top | item 8254063

Urgent security warning that may affect all internet users

207 points| mazsa | 11 years ago |community.namecheap.com | reply

116 comments

[+] orofino|11 years ago|reply
The question for us, as technologists, is what are we doing about this?

2FA is nice, but not the end all, be all. OAuth has largely failed to gain any reasonable traction. Using Facebook login means Facebook gets to track me as I move around the web.

Our users reuse passwords, primarily due to the proliferation of dozens or often hundreds of online accounts that a single individual has. We can't expect people to use password managers (they're complicated and then centralize everything into a single point of failure). Forcing people to use crazy passwords just results in weaker passwords.

I was hopeful that something like persona from Mozilla would catch on, but that has failed. Where are we with replacing the password? It is flawed technology.

On top of this we have the compounding factor that our systems are more complicated than ever and it appears that they're simply impossible to secure. Too many layers exist with too much code. Many sites just don't even bother with hashing passwords, meaning those of us that care are just kind of throwing our hands up and saying "well it wasn't my site that was compromised, so it isn't my fault". All the while, bad guys walk in the front door because we've decided to ignore the reality of the situation.

I know I'm not providing a constructive alternative here, but I'm a bit ashamed that we've even let it get this far. We're failing those that rely on our systems. I don't have the answer, but would love to hear some ideas about what can be done.

[+] drewcrawford|11 years ago|reply
> Where are we with replacing the password?

The state of the art of the technology, in my opinion, is GRC's SQRL: https://www.grc.com/sqrl/sqrl.htm

However I think you have captured something essential in the idea that Mozilla Persona "failed to catch on", and it wasn't, as far as I can tell, for technical reasons.

The real problem is that any change from the username/password system has a cost (in programmer hours, and support retraining, etc.) and so long as "nothing is broken" it is hard to justify diverting funds from features that are customer-visible to providing a defense against an attack that is arguably the user's fault anyway (password re-use).

To me this issue is sort of a monument to the strange insincere lipservice we pay to technology and technologists. Of course technology is business-critical and of course we work to hire the best and brightest, etc. But somehow organizations keep storing passwords in plain text in spite of the fact that engineers who work there know better.

[+] droopyEyelids|11 years ago|reply
I advocate for the use of password managers.

I've bought 1Password for everyone in my family, and nagged them into using it. I counsel people online to do the same, or use keepassx, or last pass.

It's not effortless security, that's for sure. In a perfect world we would have a better system than passwords. But we live in a world of compromises, and I feel it's presently the wisest course of action.

https://lastpass.com https://agilebytes.com

keepass or keepassx should be googled.

[+] jacquesm|11 years ago|reply
It would be a great start if sites that don't actually require an account to get the job done would stop asking you to create one. For instance, most e-commerce transactions where you buy a single item still require you to register with the store. That's like having a loyalty card forced upon you because you tank gas somewhere.

Usually I just want to buy the item, not become 'a member'.

[+] porker|11 years ago|reply
> I was hopeful that something like persona from Mozilla would catch on, but that has failed.

I talked with two people from Mozilla at a conference in February and was disappointed (though not altogether surprised) to discover they couldn't articulate the compelling reason why someone would move to using Persona. For something to go mainstream, the marketing, positioning and ease-of-use are crucial. They had no answers other than 'privacy' and 'ease of use' -- which while valid, aren't going to convince my aunt & uncle to adopt something new. Until they've been hacked, scammed and otherwise suffered pain.

[+] csacc|11 years ago|reply
Just throwing this out there but when signing up for sites while using Safari, Apple gives me the option of using a (Apple generated) random password that is stored to my keychain and synced to my iCloud account. This means both of my MacBooks, my iPhone, and my iPad all have access to these sites with no effort on my part (I never could remember my passwords) while also being random and secure(-ish?).

All that is needed is a service (Microsoft, Google, Apple, Facebook) that you trust as your password manager and is integrated either with the sites you browse or the browser you use.

Having read Apple's iOS security document (http://www.apple.com/ipad/business/docs/iOS_Security_Feb14.p...) I have just the right combination of convenience, ease of use, and feeling secure with their services to use keychain for most of my password needs.

[+] logn|11 years ago|reply
> Where are we with replacing the password?

What about you load a site, get an HTTP 401 response, your browser sends back an auth header with a password generated for that domain name, based on some secret global key/password. Then in response, most sites would set a cookie. To change the password, you could have a second header that has the new password, along with the original. No usernames needed. The browsers would have a global password for cases of shared computers. Log out buttons on sites just remove the cookie. Or without cookies, just have the browser send the auth header each time until a native log out button is pressed.

[+] bambax|11 years ago|reply
All the security measures usually presented (including here) are completely unrealistic - no one can use different, complex passwords on every site we log into, and then change them every month!

The only way to do this would be to use a password manager in a SaaS mode... and if it gets cracked then you're completely doomed and lose all access to all services.

People probably assume that the time saved by not caring about security is greater than the time they will lose if (when) they're attacked, and they may be right.

[+] nevir|11 years ago|reply
We need to move past passwords.
[+] tomelders|11 years ago|reply
I don't think there's anything wrong with user-names and passwords in concept. It's familiar to users and easy to implement. Users need to create better passwords and we need to help them do it.

Don't impose any restrictions on what the password should be, e.g. "Must not contain any special chars. Must contain a number..."

Use the word "pass phrase" instead of "password". Encourage people to use memorable phrases and quotes as their pass phrase. The English language has approx. 250,000 words. If a pass phrase contains 4 words, that's 1.62764322e+20 permutations. That's a naive view since "habit osteopath circumference telephone" isn't a particularly memorable password. With this in mind, you could use statistics to reduce the number of permutations, but that's no small feat.

Use email addresses instead of user-names.

Finally, use Bcrypt.

[+] ted0|11 years ago|reply
Hey all, Teddy from Namecheap here. Happy to answer any questions here or at [email protected].

As always, we advise turning on 2-factor authentication on your account.

[+] lobster_johnson|11 years ago|reply
OT, but why is it that providers like Namecheap implement 2FA but not organizational team support?

If I set up 2FA, only my device can log in. If I become unavailable for some reason, none of my team members can access the account. The only way to do this is for all team members to do the 2FA setup at the same time, which I believe will seed the generator so that they will all produce the same sequence of tokens. But that's just unacceptable. It's like renting an office and only getting a single key.

I find it amazing that in this day and age, most providers still conflate the concepts of "login" and "account". I log into an account; that login is a set of credentials giving me access, but one account obviously must support multiple logins.

Without a clean separation, you turn employees into single points of failure. Shared account credentials are a potential security risk. And it makes it harder to lock out employees who leave the company once given access. And of course, it makes auditing harder because you just have the IP.

Most providers make this mistake: Among DNS providers, I use Gandi, EasyDNS and iWantMyName, all set up like this. Cloud-oriented providers like Digital Ocean and Mailgun, same problem. AWS does the right thing.

[+] stevenh|11 years ago|reply
To save time for those hunting for this on Namecheap:

1. Log in

2. Click "Menu" (in the top right portion of the page)

3. Expand the "My Account" submenu (if it didn't already automatically expand when the menu appeared)

4. Click "Manage Profile" (5th from the bottom of the "My Account" submenu)

5. On the next page that appears, look for "Two Factor Authentication" on the left side under "Personal Settings"

[+] jtheory|11 years ago|reply
Excellent, thanks!

I have been using 2FA on NameCheap since you added the feature, but it's one of the more annoying implementations -- compare to Google's 2FA setup, for example. There I have to jump through the hoop of getting an SMS once a month (and verify my password a bit more frequently).

For NameCheap, it's every single time I log in, which translates to every single time I need to do or check something in my account.

This is probably only a minor annoyance for most of your customers; for me it sometimes means I can't sign in. I live in an area with fairly poor mobile coverage, so internet access & ability to receive an SMS do not always coincide. I'm also not tied to my mobile, so I may need to go find it where it's charging downstairs (or plug it in if it's dead) before I can continue.

I'd really appreciate either the option of a code generator (Google Authenticator, Authy, etc.), or a longer "remember-me" time -- it's rather more likely that my phone would be stolen than my laptop... so letting the laptop I've just double-authenticated be a "thing I have" is perfectly valid.

[+] rafaelm|11 years ago|reply
Unfortunately, your 2FA is unusable for me. I have pretty bad cell phone reception in my home and cannot receive the SMS messages. Also, it's unusable for anyone that travels outside their home country and cannot receive SMS messages.

We've been waiting for ages for another 2FA option from Namecheap, either Authy or Google Auth. Now I'm just registering my domains elsewhere and when my Namecheap domains come up for renewal I'm just transferring out.

[+] kevinyank|11 years ago|reply
Hi Teddy!

I’m curious what evidence you have that ties these login attempts to the CyberVor (1.2bn) hacked credentials database specifically?

Given that (to my knowledge) none of the data from this database has yet been leaked publicly, couldn’t the credentials being used for these attacks be coming just as easily from any number of sources, or previously-disclosed databases (Adobe, LinkedIn, Forbes, etc.)?

Just trying to distinguish “what we know” from “what we suspect”, here. Thanks!

[+] e12e|11 years ago|reply
Hi, did you turn on (or can you) selective forensic logging from the IP addresses you believe are attacking, logging username/password pairs? AFAIK the list in question isn't public, it would be nice to see if there was a pattern (to uids and/or uid:password pairs) -- that might be turned into an IDS rule? (failed login for user: alfa, followed by user beta, followed by... -> block/flag originating ip etc)
[+] kbar13|11 years ago|reply
two factor authentication via SMS is the biggest waste of time. It's not true two factor authentication as you need to depend on the network and protocol between namecheap and my phone. Not to mention the code is probably not originating from a namecheap server but from a third party service.

TOTP is a standard, it's great, there are open source implementations, and it's easy to integrate. Google even has that pam module. Use it.

[+] jdong|11 years ago|reply
Why did you have to bring up the specific "CyberVor" incident that has been called out as bullshit by several people in the security industry?
[+] antr|11 years ago|reply
Teddy, I'm a Namecheap user (over 30 domains and a bunch of SSLs) and what really concerns me is that I find out about this security issue via hacker news, instead of being sent an email. This is not how you communicate with customers when these types of security issues arise.
[+] Negitivefrags|11 years ago|reply
As someone who runs an online game we find that a huge percentage of our users arrive pre-compromised.

Vast quantities of people wander around from site to site using the same email/password combo that has been compromised a long time ago.

We do a GeoIP check now and send an email with an unlock code any time someone logs in from a different city than last time. This reduced the account compromise problem significantly. Most of these pre-compromised people have a different password on their email at least.
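The two detections discussed in this part of the thread, the IDS rule e12e sketches (one IP failing against alfa, then beta, then gamma ...) and the city-change check Negitivefrags describes, run over a constructed sample log as an added example that is not from the thread or from either site. The `key=value` log format, the thresholds, and the `city=` field (standing in for a GeoIP lookup done upstream) are assumptions; the addresses are RFC 5737 documentation ranges.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, List, Set, Tuple

# Constructed sample log in a made-up key=value format. 203.0.113.9 walks a
# username list and gets one hit; 198.51.100.4 is one user mistyping twice.
SAMPLE_LOG = """\
2014-09-01T12:00:00Z ip=203.0.113.9 user=alfa city=Berlin result=fail
2014-09-01T12:00:01Z ip=203.0.113.9 user=beta city=Berlin result=fail
2014-09-01T12:00:02Z ip=203.0.113.9 user=gamma city=Berlin result=fail
2014-09-01T12:00:03Z ip=203.0.113.9 user=delta city=Berlin result=fail
2014-09-01T12:00:04Z ip=203.0.113.9 user=epsilon city=Berlin result=ok
2014-09-01T12:00:10Z ip=198.51.100.4 user=alfa city=Lisbon result=fail
2014-09-01T12:00:40Z ip=198.51.100.4 user=alfa city=Lisbon result=fail
2014-09-01T12:00:50Z ip=198.51.100.4 user=alfa city=Lisbon result=ok
2014-09-01T13:00:00Z ip=192.0.2.77 user=epsilon city=Lisbon result=ok
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) "
                     r"city=(?P<city>\S+) result=(?P<result>ok|fail)$")


def parse(log: str) -> List[Dict]:
    """Turn log lines into event dicts with a timezone-aware datetime under 'ts'."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production parser would count unparseable lines
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(e)
    return events


def stuffing_sources(events: List[Dict], distinct_users: int = 4,
                     window_seconds: int = 60) -> Set[str]:
    """IPs that fail against at least distinct_users different usernames inside a sliding window.

    One person mistyping their own password repeatedly never trips this; an IP
    replaying a leaked list against many usernames does.
    """
    recent = defaultdict(deque)  # ip -> (ts, user) failures still inside the window
    flagged = set()
    for e in events:
        if e["result"] != "fail":
            continue
        q = recent[e["ip"]]
        q.append((e["ts"], e["user"]))
        while (e["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len({user for _, user in q}) >= distinct_users:
            flagged.add(e["ip"])
    return flagged


def successes_from(events: List[Dict], suspect_ips: Set[str]) -> List[Tuple[str, str]]:
    """(user, ip) for logins that succeeded from an IP flagged as a stuffing source."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "ok" and e["ip"] in suspect_ips]


def city_changes(events: List[Dict]) -> List[Tuple[str, str, str]]:
    """(user, previous_city, new_city) whenever a successful login comes from a new city.

    This is the trigger for the 'send an unlock code to the mailbox' step.
    """
    last_city = {}
    alerts = []
    for e in events:
        if e["result"] != "ok":
            continue
        prev = last_city.get(e["user"])
        if prev is not None and prev != e["city"]:
            alerts.append((e["user"], prev, e["city"]))
        last_city[e["user"]] = e["city"]
    return alerts
```

The two rules cover different gaps: the stuffing rule catches the source while it is still failing, and a success from a flagged IP is the account to lock first; the city rule catches the case where the attacker's first try succeeds and there is nothing to rate-limit.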

[+] SomeCallMeTim|11 years ago|reply
As someone who plays online games, I get really, really annoyed when I'm forced to create a password to log in.

ALL non-secure online sites that need to identify users should allow for Google or Facebook authentication, or I will never try to access the game from my phone or tablet.

I refuse to use the same password everywhere, but that means I have a password vault on my computer. If I need to create a password and I'm on my phone, I simply click "close" (and uninstall if necessary). I sympathize with those "precompromised accounts," given that it's such a user interface failure (not to mention arrogant) to require a new password for every single little service/game/whatever.

OTOH, if I can "login with Google" and/or Facebook, both of those are already authenticated on my phone, and through the magic of OAUTH I can securely connect to your game without needing to generate a password. Certainly having the OPTION to create a password is fine; there will be people who hate Google/Facebook/whatever and who won't use them. But not having the option is an instant fail for me.

Not saying you're doing it wrong, since I don't know what game you're talking about, but I've certainly encountered many games that have no OAUTH options.

[+] junto|11 years ago|reply
Funnily enough there was a HN post yesterday that looked like a phishing attempt on namecheap accounts:

  Gift HN: Unused domain 'appstores.io' with ~11 months registration left

  Post your namecheap username and I'll pick someone at
  random in 24 hours and push it to the winner.
https://news.ycombinator.com/item?id=8250981

Maybe it was genuine, but if I had posted my Namecheap account name there, I think I'd want it deleted now.

[+] diafygi|11 years ago|reply
> The group behind this is using the stored usernames and passwords to simulate a web browser login through fake browser software. This software simulates the actual login process a user would use if they are using Firefox/Safari/Chrome to access their Namecheap account.

So basically PhantomJS? Or is it more sophisticated than that?

Also, this might actually let me see if I'm in the list, since I will get an unsolicited 2FA text if they try my account.

[+] Mandatum|11 years ago|reply
It's likely just a multi-instance setup of Hydra or wfuzz, PhantomJS would have too much overhead.
[+] saosebastiao|11 years ago|reply
I've seen a huge uptick in spam email the last few days, and although I have no indication that I've been hacked, I feel as though I should probably fear for the worst and aggressively change all my passwords from their current kindergarten security levels. Is there a widely accessible, secure, multi platform, free/libre password manager that is recommendable as easy to use? I reuse passwords because its easy to remember, and I'm hoping there is something out there that is light years better than those I found the last time I tried (2007).
[+] reitanqild|11 years ago|reply
I've used Keepass for a few years. Takes a little setup (2 plugins I think) to get form filling on web pages.

I also use lastpass.com for most of my stuff. While not libre it is free and multiplatform. (I still pay to get mobile sync.)

[+] quoiquoi|11 years ago|reply
Why not use your browsers' password manager?
[+] coldpie|11 years ago|reply
Keepass is what you want.
[+] morgante|11 years ago|reply
This is a good reminder that we all need to encourage our friends, family, and colleagues to not use the same password everywhere. Almost all of them currently do.

The best solution I've found thus far is getting them to use 1Password or the like. They still only have to remember 1 password, and the browser extensions make it trivial to log in different places. If necessary, buy them the software.

[+] scoot|11 years ago|reply
It seems like an API to check compromised account / password combinations against a database of breached accounts could be useful.

Websites could check users aren't reusing a compromised password either at account creation, or as a one-time check as existing user log in.

[+] scoot|11 years ago|reply
If you disagree, please reply with why. Save the downvotes for spam, trolls, jokes, memes and genuinely off-topic comments.

The concept of securely checking the hash of a chosen password against a database of known compromised credentials hosted by a trusted 3rd party seems like a reasonable additional layer of security to me. I'd love to hear counter-arguments.
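One way to build the check scoot proposes without handing the third party your users' password hashes, as an added example that is not from the thread: the client sends only the first five hex digits of the SHA-1, the server returns every suffix in that bucket, and the match happens locally. This is the range-query design the Have I Been Pwned Pwned Passwords service later adopted; the corpus, counts and function names here are constructed for the example.

```python
import hashlib
from collections import Counter, defaultdict
from typing import Callable, Dict, List, Tuple

# Constructed breach corpus standing in for the third party's database; the
# passwords and counts are made up for this example.
BREACHED = Counter({
    "password123": 50000,
    "qwerty": 30000,
    "letmein": 12000,
    "habit osteopath circumference telephone": 1,
})

PREFIX_LEN = 5  # 20 of the 160 SHA-1 bits leave the client; the rest never do
HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(corpus: Counter) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: bucket every breached hash by its first PREFIX_LEN hex digits."""
    index = defaultdict(list)
    for password, count in corpus.items():
        digest = sha1_hex(password)
        index[digest[:PREFIX_LEN]].append((digest[PREFIX_LEN:], count))
    return index


INDEX = build_index(BREACHED)


def range_query(prefix: str) -> str:
    """Server side: return the whole bucket as 'SUFFIX:COUNT' lines.

    The server sees only the prefix, so it cannot tell which hash in the
    bucket (or which password) the client is interested in.
    """
    if len(prefix) != PREFIX_LEN or not set(prefix) <= HEX:
        raise ValueError("prefix must be %d uppercase hex digits" % PREFIX_LEN)
    return "\n".join("%s:%d" % (suffix, count)
                     for suffix, count in sorted(INDEX.get(prefix, [])))


def breach_count(password: str, query: Callable[[str], str] = range_query) -> int:
    """Client side: hash locally, fetch the bucket, match the suffix without revealing it.

    Returns how many times the password appeared in breaches, or 0 if unseen.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    for line in query(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0
```

With a real corpus of hundreds of millions of hashes each 5-digit prefix covers hundreds of entries, which is what gives the client its anonymity; with this toy corpus the buckets are tiny and the property does not hold, so treat the code as the protocol shape, not as a privacy measurement. A site would reject a password at signup when `breach_count` is non-zero and, for existing accounts, prompt a reset on the next successful login.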

[+] MarkMc|11 years ago|reply
For sensitive sites like this, users should not be given the option to use the same username/password as other websites: The username should be issued by the site in the form Sally379687 or Fred965912
[+] foxylad|11 years ago|reply
What Namecheap do is better - two-factor authentication. usernames are not meant to be secret, and forcing users to look up a username as well as a password is going to be annoying.

Off-topic, I switched to Namecheap (from GoDaddy) a couple of years ago, and have been impressed. Things like two-factor auth and being aware of and publicising this attack are all signs of a good corporate citizen doing things right.

[+] lotsofcows|11 years ago|reply
Define "sensitive site". Any email provider, if it's your main email account would qualify as very sensitive. However, people also have myriad junk accounts. As soon as you start to enforce this sort of thing you limit who's going to sign up.

I've got accounts with two brokers. One has good tools which I can use with simulated ledgers but won't manage SIPPs. It has a crap password which I can remember and bang in whenever I want to check performance. The other's password is in KeePass and requires a small but significant effort to access. You could argue that the former doesn't want my "business" but if they started handling SIPPs or if I start doing some speculation I'd convert instantly. Is my low level leeching worth an instant convert?

[+] elithrar|11 years ago|reply
Then people are just likely to write it down, or forget it, etc. Need to provide for humans too :)
[+] Gustomaximus|11 years ago|reply
The way I have organised is to have 5 varying levels. This limits the volume of passwords I have to recall whilst maintaining variety. While there is still opportunity for cross-use if one is hacked it does create breakage points from areas more likely to be hacked and avoids a single point of failure. It's structured something like this:

1) Random sign-ups.

2) Slightly personal information e.g. Hackernews

3) Personal or slightly financial: e.g. mail accounts

4) Financial: e.g. Banking/Share trading

5) Work accounts

I've been wondering if I should expand this to have the same as above but bring in a component of the URL into the password to create variance for all but keeping it easy to remember. Does that seem a good method or do people have better systems?

[+] yuvadam|11 years ago|reply
Hyperbole much? WTF is this "urgent"? How might this affect "all internet users"?

A hacker group is trying dictionary attacks. Wow.

Flagged.

[+] SomeCallMeTim|11 years ago|reply
What you're saying is factually incorrect.

A hacker group has accumulated thousands (millions?) of email+password pairs. Anyone who uses the same password on all sites could be compromised, even if their password is 16 characters and random (i.e., immune to dictionary attacks).

[+] zrm|11 years ago|reply
> WTF is this "urgent"? How might this affect "all internet users"?

Suppose you have a domain registered with Namecheap (or really anyone). You've reused your password and the attackers get into your account at the registrar. What does that get them?

First they change the MX record for your domain. Immediately they're receiving all your email. Now that they control your email they can get a domain-validated certificate for your domain. Then they can change all your other DNS records to point at their servers and operate them with valid TLS certificates and MITM all the connections to your real servers. Then they can collect all the credentials of users using your website including the administrative credentials that allow them to compromise your real servers. Now they have all your data and your users' data and your password database and your website is hosting malware.

There are very few things more compromising to large numbers of people than attackers quietly getting control of multiple legitimate active domains.