Yes Virginia, size DOES matter. Keep it LOOOOONG

When creating your new passwords, please keep this XKCD comic in mind and maybe we'll all have secure, easy to remember passwords:

Please explain why the four words is that much more secure ... it is simply because it is more than twice as long

While there is debate about the value of password padding, clearly including spaces, special characters, and numbers will increase the combinations and permutations that need to be tested by a hack.

HOWEVER, any kind of special formula that becomes popular will rapidly move to the front of the hackers' testing, so be careful about adopting anything published rather than using the same info to create your own scheme.

A combination of padding, acronyms, mnemonics, inclusive character sets, and site reminders that is LONG is your best bet.
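As a worked answer to the question above about why four random words are stronger, and to the caution about published formulas, here is an added example that is not part of the original posts. The word-list size, the padding recipe, the sample passwords and the guess rate are all constructed assumptions.

```javascript
// Added example: what a strength meter reports vs. what an attacker who
// knows the recipe actually has to search. All values are constructed.

// Strength-meter estimate: treats every character as an independent, uniform
// pick from the character classes that appear in the password.
function naiveBits(password) {
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^a-zA-Z0-9]/.test(password)) alphabet += 33; // ASCII symbols + space
  return password.length * Math.log2(alphabet);
}

// Scheme-aware estimate: only the random choices count. `choices` lists how
// many equally likely options each step of the recipe had.
function schemeBits(choices) {
  return choices.reduce((sum, n) => sum + Math.log2(n), 0);
}

// Average seconds to hit the secret (half the space) at a given guess rate.
function avgSeconds(bits, guessesPerSecond) {
  return 2 ** (bits - 1) / guessesPerSecond;
}

const WORDS = 2048; // assumed word-list size: 11 bits per random word
const schemes = {
  // Four words drawn at random from the list.
  fourRandomWords: { sample: 'orbit candle mango thirst',
                     choices: [WORDS, WORDS, WORDS, WORDS] },
  // A published formula: one list word, capitalised, then one of 32 symbols
  // repeated until the total length is somewhere in 16..32 (17 lengths).
  wordPlusPadding: { sample: 'Mango' + '!'.repeat(19),
                     choices: [WORDS, 32, 17] },
};

function compare(guessesPerSecond) {
  return Object.entries(schemes).map(([name, s]) => ({
    name,
    length: s.sample.length,
    naiveBits: Math.round(naiveBits(s.sample)),
    actualBits: Math.round(schemeBits(s.choices)),
    avgSeconds: avgSeconds(schemeBits(s.choices), guessesPerSecond),
  }));
}

console.table(compare(1000)); // 1000 guesses/s is an assumed online rate
```

Both samples look similar to a strength meter because both are long, but only the four-word scheme keeps its strength once the recipe is known: its length comes from random choices rather than from repetition.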
 
MR already offers numerous areas for support-related content. However this thread resides within the News Discussion area so it's going to have the most opinionated and emotional comments out of the rest. It's not unique to MR and it gets just as silly/heated in the Android/Windows/Linux/Photoshop forums as well.

I'm in agreement on what you are saying. I suppose I'm someone who has determined that many of the (as you said) opinionated/emotional conversations which exist everywhere....radio, TV, reality shows, have nothing in common with helping humanity. It does supply an outlet for the person who truly enjoys attacking the views and opinions of others. Especially on the web where it is not easy to strike out with physical retaliation. It is always easy to bully up on a person and what they are doing and saying, if you are hiding behind a keyboard miles away.
 
for what it's worth,

vBulletin.com got hacked as well. The hackers claim they got access to our moderator account due to that hack/breach.

http://www.vbulletin.com/forum/foru...7195-important-message-regarding-your-account

arn

perhaps they'll improve their product!

Perhaps MR should have done the same thing vBulletin did.

"We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account."
 
Perhaps MR should have done the same thing vBulletin did.

"We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account."

It's not as simple a function on vb3. Not sure if they wrote that themselves or it's a feature in vb5.

We'll auto-change passwords for people who haven't changed their passwords after all the emails go out, so they'll have to use password recovery to get back in.

arn
 
Number 882, here's my two cents.

Really, what is the big deal if someone can log in using my info. What are they going to do? Post malicious, venomous comments in my name? Nobody would even notice with all the abuse that takes place daily on just about every online forum, it would just be more noise. If you want to help prevent things like this from happening in the future then try your best to be considerate of others and to be the best example that you can be. If this type of behavior catches on then all sorts of trouble will soon disappear.
 
Really, what is the big deal if someone can log in using my info. What are they going to do? Post malicious, venomous comments in my name? Nobody would even notice with all the abuse that takes place daily on just about every online forum, it would just be more noise. If you want to help prevent things like this from happening in the future then try your best to be considerate of others and to be the best example that you can be. If this type of behavior catches on then all sorts of trouble will soon disappear.

What you say is true--unfortunately that only applies if that password is only used here on MacRumors. For some who use the same password on multiple sites, the ramifications are not so simple. Best practice--one site, one password.
 
Well, I got the email and literally right after (within 30 minutes) I had my twitter, gmail, and Facebook all hacked. :mad:
 
I've finally given in and installed LastPass and I have now created different 32 character passwords for all the sites I am registered on. Hopefully this works out, it was a pain to manually re-enter them on my iPhone though. Hopefully I won't have to re-enter them manually all that often from now on...

This is going to take some getting used to.

I hate how some sites still only let you use crap passwords. Why impose limits such as a 16-character limit on a password? I don't get what they gain from it.
 
Really, what is the big deal if someone can log in using my info. What are they going to do? Post malicious, venomous comments in my name? Nobody would even notice with all the abuse that takes place daily on just about every online forum, it would just be more noise. If you want to help prevent things like this from happening in the future then try your best to be considerate of others and to be the best example that you can be. If this type of behavior catches on then all sorts of trouble will soon disappear.

hey, wait.. you gotta lead by example to some extent.. telling people to be good using a writing style which is at least moderately condescending and opinion fueled (i.e.- standard forum post) isn't going to go over so well..
 
Who said I did? Out of all of my accounts, only my gmail was the same as the forum and then they used the email to hack into everything else

That still means you reused at least one password, but you probably reused other passwords as well. Each account belonging to a given person should always be unique, and those passwords should also be both long and randomly generated. That's what password managers are for.

As an additional note, the services you mentioned (Google, Twitter, and Facebook) all support multi-factor authentication. You should enable it for those accounts.
 
Although I agree that using different passwords for each site/account is a GOOD idea, the older I get the harder it is to remember all the different usernames/passwords. Not to mention all the answers to the security questions some sites have decided to impose on me.

Sorry, got off topic with my security questions comments.

Back on topic…. it's a bummer that the site got hacked. :mad:

I have not read through all the posts so I apologize if this was already covered. Would I be correct in assuming the pop-up that kept asking me to login when I would click on a thread to read it was part of the hack?

I just closed the pop-up and did not enter any information since it seemed out of place. Especially since I was already logged into the forum. But I can't help but wonder how many users may have re-entered their information into the pop-up.

So…. short of having to write down all the different passwords for a lot of sites on a piece of paper (not very secure), use a password manager (more secure), or use PGP to encrypt a text file with all my passwords in it (very secure), are there any other solutions that are easy/simple to use without compromising security more than necessary?

Jon…
 
So…. short of having to write down all the different passwords for a lot of sites on a piece of paper (not very secure), use a password manager (more secure), or use PGP to encrypt a text file with all my passwords in it (very secure), are there any other solutions that are easy/simple to use without compromising security more than necessary?

Why is it that you believe password managers are less secure than PGP?
 
Why is it that you believe password managers are less secure than PGP?

Fair enough, they probably are just as secure. Or at least close enough to not be concerned about. I just trust PGP to be very secure since I have been using it for a long time and do not have any experience with password managers.

Also, it's my understanding that "some" password managers sync to servers on the Internet. If that's true, unless they use end-to-end encryption between the server and user device, they would not be as secure as using PGP locally on the device.

But like I said, I have not used password managers so my above comments about them may not be accurate.

Jon…
 
Also, it's my understanding that "some" password managers sync to servers on the Internet. If that's true, unless they use end-to-end encryption between the server and user device, they would not be as secure as using PGP locally on the device.

LastPass, 1Password, and KeePass perform all encryption and decryption on the local machine. All servers ever get is an encrypted blob, and only the user has the key. Also, KeePass is free and open source, meaning outside developers can see exactly how it works and make sure there's nothing fishy going on.

See this post if you haven't already: https://forums.macrumors.com/posts/18357437/

In short, the answer to your question is to use a password manager. They are as secure and easy to use.
 
How am I supposed to know? Just coincidence that the email I use for this forum got hacked when I only use that email for this forum and my social media sites?
Did your password consist of dictionary words? Because it looks like "the hacker" wasn't able to get Arn's password. He had to pay someone else to figure it out for him. Surely the dude didn't pay to get your password? I mean, what's in it for him for getting your social media sites?

If you haven't already, you should read post 779 in this thread.
 
LastPass, 1Password, and KeePass, perform all encryption and decryption on the local machine. All servers ever get is an encrypted blob, and only the user has the key. Also, KeePass is free and open source, meaning outside developers can see exactly how it works and make sure there's nothing fishy going on.

See this post if you haven't already: https://forums.macrumors.com/posts/18357437/

Thanks for the info and the link.

I'll check it out,

Jon…
 
Perhaps MR should have done the same thing vBulletin did.

"We take your security and privacy very seriously. Very recently, our security team discovered sophisticated attacks on our network, involving the illegal access of forum user information, possibly including your password. Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems. We have taken the precaution of resetting your account password. We apologize for any inconvenience this has caused but felt that it was necessary to help protect you and your account."
Is that all that vBulletin did -- reset everyone's password? Regarding their being hacked, I don't see a Notice at the top of their forums (like MacRumors did), or anything on their Facebook or Twitter pages about it. Nothing on their main website either. :confused:
 