See here is your problem. You can't read. I never once said I needed to change my passwords. I never had the same passwords. I am good, but many are not. Many don't take safety measures like this cause they don't know they need to. Come back when you have read my post.

Thanks for confirming that you have forgotten your point. Catch you on the flip side whilst you are worrying about "1password being hacked".
 
Now I will probably get in trouble for this, but the Loyalists here on MR are getting quite annoying. There was a breach and looks like about 50 percent say that it was not MacRumors' fault and the other 50 say they did not handle properly. I'm sure there's more out there just like me on this website that have used the same password and username combination on other sites.

I think it's a false dilemma. MR may well be at fault for their use of vBulletin. OTOH, it's clear that we will have -- and will continue to have -- breaches of website databases. Anyone who practices Safe Password -- unique password for each site -- will automatically limit the scope of damages for any compromised website database.

You are left with an extremely uncomfortable question: how is it that you don't know your password wasn't compromised a long time ago? :eek:

Just because you were "smart" and use a different password for every website that you have ever visited in your whole life does not mean that others are the same way. The admin team screwed up here and that's the truth.

The strangeness of your message is presuming that one entity or the other should get the "blame". Ultimately, MR is responsible for this failure. At the same time, users who wish to minimize the nonsense when these failures happen can do that very easily.

Not everyone is just like you and you should respect that some people are more upset about this and you are.

That sentence doesn't quite parse, but I think I understand what you meant. ;)

I already noted in the discussion: I got bit by the Gawker breach. I was re-using the same password on multiple sites. The difference: rather than get upset, I promptly dealt with deploying unique passwords on all the sites I was using.

But hey, I'm just an idiot who used the same password multiple times.

I also used the same password on multiple systems. The difference is that I took decisive action when I recognized the problem with that approach.

Interestingly, I noticed that I wasn't really upset at Gawker for the failure. I was mostly upset with myself for failing to have a Trust No One strategy. I do now.
 
Hey, did everyone read the post from the guy that did the hack? Well, I'm assuming it's him. Arn confirmed this guy's proof.

Hey guys, "hacker" here. I'm going to disprove some of the comments you guys have been making.

I'll need to provide some sort of proof to prove it's me. Arn, the first 16 bits of your old password hash was cd89d763f091c664. Your salt is (or was?) #er<ib"E%R0sa%`8b%N3+!5<J&PqnT.


First of all, regarding the passwords. As far as I'm aware, the older versions of vbulletin and the current all share the same hashing algorithm. 860106 users were dumped. Out of those, 488429 of them still had a salt which had a length of 3 bits. Anyone that'd been active recently will have a longer salt, which will slow down the hash cracking by a fraction of the time it would have taken (duplicate salts = less work to do, it's likely to have many with a 3 bit salt). We're not "mass cracking" the hashes. It doesn't take long whatsoever to run a hash through hashcat with a few dictionaries and salts, and get results. We're not logging in to your gmails, apple accounts, or even your yahoo accounts (unless we target you specifically for some unrelated reason). We're not terrorists. Stop worrying, and stop blaming it on Macrumors when it was your own fault for reusing passwords in the first place.

Second of all, I personally think Arn done a great job disclosing the details of what had happened in the time that he took to do so. Many other huge companies and corporations, probably some that you're all registered to, have taken days, weeks, or even never, to report a compromise. You should be thankful.

Third, we're not going to "leak" anything. There's no reason for us to. There's no fun in that. Don't believe us if you don't want to, we honestly could not care less.

Fourth, stop blaming this on the "outdated vBulletin software". The fault lied within a single moderator. All of you kids that are saying upgrade from 3.x to 4.x or 5.x have no idea what you're talking about. 3.x is far more secure than the latter. Just because it's older, it doesn't mean it's any worse.



That concludes it. Consider the "malicious" attack friendly. The situation could have been catastrophically worse if some fame-driven idiot was the culprit and the database were to be leaked to the public.


----------

OK, you know you're comparing an online website (like MacRumors) to an application that runs locally on your Mac, right?
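
On the salt point in the post quoted above ("duplicate salts = less work"), here is a defender-side audit as an added example; it is not part of the thread and not vBulletin code. It assumes the poster's "3 bit" salt means 3 characters, that salts are drawn uniformly from the 95 printable ASCII characters, and a hypothetical policy threshold `min_salt_len`; the sample records are constructed.

```python
# Added example (not from the thread): measure salt reuse in a credential
# table and estimate how much a short salt erodes per-account uniqueness.
import math
from collections import Counter

# Constructed sample rows: (user_id, salt). Not real data.
SAMPLE_RECORDS = [
    ("u1", "abc"),
    ("u2", "abc"),          # shares a salt with u1
    ("u3", "xyz"),
    ("u4", "Q" * 30),       # long salt, as issued to recently active users
]


def salt_audit(records, min_salt_len=16):
    """Summarise salt reuse in (user_id, salt) records.

    min_salt_len is an assumed policy threshold, not a value from the page.
    Accounts below it are listed for re-salting and re-hashing at next login.
    """
    records = list(records)
    per_salt = Counter(salt for _, salt in records)
    return {
        "accounts": len(records),
        "distinct_salts": len(per_salt),
        "accounts_sharing_a_salt": sum(c for c in per_salt.values() if c > 1),
        "rehash_on_next_login": sorted(
            uid for uid, salt in records if len(salt) < min_salt_len
        ),
        # 1.0 means every account has its own salt, so no hashing work
        # can be shared between accounts; lower means salts are reused.
        "salt_uniqueness": len(per_salt) / len(records) if records else 1.0,
    }


def expected_distinct_salts(n_accounts, salt_len, alphabet_size=95):
    """Expected number of distinct salts among n uniformly random salts.

    Uses space * (1 - (1 - 1/space)**n), computed with log1p/expm1 so it
    stays accurate when the salt space is astronomically large.
    alphabet_size=95 (printable ASCII) is an assumption.
    """
    space = alphabet_size ** salt_len
    return -space * math.expm1(n_accounts * math.log1p(-1.0 / space))


def expected_uniqueness(n_accounts, salt_len, alphabet_size=95):
    """Expected distinct salts divided by accounts (1.0 = no reuse)."""
    return expected_distinct_salts(n_accounts, salt_len, alphabet_size) / n_accounts


if __name__ == "__main__":
    print(salt_audit(SAMPLE_RECORDS))
    # Account count taken from the quoted post; salt lengths are assumptions.
    for length in (3, 30):
        ratio = expected_uniqueness(488429, length)
        print(f"salt length {length}: expected uniqueness {ratio:.4f}")
```
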
 
Catch you on the flip side whilst you are worrying about "1password being hacked".

We have no idea what you're talking about.

Would you like to explain?

What happens when lastpass, and 1password are hacked? Are you guys still safe?

For any prevention-oriented approach, the trick is to operate with the best knowledge and practices that we currently have.

For password management, the best current approach is to use generated passwords that are unique for each site. When things like Secure Quick Reliable Login come online, that may well be the way to manage passwords.

Anybody who uses the same password on multiple sites will continue to get a bag of hurt. They may know about the breaches of that shared password, or they may not even know when their accounts are compromised.

Does that make sense? Do you understand the difference?
 
I agree that it takes time to email large numbers of users.

However, in the meantime, the fact that member information has been stolen should have been the top story on MR, and should have remained the top story, until the notifications had been sent out. I understand that fires are being fought, but if there is time to continue to post new stories, there is time to make this story stuck to the top.

Does the security breach story bring them money? No. Then you will not see it on the top. They will however be very quick to take your tip or leaked photo of an Apple product and post it immediately. Make it front and center.
 
Hey, did everyone read the post from the guy that did the hack? Well, I'm assuming it's him. Arn confirmed this guy's proof.



----------


OK, you know you're comparing an online website (like MacRumors) to an application that runs locally on your Mac, right?

I am not comparing them. I am saying you folks that think everything is peachy because you use a software like this, or some encrypted password are very wrong. You can believe what you would like, and think your info is safe, but if a hacker wants something they will find a way.
 
I am saying you folks that think everything is peachy because you use a software like [1password or LastPass], or some encrypted password are very wrong. You can believe what you would like, and think your info is safe, but if a hacker wants something they will find a way.

So far, neither 1Password nor LastPass has been compromised. Steve Gibson has talked about both systems on his Security Now! podcast; he is quite positive on both systems. Everything is peachy. :) At the same time, Gibson and other experts are working to create a system that will be even peachier.

What exactly are you recommending that users do to manage their passwords? What actions should we take because you make some FUDdish comments about 1P and LP? I see absolutely no reason to change my approach at all.

Why should we listen at all to any recommendations at all that you make about passwords and security?
 
Hey, did everyone read the post from the guy that did the hack? Well, I'm assuming it's him. Arn confirmed this guy's proof.



----------


OK, you know you're comparing an online website (like MacRumors) to an application that runs locally on your Mac, right?

I don't think he actually read that article. He clearly just skimmed the first couple of sentences.
 
So far, neither 1Password nor LastPass has been compromised. Steve Gibson has talked about both systems on his Security Now! podcast; he is quite positive on both systems. Everything is peachy. :) At the same time, Gibson and other experts are working to create a system that will be even peachier.

What exactly are you recommending that users do to manage their passwords? What actions should we take because you make some FUDdish comments about 1P and LP? I see absolutely no reason to change my approach at all.

Why should we listen at all to any recommendations at all that you make about passwords and security?

I did not suggest you should do anything. I am saying for you cast stones at people for using one password think about the fact that you are only making a bit harder for the hacker to get your information. If they want to keep trying they will, and those sources are not impossible to hack. Right now sure things are peachy, but what happens if they are hacked? No one saw MR getting hacked, but it happened.

What would you do if iTunes got hacked? I am assuming you use it, but if not ok. Your CC number, street address, and email would all be exposed. How would that make you feel? You would be blaming Apple to no end. Sure MR did not have your personal info, but for some it did. You need to see things from not just your view, but others.

----------

I don't think he actually read that article. He clearly just skimmed the first couple of sentences.

I did read it. Yes I realize it makes it harder for hackers, but the thought that it is impossible is crazy. Yes those are good ways to make it harder for hackers, but in no way is 100% secure.
 
I want to thank the staff for noting the issue on the forums and on the front page.

Also, let's not fight here. It never ends well.
 
Right now sure things are peachy, but what happens if they are hacked? No one saw MR getting hacked, but it happened.

What do you mean "if they [1password] are hacked"?

My encrypted 1password file is stored on my Mac's hard drive. It's not on some online website/service.

If someone wants to hack it, they need to specifically hack my computer.
 
What do you mean "if they [1password] are hacked"?

My encrypted 1password file is stored on my Mac's hard drive. It's not on some online website/service.

If someone wants to hack it, they need to specifically hack my computer.

I don't want to keep arguing, but doesn't computer hacking happen all the time? With your setup all your passwords are in one place right?

I just want people to realize there is not a 100% hack free way to keep passwords.
 
I don't want to keep arguing, but doesn't computer hacking happen all the time? With your setup all your passwords are in one place right?

I just want people to realize there is not a 100% hack free way to keep passwords.

Computer hacking shouldn't be as common as online hacking.
 
Computer hacking shouldn't be as common as online hacking.

No you are right. I just think people are not realizing that having secure passwords is not on everyone's list of important things to do. Not saying it should not be, but making people feel like they are dumb for MR getting hacked, and their stuff being easy to get to is kind of crazy. MR is to blame for this whether people want to admit it or not. They are not at fault for people's info not being secured on other sites, but they are the ones that got hacked. Us as users could do nothing to stop it. Whether you had personal info or not on MR. This was not a good thing, and MR should be held accountable.
 
I am saying for you cast stones at people for using one password think about the fact that you are only making a bit harder for the hacker to get your information.

Saying that 1P and LP only make it "a bit harder" for people to hack your password is utter nonsense. That is completely inconsistent with what the experts say about both of these tools. Experts have looked very hard at both of these tools, and there are no known risks.

Let's have a FUD-free discussion, OK?

Right now sure things are peachy, but what happens if they are hacked?

Sounds like a decidedly pointless thing to speculate about. Given the design and means of accessing those tools, the experts think they are quite secure. Speculating about the risks of something the experts think is secure is just FUD.

No one saw MR getting hacked, but it happened.

Nonsense. There are plenty of known vulnerabilities in vBulletin. Just google on "vbulletin vulnerabilities" to get yourself up to speed. Website databases have been hacked, and they will continue to be hacked. All security experts are recommending: practice Safe Password. Have a unique password for each website. And use one of the password-management systems to generate those passwords and manage all of them for you. Simple.

What would you do if iTunes got hacked?

Why do you think that question is relevant to how individuals manage their website passwords?

How would that make you feel? You would be blaming Apple to no end.

If Apple were to leak credit card numbers, they would deserve much criticism.

Sure MR did not have your personal info, but for some it did.

Your analogy is completely flawed. Unlike iTunes, nobody needs to store any personal information on the MR website. If someone needs to exchange street addresses, don't use PMs to do that. Given the known vulnerabilities in vbulletin, it's a poor place to store any information you wish to keep private. Simple.

You need to see things from not just your view, but others.

And you need to make sure your points actually make rational sense. Please explain: why in heaven's name does anybody need to store any personal information on the MR website?
 
Saying that 1P and LP only make it "a bit harder" for people to hack your password is utter nonsense. That is completely inconsistent with what the experts say about both of these tools. Experts have looked very hard at both of these tools, and there are no known risks.

Let's have a FUD-free discussion, OK?



Sounds like a decidedly pointless thing to speculate about. Given the design and means of accessing those tools, the experts think they are quite secure. Speculating about the risks of something the experts think is secure is just FUD.



Nonsense. There are plenty of known vulnerabilities in vBulletin. Just google on "vbulletin vulnerabilities" to get yourself up to speed. Website databases have been hacked, and they will continue to be hacked. All security experts are recommending: practice Safe Password. Have a unique password for each website. And use one of the password-management systems to generate those passwords and manage all of them for you. Simple.



Why do you think that question is relevant to how individuals manage their website passwords?



If Apple were to leak credit card numbers, they would deserve much criticism.



Your analogy is completely flawed. Unlike iTunes, nobody needs to store any personal information on the MR website. If someone needs to exchange street addresses, don't use PMs to do that. Given the known vulnerabilities in vbulletin, it's a poor place to store any information you wish to keep private. Simple.



And you need to make sure your points actually make rational sense. Please explain: why in heaven's name does anybody need to store any personal information on the MR website?

Why do you trust Apple with your personal info? Oh wait I forgot just like MR Apple is perfect in every way. My bad I forgot that we were on the most biased site in America.

You can't continue to see things your way. I never have, and never will use one password. I also realize there were people that did have the password from this site used on other things. These same users did not know any better, and most people don't. If you want to continue to be naive and believe all these people use password management tools. Please continue, but I know that most don't. MR should take the fall for this one, and that is all there is to it. Yes users need to be more careful, but there was nothing they could have done to stop a hacker. Yes their data being accessed was their fault, but the site being hacked was all on MR.
 
MR should take the fall for this one, and that is all there is to it.

They have.

There are tons of pissed off users. Some users are closing their accounts, which hurts a business that charges for ads based on the number of users. MacRumors being hacked is being written about on prominent sites over the Internet, which doesn't help MacRumors' reputation in any way. MacRumors has notified users via email, as well as a sticky link at the top of the forums that doesn't go away until a user clicks the X. Arn, the owner, apologized.

What more do you want?
 
As much as I would like to join the angry mob (and trust me, I would), I actually don't think this was handled that poorly. I agree with some (a lot) of the suggestions that people have given, but given the circumstances and limitations at the time, I don't think a lot of people are giving enough credit where it was due.

As for the rest of you, you need to do your part to keep yourself safe. I'm not using it as an excuse for this incident, but this isn't going to solve your problem and any future problems.
 
What exactly is the point of quoting someone's entire article and failing to address any of the points discussed?

Why do you trust Apple with your personal info? Oh wait I forgot just like MR Apple is perfect in every way. My bad I forgot that we were on the most biased site in America.

Why do you ASSume I trust Apple with my personal info? Do you realize you can have an iTunes account without a credit card?

You can't continue to see things your way.

:confused: We have absolutely no idea what this was supposed to mean.

I never have, and never will use one password.

You're free to do whatever you wish. Memorize all your passwords. Write 'em on a bunch of 3x5 cards. Whatever. Just realize: if you use the same password on multiple hosts, it will end up biting you.

If you want to continue to be naive and believe all these people use password management tools.

Another nonsense statement. Where did anyone in this discussion ever say that? :confused:

MR should take the fall for this one, and that is all there is to it.

When Gawker had their database breach back in 2010, I realized it as an opportunity to take responsibility for managing my passwords. I didn't worry about having Gawker "take the fall" for the breach, I just dealt with it like an adult.

If you use the same password on multiple sites, you will continue to risk its compromise. You will never ever know if/when your account has been compromised. Until you stop sharing passwords, there is absolutely no way out of that dilemma. Blaming this problem on one website is completely silly.

Yes users need to be more careful, but there was nothing they could have done to stop a hacker. Yes their data being accessed was their fault, but the site being hacked was all on MR.

Since you're sharing passwords, your MR data could well have already been compromised through one of those other websites. Or it could be compromised tomorrow. You may never ever know if/when it gets compromised. If you're concerned about your private data on MR, continuing to ignore that risk is strange and creepy.

Here are the questions you failed to address from my last message. Please answer:

1. Why do you think that question [about the potential of iTunes being hacked] is relevant to how individuals manage their website passwords?

2. Please explain: why in heaven's name does anybody need to store any personal information on the MR website?
 
No you are right. I just think people are not realizing that having secure passwords is not on everyone's list of important things to do. Not saying it should not be, but making people feel like they are dumb for MR getting hacked, and their stuff being easy to get to is kind of crazy. MR is to blame for this whether people want to admit it or not. They are not at fault for people's info not being secured on other sites, but they are the ones that got hacked. Us as users could do nothing to stop it. Whether you had personal info or not on MR. This was not a good thing, and MR should be held accountable.

So what do you propose? Precisely what is the definition of "accountability" that you've been hawking throughout this thread? Do you want Arn jailed or fined because the site was hacked (joining legions of other companies and government agencies that have been hacked)?

I'm sure Arn is as upset as you are and while yes, things could have been handled differently, why not just chalk it up to a life lesson and learn from the experience instead of beating a horse to death?
 
What exactly is the point of quoting someone's entire article and failing to address any of the points discussed?



Why do you ASSume I trust Apple with my personal info? Do you realize you can have an iTunes account without a credit card?



:confused: We have absolutely no idea what this was supposed to mean.



You're free to do whatever you wish. Memorize all your passwords. Write 'em on a bunch of 3x5 cards. Whatever. Just realize: if you use the same password on multiple hosts, it will end up biting you.



Another nonsense statement. Where did anyone in this discussion ever say that? :confused:



When Gawker had their database breach back in 2010, I realized it as an opportunity to take responsibility for managing my passwords. I didn't worry about having Gawker "take the fall" for the breach, I just dealt with it like an adult.

If you use the same password on multiple sites, you will continue to risk its compromise. You will never ever know if/when your account has been compromised. Until you stop sharing passwords, there is absolutely no way out of that dilemma. Blaming this problem on one website is completely silly.



Since you're sharing passwords, your MR data could well have already been compromised through one of those other websites. Or it could be compromised tomorrow. You may never ever know if/when it gets compromised. If you're concerned about your private data on MR, continuing to ignore that risk is strange and creepy.

Here are the questions you failed to address from my last message. Please answer:

1. Why do you think that question [about the potential of iTunes being hacked] is relevant to how individuals manage their website passwords?

2. Please explain: why in heaven's name does anybody need to store any personal information on the MR website?

1. I am suggesting like MR (which you claim no one should have personal info on) there are other sites which people freely give their personal info away. Apple was just one I thought of off the top of my head. Why you would have an iTunes account without a CC is beyond me. I am merely suggesting that yes while you don't keep personal data on MR. People do. I am not one of them as I have said many times, and you keep trying to use that. I have, and never will keep personal info on MR. Most anyone would have no issue giving their CC or anything else to Apple for iTunes. I know these are completely different services, but I am just using the fact that no one worries about Apple getting hacked. Which none of the people thought anything about MR either.

If you want a different example what about the PS network? I did not see anyone screaming they should have not put personal info on that when it got hacked. No one expected it to get hacked. That has nothing to do with having different passwords, or having a service like lastpass. When they hacked it all the CC, and everything else personal was available to them. Same goes for MR. That is the only point I am trying to make. We both agree having personal info on MR was not the smartest thing, but it still happened.

2. Again I will say I do not, nor will I ever put personal info on MR. Why trusted them with that I don't know. The reason they put it on there was for the market place. People selling and buying. My opinion was that was not smart, but again that does not mean MR is not the blame for the hack. Yes they did not need to put personal info on the site, but being hacked is something out of their hands.

Guess we will agree to disagree, but I answered your questions to the best of my ability. If you need clarification let me know.
 
So what do you propose? Precisely what is the definition of "accountability" that you've been hawking throughout this thread? Do you want Arn jailed or fined because the site was hacked (joining legions of other companies and government agencies that have been hacked)?

I'm sure Arn is as upset as you are and while yes, things could have been handled differently, why not just chalk it up to a life lesson and learn from the experience instead of beating a horse to death?

Sorry I just felt people jumped on the OP, and suggested it was all the users' fault for putting anything personal on MR. I am only defending the fact that there is blame to both parties, but MR is the main place the blame should go.

When I say held accountable I mean like what I have been saying all along. Instead of people saying "well you should have not put that info on MR" why not just say what it is. MR screwed up, and got hacked. There were too many people acting as if it was just another day, and everything was fine.

I don't expect anyone to go to jail, and maybe I have gone a bit too far, but I see this so much on this site. Whether it be MR, or Apple. They are never to blame, and if people suggest they are. It becomes a blood bath for the people that blame them. Again maybe I have made more out of this than I should have, but sometimes it just gets old hearing how great these two are.
 