I thought vBulletin’s username/passwords are encrypted by default?
Did they get information elsewhere?
Yes, thanks, Ed!
27 minutes after the SDMB email, I got SPAM email from my own (listed) email. Passwords are now changed. I haven’t logged in here for years but made the beginner’s mistake. I say this as a warning to others who occasionally re-use passwords. Change those passwords.
The only thing obscurity is good for in a security scheme is letting your users know that your security sucks and that they shouldn’t trust you with any sensitive information. If your security is actually good, then you want to let people know that it’s actually good. Security by obscurity is the equivalent of telling Indiana Jones that the Ark will be studied by “Top. Men.”: All it does is assure him that it won’t actually be top men.
What I want to know about this attack, is whether the security hole that allowed it to happen has been fixed. There’s no sense in changing passwords, etc., if the attackers can just steal the new passwords too.
2a. I’ve puzzled over the 1 basket problem since the 1990s, when I created a password file using PGP. (I now use KeePass). You need to create a long and strong password and only use it locally on your computer. In other words, don’t use it for your email. You can consider creating a hint sheet which won’t reveal the password but will provide a puzzle that converts “Things only known to you and your close family,” into the real password. Of course if somebody with access to your computer starts asking suspicious questions, then… well you actually have gained useful intel about their character, right? Not to mention a signal to change your high security password.
2b. If a bad guy has a key logger installed on my machine, they can capture my password, though KeePass can defeat some versions of such attempts, maybe. But they will need to download the KeePass file as well. Then they can commit all sorts of mayhem.
My approach is to keep myself apprised of popular bad-guy techniques. The go-to website for this is Krebs on Security. Here’s a chart on what can be done on a hacked PC. Here are tools for a safer PC which I haven’t read yet - only discovered just now. Small businesses should read this page.
I use a low security password at the dope, one that is not a variant of the ones I use for ecommerce or email.
Unless they also want to read the Giraffe board, good luck with that.
How about forcing the boards to send a routine email? Subscribe to a thread and have it email you, then see where it goes.
FWIW I saw a really cool suggestion for creating a long password full of digits, upper and lower case letters that is nevertheless super easy to remember. It’s not original, absolutely perfectly hackproof, guaranteed 100% unique or ideal for everyone at all times, so if that’s a deal killer, please skip the rest of this.
OK. Think of your address when you were a kid and simply memorize the sentence, e.g., “My childhood home was at 18509 Throatwarbler St. in Mangrove CA”. Your password is Mchwa18509TSiMC. If you want less length, leave off the “in Mangrove CA” part. If you need 5 more digits of security add the ZIP. Of course you could start instead with “I grew up at” or “We lived at” or “Our house was at”, etc. Whatever’s easiest to remember. (If they require a symbol you can always append an exclamation point!)
Hope someone finds this helpful as I did
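As an added example (not from the post above), here is a small Python script that applies the first-letter rule just described to a sentence, keeping digit runs whole and dropping punctuation, so you can check what a given sentence turns into; `mnemonic_password` and its parameters are assumed names, not anything from the board.

```python
import re
from typing import Optional


def mnemonic_password(sentence: str, zip_code: Optional[str] = None,
                      symbol: str = "") -> str:
    """Turn a memorable sentence into the mnemonic password described in the post.

    Rule: first character of every word, digit runs kept whole, punctuation
    stripped ("St." -> "S"), optional ZIP appended, optional trailing symbol.
    """
    parts = []
    for token in sentence.split():
        token = re.sub(r"[^0-9A-Za-z]", "", token)  # drop "." in "St.", etc.
        if not token:
            continue
        parts.append(token if token.isdigit() else token[0])
    password = "".join(parts)
    if zip_code:
        password += zip_code
    return password + symbol


def character_classes(password: str) -> set:
    """Report which character classes the result contains (upper/lower/digit/symbol)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


if __name__ == "__main__":
    # Constructed sample sentence from the post; the address is fictional.
    sentence = "My childhood home was at 18509 Throatwarbler St. in Mangrove CA"
    pw = mnemonic_password(sentence)
    print(pw, sorted(character_classes(pw)))          # Mchwa18509TSiMC
    print(mnemonic_password(sentence, symbol="!"))    # Mchwa18509TSiMC!
```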
I use a different password for every site that requires one, including this one. So am I correct in thinking the worst case scenario for somebody like me is that someone might be able to sign on this board and impersonate me? Or is there some dire possibility I’m missing?
The problem with such a password is it’s vulnerable to exactly what apparently happened here - somebody hacking into a website and stealing a list of passwords. And with a complicated password like you’ve described, you’re probably going to use it at multiple sites.
It’s not dreadful as far as password mnemonics go. The danger with doing anything formulaic like this is that it may be possible with several passwords to build up a pattern. If personal details are discovered (such as your address history) then you are vulnerable. The same can be said of using a derivative of the website as part of the password.
My mnemonics refer to memorable events, personal gifts, plans and ambitions, elementary school friends’ middle names and things of that nature. Stuff stored only in my head that has not been written down before and cannot be derived from any history of me. I combine these with numbers that I have memorised in my distant past: things such as phone numbers, car registration numbers, entry number in a charity fun-run from two decades ago – stuff that is already locked in there for whatever obscure reason and so is not a memory burden. And it may not be ideal, but I store the mnemonics in plain sight in a word document so that I know what password applies to which location. Look at that document and you will find stuff like school bus route, Bill’s middle name, Craig’s gift, 2002 travel destination. Good luck trying to decode that one.
My problem here is that the SD password was an old one that I had used in a number of non-critical sites and had never gotten around to changing. As a result of this hack, the website where I once bought some contact lenses now has a new and unique password. It took me a few minutes to change passwords at half a dozen sites and update my mnemonic file. If I am honest, the hackers probably did me a small favour.
Welcome back, cookies are in the kitchen.
I’m almost sorry to see my password go… had the same one for mumblemumble years… snifff…
(I did follow the link from the email but also jumped a bit back and forth from where it took me, to verify that either it’s legit or someone has copied the whole board)
Well. Since I got the e-mail about the issue and changed my password and all, I thought I would just post to let people who remember me know that I’m still around and lurking in the shadows.
Can I ask why you bother deleting stuff from your junk e-mail account? I can’t even be bothered to tidy up my useful accounts, with all the storage on offer these days… let alone my junk one…
What am I missing?
Anyway, I, too, thought it was phishing… fortunately, my password wasn’t one I used for anything else, either.
Meh, if someone gets into an account of mine, I might have to get a life.
I realize to some of you it could be a big deal, like if you foolishly used the same username/password here as on your banking site, or something like that, no need to point that out to me. If you are in that group, though, remember to change all your passwords not just the one here.
I just use “password” for every password including this Board. Simple that way.
BTW some years ago I could easily find a fellow Doper’s IRL identity (as he posted a question about his website) by Googling his e-mail address which was visible in his SDMB profile. It seems nowadays there is no option to directly display the e-mail address but there is an option to let other users download a vCard. When you change your password you might also want to check that option is disabled.
I still use the account for when I sign up for free stuff and want to actually try something out like a grocery store card or get a free towel at the ballpark. If I end up liking the service I move it to another email. Not sure why I never moved the SD over other than in my mind it was a security feature. I do similar things for three other accounts. That is I use a junk email address for one or two real site communications and the rest is junk. That way I don’t really build up too much junk in one account. BTW the worst spammers are the Democrats. I receive about 5 trash emails from them everyday. Mortgage companies come in second.
I use my gmail account on IPhone so I am logged in all the time. Can it still be hacked? Also I changed my Straight Dope password.
probably the N fkin SA