Time to change your hotmail/gmail/yahoo password
Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online. Mainstream media such as the BBC are also carrying the story. Some information is posted here.
UPDATE: Gmail and Yahoo are also affected by the compromise. Change all passwords on any of these popular webmail sites.
Some dos and don'ts:
- Do change your passwords on a regular basis (every six months or so)
- Do use long complex pass-phrases rather than passwords where you can
- Do change all of your passwords if you notice something suspicious
- Do take identity theft seriously
- Do use up-to-date anti-virus and a firewall
- Do NOT click on links in emails, ever
- Do NOT use the same password at multiple sites
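The two password points in the list above (long high-entropy passphrases, and a different password at every site) can be made concrete with a generator built on Python's CSPRNG-backed `secrets` module. This is an added example, not code from the diary; the small word list is constructed for the example (a real generator would draw from a large list such as the EFF or Diceware lists, roughly 7776 words), and the entropy figures assume every symbol is chosen uniformly at random.

```python
import math
import secrets
import string

# Constructed mini word list for the example. A real passphrase generator
# would use a large published list (EFF long list / Diceware, ~7776 words).
WORDLIST = [
    "anchor", "bramble", "cobalt", "dusk", "ember", "falcon", "granite", "harbor",
    "ivory", "juniper", "kestrel", "lantern", "meadow", "nettle", "orchid", "pebble",
]

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols each drawn uniformly from `pool_size` choices.

    Valid only for uniform random selection; a human-chosen 'complex' password
    of the same length is far weaker than this number suggests.
    """
    return length * math.log2(pool_size)


def passphrase(n_words: int, wordlist=WORDLIST, sep: str = "-") -> str:
    """Pick n_words with secrets.choice (CSPRNG), joined by sep.

    Each word adds log2(len(wordlist)) bits, so a 6-word phrase from a 7776-word
    list carries about 77.5 bits, versus about 52.4 bits for 8 random printable
    characters, and it is far easier to type and remember.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Uniform random password over `alphabet`, for sites that cap length or ban spaces."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def per_site_passwords(sites, length: int = 16) -> dict:
    """One independent random password per site.

    Because each value is drawn fresh, a leaked password from one site
    (the situation in the diary) tells an attacker nothing about the others.
    """
    return {site: random_password(length) for site in sites}


if __name__ == "__main__":
    print("6-word passphrase, 7776-word list:", round(entropy_bits(7776, 6), 1), "bits")
    print("8 random printable characters:    ", round(entropy_bits(94, 8), 1), "bits")
    print("example passphrase:", passphrase(6))
    for site, pw in per_site_passwords(["hotmail.com", "gmail.com", "yahoo.com"]).items():
        print(f"{site:12s} {pw}")
```

Run it a few times and note that no two invocations agree; that is the property "do not reuse passwords" depends on. The generated values still have to live somewhere, which is where a password manager (the keychain idea raised in the comments below) comes in.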
Cheers,
Adrien de Beaupré
Intru-shun.ca Inc.
Keywords: hotmail compromise
Comments
I know that tools for this purpose have existed for some time, but I only now realise the real necessity of them.
It would be so much easier if we were using public-key crypto for everything now, but passwords are still with us. Fortunately, the keychain idea makes it no longer difficult to use very long passwords with a great deal of entropy, which can be changed with much less of a burden; almost to the point of being a cryptographic 'nonce' used for authentication.
Steven Chamberlain
Oct 6th 2009
David
Oct 6th 2009
I have a list of seed words, and a simple algorithm that uses the site name as a seed.
The end result looks like line noise and every site has a different password, but it's rather easy for me to rebuild the password for any site even if I don't go there very often.
I change the list of seed words every 6 months, and keep the old site lists documented in case there is a site I forget to update.
I also keep the names of sites where the list is valid, along with a "trust number" which represents the number of times I've had to change the password at that site since the last time I generated a new seed list.
Example algorithm: google.com
first letter == G
Third letter == O
Seed word 1 == Grass
Seed word 2 == Oragami
Trust value == 2
Remove the vowels from Seed1 == Grss
Remove the consonants from seed 2 == oaai
alternate them == Gorasasi
Square the trust value == (2x2 = 4)
Insert number into word at trust value == G4rasasi
New password==G4rasasi.
I use my gmail daily, but even if I forget the password, I can recreate it with ease.
Also, even if someone has a copy of my seed list, they have to also know the formula or it's worthless.
No keypass needed, no repeated passwords, and all I need is a slip of paper in my wallet or access to a web page with my current seed list hidden on it.
eldorel
Oct 6th 2009
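The derivation eldorel walks through above, written out as an added example so the steps can be checked; this is my code, not the commenter's. The seed table is constructed from the two words the comment gives, and the final step, "insert number into word at trust value", is read here as replacing the character at that 1-based position, which is the reading that reproduces G4rasasi from Gorasasi. The caveat a practitioner would add is the one the commenter already states: the site name is public, so everything rests on the seed list plus the formula staying secret together.

```python
VOWELS = set("aeiou")

# Constructed seed table keyed by letter; the comment only lists the two
# entries its google.com walk-through needs.
SEED_WORDS = {"g": "Grass", "o": "Oragami"}


def consonants_of(word: str) -> str:
    """'Remove the vowels': keep the consonants, case preserved (Grass -> Grss)."""
    return "".join(c for c in word if c.isalpha() and c.lower() not in VOWELS)


def vowels_of(word: str) -> str:
    """'Remove the consonants': keep the vowels, lower-cased (Oragami -> oaai)."""
    return "".join(c.lower() for c in word if c.lower() in VOWELS)


def alternate(a: str, b: str) -> str:
    """Interleave a and b starting with a; the tail of the longer one is appended."""
    out = []
    for i in range(max(len(a), len(b))):
        if i < len(a):
            out.append(a[i])
        if i < len(b):
            out.append(b[i])
    return "".join(out)


def derive_password(site: str, trust: int, seeds=SEED_WORDS) -> str:
    """Rebuild a site's password from its name, the seed table and the trust value."""
    if trust < 1:
        raise ValueError("trust value must be >= 1 for the position step")
    host = site.lower()
    if len(host) < 3:
        raise ValueError("site name needs at least three characters")
    seed1 = seeds[host[0]]  # keyed on the first letter of the site name
    seed2 = seeds[host[2]]  # keyed on the third letter
    word = alternate(consonants_of(seed1), vowels_of(seed2))
    number = str(trust * trust)
    # Assumption: the number replaces the character at 1-based position `trust`
    # (Gorasasi with trust 2 -> G4rasasi), matching the comment's result.
    return word[:trust - 1] + number + word[trust:]


if __name__ == "__main__":
    print(derive_password("google.com", 2))
```

Running it prints the comment's result for google.com. Feeding it a second site name with the same table shows the other property the commenter relies on: two sites sharing first and third letters get the same password unless their trust values differ.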
"Do NOT click on links in emails, ever"
But whenever people sign up for something - like an account here - and a billion other places they receive an email with a link that performs an action like verifying the account or validate a password reset... ;) So this rule should probably be something like:
"Do NOT click on links in emails you did not explicitly request, ever!"
PG
Oct 6th 2009
Adrien de Beaupre
Oct 6th 2009
BigStu
Oct 6th 2009
Skuld
Oct 6th 2009
kevinm
Oct 6th 2009
For the regular end user (those of us not inherently paranoid (for good reason)) changing one's password on a regular basis has long been a standard defense against various forms of password compromise.
GuenTech
Oct 6th 2009
GuenTech
Oct 6th 2009