Hacks - what are users to do?



MiniMatt
14-06-2011, 09:02 PM
So, ignoring for the time being whether hackers are scum of the earth, new age anarchists shining a shit beacon on crap corporate security or both - what is the ideal method for end users to maintain security given that this sort of thing is always going to be with us.

In the olden days the stock advice was separate passwords, all changed regularly. With so many different online venues all requiring personal logins this is now no longer viable - or at least it's only viable if you keep a post-it note of passwords, or a password pattern like "password1, password2, password3" - which is kind of defeating the object.

So, lately I moved into "low, medium and high" passwords. I only have to remember three passwords - one for forums, facetube etc, one for "middling" security (generally games), and one for super duper high security that's only used for bank + credit card. This worked for a while but I'm now constantly changing my low and medium security passwords as forums and now games are hacked daily.

I've tried utilising the fact that the username forms one half of the equation and using different email addresses for each site - this obviously is easiest with your own domain such that anything@domain.com gets sent to you. Trouble with this approach is that when I forget passwords and have to use the remind-me service I can never remember if I signed up with RPS@domain.com or RockPaperShotgun@domain.com.

So - given that hacking will always be with us, given that someone learning your email address and password for Obscure Forum X will likely then try that same combination against Facebook, Steam, Amazon, Paypal, banks, credit agencies, MMORPGs etc - what are folks preferred strategies for keeping their junk secure?

Lilliput King
14-06-2011, 09:11 PM
Bit low-fi, but maybe just keep different passwords for everything and put them down in a notebook or something.

Lacero
14-06-2011, 09:16 PM
One really good way is to use different dates of birth on different websites (if legal), that way you've got far fewer problems with identity theft.

You would need some kind of pattern to remember them though, if someone calls you on the phone and you have to answer the security questions getting the dob wrong can be awkward :D

Dubbill
14-06-2011, 09:17 PM
You can use LastPass (https://lastpass.com/) to generate random passwords for you and store them so you never need to remember them. It's ideal for forums and sites that require registration but don't store any valuable data. You can then reserve your super secret personal passwords for sites for online banking, MMOs, etc.

8-bit
14-06-2011, 09:34 PM
I have always had a notepad with all my passwords written down and they are all completely random and long, the ones I use regularly (like this site) I memorize. problem is having a good password doesn't make much difference when some jerk decides to, for example, hack the psn which means you have to change all of them.

what I want to know is what happens if the kids who are holding this information get their server hacked into by someone who will actually use it in the way everyone is afraid of.

ColOfNature
14-06-2011, 09:38 PM
@8-bit: if your passwords are all different, why would someone hacking any one account mean you need to change them all?

8-bit
14-06-2011, 09:43 PM
just being overly cautious, I don't really know much about what these sort of people are capable of and if my psn account is tied to my email I guess there was a chance they could get to that too.

DigitalSignalX
14-06-2011, 09:56 PM
I have a sort of internal algorithm for passwords based on the website name involving switching the letters around in a pattern and adding numbers based on the URL or title length. I use it for games too and to my knowledge have never had account issues. That way if I ever go back to a really old login (my yahoo account and Ultima Online logins are both over 10 years old now) I'll always be able to easily deduce what my password is. Unfortunately, what ends up happening is I sometimes forget the actual account name, which makes me feel all kinds of stupid.

Lacero
14-06-2011, 09:58 PM
what I want to know is what happens if the kids who are holding this information get their server hacked into by someone who will actually use it in the way everyone is afraid of.

The same thing that usually happens in these cases, no one ever hears about it except the people with odd charges on their credit card bill or loans in their name. Or the people arrested for having cp website payments on their credit card. There's an incentive to take it seriously!

I really, really, wish I could go to visa or whoever and get an authorisation key I give to the website I want to be allowed to take payment. So instead of giving out enough information to them to buy things from anywhere I only give out enough for that merchant account to charge me. It's stupidly insecure the way it works right now.

MiniMatt
14-06-2011, 11:59 PM
I have a sort of internal algorithm for passwords based on the website name involving switching the letters around in a pattern and adding numbers based on the URL or title length. I use it for games too and to my knowledge have never had account issues.

Oooh - I kinda like that. Sufficient to stop a sub-six month brute force crack, stops dictionary attempts in their tracks yet individually memorable and more importantly stops wide radius single attempt logins dead (ie. RPS forum gets hacked, that email/pass combo then tried once against a long list of more juicy targets - which is essentially where the realistic threat now lies). Hmm, I like that a lot.
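A keyed version of the per-site idea the two posts above discuss, as an added example that is not DigitalSignalX's or MiniMatt's own method and not code from this thread: rather than shuffling the site name by a memorable rule (which anyone who sees two of your passwords can start to reverse), the site label is fed together with a master secret through PBKDF2-HMAC-SHA256, so a password leaked from one forum reveals nothing usable about the next site and a one-shot "try the same combo everywhere" attempt fails. The master phrase, the site labels, the 20-character output and the iteration count are assumptions for the example.

```python
import base64
import hashlib


def canonical_site(site: str) -> str:
    """Normalise a URL or site name so that 'https://www.Example.com/login'
    and 'example.com' derive the same password."""
    s = site.strip().lower()
    for scheme in ("https://", "http://"):
        if s.startswith(scheme):
            s = s[len(scheme):]
    s = s.split("/", 1)[0]   # drop any path
    s = s.split(":", 1)[0]   # drop any port
    if s.startswith("www."):
        s = s[4:]
    return s


def derive_password(master: str, site: str, counter: int = 1,
                    length: int = 20, iterations: int = 200_000) -> str:
    """Derive a per-site password from a master secret.

    The salt is the canonical site label plus a counter; bump the counter when
    a site forces a password change.  PBKDF2 is one-way, so a password leaked
    from one site only gives an attacker an offline guessing problem against
    the master, whose cost is set by `iterations` and by how strong the master
    phrase is.  A weak master is the scheme's single point of failure.
    """
    if not 8 <= length <= 43:
        raise ValueError("length must be between 8 and 43 characters")
    salt = f"{canonical_site(site)}:{counter}".encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=32)
    # 32 bytes -> 43 URL-safe base64 characters (letters, digits, '-', '_');
    # the first `length` of them are the password.
    return base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length]


if __name__ == "__main__":
    # Constructed master phrase, for the example only (assumption).
    master = "constructed-example-master-phrase-do-not-reuse"
    for site in ("https://www.rockpapershotgun.com/forums/",
                 "rockpapershotgun.com",
                 "steampowered.com"):
        print(f"{canonical_site(site):24s} {derive_password(master, site)}")
```

The caveat a practitioner would add: this only protects the other sites if the master phrase is long and random enough to survive offline guessing once the scheme is known, and sites with odd composition rules (no underscores, max 16 characters) still need a per-site note, which is the point at which a password manager starts to look simpler.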

soldant
15-06-2011, 02:16 AM
I use LastPass. The more secure passwords are ones I haven't got a hope in hell of remembering. Some common websites I have an easy to remember password for but there's so little information attached that it's entirely useless. Main thing to remember with LastPass though is to ensure you have a strong master password.

Cooper
15-06-2011, 02:38 AM
The simplest solution:

Keep important & money-involved accounts on a different email address than you would forums & other logins.

I have one basic email & password combo (and use the same pseudonym and false DoB) for all sites like RPS, forums etc. where -all- you need is an email & name.

So if my email for Bethesda gets snatched, big deal.

My Steam etc. are all on separate email accounts & passwords.

Pretty much the same method as OP

Thing is, if your 'throwaway' details get nabbed, you -don't- have to go about changing it. Put simply, the chances those email details are going to be used to try and login somewhere like here are nil. So far, most of what has been nabbed (bar the PSN thingy) has been pretty low-level stuff.

OctaneHugo
15-06-2011, 02:38 AM
I used three passwords as well (occasionally tacking on numbers and capitalization if I have to/want to), but don't specifically assign them to anything - which occasionally leaves me spending 3 minutes typing all kinds of different words and numbers into a text box if I forget which one I used for that site.

I store most of my passwords for forums and anything more important is one of the many variations that I forget myself. Problematic sometimes, but I like to think I'm less stupid and more really, really good at securing my accounts.

I also have about 8 different Gmail accounts, and if I ever feel like it 2 old Yahoo accounts. And for anything temporary I use GuerrillaMail. And on sites that for whatever reason require a name and DOB I use a fake combo. Which technically means I live a double life.

Kablooie
15-06-2011, 02:57 AM
LastPass looked interesting, but data is stored online . . and they had a potential breach already.

Me, I'm not comfortable handing my data to anyone out there.

As for passwords, I won't divulge what method I use. There's always a compromise between security and convenience, yeah.

solipsistnation
15-06-2011, 04:34 AM
After the Gawker Media Embarrassment (whoops, my usual low-security password was in there, and I'd used it for medium-security stuff too. derp.) I usually use a base password with something specific to the web site tacked on. Even if somebody managed to retrieve my RPS password, they'd have to figure out which piece was the base and which was site-specific (not too difficult, honestly), but ALSO the site-specific part I use on any other sites that have a similarly-formed password.

I have a high-security password which is a little more complex and which can vary in a few ways. I may forget which way was used on which site, but I can usually figure it out.

PayPal can be set up to use your cell phone as an authentication token, so if a naughty person gets your password, they would still need your actual phone in order to log in as you.

Dirtyboy
15-06-2011, 05:39 AM
The Usability of Passwords (http://www.baekdal.com/tips/password-security-usability)

Maralinga
15-06-2011, 01:40 PM
Here's a few offline password managers (http://www.lifehacker.com.au/2011/05/the-best-password-utilities-that-dont-store-your-data-in-the-cloud/) for those that may be interested.

There's pros and cons to whichever method of storing passwords you might use, though using something like a password manager potentially allows you to use stronger passwords overall as you only really need to remember the one for the manager itself.

Ezhar
15-06-2011, 10:29 PM
Use complex (random letters and digits) passwords with 10+ characters.
Use a different password for everything
Use a different email address for every signup (Gmail's plus hack (http://www.lifeclever.com/two-gmail-hacks-for-fighting-spam/) is great for this)
Use a password manager (e.g. KeePass) to keep track of them (and avoid typing them in)
Keep your personal data on a need to know basis:

Do they really need your actual birthdate or does any 18+ work?
Are you expecting them to ship you something? No? Then don't put in your real address.
Why even use your real name, unless you're signing up for a service where that matters for credit card verification or so your friends can find you.
Few sites will ever need your phone number.



And whilst these break-ins are annoying to users, they're actually beneficial in the long run: Companies that have been neglecting security for far too long are now spending some time and money to fix their shit. At least a little bit. DDOS attacks however are just plain stupid.

JamesG
15-06-2011, 11:09 PM
@Kablooie

Lastpass data is stored online, but it is encrypted and decrypted locally using your master-password, which is never passed on to lastpass except as a cryptographic hash. Basically that means even with a complete dump of the lastpass servers, hackers would still need to brute force your master-password. If you have a strong master-password you have little to worry about (server side at least). I suppose someone could hack the lastpass site and install a malicious version of the client that siphoned off passwords, but in practical terms a client side compromise is probably more likely.

Still, my lastpass account does not contain my E-mail, paypal or banking passwords. It is also protected by two-factor authentication, as is my Gmail.

Oh, and any passwords that I might want on the move are memorised to avoid needing to log in to Lastpass on an untrusted system.

Cooper
11-11-2011, 01:19 AM
Worth necro-ing, I think?

Thing is, the Steam hack fazed me if I'm honest.

The passwords are 'hacked and salted' (which nicely got explained in the comments) so I assume, along with Steam Guard, I have little to worry about. (Billing address, name and email are always annoying to lose together. Though address and name are available to anyone with the cash to buy the voting list in the UK...)

But it did make me realise I use the same password (now changed!) for other places.

I've been meaning to overhaul my password system ever since the spate of attacks earlier in the year. And considered a manager -BUT- don't like the idea of having my passwords stuck 'in the cloud' like LastPass.

Thinking of using KeePass
http://keepass.info/
And putting it on a portable (tough) USB.

Any experience for anyone using something like KeePass which encrypts and stores the passwords locally?

Kelron
11-11-2011, 01:31 AM
I prefer to keep my passwords in my head, although I have a single physical reminder for the most important ones (that shouldn't be decipherable for anyone who stumbled across it somehow). For low security stuff I have 3 passwords that I cycle through, sometimes I throw in a different number or capital letters if I want a bit of extra security.

For my email and bank accounts, I find a good way to remember multiple complex passwords is to think of a phrase or a rhyme and use bits of that (with some extra characters, not just the words of course). That way I can have long and different passwords for each account, but not struggle to remember them.

DigitalSignalX
11-11-2011, 01:43 AM
Some nice options out now for physical authentication - Lastpass sesame and Yubikey come to mind.

pmh
11-11-2011, 02:25 AM
I've been meaning to overhaul my password system ever since the spate of attacks earlier in the year. And considered a manager -BUT- don't like the idea of having my passwords stuck 'in the cloud' like LastPass.

Thinking of using KeePass
http://keepass.info/
And putting it on a portable (tough) USB.

Any experience for anyone using something like KeePass which encrypts and stores the passwords locally?

I've used keepass before, but haven't extensively used the browser integration (which is usable, but not great). You can combine any of the encrypted "local" solutions with something like Dropbox to get something more highly-available.

At the moment, I just use Firefox's built-in password manager (with a master password) and their Sync utility to keep it across multiple devices.

Juan Carlo
11-11-2011, 04:27 AM
It's really not worth it to bother with password security on forums and stuff. I just use one simple password for all the forums I use. I just make sure that they all tie back to a dummy e-mail account that I just use for forums and which has no information about me. It's way simpler doing that than remembering 1,000 passwords as forum security gets hacked all the time--so why waste the effort?

As for my bank and steam and other stores I use a lot, I do have more complex passwords that I memorize. I have an easy system to remember them, but it'd kind of defeat the purpose if I told you it.

Vexing Vision
11-11-2011, 10:47 AM
My gaming-related email-address is a pure forwarding address to my "real" address. It is completely inaccessible from the outside for anyone without the forwarding address. The emails are not even remotely connected and cannot be guessed.

I'm a follower of the XKCD password strength method (http://xkcd.com/936/). I generate a few random words and line them up. They mostly have to do something with the game or forum they're related to.


It did take me around 20 minutes until I figured out how to change my Steam password without installing the Steam-client. What a fucked up, useless website...

amusingthebrood
11-11-2011, 10:55 AM
It did take me around 20 minutes until I figured out how to change my Steam password without installing the Steam-client. What a fucked up, useless website...

You are a better person than me. I had a look this morning, failed to work out how and assumed that I couldn't and would have to wait until this evening when I got home.

Vexing Vision
11-11-2011, 10:58 AM
You are a better person than me. I had a look this morning, failed to work out how and assumed that I couldn't and would have to wait until this evening when I got home.

It's well hidden.

Click on "Support", select "Billing, Account, etc" issues (after logging in), then click on the tiny hidden "edit account" link on the top right above the "search for topic" field.

There MUST be an easier way to do that, but that's the only thing I could find.

Megagun
11-11-2011, 12:26 PM
It's well hidden.

Click on "Support", select "Billing, Account, etc" issues (after logging in), then click on the tiny hidden "edit account" link on the top right above the "search for topic" field.

There MUST be an easier way to do that, but that's the only thing I could find.

That's for the Steam Support Account, which is different (or so I gather) from your regular Steam Account. I don't see the "edit account" link there; I see a "create Steam Support account" link there, instead...


As far as the topic goes: KeePass. I prefer to manage my passwords myself, rather than letting some third-party web-based tool do it for me. I also keep all my game and software CD/License keys in there, which is great for those MSDNAA-supplied license keys that like to disappear on the MSDNAA 'store'...

gundrea
11-11-2011, 01:16 PM
I'm a follower of the XKCD password strength method (http://xkcd.com/936/). I generate a few random words and line them up. They mostly have to do something with the game or forum they're related to.

While Randall Munroe may or may not be an excellent programmer, an excellent cryptographer he is not.
His approach does increase brute force complexity by suggesting lengthening the password but reduces complexity by saying you should limit your range of characters to letters.

Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English Language and if you are using four straight this will require less time to compute than a string of 11 ascii characters. Also, because you are using full words, their length will not increase the complexity, so words like loquacious will be as easy to crack as dog.

BillButNotBen
11-11-2011, 02:15 PM
I'm also a bit stuck on this.

Like many here I use 3 levels of passwords - Banks& Stuff, Secure Stuff (inc steam), and general rubbish (like forums).

But the problem is that over the years the number of sites has increased a lot... so the steam password/email is in use in a number of places. (sometimes with different gmail dot-hack addresses, and with different site-specific prefixes (but those are easy to guess, i now realise).

I've kind of decided to move over to Keepass. I keep looking longingly at LastPass, but I can't bring myself to trust it. They may only store hashed info, but that's all most sites do... doesn't mean it can't be un-hashed. It would be the most user-friendly option.

Keepass works pretty well on ONE pc. I've set it up to open minimised and locked, and then when I need to enter details I just CTRL-ALT-A and it usually inserts them correctly. But it's still a hassle... if i change a password on a site it doesn't automatically update on Keepass for example.

The problem is that, for some sites, I need to be able to remember the passwords... I use them on my cellphone and need to be able to type them in without it taking 6 hours (Ie: short and basic). I also need access at work sites on non-windows pcs, and I just got an android phone... keepassdroid is hardly quick and user-friendly.
Also, syncing involves dropbox, and you have to remember to keep a copy of keepass online, because if you lose your local copy you'd be screwed.

What I'm saying is I haven't worked out a great solution.... and the fact I have lots of legacy simple passwords from old sites and safer times doesn't help the matter.

QuantaCat
11-11-2011, 04:57 PM
www.ccc.de

you probably only "know" the "bad" hackers.

Also, yesterday, AnonAustria got the Wolo prize (http://www.monochrom.at/wolo) for anti-internet behaviour, because they released a bunch of private phone numbers and addresses of police officers in Austria. Which is in direct "violation" of hacker rule #8, as set out by the ccc.

So basically, all of "antisec" is bad hackery.

Kollega
11-11-2011, 05:20 PM
While Randall Munroe may or may not be an excellent programmer, an excellent cryptographer he is not.
His approach does increase brute force complexity by suggesting lengthening the password but reduces complexity by saying you should limit your range of characters to letters.

Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English Language and if you are using four straight this will require less time to compute than a string of 11 ascii characters. Also, because you are using full words, their length will not increase the complexity, so words like loquacious will be as easy to crack as dog.

I've found a good way to circumvent this (that unfortunately will require a lot of effort for you English-only types). You see, my keyboard has letters in another language on each key in addition to English, so I just input proper words in that language while having the typing language set to English, resulting in a string of random characters that is nonetheless easily remembered. Presto!

Batolemaeus
11-11-2011, 05:30 PM
Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English Language and if you are using four straight this will require less time to compute than a string of 11 ascii characters. Also, because you are using full words, their length will not increase the complexity, so words like loquacious will be as easy to crack as dog.

250,000^4 = 3906250000000000000000 (that's 3.9 * 10^21)
11 ascii chars including non-printing: 128^11 ~ 1.5 * 10^23
11 ascii chars including only those in regular use: 94^11 ~ 5*10^21

So four words in a small dictionary ignoring other languages or different spelling is about as good as 11 ascii chars including punctuation.
Even pretending you have a small cluster, you won't generate enough hashes to crack that easily, especially not with properly salted hashes going through 1k or more rounds of hashing the resulting hash with itself, creating a huge amount of overhead to sift through.
Dictionary attacks are incredibly unhelpful with such a high entropy. It's probably easier to find a hash collision...
And that's assuming the hash is exposed. Usually, it isn't.
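The arithmetic from the last two posts, carried out as an added example (not code from either poster): the search space and bits of entropy for a four-word passphrase versus 11 random characters, what happens when the words come from a small "game-related" vocabulary instead of a full dictionary, and how long exhausting each takes at an assumed guess rate once salting and iterated hashing are taken into account. The 10^9 guesses/s base rate, the 1,000 rounds from the post above, the 2,000-word vocabulary and the one-million-account dump are all assumptions.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates for `length` independent picks from an alphabet.
    For a passphrase the 'alphabet' is the word list and `length` is the
    word count; a word's letter count does not enter into it."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    return math.log2(space)


def per_account_rate(base_rate: float, rounds: int, accounts: int,
                     salted: bool) -> float:
    """Effective guesses per second against ONE account's hash.

    Each guess costs `rounds` hash computations.  Without a salt one computed
    guess can be compared against every hash in the dump at once, so the
    attacker's rate is multiplied by the number of leaked accounts; with a
    per-account salt every account has to be attacked separately.
    """
    rate = base_rate / rounds
    return rate if salted else rate * accounts


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: every candidate tried.  Expected cost is about half."""
    return space / guesses_per_second / SECONDS_PER_YEAR


# Assumed schemes, taken from the figures argued over in the thread.
SCHEMES = {
    "4 words, 250,000-word dictionary": search_space(250_000, 4),
    "4 words, 2,000-word game vocabulary": search_space(2_000, 4),
    "11 chars, 94 printable ASCII": search_space(94, 11),
    "11 chars, all 128 ASCII": search_space(128, 11),
}


def report(base_rate: float = 1e9, rounds: int = 1000,
           accounts: int = 1_000_000) -> dict:
    """Entropy and exhaust time per scheme, for an unsalted single-round hash
    of a large dump versus a salted hash with `rounds` iterations."""
    rows = {}
    for name, space in SCHEMES.items():
        rows[name] = {
            "bits": entropy_bits(space),
            "years_unsalted_1_round":
                years_to_exhaust(space, per_account_rate(base_rate, 1,
                                                         accounts, False)),
            "years_salted_n_rounds":
                years_to_exhaust(space, per_account_rate(base_rate, rounds,
                                                         accounts, True)),
        }
    return rows


if __name__ == "__main__":
    for name, r in report().items():
        print(f"{name:38s} {r['bits']:5.1f} bits  "
              f"unsalted dump: {r['years_unsalted_1_round']:.2e} y  "
              f"salted+rounds: {r['years_salted_n_rounds']:.2e} y")
```

Two things the numbers make visible: the four-word passphrase only reaches its 71.7 bits when the words are genuinely random picks from the whole dictionary (the "related to the game" habit collapses it to about 44 bits), and salting plus iteration changes the cost by a factor of roughly `rounds * accounts`, which is why a hashed-and-salted leak is a different event from a plain-hash leak.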