Apple News: Apple ID hacking attempts?
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
I actually got a log-in allow notification with the map and passcode entry request — someone in São Paulo had apparently tried to log in using my Apple ID with the correct password and was only stopped by two-factor authentication.
Holy shit.
Administrator
Join Date: Jun 2000
Location: California
Ars Technica covered this too, as an "MFA Fatigue Attack". Oh, and AT&T has just admitted a data breach (method unknown) of 73 million current & former accounts. Including 49 million unique email addresses, and almost 44 million Social Security numbers. Plus snailmail addresses, phone numbers, date-of-birth, full names, plus (salted & hashed?) passwords.
Hope everyone is following good security practices: long random passwords, unique to every site. No reuse of passwords anywhere. This quarantines a compromise to a single account or service. Also, keeping the keys to everything you own on a single smartphone may not be so smart. Desktop or laptop, passwords on an encrypted thumb drive, roll your own solution. So a single smartphone breach doesn't reach everything. Ideally, spread things around so there isn't a single point of failure. It's less convenient, but good security always is.
If you haven't already, sign your emails up to the Have I Been Pwned website. Should your email(s) appear in data leaks, the site will email you with the details. I don't know of a similar service for leaked Social Security numbers.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Hot take: if the password is long enough using mostly lowercase dictionary words is fine (and easier to type).
Administrator
Join Date: Jun 2000
Location: California
I like the Stanford password recommendations as a guide for creating passwords. It covers what length to use for various character groups (like all-lowercase) as well as sentence-passwords made of dictionary words. However, this guide has been unchanged since at least 2014. I'd add at least two characters to each recommendation, and at least two extra words to any sentence password.
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
There's always an XKCD.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
This-is-the-ideal-password-f0rmat.
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Wait which O is a zero? I keep forgetting. And do you choose a new multi-word sentence for each website/login?
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Don’t reuse passwords.
A good password manager will use a font which disambiguates a capital “o” from a zero.
Edit: I misunderstood your post. Though the XKCD mentions memorization, you shouldn’t actually do that without a password manager net (IMO).
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Also relevant…
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
I never got into password managers. Is there something that works across any Apple/Android/Amazon/Windows device seamlessly? My iPhone keeps trying to recommend impossible passwords which is completely useless to me when I want to log in on Chrome on my work laptop.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
1Password is what I use.
If you can install Dropbox on your work laptop there’s a Chrome plugin.
They claim it works on everything. Isn’t Amazon shit Android?
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
I'm trying to get away from Dropbox. It's becoming nagware, and since they got rid of hotlinking all of those years ago it doesn't really do anything for me that I can't do through OneDrive or Google Drive. The last killer feature was keeping my car tunes on it so they're synced across my tuning laptop, home desktops, and also available online. I'm doing that with Google Drive now but I'm not impressed with its slow syncing. Either way I'd only access Dropbox on my work laptop through the web interface.
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
It looks like they have their own servers if you want to use those, but I’m not familiar with it.
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
1Password no longer requires Dropbox. Which is good for me, having multiple devices with 1Password on them (phone, iPad, 2 laptops) and not wanting to pay Dropbox for >3 devices.
This-is-the-ideal-password-f0rmat.
idealpasswordBas3-sitesuffix!
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Originally Posted by andi*pandi
idealpasswordBas3-sitesuffix!
I’m not sure I understand. Does this mean reuse the bas3 and change only the suffix?
That’s the same as reusing a password.
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
"Ideal password base" - "website" - "!"
I think? Is the risk that a person or even automated system, if they got the password into plain text, could recognize the site name as part of the password and extrapolate that to other sites? How many intrusions result in the password being revealed in plain text?
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
What to worry about here isn’t a brute-force intrusion on an account, it’s an intrusion on a site with poor security.
(Last edited by subego; Apr 3, 2024 at 03:00 PM.)
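The point debated in the last few posts, that a shared base with a per-site suffix behaves like a reused password once any one site leaks it in plain text, can be checked against your own password list. The following is an added example, not code from any poster; the site names, passwords and the 8-character threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from itertools import combinations

# Undo a few common character swaps so "Bas3" and "base" compare equal.
LEET = str.maketrans("013457@$", "oieastas")

def normalize(password: str) -> str:
    return password.lower().translate(LEET)

def shared_base(a: str, b: str) -> str:
    """Longest run of characters two passwords share after normalization."""
    na, nb = normalize(a), normalize(b)
    m = SequenceMatcher(None, na, nb, autojunk=False).find_longest_match(
        0, len(na), 0, len(nb))
    return na[m.a:m.a + m.size]

def audit(vault: dict[str, str], min_shared: int = 8):
    """Return (site_a, site_b, shared) for every pair of entries that share
    at least min_shared characters: exact reuse or base-plus-suffix."""
    findings = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(sorted(vault.items()), 2):
        base = shared_base(pw_a, pw_b)
        if len(base) >= min_shared:
            findings.append((site_a, site_b, base))
    return findings

# Constructed sample vault; site names and passwords are made up.
SAMPLE_VAULT = {
    "bank.example":  "idealpasswordBas3-Vault!",
    "forum.example": "idealpasswordBas3-AppleNN!",
    "shop.example":  "IdealPasswordBase-Cart!",
    "mail.example":  "q7#Lw2vT9xRmKd4pZs",
}

if __name__ == "__main__":
    for site_a, site_b, base in audit(SAMPLE_VAULT):
        print(f"{site_a} and {site_b} share {len(base)} characters: {base!r}")
```

Every pair flagged here is a pair where one site's plain-text leak exposes most of the other site's password; the randomly generated entry is the only one that stays out of the report.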
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
sitesuffix is not the site name but a clue. So for this site it might be AppleNN or something. (except on this site I use a completely random pw).
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Then you have to remember all your different site suffixes.
There’s also the problem of the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
Administrator
Join Date: Jun 2000
Location: California
Originally Posted by subego
... the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
Ah, you've banked at WF or BofA also?