
Important: Another Wave of Account Hacks

Ok, so a fastasfuch computer can create a list of passwords that includes your password in a nanosecond.

How does it figure out which of the gazillion passwords in the list it created is the one you are using for some purpose?
The way passwords are often stored on a system is as a one-way encrypted hash number.

You enter the password, the algorithm converts it to a hash, and if the hash matches you are allowed in.


When a site is hacked it is possible all the hashes are also obtained by the hackers. In this case, they can (offline, and as fast as their computer can do it) brute force to find out what passwords match the hashes they have. Once they find a match, they can get into that account. Simple passwords are cracked in this way very quickly; they can gain access to all the accounts with simple passwords on the hacked site within hours, or even minutes. And then retry those email/password combinations on many other sites.
 
If the hash function is computationally slow, and it should be, e.g. argon2 with sensible parameters, and if there's a reasonable minimum complexity password policy, and the hashes are properly salted to thwart rainbow attacks, then this approach to a brute force attack is inefficient.

However, as you see, there's a lot of detail to getting this stuff right and I don't trust most web sites to not screw it up. That's why I use unique, long random passwords so that even if the policy and hashing on the web site is crummy then my passwords will still be hard to find.

It sucks that we have to take so much care about this but that's life.
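The storage scheme the posts above describe (one-way hash, a random salt per user, a deliberately slow function, verification by re-hashing), as an added example that is not from this thread. It uses scrypt from Python's standard library in place of the argon2 mentioned; the cost parameters and the record format are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumed values; 128 * N * r bytes of memory,
# here 16 MiB, is what makes mass offline guessing expensive).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record 'scrypt$<salt hex>$<digest hex>'.

    A fresh random salt per record means two users with the same password
    get different hashes, so a precomputed (rainbow) table is useless and
    each stolen hash has to be attacked separately.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare in constant time.

    The plaintext password is never stored; only the record is needed.
    """
    try:
        algo, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False  # unknown or legacy scheme: refuse rather than guess
    candidate = hashlib.scrypt(password.encode("utf-8"),
                               salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def salts_make_records_differ(password: str) -> bool:
    """Storing the same password twice yields two different records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("password123", rec))  # False
```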
 

Exactly. Plus we have to remember that computer power is getting better all the time, and hackers are hoovering up data and storing it in the hope that what now is not viable to brute force, will be in the future. Although that is probably not a huge issue for most of us.
 
I have no idea why anyone would bother to hack this website - at least my payment info is abstracted through PayPal or some other portal, so good luck getting personal or payment info. And if anyone else wants to waste time trying to impersonate me, I'd wonder what their weird motivation is. :)

That said, get passwords that are hard for others to crack, always and everywhere.
 
If I remember correctly there was a complicated random password offered upon login and I accepted that so it is different than all my other passwords. That should be safe.
 
My guess is the motivation for hacking this is to find people who re-use passwords and did so for more important accounts.
 
I recently read somewhere that most user account hacks are caused by 3rd party Chrome Chat GPT addons/extensions that people install.
Not necessarily, but the hacking is done through Chrome, yes... towards saved passwords/usernames/email names.
Basically it decodes your entire Google Account's history, taking everything you've used as login details, and even if you have a saved username/email name without the account's password, it will try any other password you have stored from other websites and eventually succeed in logging in and/or changing the account's email/password, then start spamming something useless like entire blocks of Bible verses or just random text-generated essays.
 
I purchased a 14-pin TPM module during a previous PC build and noticed that the product was manufactured in China.

I saw the irony, and asked the implications of a "Trusted Platform" sourced from our adversaries but did not see an Asus reply to my liking, thus escalated the issue ALL the way up.
Result: Even a TPM has become suspect as to what 'trust' really means. Personally, I have given up on that notion.
 
The good news is that components like TPM2 can't offer backdoor access. It would be way too easy to establish.
It is in far more complex systems, with top-to-bottom elements, where things get more difficult to establish.
If it wasn't that way, I don't think we'd be inviting the Toppings and SMSLs etc. into our audio chains (well, I don't, but many seem to). And many components we have are at home. I do supervise every uninitiated flow that comes out of my place, etc.
 
There was a rumor of tiny chips on Supermicro server boards years ago, and subsequent questioning of how information from Russia could be obtained (by just using Taiwan technology)?

But aside from this: what about FIDO with 2FA? Would that not solve most problems?
 

The password thing is a total PITA. There will probably never be a fail-safe technology for keeping passwords secure. Seems like every day Google and other sites are asking me to change passwords. Passkeys were supposed to be the most advanced system security but, two years later, it seems that not many sites are using passkeys. Maybe it's not as good as they thought. Just wait until quantum computers render RSA encryption obsolete.
 
I think passkeys are purely an adoption problem. There are a handful of questions/concerns the general public has when offered them. All those concerns have been answered and solved, yet most people don't believe it.
 
During a speech at the launch event for their new Jini technology on 25 January 1999, Sun Microsystems' CEO Scott McNealy addressed a group of reporters/analysts and stated that consumer privacy issues are a "…red herring," adding that "You have zero privacy anyway" and "Get over it."
Sadly, McNealy's comments came only hours after competitor Intel reversed course under pressure and disabled identification features in its forthcoming Pentium III chip.

ADD: I do not recall the source but my favorite security quote has always been "Everything is as secure as can be, until it is found NOT to be!"
 
Interesting that you brought up hardware.

My new PC build was bricked less than a year after I built it, by GGG Company and one of their Path of Exile game updates (version 3.22).

As soon as the updater finished downloading and installing, my internet connection went off before I even tried launching the game, and I couldn't reconnect until I called the office the next day, since it happened at around 3-4 AM. What they told me was that their system showed my PC was virus-infected and auto-protection banned my HWID or something... Then they "unbanned me" after I tried to launch the game, and the same thing kept happening every time, even after a couple of OS reinstallations (which obviously removes any software-based virus). My Twitter account started reposting and liking random crypto pages and got banned twice, my Reddit account is currently perma-banned, and my internet provider said they just removed their protection towards my connection and that's their solution. However, after these things happened I gave up on using the PC and put my old one on, which has an ASUS motherboard, and after using it for a couple of months without the previous issues, my Instagram account got stolen and its email changed to a random Russian-domain one, and its password as well; a few of its latest posts were deleted and the account has stayed idle until this day without any staff support. So there you go, as mentioned in my previous post, it is either a virus stored somewhere in Chrome/Google Account, which is less likely, or it's a hardware matter, ports triggered via voltage abuse or what else, idk, I'm not really a hacker... Funny thing is, the ancient HDD my old PC was using got fried a few years back by the same GGG company upon reaching a certain point in their game, let's say opening a "Treasure Box" for example, giving me a loss of everything I stored from my 20s... most importantly all of my memes :D

So there is that; it could be any hardware particle in your system, it could be the display monitor you are using, who knows... If you've got the time, go research it in detail.

Oh, forgot to say that after some period of me playing that game with the new PC, upon entering full-screen mode it looked like you were being dual-monitored, and also the game started stuttering as if it is logged/running twice on your computer, which was not the case in the very first months. So be aware of targeted political assassinations, LOL.
 