Welcome to Open Carnage

A resource for Halo 1 modding and tech, with unique means of rewarding individual content creation and support. Have a wander to see why we're worth the time! EST. 2012

Sign in to follow this  
Followers 0
Tucker933

Hackers hold 7 million Dropbox passwords ransom

Started by Tucker933,

23 posts in this topic

Posted (edited)

That's another thing. Since I use a proper password manager, I've no reason to create a weak one =P.

Edited by nil

Share this post

Link to post
Share on other sites

Members of Open Carnage never see off-site ads.

Posted

I had a system for creating my passwords. I'd progressively make a new one every few months and whatever services I started using in that time will keep the password, but new services get the new one. The actual system I mentioned was how I created new passwords, they all have two things in common but even if you knew one of my passwords and knew the similarities, you probably wouldn't be able to guess the other ones at this point. I haven't made a new password in like two years though, lol

oVoXWXc.png

Share this post

Link to post
Share on other sites

Posted

That doesn't help anything when most passwords are stolen by getting them from hacked databases or through third party applications that sell the information to people like the Russian Business Network. Having a way overly complicated password is useless. Once you have something moderately complex, you're fine from brute force attacks or dictionary attacks.

You can't really do much about that, other than using sites that only use PGP keys. The site you're logging into shouldn't know what your password is, if it's truly secure.

Kavawuvi and NeX like this

Share this post

Link to post
Share on other sites

Posted

You can't really do much about that, other than using sites that only use PGP keys. The site you're logging into shouldn't know what your password is, if it's truly secure.

 

This x1000. I get people at work all the time (basic tech support) that don't know their password, and expect the company or service to simply tell them what their password is.  If they know your password, then they have a decryption algorithm in place, which means their encryption is useless if someone gets their hands on it. Much easier to make an encryption and never worry about decryption for passwords at least. That's why every password recovery utility i've ever had to use (for myself or at the behest of someone else) has simply used alternate verification and then reset the password to a random series of characters, until such a time as the account holder changes it themselves.

 

Foolish mortals.

Floofies and Kavawuvi like this

KsqHutE.png

Share this post

Link to post
Share on other sites

Posted (edited)

You can't really do much about that, other than using sites that only use PGP keys. The site you're logging into shouldn't know what your password is, if it's truly secure.

Yes. Private keys aren't transmitted from your computer, and you can encrypt them with a password which is also not transmitted from your computer. The only thing stored on a database is your public key. I use public keys in place of a password for ssh with my Halo server and raspberry pi.

Screen%20Shot%202014-10-19%20at%2011.55.

 

The only downside is portability. If you wanted to use a public terminal, you'd need to bring your key, perhaps in a flash drive. You'd need some sort of security to prevent the key being stolen from the flash drive.

 

This x1000. I get people at work all the time (basic tech support) that don't know their password, and expect the company or service to simply tell them what their password is.  If they know your password, then they have a decryption algorithm in place, which means their encryption is useless if someone gets their hands on it. Much easier to make an encryption and never worry about decryption for passwords at least. That's why every password recovery utility i've ever had to use (for myself or at the behest of someone else) has simply used alternate verification and then reset the password to a random series of characters, until such a time as the account holder changes it themselves.

 

Foolish mortals.

 

I mentioned on "Everything's fucking shit" about the textbook website emailing my password to me in plain text. Now it's in my inbox in plain text. I bet it's stored in plain text. If it's encrypted, I'm sure whatever decrypts it can be stolen easily if the database is hacked, making encryption useless.

 

Screen%20Shot%202014-08-28%20at%2011.50.

Edited by 002
Floofies likes this

Share this post

Link to post
Share on other sites

Posted

I mentioned on "Everything's fucking shit" about the textbook website emailing my password to me in plain text. Now it's in my inbox in plain text. I bet it's stored in plain text. If it's encrypted, I'm sure whatever decrypts it can be stolen easily if the database is hacked, making encryption useless.

 

Holy balls.....

But yes, that was precisely my point.

Floofies likes this

KsqHutE.png

Share this post

Link to post
Share on other sites

Posted (edited)

The second factor is most commonly a cell phone but doesn't have to be (and it would suck if you didn't have cellular connection or something..). Dropbox supports the Google Authenticator app for mobile devices including tablets which you have (and Apple would use push notification or iMessage or something?). I avoid enabling multi factor for services that don't provide backup codes, though.

Edited by nil

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0
Go To Topic Listing Tech Chatter

  • Recently Browsing   0 members

    No registered users viewing this page.