EmailDiscussions.com  

FastMail Forum All posts relating to FastMail.FM should go here: suggestions, comments, requests for help, complaints, technical issues etc.

Old 6 Aug 2014, 06:32 AM   #1
ChinaLamb
The "e" in e-mail
 
Join Date: Dec 2004
Location: a virtually impossible but finitely improbable position
Posts: 2,324
Massive Hack, Billions of credentials stolen... Was Fastmail affected?

http://www.nytimes.com/2014/08/06/te...ials.html?_r=0

Read this article on the NYT and I got concerned...

Not sure if Fastmail was targeted... Seems to be a massive database -- probably a collection of stolen credentials obtained through the OpenSSL and other hacks? If so, maybe Fastmail was not affected?

Anyhoo... Would be nice to hear if our data is secure.

/cl

Old 6 Aug 2014, 09:48 PM   #2
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,131
What matters most is how you create your passwords. If you use the same password for Fastmail and other sites, a security breach at any of these sites could compromise your Fastmail password (since you are sharing that same password with multiple sites). And if your Fastmail password isn't extremely secure (long and impossible to guess) it can be compromised by those botnets. As long as you have a complex password, I think the greater threat is reusing your Fastmail password at another website. I recommend use of password safe programs or other techniques allowing you to use different long random passwords at different sites, or use of different long word strings you can remember. Since so many of us have well over a dozen important passwords, I don't see getting around using password safe programs or similar secure password storage which can't be easily hacked. Of course, your remembered password for the password safe software needs to be one very secure string you can remember.

Bill
Old 7 Aug 2014, 12:39 AM   #3
werewolf
Essential Contributor
 
Join Date: May 2004
Posts: 265
Here's the sidebar from that linked article -

http://www.nytimes.com/interactive/2...sian-hack.html

So now I have to change all my passwords again - and try to remember them - and every place needs a different pw!
Old 7 Aug 2014, 01:10 AM   #4
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,131
Quote: Originally Posted by werewolf
...So now I have to change all my passwords again - and try to remember them - and every place needs a different pw!
As I said, start thinking about using password safe software. I use SplashID, which synchronizes your device encrypted password lists via a cloud server. You then only need to remember one secure password.
Old 7 Aug 2014, 01:28 AM   #5
werewolf
Essential Contributor
 
Join Date: May 2004
Posts: 265
Quote: Originally Posted by n5bb
As I said, start thinking about using password safe software. I use SplashID, which synchronizes your device encrypted password lists via a cloud server. You then only need to remember one secure password.


But then if someone gets that one secure pw they have access to everything?
Old 7 Aug 2014, 01:58 AM   #6
n5bb
Intergalactic Postmaster
 
Join Date: May 2004
Location: Irving, Texas
Posts: 9,131
Quote: Originally Posted by werewolf
But then if someone gets that one secure pw they have access to everything?
Yes. I figure that company is focused on security. Of course, you need a single password which is long and secure. To make things even more secure, I use a user ID (email address) which is an alias not used for any other purpose, so hackers can't try to use repeated login attempts at the cloud website, since they don't know my user ID. This is similar to keeping your Fastmail or other service login ID separate from any email address you use. They can't hack into my devices unless they get physical access (unless they can remotely control your device).

The main issue with both spam and general Internet security is that users tend to always use the same email address, login ID, and password at multiple accounts. The hackers use automated scripts running on zombie computers (so the attacks come from a huge range of previously trusted IP addresses) with one of your ID/password pairs and if it matches at another site they are easily into your account. If you use different login ID and password pairs at each site, they can't use that technique. If credit cards had a secure challenge/response feature, the name and numbers on the card would be of little use to a hacker. Again, we use the same card information everywhere, and since you can make orders with nothing but that data (and the card account name and billing address) it's a disaster when a server holding many such card entries is breached.

Bill
Old 7 Aug 2014, 05:11 AM   #7
BritTim
The "e" in e-mail
 
Join Date: May 2003
Location: mostly in Thailand
Posts: 3,141
Some will consider the suggestions below suspect, but they have stood the test of time. If you do not want to use a password generator, such as Bill suggests, here is another pretty secure scheme:
  1. Choose a fairly long and random string of characters (about 12 should be enough) that you use in all passwords.
  2. For each site, have an easily remembered procedure you consistently follow to select 4 unique characters that you prefix to the front of your common password string. This can be as simple as, say, the 8th, 3rd, 2nd and 6th characters of the site name. Add one additional suffix character if the first 4 unique characters match some condition (variable length passwords are slightly better than always using the same length).
The reasons this is pretty secure are
  • No human looking at a single password will be able to figure out your methodology.
  • Password hashes are designed so that similar substrings in multiple passwords do not yield similar hashes. Thus, brute forcing additional passwords based on a single exposed password is no easier (assuming your methodology remains secret).
Note that, if you sometimes need to use computers that are not your own, it is a bit scary to risk exposing your password database and master password. The scheme above limits your exposure in this case. (Of course, one-time passwords, if available, are preferable).
Old 7 Aug 2014, 05:44 AM   #8
DumbGuy
Essential Contributor
 
Join Date: Oct 2008
Posts: 228
I've been using BritTim's strategy for a while now for most of my pw's and like it.
Old 7 Aug 2014, 09:48 AM   #9
William9
The "e" in e-mail
 
Join Date: Nov 2005
Location: San Francisco
Posts: 2,281
I really like 1Password as my password manager.
Old 7 Aug 2014, 06:29 PM   #10
Berenburger
The "e" in e-mail
 
Join Date: Sep 2004
Location: The Netherlands
Posts: 2,999
Quote: Originally Posted by William9
I really like 1Password as my password manager.
LastPass +1
Old 11 Aug 2014, 11:45 AM   #11
MHartfield
Junior Member
 
Join Date: May 2012
Location: Arizona
Posts: 22
I use a method similar to BritTim's.
Old 11 Aug 2014, 03:03 PM   #12
danieldk
Essential Contributor
 
Join Date: Mar 2014
Posts: 212
Quote: Originally Posted by BritTim
here is another pretty secure scheme:
It's a pretty insecure scheme. The problem is that some websites store the plain password in their database without applying a cryptographically sound hash. Or even if they do secure hashing, their server may be hacked and the hacker might obtain unhashed passwords. It'll be easy to figure out the scheme. Even more when someone has access to two hacked databases.

There is only one secure password scheme and that is using different, long, random high-entropy passwords for every site. If some site gets hacked, you just replace the password and you do not have to worry that someone will be able to figure out the simple transformation of password -> <some easy to derive characters from the site's name>password<optional one character prefix>.

If people want to stick to a BritTim-like scheme, *please* run the whole thing through a good hash function first, and use that as a password. That will at the very least make it harder to discover the relation between the nearly-identical passwords. You shouldn't use SHA-1, but just as an example to show why hashing such passwords is good:

Code:
~ % echo "ppalSuperSecurePassword" | openssl dgst -binary -sha1 | openssl base64
S85shs0K5glNGpuOf0g/zxPYLB4=
~ % echo "googSuperSecurePassword" | openssl dgst -binary -sha1 | openssl base64
pT6XXfQ66oCQWYrHUnn0zDBdIrU=
As you can see, running the password through a hash first will make it difficult to find the relation between the passwords.

Last edited by danieldk : 11 Aug 2014 at 03:11 PM.
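An added illustration, not from any poster, of the point made in the two posts above: BritTim's prefix-plus-common-string scheme (#7) shares its whole common string between any two sites' passwords, while danieldk's hashed variant (#12) shares only a coincidental character or two. The position rule (8th, 3rd, 2nd, 6th character of the site name) and the sample sites are constructed assumptions, and SHA-256 replaces the SHA-1 of the post.

```python
import base64
import hashlib

# Constructed sample values for illustration only; not real credentials.
COMMON = "SuperSecurePassword"   # the fixed string shared by every password
SITES = ("paypal.com", "google.com")

def site_prefix(site: str) -> str:
    """BritTim's step 2 with one hypothetical rule: the 8th, 3rd, 2nd and
    6th characters of the site name (1-indexed, wrapping for short names)."""
    return "".join(site[(p - 1) % len(site)] for p in (8, 3, 2, 6))

def plain_scheme(site: str, common: str = COMMON) -> str:
    """The scheme as described in post #7: derived prefix + common string."""
    return site_prefix(site) + common

def hashed_scheme(site: str, common: str = COMMON) -> str:
    """danieldk's variant: hash the whole derived string and use the digest.
    SHA-256 is substituted for the post's SHA-1, and no trailing newline is
    hashed (the `echo | openssl` pipeline in the post hashes one)."""
    digest = hashlib.sha256(plain_scheme(site, common).encode()).digest()
    return base64.b64encode(digest).decode()

def longest_common_substring(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (dynamic programming)."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ch in a:
        cur = [0] * (len(b) + 1)
        for j, other in enumerate(b, start=1):
            if ch == other:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best

def leaked_overlap(scheme, sites=SITES) -> int:
    """How many consecutive characters two sites' passwords have in common,
    i.e. what one leaked password reveals about the other."""
    return longest_common_substring(scheme(sites[0]), scheme(sites[1]))

if __name__ == "__main__":
    for site in SITES:
        print(site, plain_scheme(site), hashed_scheme(site))
    print("plain overlap :", leaked_overlap(plain_scheme))   # the whole common string
    print("hashed overlap:", leaked_overlap(hashed_scheme))  # a coincidental char or two
```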
Copyright EmailDiscussions.com 1998-2022. All Rights Reserved. Privacy Policy