Feeds

back to article Dating site eHarmony plays data-breach me-too

Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker as that obtained the LinkedIn data. The company has responded with the usual “the security of our users” bromide here. It says all affected user passwords have …

COMMENTS

This topic is closed for new posts.
Anonymous Coward

Now that they have cracked the passwords what next?

It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?

1
0
Silver badge

It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?

There is the potential blackmail angle (as mentioned in the article)

But dating sites also have a *LOT* of personnal information about a person: Date of Birth, Place of Birth, Current Address, Credit Card information, children's details, general background information, pictures, etc. A gold mine if you want to steal someone's identity.

0
0
Anonymous Coward

Personal details...

But dating sites also have a *LOT* of personnal information about a person: Date of Birth, Place of Birth, Current Address, Credit Card information, children's details, general background information, pictures, etc. A gold mine if you want to steal someone's identity.

So....you just make them nearly correct rather an actually correct? OK, doing that for credit card info isn't normally possible. But for DOB, placed of birth and everything else it can be. I guess for a dating site - where you might want prospective matches to know that you live in town X rather than Y then you might put the more accurate details in free text.

I'll bet that if you scanned the date of birth field in many sites you'd find a disproportionate number of people born on Jan 1st.

0
0

To quote Hugh Laurie....

.....every one lies.

And on Dating websites every lies so much they almost inadvertently go all the way round to telling the truth.

0
0
Pirate

> Now that they have cracked the passwords what next?

If they did manage to gain access to the lusernames as well,

[1] try those credentials against every financial site until you get a hit

[2] profit!!!

Otherwise, if the passwords are unencrypted, add the entire password file to a dictionary, SHA-encrypt it, and look for matches against the SHA-encrypted LinkedIn passwords.

0
0
Silver badge

It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?

I tried eHarmony once, and I say good luck to them if they try to steal my prospective date. The only match they could find for me at the time was already my ex. It says a lot that they tried to make a match that had already failed as spectacularly as that one.

0
0
xyz
Bronze badge

Good, can someone bring that pit down?

I've never been near the place but the amount of (spoofed?) junk I get from them annoys the hell out of me. I've never been happy with a Christian Fundamentalist dating site anyway.(do a google)

2
0
Pint

Re: Good, can someone bring that pit down?

Right. The very people we don't want breeding.

0
0
Thumb Up

Good idea on the passphrases...

XKCD has a nice justification for what you're suggesting:

http://xkcd.com/936/

6
1

Use complex passwords for each website and then write them down with pen and paper and put them in your desk draw. I know some 'security' experts will say you should never write down your passwords, but in reality your much more likely to get your passwords stolen by trojans or leaked online than have a physical break in by someone who is going to steal your passwords. The sort of person who breaks into your house is more likely going to be there looking for quick cash by nicking games consoles, TVs, and laptops etc he can flog down the pub.

1
1
Silver badge

Pass phrases Vs Passwords

There's a discussion of passwords & pass phrases Here at Cambridge University's Computer Lab.

0
0
Bronze badge

Re: Pass phrases Vs Passwords

I maximised the randomness of using a passphrase (three words) by using three different languages and by adding numbers and symbols as padding. Someone here downvoted me. Says all that need be said about some people.

0
0
Thumb Down

Sheltered world you inhabit

There are an increasing number of sites that insist your password should include capitals AND numbers/symbols (but not all symbols are allowed). So long passphrases are not always possible.

Interestingly this place is I think the last place that I still use the portmanteau password i used to use pretty much everywhere. I have graduated to more intricate portmanteaus. They are all related but only to me.

0
0
Bronze badge

Re: Sheltered world you inhabit

My current serious passphrase consists of three words separated by one or more numbers or symbols. The three words are a phrase which makes sense to me... and are direct literal translations of that phrase from English into three different languages, two of which are not Indo-European languages. (I _did_ use one made-up language from a fictional universe. Good luck guessing which one.) And I periodically change the 'padding', the numbers and symbols. Yes, it's crackable, but not easily.

