Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames …
"Using a different, hard-to-guess password on every site is a very good start in this direction"
Do an article on how people who have been on the net for 10+ years can do this easily. I have millions of accounts for stuff and I use one generic password for a lot of them (except ones linked to money or my identity).
I hear you lot barking this all day - best practice, blah blah blah. But how are we actually supposed to do it?
I use DropBox, Firefox + Foxmarks password sync, and stuff like that. That should get you started.
"As many as two in five people use the same password for every site they use. That means access to a webmail account gives hackers a head start in accessing online banking or PayPal accounts linked to the same address."
You mean that there are online banking systems out there which rely only on an email address and passord for login creds? Or are you playing fast and loose with the truth?
Yess ... but
'Using a different hard-to-guess password for every site you visit ...'
This system is broken. I moderate two forums, post on three others, have paypal, banking, ebay and amazon accounts and also have passwords for my computer, my two email accounts, my university account (which has three separate passwords for various functions), my ABE books account, and even a password for posting on the Reg here. I could go on ...
Now, since it's impossible to remember all these hard-to-guess accounts (hard to guess == hard to remember) I have to have them aggregated somewhere, which means that if the aggregator gets lost or compromised the whole bang-shoot goes down.
Some other system is needed - perhaps based on the IP+Mac of the user's comp, and/or a challenge response system. Passwords are compromised simply because there's so much need to use the damn things.
So f-ing what?
My online banking requires:
1. A 10 character account number, not linked to my card or bank account number
2. Random characters out of my own silly long password
3. A card reader, and my bank card, in order to add a new payee/transfer money out
Even if they got in, there's not much they could do.
Email is dispensable, anything important/work based, should be on a secured server, and again, keep those passwords up to date boys and girls. Get my gmail account? I'll open another :)
"Gives hackers a head start in accessing online banking or PayPal accounts linked to the same address" != "there are online banking systems out there which rely only on an email address and password for login creds"
However, to take your point at face value, yes PayPal only requires an email address and password as login credentials. You can then make payments from that, which are linked to your bank account, and remove funds from there.
To discuss what was actually written in the article, before you badly paraphrased it, as a real world example Egg credit card requires the following login details;
First name, surname, date of birth, postcode, mother's maiden name and password.
Assuming you can access a user's webmail account I suspect you've got a good "head start" to finding their first name and surname (read a selection of emails till it crops up). From there if they have a facebook account linked to their webmail address you might be able to get their date of birth. Which just leaves a postcode to find. Figure that out for yourself, but it ain't that difficult.
So no, the article's not fast and loose with the truth, you've just misinterpreted it by not reading it properly.
One option are Password Generators such as PasswordMaker for FireFox.
Given a master password as a salt, they'll generate a hash against the site name and give you a different password for each site. You can choose the length, what range of characters to use and best of all the password itself for the site isn't permanently stored anywhere (on your machine anyway). Instead, the browser recreates it on the fly when you visit the site in question.
KeePass password safe
I'll let you figure out how to use it! Oh, and it is multi platform if you can endure Mono.
Horses for courses
You can probably group all the things you have passwords for into three categories :
1) Stuff you really really don't want anyone to break into (e.g. bank)
2) Stuff you'd rather people didn't break into (e.g. Facebook or LinkedIn)
3) Stuff you're not that bothered about (e.g ezines like the Reg or online electricity bill payment)
So now you only need three passwords. You also need a separate email address which you can use to receive password reminders for your category 1 stuff. You may as well give that the same password as your category 1 sites, because if someone cracks the email account they'll be able to get your password for the sites anyway.
Time for two factor authentication for the home?
Given we all have more passwords than we can ever remember and are forced to use a password manager like LastPass to keep sane, there is always the risk of the password to your password manager being stolen. There are ways to minimise this risk with use two factor authentication using Yubikeys or similar devices that makes having just the password not enough to compromise your life.
So isn't it time two factor authentication became standard for all computer authentication, then we can all go back to just one password to everything, as the bad guys still need your physical token?
"My online banking requires..."
Blah blah blah, you != everyone.
My UK online banking requires random characters from my password, account number (though that's based on my DOB, d'oh) and a numeric PIN. My US online banking requires a username and password.
@ Grease monkey
"You mean that there are online banking systems out there which rely only on an email address and passord for login creds? Or are you playing fast and loose with the truth?"
Nope, they are not playing fast with the truth - try American Express, now try not to laugh when you read this...
Access to your on-line account (credit card) is by username (last time I looked was letters only) and a password (min 6 characters and I think only numbers and letters, no special characters). Yep, that's all. Okay, it's not a bank, but has a lot of info on it, especially as you can link a debit card to it to make payment "easier" most of the info of which is in the clear.
So to save the planet (and money) my (very large company) has made it mandatory that we no longer receive paper statements and must all use the on-line system for checking/paying our corp amex cards....
@Horses for courses
You were doing so well until you got to the point about the paswword for your "password reminder" email account... :-)
Ok, I'm being a pedant, but I guess your way of looking at it makes sense.
As for AC at 16:02, yep, KeePass is good, I use it myself (and keep a backup elsewhere in case of loss/fire/corruption/stupidity
"before you badly paraphrased it"
Erm, in what way is quoting verbatim badly paraphrasing? The article clearly stated that given an email address and password would make it possible to hack into online banking. Paypal is not online banking. So what you were doing was adding something that wasn't included in the original article, which is worse than paraphrasing.*
Are you suggesting that people are stupid enough to actually set up their account so that it automatically pulls money from your bank account when they have insufficient funds in their Paypal account? Wow!
