

Encrypted passwords were taken. This means by now, weak passwords have been unencrypted, and if they belong to joe.blogs@gmail.com, and Joe uses the same password on gmail, he is now owned.
The hackers were most likely going after Kickstarter for this specific reason and not for the site's credentials. Email and social media creds are worth far more.

Steelwing:

> Encrypted passwords were taken. This means by now, weak passwords have been unencrypted, and if they belong to joe.blogs@gmail.com, and Joe uses the same password on gmail, he is now owned.
> The hackers were most likely going after Kickstarter for this specific reason and not for the site's credentials. Email and social media creds are worth far more.

This is why you use a different email address, logon name and password for everything.


and use password safe to keep track of them all.
My experience says that 80% of people don't do this, however. Keeps me gainfully employed, though!

Steelwing:

> and use password safe to keep track of them all.
> My experience says that 80% of people don't do this, however. Keeps me gainfully employed, though!

While I agree it is better than using one password for everything, I remain unconvinced by such programs, due to the fact that one password still gives access to all of your passwords.
A virus or trojan targeting such an app only needs to capture your password for it and send over your database, and that's you done.
I keep my list on a separate PC that never connects to any network. The file itself is encrypted, and each entry is also encrypted by a simple substitution cypher which I can translate separately. Complicated? Yes, but I rarely need to refer to it in any case, as most logons and passwords I can remember.


I agree with you, Steelwing. An offline repository, or some method of out-of-band authentication, is far more preferable. This is generally not practicable for most end users, however.
I use the safe I linked above, with the certificate/key option. To access the safe, you need to enter a password and also have the certificate somewhere locally, which is on an encrypted USB stick.
You're right again, in that malware written to work around these protections could still steal the whole database while in an unencrypted state, but from experience, the fraudsters and criminal gangs go for far lower-hanging fruit. The people that have the skills to write such malware are working for governments or large criminal organisations and writing things such as Stuxnet or ZeuS.


All arguments come down to the fact that the whole password system is broken as pointed out here.

Steelwing:

> I agree with you, Steelwing. An offline repository, or some method of out-of-band authentication, is far more preferable. This is generally not practicable for most end users, however.
> I use the safe I linked above, with the certificate/key option. To access the safe, you need to enter a password and also have the certificate somewhere locally, which is on an encrypted USB stick.
> You're right again, in that malware written to work around these protections could still steal the whole database while in an unencrypted state, but from experience, the fraudsters and criminal gangs go for far lower-hanging fruit. The people that have the skills to write such malware are working for governments or large criminal organisations and writing things such as Stuxnet or ZeuS.

Your system is certainly better than nothing; I was just pointing out it still has flaws, because when you are aware of the flaws you can protect yourself. Seen too many assume that because they have one form of protection they can forgo others.

Steelwing:

> All arguments come down to the fact that the whole password system is broken as pointed out here.

While passwords certainly have huge problems (you normally find that problem between the chair and the monitor), unfortunately biometrics and such like have currently not come of age in terms of giving false positives.
For example, the last study I saw gave retina scans around 80% reliability and fingerprint scans about 86%. While that sounds a pretty good rate, imagine your card being refused in a filling station one time in 5, or in a restaurant.


> Did anyone have trouble changing their password? Nothing happens when I click the Change Password button.

You have to put in your new password in two separate text boxes, then put your old/current password in the text box below. That's how I did it and I got a confirming email afterwards.


> Should be working. Did it welcome you with a "please change your pword" banner message upon logging in?

No, the banner was missing, and it showed up a day later, so it worked then. For some reason just going into my account and trying to change it without that banner being there didn't work.


> Maybe I'm just a little too paranoid, but when I hear that my email address has possibly been compromised, I find the website through my bookmarks or Google rather than relying on something that showed up in my mailbox.

Good idea; I actually Googled the news story first rather than believe the email, then typed in the website name manually.


It's an email they send at the moment that you request it, by clicking the forgotten password link. I wasn't too bothered by it (and I really did forget my KS password).
Also if they did manage to get my financial information from KS, that non-reloadable gift card has been empty for a while (internet security, yo).


Here's a useful resource for picking passwords:
www.passwordcard.org/en


One thing I thought was useful with SWTOR: it came with an authenticator key. Your pw stayed the same, but you had to put in the number the key generated before every log in.
I suppose they could hack your pw, but never get into your game.
If it's cost-effective, I'd love to see PFO use authenticators like that. I was happy to have them for WoW and SWTOR.


PS. Don't use correcthorsebatterystaple as your password.
If you use four uniform random words from the dictionary, you won't fall to a brute-force attack from somebody who knows that you used four random words from the dictionary.
To get a random word from the dictionary can be tricky: If you open to a page without caring which, you probably opened to the middle third, and your randomness is not uniform.
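The two points above (an attacker who knows the scheme still has to search every combination, and a non-uniform pick loses strength) can be put in numbers. The code below is an added example, not the poster's; the 16-word list is constructed for the demo, and the "middle third" model of flipping a dictionary open is an assumption chosen to make the loss concrete (two thirds of the picks land in the middle third of the list). It draws words with the OS CSPRNG, computes the entropy and average guess count for a four-word passphrase, and then shows the guessing resistance that remains under the biased pick, measured as min-entropy, which is what matters against an attacker who tries the most likely words first.

```python
import math
import secrets

# Constructed mini word list for the demo. A real list such as the EFF long
# list has 7776 words; the functions below take the list size as a parameter.
WORDLIST = ["acorn", "bridge", "cactus", "dragon", "ember", "fossil", "glacier",
            "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nebula",
            "orchard", "pebble"]


def passphrase(words, count=4, choose=secrets.choice):
    """Pick `count` words uniformly and independently.
    secrets.choice draws from the OS CSPRNG, so every word is equally likely;
    `choose` is a parameter only so a test can substitute a deterministic picker."""
    return " ".join(choose(words) for _ in range(count))


def entropy_bits(list_size, count):
    """Shannon entropy of `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def expected_guesses(list_size, count):
    """Average guesses for an attacker who knows the scheme (list and word
    count) and enumerates all list_size**count combinations."""
    return list_size ** count / 2


def min_entropy_bits(probabilities):
    """Guessing resistance of one draw: the attacker tries the most likely
    word first, so only -log2 of the largest probability counts."""
    return -math.log2(max(probabilities))


def middle_third_bias(list_size, middle_mass=2 / 3):
    """Assumed model of 'opening the dictionary to a page without caring':
    the middle third of the list receives `middle_mass` of the probability,
    spread evenly; the rest is spread evenly over the outer two thirds.
    Returns the per-word probability list (sums to 1)."""
    third = list_size // 3
    inner = middle_mass / third
    outer = (1 - middle_mass) / (list_size - third)
    return [inner if third <= i < 2 * third else outer for i in range(list_size)]


if __name__ == "__main__":
    print("sample passphrase:", passphrase(WORDLIST))
    for n in (len(WORDLIST), 7776):
        print(f"{n} words, 4 drawn uniformly: {entropy_bits(n, 4):.1f} bits, "
              f"about {expected_guesses(n, 4):.3g} guesses on average")
        biased = middle_third_bias(n)
        print(f"  same list, biased page flip: "
              f"{4 * min_entropy_bits(biased):.1f} bits of guessing resistance")
```

With the 7776-word list the uniform four-word passphrase has about 51.7 bits (roughly 1.8e15 guesses on average for an attacker who knows the list and the count); under the biased flip each word is worth one bit less, so the practitioner's takeaway is that the strength estimate is only valid when the selection really is uniform, which is why dice or `secrets` are used rather than a thumb in a book.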


I've never set up two factor authentication because I don't like the idea of what happens if I lose my phone (which I've done before, and let's face it, can happen to anybody).
I asked around about this, and I'm told you get security questions instead. I'm not sure if that's actually true, but if it is, that really limits just how useful two factor authentication really is if the fallback is very-not-secure (for most people, at least) security questions.


> I've never set up two factor authentication because I don't like the idea of what happens if I lose my phone (which I've done before, and let's face it, can happen to anybody).
> I asked around about this, and I'm told you get security questions instead. I'm not sure if that's actually true, but if it is, that really limits just how useful two factor authentication really is if the fallback is very-not-secure (for most people, at least) security questions.

The answer to security questions...... don't use the real answer.
For example: What is the high school you graduated from? Answer = the sky is blue.
What is the make of your first car? I still ride a bike.
Secure, and it is like a PW: as long as you remember it, you're fine, and it won't be guessed by anyone who does or doesn't know you and what your real first car was or where you went to high school.
You could always lie too.....


Avatar-1 wrote:

> I've never set up two factor authentication because I don't like the idea of what happens if I lose my phone (which I've done before, and let's face it, can happen to anybody).
> I asked around about this, and I'm told you get security questions instead. I'm not sure if that's actually true, but if it is, that really limits just how useful two factor authentication really is if the fallback is very-not-secure (for most people, at least) security questions.
>
> The answer to security questions...... don't use the real answer.
> For example: What is the high school you graduated from? Answer = the sky is blue.
> What is the make of your first car? I still ride a bike.
> Secure, and it is like a PW: as long as you remember it, you're fine, and it won't be guessed by anyone who does or doesn't know you and what your real first car was or where you went to high school.
> You could always lie too.....

Just like a sneaky assassin.... Never thought of this.