Snap: Hacked! posted by KondoR
  • kvn
    +2

    lol, on another note, as a person who knows how to hack into others' accounts, here's a fun tip on how to not get hacked by some indian like this guy:

    1. use a different password for every account that uses the same e-mail address (this is THE way of never getting hacked)

    2. the password must have more than 4 numbers, and cannot be something common like 1234, more so something like 4827 (having a strong password means you can't get brute-forced if you don't use the same passwords)

    remember guys, most hackers just feed your e-mail address and run it through a bunch of unprotected sites' sql databases to check for your passwords, and that's how they hack you. as long as you don't use the same password for any account, and all your passwords are very "strong", you'll be in the clear

    • 0x536e61707a75 (edited 8 years ago)
      +3

      password must have more than 4 numbers

      Why should it have more than 4 numbers? An alphanumeric passphrase with 4 numbers or less can be secure given enough entropy.

      EDIT: Also, things like PBKDF2 + unique salts + hashing reduce the attack vectors and increase the amount of time required to carry out such attacks.
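An added illustration of the two points made in this thread (kvn's point that a leaked table of reused passwords is what gets people "hacked", and the PBKDF2 + unique salt remark above); this is example code written for this page, not code from any commenter, and the credential table in it is constructed sample data:

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample credentials: alice and bob reused one password, carol did not.
SAMPLE_CREDENTIALS = [
    ("alice@example.com", "correct horse battery staple"),
    ("bob@example.com", "correct horse battery staple"),
    ("carol@example.com", "unique-and-long-passphrase-42"),
]


def unsalted_sha256(password: str) -> str:
    """Weak storage: fast, unsalted hash. Equal passwords give equal hashes."""
    return hashlib.sha256(password.encode()).hexdigest()


def pbkdf2_record(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> dict:
    """Stronger storage: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    if salt is None:
        salt = os.urandom(16)  # unique per record, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": dk.hex()}


def verify(password: str, record: dict) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def reused_password_groups(hashes: list) -> int:
    """Count hash values that occur more than once in a leaked table.
    With unsalted hashes this exposes password reuse without cracking anything."""
    counts = {}
    for h in hashes:
        counts[h] = counts.get(h, 0) + 1
    return sum(1 for c in counts.values() if c > 1)


def compare_schemes(credentials=SAMPLE_CREDENTIALS) -> dict:
    """How many reuse groups each storage scheme reveals to whoever holds the dump."""
    unsalted = [unsalted_sha256(p) for _, p in credentials]
    salted = [pbkdf2_record(p, iterations=1_000)["hash"] for _, p in credentials]
    return {"unsalted_reuse_groups": reused_password_groups(unsalted),
            "salted_reuse_groups": reused_password_groups(salted)}
```

The low iteration count in `compare_schemes` is only to keep the demo fast; a real deployment keeps the default or higher, and the slow, salted hash is what turns the attack the thread describes from a lookup into per-user cracking.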

      • eilyra
        +3

        Agreed, it seems rather arbitrary advice. Though complex passwords are good, and mixing normal characters with numbers helps that, I'm starting to strongly believe that for passwords humans need to remember long passwords or even passphrases are the more appropriate answer.

        But still, I'd wager that these breaches are rarely due to weak passwords getting brute-forced and more bad password hygiene otherwise (e.g. sharing passwords across sites, falling prey to social engineering/phishing or having that happen to the service provider).

        I'm sure there are opportunistic attacks on the few most common passwords (or even few hundred) but I'd imagine such attacks to generally get identified & blocked by the service providers. This of course assumes a certain level of competency and scale on their part. :)

        • 0x536e61707a75
          +2

          Although I concur with the need for the service provider's(') diligence in securing the site and its resources, social engineering is hard to carry out once preventative methods are put in place.

          Social engineering requires one of the following:

          - physical access to the user's machine

          - remote access to the user's machine

          - user's assistance via revealing the password(s)

          - user's assistance via revealing confidential information

          - access via server's(') employees

          - access to the server's(') machine(s)

          The first two requirements on the list are mostly preventable. Physical access is basically the point of no return. Remote access utilizes the functionality of malware. The next two are preventable assuming the user analyzes emails from the service carefully and enters URLs properly. The last two are not preventable from the user's side, thus it should be the only attack vector if the user prevents the first four criteria from being met.

          • eilyra
            +1

            Agreed, social engineering from the user's point of view is usually moderately easily preventable with vigilance, however a weak moment (e.g. not properly checking or verifying information) or insufficient education may still allow it to happen. And one way for malware to gain access in the first place is social engineering as well (e.g. e-mails with malicious attachments), so it doesn't need to be the end all way of access but can also be a part in the chain.

    • tehdiplomat
      +1

      But this guy didn't get the password for his facebook account. The "hacker" had Harvard send him a reset password email for the poster's alumni address, which was associated with his facebook. While having strong passwords helps, it wouldn't have mattered in this case.

      • eilyra
        +2

        Ah, social engineering, probably the most efficient way of doing targeted hacking. :)

        But still, strong and more importantly unique passwords (I'm bad at this too, but starting to use something like KeePass or LastPass helps) are probably quite a good deterrent to more passive/large scale breaches so it's still good advice. Even if it hadn't helped in this case! ;)