*Which isn't the same as quoting verbatim.
Any proof it's from a phishing scam?
There's been a virus round for a few months that steals passwords, & no article I've seen about this has said anything to prove the actual method.
One idea I have yet to see implemented might help a bit.
Many sites collect personal questions (name of your pet, etc) but do not use that information to the best advantage. Instead of just using those personal questions to re-issue passwords, they could be used at each log on. In other words, you provide your username, your password and then the site picks one of the personal questions at random and you have to provide that answer as well. Otherwise, the failed log on is reported to the user at the next successful log on.
I developed that routine 25 years ago. Even Linux would benefit from such a routine. Let the user make up as many personal questions as they like to increase the security even further.
Even if someone guesses or somehow phishes the password it is very unlikely they will get all of the personal questions and their correct answers. Plus the user is notified if anyone attempts but fails to get in.
Yes, Virginia there are ways to make the use of logon faciltities much more secure even without making them more difficult to use. If I were to customise the Linux log on that is the first thing I would do.
A good way to...
...stampede lots of people into changing their passwords?
Call me a cynical old bastard (why not, those *are* my middle names) but if you can do some funky DNS hacking of "enough" DNS servers then surely herding the masses into your trap by releasing email addresses and made up passwords would be a good idea? Your provider panics, tells everyone to change their password and... "enough" pukka passwords fall into your lap to make a killing.
Is anyone else suspicious of this "mass phishing attack"? Wouldn't something have surfaced, somehow?
Just because I'm paranoid it doesn't mean they're not out to get me...
ps. SuperGenPass (just google it) - jobs the job for me (even I don't know what any of my site passwords are, including this one)
Some more password tips
Here's one way around it.
Have a password, have the same password for different services.
say your password is ... pa$$w0rd
your hotmail password could be something like myHMpa$$w0rd, your ebay would be pa$$w0rd4£bay etc, also like DR who suggests, have about 3 passwords and think about which is for what. (don't use pa$$w0rd, that's a very bad one)
"perhaps based on the IP+Mac of the user's comp, "
Your IP address can change every few hours, you MAC is limited to one pc / router.
And both are extremly simple to spoof, so are worse than a password!
That's the kind of philosophy I use, except that I keep my email password at tier 0.
Because I've seen stupid things like financial insitutions keep passwords in either an unencrypted or decryptable format- it was able to send me my own password!
I used to be one of those "I really should manage my passwords better" people and now I'm one of those rare as hen's teeth "I have a different password for every important or sensitive account". What's more, they're all secure as hell.
You've to be careful to backup the database file though, lest you lose it in a hard drive failure or something.
Anybody who knows, knows the real reason for this is because in the Microsoft OS, cryptAPI is broken, and MS didn't fix it more than 9 weeks ago, as regularly reported by ElReg.
No responsibility is to be held by anyone other than MS. So, MS, get your a+++ in gear and mend the entire internet. You're making it unsafe for anyone to use the net, and it isn't the fault of crappy coders or malevolent people.
In my little red book, Bill Gates is the first against the wall for the firing squad.
If you want an example...
... of a banking site that only uses a username (which can be an email address) and password, have a look at the American Express UK login page.
"Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports."
What do they mean by "old"? An account that is active but has been in existence for a longish time? That is just an email account. I have a couple of those. If they mean an abandoned account, how do you steal the login with a phishing site? Who logs in to an abandoned account on a phishing site if they no longer log in on the legitimate site?
And what constitutes a "fake" email account? One that uses an alias, like john1234?
This is simply speculation by some journalist with no clue.
We've reset your email password!
we've sent you an email with your new password!
For work + personal use I estimate that I have more than 50 passwords to remember, a lot of them which have to be changed frequently. Most systems also use their own specific set of rules for making a new valid password. This is of course utter madness!!
So, I have written my own encryption software to store all these in a file. The encryption uses rotating realtext and goes randomly up to a hundred levels deep. The strong master password (which is the only one to remember) is also encrypted randomly somewhere in the same file, but to a different random encryption level than the rest of the file.
Good luck to anyone trying to get anything out of that data. But this is the level of mad things we are having to go through to keep track of all those passwords!
Don't talk to me anout centrally stored ids like Open-id or similar, I trust these even less. Get this one hacked and they own all your stuff in one go.
Passwords today = epic FAIL.
@AOD - Password Generators
What a great idea! Then if someone gets your master password they don't just get one of your passwords, they get all of them, guaranteed.
Saves everyone lots of time and trouble.
Remembering different passwords
It's not that hard! Just create a little rule or algorithm for generating a password for a service, e.g. (just a random example) put the service name through ROT13 and add the ASCII code of its first letter (so when signing up for Yahoo, use LNUBB89). Then if you forget the password, you can deduce it again (but don't forget the rule!), while anyone cracking your password for one service most probably can't deduce the rule and break into others.
@ AC: 08:45
Actually, no, if your master password was somehow sniffed via a keylogger or something similar (remember it's only entered once per browsing session into the FF extension), this wouldn't divulge what options you'd configured regarding password length, whether to use l33t type mangling etc. Not forgetting that you can customise these on a per site basis.
Aside from that, if you have a keylogger or similar running then you have other security issues that you should be attending to.
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Trousers down for six of the best affordable Androids
- Chromecast video on UK, Euro TVs hertz so badly it makes us judder – but Google 'won't fix'