Hackers Behind Biggest-Ever Password Theft Begin Attacks

Soulskill posted about a month and a half ago | from the 123456-letmein-iloveyou-trustno1 dept.


An anonymous reader writes Back in August, groups of Russian hackers assembled the biggest list of compromised login credentials ever seen: 1.2 billion accounts. Now, domain registrar Namecheap reports the hackers have begun using the list to try and access accounts. "Overnight, our intrusion detection systems alerted us to a much higher than normal load against our login systems. ... The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account. The hackers are going through their username/password list and trying each and every one to try and get into Namecheap user accounts." They report that most login attempts are failing, but some are succeeding. Now is a good time to check that none of your important accounts share passwords.
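The summary describes the defender's side of a credential-stuffing run: a replayed list of leaked username/password pairs shows up as a burst of logins against many distinct accounts from the same source, most failing and a few succeeding. The detector below is an added example, not Namecheap's system or any code from the story; it runs over constructed log lines in an assumed "timestamp ip user result" format and flags sources that attempt many distinct usernames inside a short window, listing the accounts that succeeded during the burst (the ones a site would want to lock and notify). A single user retyping a mistyped password from one address is deliberately left unflagged.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (assumed format: "timestamp ip user result").
# 198.51.100.7 walks through six different usernames in five seconds; 203.0.113.5 is
# one user who mistypes once and then logs in; 192.0.2.10 is ordinary traffic.
SAMPLE_LOG = """\
2014-09-01T02:00:01 198.51.100.7 alice FAIL
2014-09-01T02:00:02 198.51.100.7 bob FAIL
2014-09-01T02:00:02 198.51.100.7 carol FAIL
2014-09-01T02:00:03 198.51.100.7 dave OK
2014-09-01T02:00:04 198.51.100.7 erin FAIL
2014-09-01T02:00:05 198.51.100.7 frank FAIL
2014-09-01T02:00:09 203.0.113.5 alice FAIL
2014-09-01T02:00:20 203.0.113.5 alice OK
2014-09-01T02:01:00 192.0.2.10 grace OK
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_attempts=5, min_distinct_users=4):
    """Return {ip: summary} for sources whose attempts inside any sliding window
    cover at least min_distinct_users different accounts.

    The distinct-user threshold is what separates a list replay from a legitimate
    user retrying their own password a few times."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e[0])
    per_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        per_ip[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in per_ip.items():
        recent = deque()  # events from this ip inside the current window
        for ts, user, ok in evs:
            recent.append((ts, user, ok))
            while recent and ts - recent[0][0] > window:
                recent.popleft()
            users = {u for _, u, _ in recent}
            if len(recent) >= min_attempts and len(users) >= min_distinct_users:
                # Keep the latest (largest) view of the burst for this source.
                flagged[ip] = {
                    "attempts": len(recent),
                    "distinct_users": len(users),
                    # Accounts the list actually opened: candidates for lockout + notification.
                    "successes": sorted({u for _, u, ok in recent if ok}),
                }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

Thresholds are tuned per site from the normal baseline; the point of the `successes` list is that a successful login inside a flagged burst is itself the signal to act on, independent of whether the password was strong.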


107 comments


Welp (1)

Anonymous Coward | about a month and a half ago | (#47803343)

Time to TFA bitches!

Re:Welp (1)

tysonedwards (969693) | about a month and a half ago | (#47808387)

Now this seems like a much more plausible source of the fappening pictures that are making their way to the interwebs than repeated, undetected brute force attempts going on for months straight... Just a thought.

McCarthy Era is Back! (-1)

Anonymous Coward | about a month and a half ago | (#47803355)

Government is now spooking poor redneck children with stories of Vladimir Putin and Russian rebels and hackers.

Change your password and enable 2 factor auth... (0)

Anonymous Coward | about a month and a half ago | (#47803391)

I suggest changing your Namecheap password and enabling 2 factor authentication. Problem solved.

Re:Change your password and enable 2 factor auth.. (2)

onproton (3434437) | about a month and a half ago | (#47803587)

My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.

Re:Change your password and enable 2 factor auth.. (4, Informative)

Charliemopps (1157495) | about a month and a half ago | (#47803761)

My suggestion to Namecheap (and other domain registrars or hosting companies) would be to lock them all down if possible, force all users to change the passwords from e-mail or other contact method before they can login again. We don't know what they have and we don't know what their plans are. This is a gaping security hole in the internet.

Unless the users had the same password for their email account, which is likely. This is the problem with the username/password system: people want single sign-on, but companies don't want to cooperate unless it involves giving up any shred of anonymity, i.e. Facebook/Google logon.

Re:Change your password and enable 2 factor auth.. (1)

Anonymous Coward | about a month and a half ago | (#47803915)

Yeah it's bad, and I protect my shit to the max and I still worry. The problem even with all the safeguards it only takes one gullible tech support person to completely destroy it. A 90 trillion character password is worthless if you can get it reset over the phone with half-assed information.

I talked AOL into resetting my password with only my name spelled incorrectly back in the day. "boredom at its finest" It made me feel so warm and fuzzy ins.. I mean terrified that I changed my service the same day.

Too late (0)

Anonymous Coward | about a month and a half ago | (#47803439)

Now is a good time to check that none of your important accounts share passwords.

Now is too late. Sadly the users with bad/duplicate passwords won't get the message until they are actually harmed by them.

Re:Too late (4, Insightful)

plover (150551) | about a month and a half ago | (#47803649)

With a billion credentials, they certainly haven't had the chance to exploit them all yet. It's too late for 0.01% of the victims, but not too late for the rest of us.

Re:Too late (-1)

Anonymous Coward | about a month and a half ago | (#47803819)

You're still here plover? How's your Fat Aunt Sally doing these days? Did that rash ever clear up?

Re: Too late (1)

O('_')O_Bush (1162487) | about a month and a half ago | (#47805661)

Really? You are going with the "blaming the victim" route?

How about this one. There are probably over 100 websites that have stored my credit card information in their own proprietary system because every company seems to have "not developed here" syndrome, and making each uname/password combo is very difficult without some easy to guess alto, or even remembering where accounts might have been created already. And on top of that, nobody has any clue who was affected or how they were affected because the only group claiming to have any idea what happened has refused to divulge that information, giving the hackers free rein to continue to exploit vulnerabilities no matter how users respond.

So any attempt at blaming users seems awfully idiotic in the face of everything else.

Re: Too late (1)

O('_')O_Bush (1162487) | about a month and a half ago | (#47805671)

Damn phone makes posting nearly impossible.

Uname/password combo unique*

Algo* not alto

Re: Too late (1)

weszz (710261) | about a month and a half ago | (#47805811)

Get a password management program.

I've been using one for just over a year, there is a master password that isn't stored anywhere, and everything i log into has a different password.

If I need to log in at home i fire up the program and it will autofill passwords on the right sites, if i'm at work i use my phone or the website to get the passwords, and it reminds me every x amount of days to reset the passwords.

not 100% since nothing is, but much better than the old methods.

Re: Too late (1)

johnnnyboy (15145) | about a month and a half ago | (#47806185)

Hi weszz,
Any password programs that you recommend I can start using or look at?
Ideally something that will work on my android tablet but even then I worry about the security of my tablet itself.

Re: Too late (1)

WuphonsReach (684551) | about a month and a half ago | (#47806513)

Encrypt the tablet / phone - use a 6-9 digit PIN (which is a lot better than just a 4-digit PIN). Have the device wipe after 10 bad attempts (the default on Android).

Most thieves, when presented with that obstacle - will just reformat the device for sale rather than try and steal information off of it.

As for apps, KeePass / LastPass are frequently mentioned. My personal preference is a strong master password in Firefox, and just let it remember the 100s of secondary website account passwords (i.e. not my bank, webmail, or other financial sites). The best choices are those where you set up your own WebDAV cloud storage on your own hardware, and use that to keep things synchronized.

Re: Too late (1)

coop247 (974899) | about a month and a half ago | (#47806751)

I use 1Password and really like it. In addition to the site logins I store a bunch of server username/PW in encrypted notes. You can also store files (like my SSL certs) encrypted. I cannot talk about how it works on Android, I don't use it on mobile. I know you can, I just don't.

Re: Too late (1)

weszz (710261) | about a month and a half ago | (#47807769)

I've been using Dashlane, it's been really good for me, there is a cost and a free trial. If you want the 6 month trial let me know and i'll post a link.

The benefit that gives is password syncing, so it's stored by them as well as your phone/tablet and computer, your master password decrypts them so they can be used. Dashlane also alerts me to any website i have a password for that reports a hack so i know right away to change the password.

This won't do anything for device encryption, just passwords.

Re: Too late (1)

johnnnyboy (15145) | about a month and a half ago | (#47809147)

Dashlane looks like exactly what I need, and the cost is pretty small compared to its features. Let me give the free trial a go - or is 6 months the default trial period?

Re: Too late (1)

weszz (710261) | about a month and a half ago | (#47809205)

Here's a link to the longer trial
https://www.dashlane.com/en/cs... [dashlane.com]

Re: Too late (1)

weszz (710261) | about a month and a half ago | (#47809251)

I THINK the normal trial is a month, so this will give you more time to see if it works for you. Otherwise local only is free, the syncing stuff is what the premium stuff is for.

Re: Too late (0)

Anonymous Coward | about a month and a half ago | (#47806307)

I use one too, but the day when a widespread virus starts grabbing entire password databases from memory is inevitable. The damage is going to be leaps and bounds beyond anything that could have happened by just reusing passwords on a handful of sites, especially since I'd guess that a disproportionately high percent of password managers are used by techies and server admins.

In the last year or so I've actually deleted the two most important accounts from the database (primary email address and bank) and made myself remember the logins so that if/when someone gets the database, I still have a lifeline via "password reset" on a million various sites to my email address.

Re: Too late (1)

weszz (710261) | about a month and a half ago | (#47809387)

May be off in my understanding of dashlane, but I don't think it decrypts it until you have a request for it. With that something may be able to figure out how to start requesting them, but I have more faith in that process handing the password off to their agent for a browser than what I know of ones that use a file you put on dropbox to keep safe... yes you can encrypt the whole database, but that to me makes it more susceptible...

I also wouldn't personally trust one from symantec, mcafee or one of those that try to be everything to everyone... I feel better about one that does one thing well instead of an afterthought product to get more in there.

Re: Too late (1)

jeffmeden (135043) | about a month and a half ago | (#47807975)

Really? You are going with the "blaming the victim" route?

How about this one. There are probably over 100 websites that have stored my credit card information in their own proprietary system because every company seems to have "not developed here" syndrome, and making each uname/password combo is very difficult without some easy to guess alto, or even remembering where accounts might have been created already. And on top of that, nobody has any clue who was affected or how they were affected because the only group claiming to have any idea what happened has refused to divulge that information, giving the hackers free rein to continue to exploit vulnerabilities no matter how users respond.

So any attempt at blaming users seems awfully idiotic in the face of everything else.

How many companies actually mandate saving a credit card within the account though? Almost all of them that I use (although not most of them by default) allow payment via a nonsaved credit card, so an attacker can't do anything nefarious after gaining access to the account. It does require more effort though. But yes, to your point it is silly to blame the user when clearly the actual mistake was made by the site that lost the credentials through bad security management. I will however raise you one more. JP Morgan Chase spends $200 million dollars a year *just on computer security*. And they still lost data. We need to move beyond a blame the victim (be they the user or the site manager) to a point where we account for the inevitability of data loss.

Notified and ignored? (0, Troll)

bjwest (14070) | about a month and a half ago | (#47803455)

Did Namecheap notify its users via email that their system was compromised and they need to change their password? If so, and they ignored it, oh well, it's your own damn fault. If Namecheap didn't notify its users via email, then Namecheap is at fault and should be accountable for any damages, monetary or otherwise.

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47803481)

Unless I'm mistaken, it would seem that the passwords were stolen from other websites (wasn't Ebay one of them?), and affects users that use the same password for Namecheap.

So, if that is the case, it really isn't up to Namecheap to inform users that passwords have been stolen from some other source and may one day be used against them should they re-use that password.

Re:Notified and ignored? (5, Informative)

Enry (630) | about a month and a half ago | (#47803489)

From the namecheap link:

I must reiterate this is not a security breach at Namecheap, nor a hack against us. The usernames and passwords the hackers are using have been obtained from other sources. These have not been obtained from Namecheap. But these usernames and passwords that the hackers now have are being used to try and login to Namecheap accounts.

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47803519)

Yeah, it's not Namecheap's fault that credentials were stolen, but that wasn't the original poster's point. The point is if Namecheap has a system to detect suspicious logins then they should also notify the account owner of that suspicious login. If they do not then any damage done once the account is compromised can in part be blamed on Namecheap.

That said, as a user of Namecheap I'm guessing they are notifying the account owners of the suspicious login activity since they seem like the type of company that would do that. I'd be disappointed if they didn't.

Re:Notified and ignored? (2)

QuietLagoon (813062) | about a month and a half ago | (#47803691)

... but that wasn't the original poster's point....

Au contraire, that was the OP's point. The OP threw an unsubstantiated accusation at namecheap.com: "Did Namecheap notify its users via email that their system was compromised".

The OP stated, incorrectly, that namecheap's system was compromised.

Re:Notified and ignored? (1)

mlts (1038732) | about a month and a half ago | (#47804215)

Ideally, all providers should have some 2FA mechanism. name.com has two options, true 2FA with TKIP [1], and an authorized IP list where if you are not using an IP the site knows about, it will E-mail you with a link to log on. Of course, the IP list isn't extremely secure as if the E-mail account is compromised, it can be added... but it would stop entry for someone who managed to guess a password.

[1]: One can use many apps for this: Google's Authenticator, Amazon's AWS, or decent number of others.

Re:Notified and ignored? (1)

WuphonsReach (684551) | about a month and a half ago | (#47806293)

These days the password on your email account is more important than your bank account password...

Because if they can gain access to your email, they can do password resets to gain access to dozens / hundreds of your accounts.

Some of the web email providers have 2FA (two-factor authentication) - those are probably better choices if you don't run your own email server.

Re:Notified and ignored? (1)

mlts (1038732) | about a month and a half ago | (#47806683)

One thing I wish Exchange [1] had was the ability (and would be turned off by default like POP and IMAP support) to have application passwords, as well as the ability to support 2FA if someone is logging in via the Internet.

It is ironic that all of my "free" E-mail accounts have 2FA on them, while my paid providers don't have this functionality.

[1]: Probably AD as well, for storing the random seed key for the secondary authenticator, as well as when to ask for the authenticator versus just the password only.
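The posts above talk about the pieces a provider needs for app-based 2FA: a per-user random seed stored server-side, a policy for when to demand the code, and a verifier for what the authenticator app shows. As an added example (not name.com's, Exchange's or any authenticator app's own code), this is a TOTP verifier as defined in RFC 6238 on top of HOTP (RFC 4226), which is what Google Authenticator and similar apps implement. It includes the two checks a practitioner cares about: a small clock-skew window so a phone a few seconds off still works, and a last-used-counter record so an intercepted code cannot be replayed inside that window. The fixed seed in the demonstration is the RFC test-vector secret; a real enrollment uses `secrets.token_bytes`.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)


def totp(secret, at_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the time step."""
    return hotp(secret, int(at_time // step), digits)


class TotpEnrollment:
    """Server-side record for one user's second factor: the random seed plus the
    highest counter already accepted (the anti-replay state)."""

    def __init__(self, seed=None):
        # Assumption: 160-bit seed, the size the RFCs use for SHA-1 based codes.
        self.seed = seed if seed is not None else secrets.token_bytes(20)
        self.last_counter = -1

    def provisioning_secret(self):
        """Base32 form of the seed, the encoding authenticator apps are enrolled with."""
        return base64.b32encode(self.seed).decode()

    def check(self, code, now=None, skew=1, step=30):
        """Accept the code if it matches the current step or one within +/- skew steps,
        and has not been used before. Comparison is constant-time."""
        now = time.time() if now is None else now
        counter = int(now // step)
        for c in range(counter - skew, counter + skew + 1):
            if c <= self.last_counter:
                continue  # already consumed: reject replay of an earlier code
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    # Demonstration with the RFC 4226/6238 test secret, not a real user's seed.
    enrollment = TotpEnrollment(b"12345678901234567890")
    print("enroll app with:", enrollment.provisioning_secret())
    print("code at t=59:", totp(enrollment.seed, 59))
    print("accepted:", enrollment.check("287082", now=59))
    print("replayed:", enrollment.check("287082", now=59))
```

The policy question in the post (when to ask for the code at all, e.g. only for logins from the Internet or from an unknown address) sits in front of `check`; the verifier itself does not change with it.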

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47805433)

The point is if Namecheap has a system to detect suspicious logins then they should also notify the account owner

Assuming the attempt is against a valid account, then yes. But most of them aren't valid accounts.

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47803491)

Well, according to the story, Namecheap claims to have not been hacked. But what they think is going on is that people used the same account names and passwords for other sites, who just happen to have used those credentials for Namecheap's site.

Though whose sites were hacked is the question...

Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47803497)

It could be that the attackers are trying their list on Namecheap, not that they sourced the credentials from Namecheap. I suspect that we'll likely see login attempts to everything ranging from Wordpress to Gmail to Hotmail, with the attackers hoping that people use the same password in multiple areas.

Re:Google is your friend (2)

Technician (215283) | about a month and a half ago | (#47803609)

http://www.thedomains.com/2014... [thedomains.com]

The good news is that Namecheap found the attack early and took measures to defeat the attempt to log into NameCheap accounts; the bad news is this is not just a security issue for Namecheap but seems to be along the lines of the groups of Russian hackers which gained access to hundreds of thousands of email accounts and millions of user IDs and passwords last month, so it's an issue for all Internet users.

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47803705)

it's means it is. Just thought I'd notify you.

Re:Notified and ignored? (1)

ayesnymous (3665205) | about a month and a half ago | (#47803765)

Did Namecheap notify its users via email that their system was compromised and they need to change their password? If so, and they ignored it, oh well, it's your own damn fault. If Namecheap didn't notify its users via email, then Namecheap is at fault and should be accountable for any damages, monetary or otherwise.

I have a few domains at Namecheap and I have never received an email about this.

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47804691)

Duh. The Russian hackers' bot deleted it, right after it clicked the link inside.

Re:Notified and ignored? (5, Interesting)

Charliemopps (1157495) | about a month and a half ago | (#47803787)

If so, and they ignored it, oh well, it's your own damn fault.

I hear this argument a lot. But the fact of the matter is, if you're neighbor is stupid enough to let their kids play with matches... yes, that's their fault, but that doesn't mean your house isn't going to burn down right along with theirs. A breach of this scale could have repercussions for the internet as a whole. I run into this attitude at work all the time... let's say we're building a website and we put a button on the screen over to the right, but if they have the window too small they can't see that button. Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!" at which point I pipe up and say "We want stupid people's money too, don't we?"

You can't just ignore stupid people on the net. That's about 99.99% of people, and they're paying for the rest of us to actually use it properly.

Re:Notified and ignored? (1)

Anonymous Coward | about a month and a half ago | (#47803995)

FYI, "you're" means "you are". I think you meant "your neighbour".

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47805329)

Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!"

<rant>
I get plenty of that here too, but it's not the user who is being stupid, it's the moron who tries to cover his design flaws with such a remark.
Web content should adjust itself to match the user's display and window, not the other way around.

I'm so fed up with all those websites that show their content as a 10 cm (or 4 inch if you prefer) vertical band in the middle of the window, that my browser window is set to accommodate not much more than that by default. Wider sites should reflow to fit that. If they don't, they're even more wrongheaded than those that insist on turning your screen estate into 80% empty space if you dare to run your browser full screen.
</rant>

Re:Notified and ignored? (1)

jafiwam (310805) | about a month and a half ago | (#47805975)

Someone invariably says something to the effect of "Well, you'd have to be an idiot to have your window shrunk down to that size! It's their own fault for being stupid!"

<rant> I get plenty of that here too, but it's not the user who is being stupid, it's the moron who tries to cover his design flaws with such a remark. Web content should adjust itself to match the user's display and window, not the other way around.

I'm so fed up with all those websites that show their content as a 10 cm (or 4 inch if you prefer) vertical band in the middle of the window, that my browser window is set to accommodate not much more than that by default. Wider sites should reflow to fit that. If they don't, they're even more wrongheaded than those that insist on turning your screen estate into 80% empty space if you dare to run your browser full screen. </rant>

Don't be such a short-sighted idiot.

The tools to do that are only a year or two old. It takes time to cycle through old tech and use new tech in a web site. There is ALWAYS some new thing that newer browsers will do that you can't use because it's brand new, and requires a rebuild of the site. Like, every week there is something new. For many years, people were waiting for IE8 to die out with XP.

Rebuilding a site is expensive, especially if it's a commercial site and the company isn't big enough to have an expert on staff.

Again, don't be an idiot. Or, grow up.

.... stupid millennials....

Re:Notified and ignored? (0)

Anonymous Coward | about a month and a half ago | (#47806979)

The tools to do that are only a year or two old.

.... stupid millennials....

What are you talking about? There have always been stupid sites that think your screen should be a certain size. Plain old HTML from the early nineties could reflow or not depending on how you set it up. That was the whole point of a markup language. It describes content independent of presentation.

I don't ever run windows full screen, but if people so choose, the site should reflow accordingly. I frequently have the opposite problem. My ideal window size would be about 900 pixels wide or so. This is apparently such a grievous sin these days that websites frequently do what GP mentioned. Buttons etc. are out of sight. (fortunately so are most ads). Even on /. I have to have about 1100 pixels to avoid side scrolling.

It's one of the reasons I like Medium.com so much. They reflow everything: text, images, whitespace. Sure there's some extra whitespace on the sides if you maximize, but who has eyes that can track all the way from one end of the screen to the other anyway?

side note: just checked w3schools just assuming they would be good at the whole reflow thing. NOPE!

Re:Notified and ignored? (1)

operagost (62405) | about a month and a half ago | (#47807095)

Are you being sarcastic? The tool to do that is 18 years old, and it's called "cascading style sheets".

And this is why (0)

Anonymous Coward | about a month and a half ago | (#47803477)

hackers should be taken out back and fed to the pigs. Alive.

Re:And this is why (1)

CaptainDork (3678879) | about a month and a half ago | (#47803529)

Yes. Don't kill the pigs.

Re:And this is why (1)

some old guy (674482) | about a month and a half ago | (#47805287)

But bacon!

Re:And this is why (1)

binarylarry (1338699) | about a month and a half ago | (#47803807)

Cops like donuts, not Russian mobster hackers.

Re:And this is why (0)

Anonymous Coward | about a month and a half ago | (#47806013)

Ahhhh, however, Russian mobster hackers buy donuts for the cops... win win win

Anyone else get "sanction" as their captcha for using "Russian" in their post?

So apparently celebrities use the same password (0)

Anonymous Coward | about a month and a half ago | (#47803499)

So apparently celebrities use the same password, this is how their accounts were hacked. Duh

Two-Factor Authentication (2)

muphin (842524) | about a month and a half ago | (#47803513)

Although annoying i'm glad i have enabled 2-factor on Namecheap, plus my passwords are different from my email...

Re:Two-Factor Authentication (5, Informative)

Technician (215283) | about a month and a half ago | (#47803621)

If you have a Gmail account, look for the Last Account Activity at the bottom right. Use the Details link to see your recent history. Set your preferences to alert you to unusual account activity. More accounts should notify you of unusual logins and login attempts.

Re:Two-Factor Authentication (2)

olsmeister (1488789) | about a month and a half ago | (#47803739)

Google also has two step verification, where a code will be sent to your phone via SMS that you need to enter in order to log in to your Gmail account. A little more hassle, a lot more security.

Re:Two-Factor Authentication (0)

Anonymous Coward | about a month and a half ago | (#47804239)

It's worth it; given how much a Google login can be worth, in the form of the ability to purchase things or control over YouTube channels, it is stupid not to use the SMS 2 factor.

Re:Two-Factor Authentication (1)

Mashiki (184564) | about a month and a half ago | (#47804541)

Interestingly enough, Google will also request 2-step verification if you have a mobile number up and you're logging in from another part of the world. A few months back someone tried to log into this gmail account; it was blocked automatically. They then tried to reset the password and I got an SMS challenge on my cell. It's also smart enough to know that if you've been one place before, it's likely you as well. I regularly head to the far northern part of Canada, very few ISPs and broadband. The first couple of times it gave an SMS challenge, the last two times I've been out it hasn't.

Re:Two-Factor Authentication (0)

Anonymous Coward | about a month and a half ago | (#47807279)

Interestingly enough, Google will also request 2-step verification if you have a mobile number up and you're logging in from another part of the world. A few months back someone tried to log into this gmail account; it was blocked automatically. They then tried to reset the password and I got an SMS challenge on my cell. It's also smart enough to know that if you've been one place before, it's likely you as well. I regularly head to the far northern part of Canada, very few ISPs and broadband. The first couple of times it gave an SMS challenge, the last two times I've been out it hasn't.

This feature can be a HUGE pain. I have known someone who travels yearly. Two years in a row, he had Hotmail refuse to work because of the 2000 mile difference from his original country. He was here for months, and all other ways of authentication were a pain. Not being very computer literate will cause headaches that they can't begin to understand. The first year, we basically used his backup email to do a reset. The second, he had magically forgotten the password for the backup. The backup, also being run by Hotmail, obviously was a no-go.
I reluctantly got him onboard with a Google+ account, which I was somewhat cynically expecting to refuse to work once he travelled the 2000 miles back to his home.

Larger Implications? (1)

onproton (3434437) | about a month and a half ago | (#47803547)

Reports at the time were that they stole billions of passwords, so why only target the domain registrar? This could be a sign of worse things to come, how many accounts have they accessed without alerting an IDS, and what are they doing once they gain entry. By starting with the domain registrars, they could gain much more information than even their previous massive trove of user data. This is highly troubling.

Why? Simple bullshit is why. (4, Informative)

s.petry (762400) | about a month and a half ago | (#47803903)

The first report was bullshit by some nobody to make money, nothing more and nothing less. This is more of the same bullshit to make bogeymen, and Russia has been a good target lately. I have worked in IT security for nearly 3 decades, so yes I do have some knowledge.

The 1.2 billion "credentials" was nothing to worry about (see disclaimer below), and still isn't. Hackers move massive lists of email addresses all the time, and try to run brute force attacks all the time. We block hundreds of thousands of these attacks every day. The majority are [email_addr@domain] with a password of 'password1'. Most of the time these are easy to see, as neither the user nor the domain exists on the targeted servers. Even the legit addresses are easy to detect, because hackers will use the top 25 worst passwords (just like you can find in articles every year, no I'm not kidding). Rarely do I ever see anything complex, like .00001% of the time rare, where there is actually a worm running on the back end (think John the Ripper).

If I was a conman and wanted to make fast cash, I could start dumping all of these email addresses to a DB, and say "Oh Noez! This email account is haxxored!" When in reality, there is no such compromise. To fluff numbers, I hash 'password1' in SHA, MD5, CRYPT, and maybe even use plain text. 300 million accounts has now given me a claim of 1.2 billion 'credentials', and you can hopefully see that the claim is complete shit! I can gather that 300 million addresses in a week without breaking a sweat.

Disclaimer. You should be changing passwords for anything you care about frequently. 8 character passwords every 90 days, 14-16 character every 6 months. If you are using a strong password and are up for a change, go do so, no big deal. Since I write this shit for policies regularly, a "strong" password consists of the following.
1. No dictionary words, proper names or common acronyms in forward or reverse.
2. No QWERTY keys, including qazwsx, 54321, etc...
3. Contains at least 1 special character, 1 number, 1 upper and 1 lower case character.
4. Is not 'p@SSw0rd' or some other l337 speak that would be in a cracklib dictionary, and there is plenty there.

There are obviously restrictions in some places, so if you can't use certain characters make a longer password. If you can't make a longer password change the password more frequently. The majority of 'hackers' are script kiddies, not hackers. If you make things hard, they find a different target. There are numerous people out there that use 'password1' for their password, don't be one of them.
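The four rules in the post above are the kind of thing a registration form or a password-change handler enforces server-side. The checker below is an added example of such a policy, written here rather than taken from the post or from cracklib: the word lists are tiny constructed stand-ins (a real check loads a full dictionary, as the post's cracklib reference implies), the keyboard rows and the leet-speak substitution table are assumptions, and the minimum length is a parameter since the post leaves it to the site. It returns every rule a candidate breaks rather than stopping at the first, which is what a user-facing error message needs.

```python
import re

# Constructed stand-ins for the word lists a real policy check loads from cracklib or a
# system dictionary; a deployment would use the full lists (assumption, not from the post).
DICTIONARY_WORDS = {"password", "welcome", "dragon", "monkey", "letmein", "admin"}
PROPER_NAMES = {"john", "alice", "michael"}
COMMON_ACRONYMS = {"nasa", "asap", "fbi"}
BANNED_WORDS = DICTIONARY_WORDS | PROPER_NAMES | COMMON_ACRONYMS

# Keyboard rows plus the walk the post names explicitly; each is checked forward and reversed.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890", "qazwsx"]

# Small leet-speak table so 'p@SSw0rd' normalises to 'password' before the dictionary
# check (rule 4). cracklib's own substitution set is larger; this one is illustrative.
LEET_TABLE = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                            "0": "o", "$": "s", "5": "s", "7": "t"})


def _keyboard_sequences(min_len=4):
    """All runs of at least min_len adjacent keys from each row, in both directions."""
    seqs = set()
    for row in KEYBOARD_ROWS:
        for source in (row, row[::-1]):
            for start in range(len(source) - min_len + 1):
                for end in range(start + min_len, len(source) + 1):
                    seqs.add(source[start:end])
    return seqs


KEYBOARD_SEQUENCES = _keyboard_sequences()


def _contains_banned_word(text):
    """Rule 1's test: a banned word present either forward or reversed."""
    return any(w in text or w[::-1] in text for w in BANNED_WORDS)


def check_password(password, min_length=8):
    """Return the list of rules the password breaks; an empty list means it passes."""
    violations = []
    lowered = password.lower()
    normalised = lowered.translate(LEET_TABLE)

    if len(password) < min_length:
        violations.append("length: shorter than %d characters" % min_length)

    # Rule 1: no dictionary words, proper names or acronyms, forward or reverse.
    if _contains_banned_word(lowered):
        violations.append("rule 1: contains a dictionary word, name or acronym")
    # Rule 4: the same test after undoing leet-speak substitutions.
    elif normalised != lowered and _contains_banned_word(normalised):
        violations.append("rule 4: leet-speak spelling of a dictionary word")

    # Rule 2: no keyboard walks such as qwerty, qazwsx or 54321.
    if any(seq in lowered for seq in KEYBOARD_SEQUENCES):
        violations.append("rule 2: contains a keyboard sequence")

    # Rule 3: at least one special character, one digit, one upper and one lower case letter.
    classes = {"special": r"[^A-Za-z0-9]", "digit": r"[0-9]",
               "upper": r"[A-Z]", "lower": r"[a-z]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        violations.append("rule 3: missing " + ", ".join(missing))

    return violations


if __name__ == "__main__":
    for candidate in ("p@SSw0rd", "Admin54321!", "nkeL4(b3", "correcthorsebatterystaple"):
        print(candidate, "->", check_password(candidate) or "passes")
```

The reversed-word and leet-normalised checks are the two that naive "must contain a digit and a symbol" validators skip, and they are exactly what lets 'p@SSw0rd' through such validators while a cracking dictionary still finds it.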

Re:Why? Simple bullshit is why. (1)

simplypeachy (706253) | about a month and a half ago | (#47804861)

correcthorsebatterystaple

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47806123)

thank you xkcd.org

Re:Why? Simple bullshit is why. (1)

jeffmeden (135043) | about a month and a half ago | (#47809255)

correcthorsebatterystaple

22f0ebce1cbb13f9b9ea8ad40442c1852932156c

thanks sha1sum

Re:Why? Simple bullshit is why. (1)

simplypeachy (706253) | about a month and a half ago | (#47804895)

Assuming an attacker has no knowledge of the password make-up, according to your policy the password nkeL4(b3 sits in a keyspace of around 6.1 * 10^15 combinations.

Under equal conditions the password refineddisplayparcelsuited sits in a keyspace of around 6.2 * 10^36 combinations. When I get back from my appointment this morning, I will still remember refinddisplayparcelsuited and won't have to write it on a sticky note, or save it onto the Dropbox app on my phone, which has a crappy password I use everywhere, using the file name "Work login password.txt".

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47805229)

You may remember it when you're back from your appointment, but you might not be able to type it right twice (see example).

Re:Why? Simple bullshit is why. (1)

simplypeachy (706253) | about a month and a half ago | (#47805343)

Your account has been locked out due to too many failed login attempts. Please contact your slashministrator.

Re:Why? Simple bullshit is why. (2)

WuphonsReach (684551) | about a month and a half ago | (#47806467)

Four words, strung together, can be a key space as small as 3000^4 (roughly 46 bits of entropy), especially if they are chosen from the top 3000 words in the dictionary. That's nowhere near 6.2 * 10^36.

Misspellings can help a lot and make it a lot stronger (adding maybe 3-4 bits per word). Adding spaces or punctuation between them adds maybe 1 bit per word. Random capitalization of something other than the first letter adds 2 bits per word.

Basically, if you're using English language phrases / words without any munging, you're only getting about 2 bits per character. A bit lower if it's a grammatically correct phrase (~1.5 bits/character), a bit higher if it's random words strung together (~2.3 bits/character). That puts a 26 character phrase like you provided at somewhere between 39-60 bits (and it is always better to assume the lower bound).

Most attackers will assume 2-6 words strung together, from the top N lists. So just tacking words together is not safe. Or they'll use N-grams (sort of like Markov chains, but more general) and go after the most common phrases.

In comparison, an 8-character password, chosen from a field of 64 possibles per character (6 bits) is 48 bits strong. If you managed to use one of 90 possible characters per position, that is 52 bits strong (6.5 bits/char * 8 bits).

48-52 bits is just not a lot these days, if the attacker gains access to the hashed password and can attack it offline. Minimum bits of complexity really needs to be about 64 bits (10-12 characters, fully random) to deal with offline attacks, and 80 bits of entropy is far better.

Re:Why? Simple bullshit is why. (2)

operagost (62405) | about a month and a half ago | (#47807043)

"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.

I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has no idea how much of the character set your password used until it's been cracked.

Re:Why? Simple bullshit is why. (1)

jeffmeden (135043) | about a month and a half ago | (#47809303)

"refineddisplayparcelsuited" is not a common phrase, and this isn't Master Mind where the attacker gets hints when he correctly selects part of the password.

I love how we spend so much time picking passwords that are hard for people to guess-- or remember-- when computer programs can only be written in a practical manner to try the most common dictionary words or "hunter2"-type passwords. Past that, it's all brute force whether you used "j$b01[BaP*@" or "refineddisplayparcelsuited" because the program has no idea how much of the character set your password used until it's been cracked.

Except guessing at strings of words is trivial if they are in the dictionary.

refined display parcel suited are 4 common words. I could write a tool to attack that very quickly, starting with the most common words arranged in 2,3,4 sets.

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47809947)

Not common, actually.

"Display" is beyond the 2000 common words, and the other three are not even in the common 5000 ("suite" is, but not "suited").

So this is at least log2(5000^3) ~= 49.1 bits. Throwing in trivial capitalization and spacing, this is raised by ~6-8 bits, making it on the order of a 9-character full printable ASCII random password, except this one is easy to memorize.
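The keyspace and entropy figures traded in the comments above (94^8 vs 26^26 for the two example passwords, 3000^4 for four common words, and the ~9-character equivalence) all come from the same few lines of arithmetic. Here they are as an added example, not any commenter's code: the dictionary sizes and the 94-character printable-ASCII alphabet are the assumptions the comments themselves use, and the function names are this example's own. For the record, the 49.1-bit figure is log2(5000^4), i.e. four words from a 5000-word list.

```python
"""Entropy arithmetic behind the keyspace figures in the comments above.
Added example, not any commenter's code. Dictionary sizes (3000, 5000)
and the 94-character printable-ASCII alphabet are the assumptions the
comments themselves use."""
import math

PRINTABLE_ASCII = 94   # alphabet an attacker must assume for a "random" password


def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, dictionary_size, extras_per_word=0.0):
    """Entropy of N words drawn uniformly from a D-word list, plus any per-word
    munging bonus (misspelling, separators, odd capitalisation) the attacker
    cannot predict."""
    return word_count * (math.log2(dictionary_size) + extras_per_word)


def equivalent_random_length(bits, alphabet_size=PRINTABLE_ASCII):
    """How many random characters of the given alphabet carry the same entropy."""
    return bits / math.log2(alphabet_size)


def apparent_bits(password):
    """The naive estimate: treat the string as random over whatever character
    classes it visibly uses. This is the model behind 94^8 and 26^26."""
    classes = [
        any(c.islower() for c in password) and 26,
        any(c.isupper() for c in password) and 26,
        any(c.isdigit() for c in password) and 10,
        any(not c.isalnum() for c in password) and 32,
    ]
    alphabet = sum(n for n in classes if n)
    return random_string_bits(len(password), alphabet)


def attacker_bound(password, word_count, dictionary_size, extras_per_word=0.0):
    """The figure to plan against: the smaller of the character-level estimate
    and the dictionary-words model, since the attacker picks the cheaper one."""
    return min(apparent_bits(password),
               passphrase_bits(word_count, dictionary_size, extras_per_word))


if __name__ == "__main__":
    print("nkeL4(b3 as random printable ASCII: %.1f bits (%.2g keys)"
          % (apparent_bits("nkeL4(b3"), 2 ** apparent_bits("nkeL4(b3")))
    print("refineddisplayparcelsuited as random lowercase: %.1f bits (%.2g keys)"
          % (apparent_bits("refineddisplayparcelsuited"),
             2 ** apparent_bits("refineddisplayparcelsuited")))
    print("4 words from 3000: %.1f bits" % passphrase_bits(4, 3000))
    print("4 words from 5000: %.1f bits" % passphrase_bits(4, 5000))
    print("  + ~7 bits of munging = %.1f random printable chars"
          % equivalent_random_length(passphrase_bits(4, 5000) + 7))
    print("plan against: %.1f bits" % attacker_bound("refineddisplayparcelsuited", 4, 3000))
```

The gap between apparent_bits (122 bits) and attacker_bound (46 bits) for the same passphrase is the whole argument of the thread: the first number is what the password looks like, the second is what a cracker who guesses the construction method actually has to search.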

Re:Why? Simple bullshit is why. (1)

s.petry (762400) | about a month and a half ago | (#47807341)

For posterity, it's not just the offline attack that's become a problem. There are numerous attacks that occur over huge IP ranges. If you locked the account after a few bad attempts, most users would be perpetually locked out. Hackers are now hitting an account from thousands of IP addresses to brute force. They rate-throttle to reduce detection, most connecting once every 30-60 minutes. The really stealthy attacks may have a single IP connecting once per day for 1 account; the next day the same account will be hit from a different IP, and the next day a new IP.

If you don't have a vigilant watch on log data, someone in your perimeter will be hacked in time. Some network devices (I won't give sales pitch for free) will help quite a bit, but we still manually block a whole lot of IPs that the devices miss.
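Detection logic for the pattern the comment above describes: many source addresses, each making only a handful of attempts against one account, spread over days so that per-IP counters never trip. This is an added example, not the commenter's tooling or any product's logic; the log format and the sample lines are constructed for the demonstration, and the thresholds are illustrative.

```python
"""Detection for the distributed, rate-throttled brute force described in the
comment above. Added example, not the commenter's tooling. The log line
format and SAMPLE_LOG are constructed for this demonstration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")

# Constructed sample: a typo-prone legitimate user, and 'admin' being hit by a
# new address roughly once a day for a week, never more than twice from any
# one address, so a per-IP lockout threshold of 3 would never fire.
SAMPLE_LOG = """\
2014-09-01T08:00:01Z login FAIL user=alice ip=203.0.113.5
2014-09-01T08:00:09Z login OK user=alice ip=203.0.113.5
2014-09-01T02:11:00Z login FAIL user=admin ip=198.51.100.10
2014-09-02T02:40:00Z login FAIL user=admin ip=198.51.100.23
2014-09-03T03:05:00Z login FAIL user=admin ip=192.0.2.77
2014-09-03T03:06:00Z login FAIL user=admin ip=192.0.2.77
2014-09-04T01:59:00Z login FAIL user=admin ip=198.51.100.91
2014-09-05T02:30:00Z login FAIL user=admin ip=192.0.2.14
2014-09-06T02:12:00Z login FAIL user=admin ip=203.0.113.200
2014-09-07T02:45:00Z login FAIL user=admin ip=198.51.100.150
"""


def parse(log_text):
    """Yield (timestamp, result, user, ip) tuples, skipping lines that don't match."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["ip"]


def find_distributed_bruteforce(log_text, lookback_days=7,
                                min_distinct_ips=5, max_attempts_per_ip=3):
    """Return {user: summary} for accounts whose failures in the last
    `lookback_days` came from at least `min_distinct_ips` addresses while no
    single address exceeded `max_attempts_per_ip`. That combination is the
    signature a per-IP lockout cannot see: the account is being worked, but
    every individual source stays under the threshold."""
    rows = list(parse(log_text))
    if not rows:
        return {}
    cutoff = max(r[0] for r in rows) - timedelta(days=lookback_days)

    failures = defaultdict(list)   # user -> [(ts, ip), ...]
    for ts, result, user, ip in rows:
        if result == "FAIL" and ts >= cutoff:
            failures[user].append((ts, ip))

    suspects = {}
    for user, events in failures.items():
        events.sort()
        per_ip = defaultdict(int)
        for _, ip in events:
            per_ip[ip] += 1
        distinct, busiest = len(per_ip), max(per_ip.values())
        if distinct >= min_distinct_ips and busiest <= max_attempts_per_ip:
            span = events[-1][0] - events[0][0]
            suspects[user] = {
                "failures": len(events),
                "distinct_ips": distinct,
                "max_per_ip": busiest,
                "span_hours": round(span.total_seconds() / 3600, 1),
            }
    return suspects


if __name__ == "__main__":
    for user, summary in find_distributed_bruteforce(SAMPLE_LOG).items():
        print(user, summary)
```

The aggregation key is the account, not the source address, which is the point: with the sample data a per-IP view sees nothing worse than two failures from one address, while the per-account view shows eight failures from seven addresses over six days. Shrinking lookback_days to 2 makes the same attack disappear, which is why the lookback for this detection has to be measured in days, not minutes.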

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47808855)

Most attackers will assume 2-6 words strung together, from the top N lists.

No they won't.

Stat is very wrong.. (1)

s.petry (762400) | about a month and a half ago | (#47807165)

I'm not sure you ever tried to write a brute force tool, let alone run one. I'm not saying your method is horrible, but it is nowhere near as secure as you think. The actual strength is (dictionary_words)^4. The statistic you gave is not even accurate as a 26 character randomized password, which would be 26^26 (given that you are only using lower case letters). Your strength statistic is absolutely wrong.

There are many ways to make strong passwords. If you want to use words like that, mixing in what I gave as required makes a huge difference. 'R3defined?display/Parcel5suiteD' makes a massive difference to your 4 words. I can't use a dictionary alone to break it, I have to use brute force methods.

I personally prefer a math/programming method of making passwords. '21Y=acos[n-1]' for example is going to be a nasty amount of effort for someone to break. 'Fling[p00,u]' is another, and if you want to make it harder in your passwords change one of the brackets/parenthesis to an alternate. E.G. '{N-33]=Pi*qq'.

Some people prefer phrases and transformation. 'Mary had a little lamb, its fleece was white as snow' would be 'Mhall,ifwwas' which again is not using dictionary words and is going to be hard to break.

Stringing 4 words is not 'bad', because you are making it harder for a hacker than 'password1'. Being more secure than that person is what has kept your password safe, not the method of construction you gave here. Well, that and the fact that people shut down brute force attacks when they are detected normally.

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47806043)

Your rules are wrong, they actually reduce entropy and make the passwords easier to crack.

I won't run through the math with you, but anytime you reduce the number of characters that can be used in a given position, you've reduced entropy.

These "secure" rules are nothing but a CIA/NSA ploy to weaken passwords worldwide, and it's working.

oh that's rich, getting "logged" for captcha when using CIA and/or NSA in post.

Re:Why? Simple bullshit is why. (0)

Anonymous Coward | about a month and a half ago | (#47806415)

I would love to use untypeable characters, which would render brute force hacking nearly impossible, but a majority of software (routers, websites, etc) choke on them. I've encountered many cases where my password will actually be accepted when chosen, but then when I try to log in with it, it won't be accepted, leaving me locked out.

Re:Why? Simple bullshit is why. (1)

Jawnn (445279) | about a month and a half ago | (#47806483)

I would agree that brute-force attacks are hardly news. The door-rattlers have always been there, but the news that over a billion user accounts, that is working credentials that grant access to something, are in the hands of organized criminals, is something else again. The wave of snowshoe spam we've seen over the last few weeks lines up nicely with that news, and our analysis is that compromised user accounts on a widespread assortment of services/hosts appear to be a fundamental part of the campaign. That is news. If we use our imagination a bit, that same trove of credentials could be used for other purposes as well. Owning some accounts with one or more services like namecheap.com would be a very useful tool. I'm glad that namecheap has been as forthcoming as they have been vigilant.

Re:Larger Implications? (1)

jeffmeden (135043) | about a month and a half ago | (#47808321)

It's simple, get control of a domain and you can redirect all email. Redirect all email and you can reset passwords without needing to ever worry about the actual mailbox password (which is probably stronger than the registrar password but obviously is just as important).

Exhibit A, in which this exact scenario happened:
https://medium.com/p/24eb09e02... [medium.com]

The Start (0)

Herkum01 (592704) | about a month and a half ago | (#47803625)

Does this mean we are approaching a preemptive strike from Russia? We always hear about our infrastructure being compromised via the internet, I guess a war with Russia is a good way to find out!

The Start (0)

Anonymous Coward | about a month and a half ago | (#47805327)

safer would be to cut routing to/from Russia. And like in 2001 threaten all countries to do the same or be treated like terrorists (and have also cut access to US+allied internet resources).

A Strange Thing (-1)

Anonymous Coward | about a month and a half ago | (#47803633)

All the "notables" filling iCloud with gay porn and gay child porn and variations on those themes.

A strange thing.

Idiot...luggage (1)

jtownatpunk.net (245670) | about a month and a half ago | (#47803725)

I'm watching Spaceballs right now so I'm really getting a kick out of this story.

many sites still dumb (3, Interesting)

jmccue (834797) | about a month and a half ago | (#47803753)

I decided why not change the passwords, been a while anyway, 2 of the 3 sites I care about still do not allow what they call 'special characters' (!@# - etc). In this day and age I would think those restrictions would be lifted. One day I will try UTF-8 or UNICODE characters and watch the fireworks at the sites. I do not do on-line banking and I have no incentive to start after seeing some finance sites will only accept US English letters and numbers for PWs.

Re:many sites still dumb (2)

heezer7 (708308) | about a month and a half ago | (#47803769)

Hell, financial sites like ETrade and Charles Schwab still have limitations like this as well.

Re:many sites still dumb (1)

martin-boundary (547041) | about a month and a half ago | (#47804225)

That's not a real problem, though. For every special character, just type out its name in English at the point where you would use it. You'll get a longer password, therefore stronger, without special characters. The real problem is when a site limits the total length of a password.

Re:many sites still dumb (1)

simplypeachy (706253) | about a month and a half ago | (#47804867)

But it's special characters! It MUST mean the password is more secure! Wait, you're also saying that using "seventysix" is more secure than "76"? Goodness gracious, man, what is wrong with you? Did you use that "mathematics" thing again?

Re:many sites still dumb (0)

Anonymous Coward | about a month and a half ago | (#47804655)

Did you check that some websites actually do not strip the special characters, and/or trim a password they consider too long, silently? I've had this happen to me once or twice...

Re:many sites still dumb (0)

Anonymous Coward | about a month and a half ago | (#47804711)

Didn't Linux (because of bad habits it got from Unix) do that past 8 characters up until a few years ago?

Re:many sites still dumb (1)

dargaud (518470) | about a month and a half ago | (#47805185)

Ha, for years my bank website used 4-digit pins as passwords... Fortunately that changed. After a major break-in I assume.

Re:many sites still dumb (2)

weszz (710261) | about a month and a half ago | (#47805919)

my bank went from unlimited characters to 10 with no special characters...

Took me so long to figure out why I couldn't change my password... Thought there is no way this isn't complex enough... turns out I had to trim 6 characters off it and remove the symbols and such... made for a sad day.

Their response was that it didn't matter because a brute force attack would be locked out long before it could try the other characters.

Much higher than normal != related to 1.2 billion (1)

zedaroca (3630525) | about a month and a half ago | (#47803881)

A domain registrar with roughly 3 million domains [wikipedia.org] having a lot of traffic is not a sign that the not so credible 1.2 billion accounts stolen are being used (about the credibility of the claim: The Russian 'hack of the century' doesn't add up [theverge.com] and Hold Security Backlash [theregister.co.uk] ).

Maybe someone stole 15 million accounts and are trying them out (way less than 1200 million and way more than normal on their website).

Hahaha (1)

X.25 (255792) | about a month and a half ago | (#47804663)

Of course, it could not have been any of the thousand brute force attacks that are happening every day.

No.

It was a brute force attack by bad baby eating state sponsored Russian hackers, specifically using the imaginary end-of-the-world password list.

Of course, neither the "1.2 billion passwords" list, nor the "they're using it against Namecheap" events were/are cheap advertising.

Nope.

Re:Hahaha (1)

wonkey_monkey (2592601) | about a month and a half ago | (#47804845)

It was a brute force attack by bad baby eating state sponsored Russian hackers

That is a very bad baby.

Did they already catch them then? (2)

dutchwhizzman (817898) | about a month and a half ago | (#47804683)

Why would these "Russian criminals" be the ones behind this attack? Sure, some company used the argument that there seems to be a list of over 1 billion accounts floating around on the internet to sell their services some time ago. It may even be that this list was found for sale on a Russian market place. It may even be that there are actual Russians selling this list. The accounts could even be mostly real, although probably most of it will be relatively dated.

But why would that same group of people that are actively selling this list be the same group that is using it? It makes much more sense that some group that bought part of this list, or bought some other list, or has their own trojan to steal passwords is now attacking namecheap. Unless there is substantial evidence that the same group is behind it, this is just FUD and sensationalism.

Namecheap is under attack with what's most likely a brute force list with accounts that were compromised in some yet unknown way. I think those are the facts and the rest is purely speculation.

If I had a billion credentials, (1)

robbo (4388) | about a month and a half ago | (#47804731)

for sure the first site I'd attack is obscure registrar namecheap...

YPROU FAIL IT! (-1)

Anonymous Coward | about a month and a half ago | (#47804931)

coming a piSs

stop BGP with Russia (0)

Anonymous Coward | about a month and a half ago | (#47805243)

I wonder when someone finally gets to stops routing BGP with Russia.
Not as "hacking prevention" but as "military defence", as Russian mercenaries fight with whoever the Kremlin tells them to.

So why do the USA/NATO/EU not stop internet traffic with Russia and threaten to block the countries that try to provide net access to Russia?
+ This would be also more effective than puny sanctions that USA and EU imposed so far.
+ The cost for US/EU would be low, cost for Russia - more painful.
+ This would produce some discontent in Russian society
+ This would reduce hacking attacks and spam by 50% globally

Should have used the Kaje Password service! (0)

garyebickford (222422) | about a month and a half ago | (#47805639)

[shameless plug, but apropos] - my company's Kaje Picture Passwords for the Web [ka.je] would have prevented these attacks almost completely. (I say "almost" because, well, "never say never".) We published a press release about this two weeks ago: Bright Plaza offers “Kaje” Website Security Solution to Russian Hacker Password Breach [prweb.com] . Using Kaje, the password is no longer stored on the website so these breaches could not have exposed the passwords. Kaje never knows anything about the user other than the anonymous ID sent by the website.

Had all those websites been using Kaje, these breaches would not have resulted in the huge potential liability and recovery costs that so many businesses will be facing. From Sony a few years ago to Target and EBay recently, and now this Russian thing, password breaches are causing billions of dollars in damages, often borne by website owners - in some cases thousands of dollars per user. Health care and financial services websites are particularly subject to financial penalties from regulatory bodies as well as civil litigation. In comparison, the Kaje service costs fractions of a cent per use for large users.

A Picture Password, which was demonstrated to be easier to use and more secure than text passwords by NIST as early as 2003 [nist.gov] (using an earlier, less secure methodology), is more difficult to crack as well as resistant to man-in-the-middle attacks. The Kaje service has an HTTPS RESTful API, is compatible with OpenID, SAML, and other SSO systems, and plugins are available for Drupal and WordPress with others coming soon. Using Kaje basically requires SSL, one or two additional columns for the anonymous ID sent to Kaje by the website. The first 10,000 uses are free, so smaller websites can use it for years without paying anything, while larger ones can try it out, do testing and prototyping with no cost or obligation.

If anyone is interested, check out Kaje [ka.je] or contact me through the website. We're looking for both website (customers) and web services (hosting, CMS vendors, developers), who can apply to be Kaje Affiliates and receive a commission from us by offering discounts to their customers.

wut (2)

drinkypoo (153816) | about a month and a half ago | (#47805725)

Now is a good time to check that none of your important accounts share passwords.

No, now is a terrible time to check for that. You should not have to check.

Shun traffic... (0)

Anonymous Coward | about a month and a half ago | (#47805833)

Where are these "hacking attempts" originating? From Russia? From zombied machines/bots scattered all over the world? If they're coming from specific countries from which no legit traffic should be originating-- BLOCK IT. Sophos UTM (and others) has the ability to block traffic by country. You're damn skippy I block traffic from China and various eastern European countries known to be sources of attacks-- also monitor those logs to see what's going on....

You know... (1)

BringsApples (3418089) | about a month and a half ago | (#47806101)

...I don't understand why this is so difficult. If I go to youtube, from my PC at home, I am handed a suggestion-list based on past videos browsed (if I use my work PC then I get handed different suggestions). If I change some stuff in my browser (firefox add-ons or the like) then I notice that youtube's suggestions change, but soon learn that it's my PC and eventually suggest the same videos as before (even if I have not looked at those videos since the change). So it seems to me that it's very possible (for the site owner) to use a combination of user/pass with browser recognition in order to validate a user.

And if you think it'd be too much for anyone to develop, then you're not thinking of personalized ads.

Cut the cables. (0)

Anonymous Coward | about a month and a half ago | (#47806897)

Nothing good ever comes from anywhere East of the Rhine. They're gangsters and peasants. Block it all. Firewall it.

Why is it always the Russians? (0)

Anonymous Coward | about a month and a half ago | (#47807419)

Ok, "always" is an exaggeration. BUT,

Although Russians are only 2% of the world's population, after reading about countless security breaches over the past 10 years, it seems like 50% of the crackers and black-hats are Russian.

Why? Is there something about 21st-century Russian culture that tends to produce unethical behavior?
