
Now that they have cracked the passwords what next?
It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?
Along with the LinkedIn password dump, dating site eHarmony has confirmed that some of its users’ passwords have also been published online, possibly by the same attacker who obtained the LinkedIn data. The company has responded with the usual “the security of our users” bromide here. It says all affected user passwords …
> It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?
There is the potential blackmail angle (as mentioned in the article)
But dating sites also have a *LOT* of personal information about a person: Date of Birth, Place of Birth, Current Address, Credit Card information, children's details, general background information, pictures, etc. A gold mine if you want to steal someone's identity.
> But dating sites also have a *LOT* of personal information about a person: Date of Birth, Place of Birth, Current Address, Credit Card information, children's details, general background information, pictures, etc. A gold mine if you want to steal someone's identity.
So....you just make them nearly correct rather than actually correct? OK, doing that for credit card info isn't normally possible. But for DOB, place of birth and everything else it can be. I guess for a dating site - where you might want prospective matches to know that you live in town X rather than Y - you might put the more accurate details in free text.
I'll bet that if you scanned the date of birth field in many sites you'd find a disproportionate number of people born on Jan 1st.
> Now that they have cracked the passwords what next?
If they did manage to gain access to the lusernames as well,
[1] try those credentials against every financial site until you get a hit
[2] profit!!!
Otherwise, if the passwords are unencrypted, add the entire password file to a dictionary, SHA-encrypt it, and look for matches against the SHA-encrypted LinkedIn passwords.
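The cross-leak matching described in that reply only works because both sites stored bare, unsalted fast hashes. The following added example (not from the thread; all sample passwords, users and salts are constructed) shows the same check a site operator can run against their own store to find users who reused a password from a public leak, and why a per-user salt plus a slow hash turns one cheap table lookup into separate work per user:

```python
import hashlib

# Constructed sample data: plaintexts supposedly recovered from one site's leak.
LEAKED_PLAINTEXTS = ["letmein", "Tiemekangaroodownsport", "qwerty123", "hunter2"]

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()

def pbkdf2_hex(password: str, salt: bytes, rounds: int = 20_000) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

# Store 1: bare SHA-1(password). Two of the three users reused a leaked password.
UNSALTED_STORE = {
    "alice": sha1_hex("letmein"),
    "bob": sha1_hex("qwerty123"),
    "carol": sha1_hex("s0mething-unique"),
}

# Store 2: the same passwords, but each user has a fixed (constructed) 16-byte
# salt and a slow salted hash instead of a bare fast one.
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}
SALTED_STORE = {
    user: pbkdf2_hex(pw, SALTS[user])
    for user, pw in [("alice", "letmein"), ("bob", "qwerty123"),
                     ("carol", "s0mething-unique")]
}

def reused_in_unsalted(plaintexts, store):
    """Hash every leaked plaintext once, then look each stored hash up in that
    table. Returns ({user: matched_password}, number_of_hash_computations):
    the work is one hash per leaked word, however many users the store has."""
    table = {sha1_hex(p): p for p in plaintexts}
    hits = {user: table[h] for user, h in store.items() if h in table}
    return hits, len(plaintexts)

def reused_in_salted(plaintexts, store, salts):
    """With per-user salts there is no shared table: every (user, plaintext)
    pair must be hashed separately, so work grows as users x plaintexts,
    and each hash is itself 20,000 rounds rather than one SHA-1 call."""
    hits, work = {}, 0
    for user, stored in store.items():
        for p in plaintexts:
            work += 1
            if pbkdf2_hex(p, salts[user]) == stored:
                hits[user] = p
                break
    return hits, work
```

Both functions find the same two reusers; the point is the second one has to redo the hashing for every user, which is what makes a leaked dictionary far less useful against a properly salted store and, for an operator, makes forcing a reset on those matched accounts the practical response.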
> It's a dating site, is the hacker going to become a match maker or try to steal your prospective date?
I tried eHarmony once, and I say good luck to them if they try to steal my prospective date. The only match they could find for me at the time was already my ex. It says a lot that they tried to make a match that had already failed as spectacularly as that one.
Use complex passwords for each website and then write them down with pen and paper and put them in your desk drawer. I know some 'security' experts will say you should never write down your passwords, but in reality you're much more likely to get your passwords stolen by trojans or leaked online than have a physical break-in by someone who is going to steal your passwords. The sort of person who breaks into your house is more likely going to be there looking for quick cash by nicking games consoles, TVs, laptops etc. he can flog down the pub.
There are an increasing number of sites that insist your password should include capitals AND numbers/symbols (but not all symbols are allowed). So long passphrases are not always possible.
Interestingly, this place is, I think, the last place that I still use the portmanteau password I used to use pretty much everywhere. I have graduated to more intricate portmanteaus. They are all related, but only to me.
My current serious passphrase consists of three words separated by one or more numbers or symbols. The three words are a phrase which makes sense to me... and are direct literal translations of that phrase from English into three different languages, two of which are not Indo-European languages. (I _did_ use one made-up language from a fictional universe. Good luck guessing which one.) And I periodically change the 'padding', the numbers and symbols. Yes, it's crackable, but not easily.
My non-serious password is a simple English word... with unusual capitals. I use it for places where I simply don't care if someone figures it out, such as El Reg. And I use throw-away email addresses for such places, too. The email address which I used to set up my El Reg commentard account is an address I use _only_ for commentarding. I don't _care_ if anyone works out what that account is; there is no identifiable data there, other than my name. My 'profile' is deliberately misleading, including the picture. (Hint: I didn't really attend Evil Empire University, Mos Eisley, Tatoonie.)
1) always write down your passwords in a book beside your computer
(Computer hackers can't read your paper notebooks)
2) Always make it easy to remember
Tiemekangaroodownsport ( nice)
3) tell everyone on-line what your password is, twitter is the best tool for that
4) on a serious note, if you are joining a dating site, are married and have a weak password, you deserve to be caught
I always use numbers, letters and the other ones whose names I forget right now.
And I make them like 20 or 30 characters long. Where I can. It is surprising the amount of sites that won't let you use more than 14 characters or stop you from using the other ones whose names I still can't remember.
No one is cracking the strong ones of mine, unless they have a few thousand years and half the computers in the world hooked up. They could, however, take a screenshot, or god forbid, have a look in my desk at the big piece of paper that says 'PASSWORDS TO REMEMBER FOR IMPORTANT SITES'.
So I'm not complacent. No, sir. Not me.
I'll give you an example of one of my un-crackable ones -
******************************
Obviously I'm not so stupid as to give you the real password - that would just be moronic, but I'm sure you get the picture.
If it is the password hashes which have been compromised, it doesn't matter if the original password is a long phrase or a random mix of symbols. The attack works by finding a string which gives the same hash value as one in the file; the string doesn't need to be the same as the original, as millions of passwords hash to the same value.
Checking back through my logs, I found this in my spam folder, sent in June last year to a unique e-mail address used only for eHarmony. Odd that a 419 scammer should have ended up with it.
I'm sure there are other crooks out there to whom it would have been far more valuable.
From info <at> freelotto.co.uk Thu Jun 9 03:17:13 2011
X-Spam-Flag: YES
X-Spam-Score: 18.547
Received: from EXFE02.easyxchange.co.uk (ex01.easyxchange.co.uk [62.233.64.252]) by xxx (Postfix) with ESMTP id 112086608F for <UNIQUE Eharmony ADDRESS>; Thu, 9 Jun 2011 03:17:07 +0100 (BST)
Received: from User ([178.111.129.176]) by EXFE02.easyxchange.co.uk with Microsoft SMTPSVC(6.0.3790.1830); Thu, 9 Jun 2011 03:15:51 +0100
From: Free Lotto Company <info <at> freelotto.co.uk>
Subject: CLAIM YOUR 2011 AWARD OF 4MILLION GBP
Date: Thu, 9 Jun 2011 03:17:02 +0100
Congratulation,You have therefore been qualified for a lump sum payout of
4,000,000.00 (Four Million British Pounds) in cash In your favor, To
redeem your prize instantly,you are to contact your Lottery Agent
Mr.Williams Wilcox.
Email: sirwilliamwxdept@aol.co.uk
Tel:+447404586428