Password breach discussion.


Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Password breach discussion.

Unread post by Moonchild » 2018-01-05, 14:56

John, please stop picking fights. Final warning.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

John connor

Re: Password breach discussion.

Unread post by John connor » 2018-01-05, 15:43

NVM. Not worth my time. The forum fog is thick and how one comes across can be obscured.
Last edited by John connor on 2018-01-05, 15:51, edited 1 time in total.

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Password breach discussion.

Unread post by TwoTankAmin » 2018-01-05, 16:46

I have basically used the same password on any non-important sites for years with no issues. But on sites that matter, ones with financial importance etc., I use long junk pwords that I write down offline to remember. I do not really care if my account here, or on any of the few other non-essential sites where I am actually registered as a member, is hacked. What I do care about is bank accounts, brokerage accounts and places like Ebay where I spend money.

As a non-tech savvy person, it seems to me that I have a static IP addy unless I turn off my router and disconnect from the net for some time, then I might get a new one assigned. So if somebody did obtain my password and did try to post something say to get me banned, I assume I could at least defend that because the IP# I always use would not be the one used by whomever stole my information. Anybody who knows me from this site knows how little I know about how things digital work.

I have been doing online financial transactions going back to the days of direct dialing into each site's system. I have had zero issues in that time which could be traced back to my system security. What I have experienced is both Target and Home Depot being hacked and causing my CC company to issue me new cards as a result. This past year was the first time since I got my first CC in the early 1970s that I disputed a charge as being fraudulent. I was vindicated and received a new account number very rapidly.

The thing is, the sites where I am using the same screen name and password are unessential. I believe I can count the sites where I am using this common user ID and pword on my fingers. The same applies to sites where I use a different, more convoluted screen name and more secure pword. Each of those sites has its own pword. My idea of dual forms of identification is to consider one's screen name as something that can be made as complex as a pword except for the use of capitals. How easy is it to determine a screen name that is almost as complex as a pword and then to have a 16 character pword on top of that?

It is simple, hackers can crack most any hardware or software out there today, just give them enough time. But I wonder how fast one can crack two 12-16 digit nonsense strings in order to gain access. If I am lazy and do not have my reading glasses on and mistype my info a few times trying to log on someplace, I get a warning that my account will be locked after one or two more tries. Good luck getting around that by trying to guess both my username and my pword. On my main account which has the most value, my greatest security is not software or hardware related, it is my broker. He knows me and my habits. So earlier this year when I submitted an online request to transfer funds from that account to my bank account which was 4-5 times larger than I normally move, my phone rang a few minutes later; he was calling to confirm I had actually made that transfer.

What hackers count on is folks being lazy and believing they have nothing to worry about. So most folks behave stupidly, virtually throwing out the welcome mat by how they deal with this sort of stuff. I do not, nor have I ever, stored any passwords on any device. I store no cookies, including super cookies. I know that technology is not and never will be secure, so it is up to me to behave in ways which make it more difficult, not easier, for somebody to get access to things I do not wish them to have. This is why I cannot now and will never use Windows 10. It is spyware no matter what explanation they offer for why they are doing it. Nor will I willingly bug my home by using a digital assistant. Finally, I have little use for the cloud.

As with anything I write here, this is just this person's opinion.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

John connor

Re: Password breach discussion.

Unread post by John connor » 2018-01-06, 02:46

I fed this website https://verify.4iq.com/ a bunch of E-mail addresses this morning and I haven't gotten anything back.

dark_moon

Re: Password breach discussion.

Unread post by dark_moon » 2018-01-06, 11:43

You shouldn't use such sites.

John connor

Re: Password breach discussion.

Unread post by John connor » 2018-01-06, 12:19

dark_moon wrote:You shouldn't use such sites.

It was mentioned here: viewtopic.php?f=17&t=17917

Perhaps my privacy addons messed up the input form for the E-mail. I'll try Chrome with one E-mail address and see what happens.

Edit- Ah, and here's what I get:

This email account is already in our verification queue.

If you did not receive the verification email, it will be sent to you soon.

Please check your inbox or spam folders. Sometimes mail is automatically filtered and easily missed.
Last edited by John connor on 2018-01-06, 12:21, edited 2 times in total.

JSB2000

Re: Password breach discussion.

Unread post by JSB2000 » 2018-01-06, 17:05

TwoTankAmin wrote:What hackers count on is folks being lazy and believing they have nothing to worry about.
True. And they also count on overconfident folks who believe that because something is "inconsequential," the need to protect it is less important than something they deem to be "more important."

Or, to put it simply, "So what if they manage to hack that forum account. Big deal. My brokerage accounts are uber-protected. What could they do?"

That last part is the key. "What could they do?" Chances are, plenty. Because social engineering is the key to hacking. Read any of Kevin Mitnick's books. I'd recommend "The Art of Deception" followed by "The Art of Intrusion." But either one will do. Afterwards, reread your post and ask yourself: Do you feel the same way? Where are the vulnerabilities in it? If someone with Kevin Mitnick's mindset targeted you, how would they go about it?

Personally, after reading Mr. Mitnick's books, I couldn't look at security the same way ever again, either computer related or "real world." Whenever someone states some variation of "It's no big deal. So what if someone manages to hack that? It's trivial/non-important. What's the worst that can happen?", the hair on the back of my neck stands straight up.

And why I'm changing my password on here right after posting this.

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Password breach discussion.

Unread post by TwoTankAmin » 2018-01-06, 19:37

I skimmed The Art of Intrusion. When I got done I actually felt more safe than before I read it. I could find almost nothing that applied to my situation.

I am retired. I am not in prison. I am not in control of anybody else's assets/money. I am almost impossible to scam, especially online. I never assume anything is safe, I assume the opposite to be true. I own and use only one device to be online. I have never used wireless for this purpose.

So please tell me, what real harm can be done to me were I to reveal my password for this site for all to see? The only potential risk I have from being a member here is that I do donate to support the browser. So people like Moonchild, and those to whom he gives access, know my real name and that I use PayPal. Neither of those two bits of information are secret. I have used PayPal since 2002 without a single issue. I must be lucky. I have banked online since the days of direct dial in the 90s without a single issue. I must be pretty lucky. I have done a fair amount of brokerage related things online since the early 1990s without issues. I must be very, very lucky. I best not go out in a thunder storm as I probably have so little luck left I would get hit by lightning :lol:

None of this means I am safe five minutes from now. What it does show is I do know how to be pretty careful about what I do online and that it seems to lower the odds that I am an actual specific target or even a random one.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Password breach discussion.

Unread post by Moonchild » 2018-01-07, 07:26

TwoTankAmin: there is another side to this story, too. That is the side of the website operators and fellow community members, conveniently forgotten in your rather selfish analysis of this...

What do you think would happen if you were to publicly post your password to your account here? Most likely scenario: your account will be logged into by someone running a spambot - this will likely result in a flood of posts and private messages, e-mails being sent out from the forum with spam contents, before one of our few staff members can react to kill the account. This in turn will cause a big support headache for our staff, may get our mail server blacklisted preventing delivery of all palemoon.org outbound mail, and more very unpleasant things that nobody wants to deal with or try to rectify.

It's not just about you, it's about all of us.

Changing your password is a good measure to keep not just you, but all of us on the more pleasant side of the internet.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

JSB2000

Re: Password breach discussion.

Unread post by JSB2000 » 2018-01-07, 15:19

TwoTankAmin wrote:I skimmed The Art of Intrusion. I could find almost nothing that applied to my situation.
Moonchild wrote: It's not just about you, it's about all of us.
What Moonchild stated is EXACTLY what you missed when you skimmed the book. In most cases, Mitnick wasn't interested in hacking you for what YOU have. He was using you as a step in the ladder towards gaining a bigger prize. Attacking the weakest link in a bigger chain, per se.

The question isn't "can I be hacked." It's "if someone gains access to something I feel is inconsequential, how can that be used to cause damage, gain credibility with someone else in your name, gain access to something more important, etc." The strength of your security inevitably affects other people's security.

Kudos on the steps you've taken thus far: You do seem to be ahead of the game in many ways. But one of Mitnick's most common attack vectors was with vigilant people who let that vigilance slip due to overconfidence. Just saying.

John connor

Re: Password breach discussion.

Unread post by John connor » 2018-01-07, 17:17

Off-topic:
From my years of reading about hacks and reading about them as they come out today, I can say that no matter what you do, there will always be a vulnerability in one facet or another. And it seems there are more vulnerabilities now than ever. The only way to stay ahead of the game is to know how they do it, and take preventive measures to counter it. The phrase 'know your enemy' goes a long way, and being overly paranoid is a good thing. I get a lot of flak at another forum for being too "paranoid," but I bet I won't be the one crying foul that my crap was hacked, etc. One example of where they called me an idiot (hard to believe really) was when I said that I store the external HDDs I clone my systems to in a couple of fireproof safes and that I store my keepass database in an encrypted SFX archive on DVD/RW kept in a fireproof safe. In fact, my website is backed up to DVD/RW. They told me I had bigger things to worry about. How stupid can you get?! For one, if my house burns down, I still have my data, and two, I don't have to go through the long tedious process of resetting account passwords. Not only that, but in keepass, I store backup codes since I have 2FAed everything I could, up to and including Cloudflare and my domain registrar. I'd hate to lose that info. Then I use Amazon S3 to offload attachments and I have that 2FAed twice. Granted there are weaknesses like everything else in 2FA, but it does add an extra layer of security and that's my modus operandi, i.e. layers. I've done the same thing for my website to the best I could: layers.

Like in the physical world, the front door is always where the devil tries to enter and is where crime takes place (don't trust people that look like cops and knock at the door unless you can verify). Trust no one.

If you have an exposed IP not sitting behind a reverse proxy and you have just one tiny little server vulnerability, one could pry it open. That's how the NSA operates.
Last edited by John connor on 2018-01-07, 17:19, edited 1 time in total.

Maarten

Re: Password breach discussion.

Unread post by Maarten » 2018-01-08, 19:35

John connor wrote:
dark_moon wrote:You shouldn't use such sites.

It was mentioned here: viewtopic.php?f=17&t=17917

Perhaps my privacy addons messed up the input form for the E-mail. I'll try Chrome with one E-mail address and see what happens.

Edit- Ah, and here's what I get:

This email account is already in our verification queue.

If you did not receive the verification email, it will be sent to you soon.

Please check your inbox or spam folders. Sometimes mail is automatically filtered and easily missed.
Has anyone gotten a response? Have the administrators tried this before posting the link? To me it looks like a honeypot. I've entered my mail address too, two days ago. No response yet. It can not take two days to check if an email address is in a list, not even a list of a few million.

Moonchild
Pale Moon guru
Posts: 35473
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Password breach discussion.

Unread post by Moonchild » 2018-01-08, 19:59

I've received a response today; it's just really slow to get processed.
My low-priority e-mail had one hit and it was a real password that *had* been used once upon a time (they mask most of the password, but left enough to be recognizable). The other e-mail I used had zero hits.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

Isengrim
Board Warrior
Posts: 1325
Joined: 2015-09-08, 22:54
Location: 127.0.0.1

Re: Password breach discussion.

Unread post by Isengrim » 2018-01-08, 20:25

I also just got responses for all three of the emails I submitted, within a minute of each other. I would guess that they have some kind of intentional delay to prevent spam. None of my emails got hit, but somehow that doesn't leave me feeling very reassured.
Last edited by Isengrim on 2018-01-08, 20:25, edited 1 time in total.
a.k.a. Ascrod
Linux Mint 19.3 Cinnamon (64-bit), Debian Bullseye (64-bit), Windows 7 (64-bit)
"As long as there is someone who will appreciate the work involved in the creation, the effort is time well spent." ~ Tetsuzou Kamadani, Cave Story

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Password breach discussion.

Unread post by TwoTankAmin » 2018-01-08, 21:13

JSB2000 wrote:What Moonchild stated is EXACTLY what you missed when you skimmed the book. In most cases, Mitnick wasn't interested in hacking you for what YOU have. He was using you as a step in the ladder towards gaining a bigger prize. Attacking the weakest link in a bigger chain, per se.
I am not part of a chain as far as I can tell. I only lead to myself. And the places I visit that somebody might want to hack are used by a huge number of people. I consider the biggest potential threat to my privacy and security on the net would be if I were to use Windows 10, the IoT or any of the digital assistants out there or the cloud. I download no apps etc.

What I glean from what was said in response to my question, is that one has to be a fool to register on any site, even this one. Since I cannot control how other users may deal with their approach to security, I, and every other member here is at risk from one lone careless person. As a result, why would anybody wish to become a registered member here or on almost any other site on the net? Just look at the basic facts regarding how most users approach security.
More than 50pc of people use the top 25 most common passwords, according to password manager Keeper, with a significant 17pc - almost one in five - of all users having "123456" as their protective code.

Keeper compiled the list by scouring 10 million passwords leaked in data breaches. Predictably, the most popular passwords include variations of "123456" and "qwerty", as well as "password" and "google"...

"While it's important for users to be aware of the risks, a sizeable minority are never going to take the time or effort to protect themselves," said Keeper. "The bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies."
from http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/

It seems to me the greater risk is because this site stores pwords and that is what is most likely to be hacked. If I were clever and expert enough couldn't I just create a brand new account here and hack to my heart's content? Why do I need another member's ID to do this?

According to the latest numbers on the Forum main page there are 3,769 registered users here. If just one of them has an easy to guess pword, we are all at risk. That is a crappy situation at best: all it takes is .02% of the forum members to slip to put the rest at risk.

Also, if the above article is on target, then it is mostly Moonchild's responsibility to ensure that users cannot have passwords that put all members on this site at risk. Only a site's Admins can determine the password rules that must be followed. As best I can tell my password here does not need to be more than 7 characters, needs no alphanumeric characters nor capitals since mine has none of these.
“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson
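The Keeper quote above puts the burden on site operators to enforce a basic password policy, and the post notes that the forum accepted a short, single-class password. The following is an added example, not code from the Pale Moon forum, phpBB or Keeper, of the kind of server-side check an operator could apply at registration and password change. It enforces a minimum length, a character-class rule that is waived for long passphrases, a denylist of breached passwords with simple leetspeak and trailing-digit variants folded in, and a username check. The denylist is a constructed sample seeded with the entries the quoted article names; a real site would load a large breached-password list instead.

```python
import re
from dataclasses import dataclass, field

# Constructed sample denylist seeded with the passwords the Keeper/Telegraph
# quote names. A production deployment loads a large breached-password list.
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "password", "google", "letmein"}

# Substitutions that cracking wordlists already account for, so "P@ssw0rd"
# must be treated as "password", not as a novel string.
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e"})


def _candidates(pw: str) -> set[str]:
    """Return the forms of pw that are compared against the denylist:
    lower-cased, leetspeak undone, and trailing digits/punctuation stripped."""
    low = pw.lower()
    leet = low.translate(_LEET)
    stripped = re.sub(r"[^a-z]+$", "", leet)
    return {low, leet, stripped} - {""}


@dataclass
class PolicyResult:
    ok: bool
    failures: list[str] = field(default_factory=list)


def check_password(pw: str, username: str = "", min_length: int = 12,
                   passphrase_length: int = 20) -> PolicyResult:
    """Evaluate pw against the policy and report every rule it breaks,
    so the user sees all problems at once rather than one per attempt."""
    failures = []

    if len(pw) < min_length:
        failures.append(f"shorter than {min_length} characters")

    # Composition rule: require 3 of 4 classes, but do not penalise long
    # passphrases such as "correct horse battery staple".
    if len(pw) < passphrase_length:
        patterns = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]")
        classes = sum(re.search(p, pw) is not None for p in patterns)
        if classes < 3:
            failures.append("fewer than 3 character classes")

    if _candidates(pw) & COMMON_PASSWORDS:
        failures.append("matches a well-known breached password")

    if username and username.lower() in pw.lower():
        failures.append("contains the username")

    return PolicyResult(not failures, failures)


if __name__ == "__main__":
    # Constructed sample inputs: the user name is the poster's handle.
    for candidate in ("123456", "P@ssw0rd1!", "TwoTankAmin2018!",
                      "correct horse battery staple"):
        result = check_password(candidate, username="TwoTankAmin")
        verdict = "accepted" if result.ok else "rejected: " + "; ".join(result.failures)
        print(f"{candidate!r:34} {verdict}")
```

The point of the candidate normalisation is that a composition rule alone is easy to satisfy with a string like `P@ssw0rd1!` that every cracking wordlist already contains; the denylist check is what actually catches it, while the passphrase waiver keeps the policy from rejecting genuinely strong long passwords.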

John connor

Re: Password breach discussion.

Unread post by John connor » 2018-01-09, 04:56

I finally got an E-mail from this 4iQ website and one of my passwords was stolen, but the E-mail doesn't say from where and the password in the E-mail is all in asterisks except the last three characters. WTH is that! If I don't know the website, how can I change the password? I looked at three website passwords associated with that E-mail address and none of those passwords match the last three characters. Being pissed off at the asinine way the E-mail was sent, I contacted them and told them the situation. After I clicked submit I see this:

This has to be a company run by the Chinese or some damn thing. However, they have offices in Californiastan and Spain.

Nigaikaze
Board Warrior
Posts: 1322
Joined: 2014-02-02, 22:15
Location: Chicagoland

Re: Password breach discussion.

Unread post by Nigaikaze » 2018-01-09, 14:20

John connor wrote:but the E-mail doesn't say from where and the password in the E-mail is all in asterisks except the last three characters. WTH is that!
Yep, same here with one o' mine. I'm pretty sure it was from a LinkedIn breach a while back (which I already knew about and changed long ago), but the way they present the "stolen" data is certainly less than helpful.
Nichi nichi kore ko jitsu = Every day is a good day.

TwoTankAmin
Keeps coming back
Posts: 777
Joined: 2014-07-23, 13:56
Location: New York

Re: Password breach discussion.

Unread post by TwoTankAmin » 2018-01-09, 16:04

“No one has ever become poor by giving.” Anonymous
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"The good thing about science is that it’s true whether or not you believe in it." Neil DeGrasse Tyson
