No. of Recommendations: 4
I expect you were not using things like 123456, LetMeIn, ChangeMe or Password as your password - but more than 1 in 10 passwords are of this variety...

Thanks for the response. No, I've never had weak passwords like those, except maybe when I first started out in the 1970s and may have had dictionary words, etc. Nowadays, I use strong passwords, but sometimes you still find a website that allows only a limited subset of special characters, for example. Sometimes a website that accepts strong passwords now only allowed somewhat less-strong passwords just a year or three ago, which means the less-strong password may remain in place if you're unaware the requirements have changed.

I don't like to recycle or reuse passwords, which means I have a lot of them. It makes keeping track and updating things a bit hard.

In retrospect, though still "strong" (according to the password assistant in System Preferences > Users & Groups), my Amazon password had room to be stronger. Plus, it hadn't been changed in a while, so it's possible it dates from a time when Amazon didn't allow really strong passwords.

The Apple ID problem was mainly an irritation, but coming right after the Amazon hack compounded things.

-awlabrador
No. of Recommendations: 7
First my sympathies - I am sure you feel violated.

You asked, "Can two factor authentication be hacked?"

This is a system designed, implemented and controlled by humans so the answer to your question is yes.

But let me suggest the more important question is something along the lines of: given that your Amazon account was hacked, how likely is it that my Apple account with two-factor authentication can be hacked? And the answer to that question is "much more unlikely" at a minimum.

To access my TwoFactor protected AppleID & Account information the bad guy would have to:

#1. Know my AppleID (the easiest part to learn)
#2. Know my Apple Password - something I don't leave out and short of having a keystroke logger on my MacBook difficult to get.
#3. Physical possession of one of the devices I qualified with the Apple system for authentication. Those devices are my iPhone, my iPad and my MacBook. (I can easily set up these devices so I need not only possession, but also the device's passcode before the numbers are even sent by Apple to my device.) So the system is not simple to defeat.

Regarding your 3:35 email from Apple - sometimes wordings in such emails are a bit sloppy. Maybe someone had your login/AppleID and clicked on a link to a "Forgot My Password" system. If you want to know what really happened, call AppleCare - with a security issue. I expect they will have records of what actually happened.

Today I was able to access my Amazon account and do any of the following merely by knowing my Amazon Login and Amazon Password:

#1. Change my email of record
#2. Change my Amazon Password
#3. Change my Amazon Security Level
#4. Change my delivery address
etc.

As I read your post whoever was into your account may well have been just playing with you. Otherwise they could/would have done a lot more than just change your email.

Not knowing your password habits before the Amazon incident makes it hard to gauge where on that spectrum from "the CIA/FBI are after you" to "sloppy habits just caught up with you" this falls.

I expect you were not using things like 123456, LetMeIn, ChangeMe or Password as your password - but more than 1 in 10 passwords are of this variety. Another common weakness is what I call password recycling. For many years my wife and I used the same 4 or 8 characters as our PIN and Password for everything. Clearly if a bad guy gets a password to, say, a blog you read, one of the first things is to check that password at, say, Amazon, Gmail, etc. I had a neighbor whose passwords were of the form abcAmazon, abcBankAmerica, abcElectric, etc.

The latest security views say length, as opposed to complexity or even forced periodic changing, is really what matters. Fortunately my Password Manager makes getting random passwords easy. Current expert view says password #1 is significantly less secure than password #2 below. But #2 is much easier to remember and the type of thing I suggest for a Master Password.

#1. 3F8YqBfvAkUMWy94agHVTGhjE
#2. anteroom-sycamore-upwind-pentagon

Because the first is 25 characters long and the second is over 30.
No. of Recommendations: 12
I was watching a video yesterday addressed to coders and to some of our misconceptions. Passwords were one of them. It turns out that a ten-digit gibberish password with lots of special characters is easier to crack than a plain sentence twice as long. The reason is simple: while it's gibberish to us, it's just characters to a computer, and the longer the string, the longer the loop to get through it. The origin of the misconception is simple enough: in the old days it was people doing the decoding, but now it's computers with a different approach to problem solving.

Facts become myths and rules over time.

Denny Schlesinger
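The two posts above compare a 25-character random string with a four-word passphrase and argue from length alone. As an added illustration (not code from this thread or from any of the posters), the script below estimates the strength of both candidates under two attacker models: an attacker who enumerates every string over the character pool, and an attacker who knows the passphrase is made of dictionary words and searches a word list instead. The word-list size (7776, the Diceware count) and the guess rate are assumptions chosen for the calculation, not figures from the thread.

```python
import math

# The two candidate passwords quoted in the thread.
RANDOM_PASSWORD = "3F8YqBfvAkUMWy94agHVTGhjE"
PASSPHRASE = "anteroom-sycamore-upwind-pentagon"

# Assumed attacker parameters (not from the thread): a Diceware-sized word
# list and an offline guess rate; both are placeholders for the estimate.
WORDLIST_SIZE = 7776
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Size of the smallest character-class pool that covers the password
    (lowercase 26, uppercase 26, digits 10, other printable ASCII 33)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return pool


def brute_force_bits(password: str) -> float:
    """Entropy if the attacker enumerates every string over the character pool."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(passphrase: str, wordlist_size: int = WORDLIST_SIZE,
                  sep: str = "-") -> float:
    """Entropy if the attacker knows the passphrase is N words from a known
    list; the separator is assumed known, so it adds nothing."""
    words = passphrase.split(sep)
    return len(words) * math.log2(wordlist_size)


def effective_bits(password: str) -> float:
    """Defender's estimate: the attacker runs the cheaper search, so the
    effective strength is the minimum over the models that apply."""
    bits = brute_force_bits(password)
    parts = password.split("-")
    if len(parts) > 1 and all(part.isalpha() for part in parts):
        bits = min(bits, wordlist_bits(password))
    return bits


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password: on average half the key space."""
    return (2 ** bits) / 2 / rate


if __name__ == "__main__":
    for pw in (RANDOM_PASSWORD, PASSPHRASE):
        print(f"{pw}: brute-force {brute_force_bits(pw):.1f} bits, "
              f"effective {effective_bits(pw):.1f} bits, "
              f"~{expected_crack_seconds(effective_bits(pw)):.3g} s at "
              f"{GUESSES_PER_SECOND:.0e} guesses/s")
```

The point the numbers make is that "longer is stronger" only holds when the attacker has to treat every character as unknown; once a password is built from a public word list, its strength is the number of words times the list's entropy, and the comparison between the two candidates flips. The passphrase in the thread is still a sensible master password if the words are chosen at random and the list is large, but it is the word count, not the character count, that a defender should reason about.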
No. of Recommendations: 0
Thanks, Denny and GWPotter, for the responses.

I've pretty much kept to strong password practices for quite a while, though I think it's clear that some of my passwords are stronger than others. Clearly my password practice has been evolving, with the newer ones being stronger as I go along. With last week's hack, I've begun going through and changing at least some of the more important passwords, and none of them are older than about two years. While that may be too long to go without changing, it turns out I've got around at least a hundred passwords, which is a lot to keep track of. I was surprised at the count. It's inevitable that some get stale.

Because money is involved, though, I tend to change my financial institution passwords far more frequently.

-awlabrador
No. of Recommendations: 3
I've begun going through and changing at least some of the more important passwords, and none of them are older than about two years.

Like most folks in this area, I only know what I read. That said, you have brought up a very important point. Many comments by security people suggest that every password needs to be as strong as possible or at least very strong.

In my view no. Using CowBelljklm, where the characters 'jklm' are my street address number, as the password for our small town local newspaper presents a whole different risk than eMailgwpotter as my email password.

Even though I have a password manager, I do tend to use easily remembered passwords for things like local newspapers -- if nothing else, occasionally I have to enter these passwords in on my iPhone, and DeJgY4LXdWb is harder to enter than CowBell5678 even though they are equally long.

To my view the single most important password I have is not my Master Password, but rather my email password. That is because if someone 'captures' my email I will find it really hard to, say, recover a hacked Amazon account or communicate with, say, credit agencies. To be really clear, in my view one's email password needs to be unique, at least 15 characters long and be composed of UPPER case, lower case and a $ymbol if allowed. My reading says such a password will take computers a long time to find.
http://keithieopia.com/post/2017-12-13-passwd-crack-time/

Most of us have financial accounts (credit cards if nothing else). I think such accounts should have strong passwords, but to me these represent a small risk. Unless I am committing fraud or fail to report an unauthorized transaction within two business days *after* I learn of the transaction my maximum possible loss is $50. Not quite the same as somebody being able to open a credit card in my name. Hence I have frozen my credit.

Each person's situation and personal views are different - we do decide consciously or by inaction how important the digital security of each individual account is. I just wish people would be honest enough to accept the consequences of their choices when those consequences are not what people want.
No. of Recommendations: 0
To my view the singly most important password I have is not my Master Password, but rather my email password.

Good point, Gordon. Do you use Mac (Apple) Mail? Do you secure Mail by using a strong login password for your Mac?

Bill
No. of Recommendations: 1
In my view no. Using CowBelljklm, where the characters 'jklm' are my street address number, as the password for our small town local newspaper presents a whole different risk than eMailgwpotter as my email password.

I agree, generally.

However -- and this is the paranoid part of me -- I note that a lot of the "less-critical" accounts I have are still linked to an e-mail address, i.e. a contact e-mail in my account profiles on various sites. That's not a big deal if an attack is an automated script/bot that merely brute-forces a password and then logs a successful login, without going in and collecting information or causing trouble.

But if a follow-up attack or more targeted attack goes in and lifts my e-mail address (assuming the account username isn't already my address), then it potentially opens the address itself for attack, plus other accounts with that address as a username.

Of course, the latter is less likely than an automated, brute force attack, and that address will have a different (and stronger) password and/or other protections.

Even though I have a password manager, I do tend to use easily remembered passwords for things like local newspapers -- if nothing else, occasionally I have to enter these passwords in on my iPhone, and DeJgY4LXdWb is harder to enter than CowBell5678 even though they are equally long.

That's sort of what I do. Over time, as I've migrated to ever stronger passwords, I've resorted to very long but easily remembered (to me) phrases, and then I store a hint in an encrypted database that only I understand but never forget. This is not an actual example, but if part of my hint is "dogcow", I might remember that the actual passphrase component is "c@n1neM1lk" (canine milk) or even "Cl@rus". Should I ever forget what my hints mean, though, I might be in trouble.

-awlabrador
No. of Recommendations: 1
I think I should note that, a week after contacting Amazon, I still haven't heard back from them, which is a little concerning. However, the security changes that I activated (new password, 2 factor authentication) have remained safely and irritatingly in place.

-awlabrador
No. of Recommendations: 2
Pretty sure, at least with Amazon, you'd see Order confirmation, shipping notices, or password changes if they happened.

I lost my wallet a few years ago, never any odd charges, but we killed all our cards, changed PINs, etc. Biggest hassle was remembering what was in it; other than the dollars lost, there were medical and car insurance cards, driver's license... it made for a busy few weeks. We deal mainly with a local credit union; they are excellent at noticing any odd charges, but others do it, too. Citi recently called us on odd charges away from our normal area, stopped the charge, reissued new cards... We never use ATM cards online. I use PayPal for eBay; all has been good for a long time.

Passwords, I know I should go to 1Password or LastPass, but so many accounts are deeply embedded, verified, so I just hate to disturb them. Others, if there is no financial risk, simple, easy passwords...

Used to keep a little notebook, but moved it all to an Excel sheet; now it's way too long a list, but at least available. Should encrypt it I suppose, but one can get really paranoid, uselessly as well...

In work times, before retirement, we had an 8.5x11 sheet of random 5-letter words, used in pairs, then changed every month. Today I'd add numbers or viable characters, but a few combos were memorable, long after that sheet is gone, and I use them in many places... I like the idea of long sentences as passwords, but they, too, are easily forgettable...
No. of Recommendations: 0
if nothing else, occasionally I have to enter these passwords in on my iPhone, and DeJgY4LXdWb is harder to enter than CowBell5678 even though they are equally long.

FWIW, 1Password (and I presume LastPass) has a mobile app that prevents you from having to manually enter passwords on your phone. There's a paid version, but the free version gets you access to your passwords (I think the paid version allows you to access more of your other stored info that isn't necessarily logins).

dsbrady
No. of Recommendations: 1
Bill wrote
Do you use Mac (Apple) Mail? Do you secure Mail by using a strong login password for your Mac?

No, the password for my AppleID really could not be considered strong. I will rethink that.

While I have an @icloud.com email account, that is not my main email account.

My statement about the import of email passwords was clearly ambiguous. The risk, and hence the issue, with an email account is losing control: someone using a password, getting in and changing my password, changing my recovery information, etc. Rightly or wrongly, I have chosen to believe the 2-factor Apple system provides protection for that account. My main email is elsewhere and it has what I consider a strong password.
No. of Recommendations: 1
awlabrador wrote:

However -- and this is the paranoid part of me -- I note that a lot of the "less-critical" accounts I have are still linked to an e-mail address, i.e. a contact e-mail in my account profiles on various sites. That's not a big deal if an attack is an automated script/bot that merely brute-forces a password and then logs a successful login, without going in and collecting information or causing trouble.

But if a follow-up attack or more targeted attack goes in and lifts my e-mail address (assuming the account username isn't already my address), then it potentially opens the address itself for attack, plus other accounts with that address as a username.


I am with you that for less risky and/or important accounts getting attacked is likely not a big deal -- that is the first paragraph.

Where I have trouble is your second paragraph. If I understand you correctly, you are saying that because your email is a login, your more important accounts are placed at added risk. In many locations, such as TMF, your login shows up. Your email is hardly a secret. The key point is to have your email protected from being hijacked, i.e. someone taking control of it in a way that prevents you from getting email sent to you (like changing the email password).


Am I misreading the second paragraph from you above?
No. of Recommendations: 1

I think I should note that, a week after contacting Amazon, I still haven't heard back from them, which is a little concerning. However, the security changes that I activated (new password, 2 factor authentication) have remained safely and irritatingly in place.


OK this is my cynical curmudgeon side speaking --

Amazon does not give a flip about the fact 99.9% of the compromised Amazon accounts are compromised. Amazon cares about selling stuff. They are fully aware many people use simple passwords. It is not in Amazon's financial interest to force people to use strong passwords, because a significant portion of those customers will seek alternative places to spend money.

Amazon passwords must be 6 characters long - They may not allow 123456, but I am not going to find out. Here are their rules & suggestions. http://tinyurl.com/y79c85wq
No. of Recommendations: 0
I wonder if one could successfully use a password made completely of emojis?
or something like ßceìœ?
No. of Recommendations: 0
Am I misreading the second paragraph from you above?

No, you're not misreading it, and I understand the trouble you have with the second paragraph. If my less-important account uses my e-mail address in my profile (but not my username), then it says to the hacker that there's a legitimate e-mail address there to check out. If that address has a very strong password, two factor authentication for settings, etc., then I've done as good a job as I can at protecting it, short of never publicizing that address anywhere. Your point about protecting the e-mail address is understood. But it's still a map to another contact point of mine, making my e-mail address a potential target where it wouldn't necessarily have been before.

For example, suppose I'm a famous Twitter user with a lot of followers, but suppose my Twitter handle is frotz, with password "password". Frotz alone isn't a good identifier, but someone breaking in could find my e-mail address is ozmoo@e-mail.com. If my e-mail password is strong, or at least much, much stronger than my Twitter password, then my e-mail becomes a target, but a well protected target. If the password is weak, my e-mail becomes a very vulnerable target. In either case, my e-mail address is more likely a target because of the information found on the weakly protected Twitter account rather than because someone probed all possible usernames on e-mail.com.

But moving beyond that particular e-mail address, suppose I had said things on Twitter indicating I'm a user on Google and YouTube, which can be accessed with an e-mail address as a username. Then those accounts become additional targets, whether they have strong passwords or not. With enough of these accounts, surely some will have weak passwords and thus be vulnerable.

As I said, it is the paranoid part of me that thinks this way, the same part of me that goes through my /var/log directory frequently to look for unauthorized accesses.

-awlabrador
No. of Recommendations: 0
Try and see what happens.

Try it on a throwaway/fake new account.
No. of Recommendations: 2
This is another potential issue I had not thought about before this thread - sort of a sad way to satisfy my goal of learning something every day.

There are some things we can control and others we have to accept we cannot control. One such item is that people will change their email addresses. There needs to be a way for anybody with an internet presence to accommodate email address changes.

But before you let your paranoid feels push your mind to a conclusion, have your logical side address one question and one thought.

Question. Exactly what reason would there be to spend thousands of dollars and/or hundreds of hours hacking you?

Thought. If for whatever reason the FBI or CIA wants something, they have large staffs and budgets. Since they generally don't publish their data (i.e. the stuff they know), maybe worrying about stuff I can't control or even know exists is a waste of time.
No. of Recommendations: 1
But before you let your paranoid feels push your mind to a conclusion, have your logical side address one question and one thought.

Question. Exactly what reason would there be to spend thousands of dollars and/or hundreds of hours hacking you?


My logical side says that my Amazon account was probably hacked automatically by a script or other program, though I suppose it's possible that the hacker actually obtained Amazon's password file. I think the former is more likely the case. I'm frequently fending off persistent attacks on my Ubuntu systems at work, and it seems to me that there's not really a lot of effort that goes into these automated attacks. (I try to keep firewall protection at a useful minimum, because too strong a protection would interfere with work -- I've locked myself out a couple of times when I got too aggressive.)

I don't think they targeted me, specifically. The motivation would not be to compromise my account specifically but to compromise as many accounts as possible, on Amazon and elsewhere, to use for future access to systems, to install botnets, etc.

Thought. If for whatever reason the FBI or CIA wants something, they have large staffs and budgets. Since they generally don't publish their data (i.e. the stuff they know), maybe worrying about stuff I can't control or even know exists is a waste of time.

I don't think I ever thought the FBI or CIA targeted me, or even Amazon accounts generally. I believe that the CIA and the NSA already have the tools to compromise all kinds of systems, including Macs, iOS, and Linux, and not just Windows -- see my posts here over the past few years on things like the Equation Group, Advanced Persistent Threats, etc. (Search the discussions for "awlabrador Equation Group".) And state actors, like the Equation Group, would see as one of their primary goals keeping the target from learning he's been hacked, right up there with installing their APT platforms in the first place. That is, if even my Mac were compromised by the NSA, I probably wouldn't know it. (And if so, my ISP router is probably most likely to blame.) With my Amazon account, I knew within an hour of receiving the e-mail that something was wrong.

No, my logical side says that my Amazon account was compromised by an automated attack, and that the success of the attack was logged somewhere with my e-mail address. Even if they'll try to exploit the compromise, my bet is that they won't get around to it for a while, and I've already upped security.

It's my paranoid side that's saying, "Okay, but what if..."

-awlabrador
No. of Recommendations: 0
Here's another thought:

Assuming the hackers are intent on using multiple accounts for whatever reason, they'll probably want inactive or moribund accounts -- the owner has passed away, for example, or perhaps forgot his access credentials and opened another account rather than try to recover access.

In that case, the hackers would log the accounts and then return later (days, weeks) to see if the compromise is still in place. Those that have their security restored would be discarded as being active, while those that are still compromised could be flagged as potentially useful in the future.

-awlabrador
No. of Recommendations: 1
The sad part is that there are sites (hotel accounts) that still only use a 4-6 digit password which is easily hacked. I had an issue with a major banking site and finally realized they only allowed something like 14 digit passwords and mine was longer (ideally you should be using 16+).

Also once a site is hacked and they get your email and a password (actually hash since passwords should never be stored) for that account, they will often use the same email and password on other sites because many people use the same password everywhere.

Due to traveling and not easily remembering a completely random password, and maybe not having time to log into something like lastpassword to retrieve it, I've managed to come up with a system using a couple of short common words intermixed with quite a few numbers and special characters and then add a unique character or two depending on the site. The only problem is that, as I mentioned above, there are some sites that won't allow long passwords or passwords using certain symbols which is really stupid.

You'd think most systems would lock out an account once you get several false password attempts to prevent a brute force attack. If they do that then the other likely scenario of you being hacked is that someone had hacked Amazon (or whoever) systems and retrieved the list of hash values for every account and did the brute force off line.

Anyhow, good luck,
Rich
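Rich's post names the two ways an account like the one in this thread gets taken over: an online guessing attack against one account, which lockout is meant to stop, and a leaked email/password list replayed across many sites, where each account sees only one or two attempts and lockout alone never fires. As an added example (not code from this thread, from Amazon, or from any vendor), the monitor below implements both checks over an authentication log: a sliding-window failure count with lockout per account, and a per-source counter that raises an alert when one address cycles through many distinct accounts. The thresholds, the log format, the account names and the addresses (from the documentation ranges) are all constructed for the example.

```python
from collections import defaultdict, deque

# Assumed policy values (illustrative, not from the thread or any vendor).
MAX_FAILURES = 5          # failures per account inside the window -> lock
WINDOW_SECONDS = 600      # sliding window for counting failures
LOCKOUT_SECONDS = 900     # how long a locked account stays locked
STUFFING_ACCOUNTS = 20    # distinct accounts from one source inside the window -> alert


class LoginMonitor:
    """Tracks failed logins per account and per source address.

    Lockout stops online brute force of a single account; the per-source
    counter surfaces credential stuffing, where one source tries a leaked
    list against many accounts with only an attempt or two each.
    """

    def __init__(self):
        self.failures = defaultdict(deque)          # account -> failure timestamps
        self.locked_until = {}                      # account -> unlock time
        self.source_accounts = defaultdict(deque)   # source -> (ts, account)

    @staticmethod
    def _prune(dq, now, key=lambda item: item):
        # Drop entries that have fallen out of the sliding window.
        while dq and key(dq[0]) < now - WINDOW_SECONDS:
            dq.popleft()

    def is_locked(self, account, now):
        return self.locked_until.get(account, 0) > now

    def record_failure(self, account, source, now):
        """Record a failed attempt; returns the alerts it raised (may be empty)."""
        alerts = []
        dq = self.failures[account]
        self._prune(dq, now)
        dq.append(now)
        if len(dq) >= MAX_FAILURES and not self.is_locked(account, now):
            self.locked_until[account] = now + LOCKOUT_SECONDS
            alerts.append(f"lockout:{account}")
        src = self.source_accounts[source]
        self._prune(src, now, key=lambda item: item[0])
        src.append((now, account))
        distinct = {acct for _, acct in src}
        if len(distinct) >= STUFFING_ACCOUNTS:
            alerts.append(f"credential-stuffing:{source}")
        return alerts

    def record_success(self, account, now):
        """Reset the failure counter on success. A success while the account is
        locked should have been impossible and is reported rather than reset."""
        if self.is_locked(account, now):
            return [f"success-while-locked:{account}"]
        self.failures[account].clear()
        return []


# Constructed sample auth log: "timestamp result account source"; not real data.
SAMPLE_LOG = (
    [f"{1000 + i * 10} FAIL alice 203.0.113.7" for i in range(5)]          # one account hammered
    + [f"{2000 + i} FAIL user{i:02d} 198.51.100.9" for i in range(20)]    # one source, many accounts
    + ["3000 FAIL bob 192.0.2.5", "3005 OK bob 192.0.2.5"]                # ordinary typo then success
)


def replay(lines):
    """Feed log lines through a fresh monitor; returns the alerts in order."""
    mon = LoginMonitor()
    alerts = []
    for line in lines:
        ts, result, account, source = line.split()
        ts = int(ts)
        if result == "FAIL":
            alerts += mon.record_failure(account, source, ts)
        else:
            alerts += mon.record_success(account, ts)
    return alerts


if __name__ == "__main__":
    for alert in replay(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the monitor locks "alice" on her fifth failure and flags 198.51.100.9 once it has touched twenty distinct accounts, while "bob" produces nothing. The second check is the one that matters for the scenario in the thread: if a leaked list is being replayed, the per-account view is quiet and only the per-source (or per-time-bucket) view shows the pattern, which is why a defender keeps both counters rather than relying on lockout.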
No. of Recommendations: 0
Maybe totally irrelevant, but have you rebooted your router as the FBI is advising? If somehow the Russians got into your router they could probably see everything you did and you'll just have to do them again.

Just a random thought.
No. of Recommendations: 0
Maybe totally irrelevant, but have you rebooted your router as the FBI is advising?

That's a good thought. I reboot it every once in a while when I suspect it's having problems syncing with the service, but I haven't done it in a few weeks. Will do so later this PM.

Now that I think of it, I'm a bit more interested in what hardware (brands, devices, etc.) specifically are affected.

-awlabrador