FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

Owen Densmore
Administrator
I just l0v3_Rants!!

Oh wait, that was my only password!  I'm playing with 1Password, I'm ashamed to say.

   -- Owen

============================================================
FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
lectures, archives, unsubscribe, maps at http://www.friam.org

Re: FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

Nick Thompson

[sigh]

I got a call from Citibank today.  The Russians have my credit card number and are trying to buy computers at Dell.   Second time I have had to change my credit card number in 4 mos.

Nick

From: [hidden email] [mailto:[hidden email]] On Behalf Of Owen Densmore
Sent: Monday, December 05, 2011 11:18 AM
To: [hidden email]; Complexity Coffee Group
Subject: [FRIAM] FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

I just l0v3_Rants!!

Oh wait, that was my only password!  I'm playing with 1Password, I'm ashamed to say.

   -- Owen



Re: FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

Robert Holmes
In reply to this post by Owen Densmore
This was my favorite line. The punctuation says it all. Brilliant.—R

i've run into more than one bank that requires a digit in your username. A digit. In. Your. Username.

On Mon, Dec 5, 2011 at 11:18 AM, Owen Densmore <[hidden email]> wrote:
http://me.veekun.com/blog/2011/12/04/fuck-passwords/



Re: FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

Owen Densmore
Administrator
I feel naive but have to ask:
  How exactly do stolen passwords help someone steal my credit card etc.?

I ask because I'm assuming they do so by breaking into a website (Gawker was mentioned) and get the password file.  That file has a hash of my password, and a very few other things like my login name.

This is the only way they can crank on my hash to find words that translate into the hash .. assuming they know how the site uses it (salt etc).

OK, they have my password.  Now what?

They won't have my credit card number, that is stored elsewhere, and on amazon etc it is reasonably well protected.  And even I don't see the credit card number .. only the last few digits.

Ditto for my email address, also often used as a login "name", it's not part of the password file, right?  So how would they get my email address?  I suppose they can search for my login name and hope to correlate it with an email address.

Which brings me to the real threat Steve mentioned a while back: if someone can hack into your mail account, they can simply go to amazon and click "I forgot my password" .. and have it mailed to the compromised email account which the wily hacker is monitoring and deletes as soon as the pw is available.

So shouldn't one's email account be the best secured?  Best password?

So I don't really understand how the theft of a password file automatically turns into stealing your identity, credit cards and all.

How's it done?


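Owen's question above ("they have a hash of my password ... assuming they know how the site uses it, salt etc.") is the crux of why a stolen password file is or is not useful. The script below is an added illustration for this thread, not code from any site mentioned in it: it builds a constructed three-user credential store two ways, once as a bare SHA-256 of the password and once as per-user salted PBKDF2, and shows what a person holding the file can see in each case. Usernames, passwords and the iteration count are made-up example values.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample accounts for this example (not real users). Two of them
# happen to reuse the same password, which is the common case a leaked file exposes.
USERS = {
    "alice": "l0v3_Rants!!",
    "bob": "l0v3_Rants!!",
    "carol": "correct horse battery",
}

# Assumed work factor for the example; production values are tuned per deployment.
ITERATIONS = 100_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Equal passwords -> equal hashes,
    and one precomputed table of common passwords answers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Dict[str, object]:
    """The stronger scheme: a random per-user salt plus a deliberately slow KDF.
    The salt is stored in the clear beside the hash; it is not a secret, it just
    forces any guessing work to be redone per user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(password: str, record: Dict[str, object]) -> bool:
    """Recompute with the stored salt/iterations and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(candidate, bytes.fromhex(str(record["hash"])))


def build_stores():
    """Return the same accounts stored under both schemes."""
    unsalted = {user: unsalted_sha256(pw) for user, pw in USERS.items()}
    salted = {user: pbkdf2_record(pw) for user, pw in USERS.items()}
    return unsalted, salted


def shared_password_groups(store: Dict[str, object]) -> List[List[str]]:
    """What the holder of a leaked file learns for free: which users share a
    password, read straight off identical hash values. With per-user salts the
    stored values differ even for identical passwords, so the groups vanish."""
    by_hash: Dict[str, List[str]] = {}
    for user, entry in store.items():
        h = str(entry["hash"]) if isinstance(entry, dict) else str(entry)
        by_hash.setdefault(h, []).append(user)
    return sorted(sorted(users) for users in by_hash.values() if len(users) > 1)


if __name__ == "__main__":
    unsalted, salted = build_stores()
    print("unsalted file reveals shared passwords:", shared_password_groups(unsalted))
    print("salted file reveals shared passwords:  ", shared_password_groups(salted))
    print("alice login ok:", verify_pbkdf2("l0v3_Rants!!", salted["alice"]))
```

The point for the thread: a site that stores the unsalted form hands an attacker every user's reused password at once, while the salted, slow form makes each account a separate and expensive job. None of this changes the second risk Owen raises, password reset through a compromised mailbox, which no hashing scheme addresses.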

Re: passive security

Marcus G. Daniels
In reply to this post by Nick Thompson
On 12/5/11 12:55 PM, Nicholas Thompson wrote:
I got a call from Citibank, today.  The Russians have my credit card number and are trying to buy computers at Dell.   Second time I have had to change my credit card number in 4 mos.


Two factor security:  Something you have and something you know.   But rather than "something you know", replace with "the normal activities of you.."   These are enormous companies.  They have the resources to do the modeling and also to absorb the cost of some fraud. 

Marcus

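Marcus's "the normal activities of you" factor is, in practice, a behavioural baseline per cardholder against which each new transaction is scored. The following is an added sketch for this thread, not an issuer's actual model: it builds a constructed purchase history for one card and scores new transactions on a few simple deviations (amount far outside the usual range, a country or merchant category never seen before, an unusual hour). The thresholds, weights and sample data are all assumed example values.

```python
from dataclasses import dataclass
from statistics import mean, pstdev
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    amount: float
    country: str
    merchant_category: str
    hour: int  # local hour of day, 0-23


# Constructed history for one cardholder (example data, not from the thread):
# small everyday purchases, one country, daytime and evening hours.
HISTORY: List[Txn] = [
    Txn(42.10, "US", "grocery", 18),
    Txn(18.75, "US", "restaurant", 12),
    Txn(65.00, "US", "fuel", 8),
    Txn(12.40, "US", "grocery", 19),
    Txn(80.00, "US", "restaurant", 21),
    Txn(33.20, "US", "grocery", 13),
    Txn(55.60, "US", "fuel", 9),
    Txn(27.90, "US", "restaurant", 17),
]

# Assumed weights and thresholds for the example.
AMOUNT_Z_LIMIT = 3.0
WEIGHTS = {"amount": 40, "country": 30, "category": 20, "hour": 10}
BLOCK_AT, STEP_UP_AT = 50, 30


def risk_score(history: List[Txn], txn: Txn) -> Tuple[int, List[str]]:
    """Score one new transaction against the cardholder's own baseline.
    Returns the total score and the list of reasons that contributed."""
    reasons: List[str] = []
    score = 0

    amounts = [t.amount for t in history]
    mu = mean(amounts)
    sigma = pstdev(amounts) or 1.0  # guard a flat history against division by zero
    z = (txn.amount - mu) / sigma
    if z > AMOUNT_Z_LIMIT:
        score += WEIGHTS["amount"]
        reasons.append(f"amount {z:.1f} sd above usual spend")

    if txn.country not in {t.country for t in history}:
        score += WEIGHTS["country"]
        reasons.append(f"first purchase from {txn.country}")

    if txn.merchant_category not in {t.merchant_category for t in history}:
        score += WEIGHTS["category"]
        reasons.append(f"first purchase in category {txn.merchant_category}")

    if txn.hour not in {t.hour for t in history}:
        score += WEIGHTS["hour"]
        reasons.append(f"unusual hour {txn.hour:02d}:00")

    return score, reasons


def decision(score: int) -> str:
    """Map a score to the issuer's action: allow, ask for a second factor, or block
    and call the cardholder (which is what Nick's Citibank call amounts to)."""
    if score >= BLOCK_AT:
        return "block"
    if score >= STEP_UP_AT:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    for candidate in [
        Txn(35.00, "US", "grocery", 12),
        Txn(60.00, "CA", "restaurant", 19),
        Txn(1899.00, "RU", "electronics", 3),
    ]:
        s, why = risk_score(HISTORY, candidate)
        print(candidate, "->", s, decision(s), why)
```

The modelling in real issuers is far richer (merchant networks, device and geography velocity, peer groups), but the structure is the same: the "something you do" factor is a continuously maintained profile, and the cost of the residual fraud is what Marcus says they absorb.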

Re: FUCK PASSWORDS - Blog - December 2011 - veekun: fuzzy notepad

Sarbajit Roy (testing)
In reply to this post by Owen Densmore
If somebody hacked your email account, it would ASSIST them for the
following things

1) They would know many "secret" things about you / your knowledge
2) They could request / authenticate a PIN reset.
3) They could request a replacement credit card to be sent to another
address under their control.

and so on.

The hacked email by itself would be very useful, but not always
sufficient for their purposes. It may require supplementing by
impersonation or interception of snail mails etc.

Sarbajit



On 12/6/11, Owen Densmore <[hidden email]> wrote:

> I feel naive but have to ask:
>   How exactly do stolen passwords help someone steal my credit card etc.?
>
> I ask because I'm assuming they do so by breaking into a website (Gawker
> was mentioned) and get the password file.  That file has a hash of my
> password, and a very few other things like my login name.
>
> This is the only way they can crank on my hash to find words that translate
> into the hash .. assuming they know how the site uses it (salt etc).
>
> OK, they have my password.  Now what?
>
> They won't have my credit card number, that is stored elsewhere, and on
> amazon etc it is reasonably well protected.  And even I don't see the
> credit card number .. only the last few digits.
>
> Ditto for my email address, also often used as a login "name", it's not
> part of the password file, right?  So how would they get my email address?
>  I suppose they can search for my login name and hope to correlate it with
> an email address.
>
> Which brings me to the real threat Steve mentioned a while back: if someone
> can hack into your mail account, they can simply go to amazon and click "I
> forgot my password" .. and have it mailed to the compromised email account
> which the wily hacker is monitoring and deletes as soon as the pw is
> available.
>
> So shouldn't one's email account be the best secured?  Best password?
>
> So I don't really understand how the theft of a password file automatically
> turns into stealing your identity, credit cards and all.
>
> How's it done?
>
