#1
More reasons to store NOTHING on the Internet: Facebook exposes hundreds of millions of user login/passwords IN CLEARTEXT since 2012!
New York Times:
o Facebook Did Not Securely Store Passwords. Here's What You Need to Know
  https://www.nytimes.com/2019/03/21/technology/personaltech/facebook-passwords.html

*Yet another reason to engage your brain & store NOTHING on the Internet.*

From two to six hundred million username/passwords were stored in the clear
o (no hash, no salt, no nothing)
o All in plain vanilla text files since 2012!
o Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
  https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

Facebook says nobody "improperly" accessed the files, even as there were apparently over 9 million internal queries by over 2,000 Facebook engineers on the data (according to blogger Brian Krebs).
https://www.npr.org/2019/03/21/705588364/facebook-stored-millions-of-user-passwords-in-plain-readable-text

Apparently the security gaffe affects
o Facebook users
o Facebook Lite users
o Instagram users
etc.

Bear in mind GitHub did the same thing recently:
o GitHub says bug exposed some plaintext passwords
  https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

As did Twitter:
o Twitter to All Users: Change Your Password Now!
  https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/

*Yet another reason to engage your brain & store NOTHING on the Internet.*
#2
On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:
> One thing is the personal password policy.

Hi Poutnik,
FACTS + LOGIC.

> Do not reuse passwords and change them at least after any revealed pw break.

LOGIC: A good personal password policy is to _generate_ unique passwds securely
o And then to save those generated passwords _locally_ in encrypted form:
  https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ

The best general purpose freeware for this type of security seems to be
*Linux*:
o https://sourceforge.net/projects/kee...test/download?
*Windows*:
o https://keepass.info/download.html
*Mac*:
o https://sourceforge.net/projects/kee...atest/download
*Android*:
o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
o https://play.google.com/store/apps/details?id=com.android.keepass
*iOS*:
o https://itunes.apple.com/us/app/keepass-touch/id966759076
o https://itunes.apple.com/us/app/minikeepass/id451661808

> Note also that responsible sites do not store passwords at all, but password hashes, generated by a one-way process.

In addition, they should be _salted_ when stored, IMHO.

> The other thing is the personal data policy.

LOGIC: For a personal data policy, I suggest "encrypted containers", IMHO,
o Best freeware for portable encrypted file containers
  https://groups.google.com/d/msg/comp.mobile.android/cas1QJ_j2uI/4Uut0HGrBgAJ

The best freeware seems to be Veracrypt, IMHO,
1. Windows === Veracrypt freeware with Truecrypt-style containers
2. Linux === Veracrypt freeware with Truecrypt-style containers
3. Android === EDS Lite freeware with Truecrypt-style containers
4. *iOS === there is no freeware available (but payware exists on iOS)

> Much of the data stored on the Internet is intentionally public, without need of any password. Much other data can use 2-step protection, with its own encryption.

FACT: *Two-factor authentication has huge _restrictions_ on Apple ecosystems.*
LOGIC:
o Brodsky versus Apple: Two-factor authentication is abusive to users
  https://www.scribd.com/document/399265266/Brodsky-versus-Apple-alleging-that-two-factor-authentication-is-abusive-to-users
"A class action suit has been filed that accuses Apple's two-factor authentication of being too disruptive to users, taking too much time out of a user's day when it is needed, and abusive since it can't be rolled back to a less safe login method after 14 days."
https://appleinsider.com/articles/19/02/09/apple-being-sued-because-two-factor-authentication-on-an-iphone-or-mac-takes-too-much-time

The part that is restrictive is that you're stuck with it for the rest of your life, where Apple won't give you the freedom to do what you want.
I don't know if any other ecosystem other than Apple has this huge restriction.
o Do you?
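The salted one-way hashing the post above asks for, shown as an added example (not code from this thread, from KeePass, or from any site named in it): Python standard library only. It stores a PBKDF2-HMAC-SHA256 digest next to a per-user random salt in a self-describing record, verifies with a constant-time compare, and builds the same credentials as a cleartext table of the kind the Facebook logs amounted to, so the difference in what a reader of the file learns is visible. The salt length and iteration count are assumed values chosen for illustration; the usernames and passwords are constructed.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this example: a per-user random salt and a PBKDF2 work
# factor high enough to slow offline guessing. Tune the iteration count to your hardware.
SALT_BYTES = 16
PBKDF2_ITERATIONS = 600_000
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex.

    A fresh random salt per password means two users with the same password get
    different records, and a precomputed table is useless against the file.
    """
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported password record: " + scheme)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def build_tables(credentials):
    """Build both storage styles from the same (username, password) pairs.

    cleartext: a file that holds the raw password field; anyone who can read it
    has every password.
    hashed: what a reader of the file gets instead; recovering one password means
    running PBKDF2 per guess per user, because every salt is different.
    """
    cleartext = {user: pw for user, pw in credentials}
    hashed = {user: hash_password(pw) for user, pw in credentials}
    return cleartext, hashed


def readable_passwords(table):
    """Values an insider learns just by reading the table: raw passwords appear
    verbatim, hashed records do not match any password string."""
    return {u: v for u, v in table.items() if not v.startswith(SCHEME + "$")}


if __name__ == "__main__":
    # Constructed sample credentials (not real accounts). Two users share a password
    # on purpose, to show that the salt still gives them different records.
    sample = [("alice", "correct horse battery staple"),
              ("bob", "correct horse battery staple")]
    clear, hashed = build_tables(sample)
    print("cleartext table leaks:", readable_passwords(clear))
    print("hashed table leaks:   ", readable_passwords(hashed))
    print("same password, different records:", hashed["alice"] != hashed["bob"])
    print("verify alice:", verify_password("correct horse battery staple", hashed["alice"]))
    print("verify wrong:", verify_password("hunter2", hashed["alice"]))
```

The record carries its own scheme, iteration count and salt, so the work factor can be raised later and old records re-hashed at next login without a schema change; `hmac.compare_digest` avoids leaking how many digest bytes matched through timing.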
#3
On Sun, 24 Mar 2019 08:59:26 +0100 (GMT+01:00), Libor Striz wrote:
> Additionally, no storing would mean no usage of the public email system, including sending or receiving unencrypted emails via SMTP/POP3/IMAP4 protocols, no social networks, no communication with people, no content providing, limiting oneself to anonymous R/O access to public content.

Hi Poutnik,
I understand your "just give up" point of view, since many people do that.
o For me, what it means is to simply be _intelligent_ about what we do
o and NOT just give up like you do the moment you have to think a bit

Thinking means being intelligent...

What it means is to be intelligent with your private DATA...
o Back up your files to your own hard drives on your own private LAN
o Calendar cross-platform importing/exporting iCalendar format files
o Generate & save passwords using standard keepass encrypted files
o Pass private data between devices using encrypted container files

What it means is to be intelligent with your email...
o Delete email before the "Stored Communications Act" deadline
  https://reason.com/volokh/2019/03/21/fourth-circuit-deepens-the-split-on-civi

What it means is to be intelligent with your texts...
o Use encrypted systems if you want privacy on SMS/MMS texting

What it means is to be intelligent with your searches...
o Use DuckDuckGo, StartPage.com or any other privacy-based search engine

What it means is to be intelligent with your browsing...
o Use Tor, Epic, or Opera for proxy-based browsing...

What it means is to be intelligent with your Usenet posts...
o Periodically change the headers so that it's essentially random

What it means is to be intelligent when on the network...
o Use a VPN when logging into _any_ site or account

What it means is to be intelligent about fingerprinting
o Check panopticlick and other sites for identifying bits

What it means is to be intelligent about app settings
o Turn off all the checks that phone home in the settings

What it means is to be intelligent about Android system setup
o Turn off sending Google your neighbor's SSID & MAC

What it means is to be intelligent about router SSID setup
o Use _nomap and _optout to minimize use on the net

What it means is to use offline map apps whenever possible
o That way your location isn't reported to an Internet source
etc.
#4
On Sun, 24 Mar 2019 05:43:12 -0000 (UTC), arlen holder wrote:

> On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:
>> One thing is the personal password policy.
> Hi Poutnik,
> FACTS + LOGIC.
>> Do not reuse passwords and change them at least after any revealed pw break.
> LOGIC: A good personal password policy is to _generate_ unique passwds securely
> o And then to save those generated passwords _locally_ in encrypted form:
>   https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ
> The best general purpose freeware for this type of security seems to be
> *Linux*:
> o https://sourceforge.net/projects/kee...test/download?
> *Windows*:
> o https://keepass.info/download.html
> *Mac*:
> o https://sourceforge.net/projects/kee...atest/download
> *Android*:
> o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
> o https://play.google.com/store/apps/details?id=com.android.keepass
> *iOS*:
> o https://itunes.apple.com/us/app/keepass-touch/id966759076
> o https://itunes.apple.com/us/app/minikeepass/id451661808

SNIP

So how do you autogenerate passwords (e.g. with keepass) when many institutions (particularly banks) won't tell you their password policy (length, what characters are accepted/not accepted, etc. etc.)?
#5
Davidm wrote:
> On Sun, 24 Mar 2019 05:43:12 -0000 (UTC), arlen holder wrote:
>> On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:
>>> One thing is the personal password policy.
>> Hi Poutnik,
>> FACTS + LOGIC.
>>> Do not reuse passwords and change them at least after any revealed pw break.
>> LOGIC: A good personal password policy is to _generate_ unique passwds securely
>> o And then to save those generated passwords _locally_ in encrypted form:
>>   https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ
>> The best general purpose freeware for this type of security seems to be
>> *Linux*:
>> o https://sourceforge.net/projects/kee...test/download?
>> *Windows*:
>> o https://keepass.info/download.html
>> *Mac*:
>> o https://sourceforge.net/projects/kee...atest/download
>> *Android*:
>> o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
>> o https://play.google.com/store/apps/details?id=com.android.keepass
>> *iOS*:
>> o https://itunes.apple.com/us/app/keepass-touch/id966759076
>> o https://itunes.apple.com/us/app/minikeepass/id451661808
>
> SNIP
>
> So how do you autogenerate passwords (e.g. with keepass) when many institutions (particularly banks) won't tell you their password policy (length, what characters are accepted/not accepted, etc. etc.)?

How do you generate *any* password if the institution won't tell you the rules? I can't think of any that don't.
#6
In article , Chris wrote:

>> So how do you autogenerate passwords (e.g. with keepass) when many institutions (particularly banks) won't tell you their password policy (length, what characters are accepted/not accepted, etc. etc.)?
>
> How do you generate *any* password if the institution won't tell you the rules? I can't think of any that don't.

Any institution that tells you the rules is *less* secure than one that doesn't. The bad guys now know what combinations to ignore, thereby *reducing* the potential possibilities.
#7
On Sun, 24 Mar 2019 11:03:15 -0400, nospam wrote:
>>> So how do you autogenerate passwords (e.g. with keepass) when many institutions (particularly banks) won't tell you their password policy (length, what characters are accepted/not accepted, etc. etc.)?
>>
>> How do you generate *any* password if the institution won't tell you the rules? I can't think of any that don't.
>
> Any institution that tells you the rules is *less* secure than one that doesn't. The bad guys now know what combinations to ignore, thereby *reducing* the potential possibilities.

Throwing up meaningless spurious hurdles like this is just ridiculous from a logical standpoint, IMHO.
o *Did _any_ of you ever even _see_ a keepass-generated password?*

Here is one:
https://i.postimg.cc/W19cRXjq/keepass01.jpg

HINT: They look like a long chain of scrambled eggs.
DOUBLEHINT: I doubt they will fail _any_ bank test, but even if they do, you can add a bang at the end or whatever _extra_ is needed.

What you're doing is throwing up meaningless arbitrary hurdles.

I'm responding to Poutnik's inference that people aren't capable of being "intelligent" with passwords, where I think it's _easy_ to be intelligent about them.

One method to be intelligent about them is to let an app like keepass generate and store them (or just store them) and then you pass the keepass database from your desktop to your mobile device over your private LAN. Keepass can _merge_, so you can edit either and merge to the other.

This eliminates writing the password down;
o It reduces the chance of a weak password
o It is random, so phishing attacks won't work as easily
o It doesn't require the Internet like LastPass does
etc.

All I'm saying, in response to Poutnik's advice to "just give up",
o Is that we can be intelligent about how we use the Internet
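Generating a policy-conforming random password locally, as an added example for the question in #4 and the "add a bang at the end" answer in #7 (this is not KeePass's generator and not code from the thread): Python standard library only, drawing every character from the OS CSPRNG via `secrets`. The policy dictionaries, the symbol set a site is assumed to accept, and the letters-and-digits-only fallback for a site that won't publish its rules are assumptions chosen for illustration. The entropy figure is the usual upper bound log2(|alphabet|^length).

```python
import math
import secrets
import string

# Character classes a generator can draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}

# Assumed policy shapes for this example; real sites differ and often don't publish theirs.
DEFAULT_POLICY = {
    "length": 20,
    "require": ("lower", "upper", "digit", "symbol"),  # each must appear at least once
    "symbols": "!@#$%^&*",                             # symbols the site is assumed to accept
}
# Fallback for a site that won't say what it accepts: letters and digits only, which
# nearly every form takes. Add a symbol by hand only if the form then demands one.
CONSERVATIVE_POLICY = {"length": 16, "require": ("lower", "upper", "digit"), "symbols": ""}


def _pools(policy):
    """Map class name -> allowed characters for this policy; reject impossible policies."""
    pools = dict(CLASSES)
    if policy.get("symbols"):
        pools["symbol"] = policy["symbols"]
    for cls in policy["require"]:
        if cls not in pools:
            raise ValueError("policy requires class %r but allows no characters for it" % cls)
    return pools


def generate_password(policy=DEFAULT_POLICY):
    """Generate a password meeting `policy`, using secrets (CSPRNG), never random.random()."""
    pools = _pools(policy)
    length, required = policy["length"], policy["require"]
    if length < len(required):
        raise ValueError("length %d cannot hold %d required classes" % (length, len(required)))
    alphabet = "".join(pools.values())
    # One guaranteed character per required class, the rest from the full alphabet,
    # then a CSPRNG-backed shuffle so the guaranteed ones sit at unpredictable positions.
    chars = [secrets.choice(pools[cls]) for cls in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies(password, policy=DEFAULT_POLICY):
    """Check a password against the policy (e.g. before pasting it into a form)."""
    pools = _pools(policy)
    allowed = set("".join(pools.values()))
    if len(password) != policy["length"] or not set(password) <= allowed:
        return False
    return all(any(ch in pools[cls] for ch in password) for cls in policy["require"])


def entropy_bits(policy=DEFAULT_POLICY):
    """Upper bound log2(|alphabet| ** length); the 'require' rule trims this slightly."""
    alphabet = "".join(_pools(policy).values())
    return policy["length"] * math.log2(len(alphabet))


if __name__ == "__main__":
    for name, pol in (("default", DEFAULT_POLICY), ("conservative", CONSERVATIVE_POLICY)):
        pw = generate_password(pol)
        print("%-12s %s  ok=%s  ~%.0f bits" % (name, pw, satisfies(pw, pol), entropy_bits(pol)))
```

A 16-character letters-and-digits password is already around 95 bits, so the fallback for tight-lipped sites costs little; what matters more is that the generator is seeded from the OS and that the result is stored only in the encrypted local database, not typed into a web-based generator.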
#8
> More reasons to store NOTHING on the Internet:
> Facebook exposes hundreds of millions of user login/passwords IN CLEARTEXT since 2012!

Do you need that much information to believe that? You should never trust outsiders and middle-persons!

--
@~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
Please consider CSSA: http://www.swd.gov.hk/tc/index/site_...sub_addressesa
#9
On Sun, 24 Mar 2019 23:36:50 +0800, Mr. Man-wai Chang wrote:
> You should never trust outsiders and middle-persons!

While this article isn't complete, it is a start on what NOT to use.
o The paranoid person's guide to online privacy
  https://www.fastcompany.com/90316917/the-paranoid-persons-guide-to-online-privacy

Note: The article omits Epic & Opera but talks about "Brave", so it's not a great article, but it's a start for those who are clueless about privacy.

The article lists 8 "things" you can do, which, summarized, are:
1. Ditch Facebook / Instagram / WhatsApp
2. Make Twitter & Reddit anonymous & private
3. Use a burner phone for 2-factor authentication
4. Say goodbye to Google searches
5. Use a secure browser
6. Use a VPN
7. Say goodbye to smart home products & Android
8. Use a secure messaging app

On the browsers, they're pretty wrong since they mention "Brave" but not Epic or Opera (both of which are "more private" than Brave is, IMHO).

On the Google searches, they mention DDG but not StartPage, so they're incomplete.

On the burner phone, they suggest a "burner" app if you don't use a physical phone (which, of course, is better, but you have to figure out how to anonymously pay for the phone service), but the burner app they suggest requires your phone number & costs money, so if you're going to go that route, there are FREE apps that do that too (e.g., TextNow or Talkatone or 2ndLine, etc.).

On the secure messaging app, the problem isn't you, it's that the _other_ person has to use the same app.

On Android, they're just dead wrong.
o What is the factual truth about PRIVACY differences or similarities between the Android & iOS mobile phone ecosystems?
  https://groups.google.com/forum/#!topic/comp.mobile.android/FCKRA_3i9CY

In short, the article is OK for people who know nothing about privacy, but they got a few things dead wrong and they skipped scores of things that can easily be done to increase privacy (e.g., saving files in encrypted containers, passing your password database across in encrypted containers, doing calendaring only on your local LAN, etc.).
#10
arlen holder Wrote in message:
> *Yet another reason to engage your brain & store NOTHING on the Internet.*

Better is to engage the brain to analyse the real threats and countermeasures without making emotional decisions.

One thing is the personal password policy. Do not reuse passwords and change them at least after any revealed pw break. Note also that responsible sites do not store passwords at all, but password hashes, generated by a one-way process.

The other thing is the personal data policy. Much of the data stored on the Internet is intentionally public, without need of any password. Much other data can use 2-step protection, with its own encryption.

--
Poutnik ( the Wanderer )
----Android NewsGroup Reader----
http://usenet.sinaapp.com/
#11
Libor Striz Wrote in message:
> The other thing is the personal data policy. Much of the data stored on the Internet is intentionally public, without need of any password. Much other data can use 2-step protection, with its own encryption.

Additionally, no storing would mean no usage of the public email system, including sending or receiving unencrypted emails via SMTP/POP3/IMAP4 protocols, no social networks, no communication with people, no content providing, limiting oneself to anonymous R/O access to public content.

--
Poutnik ( the Wanderer )
----Android NewsGroup Reader----
http://usenet.sinaapp.com/