of how long until the hash is broken once a site is hacked (one minute, one hour, one day, one week, etc.). If you don't re-use that password elsewhere, a cracker having the hash that they can potentially crack isn't going to impact any of your other log-ins, no matter how quickly or slowly he breaks it.

                  Hypothetical example: If someone breaks into PSB and cracks your PSB password's hash - if it is unique all he can use it for is PSB. Which he hacked anyway....
                  Last edited by thro; 19-11-2013, 08:08 AM.


                  • #10
                    Or make them unique between classes of sites.

                    If someone gets my password for PSB, do I really give a shit that they can now log into three or four other forums?


                    • #11
                      What happens when KeePass gets hacked?
                      Adventure before Dementia



                      • #12
                        Originally posted by Morgs
                        What happens when KeePass gets hacked?
                        This is what I always think. I don't know fuck all, but it seems to me having a treasure chest of passwords seems like they just need to crack one and they get them all, rather than just cracking one site. Maybe it has awesome security though.

                        Also, how do I know you aren't a Nigerian scammer [MENTION=7023]thro[/MENTION] and KeePass is your site to steal all my info?
                        My mum always used to say, when life hands you lemons "kill mob within spell duration with a soul gem of adequate quality for the mob's level to trap its soul"



                        • #13
                          Originally posted by Morgs
                          What happens when KeePass gets hacked?
                          • KeePass does not store anything other than a single file on your computer
                          • An attacker needs to get hold of your KeePass database file, which is 256-bit AES encrypted
                          • When you set up KeePass, you can select how many encryption "rounds" it will perform on your database. By default it picks a number that ensures it will take one second per decryption attempt on your current machine (this means it will take one second to unlock your database, which isn't a big impact to you, but slows down brute force massively: 1 attempt per second or so, instead of several billion per second). To brute force your KeePass database would take several hundred trillion years at current processing speeds. This can be bumped up as processors get faster. A 1 second delay isn't a problem for a password manager, but for a web forum the encryption couldn't be that slow or it would slow the site down massively.


                          You can also set up two-factor authentication, so that KeePass requires either a file, or to be running on the Windows account associated with your account's Windows SID, which is a 128-bit GUID number that is unique to your Windows account on your computer.

                          So in summary: if your KeePass database gets stolen, you have quite some time before somebody breaks the encryption (in theory via brute force, at least a trillion years or so even if they only searched 1% of the key-space). If it is stolen, you'd still be recommended to change your passwords, but the likelihood of them being obtained is very low.

                          As far as being a scammer? KeePass has been around over 7 years, and is open source. Anyone is free to inspect the source code to verify that it does what it says and nothing else.

                          We're having a security audit at work at the moment, by ex-DSD (Australian version of the NSA) and ex-GCHQ (UK's NSA) staff. I asked them which password manager they use. They use KeePass.


                          But hey, write them down on paper, use LastPass or 1password or Excel, or Notepad or whatever if you don't trust it.
                          Last edited by thro; 19-11-2013, 09:15 AM.


                          • #14
                            Originally posted by thro
                            There are also on-line services using amazon cloud services to brute force passwords (i.e., far more horsepower available than an individual has using their own computers).
                            It surprises me that sites don't protect themselves from brute force attacks. You know, something like only one attempt permitted within a given time, and enforce a minimum length, to reduce the probability of a successful attempt to something very very small. Same as web search tools protect themselves from getting bot spammed: 1 search per user per 10 seconds, etc.
                            Originally posted by Bendito
                            If we get to a stop and we are missing a dozen bikes and you are last, it was your fault. Don't be that guy. No one likes that guy.



                            • #15
                              Originally posted by g0zer
                              It surprises me that sites don't protect themselves from brute force attacks. You know, something like only one attempt permitted within a given time, and enforce a minimum length, to reduce the probability of a successful attempt to something very very small. Same as web search tools protect themselves from getting bot spammed: 1 search per user per 10 seconds, etc.
                              Ahh, this is a misconception. Yes, most sites limit log-ins to a limit of 3 failed attempts per hour or whatever.

                              However, if someone has previously broken into the site via a security vulnerability and stolen the password hashes, these can be brute-forced offline (i.e., no login attempts).

                              Once the plaintext is found that generates the hash they stole, they know that this is the password. It can then either be used to log into the site as that user, or tried on other sites that they haven't hacked yet, since quite often the user has used the same password on different sites.