How did this extortionist get my (possibly) password?

I got one of these this morning. Curiously the password they used was the name of one of my FB contacts and one that to my certain knowledge I have never used as a password anywhere.

I have gone a long time without anyone offering me a share of their £millions if I help them get it out of Nigeria/Gambia/Guinea-Bissau etc. Today I got two.

I would be more impressed if the extortionist’s email said they knew I’d visited online plant nursery websites and had video of me drooling over horticultural porn. I might be willing to fork over a couple bucks to keep my cow-orkers from knowing how much I spent this past year on fig cuttings.

If you’re feeling deprived I can forward a passel of these to you from my spam folder. And Mrs. Belinda Hornsbottom has a need she thinks only I can fulfill, but maybe you would do. :dubious:

I get those, too, although I’ve never gotten one that had a password close to one I have used. I find it most amusing when they claim to have video of my doing things that are anatomically impossible. :slight_smile:

I got a new (to me) variant yesterday. I was BCC’d onto an email, ostensibly for a recipient I have never heard of, claiming to warn them that the authorities were about to swoop on them for child pornography offences. The email contained an attachment, a pdf I think, which was supposed to contain important info to help the recipient. My guess is that attachment contained malware and they were betting on people’s salacious curiosity to open it.

I’ve gotten a couple variants of these emails, and they all have a password that I haven’t used in at least 8 years.

I don’t know about Mrs Hornsbottom, but I think my email must have appeared on a list somewhere. Today I had offers from some ladies of dubious virtue and, surely no coincidence, some method to increase the size of my penis and a ‘special’ offer on Viagra to keep it up.

I’ve gotten from time to time emails threatening to send my friends, relatives, and co-workers photos of me wanking at the computer unless I send them a few hundred dollars. While not anatomically possible, it is technologically impossible – I’ve never had a web camera installed on my desktop.

To paraphrase Goldfinger, I don’t expect it to stop the emails, I expect it to irritate them. Did you notice the amount?

If the hacker has access to the user database (i.e. as in a major breach like Yahoo a few years back), it is trivial to figure out your password using a brute force attack unless your password is like 30 alpha/numeric/symbolic characters long.

That’s kind of why passwords are more or less useless unless complemented with biometrics or multi-factor authentication.

Good passwords aren’t useless. It’s just that almost nobody uses good passwords.

And for a remote access, biometrics aren’t going to be any better than passwords. If the attackers can get the password database, then they can also get the database with the biometric information, and spoof it.

Just to slightly clarify for anybody interested: websites nowadays will almost never actually store your password. In fact, they never even see your password: when you click “log in,” you are generally sending what’s called a “hash” of your password. Basically an algorithm scrambles the “Password123” you typed into a long sequence of seemingly-random characters. The website only records and looks for the hash, not the actual password.

Current hashing algorithms are effectively one-way, so even if a hacker gets access to the database, they can’t just “unhash” your password. HOWEVER, if your password is fairly short and especially if it is made up of fairly standard patterns (dictionary words, h4ck3r words, a few numbers at the end) it’s relatively easy to brute-force it.

If you’re actually concerned about security, it’s pretty much necessary to use a distinct password for each site, at least 15 characters long, and composed of random characters. In other words, you pretty much need to use a password manager.

One of the concerns about quantum computers is that a a quantum computer of a certain capacity will effectively break almost all current hashing algorithms.

The problem is older password encryption techniques were less sophisticated - and didn’t plan for advances in processor power. the original LANMAN (Microsoft) password storage broke passwords into 8-character pieces and converted to upper case before encrypting. It would take a few hours to decrypt all such passwords now, then a few tries to deduce upper/lower case needed.

A dictionary attack simply takes the encrypted database, and then encrypts every word in the English language (plus names, made up words, etc) and looks for a match. then for good measure, since processors are so fast, it can try the same trick with 00 to 99 appended; and then include some common punctuation (@, !, $, etc.) Surprisingly, English vocabulary is pretty small, so there are a few hundred thousand choices. Maybe a few million with suffix.

The old “aaaa, aaab, aaac” may sound funny but with a few decent processors and a couple of days, it’s not difficult to do. Most websites will lock a used after a few bad tries (or block someone’ address if they try and fail too often). But if you can download the database of encrypted passwords, there is no limit to the number of wrong tries. With a few terabytes of storage, you can prepare a “translated” dictionary ahead of time, if the hacked site uses standard encryption for the passwords.

My guess for PO is same as others’. You used the same or similar password once upon a time on many sites. One of them is hacked, so your email/password combo is compromised.

Best suggestion I’ve heard is this - have 3 passwords. One for general use, things like straight dope or facebook, where it would be embarrassing if hacked, but otherwise no big deal. One for real personal sites that you need to keep private and have a lot of private detail, like your email. And a third for sites with severe financial implications - like your bank, PayPal.

