Author Topic: Password Hack/Malicious Email  (Read 4577 times)

Re: Password Hack/Malicious Email
« Reply #25 on: 15 June, 2020, 11:49:34 pm »
Thanks. I've just changed my Wiggle password and checked I have no unexpected orders. Though you'd think they'd have the passwords stored hashed anyway.

Yes, but if the hackers get access to the website code they can intercept the plaintext password before it is hashed and compared to what is in the DB, that way they get a steady stream of plaintext passwords. What happens then is that they try the same email/password pair on a whole load of other websites in the hope that they're reused, or they sell the known logins to people who try to exploit them for more cash.

As I said, I have 689 different logins stored in Firefox, I obviously can't remember unique passwords for all of those so I let it generate unique passwords for me for each site.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Password Hack/Malicious Email
« Reply #26 on: 16 June, 2020, 07:24:58 am »
OK, I get the idea of a consistent message, but I'm sorry I can't buy into the Project Fear that says you have to have a different password for every site you visit. There are very clearly two types of site, maybe that should be 2.5

The first are those where you have security to identify yourself to others, like here. There is no or little PI here, if someone wants to imitate me here or any other similar site, so be it. Yes, they could send out begging messages in my name, but that could be anyone's name. If a kindhearted soul sent money because I "needed train fare to get to my dying mother" or whatever, that would be a learning experience for them (hint: it would also be 40 years too late). Personally I confess I use one fairly crappy password for all those.

The second are the limited number of sites I trust with stuff, such as banks, Google, Amazon, Paypal. Those all have secure, unique passwords and 2FA - the 2FA stopping any password hack dead in its tracks. Why wouldn't you have 2FA? (two factor authentication)

The 2.5 type are those sites that you might subscribe as a service, like Adobe, that arguably deserve some kind of elevated security. I can't see that there would be any benefit to a hacker logging in to these, so I tend to lump them with type 1. You don't save card details on shopping sites "for convenience" now, do you?

In addition, I regularly check my credit reference file with one of the free services to see any early signs of identity theft; there are too many sources to block from the personal end, so awareness of the possibility and monitoring are the only defence.

And yes, I am reliant on my phone as a physical device. Truth is we (almost) all are one way or the other.

Re: Password Hack/Malicious Email
« Reply #27 on: 16 June, 2020, 09:02:08 am »
Sure, but my thinking is that if you've got to use a password manager to remember 10% of your passwords for the really secure things then it's relatively trivial to use it for the remaining sites.

I need to sort out 2FA on everything important (I've got it on some but not all) though, it's not all setup so far. Should really sort out an Authenticator app and get everything into that too.
"Yes please" said Squirrel "biscuits are our favourite things."

Re: Password Hack/Malicious Email
« Reply #28 on: 16 June, 2020, 09:24:59 am »
Sure, but my thinking is that if you've got to use a password manager to remember 10% of your passwords for the really secure things then it's relatively trivial to use it for the remaining sites.

I need to sort out 2FA on everything important (I've got it on some but not all) though, it's not all setup so far. Should really sort out an Authenticator app and get everything into that too.

Not so. Assuming you use some kind of long passphrase, it doesn't materially affect the security to use a couple of characters to id the site, so correcthorsestaplebattery could become correcthorse01staplebattery and correcthorse02staplebattery (or, non-numeric, eg "go", "am", whatever) with close to zero impact on security, especially with 2FA implemented, but allowing you to remember the password without reference to a password manager (and the less said about those who trust a central DB PW repository the better). The only issue is where you have limitations that break your security by, say, a limit of 12 characters with a special (not itself a problem, just when it clashes with other specifications).

Oh, and Google authenticator is supported by our employer and most systems, so was my choice.

ian

Re: Password Hack/Malicious Email
« Reply #29 on: 16 June, 2020, 09:27:05 am »
The failure point of passwords is that people won't use password managers and they won't use unique passwords and they won't use difficult passwords. It's like asking people to secure their house by digging a moat and then complaining 'but they didn't have a moat!' when they're robbed.

Anything that needs to be properly secure should be two factor authentication by now.

I mostly use the password manager to generate passwords now (and all the sites that break password managers, I hate thee), but I have a pool of generic ones mostly in use with older sites. The only real trouble I've had over the years is that some chap called Henry in Peru took over my Netflix account (which used a very old, known pwned password that I'd forgotten about). He watched some terrible stuff and if I meet him, we shall have words about his cinematic choices.

It's often harder than it needs to be – in 2020 to log into a Cisco VPN I have to copy and paste my password from Keychain Manager (the two factor bit is OK, the Microsoft Authenticator app works as promised). OK, it's a bit of an FWP, but I'm doing this before coffee.

Re: Password Hack/Malicious Email
« Reply #30 on: 16 June, 2020, 10:05:40 am »
Somebody got into my Spotify, but got shut out pronto. My email is well pwned. I use a really easy password for anything not involving payment or much personal info, everything else has really complex different passwords that I'll never remember

Re: Password Hack/Malicious Email
« Reply #31 on: 16 June, 2020, 01:49:37 pm »
With a password manager, you only have to type one password - the master one. The manager does the rest. That makes memorable passwords irrelevant.

ian

Re: Password Hack/Malicious Email
« Reply #32 on: 16 June, 2020, 02:19:34 pm »
Moats make doors irrelevant. I don't know why more people haven't dug them.

citoyen

  • Occasionally rides a bike
Re: Password Hack/Malicious Email
« Reply #33 on: 16 June, 2020, 02:47:37 pm »
And cycling sites do get targeted:-

https://road.cc/content/news/wiggle-investigating-suspected-cyber-attack-274553

Just changed my wiggle password to something random. I think that's going to finally encourage me to go through all of my (checks, ugh) 689 logins stored in Firefox and make sure they're all on a unique password. Once that's done I'll then import the lot into a password manager so I have access to them on my mobile too. Just need a master password I'll never forget!

Just read about this elsewhere. I've checked my order history and the last purchase was in April, and it's for something I remember buying. Phew! I've changed my password anyway.

Checked on HIBP and it seems that one of my email addresses has been pwned a few times, but not recently - some of the sites listed include Myspace, which I've not visited for many years. The hack was also some years ago, so it's a bit late to be worrying about it.

I also used HIBP's password checker function and luckily it seems that none of my 'favourite' passwords have been compromised. Whether that's by luck or judgment, I'm not going to take any chances and will change the lot... Probably should do that safe password vault thing. Is 1password still the favourite choice for that?
"The future's all yours, you lousy bicycles."
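The HIBP password check mentioned in the post above works by k-anonymity: the client sends only the first five hex characters of the SHA-1 of the password and matches the rest locally against the returned "SUFFIX:COUNT" list. The block below is an added example (not code from the thread or from HIBP) that implements that client-side half over a constructed sample response; the only real value in the sample is the SHA-1 tail of "password", every other suffix and every count is made up, and `offline_fetch` stands in for an HTTPS GET to the range endpoint so the example runs without network access.

```python
import hashlib

# Constructed stand-in for the body of GET https://api.pwnedpasswords.com/range/5BAA6
# (one "SUFFIX:COUNT" line per matching hash). Only the middle suffix is genuine: it is
# the tail of SHA-1("password"). The other suffixes and all counts are invented here.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "0030BD22B7A8A5D3C9E7B5A6F1A1B2C3D4E:2\r\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
        "FFEE00112233445566778899AABBCCDDEEF:17\r\n"
    ),
}


def sha1_split(password: str):
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of the password.
    Only the prefix ever leaves the machine; the suffix is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Parse a range response into {suffix: count}. Tolerates CRLF and blank lines."""
    table = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    `fetch_range(prefix)` must return the raw response body for that prefix."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def offline_fetch(prefix: str) -> str:
    """Offline substitute for the HTTP call: serves the constructed sample above."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate, offline_fetch))
```

A real client would swap `offline_fetch` for an HTTPS request; the matching logic is unchanged. Because the server only sees a 20-bit prefix shared by hundreds of hashes, a pwned-or-not answer is obtained without disclosing the password or its full hash.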

Mr Larrington

  • A bit ov a lyv wyr by slof standirds
  • Custard Wallah
    • Mr Larrington's Automatic Diary
Re: Password Hack/Malicious Email
« Reply #34 on: 16 June, 2020, 06:03:31 pm »
Moats make doors irrelevant. I don't know why more people haven't dug them.

Also you can store crocogators in them.  Handy for waste disposal.
External Transparent Wall Inspection Operative & Mayor of Mortagne-au-Perche
Satisfying the Bloodlust of the Masses in Peacetime

citoyen

  • Occasionally rides a bike
Re: Password Hack/Malicious Email
« Reply #35 on: 16 June, 2020, 06:27:40 pm »
Moats make doors irrelevant. I don't know why more people haven't dug them.

If I don't keep the gutter to the soakaway clear of leaves, we often get an impromptu moat outside our back door when it rains.
"The future's all yours, you lousy bicycles."

ian

Re: Password Hack/Malicious Email
« Reply #36 on: 16 June, 2020, 06:28:07 pm »
Also, as mentioned elsewhere, male crocogators have permanent erections which makes them irritable party guests.

That said, they can do a now-you-see it, now-you-don't routine which is surely more impressive than the average magician. Warning: this act may be unsuitable for children's parties.

Also, once you've seen it, it's hard to see crocogators in quite the same light again. Google at your peril.

quixoticgeek

  • Mostly Harmless
Re: Password Hack/Malicious Email
« Reply #37 on: 17 June, 2020, 11:32:08 am »
I've had a very malicious email from someone today. It purports to be from someone who claims to have installed malware on my device - it doesn't say which and has the base version of my password. That is actually correct. It claims to have recorded me wanking to a porn site. It also says it will send a video to 9 random contacts if I don't cough up.
Now, the password isn't one I use, because I adapt it for every site I access and use. I don't log into any porn sites - though I do use them for research purposes, natch.
I suspect someone has accessed the database of a company somehow and is sending the details to as many people on the hacked list as possible.
However, just to be on the safe side, how would I check if my computers are infected? I would know how to do that on a Windoze machine, but on Ubuntu? And android?


When I first got one of these emails it scared the crap out of me; it has a password I've used (a low-security throwaway "oh fuck I need a password for this thing?!?" password), and I went through to see where I'd used it (turns out LiveJournal).

But when you then get another dozen of them in quick succession, you see that it's a scattergun scam.

Mark as spam and ignore.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Password Hack/Malicious Email
« Reply #38 on: 17 June, 2020, 11:36:33 am »
The base password thing I think is because some password schemes only depended on the first few letters and used an insecure hashing scheme that makes it easy to decrypt what they were. They may or may not actually have the rest of the password.

(though of course some hacked sites stored full passwords in plain text)

There is a particular brand of password processing that is really fucking annoying.

When you sign up you can put in a password, say:

"Correct horse battery staple"

and it accepts it and everything is fine, then you go to log in, and you type in:

"Correct horse battery staple"

and it says wrong password.

What has happened is it's stored a hash of "Correct horse ". But when you try to login it takes the full input field "Correct horse battery staple" makes the hash, and compares the two, then fails.

If you can work out what arbitrary length the dev set, you can login by cutting your password short, but usually you get locked out before you can make enough attempts. It's really fucking annoying...

Anything that needs to be properly secure should be two factor authentication by now.

2FA is great right up to the point when it isn't. A while back my phone, which is my second factor for many things, died. I needed to order a new one. In order to do that the transaction needed a 2nd factor code in the form of an SMS sent to my pho... oh crap. I was stuck in a loop where I couldn't buy a phone because my phone was broken...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

ian

Re: Password Hack/Malicious Email
« Reply #39 on: 17 June, 2020, 12:05:11 pm »
I had the same issue, my old iPhone died and the only way to order a new one is through the procurement system which, you guessed, is behind the VPN which needs the two-factor code...

There's a setting somewhere in the Microsoft authentication management that let me send the code to another device.

quixoticgeek

  • Mostly Harmless
Re: Password Hack/Malicious Email
« Reply #40 on: 17 June, 2020, 12:11:03 pm »
I had the same issue, my old iPhone died and the only way to order a new one is through the procurement system which, you guessed, is behind the VPN which needs the two-factor code...

There's a setting somewhere in the Microsoft authentication management that let me send the code to another device.

What a lot of sites now seem to offer is some emergency backup codes, which you can write down to use if your second factor breaks. Which works well for stuff that uses Google Authenticator etc... but stuff that needs an SMS, nope. I also get really annoyed at SMS as a second factor due to the assumption that an SMS is instant. I have had all manner of issues with accessing a bank account when abroad, as the SMS with the authentication code took about 10 minutes to arrive, and the code had a 5 minute validity... This is also an issue with some sites that email a code; greylisting means that the mail takes a while to arrive...

*sigh* security is hard...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

ian

Re: Password Hack/Malicious Email
« Reply #41 on: 17 June, 2020, 12:29:18 pm »
The various authentication apps should generate live codes without needing SMS. Apple lets you authorize from any device you own.
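The two posts above touch on the two halves of a phone-based second factor that does not depend on an SMS arriving in time: the authenticator app computes a time-based code locally (RFC 6238 TOTP, which is what Google Authenticator and Microsoft Authenticator implement), and the site keeps a set of single-use recovery codes for when the phone dies. The block below is an added example, not code from the thread or from any authenticator app, showing the server side of both: TOTP verification with a small clock-drift window and replay protection, and recovery codes stored only as digests and burned on first use. The 30-second step, 6 digits and the RFC test secret are standard; the secret you would actually provision is generated by `provisioning_secret`.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30     # seconds per TOTP window (the usual default)
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: float, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock. No network involved,
    which is why the app still works with no signal and the code cannot be delayed."""
    return hotp(key, int(unix_time // step))


def verify_totp(key: bytes, code: str, unix_time: float, last_counter: int, window: int = 1):
    """Accept a code for the current step or +/- `window` steps (clock drift), but never
    for a counter at or before the last accepted one, so a captured code cannot be
    replayed inside its validity period. Returns the accepted counter, or None."""
    now = int(unix_time // STEP)
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(key, counter), str(code)):
            return counter
    return None


def provisioning_secret():
    """Fresh 160-bit shared secret; the base32 form is what goes into the enrolment QR code."""
    raw = secrets.token_bytes(20)
    return raw, base64.b32encode(raw).decode()


def generate_recovery_codes(n: int = 8):
    """One-time backup codes. The plaintext list is shown to the user once; the server
    keeps only SHA-256 digests. A fast hash is acceptable here because each code is a
    64-bit random value, not a human-chosen secret."""
    codes = [secrets.token_hex(8) for _ in range(n)]
    stored = {hashlib.sha256(c.encode()).hexdigest() for c in codes}
    return codes, stored


def redeem_recovery_code(stored: set, code: str) -> bool:
    """Consume a recovery code: valid exactly once, then removed from the stored set."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored:
        stored.discard(digest)
        return True
    return False


if __name__ == "__main__":
    raw, b32 = provisioning_secret()
    print("enrol secret:", b32)
    import time
    now = time.time()
    print("current code:", totp(raw, now), "accepted at counter", verify_totp(raw, totp(raw, now), now, -1))
    codes, stored = generate_recovery_codes(4)
    print("recovery codes:", codes, "first redeem:", redeem_recovery_code(stored, codes[0]),
          "second redeem:", redeem_recovery_code(stored, codes[0]))
```

The `last_counter` value must be persisted per user after each successful login; without it, a code phished or shoulder-surfed during its 30-second window (90 seconds with the drift window) is still good. Recovery-code redemption should sit behind the same rate limiting as the password form, since eight 64-bit codes are only unguessable if an attacker cannot try millions of them.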

quixoticgeek

  • Mostly Harmless
Re: Password Hack/Malicious Email
« Reply #42 on: 17 June, 2020, 12:41:35 pm »
The various authentication apps should generate live codes without needing SMS. Apple lets you authorize from any device you own.

Yep, however a lot of banking etc... don't use the authenticator apps, but instead sms you. Every time I do a bank transfer I get an SMS to authorise it.

The only apple devices I own are a IIe and some late 90's powermac...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: Password Hack/Malicious Email
« Reply #43 on: 17 June, 2020, 12:42:50 pm »
*sigh* security is hard...

To be fair, it is supposed to be....

There's always a balance between functionality and security, but shit programming is shit programming, and shit standards are shit standards.

In days of yore, my favourite trick was to use alt-255 to create a non-breaking space that wasn't the same as a space, sometimes just at the end (or start) of a pw.

ian

Re: Password Hack/Malicious Email
« Reply #44 on: 17 June, 2020, 01:11:50 pm »
The various authentication apps should generate live codes without needing SMS. Apple lets you authorize from any device you own.

Yep, however a lot of banking etc... don't use the authenticator apps, but instead sms you. Every time I do a bank transfer I get an SMS to authorise it.

The only apple devices I own are a IIe and some late 90's powermac...

J

I wasn't saying you need an Apple device, just that there are ways to make the process easier yet still secure (sure, someone could have stolen one of my devices, but you still need to be logged in). There are better systems than reliance on passwords, which we know don't really work as people don't manage them and they're routinely stolen.

Stupid things – which everyone knows are stupid – like insisting on rAnD0m PaSsW0rDs01$% and changing them every month just encourage poor practices, yet they keep insisting on them. It's like giving someone a 1kg front door key and wondering why they hide it behind the porch rather than carry it around.

citoyen

  • Occasionally rides a bike
Re: Password Hack/Malicious Email
« Reply #45 on: 17 June, 2020, 01:30:59 pm »
2FA is great right up to the point when it isn't. A while back my phone, which is my second factor for many things, died. I needed to order a new one. In order to do that the transaction needed a 2nd factor code in the form of an SMS sent to my pho... oh crap. I was stuck in a loop where I couldn't buy a phone because my phone was broken...

I had a similar problem recently when my iPhone 6S was out of service and I had to use my ancient 4S until it was repaired.

You very quickly discover just how dependent you are on your phone when you suddenly find there are all sorts of things you can no longer do. Hardly any current apps work on the 4S.
"The future's all yours, you lousy bicycles."

Re: Password Hack/Malicious Email
« Reply #46 on: 17 June, 2020, 01:41:35 pm »
There is a particular brand of password processing that is really ... annoying. When you sign up you can put in a password ... and it accepts it and everything is fine, then you go to log in ... and it says wrong password.
Bad design. The password entry box should have a length limit the same as the password length limit, and reject your password as too long. But what actually happens, on some systems, is that it accepts your 20 characters, truncates them to 16, and stores the result. Then, as you say, to sign in you have to guess first what happened, and second whether they truncated at 16, 12 or something else.
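Reply #38 above describes the symptom (a passphrase accepted at signup and rejected at login) and this reply the cause (silent truncation on one path only). The block below is an added example, not code from the thread or from any real site, reproducing both the bug and the fix: `buggy_signup` hashes only the first 14 characters (the "Correct horse " case from the thread; that limit is an assumption for the demo), `buggy_login` hashes the full input, `probe_truncation_length` is the trick of cutting the password short until it works, and `safe_signup`/`safe_login` apply one explicit limit on both paths and reject rather than truncate. PBKDF2 stands in for whatever KDF the site uses; the bug does not depend on the hash.

```python
import hashlib
import hmac
import os

TRUNCATE_AT = 14        # assumed: the buggy form silently keeps only this many characters
ITERATIONS = 50_000     # PBKDF2 work factor for the demo; any KDF shows the same bug
MAX_PASSWORD_BYTES = 128


def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def buggy_signup(password: str):
    """Registration path: hashes a silently truncated copy of the password."""
    salt = os.urandom(16)
    return salt, _kdf(password[:TRUNCATE_AT], salt)


def buggy_login(record, password: str) -> bool:
    """Login path: hashes the full input, so the password the user actually chose fails."""
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)


def probe_truncation_length(record, password: str):
    """The workaround from the thread: try successively shorter prefixes until one logs in.
    Returns the length that worked, or None. Against a real site the lockout threshold is
    usually reached long before this finishes, which is why it rarely helps in practice."""
    for n in range(len(password), 0, -1):
        if buggy_login(record, password[:n]):
            return n
    return None


def safe_signup(password: str):
    """One explicit limit, enforced by rejecting (never truncating) over-long input."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        raise ValueError(f"password longer than {MAX_PASSWORD_BYTES} bytes")
    salt = os.urandom(16)
    return salt, _kdf(password, salt)


def safe_login(record, password: str) -> bool:
    """Same rule on the login path, so what was accepted at signup always verifies."""
    if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
        return False
    salt, digest = record
    return hmac.compare_digest(_kdf(password, salt), digest)


if __name__ == "__main__":
    pw = "Correct horse battery staple"
    rec = buggy_signup(pw)
    print("buggy login with real password:", buggy_login(rec, pw))
    print("prefix length that logs in:", probe_truncation_length(rec, pw))
    rec2 = safe_signup(pw)
    print("safe login with real password:", safe_login(rec2, pw))
```

The same class of bug appears with bcrypt, which uses only the first 72 bytes of its input: if the registration and login paths disagree about whether to pre-hash or reject longer input, the result is exactly the lockout described above. Whatever the limit is, state it in the form, enforce it identically on both paths, and measure it in bytes rather than characters so that non-ASCII passphrases are not cut mid-character.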

ian

Re: Password Hack/Malicious Email
« Reply #47 on: 17 June, 2020, 01:44:30 pm »
2FA is great right up to the point when it isn't. A while back my phone, which is my second factor for many things, died. I needed to order a new one. In order to do that the transaction needed a 2nd factor code in the form of an SMS sent to my pho... oh crap. I was stuck in a loop where I couldn't buy a phone because my phone was broken...

I had a similar problem recently when my iPhone 6S was out of service and I had to use my ancient 4S until it was repaired.

You very quickly discover just how dependent you are on your phone when you suddenly find there are all sorts of things you can no longer do. Hardly any current apps work on the 4S.

Modern life innit. Until about a decade ago, I was convinced I didn't need a smartphone, then my wife got me an iPhone 4 and the rest is history (ok, perhaps more than a decade ago, but I remember we were in Boston and having an argument about my haphazard phone use). I can't imagine not having a smartphone now, it's inveigled its way into my life.

The mothership just sent me an iPhone 8 which I was prepared to be annoyed about, but actually, I'm struck that compared to my XR, it's the perfect size for a phone.

citoyen

  • Occasionally rides a bike
Re: Password Hack/Malicious Email
« Reply #48 on: 17 June, 2020, 02:04:09 pm »
Modern life innit. Until about a decade ago, I was convinced I didn't need a smartphone, then my wife got me an iPhone 4 and the rest is history (ok, perhaps more than a decade ago, but I remember we were in Boston and having an argument about my haphazard phone use). I can't imagine not having a smartphone now, it's inveigled its way into my life.

Have you read Super Sad True Love Story? It's set in a "near future" but is really just an exaggerated version of the present. And not exaggerated all that much. Trump seems to be doing his best to accelerate the US towards the Rupture...
https://en.wikipedia.org/wiki/Super_Sad_True_Love_Story

Recommended.
"The future's all yours, you lousy bicycles."