Your bank or credit card company is probably the last entity you would want forcing you to set an incredibly weak Web password. But it’s not just American Express that wants their customers to use really crappy, easily crackable passwords. Charlie recently discovered that Capital One and, to a lesser extent, Bank of America have limits on their customers’ passwords that force them to choose crappy ones.
We’re told that the strongest kinds of passwords are the ones that look like an alien tap-danced on your keyboard, but people have a hard time remembering them without writing them down (on a post-it sitting on the desk). But baekdal has written an intriguing post that shows how, when defending against a cracker trying to break your password via brute force through a web form, not only is “this is fun” actually more memorable and usable than “J4sF!2,” it’s 10 times harder to crack.
Some old Amazon accounts appear to have a flaw in their password protection scheme that makes them more vulnerable to a brute force cracking attempt. For affected accounts, if you haven’t changed your password in several years, and it’s over 8 characters long, it looks like all people have to do is enter the first 8 characters correctly and they’re in, even if after the 8 characters they just type gobbledygook.
If you’ve got an account on Gawker.com or any of its sister sites (Kotaku, Gizmodo, Deadspin and Jezebel among others), you’ll probably want to change your passwords because anonymous hackers have swiped usernames, email addresses and passwords and made them available via a torrent file. And by change your password, we potentially mean all of them. Now.
It’s not going to be too long before you’ll have to have your face scanned before you can open your email, at the rate the password cracking arms race is going.
Reader Lisa would like to ask the Consumerist hive mind for advice on cleaning up her recently hacked Gmail account. Here’s her story:
So many logins to keep track of. You can use a handful of strong passwords across all your accounts, but if somehow one gets figured out, your entire networked life could be at risk. But by creating an easy-to-remember pass phrase that uses part of the website’s name in its construction, you have a unique strong password for every account you have without ever even writing any of them down.
If you spend a lot of time online, you’re probably aware of phishing scams and know what to look out for. In other words, you’re not one of those ignorant types who clicks on links and starts entering personal information without hesitation. Writer and blogger Cory Doctorow is what you might call hyper-vigilant: he keeps unique passwords, uses a VPN when going online in public, and generally knows not to trust strangers. Still, he got phished a couple of weeks ago.
Wilson is switching from Sprint to T-Mobile and fielded an unusual, off-putting request from a T-Mobile CSR: “Please provide your password.” Wilson refused and wonders aloud whether or not it’s kosher to make such an indecent proposal.
Twitter is looking out for you. When you register, in addition to telling you how strong or weak your password is, there are also certain passwords that are forbidden. These include “computer,” “twitter,” and “vagina.”
William wrote to us this weekend to point out how little Microsoft does to fight phishing attacks on their hugely popular Xbox LIVE network. It’s unfortunate they don’t take this sort of crime more seriously, since so many kids—who by all rights should have less experience with phishing—are on Xbox LIVE. Below is what two different Xbox CSRs told William when he contacted them to complain about phishing attacks.
We’re no longer indignant about Amex’s weirdly lax security policies; we’re just confused. Why would a major credit card company cold call new customers and insist they give up bank and address info over the phone, or email sensitive data to strangers? Or, we just learned, demand that you use a lame password that isn’t case sensitive, is only 6 to 8 characters long, and can’t contain special characters?
Jonathan wanted to opt out everyone in his family from direct marketing campaigns, something the DMA promises is possible via their website. Surprise! It turns out the DMA doesn’t really care so much about whether or not you want to be taken off any mailing lists, and they have a rotten website and poor security protocols to prove it.
We’re not sure why a company would bother with offering a password feature on their customer accounts if they disable them without warning 3 months later as a matter of policy, but that’s how Southern California Gas Company rolls. Does it really matter, you ask? It might if you’re a victim of domestic violence.
Andy logged in to Gmail on Sunday, and his friend Jeff started to chat with him. Things seemed a bit off, but Andy really became suspicious when Jeff asked him to wire $500 to an injured friend in Nigeria. The real Jeff, of course, was off playing XBOX and has no friends in Nigeria. Like the scammers hitting up people’s friends for money via Facebook, thieves can log in to your e-mail and chat accounts, pretending to be you.
We’ve posted before about security keys—those little digital keyfobs that generate expiring security codes over and over and make it incredibly hard for someone to gain unauthorized access to your account. They’re a great idea, and now if you own an iPhone you can install a Verisign app that will work with Paypal and eBay, as well as about two dozen lesser known sites. It’s probably the easiest step you can take to vastly improve security on those accounts.
Everyone knows that one of the best ways to protect yourself from online security disasters is to use a different password for each account. But do you do it? Probably not, because at first glance it looks like an unreasonable burden, having to either remember dozens of unique passwords or having to keep them all written down somewhere (which in itself is a security risk). The website ideashower.com offers a simple way to create a unique, easy to remember password for every account.
The New York Times has reported that a list of over 8,000 Comcast user names and passwords was available to the public via Scribd for two months, before a Wilkes University professor discovered it over the weekend after doing a search for his identity online. Comcast is saying it looks like the result of a phishing scam and isn’t an inside job, and that there are so many duplicate entries on the list that it’s closer to 4,000 customers.