
Important: Another Wave of Account Hacks

Both of these posted tables are already obsolete by a long shot...

[two quoted table images, not preserved]


Here's a more realistic table (based on today's top-of-the-line GPU, the Nvidia 4090, which can perform 100 billion hashes per second (100 GH/s) for less secure algorithms like MD5).

Here's a basic example for the MD5 algorithm:
[table image: MD5 cracking-time estimates, not preserved]

Source of table: GPT-4o, with the Nvidia 4090's hashing rate as input.
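The table above is an image that did not survive extraction, so here is the estimate it is based on, written out as code. This is an added example, not the post's table or its GPT-4o output: it computes the worst-case time to exhaust a password keyspace at a given hash rate. The 100 GH/s MD5 figure is the one quoted in the post; the 10 kH/s rate for a deliberately slow password hash is an illustrative assumption, not a measurement, and the charset/length grid is my own choice.

```python
# Added example, not from the thread or its GPT-generated table. Worst-case
# brute-force time = keyspace / hash rate. Rates: 100 GH/s MD5 as quoted in the
# post; 10 kH/s for a slow KDF is an assumed, illustrative value.
CHARSET_SIZES = {
    "digits only": 10,
    "lowercase": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}

HASH_RATES = {
    "MD5 @ 100 GH/s (quoted in post)": 100e9,
    "slow KDF @ 10 kH/s (assumed)": 10e3,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` hashes per second."""
    return keyspace(charset_size, length) / rate


_UNITS = (("years", 365 * 86400), ("days", 86400), ("hours", 3600),
          ("minutes", 60), ("seconds", 1))


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    if seconds < 1:
        return "under a second"
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"  # not reached: >= 1 always matches "seconds"


def crack_table(lengths=range(5, 17)) -> dict:
    """Return {(charset, length, rate_label): seconds} for the whole grid."""
    table = {}
    for cs_name, cs_size in CHARSET_SIZES.items():
        for n in lengths:
            for rate_name, rate in HASH_RATES.items():
                table[(cs_name, n, rate_name)] = seconds_to_exhaust(cs_size, n, rate)
    return table


def print_table(rate_name: str, lengths=range(5, 17)) -> None:
    """Print one rate's grid in the layout of the post's table."""
    rate = HASH_RATES[rate_name]
    print(f"\n{rate_name}")
    print("len " + "".join(f"{name:>32}" for name in CHARSET_SIZES))
    for n in lengths:
        cells = (humanize(seconds_to_exhaust(s, n, rate)) for s in CHARSET_SIZES.values())
        print(f"{n:>3} " + "".join(f"{c:>32}" for c in cells))


if __name__ == "__main__":
    for rate_name in HASH_RATES:
        print_table(rate_name)
```

Two things the grid makes visible that the thread argues about later: a five-character lowercase-plus-digits password (36^5, about 60 million candidates) is exhausted offline in well under a second at the quoted MD5 rate, and the same keyspace against a slow, iterated hash takes hours rather than milliseconds. The numbers are an upper bound on a pure brute-force attacker; wordlist and rule-based guessing finds weak passwords far sooner than exhaustion.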
 
Likely there was some large-scale hack and people's compromised passwords were used on various websites. I saw a few accounts on my forum also start spamming in the last few days.
 
I’ve been using LastPass from day 1 up until their breach of Aug 2022.

Now, Lastpass belongs in the graveyard, after how poorly their security was, which was discovered after their breach.

I’ve moved to 1Password since I like their feature set and ease of use, but it’s not free.
I recommend Bitwarden for everyone who doesn’t want to spend money.
Both have a reputation that is rock solid.
 
I’ve been using LastPass from day 1 up until their breach of Aug 2022.

Now, Lastpass belongs in the graveyard, after how poorly their security was, which was discovered after their breach.

I’ve moved to 1Password since I like their feature set and ease of use, but it’s not free.
I recommend Bitwarden for everyone who doesn’t want to spend money.
Both have a reputation that is rock solid.
Similar, except I've moved to Bitwarden, which is still free for a single user sharing some passwords with one other user.
 
I use a dedicated email address for that.
Every website gets its own email address.

This means I can blackhole them if they start to receive spam, plus I know which organisations leak email addresses into the wild.
 
There's lots of good advice here. One thing that all good authentication systems should do is implement an increasing delay with every failed login attempt up to a certain number, after which it's locked for a fixed period. This stops brute force attacks.
 
Huge +1. If you aren't already using something like Keepass or Lastpass, start before someone comes along and cleans out your bank account and sends your naked pictures to all of your relatives.
My bank locks the account after 3 unsuccessful attempts.
Why would I need some extreme overkill password?

I've been fine with a 5-digit alphanumeric nonsense password since 2007.

Really, instead of pestering people with more and more complex password shenanigans, give logins a time penalty after 2 wrong attempts, starting at 30s and doubling after that. Lock accounts after 10-20 attempts. This eliminates brute-force attacks.

Use 2FA in order to prevent DB leaks from being effective.

Though I'll be honest: 2FA for a forum like ASR seems WAY overkill. After all, ASR has no personal data from me.
Worst case: Senpai banhammers my account and I need to create a new one. Sure beats the hassle of reaching for my smartphone every time I log in.
 
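The throttling policy described in the two posts above (no penalty for the first couple of failures, then a delay that starts at 30 s and doubles, and a lockout after a fixed number of failures), written out as an added example. This is not code from any post in the thread; the class and method names are my own, the 15-minute lockout length is an assumed value, and the clock is injectable so the behaviour can be exercised without real waiting.

```python
# Added example, not from any post in the thread. Implements: first two
# failures free, then a penalty of 30 s that doubles per failure, and a lockout
# after `lockout_after` failures. The lockout length is an assumed value.
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass(frozen=True)
class ThrottlePolicy:
    free_attempts: int = 2          # failures tolerated before any delay
    base_delay: float = 30.0        # first penalty, in seconds
    lockout_after: int = 10         # failures that trigger the lockout
    lockout_seconds: float = 900.0  # length of the lockout (assumed value)


@dataclass
class _AccountState:
    failures: int = 0
    next_allowed: float = 0.0       # clock value before which attempts are refused
    locked_until: float = 0.0


class LoginThrottle:
    def __init__(self, policy: ThrottlePolicy = ThrottlePolicy(),
                 clock: Callable[[], float] = time.monotonic):
        self.policy = policy
        self.clock = clock
        self._state: Dict[str, _AccountState] = {}

    def check(self, user: str) -> Tuple[str, float]:
        """Call before verifying the password.

        Returns ("allow", 0.0), or ("wait"|"locked", seconds_remaining).
        """
        st = self._state.setdefault(user, _AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked", st.locked_until - now
        if now < st.next_allowed:
            return "wait", st.next_allowed - now
        return "allow", 0.0

    def record(self, user: str, password_ok: bool) -> Tuple[str, float]:
        """Call after verifying the password.

        Returns ("ok", 0.0), ("denied", penalty_now_imposed) or
        ("locked", lockout_length).
        """
        st = self._state.setdefault(user, _AccountState())
        now = self.clock()
        if password_ok:
            self._state.pop(user, None)   # success clears the counters
            return "ok", 0.0
        st.failures += 1
        if st.failures >= self.policy.lockout_after:
            st.locked_until = now + self.policy.lockout_seconds
            return "locked", self.policy.lockout_seconds
        over = st.failures - self.policy.free_attempts
        if over <= 0:
            return "denied", 0.0
        delay = self.policy.base_delay * 2 ** (over - 1)   # 30, 60, 120, ...
        st.next_allowed = now + delay
        return "denied", delay

    def attempt(self, user: str, verify: Callable[[], bool]) -> Tuple[str, float]:
        """Convenience wrapper: run the (expensive) password check only when allowed."""
        status, remaining = self.check(user)
        if status != "allow":
            return status, remaining
        return self.record(user, verify())
```

Two caveats a practitioner would add to the posts' claim that this "eliminates brute-force attacks": it only limits guessing through the login endpoint, not offline cracking of a stolen hash database, which is the point a later reply makes; and a lockout keyed on the username alone lets anyone lock a chosen account by sending wrong passwords, so production systems usually key the counters on username plus client address and prefer delays over hard lockouts for that reason.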
I doubt any cloud password service keeps passwords. They keep an encrypted filed to which they don't have the key.
We can argue over these details in another topic but everything depends on correctness of the specific implementation in its every detail. I lost trust in Lastpass after their latest embarrassment and what it revealed about their implementation and switched to KeePass. The main message I want to get across here is:

- don't reuse passwords
- use long random passwords in a password manager app where appropriate
- use long, hard-to-guess but memorable passwords for those you must remember, I like Schneier's method
- for critical assets, use multi-factor in addition to good passwords but not instead of
 
My bank locks the account after 3 unsuccessful attempts.
Why would I need some extreme overkill password?

I've been fine with a 5-digit alphanumeric nonsense password since 2007.

Really, instead of pestering people with more and more complex password shenanigans, give logins a time penalty after 2 wrong attempts, starting at 30s and doubling after that. Lock accounts after 10-20 attempts. This eliminates brute-force attacks.

Use 2FA in order to prevent DB leaks from being effective.

Though I'll be honest: 2FA for a forum like ASR seems WAY overkill. After all, ASR has no personal data from me.
Worst case: Senpai banhammers my account and I need to create a new one. Sure beats the hassle of reaching for my smartphone every time I log in.
Why would you want to know your passwords? Length doesn't matter when using a password manager. If you are reusing passwords you will eventually get hacked. I can find my old reused passwords from 10-15 years ago on "the dark web".

Every website gets its own email address.

This means I can blackhole them if they start to receive spam, plus I know which organisations leak email addresses into the wild.
Apple's Hide My Email is great. Only my financial institutions and my friends have my primary email. I probably should not trust my friends.
We can argue over these details in another topic but everything depends on correctness of the specific implementation in its every detail............

It's simply 256-bit encryption.
 
Many years ago, I was taught a simple, easy-to-remember password solution by my IT guy. Ingenious, as it allows every website a new password but, because of its structure, is simple to remember (because at its core is a repeatable password that is common for each website) and is incredibly secure (or not) depending upon the parameters selected in the structure chosen.
 
Why would you want to know your passwords? Length doesn't matter when using a password manager. If you are reusing passwords you will eventually get hacked. I can find my old reused passwords from 10-15 years ago on "the dark web".
Because I am not always using a device that has access to said manager?
Much better if >I< am the password manager.

I think instead of blindly believing in any software solution, be it cloud or otherwise, simple steps like delays after failed attempts + a robust 2FA are much better because they leave the control with the user instead of some random company.

Yes, indeed I consider the password used for ASR to be "compromised". It is only used on non-security relevant sites, such as gaming forums etc. Still, according to "pwn'd" site, my E-Mail has been compromised since ... 2013 :facepalm:.

Suffice it to say: I am not worried. Services with real data have other passwords anyway.
 
2FA is good for banking and you're probably fine if you use it, but
My bank locks the account after 3 unsuccessful attempts.
Why would I need some extreme overkill password?

I've been fine with a 5-digit alphanumeric nonsense password since 2007.

Really, instead of pestering people with more and more complex password shenanigans, give logins a time penalty after 2 wrong attempts, starting at 30s and doubling after that. Lock accounts after 10-20 attempts. This eliminates brute-force attacks.
This isn't really correct to my knowledge. If the DB is stolen they can crack your password offline and then log in with one attempt. This is why 2FA is also needed.
Use 2FA in order to prevent DB leaks from being effective.

Though I'll be honest: 2FA for a forum like ASR seems WAY overkill. After all, ASR has no personal data from me.
Worst case: Senpai banhammers my account and I need to create a new one. Sure beats the hassle of reaching for my smartphone every time I log in.
Tend to agree 2FA is overkill for forums though, since low-to-no personal information is stored here.

Also, the point of using password managers is not necessarily to have crazy-long passwords, although it makes it easy to do it. It's so you can have a different password on every site and not have to remember any of them.
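The reply above makes the point that a stolen database is attacked offline, where login throttling does nothing. The storage-side defence, shown here as an added example that is not code from any post in the thread, is a per-user random salt plus a deliberately slow iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library), placed next to the fast unsalted MD5 storage that the thread's 100 GH/s figure applies to. The function names and the `scheme$iterations$salt$key` record format are my own choices; the iteration count follows OWASP's published guidance for PBKDF2-HMAC-SHA256.

```python
# Added example, not from any post in the thread. Contrasts unsalted MD5 storage
# (fast, identical passwords collide) with salted, iterated PBKDF2-HMAC-SHA256.
# Record format "pbkdf2_sha256$<iters>$<salt b64>$<key b64>" is my own choice.
import base64
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000   # OWASP Password Storage Cheat Sheet value for PBKDF2-HMAC-SHA256


def legacy_md5(password: str) -> str:
    """Unsalted MD5: identical passwords give identical, fast-to-crack hashes."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, *, iterations: int = PBKDF2_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record; a fresh 16-byte salt is drawn per call."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"pbkdf2_sha256${iterations}${b64(salt)}${b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True if the record predates the current scheme or iteration policy.

    Call after a successful login, when the plaintext is available, to
    upgrade old records in place.
    """
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("two users, same password, legacy MD5 collide:",
          legacy_md5("hunter2") == legacy_md5("hunter2"))
    print("same password, PBKDF2 records differ:",
          hash_password("hunter2") != hash_password("hunter2"))
```

Each verification costs the defender one slow computation per login, but it costs an attacker with the stolen table the same slow computation per guess per user, since the salt prevents one hash from being tested against every account at once. That is the difference between the post's "100 billion hashes per second" and a rate of thousands per second; it does not rescue a reused or five-character password, which is why the thread's advice on unique passwords and 2FA still stands.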
 
Every website gets its own email address.
I've had an email account from an Australian outfit, which allows sub-domaining and/or aliasing of your email address.
Paid member for 24 years, and if you get spammed (even if your individual email address is given to 3rd parties or sold), you don't even have to 'unsubscribe'; you can block spam or any email, and it will be sent directly to the 'trash' folder.
It further allows you to determine/trace the source of those who forward your 'aliased' email address to others. :)
 
I use Proton Pass which supports some cool features like email aliases so the site won't have to know your real email. Also can store encrypted notes, etc. Works with phones and browsers.
 