

  (Source: icanhascheezburger)
Facebook, Gmail, and Twitter pages defaced as mob mentality rules

Today everyone's favorite (or least favorite, perhaps) cyberbandits, LulzSec, leaked 62,000 people's email addresses and passwords.

The listing, which can be found here in text file form, contains many different usernames and passwords.  A few notes: the passwords all appear to be 15 characters or fewer and contain no capital letters (the last entry seems to be a fluke).

This could simply be a coincidence that speaks to people's password tendencies these days, or it could be a sign that LulzSec used brute force attacks to crack these passwords.

Using an SSD-driven rainbow tables approach, a 14-character hashed password can be cracked in about 5 seconds; cracking 62,000 passwords would take approximately three and a half days, at most (probably less if you exclude capitals).  Of course, that's for Windows passwords, which use MD4 hashing.  More secure sites likely use MD5 or SHA-1, together with salting and a high iteration count -- of course, there are plenty of sites that are probably using MD4 with no salting or -- as the Sony hacks showed -- storing passwords as cleartext in web-accessible databases.
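The difference between the weak storage the paragraph describes (a single fast, unsalted hash that a precomputed table breaks instantly) and salted, iterated hashing is easy to show in code. The following Python is an added example, not code from the article or from any site it mentions; the account names, passwords and the tiny lookup table are constructed, and PBKDF2-HMAC-SHA256 at 100,000 iterations is one reasonable choice of iterated scheme rather than one the article names.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: two accounts that happen to share the same weak password.
SAMPLE_USERS = {
    "alice@example.invalid": "sunshine1",
    "bob@example.invalid": "sunshine1",
}

# Constructed stand-in for a precomputed (rainbow-style) table: hash -> password.
# A real table holds billions of entries; three are enough to show the mechanism.
COMMON_PASSWORDS = ["password", "123456", "sunshine1"]


def unsalted_md5(password: str) -> str:
    """The weak scheme the article warns about: one fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 100_000) -> Tuple[bytes, bytes, int]:
    """Salted, iterated hashing (PBKDF2-HMAC-SHA256). A fresh random salt per
    user means identical passwords hash differently, so a precomputed table is
    useless; the iteration count makes every guess cost ~100k hash operations."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_pbkdf2(password: str, salt: bytes, expected: bytes, iterations: int) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def table_lookup(stored: dict, table: dict) -> dict:
    """Crack unsalted hashes by lookup: user -> recovered password or None."""
    return {user: table.get(h) for user, h in stored.items()}


def analyse() -> dict:
    """Run both schemes over the sample users and report what each reveals."""
    unsalted = {u: unsalted_md5(p) for u, p in SAMPLE_USERS.items()}
    table = {unsalted_md5(p): p for p in COMMON_PASSWORDS}
    salted = {u: salted_pbkdf2(p) for u, p in SAMPLE_USERS.items()}
    a_salt, a_digest, a_iter = salted["alice@example.invalid"]
    return {
        # identical passwords -> identical MD5, so one table entry breaks both
        "unsalted_identical": unsalted["alice@example.invalid"] == unsalted["bob@example.invalid"],
        "cracked_by_table": table_lookup(unsalted, table),
        # per-user salt -> different digests for the same password
        "salted_identical": salted["alice@example.invalid"][1] == salted["bob@example.invalid"][1],
        "verify_ok": verify_pbkdf2("sunshine1", a_salt, a_digest, a_iter),
        "verify_bad": verify_pbkdf2("sunshine2", a_salt, a_digest, a_iter),
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

The point to take from running it: the unsalted column shows both users with the same digest and both recovered by a three-entry table, while the salted column shows different digests for the same password and a lookup that has nothing to match against.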

Many users whose email addresses were leaked subsequently had their Twitter or Facebook accounts illegitimately accessed and defaced [source].  It appears that the internet equivalent of a mob is behind these attacks: thousands of individuals have downloaded the file containing the passwords and begun trying to access people's accounts.
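From a site operator's side, the mob activity described above (many parties trying a leaked list of credentials against accounts) leaves a recognisable pattern in authentication logs: single sources cycling through many accounts, and single accounts being tried from many sources. The following Python detector is an added example, not something from the article; the log format, addresses and account names are constructed, and the thresholds are illustrative.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication log (not real data). One line per attempt:
# <timestamp> <account> <source-address> <FAIL|OK>
SAMPLE_LOG = """\
2011-06-16T10:00:01 alice@example.invalid 203.0.113.5 FAIL
2011-06-16T10:00:02 bob@example.invalid 203.0.113.5 FAIL
2011-06-16T10:00:03 carol@example.invalid 203.0.113.5 OK
2011-06-16T10:00:04 dave@example.invalid 203.0.113.5 FAIL
2011-06-16T10:01:00 alice@example.invalid 198.51.100.7 FAIL
2011-06-16T10:01:30 alice@example.invalid 192.0.2.9 OK
2011-06-16T10:02:00 alice@example.invalid 192.0.2.10 FAIL
2011-06-16T10:05:00 eve@example.invalid 198.51.100.20 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

Event = Tuple[str, str, str, str]  # (timestamp, account, source, result)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groups())  # type: ignore[arg-type]
    return events


def flag_sources(events: List[Event], min_accounts: int = 3) -> Dict[str, List[str]]:
    """Sources that try many distinct accounts: one party working down a leaked list.
    Successes are counted too, since a leaked password often works first time."""
    accounts_by_source = defaultdict(set)
    for _, account, source, _ in events:
        accounts_by_source[source].add(account)
    return {s: sorted(a) for s, a in accounts_by_source.items() if len(a) >= min_accounts}


def flag_accounts(events: List[Event], min_sources: int = 3) -> Dict[str, List[str]]:
    """Accounts tried from many distinct sources: one leaked credential being tried by a crowd."""
    sources_by_account = defaultdict(set)
    for _, account, source, _ in events:
        sources_by_account[account].add(source)
    return {a: sorted(s) for a, s in sources_by_account.items() if len(s) >= min_sources}


def likely_compromised(events: List[Event], min_accounts: int = 3,
                       min_sources: int = 3) -> List[str]:
    """Accounts with a successful login that belongs to either pattern above:
    candidates for a forced password reset and session revocation."""
    bad_sources = flag_sources(events, min_accounts)
    bad_accounts = flag_accounts(events, min_sources)
    hits = set()
    for _, account, source, result in events:
        if result == "OK" and (source in bad_sources or account in bad_accounts):
            hits.add(account)
    return sorted(hits)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("noisy sources:", flag_sources(evs))
    print("targeted accounts:", flag_accounts(evs))
    print("likely compromised:", likely_compromised(evs))
```

On the sample, 203.0.113.5 is flagged for touching four accounts, alice's account is flagged for being tried from four sources, and the two successful logins that fall inside those patterns (carol via the noisy source, alice from a crowd-targeted account) are the ones to act on; eve's ordinary login is left alone. In production the same counts would be taken over a sliding time window rather than the whole log.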

The Next Web has been promoting a tool to find if you've been hacked, stating, "We've promised we won't say who built it, but can absolutely 100% assure it wasn't LulzSec and there's no email harvesting going on."

That said, the widget -- originally hosted here -- is the work of an unknown developer, so entrusting it with your emails might not be wise.

As always, you can maintain your safety online by:

  1. Using one-time-use accounts for your various online registrations (so that one compromised account cannot be used to compromise others).
  2. Using passphrases with numbers, capital letters, and preferably ASCII symbols.
  3. Making sure your passwords are over 20 characters long.
  4. Not reusing passwords.
  5. Not sharing passwords with anyone.

While the above may seem difficult, it will, for the most part, keep you safe from cybercrime online.

Comments

RE: Password recommendations
By croc on 6/16/2011 8:57:11 PM , Rating: 5
Th1s_1s_My_b@nk_@cct_p255wd_for_jun_20ii...

40 characters, uc & lc, odd characters (_ @) etc. Easy to remember, hard to brute force, and only valid for a month... Now, find a bank that will let you use that password. Many have a much shorter string policy, or don't allow the use of _-+=~`!@#$%^&*() characters or all of the above. It is not the public's fault, in some cases, that they have a 'weak' password, it is the password policy of that institution.


RE: Password recommendations
By Darkefire on 6/16/2011 10:52:12 PM , Rating: 2
That is exactly what my bank does, which forces me to use a much weaker password than I would normally have. Fortunately they've got a few additional security checks in place if a computer tries to access my account from a previously unused location, but I'd still prefer to be able to use symbols again.


RE: Password recommendations
By probedb on 6/17/2011 2:58:54 AM , Rating: 4
Yep and try somewhere like amazon which only allows 8 characters and no symbols!!

You try and have secure passwords and companies don't let you for no reason whatsoever.


RE: Password recommendations
By quiksilvr on 6/17/2011 8:59:56 AM , Rating: 2
? My amazon password is 9 characters and I changed it recently.


RE: Password recommendations
By jabber on 6/17/2011 10:15:46 AM , Rating: 3
Using 20 characters for Amazon currently.

In fact going round upgrading all my important passwords today.


RE: Password recommendations
By wrekd on 6/17/2011 10:15:17 AM , Rating: 2
They probably don't want too many phone calls from the old fogies that forget...well everything. Even the password reset option can be difficult for them.


RE: Password recommendations
By The Raven on 6/17/2011 11:32:15 AM , Rating: 3
I think you are incorrect about Amazon, but last I checked AMEX limited you to 8 as well. Freaking AMEX!


RE: Password recommendations
By MozeeToby on 6/17/2011 12:47:05 PM , Rating: 2
The problem is that you're still a key-logger away from having your banking information stolen. 'Something you know and something you have' is the way to go for anything finance related. Find a bank that will give you a SecureID token or a one time pad (apparently these are quite common in Europe but almost unheard of in the US).


RE: Password recommendations
By CZroe on 6/17/2011 1:01:30 PM , Rating: 2
Good luck typing something like that into a touch-screen smartphone banking app while in line and needing to know some account/balance details. Most have two different pages for symbols and you have to switch between three different keyboards for each character!


Copyright 2014 DailyTech LLC.