Author Topic: You have a secret that can ruin your life  (Read 2414 times)

Offline thaiga

  • Korat forum specialist
  • *****
  • Posts: 15975
You have a secret that can ruin your life
« on: November 18, 2012, 12:21:43 PM »
Kill the Password: Why a String of Characters Can’t Protect Us Anymore

“This summer, hackers destroyed my entire digital life in the span of an hour,” says Wired senior writer Mat Honan.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.

In 413 BC, at the height of the Peloponnesian War, the Athenian general Demosthenes landed in Sicily with 5,000 soldiers to assist in the attack on Syracusae. Things were looking good for the Greeks. Syracusae, a key ally of Sparta, seemed sure to fall.

But during a chaotic nighttime battle at Epipole, Demosthenes’ forces were scattered, and while attempting to regroup they began calling out their watchword, a prearranged term that would identify soldiers as friendly. The Syracusans picked up on the code and passed it quietly through their ranks. At times when the Greeks looked too formidable, the watchword allowed their opponents to pose as allies. Employing this ruse, the undermatched Syracusans decimated the invaders, and when the sun rose, their cavalry mopped up the rest. It was a turning point in the war.

The first computers to use passwords were likely those in MIT’s Compatible Time-Sharing System, developed in 1961. To limit the time any one user could spend on the system, CTSS used a login to ration access. It only took until 1962 when a PhD student named Allan Scherr, wanting more than his four-hour allotment, defeated the login with a simple hack: He located the file containing the passwords and printed out all of them. After that, he got as much time as he wanted.

During the formative years of the web, as we all went online, passwords worked pretty well. This was due largely to how little data they actually needed to protect. Our passwords were limited to a handful of applications: an ISP for email and maybe an ecommerce site or two. Because almost no personal information was in the cloud—the cloud was barely a wisp at that point—there was little payoff for breaking into an individual’s accounts; the serious hackers were still going after big corporate systems.

So we were lulled into complacency. Email addresses morphed into a sort of universal login, serving as our username just about everywhere. This practice persisted even as the number of accounts—the number of failure points—grew exponentially. Web-based email was the gateway to a new slate of cloud apps. We began banking in the cloud, tracking our finances in the cloud, and doing our taxes in the cloud. We stashed our photos, our documents, our data in the cloud.

Eventually, as the number of epic hacks increased, we started to lean on a curious psychological crutch: the notion of the “strong” password. It’s the compromise that growing web companies came up with to keep people signing up and entrusting data to their sites. It’s the Band-Aid that’s now being washed away in a river of blood.



Don't:

  * Reuse passwords. If you do, a hacker who gets just one of your accounts will own them all.
  * Use a dictionary word as your password. If you must, then string several together into a pass phrase.
  * Use standard number substitutions. Think “P455w0rd” is a good password? N0p3! Cracking tools now have those built in.
  * Use a short password—no matter how weird. Today’s processing speeds mean that even passwords like “h6!r$q” are quickly crackable. Your best defense is the longest possible password.

Do:

  * Enable two-factor authentication when offered. When you log in from a strange location, a system like this will send you a text message with a code to confirm. Yes, that can be cracked, but it’s better than nothing.
  * Give bogus answers to security questions. Think of them as a secondary password. Just keep your answers memorable. My first car? Why, it was a “Camper Van Beethoven Freaking Rules.”
  * Scrub your online presence. One of the easiest ways to hack into an account is through your email and billing address information. Sites like Spokeo offer opt-out mechanisms to get your information removed from their databases.
  * Use a unique, secure email address for password recoveries. If a hacker knows where your password reset goes, that’s a line of attack. So create a special account you never use for communications. And make sure to choose a username that isn’t tied to your name—like m****—so it can’t be easily guessed.

Anyone who goes to a psychiatrist should have his head examined.
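The "don'ts" in the post above, as an added example that is not part of the Wired article or of this forum post: a small Python checker that undoes the standard number substitutions before matching against a list of common passwords, rejects a single dictionary word or a short password, and estimates brute-force work from length rather than from "complexity". The common-password list is the 2011 SplashData top 25 quoted further down this thread; the dictionary set, the 12-character minimum and the 10^10 guesses-per-second rate are assumptions made for the example.

```python
import math
import re

# Substitutions that cracking tools undo as a matter of course ("P455w0rd" -> "password").
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

# SplashData's 2011 "worst passwords" list, as quoted further down this thread.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123", "monkey", "1234567",
    "letmein", "trustno1", "dragon", "baseball", "111111", "iloveyou", "master",
    "sunshine", "ashley", "bailey", "passw0rd", "shadow", "123123", "654321",
    "superman", "qazwsx", "michael", "football",
}

# Constructed stand-in for a real wordlist; a production checker would load a full dictionary.
DICTIONARY_WORDS = {"camper", "van", "beethoven", "freaking", "rules", "secret", "bank", "summer"}

MIN_LENGTH = 12            # assumption: our own policy, not a figure from the article
GUESSES_PER_SECOND = 1e10  # assumption: one GPU against a fast, unsalted hash


def normalize(password: str) -> str:
    """Lower-case and undo number/symbol substitutions, as a cracking rule set would."""
    return password.lower().translate(SUBSTITUTIONS)


def keyspace_bits(password: str) -> float:
    """Upper bound on brute-force work: length times log2 of the alphabet the password draws from."""
    alphabet = 0
    if re.search(r"[a-z]", password):
        alphabet += 26
    if re.search(r"[A-Z]", password):
        alphabet += 26
    if re.search(r"[0-9]", password):
        alphabet += 10
    if re.search(r"[^A-Za-z0-9]", password):
        alphabet += 33  # printable ASCII punctuation plus space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def seconds_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every string in the password's keyspace at the assumed guess rate."""
    return 2 ** keyspace_bits(password) / rate


def weaknesses(password: str) -> list[str]:
    """Return the "don'ts" the password violates; an empty list means none were found."""
    problems = []
    forms = {password.lower(), normalize(password)}  # check both raw and de-substituted forms
    if forms & COMMON_PASSWORDS:
        problems.append("common password (with or without substitutions)")
    if forms & DICTIONARY_WORDS:
        problems.append("single dictionary word")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    return problems


if __name__ == "__main__":
    for candidate in ("P455w0rd", "h6!r$q", "trustno1", "camper van beethoven freaking rules"):
        print(f"{candidate!r}: {weaknesses(candidate) or 'no obvious weakness'}, "
              f"{keyspace_bits(candidate):.0f} bits, "
              f"brute force <= {seconds_to_exhaust(candidate):.0f} s at the assumed rate")
```

Note that "h6!r$q" draws from a 69-symbol alphabet yet still comes out at under 37 bits, i.e. seconds of work at the assumed rate, while the five-word phrase, all lower case, passes 200 bits on length alone; that is the point of the "longest possible password" advice.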

Offline Baby Farts

  • Korat forum specialist
  • *****
  • Posts: 3338
  • Seeek!
Re: You have a secret that can ruin your life
« Reply #1 on: November 18, 2012, 05:58:31 PM »
Exaggerated a bit.  Why didn't he have all those photos of his daughter and messages backed up?  iTunes does it automatically every time you sync.  iTunes backs up all of the phone data, pictures, messages, contacts, etc... even if the phone is remotely wiped you can still go into iTunes and restore it.  What's the big deal?

Someone at his work probably installed a key logger on his PC without him knowing and got his pw. A 19-character pw with alphanumerics and symbols thrown in??  Sorry, you don't just guess passwords like that. Someone was copying his keystrokes.

Offline takeitor

  • Korat forum reporter
  • ****
  • Posts: 308
Re: You have a secret that can ruin your life
« Reply #2 on: November 18, 2012, 08:47:52 PM »
What he describes is perfectly possible.  Most people think that their email passwords do not have to be as secure as their bank or financial ones.  They do not think that, having obtained their email password, the hacker can use this to obtain passwords for many other services - or in many cases, the passwords used are often identical.

I agree that, if all your passwords are strong, there is little chance of a hacker getting into these accounts directly (yet!), but it is fair to say that many people have weak passwords to all sorts of things that could be used to obtain, or reset, more important passwords.

There are so many easy targets out there that if you are relatively careful you should be fine.  Having said that, BF is absolutely correct to say that everything should be backed up... preferably twice!  Good job those Apple computers he uses can't have viruses or be hacked, eh..... ;)  Nothing like being lulled into a false sense of security!

Offline thaiga

  • Korat forum specialist
  • *****
  • Posts: 15975
Re: You have a secret that can ruin your life
« Reply #3 on: November 18, 2012, 11:19:53 PM »
staggering lack of imagination in selecting codes protecting their most sensitive financial information.

You got it: 1234. What’s more surprising, or depressing, is the fact that it’s used by almost 11% of card holders. The runner-up, 1111, is used by more than 6% of us.

Here are the top 20:


  • Guest
Re: You have a secret that can ruin your life
« Reply #4 on: November 19, 2012, 07:28:40 AM »
And still they have to look into their 'phones to find their password!

Offline Johnnie F.

  • Administrator
  • Korat forum specialist
  • *****
  • Posts: 6454
    • Korat-Info
Re: You have a secret that can ruin your life
« Reply #5 on: November 19, 2012, 08:28:44 AM »
And still they have to look into their 'phones to find their password!

..unless they attached a label with the PIN on the plastic sleeve of their ATM cards. :o

Offline thaiga

  • Korat forum specialist
  • *****
  • Posts: 15975
Re: You have a secret that can ruin your life
« Reply #6 on: November 19, 2012, 03:33:15 PM »

25 Worst Passwords of 2011. Hope you're not on this list ;)

As some websites have begun to require passwords to include both numbers and letters, it makes sense that varied choices such as “abc123” and “trustno1” are popular, believe it or not.

# 1. password
# 2. 123456
# 3. 12345678
# 4. qwerty
# 5. abc123
# 6. monkey
# 7. 1234567
# 8. letmein
# 9. trustno1
# 10. dragon
# 11. baseball
# 12. 111111
# 13. iloveyou
# 14. master
# 15. sunshine
# 16. ashley
# 17. bailey
# 18. passw0rd
# 19. shadow
# 20. 123123
# 21. 654321
# 22. superman
# 23. qazwsx
# 24. michael
# 25. football

Hackers can easily break into many accounts just by repeatedly trying common passwords. Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft.

Vary different types of characters in your passwords; include numbers, letters and special characters when possible.

Choose passwords of eight characters or more. Separate short words with spaces or underscores.

Don’t use the same password and username combination for multiple websites.


Offline thaiga

  • Korat forum specialist
  • *****
  • Posts: 15975
"123456" Maintains the Top Spot on SplashData's Annual "Worst Passwords" List

The 2014 list of worst passwords demonstrates the importance of keeping names, simple numeric patterns, sports and swear words out of your passwords.

Presenting SplashData's "Worst Passwords of 2014":

Rank Password Change from 2013
1    123456    No Change
2    password    No Change
3    12345    Up 17
4    12345678    Down 1
5    qwerty    Down 1
6    123456789    No Change
7    1234    Up 9
8    baseball    New
9    dragon    New
10    football    New
11    1234567    Down 4
12    monkey    Up 5
13    letmein    Up 1
14    abc123    Down 9
15    111111    Down 8
16    mustang    New
17    access    New
18    shadow    Unchanged
19    master    New
20    michael    New
21    superman    New
22    696969    New
23    123123    Down 12
24    batman    New
25    trustno1    Down 1

Passwords appearing for the first time on SplashData's list include "696969" and "batman."

MORE INFO HERE: splashdata
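The "repeatedly trying common passwords" attack that the 2011 and 2014 lists above invite, as an added example that is neither SplashData's code nor part of this forum post: a Python simulation of an offline guessing run that takes the 2014 list in rank order, applies a few mangling rules of the kind cracking tools apply to every wordlist entry, and checks each guess against a constructed table of unsalted SHA-256 hashes. The user table, the rule set and the choice of unsalted SHA-256 are assumptions made for the example; a well-built site stores a salted, deliberately slow hash instead, which lowers the guess rate but does not save a password that sits in the first few hundred candidates.

```python
import hashlib
from typing import Dict, Iterator, Optional, Set, Tuple

# SplashData's 2014 list, in rank order, as printed above.
WORST_2014 = [
    "123456", "password", "12345", "12345678", "qwerty", "123456789", "1234",
    "baseball", "dragon", "football", "1234567", "monkey", "letmein", "abc123",
    "111111", "mustang", "access", "shadow", "master", "michael", "superman",
    "696969", "123123", "batman", "trustno1",
]

# Assumed rule set: a few of the suffixes people bolt on to satisfy "add a number" policies.
SUFFIXES = ("1", "!", "123", "2014")


def mangle(word: str) -> Iterator[str]:
    """Yield variants cheapest-first: the word itself, then case changes, then each suffix."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in SUFFIXES:
        yield word + suffix
        yield word.capitalize() + suffix


def candidates() -> Iterator[str]:
    """Every guess in the order a cracker would try it: worst passwords first, rules applied to each."""
    for word in WORST_2014:
        yield from mangle(word)


def sha256_hex(text: str) -> str:
    # Unsalted SHA-256 stands in for the fast hash a poorly built site might store.
    # Real systems should use a salted, slow hash (bcrypt, scrypt, argon2).
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hashes: Set[str]) -> Dict[str, Tuple[str, int]]:
    """Return {hash: (plaintext, guess_number)} for every target the candidate list recovers."""
    found: Dict[str, Tuple[str, int]] = {}
    for guess_number, guess in enumerate(candidates(), start=1):
        digest = sha256_hex(guess)
        if digest in target_hashes and digest not in found:
            found[digest] = (guess, guess_number)
            if len(found) == len(target_hashes):
                break
    return found


# Constructed user table: three list-derived passwords and one long passphrase.
CONSTRUCTED_USERS = {
    "alice": "Dragon1",
    "bob": "batman2014",
    "carol": "letmein!",
    "dave": "three slow tortoises cross the road",
}


def demo() -> Dict[str, Optional[Tuple[str, int]]]:
    """Crack the constructed table; None means the password survived the whole candidate list."""
    stored = {user: sha256_hex(pw) for user, pw in CONSTRUCTED_USERS.items()}
    found = crack(set(stored.values()))
    return {user: found.get(digest) for user, digest in stored.items()}


if __name__ == "__main__":
    for user, result in demo().items():
        print(f"{user}: {result or 'not recovered'}")
```

With 25 words and 11 variants each the whole run is 275 guesses; the three list-derived passwords fall at guess 93, 138 and 263, while the passphrase is never generated because no rule builds it from a wordlist entry. Capitalising the first letter and appending "1" or the current year is exactly what the rules anticipate, so it adds nothing.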