Hacker attacks are coming in...
-
Quoth Mytical:
No password is hacker proof. You can make the most complicated one, heck even somehow use Egyptian Hieroglyphics, and if somebody gets a keylogger on your computer..oops. However to make it more effective here are some simple rules.
1) Use passwords that nobody would associate with you. Things that have nothing to do with you in any aspect. No, not something you hate (this would still be associated with you), but things that don't even have six degrees of separation.
2) Use alphanumeric, with special characters. 10 is good, 15 is better. Random upper and lower case for the letter part of it is even better.
3) Make it something that you remember, but keep rule number 1 in mind.
4) Do not write it down, anywhere. Bad idea. (Especially not right next to the computer ).
5) Change it frequently. Even slight changes can help, but complete changes (ie none of the letters, numbers, or symbols of the old one used in the new one) are better.
6) Don't use the same one for multiple places. If somehow somebody gets a hold of one, you don't want them to get access to EVERYTHING.
The large print giveth, and the small print taketh away.
-
Heh, it is not easy. As for sites that have certain limits, use the maximum of their limits. I.e. if it is 9 characters alpha/numeric only, then use ALL 9. Of course if they won't let you use special characters, you will have to not use them.
Edit: Also, for things that contain nothing too much (say forums, etc.), using the same password wouldn't be too bad. As long as you don't fill out your profile with name, address, etc. etc.
Engaged to the amazing Marmalady. She is my Silver Dragon, shining as bright as the sun. I her Black Dragon (though good honestly), dark as night..fierce and strong.
-
Quoth Taboo:
The Deviantart one was through something secondary that works through Deviantart, I believe, and did not affect most users - but it's always a good idea to change your passwords every so often anyway, not only for security but also for your own peace of mind. =)
-
Quoth blas:
What does spoofing mean?
For example, my gmail sends out mail that says it's from another provider's address entirely. Of course, I own that second email address, but I wouldn't have to to still send out mail claiming to be from there.
The best way to determine if your account was hacked vs spoofed is to check your mail sent folder. If there is mail there that you didn't send, then you were hacked. If not, then it's likely the spammers spoofed your email address and you're just getting bounces from bad addresses.
However, since you mention that it's people on your contact list that got the messages, that points to it likely being a hack.
Quoth Mytical:
5) Change it frequently. Even slight changes can help, but complete changes (ie none of the letters, numbers, or symbols of the old one used in the new one) are better.
If you have a strong password, then I don't think there's a lot of reason to change it unless you believe it's been compromised.
^-.-^Faith is about what you do. It's about aspiring to be better and nobler and kinder than you are. It's about making sacrifices for the good of others. - Dresden
-
I keep a GPG-encrypted text file on a network drive that has my passwords in it, in case I forget any of them. Something like that is probably a bit too much work for somebody who's not technically inclined, but it's pretty quick and easy if you are.
One way of making complex but easy-to-remember passwords is to use a simple form of two-factor authentication where you create a complex password, write it down, and keep it somewhere convenient (in your wallet, maybe), then create simpler passwords for different situations and combine them.
For example, let's say my complex password is "2_5eSuS+". That's kind of hard to remember, so I'll keep it written down and on me. Then I'll decide my password for Amazon.com is "b@con" and my password for customerssuck.com is "w4lm4rt", and both of those only stay in my head. My actual password for logging in to Amazon.com will be "2_5eSuS+b@con", which is practically uncrackable, and my password for customerssuck.com is "2_5eSuS+w4lm4rt". Even if somebody gets ahold of my written password, there's still no way they'll be able to guess the "b@con" on the end of that.
Of course, that doesn't work so well for sites that don't let you use special characters, or enforce a maximum length on passwords... but web masters who do that really need a good talking-to about security.
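An added illustration of the written-base-plus-memorised-secret scheme described above (this is not the poster's code): it measures the brute-force entropy of the combined password and of the memorised part on its own, which is all that stays secret once the written-down base is found, and it also reproduces the 2^36 keyspace figure quoted later in the thread. The four character pools, the 26-symbol special set and the guess rate are assumptions made for the example.

```python
import math
import string

# Character pools a site might allow; the SPECIAL set is a constructed 26-symbol list.
POOLS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()_+-=[]{};:,.<>?/",
}


def pool_size(password: str) -> int:
    """Alphabet an attacker must search: the union of every pool the password
    actually draws from. Drawing from more pools is what buys entropy per character."""
    size = sum(len(chars) for chars in POOLS.values()
               if any(c in chars for c in password))
    if size == 0:
        raise ValueError("no characters from a known pool")
    return size


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits, assuming each character is chosen uniformly
    from pool_size() characters (an upper bound for a human-chosen password)."""
    return len(password) * math.log2(pool_size(password))


def keyspace(bits: float) -> int:
    """Number of candidates an exhaustive search must try for `bits` of entropy."""
    return int(round(2 ** bits))


def days_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock days to try every candidate at a constructed guess rate."""
    return keyspace(bits) / guesses_per_second / 86400


def split_scheme(base: str, secret: str) -> dict:
    """Entropy of the combined password, and what is left if the written base leaks."""
    return {
        "combined_bits": entropy_bits(base + secret),
        "secret_only_bits": entropy_bits(secret),
    }


if __name__ == "__main__":
    report = split_scheme("2_5eSuS+", "b@con")  # the values used in the post above
    print(f"combined: {report['combined_bits']:.1f} bits")
    print(f"memorised part alone: {report['secret_only_bits']:.1f} bits")
    print(f"36-bit keyspace: {keyspace(36):,} candidates")
```

The memorised suffix alone comes to roughly 28.5 bits, so the scheme's strength against someone holding the written base is the strength of that short suffix, not of the whole string.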
-
Quoth Andara Bledin:
Basically, the return address on an email doesn't have to be the actual address of the sender.
Quoth Andara Bledin:
For example, my gmail sends out mail that says it's from another provider's address entirely. Of course, I own that second email address, but I wouldn't have to to still send out mail claiming to be from there.
In addition, if example.com uses SPF records or DomainKeys (and does not state that gmail is allowed to send email from that domain), and the receiving server uses that information, then the email will be rejected.
Antispam measures can make life difficult when using the setup that you have described. So far, it sounds like you have not yet been hit. Here's hoping it stays that way.
Quoth Andara Bledin:
The best way to determine if your account was hacked vs spoofed is to check your mail sent folder. If there is mail there that you didn't send, then you were hacked. If not, then it's likely the spammers spoofed your email address and you're just getting bounces from bad addresses.
As for how the email got through the ISP's firewalls, many providers now use variations on SMTP Auth to determine who is allowed to send email using their servers. SMTP Auth can be configured to restrict to a range of IP addresses, require a successful login before sending, and other options. Reading sufficient information from the email client on the machine would allow a malicious program to send email using her ISP without ever writing a single thing in her sent mail folders.
Also, since her account is actually on another server, the only way to tell definitively if the account was hacked is to contact the maintainers of the server (likely the ISP), and ask them to review all accesses to the account, both sending and receiving. They can validate that the incoming data came from the correct computer, at least.
Quoth Andara Bledin:
However, since you mention that it's people on your contact list that got the messages, that points to it likely being a hack.
Quoth Andara Bledin:
I have yet to hear a convincing argument that this is a useful thing to do.
If you extend your password out to 20 characters, this only takes you up to 36 bits of entropy, or about 68,719,476,736 possible passwords. This is crackable in under a week using a quad core computer and well made code.
Convincing enough yet?
Quoth Andara Bledin:
If you have a strong password, then I don't think there's not a lot of reason to change it unless you believe it's been compromised.
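An added example (not from anyone in this thread) of the SPF check mentioned above: a receiving server evaluates the domain's published record against the IP that delivered the mail, and a From address that claims example.com while arriving from a server the record does not list ends in "fail". The record, the IP addresses and the assumption that only ip4/ip6/all mechanisms are evaluated (include, a and mx need live DNS lookups and are deliberately left out) are all constructed for this example.

```python
import ipaddress

# Constructed policy example.com might publish: only these networks may send for it.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record: str, sender_ip: str) -> str:
    """Evaluate an SPF record for the connecting IP and return the SPF result
    ('pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror')."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # no usable SPF policy published
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism with no explicit qualifier means "pass"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]  # catch-all, usually -all or ~all
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the published record
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue
        # include:, a, mx, exists, ... need DNS queries, which this example omits.
        raise NotImplementedError(f"mechanism {name!r} needs a DNS lookup")
    return "neutral"  # nothing matched and no 'all' term present


def should_reject(result: str) -> bool:
    """Policy a strict receiver might apply: hard-fail means the message is refused."""
    return result == "fail"


if __name__ == "__main__":
    # Constructed scenario: mail claiming to be from example.com but relayed by
    # a third-party provider at 198.51.100.7, which the record does not allow.
    for ip in ("192.0.2.10", "198.51.100.7"):
        result = spf_check(EXAMPLE_SPF, ip)
        print(f"{ip}: {result}, reject={should_reject(result)}")
```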