Travel Technology - Strong passwords


njxbean
Aug 4, 12, 4:50 pm
http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard

Yikes! I just went through and reset all my passwords after reading this.

So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo’s Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.

Here’s what happened:

At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.

The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.

At 5:00 PM, they remote wiped my iPhone

At 5:01 PM, they remote wiped my iPad

At 5:05, they remote wiped my MacBook Air.

A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.


UnitedFlyGuy
Aug 4, 12, 5:06 pm
Who uses only 7 character passwords? There's the mistake.

ScottC
Aug 4, 12, 5:57 pm
Not using Google 2-factor authentication = stupid.

Apple not offering it as an option at all = really stupid.


Aus_Mal
Aug 4, 12, 6:10 pm
I'm glad the article was updated to indicate that the password was gained by other means.

Yes brute forcing a password is certainly possible, and it's made a lot easier when short passwords, dictionary and non-complex passwords are used. However, the majority of online sites prevent such attacks these days by locking the account after incorrect logins.

My best guess is that the password was stolen through other means, eg. using a trojanised computer, falling for a phishing attack ... Or, the challenge questions for the Apple account not being secure.

dtsm
Aug 4, 12, 6:49 pm
Not using Google 2-factor authentication = stupid.

Apple not offering it as an option at all = really stupid.


^^

And make a small investment: 1Password

njxbean
Aug 5, 12, 7:04 am
^^

And make a small investment: 1Password
Is 1Password better than LastPass?

Flahusky
Aug 5, 12, 9:43 am
Is 1Password better than LastPass?

maybe...
LastPass is free*

1Password is $50

Both appear to support most everything out there...

ScottC
Aug 5, 12, 10:45 am
Report from Gizmodo now is that the "hacker" socially engineered his way into the account:

http://gizmodo.com/5931931/hackers-got-into-honans-icloud-account-with-deception-no-password-required

So, no 2-factor AND tech reps who'll let someone sweet talk their way into an account that can wipe all your devices. Niiiiiice :D

lwildernorva
Aug 5, 12, 10:49 am
I wish there was more uniformity in character limits, both in number and types of characters. Since Windows 2000, a password on a Windows computer can be as many as 127 characters, including spaces, but many banking and credit card sites allow no more than 12-14 characters. Some sites also do not allow the use of some special characters.

I like being able to create a simply remembered sentence (one of my passwords used to be "I want to play golf!") that is more difficult to guess than a single word or character combination. I also like that certain websites require you to pick a phrase and picture that will be displayed sometime during the logon process--it certainly seems a good additional defense to phishing scams.

cordelli
Aug 5, 12, 7:06 pm
ZD net says that he actually discussed with the hacker how he got in.

Wonder then if he found our first from the Hacker or first from Apple?

nerd
Aug 5, 12, 7:21 pm
I also like that certain websites require you to pick a phrase and picture that will be displayed sometime during the logon process--it certainly seems a good additional defense to phishing scams.

The challenge phrase/picture seems like such a simple addition to the login process (as compared to Google's send-a-text method, which is certainly more secure but probably more costly to implement) that I can't see why more sites don't have it.

dtsm
Aug 6, 12, 8:13 am
maybe...
LastPass is free*

1Password is $50

Both appear to support most everything out there...

LastPass is free. LastPass Premium [similar to 1Password] is not free... and I'm not sure if there are LastPass apps for iPhone and iPad?

njxbean
Aug 6, 12, 8:20 am
LastPass is free. LastPass Premium [similar to 1Password] is not free... and I'm not sure if there are LastPass apps for iPhone and iPad?

LastPass does have an iPad browser app.

gfunkdave
Aug 6, 12, 9:46 am
LastPass is free. LastPass Premium [similar to 1Password] is not free... and I'm not sure if there are LastPass apps for iPhone and iPad?

The LastPass Premium is IIRC $10/year and gives you access to the full functionality of the mobile apps, which are available for Android and iOS.

Not using Google 2-factor authentication = stupid.

Apple not offering it as an option at all = really stupid.

Agreed 1000%.

dtsm
Aug 6, 12, 12:07 pm
The LastPass Premium is IIRC $10/year and gives you access to the full functionality of the mobile apps, which are available for Android and iOS.

Sorry but it's $12/yr: https://lastpass.com/features_joinpremium.php

1Password [which is more prevalent for Mac users] is a one time purchase [$39.99]. I like 1Password because it stays on your computer and not loaded in a cloud [although you have option to upload to your dropbox]. I back up and keep multiple copies just in case. And sync with my two devices regularly.

Here's a comparison of the two apps:

1Password wins
http://www.40tech.com/2011/05/16/lastpass-vs-1password-whose-syncing-method-is-more-secure/
http://www.techerator.com/2011/03/why-i-left-lastpass-for-1password/

Lastpass wins
http://fusiongrokker.com/post/my-experience-moving-from-1password-to-lastpass

Bottom line - you can't go wrong with either, YMMV! :)

SNA1K
Aug 6, 12, 1:51 pm
I've been thinking it is time to upgrade to one of these password managers, but I'm not sure I want the workarounds that I've read about when using mobile devices. I use Chrome on my iPad and my wife uses Chrome on her Nexus 7. Ideally, one of these password managers could support Chrome whether on iOS, Android, or Windows and that would be the perfect solution for us.

None of them are there yet from what I see. If I'm wrong please share your opinions!

chgoeditor
Aug 6, 12, 3:14 pm
I use Roboform installed on my computer (PC running Chrome, Firefox & IE) and have mobile Roboform apps running on an iPad, Android 4.0 phone and Android 4.1 tablet. The passwords sync between the four devices regularly, so I've never encountered any issues with cross-platform use.

zkzkz
Aug 6, 12, 3:17 pm
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.

You might think only newbies would be fooled by such phishing attacks but frankly they're getting better and better at it. I've seen phishing attacks I could easily have fallen for even for sites I'm *extremely* familiar with.

The most important thing is to NOT use the same password for multiple sites. Once they have your password for one site they try it on every other site and immediately gain access to those sites.

Do use 2-factor authentication if it's available. Especially for email which is often a back door to your other accounts through "forgot my password" things.

chgoeditor
Aug 6, 12, 3:19 pm
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.

You might think only newbies would be fooled by such phishing attacks but frankly they're getting better and better at it. I've seen phishing attacks I could easily have fallen for even for sites I'm *extremely* familiar with.

The most important thing is to NOT use the same password for multiple sites. Once they have your password for one site they try it on every other site and immediately gain access to those sites.

Do use 2-factor authentication if it's available. Especially for email which is often a back door to your other accounts through "forgot my password" things.

Agreed. I've turned to two-step authentication for Gmail, Yahoo, Facebook and a few other sites. I wish more financial services sites would implement it, but of the many I use, only Chase seems to.

BStrauss3
Aug 7, 12, 9:24 am
Most of these compromises are phishing attacks where they send an email that looks like it's from facebook or yahoo or google or whatever that links to a login screen that looks real but is actually on a fake site that grabs your password.

This particular attack used the last 4 digits of his credit card # - apparently recovered from Amazon - to social engineer Apple into resetting his iCloud account. Now the last 4 digits are the ones usually printed on receipts so that's no great security. Wired magazine has tried this since the story broke and the attack is still feasible.

http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

BTW, I disagree with blaming Amazon - you could have done the same attack with the credit card receipt we all say 'no thank you' to at the store and let the clerk throw out...

packetshard
Aug 13, 12, 9:56 pm
I suppose it's worth pointing out that lots of password vault apps available for mobile devices actually do really dumb things that don't secure your passwords very well. Paid or free, quite a few of them make some really elementary crypto mistakes.

A few researchers from Elcomsoft sum it up well in this white paper:

http://www.elcomsoft.com/WP/BH-EU-2012-WP.pdf

There's lots of crypto-geek stuff in there, but if you're even moderately interested in the particulars, it's well worth your time.

Long story short, mobile password safes often have serious problems if an even moderately skilled and motivated attacker steals or confiscates your phone.

To echo what a few others have said, I highly recommend not using the same password value for more than one account or using your Facebook/Google/whatever account to authenticate to other services.

Thanks for letting me blather.

-p

whitearrow
Aug 14, 12, 10:49 am
I've been thinking it is time to upgrade to one of these password managers, but I'm not sure I want the workarounds that I've read about when using mobile devices. I use Chrome on my iPad and my wife uses Chrome on her Nexus 7. Ideally, one of these password managers could support Chrome whether on iOS, Android, or Windows and that would be the perfect solution for us.

LastPass works fine with Chrome for Windows.

77five
Aug 14, 12, 1:59 pm
LastPass works fine with Chrome for Windows.

How secure are these PW managers?

BigMoneyGrip
Aug 14, 12, 3:34 pm
I read where Google has a printout of access codes for situations where you don't have access to your mobile phone (traveling overseas). Does Yahoo and Facebook have a similar workaround?

nrr
Aug 14, 12, 5:12 pm
Most banks, credit card companies, and similar financial services will lock you out after three wrong password attempts, so a brute force attack by trying lots of passwords won't work in this situation. Why every site that requires a password doesn't have the same "three strikes and you're out" I don't know.
A while back, someone from Venezuela was able to "hack" my gmail acct and reset my password and locked me out--fortunately gmail has ways of letting the real user of a gmail acct back in. Since switching to 2-step verification, I haven't had a problem with gmail. [I don't know how they got into my acct in the first place.]
[PS: One nice feature gmail has is that you can see the IP addresses of the last several logons to one's acct, so if your acct was breached you could see the source.]

njxbean
Aug 14, 12, 5:33 pm
How secure are these PW managers?

I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.

nrr
Aug 15, 12, 4:36 am
I read where Google has a printout of access codes for situations where you don't have access to your mobile phone (traveling overseas). Does Yahoo and Facebook have a similar workaround?

When you set up 2-step, you get a list of 10 codes, to be used if you don't have access to your cell phone or other method you chose.

packetshard
Aug 15, 12, 7:53 am
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.

There's more to it than just whether it encrypts or not, but how it manages the ability to decrypt. Lots of pw managers encrypt and use a strong algorithm to encrypt, but leave the key to decrypt under the proverbial doormat. Others make brute-force attacks comparatively easy (another poster talked about account lockout after so many invalid attempts, and this person is absolutely correct, but if I'm the bad guy and I can steal your password database from your smartphone app, I can basically ignore that requirement. See the LinkedIn password breach for another instance of how this can work).

Long story short, it's complicated and just because "it encrypts the passwords" doesn't mean it hasn't done something stupid and vexing.

That said, Lastpass does a lot of things reasonably well. It had a fun incident last year (http://www.theregister.co.uk/2011/05/05/lastpass_password_reset/), and it certainly makes you wonder about the idea of a *service* where some other company has so much control over your key credentials, but they should be pretty motivated to do things well.

I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.

77five
Aug 15, 12, 11:28 am
I know LastPass locally encrypts your passwords, so it is pretty secure. I have heard that some of the mobile PW managers can be very insecure, however.

OK, thank you, but I am still usually very nervous about using these, especially since there is no big corporation behind this. What's the guarantee that they have good internal controls or that their employees would not misuse the information? Just my two cents.

gfunkdave
Aug 15, 12, 4:28 pm
OK, thank you, but I am still usually very nervous about using these, especially since there is no big corporation behind this. What's the guarantee that they have good internal controls or that their employees would not misuse the information? Just my two cents.

Do you really think you would have such a guarantee with Apple or IBM behind it?

LtKernelPanic
Aug 15, 12, 10:58 pm
Steve Gibson and Leo Laporte talked in detail about what happened to Mat on their Security Now podcast last week. It was a perfect storm of failure by Amazon, Apple, and Mat. Worth a listen if you're curious what happened.

Earlier this year they also reviewed some password managers for iOS but some of them have Mac/PC/Android versions as well. Sadly they didn't really talk about 1Password. He did mention an episode or two later that he looked into 1PW and after exchanging emails with the devs was pretty impressed.

richarddd
Aug 16, 12, 6:25 am
I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.

What would you use to authenticate? And what would you do if you lose or forget that?

The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password).

It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure.

packetshard
Aug 16, 12, 7:21 am
What would you use to authenticate? And what would you do if you lose or forget that?

The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password).

It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure.

I agree with your premise that designing good password reset or recovery systems that strike the balance between ease of use and security is tough. I also agree that with a good salting mechanism, designing a password hashing function that mounts some reasonable defense against modern brute force attacks with GPU-based password crackers isn't *that* conceptually difficult, but for whatever reason, lots of systems fail to do so or do so badly.

I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.

The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here:

http://xkcd.com/936/
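
The two points packetshard makes, in the earlier post about stolen password-manager databases (account lockout means nothing once the attacker has the file) and in the post above (a salted, iterated hash is what slows a GPU cracker down), as one added example that is not code from any poster or product in this thread. It simulates an offline dictionary attack on two copies of the same constructed user list: one stored as unsalted SHA-1, the scheme behind the 2012 LinkedIn dump, and one as salted PBKDF2-HMAC-SHA256. The user names, passwords and wordlist are made up ("I want to play golf!" is lwildernorva's sentence-password example from earlier in the thread), and the iteration count is kept low so the demo runs in a few seconds.

```python
import hashlib
import hmac
import os
from typing import Optional

# Cost parameter for the slow, salted scheme. Deliberately low so the demo runs
# quickly; production deployments tune it much higher (and re-tune it over time).
PBKDF2_ITERATIONS = 20_000

# Constructed attacker wordlist, standing in for a multi-million-entry dictionary.
WORDLIST = ["123456", "password", "letmein", "qwerty", "summer2012", "golf!", "iloveyou"]

# Constructed plaintexts, used only to build the two "stolen database" dumps below.
_PLAINTEXTS = {"alice": "password", "bob": "summer2012", "carol": "I want to play golf!"}


def store_unsalted_sha1(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Identical passwords hash identically,
    and one precomputed table serves every user of every site using this scheme."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_pbkdf2(password: str, salt: Optional[bytes] = None) -> str:
    """Stronger scheme: random per-user salt plus an iterated HMAC (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_pbkdf2(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def crack_unsalted(dump: dict, wordlist: list) -> tuple:
    """Offline attack on unsalted hashes: hash the wordlist ONCE, then look every user up.
    Returns (cracked {user: password}, number of hash evaluations performed)."""
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(dump: dict, wordlist: list) -> tuple:
    """Offline attack on salted PBKDF2: no shared table is possible, so every user
    costs a fresh pass over the wordlist, and every guess costs PBKDF2_ITERATIONS HMACs.
    No login throttling is involved anywhere: the attacker owns the file."""
    cracked, work = {}, 0
    for user, stored in dump.items():
        for w in wordlist:
            work += PBKDF2_ITERATIONS
            if verify_pbkdf2(w, stored):
                cracked[user] = w
                break
    return cracked, work


def build_dumps() -> tuple:
    """The same user base stored under each scheme, as an attacker would find it."""
    unsalted = {u: store_unsalted_sha1(p) for u, p in _PLAINTEXTS.items()}
    salted = {u: store_pbkdf2(p) for u, p in _PLAINTEXTS.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_dumps()
    print("unsalted SHA-1 :", crack_unsalted(unsalted, WORDLIST))
    print("salted PBKDF2  :", crack_salted(salted, WORDLIST))
```

Both attacks recover the two dictionary passwords and neither recovers the sentence, but the work differs by orders of magnitude: seven SHA-1 evaluations for the whole unsalted dump versus tens of thousands of HMACs per guess per user for the salted one, and the attacker's table cannot be reused against the next dump. A password-manager vault is the same arithmetic with a single "user": the only brake on guessing the master password offline is the cost of the vault's key derivation.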

richarddd
Aug 16, 12, 7:39 am
I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.

The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here:

http://xkcd.com/936/

Creating an email address specifically for password resets is one of the better ideas. It's floating out there generally, but doesn't get the attention it deserves. A separate email for each password would be ideal, but is not very practicable.

A few words strung together makes a great password. It should be impervious to a dictionary or brute force attack and is relatively easy to remember. There is the issue of using a unique password for each site, which cuts down on memorability, although you can use a general password with a unique portion for each site, such as MyLongPasswordForFT, MyLongPasswordForCiti, MyLongPasswordForTwitter.

xkcd is a high point of current western civilization.
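
An added example, not code from anyone in this thread: the recovery chain from Mat Honan's account at the top of the thread (iCloud address as Gmail's backup, Gmail resetting Twitter, Twitter linked to Gizmodo's) as a small graph, with a breadth-first walk that computes the blast radius of one compromised account, and the "dedicated recovery mailbox" advice of the two posts above applied to it. The account names and links are a constructed model for illustration, not a description of how any of those services actually handle resets.

```python
from collections import deque

# Constructed model: target account -> set of accounts whose control lets an
# attacker reset the target (recovery e-mail, linked login, and so on).
RECOVERY_LINKS = {
    "icloud": set(),               # reset via support desk; no account dependency modelled
    "gmail": {"icloud"},           # the .mac address was Gmail's backup address
    "twitter": {"gmail"},
    "gizmodo_twitter": {"twitter"},
    "amazon": {"gmail"},
}


def blast_radius(compromised: set, links: dict) -> set:
    """Every account an attacker can take over by chaining resets from `compromised`
    (breadth-first over the reversed link graph; the seen set also handles cycles)."""
    resets = {}
    for target, resetters in links.items():
        for r in resetters:
            resets.setdefault(r, set()).add(target)
    seen, queue = set(), deque(compromised)
    while queue:
        account = queue.popleft()
        for target in resets.get(account, ()):
            if target not in seen:
                seen.add(target)
                queue.append(target)
    return seen


def weakest_links(links: dict) -> list:
    """Accounts ranked by how many others fall when they do: where 2-step
    verification and a unique, strong password matter most."""
    return sorted(links, key=lambda a: len(blast_radius({a}, links)), reverse=True)


def rewire_to_dedicated_mailbox(links: dict, mailbox: str = "recovery_mailbox") -> dict:
    """Apply the thread's advice: every reset goes to one dedicated address that is
    used for nothing else and has no account-based recovery path of its own."""
    rewired = {t: ({mailbox} if resetters else set()) for t, resetters in links.items()}
    rewired[mailbox] = set()
    return rewired


if __name__ == "__main__":
    print("from icloud:", sorted(blast_radius({"icloud"}, RECOVERY_LINKS)))
    print("protect first:", weakest_links(RECOVERY_LINKS))
    rewired = rewire_to_dedicated_mailbox(RECOVERY_LINKS)
    print("from icloud, rewired:", sorted(blast_radius({"icloud"}, rewired)))
    print("from the mailbox, rewired:", sorted(blast_radius({"recovery_mailbox"}, rewired)))
```

The rewired graph makes the trade-off explicit: the blast radius of every ordinary account drops to nothing, and all of it moves onto the single dedicated mailbox. That is why that mailbox needs 2-step verification, a password used nowhere else, and no inbound recovery path of its own, and why it must never be used for correspondence that could get it phished.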

slawecki
Aug 16, 12, 8:07 am
I think great difficulty can be added to cracking a password by adding caps, numbers, characters, and characters that are not on a keyboard. We now would have some 250 characters to use. Not hard to use ***, as it is on the num pad. Not hard to use €¢£ as they can be done with an alt key on a MS keyboard. With a Mac, one can easily add ➤✺‡ which makes cracking with a machine algorithm really difficult, and takes a really long time.

I would presume if one just uses letters, a program could crack a 9 letter code in a matter of minutes.

richarddd
Aug 16, 12, 8:26 am
https://www.grc.com/haystack.htm calculates how long a brute force attack might take. Go from 9 to 15 letters and it would take a long time to crack.
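
An added example, not from any poster: the arithmetic behind the haystack page and xkcd 936 linked above, computing bits of entropy and time-to-exhaust for the choices discussed in the last few posts (9 lowercase letters, 9 characters from a 250-symbol alphabet, 15 lowercase letters, four random dictionary words). The two guess rates are order-of-magnitude assumptions of mine, not measurements: 1,000 guesses per second for a throttled online login (the rate the xkcd strip assumes) and 10^10 per second for an offline attack on a stolen fast, unsalted hash with a 2012-era GPU rig.

```python
import math

# Assumed guess rates (order of magnitude, not measured):
ONLINE_RATE = 1e3     # against a live login page that throttles attempts
OFFLINE_RATE = 1e10   # against a stolen fast, unsalted hash, GPU-accelerated

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Passwords of exactly `length` symbols over an alphabet of `alphabet_size`.
    (grc.com's haystack also counts every shorter length; that adds a few percent.)"""
    return alphabet_size ** length


def bits_of_entropy(alphabet_size: int, length: int) -> float:
    """log2 of the search space, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, rate: float) -> float:
    """Worst case for the attacker; on average a password falls in half this time."""
    return 2.0 ** bits / rate


def describe(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.0f} s"
    if seconds < 3600:
        return f"{seconds / 60:.0f} min"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} h"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.0f} years"


def compare(candidates: list, rate: float) -> list:
    """[(label, bits rounded to 0.1, human time to exhaust)] at the given guess rate."""
    return [(label, round(bits, 1), describe(seconds_to_exhaust(bits, rate)))
            for label, bits in candidates]


CANDIDATES = [
    ("9 lowercase letters",           bits_of_entropy(26, 9)),
    ("9 chars, 95 printable ASCII",   bits_of_entropy(95, 9)),
    ("9 chars, 250-symbol alphabet",  bits_of_entropy(250, 9)),
    ("15 lowercase letters",          bits_of_entropy(26, 15)),
    ("4 random words from 2048",      passphrase_bits(4, 2048)),
]

if __name__ == "__main__":
    for rate_name, rate in (("online, throttled", ONLINE_RATE), ("offline, GPU", OFFLINE_RATE)):
        print(rate_name)
        for label, bits, when in compare(CANDIDATES, rate):
            print(f"  {label:30} {bits:5.1f} bits  {when}")
```

Two things fall out of the numbers. Fifteen lowercase letters (about 70 bits) land in the same range as nine characters from a 250-symbol alphabet (about 72 bits), so length does the job without characters that half of the sites in this thread would reject anyway. And the same password that is safe for centuries against a throttled login can be exhausted in under an hour offline at the 10^10/s assumption if the site stored it with a fast unsalted hash, which is why what the site does with the password matters as much as the password itself.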

77five
Aug 16, 12, 9:24 am
Do you really think you would have such a guarantee with Apple or IBM behind it?

no...not really...but if they did and I catch them...I have the option of a big lawsuit...no such thing with small operators...

gfunkdave
Aug 17, 12, 6:48 am
no...not really...but if they did and I catch them...I have the option of a big lawsuit...no such thing with small operators...

Shows a lot of faith in your ability to police large corporations.

You could sue a small company just the same...and probably more easily, since a small company wouldn't be able to throw ten attorneys at you.

LIH Prem
Aug 20, 12, 8:29 pm
http://arstechnica.com/security/2012/08/passwords-under-assault/

good article ..

-David

alan19
Aug 22, 12, 6:37 pm
http://arstechnica.com/security/2012/08/passwords-under-assault/

good article ..

-David

Thanks! Good read. And scary too.

tev9999
Aug 22, 12, 9:32 pm
I wanted to look at my cable internet e-mail last night. I have not used it in over a year, and forgot the password. I hit the "forgot password" link, and it let me pick a new one by answering one challenge question - where was I born. This seems insanely easy to figure out for a hacker.

I have set up two factor authentication on my Gmail account, and am also playing with LastPass. It is probably worth the $12 a year. I have been switching everything to strong passwords and using special characters when possible, but not all sites allow it and it is becoming unmanageable. Add in a new job that has added another dozen or so passwords to my life and it is worth the $1/month.


