A Windows XP help forum. PCbanter


More reasons to store NOTHING on the Internet: Facebook exposes hundreds of millions of user login/passwords IN CLEARTEXT since 2012!



 
 
  #1  
March 24th 19, 01:45 AM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
arlen holder

New York Times:
o Facebook Did Not Securely Store Passwords. Here's What You Need to Know
https://www.nytimes.com/2019/03/21/technology/personaltech/facebook-passwords.html

*Yet another reason to engage your brain & store NOTHING on the Internet.*

From two to six hundred million username/passwords were stored in the clear
o (no hash, no salt, no nothing).
o All in plain vanilla text files since 2012!
o Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years
https://krebsonsecurity.com/2019/03/facebook-stored-hundreds-of-millions-of-user-passwords-in-plain-text-for-years/

Facebook says nobody "improperly" accessed the files, even as there were
apparently over 9 million internal queries by over 2,000 Facebook engineers
on the data (according to blogger Brian Krebs).
https://www.npr.org/2019/03/21/705588364/facebook-stored-millions-of-user-passwords-in-plain-readable-text

Apparently the security gaffe affects
o Facebook users
o Facebook lite users
o Instagram users
etc.

Bear in mind GitHub did the same thing recently:
o GitHub says bug exposed some plaintext passwords
https://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

As did Twitter:
o Twitter to All Users: Change Your Password Now!
https://krebsonsecurity.com/2018/05/twitter-to-all-users-change-your-password-now/

*Yet another reason to engage your brain & store NOTHING on the Internet.*
  #2  
March 24th 19, 05:43 AM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
arlen holder

On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:

> One thing is the personal password policy.


Hi Poutnik,

FACTS + LOGIC.

> Do not reuse passwords and change them at least after any revealed pw break.


LOGIC:
A good personal password policy is to _generate_ unique passwds securely
o And then to save those generated passwords _locally_ in encrypted form:
https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ

The best general purpose freeware for this type of security seems to be
*Linux*:
o https://sourceforge.net/projects/kee...test/download?
*Windows*:
o https://keepass.info/download.html
*Mac*:
o https://sourceforge.net/projects/kee...atest/download
*Android*:
o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
o https://play.google.com/store/apps/details?id=com.android.keepass
*iOS*:
o https://itunes.apple.com/us/app/keepass-touch/id966759076
o https://itunes.apple.com/us/app/minikeepass/id451661808

> Note also the responsible sites do not store passwords at all,
> but password hashes, generated by one way process.


In addition, they should be _salted_ when stored, IMHO.

> Other thing is the personal data policy.


LOGIC:
For a personal data policy, I suggest "encrypted containers", IMHO,
o Best freeware for portable encrypted file containers
https://groups.google.com/d/msg/comp.mobile.android/cas1QJ_j2uI/4Uut0HGrBgAJ

The best freeware seems to be Veracrypt, IMHO,
1. Windows === Veracrypt freeware with Truecrypt-style containers
2. Linux === Veracrypt freeware with Truecrypt-style containers
3. Android === EDS Lite freeware with Truecrypt-style containers
4. *iOS === there is no freeware available (but payware exists on iOS)

> Many of data stored on internet are intentionally public without
> need of any password. Many of other data can use 2 step protection,
> with their own encryption.


FACT:
*Two-factor authentication has huge _restrictions_ on Apple ecosystems.*

LOGIC:
o Brodsky versus Apple: Two-factor authentication is abusive to users
https://www.scribd.com/document/399265266/Brodsky-versus-Apple-alleging-that-two-factor-authentication-is-abusive-to-users
"A class action suit has been filed that accuses Apple's two-factor
authentication of being too disruptive to users, taking too much time
out of a user's day when it is needed, and abusive since it can't be
rolled back to a less safe login method after 14 days."
https://appleinsider.com/articles/19/02/09/apple-being-sued-because-two-factor-authentication-on-an-iphone-or-mac-takes-too-much-time

The part that is restrictive is that you're stuck with it for the rest of
your life where Apple won't give you the freedom to do what you want.

I don't know if any other ecosystem other than Apple has this huge restriction.
o Do you?

  #3  
March 24th 19, 09:02 AM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
arlen holder

On Sun, 24 Mar 2019 08:59:26 +0100 (GMT+01:00), Libor Striz wrote:

> Additionally, no storing would mean
> no usage of public email system,
> including sending or receiving unencrypted emails via SMTP/POP3/IMAP4 protocols,
> no social networks,
> no communication with people,
> no content providing,
> limiting oneself to anonymous R/O access to a public content.


Hi Poutnik,
I understand your "just give up" point of view since many people do that.
o For me, what it means is to simply be _intelligent_ about what we do
o and NOT just give up like you do the moment you have to think a bit

Thinking means being intelligent...