My non-serious password is a simple English word... with unusual capitals. I use it for places where I simply don't care if someone figures it out, such as El Reg. And I use throw-away email addresses for such places, too. The email address which I used to set up my El Reg commentard account is an address I use _only_ for commentarding. I don't _care_ if anyone works out what that account is; there is no identifiable data there, other than my name. My 'profile' is deliberately misleading, including the picture. (Hint: I didn't really attend Evil Empire University, Mos Eisley, Tatoonie.)

0
1
Megaphone

Password Advice

1) always write down your passwords in a book beside your computer

( Computer hackers cant read your paper notebooks)

2) Always make it easy to remember

Tiemekangaroodownsport ( nice)

3) tell everyone on-line what your password is, twitter is the best tool for that

4) on a serious note , if you are joining a dating site, are married and have a week password, you deserve to be caught

2
0
Coat

"and have a week password"

"7days"? "168hours"?...

6
0
Thumb Up

Re: "and have a week password"

10180m1nute5, 604800s3c0nd5. That last one is almost secure :)

0
0
Anonymous Coward

Errm

For your one requirement before using a password: "that the phrase is unknown to Google" .. surely you're risking your password by doing this? Putting it out there on the web in a way...

1
0
Anonymous Coward

Re: Errm

You're only telling uncle Google - they already know your DOB, address, inside leg measurements, sexual preferences and deviances anyway.

1
0
Thumb Up

Time to do *something*...

... about the username/password scheme. Take a look at this idea:

http://bitSplit-enterprises.com/CerebraLockDemo.html

0
0
Anonymous Coward

Sites should start doing some kind of two-factor using mobile

Google does it with a soft token app or an SMS i think. So no need for tokens. (In before hurr durr I don't have a mobile)

0
0
Facepalm

I have an un-crackable password

I always use numbers, letters and the other ones whose names I forget right now.

And I make them like 20 or 30 characters long. Where I can. It is surprising the amount of sites that won't let you use more than 14 characters or stop you from using the others ones whose names I still can't remember.

No one is cracking the strong ones of mine, unless they have a few thousand years and half the computers in the world hooked up. They could, however, take a screenshot, or god forbid, have a look in my desk at the big piece of paper that says 'PASSWORDS TO REMEMBER FOR IMPORTANT SITES'.

So I'm not complacent. No, sir. Not me.

I'll give you an example of one of my un-crackable ones -

******************************

Obviously I'm not so stupid as to give you the real password - that would just be moronic, but I'm sure you get the picture.

1
1
Bronze badge

Long or short doesn't matter

If it is the password hashes which have been compromised, it doesn't matter if the original password is a long phrase or a random mix of symbols. The attack works by finding a string which gives the same hash value as one in the file, the string doesn't need to be the same as the original, as millions of passwords hash to the same value.

0
0

About time too

Checking back through my logs, I found this in my spam folder, sent in June last year to a unique e-mail address used only for eHarmony. Odd that a 419 scammer should have ended up with it.

I'm sure there are other crooks out there to whom it would have been far more valuable.

From info <at> freelotto.co.uk Thu Jun 9 03:17:13 2011

X-Spam-Flag: YES

X-Spam-Score: 18.547

Received: from EXFE02.easyxchange.co.uk (ex01.easyxchange.co.uk [62.233.64.252]) by xxx (Postfix) with ESMTP id 112086608F for <UNIQUE Eharmony ADDRESS>; Thu, 9 Jun 2011 03:17:07 +0100 (BST)

Received: from User ([178.111.129.176]) by EXFE02.easyxchange.co.uk with Microsoft SMTPSVC(6.0.3790.1830); Thu, 9 Jun 2011 03:15:51 +0100

From: Free Lotto Company <info <at> freelotto.co.uk>

Subject: CLAIM YOUR 2011 AWARD OF 4MILLION GBP

Date: Thu, 9 Jun 2011 03:17:02 +0100

Congratulation,You have therefore been qualified for a lump sum payout of

4,000,000.00 (Four Million British Pounds) in cash In your favor, To

redeem your prize instantly,you are to contact your Lottery Agent

Mr.Williams Wilcox.

Email: sirwilliamwxdept@aol.co.uk

Tel:+447404586428

0
0
This topic is closed for new posts.