Russian Gang Steal 1.2 Billion Username/Passwords!

Status
Not open for further replies.
Originally Posted By: eljefino
I've read it suggested that you come up with a mnemonic like:

My First Girlfriend Was Jenny And She had 32 DDs

which turns into

MfgwJ&sh32DD

a tolerable password... for now!


Passwords are more memorable if they're based on real facts in your life...not fantasy...
 
Originally Posted By: Lubener
The world would be better off without the internet.


Might as well blame Al Gore for inventing the internet.
 
Some fantasies can be more vivid than real life; heck all fantasies are more vivid than *my* life!
 
If they did manage to penetrate the security of websites wouldn't they actually get hashes and not passwords? And if a person had a decent password wouldn't it still take a long time to unscramble the hash? Unless the hash could be used itself.
 
Nobody here knows about hashes?

The hashes could be secured further by 'salting' (putting extra numbers and letters in) and by encrypting the hashes.

As long as people were using good passwords it would take time to get the passwords from the hashes. And if a website encrypted the hashes it would be more difficult.
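An added illustration of the point made in this post, not code from anyone in the thread: the script stores a constructed three-user table two ways, first as plain unsalted SHA-256 (where one hashed guess list recovers every user who chose a common password, and two users with the same password get the same hash) and then with a per-user random salt plus PBKDF2-HMAC-SHA256 key stretching (my choice of slow hash for the demo). The usernames, passwords and guess list are made up for the example; the salted scheme shows why salting stops shared precomputed tables and why slow hashing buys the time the post is talking about.

```python
import hashlib
import hmac
import os

# Constructed sample of what a breached, badly stored user table might hold
# (demo data, not from any real site): username -> plaintext password.
SAMPLE_USERS = {
    "alice": "password1",
    "bob": "password1",       # reuses alice's password
    "carol": "MfgwJ&sh32DD",  # the mnemonic-style password from the thread
}

# Constructed guess list, the kind an attacker only has to hash once.
WORDLIST = ["123456", "password", "password1", "qwerty", "letmein"]


def unsalted_hash(password: str) -> str:
    """Weak storage: a single fast, unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def recover_unsalted(stored: dict, wordlist: list) -> dict:
    """Why unsalted fast hashes fall quickly: hash each guess once, then
    look every user's stored hash up in that table. Identical passwords
    give identical hashes, and the same table works against any site
    that used the same scheme."""
    table = {unsalted_hash(word): word for word in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def make_salted_record(password: str, iterations: int = 200_000) -> dict:
    """Stronger storage: per-user random salt plus PBKDF2-HMAC-SHA256
    key stretching (my choice of KDF for the demo; any slow, salted
    password hash serves the same purpose)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo(iterations: int = 200_000) -> dict:
    """Store the sample users both ways and report what each scheme gives away."""
    unsalted = {u: unsalted_hash(p) for u, p in SAMPLE_USERS.items()}
    salted = {u: make_salted_record(p, iterations) for u, p in SAMPLE_USERS.items()}
    return {
        # Both reused passwords fall to a single table lookup; carol's does not.
        "cracked_unsalted": recover_unsalted(unsalted, WORDLIST),
        # Same password, different salt -> different stored hash.
        "salted_hashes_differ": salted["alice"]["hash"] != salted["bob"]["hash"],
        "verify_alice": verify_salted("password1", salted["alice"]),
        "verify_wrong": verify_salted("password2", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The iteration count is a deliberate cost knob: every guess against a salted record costs the attacker the same 200,000 HMAC rounds the server pays once per login, and the salt means that cost has to be paid separately for every user.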
 
Compromise #432423; businesses should be incorporating 2 factor authentication @ this point; not doing so is putting all one's e-customers @ risk (and is the 'cheaper' way, of course)

Better start doing it or risk having 'someone' tell you to do it.
 
Hopefully with Google starting to give ranking preference to sites using HTTPS more places will start getting serious about security.
 
Originally Posted By: Quattro Pete
Originally Posted By: Touring5
Another cool tool is Virtual Account numbers from Citi. They allow you to log in, and generate a 1-time use credit card number (you can specify a dollar limit and time limit) - that can only be used online or over the phone.

This, while seemingly useful, ended up getting us in trouble once.

We used such one-time generated credit card number once with Discover to buy some concert/event tickets. The tickets needed to be picked up in person, and at pickup time, they wanted to see the credit card that was used to make the purchase. Well, guess what... the number on the card was different from the one-time generated card number.



Yeah, you have to keep an eye out for something like that where you might need to show the card to pick up the product purchased. I've bought stuff online and selected the in store pickup option, and it says you need to bring the CC you purchased the products on to pick the items up. I've always just printed out the one time use CC and explained to them that the print out is of the card and the card doesn't exist b/c it's a virtual one-time use card. I've never had a problem doing that. Once they see the numbers match, they're good with it.

Yeah, it's an extra step, but it's always worked for me and it keeps my CC number from being stored in places where I don't know what type of security they're using, or I think they might be a prime target for people trying to steal CC numbers.
 
I use 1Password - only have to remember one long password and each other password is long, random, and cannot possibly be remembered.

Quite useful for recording serial numbers etc. and other things you'd like kept encrypted.
 
It is pretty interesting what is said about this theft of usernames and passwords at 'Krebs on Security' as compared to what is said at Bruce Schneier's security website.

Krebs says he knows this Holden of Hold Security and Schneier said he had never heard of Hold Security until this theft was reported.

There is a major difference of opinion at these two security websites. Which makes a person wonder about a lot of things.
 
It certainly does not hurt to change all of your passwords to be safe. And to use two factor authentication if you can. But the more I find out about all of this the more I wonder. Too many questions about this Hold Security and this Holden guy. Go to Bruce Schneier's security website and check this out. It is now on the second page.

Yes there may well be Russian hackers that have a large number of passwords. But those passwords might have come from various sources, such as Adobe and Target hacks. And nobody here but me talked about this but a lot of the passwords could be old (and useless if they have been changed) and if the passwords were encrypted or at least good passwords in hashes it would have taken time to get the password. Of course some people never change their passwords and many people use weak passwords. But those people are likely to be victims anyway. And of course some people use the same password everywhere.

Merely changing your passwords will defeat all of this. Of course, website owners need to make sure they have the best security possible for their websites.

I personally am not going to pay anybody to find out if my user names and passwords are in the alleged 1.2 billion list. I have already changed all of my passwords. And I use long passwords and change them regularly, and I don't use the same password for several websites.

If everybody used good passwords, changed their passwords regularly, and did not use the same password at several websites, that 1.2 billion list of user names and passwords, if it exists, would be useless in a short period of time.
 
I have a buddy who hacks for a living (thank goodness he is on our side!), and he says point blank there are some really good hackers out there....kinda much better than the good guys!

Bottom line- most of these password ideas are useless, because it does not stop them, it might just slow them down a bit...if they want it, they will somehow...

Best advice he can give? Simply put, watch over your stuff best you can, and simply pray. Don't have all your eggs in one basket, more true with banks. Have ways you can have "outs" or a back up plan in place if needed.

It's like most things in life guys....you prepare....best you can. It's now just another thing in life to prepare for....
 
Over the past few days, several financial institutions have been hit with distributed attacks. They're not your standard attacks, though. They are brute force distributed login attempts.

Thing is, in analyzing the data, a vast majority of the logins attempted are valid. The passwords, however, are not.

This also has the effect of overwhelming email systems as they send out thousands of account lockout notifications at a time.

Clever girl
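An added example, not from the poster or from any institution's tooling: a small Python detector run over a constructed authentication-log excerpt that shows the pattern described above, failed logins spread across many source addresses where most of the attempted usernames exist (failure reason is a bad password, not an unknown user). The log format, the documentation-range IP addresses and the thresholds are all assumptions for the demo. It also shows the lockout-notice coalescing that would keep the mail system from sending one message per failed attempt.

```python
import re
from collections import Counter

# Constructed auth-log excerpt (demo data; addresses are from documentation
# ranges). Ten different sources each try one or two real usernames with the
# wrong password, one guess names a user that does not exist, two logins succeed.
SAMPLE_LOG = """
2014-08-07T09:00:01Z src=198.51.100.11 user=alice result=FAIL reason=bad_password
2014-08-07T09:00:02Z src=198.51.100.12 user=bob result=FAIL reason=bad_password
2014-08-07T09:00:02Z src=198.51.100.13 user=carol result=FAIL reason=bad_password
2014-08-07T09:00:03Z src=198.51.100.14 user=dave result=FAIL reason=bad_password
2014-08-07T09:00:03Z src=198.51.100.15 user=erin result=FAIL reason=bad_password
2014-08-07T09:00:04Z src=203.0.113.21 user=alice result=FAIL reason=bad_password
2014-08-07T09:00:04Z src=203.0.113.22 user=frank result=FAIL reason=bad_password
2014-08-07T09:00:05Z src=203.0.113.23 user=grace result=FAIL reason=bad_password
2014-08-07T09:00:05Z src=203.0.113.24 user=heidi result=FAIL reason=bad_password
2014-08-07T09:00:06Z src=203.0.113.25 user=ivan result=FAIL reason=bad_password
2014-08-07T09:00:06Z src=198.51.100.11 user=alice result=FAIL reason=bad_password
2014-08-07T09:00:07Z src=203.0.113.21 user=zzzz9 result=FAIL reason=no_such_user
2014-08-07T09:00:08Z src=192.0.2.7 user=judy result=OK
2014-08-07T09:00:09Z src=192.0.2.8 user=mallory result=OK
""".strip().splitlines()

# Assumed line layout: timestamp, source address, username, result, optional reason.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>\S+)(?: reason=(?P<reason>\S+))?$"
)


def parse(lines):
    """Yield one dict per well-formed line; skip anything that does not match."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(events):
    """Aggregate the failure signals that separate the patterns apart."""
    failures = [e for e in events if e["result"] == "FAIL"]
    valid_user = sum(1 for e in failures if e["reason"] == "bad_password")
    return {
        "failures": len(failures),
        "distinct_sources": len({e["src"] for e in failures}),
        # Share of failures that hit a real account: high when the attacker
        # already holds a list of valid usernames.
        "valid_user_ratio": valid_user / len(failures) if failures else 0.0,
        "failures_per_user": Counter(e["user"] for e in failures),
    }


def classify(summary, min_failures=10, min_sources=5, min_valid_ratio=0.8):
    """Label the window; thresholds are assumed values for the demo."""
    if summary["failures"] < min_failures:
        return "normal"
    if summary["valid_user_ratio"] < min_valid_ratio:
        return "unknown-username brute force"      # guessing names, not passwords
    if summary["distinct_sources"] >= min_sources:
        return "distributed credential stuffing"  # known users, many sources
    return "single-source brute force"


def lockout_notices(events, threshold=3):
    """Users who crossed the lockout threshold, listed once each, so mail goes
    out once per user per window rather than once per failed attempt."""
    per_user = summarize(events)["failures_per_user"]
    return sorted(u for u, n in per_user.items() if n >= threshold)


if __name__ == "__main__":
    evts = list(parse(SAMPLE_LOG))
    s = summarize(evts)
    print(s["failures"], "failures from", s["distinct_sources"], "sources;",
          f"{s['valid_user_ratio']:.0%} against real accounts ->", classify(s))
    print("lockout notices to send:", lockout_notices(evts))
```

The valid-username ratio is the discriminator worth keeping: a blind brute force hits mostly nonexistent accounts, while a run driven by a leaked username list hits real ones nearly every time, which is exactly the shape the post describes.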
 