Archive of 1.4 billion credentials in clear text found in dark web archive
A data dump containing over 1.4 billion email addresses, passwords, and other credentials, all in clear text, has been found online by security shop @4iQ. The 41-gigabyte file was discovered on December 5 and had been updated at the end of last month, indicating the data is both current and being used by third parties. The …
COMMENTS
Tuesday 12th December 2017 11:47 GMT Wensleydale Cheese
Re: 12345? That's amazing, I've got the same combination on my luggage!
"123 here for me."
No problem. If you have a two lock case you can go one better - the other can be 456.
I went one better in the 90s, and used my 6 digit home phone number for a briefcase.
I then changed jobs and found I didn't need a briefcase any more. I also moved house.
Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.
I finally dug it out of an old CV that was lying around on my hard drive
Tuesday 12th December 2017 12:13 GMT Roland6
Re: 12345? That's amazing, I've got the same combination on my luggage!
Wind forwards about 15 years and I wanted to use the briefcase again. One of the locks had got nudged and for the life of me I couldn't remember that old phone number to unlock it. Old phone bills had been chucked out years before.
I finally dug it out of an old CV that was lying around on my hard drive
Know the feeling, I've got a whole bunch of encrypted files scattered through my projects archive, I simply wrote the passphrase in the margin of my then current notebook/diary. If I ever want to access these files and the disk is still readable, it will be a long skim read through my old notebooks/diaries...
Tuesday 12th December 2017 14:47 GMT Anonymous Coward
Re: 12345? That's amazing, I've got the same combination on my luggage!
"...I finally dug it out of an old CV that was lying around on my hard drive"
You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average.
Tuesday 12th December 2017 17:40 GMT Wensleydale Cheese
Re: 12345? That's amazing, I've got the same combination on my luggage!
"You probably could have brute-forced the combos in much less time than searching your hard drive. Each lock only had a code space of 1000 combinations, and since they can be tried independently, you'd only have to make 1000 attempts on average."
Full marks to Apple's Spotlight in this case.
I did a search for content using my old street name and Spotlight came up with that CV in a matter of seconds.
Brute forcing the lock turned out to be unnecessary.
Tuesday 12th December 2017 09:57 GMT Muscleguy
Re: 12345? That's amazing, I've got the same combination on my luggage!
My wife uses her birthday. A friend she sometimes stays with to help with the kid has her alarm similar so Mrs Muscleguy can remember it.
Unsurprisingly having married someone with a very good memory she leans on me a lot to remember stuff. My sisters were amazed that I could still remember our phone number for the house we lived in in Southern NZ in the mid 1970s and the next house too. Some things just stick in my mind. I never actually tap it in any more but my wife's mobile # she has had since the '90s is burned into my mind too.
Tuesday 12th December 2017 03:18 GMT eldakka
Has an analysis of the types of accounts been done?
Over the decades of the internet, I've created thousands of 'throw-away' accounts that have used simple passwords along those lines.
Temporary email accounts, one-off accounts on a site that I must register for (and that required me to create a 2nd account - one-off email account - to receive the registration email for) that I felt some one-off need to comment on that particular article, an account I've never used since on a site I may have never visited again.
For those types of accounts, I'm not going to try a complex password I'm just going to put in abcd1234 or whatever reaches the minimum password requirements.
Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.
Tuesday 12th December 2017 08:44 GMT Steve Davies 3
Re: Has an analysis of the types of accounts been done?
A lot depends upon the level of obfuscation you give to the username you are creating
for example
RocketMan@eltonj.com
or
SlowMotion@man.co.uk
are low levels of obfuscation
and
TR6DBP966G@gmail.com
Is a higher level.
But easy for you to remember if you had a Triumph TR6 with the registration number DBP966G
and finally
Df_Rg!Th$Y&jU@hotmail.com
is higher still but pretty well impossible for a human to remember so it gets written down somewhere... Doh!
Tuesday 12th December 2017 15:02 GMT Andy The Hat
Re: "The only password phrase to remember is that for Keepass."
Only hypothetical issue is the password/keystroke grabber trojan inserted into the apparently valid download file by some script kiddie. Instead of hitting only one password you can get tens.
The question being, is that a valid scenario for such password vaults?
My password vault was used to contain only memory hints to the passwords as I never knew whether the vault itself was secure or purely an obfuscated pipe to a central server ...
Monday 18th December 2017 16:47 GMT Charles 9
Re: Has an analysis of the types of accounts been done?
"For home use, you should have a notebook, pen and a safe. All your passwords should be written on paper. This way, they can only be stolen by someone breaking into your house and stealing your safe."
Or your spouse who ALSO knows the combination...or a close associate of yours who cleans enough to figure it out and knows what's at stake.
"Software is not secure. Wise up. Don't become a statistic."
Neither's the safe if you have family or a significant other. Put it this way. If someone REALLY wants to get you and you have a bad memory, you're basically screwed because your adversary can out-memorize you.
If software's not secure, why does the government (including the security sectors) use it? Put it this way, if someone can break KeePass, they'd find bigger fish cracking government communiques that use the same algorithms.
Tuesday 12th December 2017 12:01 GMT Cuddles
Re: Has an analysis of the types of accounts been done?
"but pretty well impossible for a human to remember so it gets written down somewhere... Doh!"
Why do people keep insisting that writing down passwords is in some way a bad thing? The vast, vast majority of hacks are done remotely. A post-it note on my desk is just about the safest possible place to store a password, because I can guarantee no hacker will ever see it (no, I don't have a webcam or any other connected bullshit that could expose it). Even if I get particularly unlucky and someone breaks into my house, the chance of them caring about some passwords or having the connections to sell it (or finding a buyer who actually cares about a single person's password when billions are available online) are essentially zero; they're just going to nick the TV and whatever else they can easily flog to a mate.
A workplace where you don't want all the random people wandering around to have access to your passwords is a bit of a different matter, but since we were talking about accounts created for personal use that's not so relevant.
As it happens I actually use a password vault because I'm willing to trade a bit of security for the convenience of not having to carry a stack of post-it notes around with me. Also, with my handwriting post-its would make my credentials so secure that even I would never be able to use them.
Tuesday 12th December 2017 15:50 GMT Naselus
Re: Has an analysis of the types of accounts been done?
"Df_Rg!Th$Y&jU@hotmail.com
is higher still but pretty well impossible for a human to remember"
Speak for yourself. I named my daughter Df_Rg!Th$Y&jU@hotmail.com and so, in my case, I feel it would be a rather obvious username to go with.
Tuesday 12th December 2017 08:51 GMT sorry, what?
Re: Has an analysis of the types of accounts been done?
Personally, I use mailinator.com accounts, where there are no passwords, and fake names when doing this sort of forced registration. The only stuff sent to these accounts is marketing trash or offer codes etc., neither of which will be particularly troublesome for someone else to access.
Because there's no password at all, and the account names relate to the site being accessed along with fake names etc. I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D
Tuesday 12th December 2017 11:56 GMT Anonymous Coward
Re: Has an analysis of the types of accounts been done?
"I don't think I leave anything wedge shaped that can be used against me. I could be wrong, of course, since I don't have a degree in psychology :D"
I do have a degree in psychology and can think of no particular area I studied which would help here.
A PhD in the study of subconscious habits and thought patterns might do the trick.
Tuesday 12th December 2017 17:36 GMT William Towle
Re: Has an analysis of the types of accounts been done?
> Just like those irish folk are always trying to inject SQL on me with their O'this and O'that.
My colleagues and I were discussing the problem with handling that recently, and noted there didn't seem to be a catchy name for it.
I suggested that in keeping with "the Emergency" and "the Troubles" (and so on) that it should be called "the O'Bother".
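The "O'this and O'that" problem above is an unescaped apostrophe closing a SQL string literal early. The following is an added example (not code from the thread) showing the broken concatenated query beside the parameterised fix, using Python's built-in sqlite3 module over a constructed in-memory table; the surnames and e-mail addresses are made up for the demonstration.

```python
import sqlite3

# Constructed sample rows for the demonstration (not real data).
SAMPLE_USERS = [
    ("O'Brien", "sean@example.invalid"),
    ("O'Bother", "bother@example.invalid"),
    ("Smith", "smith@example.invalid"),
]


def make_db():
    """Build an in-memory SQLite database with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (surname TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_unsafe(conn, surname):
    """Vulnerable: the surname is spliced into the SQL text, so an apostrophe
    terminates the string literal and the rest of the input is parsed as SQL."""
    sql = f"SELECT email FROM users WHERE surname = '{surname}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, surname):
    """Fixed: a bound parameter is passed as a value and never parsed as SQL,
    so apostrophes (or anything else) in the surname are harmless."""
    sql = "SELECT email FROM users WHERE surname = ?"
    return [row[0] for row in conn.execute(sql, (surname,))]


def demo():
    """Run both lookups against an ordinary Irish surname and a classic
    injection payload; return the observations as a dict."""
    conn = make_db()
    results = {}
    # The apostrophe in O'Brien breaks the concatenated query outright.
    try:
        lookup_unsafe(conn, "O'Brien")
        results["unsafe_obrien"] = "no error"
    except sqlite3.OperationalError as exc:
        results["unsafe_obrien"] = f"error: {exc}"
    # The same apostrophe lets an attacker rewrite the WHERE clause:
    # ... WHERE surname = 'x' OR '1'='1'  -> every row comes back.
    results["unsafe_injected"] = lookup_unsafe(conn, "x' OR '1'='1")
    # The parameterised query handles both inputs correctly.
    results["safe_obrien"] = lookup_safe(conn, "O'Brien")
    results["safe_injected"] = lookup_safe(conn, "x' OR '1'='1")
    conn.close()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The syntax error is the friendly failure mode; the silent one is the payload that returns every row (or, with a different payload, modifies data). Binding parameters fixes both, and the same rule holds for every database driver, not just sqlite3.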
Tuesday 12th December 2017 23:26 GMT Kiwi
Re: Has an analysis of the types of accounts been done?
Therefore my own internet usage history has created several thousand (knowingly) crappy-password accounts and several hundred strong (at the time) password-accounts. Horses for courses.
Same here. Not thousands maybe, but could be hundreds.
Plus, with my hatred of farcebroke but occasional like to find others, I've now had at least a couple of dozen single-sign-in (no not single-sign-ON) FB accounts that were used once, search the name, close the private window, never remembered the password again. Or the account name etc.
Tuesday 12th December 2017 13:03 GMT Prst. V.Jeltz
That is actually a pretty good idea. If my email address (and quite possibly password) is on a dark web archive that is actively in use I'd like to know!
And it's not like the dilemma of removing botnet clients from machines where you're actually changing the machine, and therefore breaking the law / could be responsible for god knows what breaking.
It's just an email. I guess there are probably some spam laws that will rule this out.
Tuesday 12th December 2017 13:43 GMT Anonymous Bullard
Today is your lucky day: https://haveibeenpwned.com
Tuesday 12th December 2017 14:33 GMT Prst. V.Jeltz
Thanks. I didn't really trust that site before so hadn't tried it. I have now and lo and behold:
"In August 2016, the Unreal Engine Forum suffered a data breach, allegedly due to a SQL injection vulnerability in vBulletin. The attack resulted in the exposure of 530k accounts including usernames, email addresses and salted MD5 hashes of passwords."
and also
"Onliner Spambot (spam list): In August 2017, a spambot by the name of Onliner Spambot was identified by security researcher Benkow moʞuƎq. The malicious software contained a server-based component located on an IP address in the Netherlands which exposed a large number of files containing personal information. In total, there were 711 million unique email addresses, many of which were also accompanied by corresponding passwords. A full write-up on what data was found is in the blog post titled Inside the Massive 711 Million Record Onliner Spambot Dump."
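The distrust expressed above ("I didn't really trust that site") is the right instinct for a service that asks for secrets. The email lookup used in the thread sends the address itself, but the same site's Pwned Passwords range endpoint (https://api.pwnedpasswords.com/range/<prefix>) is designed so the password never leaves your machine: you send only the first five hex characters of its SHA-1 and compare the returned suffixes locally. The following is an added example, not code from the thread or from the service; the network fetcher is real but the demo runs offline against a constructed response, and the hit count shown for "password" is made up for illustration.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form the range endpoint uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """Return (5-char prefix sent to the server, 35-char suffix kept local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_http(prefix: str) -> str:
    """Real lookup (needs network). Only the 5-character prefix is sent."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    req = urllib.request.Request(url, headers={"User-Agent": "pwned-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, fetch_range=fetch_range_http) -> int:
    """Number of times the password appears in the corpus, 0 if absent.
    The comparison against the full suffix happens here, client-side."""
    prefix, suffix = split_hash(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# Constructed stand-in for the server so the example runs offline. The
# second suffix is the genuine SHA-1 tail of "password"; the counts and the
# other suffixes are invented for the demonstration.
FAKE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "011053FD0102E94D6AE2F8B83D76FAF94F6:1\r\n",
}


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: returns the constructed response or an empty range."""
    return FAKE_RANGES.get(prefix, "")


def demo() -> dict:
    """Check a notoriously common password and a long random one offline."""
    return {
        "password": times_pwned("password", fake_fetch_range),
        "long-random": times_pwned("vK8#pLq2!mZr9wXe", fake_fetch_range),
    }


if __name__ == "__main__":
    for pw, n in demo().items():
        print(f"{pw!r}: seen {n} times")
```

Swap `fake_fetch_range` for the default `fetch_range_http` to query the live service; the prefix narrows the candidate set to a few hundred hashes, which is why a single 5-character prefix tells the server nothing useful about which password you checked. The same pattern is what a signup form should use to reject passwords that already appear in dumps like the one in the article.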
Tuesday 12th December 2017 14:43 GMT Jamie Jones
At the last place I worked, an automated password cracker was used that did email users if their password had been cracked.
These were internal users, on the corporate network.
This lead to one support ticket that simply read: "How do you know my password is 6inches? Have you or your staff ever slept with me?"
True story!
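The HIBP entry quoted above mentions "salted MD5 hashes", and the anecdote here describes an internal cracker recovering a password like "6inches" from corporate hashes. Both come down to the same thing: a salt defeats precomputed tables but does nothing about a fast hash, so a dictionary run still recovers weak passwords in moments. The following is an added example (not the thread's or any employer's tool) that builds a constructed salted-MD5 dump, cracks it with a tiny word list, and shows the slow PBKDF2 storage a site should have used instead; the usernames, passwords and salts are invented.

```python
import hashlib
import hmac
import time


def md5_salted(salt: bytes, password: str) -> str:
    """The weak scheme from the breach notice: MD5 over salt || password."""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()


def make_sample_dump():
    """Constructed breach rows (username, salt_hex, digest). Not real data."""
    users = {
        "alice": "6inches",           # the password from the helpdesk ticket
        "bob": "abcd1234",            # the throwaway style mentioned up-thread
        "carol": "Tr0ub4dor&3",
        "dave": "vK8#pLq2!mZr9wXe",   # long and random: not in any word list
    }
    rows = []
    for name, pw in users.items():
        # Per-user salt. Derived from the name here only so the example is
        # reproducible; a real system would use os.urandom(16).
        salt = hashlib.sha256(name.encode("utf-8")).digest()[:8]
        rows.append((name, salt.hex(), md5_salted(salt, pw)))
    return rows


# Tiny constructed word list; real attacks use hundreds of millions of entries.
WORDLIST = ["password", "123456", "qwerty", "letmein", "6inches",
            "abcd1234", "monkey", "Tr0ub4dor&3", "dragon", "football"]


def crack_md5_dump(rows, wordlist):
    """Dictionary attack. The per-row salt means each row is attacked
    separately, but one guess costs one MD5, so that barely slows it down."""
    cracked = {}
    for name, salt_hex, digest in rows:
        salt = bytes.fromhex(salt_hex)
        for candidate in wordlist:
            if hmac.compare_digest(md5_salted(salt, candidate), digest):
                cracked[name] = candidate
                break
    return cracked


# What the site should store instead: a deliberately slow, salted KDF.
PBKDF2_ROUNDS = 600_000  # assumed cost; tune so one verify takes ~0.1-0.3 s


def hash_password(password: str, salt: bytes) -> str:
    """Encode algorithm, cost and salt alongside the digest so the cost can be
    raised later without breaking existing records."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters; constant-time compare."""
    _, rounds, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    rows = make_sample_dump()
    print("cracked:", crack_md5_dump(rows, WORDLIST))
    # Rough per-guess cost of each scheme on this machine.
    salt = b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(1000):
        md5_salted(salt, "guess")
    md5_cost = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    hash_password("guess", salt)
    print(f"md5: {md5_cost * 1e6:.1f} us/guess, pbkdf2: "
          f"{(time.perf_counter() - t0) * 1e3:.0f} ms/guess")
```

Three of the four constructed accounts fall to a ten-word list; only the long random one survives, which is the point the "abcd1234 for throwaway accounts" comment makes from the other side. The PBKDF2 record is several orders of magnitude more expensive per guess, and an attacker who steals it still has to pay that cost for every candidate on every row.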
Tuesday 12th December 2017 07:45 GMT Jin
Not because we are silly or lazy.
Being able to create strong passwords is one thing. Being able to recall them is another. And, being able to recall the relations between the accounts and the corresponding passwords is yet another.
At the root of the password headache is the cognitive phenomena called “interference of memory”, by which we cannot firmly remember more than 5 text passwords on average. What worries us is not the password, but the textual password. The textual memory is only a small part of what we remember. We could think of making use of the larger part of our memory that is less subject to interference of memory. More attention could be paid to the efforts of expanding the password system to include images, particularly KNOWN images, as well as conventional texts.
Tuesday 12th December 2017 13:06 GMT Prst. V.Jeltz
Re: Not because we are silly or lazy.
That's what I do, but I keep the formula for blending the domain name in my head, so I can easily work out what my password for a given site is - and I need to up the algorithm a bit to make it more secure.
If a "password masher" is going to produce a result that means nothing to you - why base it on the domain? Surely random would be better?
Monday 18th December 2017 10:37 GMT Saul Dobney
Re: Not because we are silly or lazy.
The password masher takes a simple password and mashes it against the domain seeded with some fixed options to produce a strong password. That strong password is unique to the domain, so the password doesn't get used anywhere else, so no password leakage. By hashing the domain, the password and some hidden fields, reverse engineering back to the simple password is very very hard (more so since there's an additional level of personalisation possible). The simple password stays local, but doesn't need to be stored or written down itself, while the code for mashing runs locally, again so the password itself doesn't get exposed.
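The "masher" described above is a per-site key derivation: a master secret, the normalised domain and some private options go into a slow hash, and the output is rendered as a password. It answers the "why base it on the domain?" question in the earlier reply: the domain is what makes the output reproducible without storing anything, and a leaked site password gives an attacker only a PBKDF2 output to grind through. The following is an added example, not the commenter's tool; the iteration count, the character alphabet and the fixed-position class guarantee are design choices of this example.

```python
import hashlib
import string
import unicodedata
from urllib.parse import urlsplit

ITERATIONS = 100_000   # assumed cost; raise until derivation takes ~0.2 s on your slowest device
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def normalise_domain(site: str) -> str:
    """Map 'https://www.Example.com/login' and 'example.com' to the same key,
    so the same password is derived however the site was reached."""
    host = urlsplit(site if "://" in site else "//" + site).hostname or site
    host = host.lower().strip(".")
    if host.startswith("www."):
        host = host[4:]
    return host


def derive_site_password(master: str, site: str, options: str = "",
                         length: int = 20, revision: int = 1) -> str:
    """Deterministically derive a site-specific password from a master secret.

    The salt binds the output to the domain, a private 'options' string (the
    hidden fields in the comment) and a revision counter, so one site's
    password can be rotated by bumping the revision without touching the
    master. PBKDF2 makes offline reversal of a leaked output expensive.
    """
    if not 4 <= length <= 60:
        raise ValueError("length must be between 4 and 60")
    domain = normalise_domain(site)
    salt = f"{domain}|{options}|{revision}".encode("utf-8")
    master_bytes = unicodedata.normalize("NFKC", master).encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", master_bytes, salt, ITERATIONS, dklen=64)

    # Map key bytes onto the alphabet. 256 mod 75 != 0, so this has a slight
    # modulo bias; acceptable for a password generator, not for a keystream.
    pw = [ALPHABET[b % len(ALPHABET)] for b in key[:length]]

    # Guarantee one upper, one lower, one digit and one symbol so typical
    # complexity rules pass. Fixing the class of the first four positions
    # costs a little entropy; the spare key bytes pick the characters.
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS]
    spare = key[length:]
    for i, cls in enumerate(classes):
        pw[i] = cls[spare[i] % len(cls)]
    return "".join(pw)


if __name__ == "__main__":
    master = "correct horse battery staple"       # example master secret
    for site in ("https://www.Example.com/login", "example.com", "example.org"):
        print(f"{site:32} -> {derive_site_password(master, site, options='pin:4242')}")
    print("rotated  ->", derive_site_password(master, "example.com", options="pin:4242", revision=2))
```

The trade-off the thread hints at is real: the master secret is now a single point of failure for every site, and a site that rejects the alphabet or length above needs a per-site override that has to be remembered or stored, which is where a password manager creeps back in.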
Wednesday 13th December 2017 23:31 GMT elDog
No problem. After 2-3 generations of your spawn that'll become automatic
Typing a 500 character string into a text box will be embedded in the DNA of the great-grandchildren of this currently procreating generation.
This will be passed on via pure genetics from the one or more parents that contribute genetic code to the little embryonic robot. The little kid will be able to bring up the holographic portal just after birth and enter its U500.
If, in unfortunate circumstances, the little human cyborg loses its U500 - no problem. We'll terminate the current one and issue you a permit to start another. (SROFF excepted).
Thursday 14th December 2017 05:43 GMT Anonymous Coward
Re: No problem. After 2-3 generations of your spawn that'll become automatic
"If, in unfortunate circumstances, the little human cyborg loses its U500 - no problem. We'll terminate the current one and issue you a permit to start another. (SROFF excepted)."
And if that's not possible (the maternal unit is medically barren or post-menopausal)?
Tuesday 12th December 2017 10:26 GMT John Robson
Re: STOP. In the name of love.
Slightly missing the point of the XKCD cartoon there.
Password managers are clearly a good way to go - I have no idea what most of my passwords are, and I don't need to. That much the article has correct.
But there are a host of passwords which I *do* need to remember.
WiFi codes are one obvious example, and actually they are one where the correcthorsebatterystaple is a decent mechanism (assuming you can choose random words).
I am slightly surprised that such an article doesn't major on keys/certs - register with a site by sending it your public key/cert, and bingo.
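The "assuming you can choose random words" caveat above is the whole argument: the comic's entropy figure only holds if the words are drawn uniformly by a CSPRNG from a list whose size you know, and a WiFi passphrase additionally has to fit WPA2's 8 to 63 printable-ASCII limit. The following is an added example (not from the thread or the comic) that generates such a phrase with Python's secrets module and computes the entropy the attacker faces; the 64-word list is constructed for the demonstration, and a real list (such as a Diceware-style list of several thousand words) gives many more bits per word.

```python
import math
import secrets
import string

# Constructed 64-word list (6 bits per word). A real list is far larger.
SAMPLE_WORDS = [
    "apple", "brick", "cloud", "delta", "eagle", "flame", "grape", "honey",
    "ivory", "jelly", "koala", "lemon", "mango", "night", "ocean", "piano",
    "quilt", "river", "sugar", "tiger", "umbra", "vivid", "whale", "xenon",
    "yacht", "zebra", "amber", "blaze", "coral", "dune", "ember", "frost",
    "glass", "harbor", "iris", "jade", "kite", "lunar", "maple", "nova",
    "olive", "pearl", "quartz", "raven", "stone", "thorn", "ultra", "velvet",
    "willow", "yonder", "zephyr", "anchor", "basil", "cedar", "drift", "echo",
    "fable", "gable", "hazel", "inlet", "jumbo", "kelp", "lotus", "mist",
]


def entropy_bits(words, n_words: int) -> float:
    """Bits of entropy for n words drawn uniformly with replacement.
    Duplicates in the list are collapsed first: a list padded with repeats
    does not add entropy, it only makes some words more likely."""
    return n_words * math.log2(len(set(words)))


def words_for_bits(words, target_bits: float) -> int:
    """Smallest number of words from this list reaching target_bits."""
    return math.ceil(target_bits / math.log2(len(set(words))))


def generate(words, n_words: int, sep: str = " ") -> str:
    """Draw words with secrets.choice (CSPRNG), never random.choice, and
    never from your own head: human-picked words are far from uniform."""
    unique = sorted(set(words))
    return sep.join(secrets.choice(unique) for _ in range(n_words))


def is_valid_wpa2_psk(phrase: str) -> bool:
    """WPA2 pre-shared keys must be 8 to 63 printable ASCII characters."""
    return 8 <= len(phrase) <= 63 and all(c in string.printable and c not in "\t\n\r\x0b\x0c" for c in phrase)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker who knows the list and the count
    (assume they do; the secret is the choice, not the method)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    n = words_for_bits(SAMPLE_WORDS, 48)
    phrase = generate(SAMPLE_WORDS, n)
    bits = entropy_bits(SAMPLE_WORDS, n)
    print(f"{phrase!r}: {n} words, {bits:.0f} bits, WPA2-valid={is_valid_wpa2_psk(phrase)}")
    # Offline WPA2 cracking from a captured handshake at an assumed 1e6 guesses/s.
    print(f"worst case at 1e6 guesses/s: {seconds_to_exhaust(bits, 1e6) / 86400:.0f} days")
```

With only 64 words, eight of them are needed for 48 bits; a 7776-word list gets there in four, which is why the list size matters more than the word length. The time estimate is deliberately pessimistic about the attacker (they have the list and the handshake), which is the right way to size a passphrase.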
Tuesday 12th December 2017 14:22 GMT ShortLegs
Re: STOP. In the name of love.
"https://diogomonica.com/2014/10/11/password-security-why-the-horse-battery-staple-is-not-correct/"
And the author of that article is not wholly correct either. Actually, he is very wrong. The assumption inherent in his article is that all users will have access to a password manager all of the time.
It ignores what happens when I go to work, and my employer does not use a password manager. Worse, when my employer insists on several different credentials for each application, e.g. PC/network userID and pwd, credentials for the Intranet, different credentials for the various "apps" hosted from this (email, SAP, MIS, etc), credentials to access the legacy mainframe via terminal. And all of these with their own, unique, username format and password requirements. No single sign-on, no commonality of user ID and/or password, no consistency of password requirements.
And then I go to my part-time (Reservist) role, with another set of credentials, again one set for local logon, one set for remote DII access, one set for JPA access... and again, no commonality between the various userIDs or passwords.
And that's before we run into "your password has locked as it has not been access for 6 weeks"... requiring a call to the Helpdesk, and another temporary password.
The userID/password combination is the LAST line of defence; we ought to be looking at the security of the front end (3 login attempts then account lockout), the security of the userID/password database, and the encryption of the database itself.
As techies, we look at this ass-backwards.
Tuesday 12th December 2017 18:02 GMT Charles 9
Re: STOP. In the name of love.
""The assumption inherent in his article is that all users will have access to a password manager all of the time." You don't have a smartphone? You can run passwordsafe on that. Or you can use Google's smartlock in Chrome, https://get.google.com/smartlock/ . These methods have some drawbacks, but it's all better than the crappy horse stable thing."
Unless, of course, it's blacklisted by the corporate network as time-wasting (or not on the whitelist of places employees are allowed to go to conduct business on company time).
Of course, no local apps not approved by the IT department, so no password safes due to SPoF issues.
""Ultimately, Passwords should die. As a longer term strategy, we are moving to kill the use of passwords as the single authentication mechanism, and enforcing multi-factor authentication as the default everywhere.""
Until people start LOSING their second factors and so on. The first problem with passwords is that we have bad memories. The second problem with passwords is that they're also the best option we have. IOW, the best option is unacceptable, meaning we're basically screwed unless we take a few steps back and go back to human-on-human contact where everyone simply knew everyone else on sight.
PS. The first consideration of any security measure is taking the Stupid User into consideration.
Wednesday 13th December 2017 01:58 GMT Kiwi
Re: STOP. In the name of love.
@ShortLegs.
"The assumption inherent in his article is that all users will have access to a password manager all of the time." You don't have a smartphone?
Nope. And some of the places I've worked one would not be appropriate or allowed.
Or you can use Google's smartlock in Chrome, https://get.google.com/smartlock/ .
Fuck off. Use chrome? Trust google with my data? Might as well find the lowest possible criminal scum on the web and invite them round for a party, let them sleep in the house afterwards, and let them stay while I go out to work. With all my passwords and accounts written down in plain sight.
These methods have some drawbacks, but it's all better than the crappy horse stable thing.
Not when you're suggesting a "solution" from Google. BTW, what happens when they decide that they're not going to support it any more? Not much chance of that happening though, not like google has ever removed a product with little warning before...
Also, in the article, the guy does say that:- "Ultimately, Passwords should die. As a longer term strategy, we are moving to kill the use of passwords as the single authentication mechanism, and enforcing multi-factor authentication as the default everywhere." Anyway, what do you do to solve the problems you list? I read your post, but I don't see you make a better suggestion. Some techie you are! ;-)
No no fucking NO. Unless you can come up with a trustable "dongle" or other thing that works in EVERY instance, that is small enough to easily transport, it's not going to fly. I have a pile of convenient gadgets, bottle openers, mini torches and the like I've received over the years that could go on my key ring (physical thing the car/house/bike/etc) keys are on. Not a chance they'll ever get there though, like a lot of people I prefer to keep my key rings to a minimal set, to the point that when I could afford multiple vehicles I'd swap in/out the vehicle keys based on what I was using. So for a lot of people keyring-based dongles would be a no go.
Phones aren't entirely secure, and liable to failure/theft/breakage/flat battery etc.
Until someone can make something convenient to carry that does the job across the board, 2FA will continue to crop up and quickly die. (though at least ID+building access cards can help in a lot of workplace related cases)
@Batfink. Lastpass is shite IMO. Stick with a local password manager. Which is why the Google smartlock thing isn't something I use.
I use computers in more than one place. If I was to use a password manager I'd use local+cloud (Nextcloud that is) and move the profile, or perhaps have it on USB but see above re keyrings.
@John, WiFi codes. Write the code on the access point. If someone has access to the AP, it's game over anyway.
Not really. Sure they could factory-reset it, but then a) it'd be discovered quickly and b) would be of limited use (your reset would wipe the ISP details so no WAN connection). The admin is fairly well locked down and I haven't yet found a way to break it, so unlike a lot of crappy ISP-supplied ones, just visiting the admin page won't get you anywhere even if you are plugged in by cable.
That said, I have stored the relevant info on the router in the past, in a place where getting to the router wasn't going to be easy for miscreants.
Wednesday 13th December 2017 09:26 GMT John Robson
Re: STOP. In the name of love.
Two factor auth still tends to use a password as one of the factors...
I can’t get to my AP very easily - it’s ceiling mounted. Writing it there is no help. A long, but typeable, key is a good compromise between usability and security. If I was being really paranoid I’d have a radius server and post connection authorisation dropping me onto an appropriate vlan. Of course the connection would be cert based as well...
Thursday 14th December 2017 14:06 GMT John Robson
Re: STOP. In the name of love.
>>Write the code on the access point. If someone has access to the AP, it's game over anyway.
>Not really. Sure they could factory-reset it, but then a) it'd be discovered quickly and b) would be
>of limited use (your reset would wipe the ISP details so no WAN connection). The admin is fairly
>well locked down and I haven't yet found a way to break it, so unlike a lot of crappy ISP-supplied
>ones, just visiting the admin page won't get you anywhere even if you are plugged in by cable.
Depends what they do with physical access - most routers will happily give you an ethernet connection without question. That might be the valuable thing. Or you could put in an ethernet/wireless bridge to which you can later connect at will.
If the issue is protecting the WiFi passcode then you are correct physical access isn't necessarily game over (although many devices have a physical button to let devices connect without auth for thirty seconds.)
Thursday 14th December 2017 21:44 GMT Kiwi
Re: STOP. In the name of love.
Depends what they do with physical access - most routers will happily give you and ethernet connection without question. That might be the valuable thing. Or you could put in an ethernet/wireless bridge to which you can later connect at will.
If the issue is protecting the WiFi passcode then you are correct physical access isn't necessarily game over (although many devices have a physical button to let devices connect without auth for thirty seconds.)
WPS can (theoretically) be turned off (I say theoretically because I've never checked to make sure it doesn't work).
If you're paranoid, you can set your wired network up with no DHCP and even install a firewall box between the router and the rest of the network that only allows known machines to work, or in some other way messes with unknown machines.
E-W bridge may be a bit sneakier, depending on what tools the victim uses to check for such things. I'd expect that in most places "nothing" is used, only a few high security places performing scans on a regular basis. Is it possible to have one that won't show up in any logs in a more secure place? I was asked by someone recently (a housewife with the computer literacy of your average insect) about a device that was showing up on her Mac, which is just the wifi range extender she has (they're not entirely transparent to the network)
I can think of many ways to hide the hardware, but not sure how to always get them out of logs and the like. At least using static IPs (not DHCP) would make them invisible to most home routers, and probably most SM businesses as well (at least ones that don't specialise in IT)
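The point above is that a planted device on a static IP never appears in the router's DHCP lease list, which is the only inventory most home and small-business setups have. It does still answer ARP, so the neighbour table of any host on the segment sees it. The following is an added example (not from the thread) that parses constructed `ip neigh` output and a constructed dnsmasq lease file, and flags any MAC that is neither a known inventory item nor a DHCP client; the addresses are invented, and the locally-administered-bit check is an extra heuristic of this example for spotting randomised or software-assigned MACs. One caveat the comment's bridge scenario raises: a purely transparent layer-2 bridge with no IP of its own answers no ARP and will not show up here; catching that needs switch MAC tables or 802.1X, not a host-side scan.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed `ip neigh show` output for the demonstration (not real hosts).
SAMPLE_IP_NEIGH = """\
192.168.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:5e REACHABLE
192.168.1.20 dev eth0 lladdr 00:1a:2b:3c:4d:60 STALE
192.168.1.250 dev eth0 lladdr 02:00:5e:aa:bb:cc REACHABLE
192.168.1.99 dev eth0 FAILED
fe80::21a:2bff:fe3c:4d5e dev eth0 lladdr 00:1a:2b:3c:4d:5e router STALE
"""

# Constructed dnsmasq.leases: expiry, MAC, IP, hostname, client-id.
SAMPLE_LEASES = """\
1513000000 00:1a:2b:3c:4d:60 192.168.1.20 laptop 01:00:1a:2b:3c:4d:60
"""

# Things you know about and placed yourself (assumed inventory).
KNOWN_INVENTORY = {
    "00:1a:2b:3c:4d:5e": "router",
}

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}))?"
    r"(?:\s+\S+)*?\s+(?P<state>[A-Z]+)$"
)


@dataclass
class Neighbour:
    ip: str
    dev: str
    mac: Optional[str]   # None for FAILED/INCOMPLETE entries
    state: str


def parse_ip_neigh(text: str):
    """Parse `ip neigh` lines; entries without lladdr carry mac=None."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue
        mac = m.group("mac")
        out.append(Neighbour(m.group("ip"), m.group("dev"),
                             mac.lower() if mac else None, m.group("state")))
    return out


def parse_dnsmasq_leases(text: str):
    """Return the set of MACs holding a DHCP lease (second field)."""
    macs = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3:
            macs.add(fields[1].lower())
    return macs


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set: not a vendor-assigned (OUI) address.
    Randomised or software-chosen MACs, common on bridges and VMs, look like this."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def find_unknown(neighbours, inventory, leases):
    """Neighbours that answered ARP/ND but are neither in inventory nor DHCP."""
    known = set(inventory) | set(leases)
    seen = set()
    unknown = []
    for n in neighbours:
        if n.mac is None or n.mac in known or n.mac in seen:
            continue
        seen.add(n.mac)
        unknown.append(n)
    return unknown


if __name__ == "__main__":
    neighbours = parse_ip_neigh(SAMPLE_IP_NEIGH)
    leases = parse_dnsmasq_leases(SAMPLE_LEASES)
    for n in find_unknown(neighbours, KNOWN_INVENTORY, leases):
        flag = " (locally administered MAC)" if is_locally_administered(n.mac) else ""
        print(f"UNKNOWN {n.ip} {n.mac} via {n.dev} [{n.state}]{flag}")
```

Run the real thing by replacing the constructed strings with the output of `ip neigh show` and the contents of your DHCP server's lease file, ideally on a schedule so a new MAC is noticed the day it appears rather than when someone goes looking.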
Tuesday 12th December 2017 18:08 GMT William Towle
Re: Length is Everything
When creating an(other, sheesh) account for myself recently I encountered my first system that refused my usual password scheme - mix of alphanumeric and non-alphanumeric symbols, around a dozen characters long, ... you know the drill.
"Your new password needs to be at least 14 characters in length", this one asserted. I thought again.
Looking back, there was a very literal interpretation (two, in fact) that may well have sufficed. I wonder now if they foresaw that, and the phrases were specifically disallowed...
Tuesday 12th December 2017 09:49 GMT Kaltern
Such an enigma...
Makes you wonder why a system hasn't been invented that obfuscates passwords as they're being typed in, hence storing them in an encrypted format on the server side, so noone could easily guess what it is.
Oh.
Seriously tho. What's more secure, a password, or simply biometrics? I actually don't know the answer to that, but I would have assumed fingerprints would, at the most simplistic level, be the most secure way to log in to your average website.
I mean, fingerprint scanners are almost ubiquitous in their presence now, virtually all modern smartphones have them, which we trust to login to banking and other sensitive things. How difficult would it be to stick one in every keyboard made now and the future? You can even buy USB scanners for a few quid.
They don't have to be NSA-approved, nor do they need to be of highest military specification. And for really sensitive stuff, why not have a combination of both - at least that way it'll be as simple as typing the password while having your finger(s) scanned.
Within 2 years, every single home PC could have one, and then webmasters could incorporate this into their security by way of a simple plugin. Facebook, could adopt this, which would mean the sheeple of the world will quickly fall in line.
I genuinely wonder why this isn't a thing.
Tuesday 12th December 2017 10:04 GMT sitta_europea
Re: Such an enigma...
"... I mean, fingerprint scanners are almost ubiquitous in their presence now, virtually all modern smartphones have them, which we trust to login to banking and other sensitive things. ..."
Speak for yourself.
I'll use Internet banking when I can buy a 64 gigaqubit quantum computer and there's a way to encrypt the communications, storage and credentials that's been mathematically proved uncrackable (in any amount of time; not just in time of, say, the order of the age of the universe - that's just difficult, and I want impossible). Of course then I'd want similar proof that the implementation was correct, but I'm not holding my breath. After all, HSBC did let anybody into anybody's account if you just put the password in wrong ten times, and then there was...
https://www.theregister.co.uk/2017/12/11/mobile_banking_security_research/
Tuesday 12th December 2017 10:28 GMT Kaltern
Re: Such an enigma...
The point is, passwords are no more secure than fingerprints, but fingerprints ARE more secure than passwords. What you're describing is typical overreaction to security issues that are pretty much beyond your control. Millions of people use internet banking, regardless of how some few of us view the inherent security issues, and in my opinion, while it is only a sticking plaster, biometrics would be a much larger bandage than the current reliance on passwords.
It doesn't matter how much 'we' trust online banking, or anything else. It's here, it's being used, and we should probably try to improve things as much as we can, to avoid people who cannot engage their brain to remember more than 'pa55word'.
Wednesday 13th December 2017 03:31 GMT Kiwi
Re: Such an enigma...
but fingerprints ARE more secure than passwords.
You sure about that?
How about you come round to my place for a coffee and we can talk more about it.
Don't worry about washing your cup afterwards, I'll take care of that.
It doesn't matter how much 'we' trust online banking, or anything else. It's here, it's being used, and we should probably try to improve things as much as we can
On that we agree.
Tuesday 12th December 2017 23:31 GMT fidodogbreath
Re: Such an enigma...
"I'll use Internet banking when I can buy a 64 gigaqubit quantum computer and there's a way to encrypt the communications, storage and credentials that's been mathematically proved uncrackable"
FTFY. Unless your bank is already using some kind of mythic "uncrackable" security, your account can still be pwned by many other methods: attacks on the bank's systems, ATM skimmers, spear-phishing bank execs and sysadmins, social engineering the call center, finding one of your checks in a dumpster after it was scanned by whoever you sent it to, etc.
Internet banking is an attack vector, but it's far from the only one.
Tuesday 12th December 2017 10:25 GMT Pascal Monett
Oh not biometrics again
First of all, there is no such thing as a reliable biometric scanner. Fingerprints can be faked, especially on consumer-grade equipment. Facial recognition is still rather unreliable, can be easily fooled and requires a rather important back-end. Other more exotic methods (like iris recognition, or back-of-the-eye blood vessel mapping) are still in the lab, or eventually at the NSA, but nowhere else.
The problem with biometrics is not even its reliability, it's the fact that the legitimate owner of the biometric cannot change it when it is compromised. So anything biometric is only useable until it is compromised, which means it is next to useless in any environment that needs true security.
Let us not pretend that your Twitter account needs NSA-level security.
Tuesday 12th December 2017 10:34 GMT Kaltern
Re: Oh not biometrics again
Reading before understanding - a common issue here sadly.
I stated we DON'T need NSA-level security. So your killer tagline at the end of your post was sadly wasted on those able to do more than skim through for keywords to throw scorn at.
Next, Biometrics could very simply be changed in EXACTLY the same way we change regular passwords. Send an email asking to be changed, re-scan fingerprint. I fail to see how this is an issue.
And stating that biometrics are only usable till compromised, is pretty much a strawman argument - in that ALL security is useful till compromised.
I think you are mistaking my suggestion for simple password replacement, for high security biometric eyeball scanning to get into NASA's secret Area 52, where they develop and test new security systems*.
* this may or may not be true...
-
Tuesday 12th December 2017 11:02 GMT Roland6
Re: Oh not biometrics again
Next, Biometrics could very simply be changed in EXACTLY the same way we change regular passwords. Send an email asking to be changed, re-scan fingerprint. I fail to see how this is an issue.
Most people only have 8 fingers and two thumbs, and current biometric scanners only use a handful of data points (hence why they are so easy to fool), whereas each character of a password can use most of the keys on a standard keyboard...
-
Tuesday 12th December 2017 13:25 GMT Joe Harrison
Re: Oh not biometrics again
When I had my eyetest recently the optician took a photo of my retina, without asking me, and stored it on their who-knows-if-secure system. If they are doing this for everyone it surely has to undermine the biometric eyeball Area 52 security.
Area 52 probably claim that you can't get in with a fake eyeball photo, just like Apple claimed you couldn't unlock their phone with a 3D printed face.
-
Tuesday 12th December 2017 16:12 GMT Naselus
Re: Oh not biometrics again
"When I had my eyetest recently the optician took a photo of my retina, without asking me, and stored it on their who-knows-if-secure system. "
It's worse than that - I leave copies of my fingerprints all over the place all the time, stored on tabletops, doors, and the devices I use to log into the web services he's suggesting I should unlock with my fingerprint...
-
-
Tuesday 12th December 2017 10:53 GMT Roland6
Re: Oh not biometrics again
>Facial recognition is still rather unreliable, can be easily fooled and requires a rather important back-end.
As far as my son and daughter are concerned facial recognition works perfectly on the Xbox One!
They enter the room and most of the time the Kinect automatically logs them in as me, I go in and get logged in as one of them; largely making parental controls even more pointless (IE on the Xbox has a 'feature' that after a couple of minutes on xbox.com, automatically logs into the parent account, regardless of whichever account on the Xbox is actually signed on).
My son (age 12) has finally decided parental controls are a nuisance and has simply turned them off. At least he hasn't yet bothered with the content restrictions, but to watch "The Grand Tour" he needs 'relaxed' ratings; I think it will be a couple of years before he has need to play around with these...
-
-
Tuesday 12th December 2017 11:29 GMT Pen-y-gors
Re: Such an enigma...
There are good reasons - biometric ID and passwords are very different creatures.
Biometrics mean that a known individual is accessing the system (assuming no-one's used the old cutting-off-the-finger trick, or the old R.Austin Freeman 'Red Thumb' method for faking fingerprints, written in 1907)
Passwords mean that someone with the password is accessing the system. So you can give your password to someone else if you want. And a good defence is that someone must have intercepted your password or shoulder-surfed you in an Internet cafe.
-
Tuesday 12th December 2017 12:53 GMT Charles 9
Re: Such an enigma...
"Biometrics mean that a known individual is accessing the system (assuming no-one's used the old cutting-off-the-finger trick, or the old R.Austin Freeman 'Red Thumb' method for faking fingerprints, written in 1907)"
What about the Gummi Finger? Proven to work by the MythBusters, even.
-
-
-
Tuesday 12th December 2017 10:57 GMT Tigra 07
Reminds me of this old gem...
When creating a password:
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50fuckingboiledcabbages
Sorry, the password must contain at least one upper case character.
50FUCKINGboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.
50FuckingBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyPissedOff50FuckingBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use!
-
Tuesday 12th December 2017 11:13 GMT Roland6
The linked article <https://medium.com/4iqdelvedeep/1-4-billion-clear-text-credentials-discovered-in-a-single-database-3131d0a1ae14> is interesting.
This database seems to be an aggregation of a number of previous breaches and thus spans several years of Internet usage and can for any particular email address give an idea of the level of password re-use etc.
Interestingly, because of the aggregation, I see that even passwords of 10 characters have made it into the top 20.
I see that both in the linked article and here on El Reg, little real thought is being given as to how user credentials are stored, transported and looked up, particularly on websites.
-
Tuesday 12th December 2017 11:28 GMT The_H
I'd love to know where they get some of this stuff.
I recently had an iPhone imposed on me by my employer. Created an iCloud email address that I have used for absolutely nothing, and it's a weird combination of letters and numbers that I'll never remember. The only time it was ever used was on the brand new, out-of-the-box iPhone's setup screen... but by the end of the same day it had *hundreds* of spam emails in it. That email address somehow got out of the iPhone universe... and not thanks to me.
-
Tuesday 12th December 2017 11:39 GMT Zippy's Sausage Factory
It'd be nice if someone like HaveIBeenPwned would load this up and then tell you WHAT PASSWORD they had in that list. I can then use my password manager to find that password, plus I now know where the leak came from.
Oh wait, but then I might sue someone, and they might sue HIBP because - well, if your security got breached and nobody ever finds out, did it really happen? I mean, that's an approach that's working SO WELL for Uber right now...
-
-
Tuesday 12th December 2017 20:35 GMT Roland6
Re: Do you not think there's a slight flaw in the idea...
Re: It'd be nice if someone like HaveIBeenPwned would load this up and then tell you WHAT PASSWORD they had in that list.
Looking back, this is the substantive part of the email I received from HaveIBeenPwned when LinkedIn was Pwned:
"You've been pwned!
You signed up for notifications when your account was pwned in a data breach and unfortunately, it's happened. Here's what's known about the breach:
Breach: LinkedIn
Date of breach: 5 May 2012
Number of accounts: 164,611,595
Compromised data: Email addresses, Passwords
Description: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data."
It would make sense for Troy to amend the lookup and to send the results (suitably secured) to the user entered email address, thereby getting around this issue...
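An added illustration (not code from the thread, from The Register or from HaveIBeenPwned) of two points raised above: why the unsalted SHA1 storage named in the LinkedIn notice meant the dump was cracked within days, and how a breach-list lookup can be done without handing the service the password itself, using the five-character SHA-1 prefix scheme of the HIBP Pwned Passwords range API. The "breach dump", the wordlist and the range response below are all constructed here for the demo; nothing is taken from a real dump. The salted, slow-KDF storage is a standard alternative (PBKDF2-HMAC-SHA256 from Python's standard library), not something any site on the page is claimed to use.

```python
import hashlib
import hmac
import os

# Constructed sample "dump" in the style the HIBP notice describes:
# one unsalted SHA-1 per account, no per-user randomness.
SAMPLE_PASSWORDS = ["password", "linkedin", "123456"]
UNSALTED_DUMP = {hashlib.sha1(p.encode()).hexdigest() for p in SAMPLE_PASSWORDS}

# Tiny stand-in for the enormous precomputed tables crackers keep.
WORDLIST = ["letmein", "password", "qwerty", "123456", "linkedin", "welcome"]


def crack_unsalted_sha1(dump, wordlist):
    """Recover plaintexts from an unsalted SHA-1 dump by table lookup.

    With no salt, every account that chose the same password has the
    identical digest, so one hash per wordlist entry (computed once, ever)
    covers every account in the dump. Returns {sha1_hex: plaintext}.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {h: table[h] for h in dump if h in table}


# Hardened storage: random per-user salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 600_000  # work factor; lower it only for tests


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256 and a 16-byte random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, salt, digest, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison of a recomputed digest against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_digests_differ(password, iterations=PBKDF2_ITERATIONS):
    """Two users with the same password get unrelated stored values, so a
    table precomputed against one account says nothing about the other."""
    salt_a, digest_a = hash_password(password, iterations=iterations)
    salt_b, digest_b = hash_password(password, iterations=iterations)
    return salt_a != salt_b and digest_a != digest_b


def sha1_prefix_and_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent to the
    range API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the body the range API would return for prefix
# "5BAA6": one "SUFFIX:COUNT" line per known hash. Counts are made up.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:1\r\n"
)


def pwned_range_lookup(password, range_response):
    """k-anonymity style check: only the SHA-1 prefix leaves the client; the
    caller finishes the match against the returned suffixes. Returns the
    breach count for the password, or 0 if it is absent from the range."""
    _prefix, suffix = sha1_prefix_and_suffix(password)
    for line in range_response.splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.strip().split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    print("cracked from unsalted dump:", crack_unsalted_sha1(UNSALTED_DUMP, WORDLIST))
    print("same password, different stored values:", salted_digests_differ("password"))
    print("'password' seen in range:", pwned_range_lookup("password", SAMPLE_RANGE_RESPONSE))
```

The first function is the whole reason an unsalted dump falls in days: the attacker's work is per candidate word, not per account. The salted KDF makes the work per account and per guess, and the prefix lookup lets a user (or a site at registration time) ask "is this in a breach corpus?" without disclosing the password to the lookup service, which is the privacy problem the comment above is wrestling with.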
-
-
-
Tuesday 12th December 2017 12:19 GMT Anonymous Coward
Somebody tell the banks
If you have the misfortune to hold an MBNA card, there's no option anywhere to change your password, short of hitting the "I've forgotten my details" link and going through the rigmarole of proving who you are by re-sharing supposedly secure details about yourself.
Yeah, that's secure.
A/c as I'm ashamed that an expensive divorce and my subsequent financial pain led me to MBNA's door. Still, only another 18 months and I'll be free of them forever!
-
Tuesday 12th December 2017 20:39 GMT Anonymous Coward
I have two accounts on there
Both of them have a similar password, which is what I use for throwaways - one for places I never need to look at the email (goes to a hotmail account I never login to) and the other for places I may need to look at the email (mostly used for online shopping at places that don't save your CC info or web forums)
They've had the same password for 15+ years so it is not surprising they were on the list. What I was surprised about is that my non-hotmail email address was not listed with a SINGLE other password, indicating nothing I consider more important and gets a better password was compromised. Out of a list of 1.4 billion I was kind of expecting I might need to go do some password changes on sites like amazon, ebay, facebook and so forth but I guess that can wait.