system — 2009-08-08T02:56:32-04:00 — #1
Someone told me today that someone hacked their hotmail password or something. I told them that someone probably saw them type it or they gave it to someone, and that hacking into hotmail is probably as hard as hacking into a bank, seeing as millions of people use hotmail accounts for all their business communications and secure information (credit cards, social security etc etc and whatever), well besides more techy savvy people with their own private networks/servers or whatever. I also said that anyone with that kind of hacking skill would probably have better things to do than hack their account since they really are a nobody.
Am I right that hotmail and other popular public servers like yahoo are really this secure? Are there more secure alternatives? It just made me wonder.
felgall — 2009-08-08T03:27:29-04:00 — #2
Most people use easy to guess passwords and so their hotmail accounts (and accounts they have most other places) are easy to break into. With a hard to guess password containing uppercase letters, lowercase letters and numbers (as a minimum) it would take a lot longer to break in (perhaps too long to be worth the effort - particularly while there are so many easy to guess passwords in use).
system — 2009-08-08T04:57:41-04:00 — #3
I see. So basically as long as my password is a random combination of numbers and letters, it is safe to say that I should not worry..... I hope
I know one method is password generators which randomly test hundreds of passwords per second or whatever until it unlocks... do mail servers have protection against these kinds of attacks? Like if loads of requests fail in a few seconds it will recognize it as a hack program and shut them out. Or maybe some other method which hacks the mail server directly and then downloads the password from the hotmail/mail database.
Are there any more secure private mail alternatives? I do worry a bit.
Or maybe the public mail servers like hotmail/yahoo are actually the most secure since they have millions of dollars to build whatever security shields they use.
masm50 — 2009-08-08T05:30:06-04:00 — #4
GMail/Hotmail/Yahoo Mail are all relatively secure as Stephen said, but the issue is normally people using very guessable passwords. Even if the password is secure, if any computer you login to your email with has a trojan then it may be logging your username/password and allowing someone in that way.
It is far more likely that someone can gain access to your account by guessing your password or getting it via a trojan than actually hacking in or using some form of brute force attack (i.e. trying thousands of passwords per minute). Although I can't be sure, I would imagine that if the wrong password is entered more than a few times in a minute from one IP then the mail service will block the IP, thus preventing most brute force attacks.
system — 2009-08-08T05:40:19-04:00 — #5
I had not thought of trojans. I am the only person that uses my computer in my house. What worries me about trojans is internet cafes... we all like to check our mail on holiday or in town/other journeys etc in these internet cafes... but you never know what someone could have installed there.... or perhaps the cafe itself is owned by some loser hacker. Maybe I should stop using internet cafes. I suppose I could change my password every time after I use an internet cafe... but then if I change it a dozen times a month I might forget it.
felgall — 2009-08-08T18:36:32-04:00 — #6
A lot of password protection systems automatically lock an account after a certain number of incorrect passwords (resetting the count when you successfully log in). This prevents brute force attacks but inconveniences the person whose account has been attacked since they then need to arrange for it to be unlocked in order for them to be able to use their own account.
An alternative that I have been implementing on password protected sites I have been setting up but which I haven't come across elsewhere is to enforce a delay between wrong password attempts. The account is automatically locked for so many seconds after a wrong password attempt (or any attempt while it is already locked). That way unless the person trying to brute force the password builds in a delay longer than the lock period between attempts then all attempts except their first one will be ignored as the account is locked until the required number of seconds passes after they stop trying.
One thing that perhaps more people should consider using is a password vault. This is a program that you use to store all your passwords in. They usually have an option for generating passwords that are random strings of characters (which can include those that are not numbers or letters). You then copy and paste your password from there when logging in to a site. These programs generally use a master password (the only one you need to remember) to prevent others being able to access your passwords (which are stored in an encrypted file that can only be read by the program after you successfully log in) and some also provide an option to hide the passwords when you are using the program so that you can copy/paste a password to gain access to a site and the person standing next to you watching what you type in and what is displayed on the screen still doesn't know what your password for that site is (A keylogger would still be able to steal your password for access to the vault though and that would then give someone access to all your passwords - but then you wouldn't want to log in to anything from a computer that might have a keylogger installed on it anyway.).
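The delay-lock scheme felgall describes in post #6, as an added Python example that is not the poster's own code: any wrong attempt locks the account for a fixed period, and any attempt made while locked is ignored and restarts the lock. The 30-second lock period, the password and the guess list are constructed for the simulation; the fake clock stands in for real time so the run is instant.

```python
import time

class FakeClock:
    """Constructed clock so the simulation is deterministic and needs no sleeping."""
    def __init__(self):
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class DelayLockedAccount:
    """felgall's scheme: a wrong password locks the account for lock_seconds;
    an attempt while locked is ignored and the lock period starts over."""
    def __init__(self, password, lock_seconds, clock=time.monotonic):
        self._password, self.lock_seconds, self._clock = password, lock_seconds, clock
        self.locked_until = 0.0

    def attempt(self, candidate):
        now = self._clock()
        if now < self.locked_until:
            self.locked_until = now + self.lock_seconds  # ignored, and the lock restarts
            return "locked"
        if candidate == self._password:
            return "ok"
        self.locked_until = now + self.lock_seconds  # wrong password: lock from now
        return "wrong"

def brute_force(account, guesses, seconds_between_attempts, clock):
    """Try guesses in order. Returns (guesses actually checked, working guess or None)."""
    checked, found = 0, None
    for guess in guesses:
        result = account.attempt(guess)
        if result != "locked":
            checked += 1
        if result == "ok":
            found = guess
            break
        clock.advance(seconds_between_attempts)
    return checked, found

# Constructed guess list; the real (assumed) password sits last so a patient attacker reaches it.
GUESSES = ["123456", "password", "qwerty", "letmein", "Tr0ub4dor&3"]

def fast_attacker():
    """100 attempts/second: only the first guess is ever checked, the rest hit the lock."""
    clock = FakeClock()
    return brute_force(DelayLockedAccount("Tr0ub4dor&3", 30, clock), GUESSES, 0.01, clock)

def patient_attacker():
    """Waits out the 30 s lock each time: every guess is checked, at one guess per ~31 s."""
    clock = FakeClock()
    return brute_force(DelayLockedAccount("Tr0ub4dor&3", 30, clock), GUESSES, 31, clock)
```

The same lock also delays the legitimate owner after a typo, which is the trade-off felgall mentions for the count-based variant too.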
alexdawson — 2009-08-09T03:10:51-04:00 — #7
You all have forgotten something very important (and problematic), hackers mainly use the "forgotten password" feature of sites like hotmail to take control of your account, whereas most websites' password forgotten sequences email the confirmation message to an email account (circumventing the issue), because hotmail IS an email provider they cannot use this system (otherwise people may not have somewhere else to email it to!). The problem with this is they rely on generic data such as your date of birth and a question (such as mother's maiden name) which are much easier to guess than a password with a long string sequence. As a result unless you make your personal questions much harder to guess you could end up with a hijacked account!
chrisk985 — 2009-08-10T16:31:25-04:00 — #8
Seeing what some people can do, I would suggest just not accessing anything that requires a password while browsing the internet at an internet cafe.
kailash_badu — 2009-08-11T04:40:03-04:00 — #9
I have also seen new kinds of social engineering attacks against the people who don't think twice before giving out their passwords. One of your friends in your messenger list falls victim to a malware that logs into his instant messenger / email account and sends out a mass message to all his friends. One of the most common messages goes along these lines: 'Hey! I just found out a site that finds the list of friends who have blocked me. Click here to find who has blocked you'. Upon clicking the link you see a screen that says it needs your username and password to find out who has blocked you. Most young people, especially girls, are instantly beguiled into giving out their passwords and the attack propagates.
dan_grossman — 2009-08-11T05:16:58-04:00 — #10
Now combine the two. The type of attack Alex brought up, and some social engineering.
Your "secret question" used to recover a lost password is probably the weakest link if you use strong, unique passwords for each site. It's too easy for someone to find out what high school you went to, what your mother's maiden name is, what your father's middle name is, what your first dog's name was, etc. when you and your family are listed on social networks.
You never know when the latest person to "friend" you that you didn't quite recognize could be someone that wants to read your profile in order to learn more about you to steal your accounts this way.
The SitePoint podcast recently talked about this and suggested you make up answers. Create a fake persona that lives only in your head so that your security questions/answers can't be answered by someone that might know your profile.