|
Steve Gibson and Leo Laporte talked in detail about what happened to Mat on their Security Now podcast last week. It was a perfect storm of failure by Amazon, Apple, and Mat. Worth a listen if you're curious what happened.
Earlier this year they also reviewed some password managers for iOS but some of them have Mac/PC/Android versions as well. Sadly they didn't really talk about 1Password. He did mention an episode or two later that he looked into 1PW and after exchanging emails with the devs was pretty impressed. |
Originally Posted by packetshard
(Post 19126615)
I can't stress enough that you shouldn't use the same password for more than one thing, and really think long and hard about using your Facebook/Google/whatever account to authenticate to some other service.
The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password). It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure. |
Originally Posted by richarddd
(Post 19132932)
What would you use to authenticate? And what would you do if you lose or forget that?
The problem is how to make sure the password reset mechanism is safe. Virtually everything has some method of giving you access if you lose your password (for example, would you want to be permanently locked out of your bank account if you forgot your password). It's relatively easy to design encryption that can withstand brute force attacks. It's a lot harder to make sure people aren't locked out forever (or inconvenienced to the point of absurdity) and are secure. I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name. The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here: http://xkcd.com/936/ |
Originally Posted by packetshard
(Post 19133171)
I read (here maybe?) that someone recommended creating an email address specifically for user accounts and password resets and only using said email account for these purposes (not for regular correspondence, etc.). Also, maybe naming it something that doesn't identify with you or your name.
The other thing that helps is recognizing what makes a good password in the first place, particularly as it relates to how human memory works. Randall Munroe, who draws XKCD, nails it here: http://xkcd.com/936/ A few words strung together makes a great password. It should be impervious to a dictionary or brute force attack and is relatively easy to remember. There is the issue of using a unique password for each site, which cuts down on memorability, although you can use a general password with a unique portion for each site, such as MyLongPasswordForFT, MyLongPasswordForCiti, MyLongPasswordForTwitter. xkcd is a high point of current western civilization. |
i think great difficultly can be added to crack a password by adding caps, numbers, characters, and characters that are not on a keyboard. we now would have some 250 characters to use. not hard to use ***, as it is on the num pad. not hard to use €ąŁ as they can be done with an alt key on a MS keyboard. with a mac, one can easily add ➤✺‡ which makes cracking with a machine algorithm really difficult, and take a really long time.
i would presume if one just uses letters, a program could crack a 9 letter code in a matter of minutes. |
https://www.grc.com/haystack.htm calculates how long a brute force attack might take. Go from 9 to 15 letters and it would take a long time to crack.
|
Originally Posted by gfunkdave
(Post 19130065)
Do you really think you would have such a guarantee with Apple or IBM behind it?
|
Originally Posted by 77five
(Post 19133846)
no...not really...but if they did and I catch them...i have the option of big lawsuit...no such thing with small operators...
You could sue a small company just the same...and probably more easily, since a small company wouldn't be able to throw ten attorneys at you. |
|
Originally Posted by LIH Prem
(Post 19161611)
|
I wanted to look at my cable internet e-mail last night. I have not used it in over a year, and forgot the password. I hit the "forgot password" link, and it let me pick a new one by answering one challenge question - where was I born. This seems insanely easy to figure out for a hacker.
I have set up two factor authentication on my Gmail account, and am also playing with LastPass. It is probably worth the $12 a year. I have been switching everything to strong passwords and using special characters when possible, but not all sites allow it and it is becoming unmanageable. Add in a new job that has added another dozen or so passwords to my life and it is worth the $1/month. |
| All times are GMT -6. The time now is 2:42 am. |
This site is owned, operated, and maintained by MH Sub I, LLC dba Internet Brands. Copyright © 2026 MH Sub I, LLC dba Internet Brands. All rights reserved. Designated trademarks are the property of their respective owners.