Strong passwords
#1
Original Poster
Join Date: Dec 2006
Location: Jersey
Programs: UA 1K, Marriott Lifetime PLT
Posts: 1,154
Strong passwords
http://www.emptyage.com/post/2867987...as-hacked-hard
yikes! i just went through and reset all my passwords after reading this.
yikes! i just went through and reset all my passwords after reading this.
So maybe you saw my Twitter going nuts tonight. Or you saw Gizmodo’s Twitter account blow up. Or you saw this in AllThingsD. Or this in the DailyDot. Although embarrassing, Twitter was the least of it. In short, someone gained entry to my iCloud account, used it to remote wipe all of my devices, and get entry into other accounts too.
Here’s what happened:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
Here’s what happened:
At 4:50 PM, someone got into my iCloud account, reset the password and sent the confirmation message about the reset to the trash. My password was a 7 digit alphanumeric that I didn’t use elsewhere. When I set it up, years and years ago, that seemed pretty secure at the time. But it’s not. Especially given that I’ve been using it for, well, years and years. My guess is they used brute force to get the password (see update) and then reset it to do the damage to my devices.
The backup email address on my Gmail account is that same .mac email address. At 4:52 PM, they sent a Gmail password recovery email to the .mac account. Two minutes later, an email arrived notifying me that my Google Account password had changed.
At 5:00 PM, they remote wiped my iPhone
At 5:01 PM, they remote wiped my iPad
At 5:05, they remote wiped my MacBook Air.
A few minutes after that, they took over my Twitter. Because, a long time ago, I had linked my Twitter to Gizmodo’s they were then able to gain entry to that as well.
#4
Join Date: Dec 2004
Location: London
Posts: 6,265
I'm glad the article was updated to indicate that the password was gained by other means.
Yes brute forcing a password is certainly possible, and it's made a lot easier when short passwords, dictionary and non-complex passwords are used. However, the majority of online sites prevent such attacks these days by locking the account after incorrect logins.
My best guess is that the password was stolen through other means, eg. using a trojanised computer, falling for a phishing attack ... Or, the challenge questions for the Apple account not being secure.
Yes brute forcing a password is certainly possible, and it's made a lot easier when short passwords, dictionary and non-complex passwords are used. However, the majority of online sites prevent such attacks these days by locking the account after incorrect logins.
My best guess is that the password was stolen through other means, eg. using a trojanised computer, falling for a phishing attack ... Or, the challenge questions for the Apple account not being secure.
#8
FlyerTalk Evangelist
Join Date: Sep 2000
Posts: 37,486
Report from Gizmodo now is that the "hacker" socially engineered his way into the account:
http://gizmodo.com/5931931/hackers-g...sword-required
So, no 2-factor AND tech reps who'll let someone sweet talk their way into an account that can wipe all your devices. Niiiiiice
http://gizmodo.com/5931931/hackers-g...sword-required
So, no 2-factor AND tech reps who'll let someone sweet talk their way into an account that can wipe all your devices. Niiiiiice
#9
Join Date: Aug 2010
Location: ORF
Programs: Amex Plat, AA, BA Silver, Marriott Plat, Choice Gold, HHonors Gold, IHG Diamond
Posts: 3,749
I wish there was more uniformity in character limits, both in number and types of characters. Since Windows 2000, a password on a Windows computer can be as many as 127 characters, including spaces, but many banking and credit card sites allow no more than 12-14 characters. Some sites also do not allow the use of some special characters.
I like being able to create a simply remembered sentence (one of my passwords used to be "I want to play golf!") that is more difficult to guess than a single word or character combination. I also like that certain websites require you to pick a phrase and picture that will be displayed sometime during the logon process--it certainly seems a good additional defense to phishing scams.
I like being able to create a simply remembered sentence (one of my passwords used to be "I want to play golf!") that is more difficult to guess than a single word or character combination. I also like that certain websites require you to pick a phrase and picture that will be displayed sometime during the logon process--it certainly seems a good additional defense to phishing scams.
#11
FlyerTalk Evangelist
Join Date: Jun 2002
Location: n.y.c.
Posts: 13,988
The challenge phrase/picture seems like such a simple addition to the login process (as compared to Google's send-a-text method, which is certainly more secure but probably more costly to implement) that I can't see why more sites don't have it.
#12
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
#13
Original Poster
Join Date: Dec 2006
Location: Jersey
Programs: UA 1K, Marriott Lifetime PLT
Posts: 1,154
#14
FlyerTalk Evangelist
Join Date: Nov 2002
Location: ORD
Posts: 14,231
Agreed 1000%.
#15
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
1Password [which is more prevalent for Mac users] is a one time purchase [$39.99]. I like 1Password because it stays on your computer and not loaded in a cloud [although you have option to upload to your dropbox]. I back up and keep multiple copies just in case. And sync with my two devices regularly.
Here's a comparison of the two apps:
1Password wins
http://www.40tech.com/2011/05/16/las...s-more-secure/
http://www.techerator.com/2011/03/wh...for-1password/
Lastpass wins
http://fusiongrokker.com/post/my-exp...rd-to-lastpass
Bottom line - you can't go wrong with either, YMMV!
Last edited by dtsm; Aug 6, 2012 at 12:16 pm