Make a password with a phrase of pair of words… be clever, add punctuation upper, lower case and numbers. Like 1Born2BWild3! That’s not going to be in any dictionary attack (but, it probably is now). Make it unpredictable. Don’t just add a number on the end, that’s way too easy.

Unfortunately, the real world is very, very far removed from the ideal. It was announced in the past week that Facebook had been keeping the plain text of passwords in a log file that many employees had access to (which some took advantage of). Who knows who else got their hands on it given Facebook’s permissive attitude towards user data.

This was discovered in January of this year and “steps taken”. Which probably means Facebook did nothing, as usual.

This sort of thing is far from rare.

In order for that to work, the words chosen have to actually be random. Words that combine into a meaningful phrase are not random. That is to say, if you told me that your password started with “1Born2B”, then I’d have a pretty easy time guessing that the next part would be “Wild”, I might guess the 3, and the exclamation mark wouldn’t be too hard to guess, either. In other words, that’s only a little more secure than the first seven characters.

You also need more than two words. Four might be enough; five certainly is (again, if they’re truly random).

But typical encryption encrypts the entire password at once. If they can get a significant fragment then the game is already over. Plus, the number of common phrases is far higher than the number of individual words, plus the possibility of misspelling or adding arbitrary numbers or punctuation anywhere makes it far less predictable than a word -

There are so many song and movie titles, classic lines from movies, commercials, etc. Plus, puns on these…

Titles - Star Wars, Store Wars, Star Words, War of the Worldly, Fawlty Towers, Get Smart, Beverly Hills 90210, Lethal Weapon II, A New Hope, Lawn Order, Breaking Bad …
Lines: (Ram the words together, or put random numbers or punctuation in between)
Luke I am Your Father
Use the Fork Luke
These Arent the Droids
Move Along
Ill B Back
Hasta La Vista
Heres Johnny
My Hovercraft Is Fool of EEEls
I Think I Need a Beeger Box
Speedy Gonzales Friend of Everyones Seester
I Tawd I Taw a Puddytat
Book Him Danno
Stay Outa The Meadow
Elementary Watson

… need I go on? I haven’t even mentioned lines form songs… (“Get Your Motor Running”) You can be totally unpredictable based on your personal sense of humor or favorite shows. The main problem is how fast (and accurately) you type. This sort of password is far less predictable and far less susceptible to a dictionary attack.

As I tell people when I’m explaining this - if you have more than one kid, don’t use your children’s names. Because if one figures out that the password is the other’s name, then they know you love the other one more.

Both of these statements are wrong, or at least misleading.

Any encryption worth the name won’t allow partial matches. So, if I have a password “StraightDope1,” there is no way that an attacker can know that they got “StraightDope” correctly, and that they are only missing the “1.” (Note that there were obsolete encryption schemes that had weaknesses in them that did allow such attacks, but they have been replaced.)

It is true that if a human knows that your password starts with “We the People,” then they are likely to be able to guess your password. But, the attackers that most people are concerned with- anonymous ones on the web- are using automated attacks, and the intelligence behind them is pretty low. I’ve played with John the Ripper, and the password-guessing algorithm it uses is pretty lame. It might break “passw0rd,” but it’s never going to break a multi-word password, unless that password has already been compromised.

This is not correct. If it were then all a hacker need do to defeat it is send the hash, they would not need to guess the password at all. In effect, the hash would become the password and the server’s hash database just as insecure as storing passwords in plain text. You need to send the password to the server, using a secure connection to avoid snooping, then the hash is performed on the server side.

To be clear, I’m not referring to a situation where the attacker knows part of the password (it would be quite contrived for such a situation to come up). I’m just using the ease of auto-complete to illustrate that the whole password is only slightly more secure than the first part. And yes, there are lots and lots of meaningful phrases, but they’re far fewer than meaningless phrases.

I agree with your overall point, but I would not use the word “encryption” since passwords are generally stored using hashing and hashing is a one-way algorithm. Something encrypted can be decrypted.

I was amused by getting one of these, first startled that I saw my password for throw-away accounts in a spam email, but it wasn’t hard to figure out what was going on. I would be much more worried if they got one of the passwords for a bank or email account, which are all unique.

As to the creation of good passwords, one way to get around dictionary attacks is to simply have a famous phrase or saying and using the first letter of each word. Or the first letter of the words in titles to various movies or author names or whatever else you like. Tmoagtiwmw - Too much of a good thing is wonderful* - Mae West. If you need punctuation or numbers, hacker-speak works on a very large percentage of letters. Tm0@gt!wmw looks like complete gibberish but if you know how it’s formed, it’s not too hard to remember compared to actual random characters.

*That’s apparently not the actual correct quote, but it’s what made it onto a pillow I used to see regularly.