so I was careless...
having a fairly weak password for my dotmac (iCloud) account since Hector was a pup, and about three hours ago my inbox starts filling up with delivery failure notices: some Russians are using my address (though not, it would appear, my computer) to send spam (the messages all translate to the effect of "make thousands of dollars from home") to their fellow Slavs. So I change the password with Apple, Apple verifies. Nevertheless, the account remains stubbornly offline in the mail app. I can access the account via a browser (a test message sent from another account after the password switch showed up that way), but not from the app. I've quit, restarted, tried to take the account back online to no avail. Am I overlooking a step, does anyone suppose?

cordially,
does the mail app know about the new password? dumb question I know
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
Maybe had nothing to do with you
Just because they were using you as the "From" address doesn't mean they had access to your account. (Which doesn't get your app back online, of course.)
--

Drew
this is starting to look nasty
I attempted to access icloud from work; received a message that my account was disabled for security reasons. Went in to reauthenticate; was asked to provide date of birth...this was rejected as a mismatch. Used the "send me an email" (to a gmail account) to proceed; this got an instant reply two hours ago, but so far, nuttin'.

anxiously,
resolved?
Apple tech support said that their lockdown prevented me from reauthenticating even via the "security questions" absent a heart-to-heart talk with a human being. This being undertaken, he appears to have reinstated me. We'll see how long the fix lasts this time. I regret the expenditure of an hour of what is proving not to be a slow work day.

cordially,
Glad you got it worked out. Two factor?
The Fallows clan got bitten by something similar with GMail.

You might want to do the "two factor" login dance (if you're not doing it already).

https://support.apple.com/en-us/HT204152

Good luck.

Cheers,
Scott.
Do you know for sure that you were actually compromised?
The stories I've seen where someone's account was hacked, it was much harder to regain control. Your story sounds like just plain bad process for changing credentials. ie: Typical helpdesk type call for "How do I update my password across multiple devices?"

I've got a few accounts that occasionally get several hundred bounce messages in a day for emails that didn't go out from my system. They're just using my address in the "From" line because it's a known-good address. Properly configured mail servers on the receiving end reject it (or at least I think they do) because the reverse lookup fails. [handwave] dkim entries [/handwave]
--

Drew
a day later...
Less than an hour after the last misdelivery notice arrived, I changed my iCloud password, and although there were a number of misunderstandings between Apple and me over the course of the next few hours, I note that no further "Delivery Notification: Delivery has failed" messages landed in my inbox following my first password change. This suggests either that the Russian assholes were spoofing my return address for just a couple of hours on Monday and then inexplicably left off, or that something changed that rendered my electronic addy unavailable. Since the password change was the principal change in the environment during that narrow window, I'm inclined to think that this was the vulnerability that was exploited. Govno!

cordially,
sheesh!
My main online banking account has (had) a password not identical, but recognizably similar to the compromised dotmac password. Today I attempted to check my balance: username/password combination was not accepted. I reset these by phone; checked the various linked accounts. No untoward transactions. It's hard for me to think that this is a coincidence, though.

paranoiacally,
Likely scenario
"They" tried the credentials + variations at all popular services knowing that a serious chunk of the population recycles names and passwords. The bank password was sufficiently different that they didn't guess it within the allowed number of tries and the account was locked out.
concur
I knew that the bank password was weak, the equivalent of a screen door with a hook-and-eye "lock." Moreover, it was the last remaining "important" account that used a variation on that old password. I count myself fortunate to have got off with a brief scare.

I've heard it said by IT boffins that any password you can remember is already not secure. Digression follows:

In my childhood and teens I had this odd Aspergerish compulsion to maintain a personal calendar: I used to amuse/irritate my friends with this (Them: "Remember when we all went out to Zuma Beach after that [redacted] all-nighter so we could watch the sun rise? And then realized we were on the wrong side of the country for that?" Me: "Oh, yes, that would have been April 19, 1969"). This faded out in my very early twenties, and from about 1973 forward I'm no likelier to pinpoint the date of a trivial event than the next guy.

That said, I can remember the exact dates of my first dozen or fifteen bonks. Hold that thought. I now record my passwords in a Field Notes notebook (two, actually), a medium impervious to most known electronic monitoring. These useful booklets also include serial numbers, usernames, email identities linked to product registrations, et cetera.

I have a formula for processing bonk partner name/dates into passwords, so for important accounts, these passwords are recorded merely with a two-digit numerical code (01, 02, 03...) representing the erotic sequence, run through the formula, and entered. So, for example, if I wish to look in on my account in the Caymans (as if!) I consult my little notebook, note that it's "05" (ah, Drusilla!), run the particulars through my blender, and there we are.

However, I know a few people who swear by so-called "password managers." Anyone here use these?

cautiously,
Password storage.
I use a simple app on my phone that keeps an encrypted database, so I transcribe passwords as I need to. But I also trust browser storage for a number of sites (not banking or Paypal).

Wade.
Here's where I got my rule
https://www.schneier.com/blog/archives/2005/06/write_down_your.html

I believed it was true then, I believe it's still true now.
--

Drew
XKCD to the rescue
:-)
That, too
Now find me a bank site that allows more than 12 characters.
--

Drew
Ford Credit will only take 8
Regards,
-scott
Welcome to Rivendell, Mr. Anderson.
Re: concur
I use 1Password, and have for years. I don't know my passwords to any* websites that I log in to. Each website gets a different password, and by default I try to make it as long as possible (1Password's current limit is 50 characters.) Of course there are always numbers and specials thrown in for good measure.

It's been a great way to see who's secure and who's not. For example, about a year ago, I used 1Password to set my password at a bank. It happily let me set my password. My M.O. when using 1Password to set my password is to set it, then immediately log out and back in to test that it works. Well, the bank's website let me set my password. It was stored in the vault. I logged out, and could not log back in. After a call to the bank's customer support line, we determined that while the website would allow me to SET my password with certain special characters, it would not actually let me LOGIN using that same password with those certain special characters in it. *smh*

Additionally, I just went round and round with a different customer support person about this on a different website. While the problem didn't actually end up being password-related, I submit this for fun: http://blog.mikevitale.com/2015/05/11/peloton-customer-support/

* Not exactly true. I know a couple; they tend to be the ones that I cannot use my fingerprint on my phone to log in with.
-Mike

@MikeVitale42

"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."
- Benjamin Franklin, 1759 Historical Review of Pennsylvania
Entertaining story.
I've become convinced that computers are no longer deterministic.

Good luck!

Cheers,
Scott.
I get annoyed at password restrictions.
Having written several systems over the years to accept anything in a password (barring the obvious checks, like length), I know there is no excuse for anything less.

On a related note, it's amusing when colleagues realize my systems also allow spaces in usernames. :-)

Wade.
password management
General web password for sites you don't give a rat's ass about.
Specific passwords for shit you do care about: a passphrase with vowels replaced by numerals.
Banking/financial password, one that given a week's access to your house and paperwork can never be sussed out. 14 character minimum, no passphrase, upper case, lower case, special characters, lots.
Chase doesn't allow special characters.
YAN to hate them.
Too many sites do passwords wrong.
A website that uses passwords should do nothing to a supplied password other than hash it, unaltered. What you're given is what you're given and no characters should be forbidden. If someone wants to include a space, a left-brace, an acute-a, a copyright symbol and the Chinese character for water, it should work.

Obviously you should have strength checks to help stop users being idiots, but even a length check should be very very generous. 256 characters is a hideously long password, but not so long as to be problematic to hash.

Wade.
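Wade's rule above (hash the supplied password unaltered, forbid no characters, cap length generously) and the bank story earlier in the thread (a password the site would SET but not accept at LOGIN) both come down to one thing: the same encoding and hashing path must be used at registration and at login. The following is an added example, not code from this thread or any project mentioned in it; it stores passwords with scrypt from Python's standard library, accepts any Unicode (spaces, braces, accents, CJK), applies NFC normalization so the same visible string hashes identically however it was typed, and enforces only a 256-character cap. The record format `scrypt$n$r$p$salt$digest` is this example's own convention.

```python
import hashlib
import hmac
import os
import unicodedata

# Generous upper bound, per the post: long enough to never bite a real user,
# short enough that an attacker cannot submit megabytes for the server to hash.
MAX_PASSWORD_LENGTH = 256


def _encode(password: str) -> bytes:
    """Canonical bytes for a password: NFC-normalised, UTF-8 encoded, nothing stripped."""
    if len(password) > MAX_PASSWORD_LENGTH:
        raise ValueError("password exceeds %d characters" % MAX_PASSWORD_LENGTH)
    # NFC so that e.g. 'a' + combining acute and the precomposed 'á' are the same password.
    return unicodedata.normalize("NFC", password).encode("utf-8")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record; a fresh random salt is drawn unless one is supplied."""
    salt = salt or os.urandom(16)
    n, r, p = 2 ** 14, 8, 1  # scrypt cost parameters (16 MiB of memory per hash)
    digest = hashlib.scrypt(_encode(password), salt=salt, n=n, r=r, p=p, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (n, r, p, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        encoded = _encode(password)  # the very same path used when the password was set
    except ValueError:
        return False
    candidate = hashlib.scrypt(
        encoded, salt=bytes.fromhex(salt_hex), n=int(n), r=int(r), p=int(p), dklen=32
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: the characters from the post, all in one password.
    pw = "open {sesame} \u00e1 \u00a9 \u6c34"
    record = hash_password(pw)
    print(record)
    print("login with same password:", verify_password(pw, record))
    print("login with wrong password:", verify_password(pw + "!", record))
```

Because `verify_password` calls the same `_encode` as `hash_password`, a character the site lets you set is by construction a character it lets you log in with; the only way to reproduce the bank's bug is to run two different pipelines, which this layout makes impossible.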
Number substitution isn't recommended any more.
http://optimwise.com/passwords-with-simple-character-substitution-are-weak/

From 2010:

A common piece of password advice is to substitute characters, such as numbers or special characters, for letters. For example, password becomes p@$$w0rd. These are sometimes called “leetspeak” passwords, because “elite” hackers originally used such character substitutions.

Unfortunately, leetspeak passwords are far from secure. For years, password cracking applications have been able to recognize most character substitutions, decipher the underlying word, and crack the password.

Here are a few excerpts about how leetspeak and character substitution passwords are weak. Links to the source pages follow each excerpt:

[...]


Something I've never understood:

I thought sensible places locked one out after N (often N=3) attempts at entering a password. If that is the case, what difference does it make how complex the password is? Don't dictionary attacks only work if the hacker gets an infinite number of attempts?

NIST's Guide to Enterprise Password Management (38 page .pdf) mentions preventing infinite guessing, but doesn't explain why that isn't good enough.

The problem with complex passwords that are unique to each site (and expire periodically) is that they're very difficult to remember so users write them down somewhere (phone, wallet, post-it notes on monitors, etc.) which compromises security worse than if passwords were simple and trivial to remember.

Cheers,
Scott.
(Who expects face/finger/iris recognition (maybe with a 4 digit PIN) will eventually make all of this obsolete).
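Two points in the post above fit one example: the quoted excerpt says cracking tools undo "leetspeak" substitutions, and the question that follows asks why a lockout after N attempts doesn't make this moot. The lockout only governs online guessing against the live login form; the attacks the excerpt describes run offline against a stolen hash database, where nothing limits the number of tries, so the substitutions have to be caught at registration instead. The following is an added example, not code from the thread or the linked article: a registration-time check that expands a candidate password through the common substitutions and rejects it if any expansion (ignoring trailing digits) is a dictionary word. The substitution table and the five-word list are constructed for the example; a real deployment loads a breached-password list.

```python
import itertools

# Common substitutions a cracker's rule set reverses (constructed, not exhaustive).
LEET_MAP = {
    "@": "a", "4": "a", "8": "b", "3": "e", "6": "g", "9": "g",
    "1": "i", "!": "i", "|": "i", "0": "o", "$": "s", "5": "s",
    "7": "t", "+": "t", "2": "z",
}

# Constructed mini dictionary; substitute a real wordlist/breach list in practice.
WORDLIST = {"password", "letmein", "welcome", "monkey", "dragon"}

# Bound the expansion so a long password of digits cannot blow up the product.
MAX_CANDIDATES = 20000


def deleet_candidates(password):
    """Yield every lowercase spelling obtained by reading each leet symbol as itself or its letter."""
    options = []
    for ch in password.lower():
        letter = LEET_MAP.get(ch)
        options.append((ch, letter) if letter else (ch,))
    for i, combo in enumerate(itertools.product(*options)):
        if i >= MAX_CANDIDATES:
            return
        yield "".join(combo)


def dictionary_match(password):
    """Return the dictionary word a password reduces to, or None if it survives the check."""
    for cand in deleet_candidates(password):
        for form in (cand, cand.rstrip("0123456789!")):  # 'password123' -> 'password'
            if form in WORDLIST:
                return form
    return None


def accept_for_registration(password, min_length=12):
    """Registration policy: minimum length plus the de-leet dictionary check."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    word = dictionary_match(password)
    if word:
        return False, "reduces to the dictionary word %r" % word
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: the article's example, a capitalised variant, and a passphrase.
    for sample in ("p@$$w0rd", "P4ssw0rd123!", "correct horse battery staple"):
        print(sample, "->", accept_for_registration(sample))
```

The check is deliberately generous to the user (it forbids no characters) and strict only about the thing that actually fails under offline cracking: a recognisable word underneath the substitutions. Pair it with an online lockout; the two protect against different attacks.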
I like writing down
I always keep pieces of paper in my wallet that I want to keep safe. It's called "money".
--

Drew
so you go in person to pay all your bills? Nice to have that much free time
Not the point
People say keeping passwords written down is insecure. I've learned to secure my wallet because I know it has valuable contents. If my wallet is stolen I count on having to deactivate all my credit cards anyway.
--

Drew
Having my wallet messed with in middle school taught me that it's not good to depend on it...
But I get your point.

I know someone who has passwords on his electronic PDA on his phone. ;-)

Cheers,
Scott.
not necessarily
users write them down somewhere (phone, wallet, post-it notes on monitors, etc.) which compromises security worse than if passwords were simple and trivial to remember.

Not necessarily. My written passwords are physically remote from my computers. Anyone has access to both, then I'm already in big trouble.

cordially,
Re your last line: yes, that
--

Drew
     so I was careless... - (rcareaga) - (29)
         does the mail app know about the new password? dumb question I know -NT - (boxley)
         Maybe had nothing to do with you - (drook)
         this is starting to look nasty - (rcareaga) - (3)
             resolved? - (rcareaga) - (2)
                 Glad you got it worked out. Two factor? - (Another Scott)
                 Do you know for sure that you were actually compromised? - (drook)
         a day later... - (rcareaga)
         sheesh! - (rcareaga) - (21)
             Likely scenario - (scoenye) - (10)
                 concur - (rcareaga) - (9)
                     Password storage. - (static)
                     Here's where I got my rule - (drook) - (4)
                         XKCD to the rescue - (static) - (3)
                             :-) -NT - (Another Scott)
                             That, too - (drook) - (1)
                                 Ford Credit will only take 8 -NT - (malraux)
                     Re: concur - (mvitale) - (2)
                         Entertaining story. - (Another Scott)
                         I get annoyed at password restrictions. - (static)
             password management - (boxley) - (9)
                 Chase doesn't allow special characters. - (mmoffitt) - (1)
                     Too many sites do passwords wrong. - (static)
                 Number substitution isn't recommended any more. - (Another Scott) - (6)
                     I like writing down - (drook) - (3)
                         so you go in person to pay all your bills? Nice to have that much free time -NT - (boxley) - (2)
                             Not the point - (drook) - (1)
                                 Having my wallet messed with in middle school taught me that it's not good to depend on it... - (Another Scott)
                     not necessarily - (rcareaga) - (1)
                         Re your last line: yes, that -NT - (drook)