Geekzone: technology news, blogs, forums
1370 posts

Uber Geek

Subscriber

  # 2225129 25-Apr-2019 23:23

I just went through haveibeenpwned with my wife - who just read the Stuff article on a couple having their Nest cam hacked (Here: ). Their username and password were dumped in a data breach, then checked against many sites like FB, Twitter, Google, Nest, Spotify etc.

The article says that only 1% of people use different passwords on different sites.

At my wife's work they use Kaspersky password storage and it has been a PITA for them. She isn't techy (she's the anti-me when it comes to tech - and no cheeky comments from you young whippersnappers either...) so has trouble handling multiple passwords. Think of trying to get your Grandma to use KeePass or LastPass or ...

Anyway - I gave her some deliberately dodgy advice - and told her how and why it is dodgy. Because this dodgy advice is better than reusing passwords.

Choose a 6-8 char password - upper, lower, letter and char if possible. Not a word from the dictionary. That's your base password .. (yup - there's the dodgy bit right there). E.g. tTlsh1w (Twinkle twinkle ...)

For every site - take the first 4 chars of the site, e.g. facebook would be face

Put the first two letters in front of the base pass, the last two at the end of the base pass. Upper or lower case it if you want. fAtTlsh1wcE

This gives you a difficult-to-guess pass - that survives a password dump as it is unique for each site. By splitting the four letters it is not a word and not likely to be easily seen.

The chances of anyone manually aggregating passwords against a user's email address, across multiple data breaches, and then manually recognizing a pattern is fairly low. It's a numbers game and auto-picking the low fruit is the best way to get results.

Doing this dodgy thing is easy to teach - and scarily puts the user in the top 2% of all password users on the net.

Anywhoo - back to the story. Verification.io came up as having been breached and leaking one of my email addresses. It turns out they are owned by a company called datalitics.com. How those dorks got my email address I don't know as I never signed in - they are an advertising, mailing PITN spammer scum type company - not giving them anything any time. - so any password is void. But it does raise a question: how many times has my email address been added to insecure data banks and now gets checked as a login in data dumps, and mass checking of email addresses against sites? One of my addresses registered as hacked twice, on two sites I never went near.

I posted a contact to them - using the breached address - it's already in their systems - and wrote the following. Basically going to run them through the GDPR process - force them to cough up how I got in their systems then make them remove me - and report this to the EU. Hopefully making their life more difficult and making them think twice before skimming my or others' info again.

"Your site was breached and data hacked out of it. Part of that data contained my email address (given here). As I have nothing to do with your site I want to know why my email address was scraped and used in your databases.

I make this request pursuant to the European Union's privacy policies. Failure to provide information requested will result in a complaint made according to EU law - which can result in large fines."

nunz
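The site-derived password scheme from the post above, with the two caveats this thread raises about it (a site that caps passwords at eight characters, and the pattern being recognisable once two of the passwords leak), as an added Python example. This is not code from the post; the function names are made up here and the scheme is implemented exactly as the post's fAtTlsh1wcE example shows it.

```python
# Added example, not from the original post. Function names are invented here.


def site_password(base: str, site: str) -> str:
    """Build the per-site password as the post describes: first two letters
    of the site name in front, the next two at the end, with the second
    letter of each pair upper-cased (post's example: facebook -> fAtTlsh1wcE)."""
    def twist(pair: str) -> str:
        return pair[0].lower() + pair[1].upper()
    return twist(site[:2]) + base + twist(site[2:4])


def fits_length_limit(password: str, max_len: int = 8) -> bool:
    """freitasm's caveat: some sites still limit passwords to eight characters,
    and a 6-8 char base plus four site letters always exceeds that."""
    return len(password) <= max_len


def shared_base(pw_a: str, pw_b: str) -> str:
    """Longest common substring of two passwords. Two leaked passwords from
    this scheme share the whole base, which is the pattern-recognition risk
    the post acknowledges; a defender can use the same check to spot it."""
    best = ""
    for i in range(len(pw_a)):
        for j in range(len(pw_b)):
            k = 0
            while (i + k < len(pw_a) and j + k < len(pw_b)
                   and pw_a[i + k] == pw_b[j + k]):
                k += 1
            if k > len(best):
                best = pw_a[i:i + k]
    return best


if __name__ == "__main__":
    base = "tTlsh1w"                      # the post's "Twinkle twinkle" base
    fb = site_password(base, "facebook")
    tw = site_password(base, "twitter")
    print(fb, tw)                         # fAtTlsh1wcE tWtTlsh1wiT
    print(fits_length_limit(fb))          # False: 11 chars fails an 8-char cap
    print(shared_base(fb, tw))            # tTlsh1w: the base falls straight out
```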



BDFL - Memuneh
63871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2225183 26-Apr-2019 08:19

The problem with the dodgy advice is when you get to a site that limits to eight characters (yes, they exist, check the screenshot before).

Also, the GDPR claim will just be ignored if they figure out you are not an EU citizen...


1370 posts

Uber Geek

Subscriber

  # 2225374 26-Apr-2019 10:02

freitasm:

The problem with the dodgy advice is when you get to a site that limits to eight characters (yes, they exist, check the screenshot before).

Also, the GDPR claim will just be ignored if they figure out you are not an EU citizen...

And yet they threaten me with fines if I run a site. Seems they want their cake and to eat it too. Hmmm, what happened to the European queen who told the poor to eat cake?

I have an EU-based way to lodge a complaint. Part of an EU business.

nunz



BDFL - Memuneh
63871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2225381 26-Apr-2019 10:07

nunz:
freitasm:

Also, the GDPR claim will just be ignored if they figure out you are not an EU citizen...

And yet they threaten me with fines if I run a site. Seems they want their cake and to eat it too. Hmmm, what happened to the European queen who told the poor to eat cake?

I have an EU-based way to lodge a complaint. Part of an EU business.

You are only responsible if you use your website to market/offer services and goods to the EU - including having an EU-based TLD (reason why I just let my geekzone.co.uk domain lapse). But yes, they made it extremely unnecessarily complicated.


1370 posts

Uber Geek

Subscriber

  # 2225530 26-Apr-2019 13:40

freitasm:

nunz:
freitasm:

Also, the GDPR claim will just be ignored if they figure out you are not an EU citizen...

And yet they threaten me with fines if I run a site. Seems they want their cake and to eat it too. Hmmm, what happened to the European queen who told the poor to eat cake?

I have an EU-based way to lodge a complaint. Part of an EU business.

You are only responsible if you use your website to market/offer services and goods to the EU - including having an EU-based TLD (reason why I just let my geekzone.co.uk domain lapse). But yes, they made it extremely unnecessarily complicated.

My understanding is that if an EU person goes to my (NZ-based) website and does business - then I end up under the GDPR process. Ditto if I'm a European citizen living in NZ (as my wife is, for instance, being Welsh).

The email address is also used by my wife. Therefore GDPR should apply. If not, the business office in mainland Europe and the UK can be my EU link.

nunz

1370 posts

Uber Geek

Subscriber

  # 2225801 26-Apr-2019 20:45

sparkz25:

This is a good test of your password strength

https://howsecureismypassword.net/

And this is good to see if your password has been pwned

https://haveibeenpwned.com/Passwords

I use these a bit for clients to show them how crap their password is and how long it will take to crack their crappy password

howsecureismypassword - I had a weird experience. Looking up a password generator for Linux. Top link is

howsecureismypassword dot com

Has an article on secure passwords etc. Noticed lots of links to Dashlane. Hovered over them and they are all coded similar to: http://www.tkqlhce [dot] com/click-9015211-13120273

Clicking on those links goes to the actual Dashlane site, as certified with a green certificate.

Is Dashlane using some kind of hack or obfuscation to get traffic to its site? They are the clear beneficiary of the site and the redirects.

No - the PC is not virused. A clean install of Mint Linux, same result off a live-boot USB. Something weird with that site and Dashlane.

nunz



BDFL - Memuneh
63871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2226177 27-Apr-2019 10:58

@nunz The dashlane site is https://howsecureismypassword.net/ - you clicked something else - the .com is fake and just a site with affiliate links. They probably do some "arbitration" - as in realised they can put a cheap ad on Google and get more from when people land on their page and click the affiliate link to go to the actual Dashlane site from there.

2009 posts

Uber Geek

Subscriber

  # 2226587 28-Apr-2019 06:37

It is certain that size does matter! My wifi password/easily remembered phrase, with 22 characters, was going to take sqillions of years to crack!! Perhaps a trifle OTT.

1370 posts

Uber Geek

Subscriber

  # 2226700 28-Apr-2019 11:56

linw:

It is certain that size does matter! My wifi password/easily remembered phrase, with 22 characters, was going to take sqillions of years to crack!! Perhaps a trifle OTT.

I disagree. Complexity matters.

There are long phrases commonly checked for. E.g. cracking Christian sites, I'd check ForGodSoLovedTheWorld. 22 chars and commonly used.

Before WPA2 there were encryption types requiring 11 chars or 13 chars or other lengths. Common phrases, poetry, song lyrics, industry jargon, scripture were all common phrases and commonly broken. CPUs were 100k slower back then.

Anything under 7 chars is probably in a hash db, but so are the most common 3000-ish words used in English and combinations of 3 or 4 of those words.

E.g. HorseCatFunnyHuman is 18 chars but is in hash dbs.
However words less commonly used like onomatopoeia or Decatur aren't, as they are rarely used.

Complexity beats length.

Password1234 12 chars. Instant break
Qwerty123456 12 chars instant break
Qawsedrftgyh 12 chars instant break
Qwsaerfdtyhg 12 chars.. instant break.

All patterns on a keyboard; try typing them ... you will see what I mean.

Crackers know that folks in similar industries have similar passwords and password patterns.

Uppercase 8 chars and a number and/or symbol ... common pattern.

E.g. Shane2019! Much more easily hacked than
19sha!ne20 same chars and words etc. but different pattern.
Even sHane!2019 is less hackable... uncommon pattern.
2 or 4 numbers ... birth date or current years. Common.

Brute force is a really clever skill in the right hands involving psychology and clever maths. Keyboard patterns.. right versus left hand dominance, e.g.
Yjhikb all right hand, single hand on keyboard. How many passwords involve one hand holding shift while the other types ... mostly on one side of the keyboard?

Complexity is the most important thing. Hash dbs can beat lots of long passes.

nunz

Mad Scientist
20461 posts

Uber Geek

Trusted
Lifetime subscriber

  # 2226707 28-Apr-2019 12:11

Could I be informed of what a hash db is and what isn't? Thanks


Swype on iOS is detrimental to accurate typing. Apologies in advance.




BDFL - Memuneh
63871 posts

Uber Geek

Administrator
Trusted
Geekzone
Lifetime subscriber

  # 2226724 28-Apr-2019 12:30

Batman:

Could I be informed of what a hash db is and what isn't? Thanks

A Hash DB is a database of common passwords and their hash codes.

A Hash is a number calculated from a string - also called digest. There are Hash types that will always calculate unique numbers for different strings, and in some codes you can't determine which string was the original used for the calculation - which would then require a brute force attacker to go through all the string possibilities to find the equivalent hash.

In some cases, brute force attackers can test the calculated hash from their guess strings and once successful they are stored in a database - next time you see a hash code just check the database to see if it was already calculated.

From a systems side, that's why it is important for systems to store an encrypted version of a hash, perhaps add a random element to the string before it is hashed (called a "salt"). On the user side, a longer password may not be as secure because it's common and the hash has already been calculated. A mix of letters, numbers, special characters on a long password will be harder to guess.

However if you have a complex password but the system is not encrypting or adding a salt, then if that system is breached, the password will be worthless. That's why you never use the same password in more than one place.

Obviously there's a lot more than just that and it's complex. But this is just a quick overview.

For a quick play, go to https://www.fileformat.info/tool/hash.htm and use the String hash field. Enter "password" there. You will see the different hash methods and how that string is represented. Now search "5f4dcc3b5aa765d61d8327deb882cf99" and you will see that "password" in MD5 is common knowledge. People wouldn't even have to use much compute power to figure out that a password in a user database is that value, would they?

Now calculate something different but common using that page again and then enter the MD5 into this page https://hashkiller.co.uk/Cracker/MD5... See how fast it is?


1370 posts

Uber Geek

Subscriber

  # 2226745 28-Apr-2019 13:01

freitasm:

Batman:

Could I be informed of what a hash db is and what isn't? Thanks

A Hash DB is a database of common passwords and their hash codes.

A Hash is a number calculated from a string - also called digest. There are Hash types that will always calculate unique numbers for different strings, and in some codes you can't determine which string was the original used for the calculation - which would then require a brute force attacker to go through all the string possibilities to find the equivalent hash.

In some cases, brute force attackers can test the calculated hash from their guess strings and once successful they are stored in a database - next time you see a hash code just check the database to see if it was already calculated.

From a systems side, that's why it is important for systems to store an encrypted version of a hash, perhaps add a random element to the string before it is hashed (called a "salt"). On the user side, a longer password may not be as secure because it's common and the hash has already been calculated. A mix of letters, numbers, special characters on a long password will be harder to guess.

However if you have a complex password but the system is not encrypting or adding a salt, then if that system is breached, the password will be worthless. That's why you never use the same password in more than one place.

Obviously there's a lot more than just that and it's complex. But this is just a quick overview.

For a quick play, go to https://www.fileformat.info/tool/hash.htm and use the String hash field. Enter "password" there. You will see the different hash methods and how that string is represented. Now search "5f4dcc3b5aa765d61d8327deb882cf99" and you will see that "password" in MD5 is common knowledge. People wouldn't even have to use much compute power to figure out that a password in a user database is that value, would they?

Now calculate something different but common using that page again and then enter the MD5 into this page https://hashkiller.co.uk/Cracker/MD5... See how fast it is?

Adding to this excellent answer.

There are databases out there with petabytes of data of precalculated passwords using common hash algorithms.

The dbs have been made by taking common words, making common variations on them, e.g. cash Cash CASH cAsh c@sh ca$h and also cash2019 and cash19 and cash69 cash666 cash777 (you would be shocked how often 69 is used), then run through the common password hashing algorithms and stored.

Also scraped passwords.. if one human uses them others will too.

Patterns also appear, e.g. Christian sites john3:16 john10:10, so they are hashed too.

Crackers go for low-hanging fruit 99% of the time unless they are after a specific target. Avoid common patterns, keyboard patterns, add something different to the word than the common substitutions, choose less common words if you use them and if you can go random. Expanded chars including macrons, acutes, graves etc. all help.. in NZ don't use Māori. It's common to us. Choose Swahili or Pygmy or Tok Pisin if you want to use words.

SALTS are considered overrated by crackers. One salt to rule them all... means one crack opens them up.

Modern encryption methods involve algorithms that deliberately churn CPU power to slow brute force down.

In the end ... using the same pass in two places means that both sites are vulnerable to the least well protected site. Only as strong as the weakest link so don't reuse.
If I ran a site with a flawed encryption type .. and millions do... then giving me your pass advertises it to the world.

nunz
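The hash DB freitasm describes and the word-variant rules nunz lists above, as one added Python example (not code from either post): it precomputes MD5 for a constructed mini word list with those case, substitution and suffix variants, looks hashes up instantly, and shows why a random per-user salt with a deliberately slow KDF leaves nothing for such a table to hold. The word list, suffix set and function names are constructed for this example.

```python
import hashlib
import os

# Added example, not freitasm's or nunz's code. Word list, suffixes and
# function names are constructed for this illustration.
WORDS = ["password", "cash", "letmein"]
SUFFIXES = ["", "19", "69", "666", "777", "2019"]
LEET = str.maketrans({"a": "@", "s": "$"})


def md5_hex(text: str) -> str:
    """Unsalted MD5 hex digest, the kind of value a hash DB is keyed on."""
    return hashlib.md5(text.encode()).hexdigest()


def variants(word: str):
    """Case and substitution variants like cash Cash CASH cAsh c@sh ca$h,
    each combined with the common numeric suffixes from the post."""
    cases = {word.lower(), word.capitalize(), word.upper(),
             word[0].lower() + word[1].upper() + word[2:]}
    subs = set()
    for i, ch in enumerate(word):          # one substitution at a time
        if ch in "as":
            subs.add(word[:i] + ch.translate(LEET) + word[i + 1:])
    for stem in cases | subs:
        for suffix in SUFFIXES:
            yield stem + suffix


def build_hash_db(words):
    """Precompute every variant once: md5 hex -> plaintext."""
    return {md5_hex(v): v for w in words for v in variants(w)}


HASH_DB = build_hash_db(WORDS)


def lookup(md5_hex_value: str):
    """Instant lookup with no hashing at all: the point of a hash DB."""
    return HASH_DB.get(md5_hex_value)


def salted_hash(password: str, salt: bytes, rounds: int = 200_000) -> bytes:
    """Random per-user salt plus deliberately slow PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


def salt_defeats_table(password: str) -> bool:
    """Same password for two users, two salts: the stored values differ, so
    no table built in advance can contain them and every guess costs a KDF."""
    first = salted_hash(password, os.urandom(16))
    second = salted_hash(password, os.urandom(16))
    return first != second


if __name__ == "__main__":
    print(lookup("5f4dcc3b5aa765d61d8327deb882cf99"))  # password
    print(lookup(md5_hex("c@sh2019")))                   # c@sh2019
    print(lookup(md5_hex("onomatopoeia")))               # None: not in the table
    print(salt_defeats_table("c@sh2019"))                # True
```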

482 posts

Ultimate Geek


  # 2227630 29-Apr-2019 21:14

OK, so being prompted by this thread and taking the advice of others I'm now well on my way to better online security.

Here's my learning from this experience.

  • Lastpass - Two thumbs up, thanks for the tip from the GZ community. I'm sure other password managers are great but I'm happy with this and I even have the wife using it now.
  • Online accounts - Bloody hell, you quickly lose track of just how many you have. I have about 35 in my vault now and I reckon I'm only 1/3 of the way through them. Everything from the obvious (forums, Facebook etc...) to the less obvious (obscure retailers that you bought 1 item from last year) to all of your utility accounts. They add up quick!!
  • Cancelling accounts - Online retailers make it annoyingly difficult for you to cancel an account you no longer want. I decided as I was updating all my passwords I would cancel as many obsolete accounts as possible that I didn't use anymore to reduce my online footprint. They don't make it easy.
  • Updating passwords - Some websites also don't make it easy to update passwords. For two accounts, for the life of me, I could not find any way to change my password. In the end I logged out and clicked the forgot password link as there was no other easy way to do it.
  • 2FA - I've enabled it for as many services as provide it. I'll look into Authy later once I get everything into LastPass.

That's it for now. Quite a bit of work to get set up but I'm already feeling much better that I'm now more secure.

Thanks GZ for the poke in the ribs to do something about it.


93 posts

Master Geek


  # 2240351 18-May-2019 09:35

I use Apple Keychain now to manage my passwords. I used to use the same 3 passwords for everything except my email, which I would change every 72 days. Now I've been going through the process of changing all my passwords and allowing Keychain to suggest the new complex password. Hoping to have 100% unique passwords for all sites but annoyingly a lot of websites won't accept the Keychain-generated passwords.

4839 posts

Uber Geek

Trusted

  # 2240361 18-May-2019 09:55

I'm no expert on passwords and on some of the sites I've joined, I've used pretty weak passwords.

If you're going to use a remembered phrase as a password, maybe making up a nonsense phrase like this would be a good idea: "BigWheelsAndIntercomsMakeDave79000IntoBetterTeacher"