What it means is to be intelligent with your private DATA...
o Back up your files to your own hard drives on your own private LAN
o Calendar cross platform importing/exporting iCalendar format files
o Generate & save passwords using standard keepass encrypted files
o Pass private data between devices using encrypted container files

What it means is to be intelligent with your email...
o Delete email before the "Stored Communications Act" deadline
https://reason.com/volokh/2019/03/21/fourth-circuit-deepens-the-split-on-civi

What it means is to be intelligent with your texts...
o Use encrypted systems if you want privacy on SMS/MMS texting

What it means is to be intelligent with your searches...
o Use DuckDuckGo, StartPage.com or any other privacy-based search engine

What it means is to be intelligent with your browsing...
o Use Tor, Epic, or Opera for proxy-based browsing...

What it means is to be intelligent with your Usenet posts...
o Periodically change the headers so that it's essentially random

What it means is to be intelligent when on the network...
o Use VPN when logging into _any_ site or account

What it means is to be intelligent about fingerprinting
o Check panopticlick and other sites for identifying bits

What it means is to be intelligent about app settings
o Turn off all the checks that phone home in the settings

What it means is to be intelligent about Android system setup
o Turn off sending Google your neighbor's SSID & MAC

What it means is to be intelligent about router SSID setup
o Use _nomap and _optout to minimize use on the net

What it means is to use offline map apps whenever possible
o That way your location isn't reported to an Internet source

etc.
  #4  
March 24th 19, 12:13 PM posted to alt.comp.os.windows-10
Davidm

On Sun, 24 Mar 2019 05:43:12 -0000 (UTC), arlen holder
wrote:

> On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:
>
>> One thing is the personal password policy.
>
> Hi Poutnik,
>
> FACTS + LOGIC.
>
>> Do not reuse passwords and change them at least after any revealed pw break.
>
> LOGIC:
> A good personal password policy is to _generate_ unique passwds securely
> o And then to save those generated passwords _locally_ in encrypted form:
> https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ
>
> The best general purpose freeware for this type of security seems to be
> *Linux*:
> o https://sourceforge.net/projects/kee...test/download?
> *Windows*:
> o https://keepass.info/download.html
> *Mac*:
> o https://sourceforge.net/projects/kee...atest/download
> *Android*:
> o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
> o https://play.google.com/store/apps/details?id=com.android.keepass
> *iOS*:
> o https://itunes.apple.com/us/app/keepass-touch/id966759076
> o https://itunes.apple.com/us/app/minikeepass/id451661808

SNIP
So how do you autogenerate passwords (eg with keepass) when many
institutions (particularly banks) won't tell you their password policy
(length, what characters are accepted/not accepted etc etc)?
  #5  
March 24th 19, 02:43 PM posted to alt.comp.os.windows-10
Chris

Davidm wrote:
> On Sun, 24 Mar 2019 05:43:12 -0000 (UTC), arlen holder
> wrote:
>
>> On Sun, 24 Mar 2019 06:13:24 +0100 (GMT+01:00), Libor Striz wrote:
>>
>>> One thing is the personal password policy.
>>
>> Hi Poutnik,
>>
>> FACTS + LOGIC.
>>
>>> Do not reuse passwords and change them at least after any revealed pw break.
>>
>> LOGIC:
>> A good personal password policy is to _generate_ unique passwds securely
>> o And then to save those generated passwords _locally_ in encrypted form:
>> https://groups.google.com/d/msg/misc.phone.mobile.iphone/5Z15v7xP8so/fG_nz45HGwAJ
>>
>> The best general purpose freeware for this type of security seems to be
>> *Linux*:
>> o https://sourceforge.net/projects/kee...test/download?
>> *Windows*:
>> o https://keepass.info/download.html
>> *Mac*:
>> o https://sourceforge.net/projects/kee...atest/download
>> *Android*:
>> o https://play.google.com/store/apps/details?id=keepass2android.keepass2android
>> o https://play.google.com/store/apps/details?id=com.android.keepass
>> *iOS*:
>> o https://itunes.apple.com/us/app/keepass-touch/id966759076
>> o https://itunes.apple.com/us/app/minikeepass/id451661808
>
> SNIP
> So how do you autogenerate passwords (eg with keepass) when many
> institutions (particularly banks) won't tell you their password policy
> (length, what characters are accepted/not accepted etc etc)?


How do you generate *any* password if the institution won't tell you the
rules? I can't think of any that don't.

  #6  
March 24th 19, 03:03 PM posted to alt.comp.os.windows-10
nospam

In article , Chris
wrote:

>> So how do you autogenerate passwords (eg with keepass) when many
>> institutions (particularly banks) won't tell you their password policy
>> (length, what characters are accepted/not accepted etc etc)?
>
> How do you generate *any* password if the institution won't tell you the
> rules? I can't think of any that don't.


any institution that tells you the rules is *less* secure than one that
doesn't. the bad guys now know what combinations to ignore, thereby
*reducing* the potential possibilities.
  #7  
March 24th 19, 03:34 PM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
arlen holder

On Sun, 24 Mar 2019 11:03:15 -0400, nospam wrote:

>>> So how do you autogenerate passwords (eg with keepass) when many
>>> institutions (particularly banks) won't tell you their password policy
>>> (length, what characters are accepted/not accepted etc etc)?
>>
>> How do you generate *any* password if the institution won't tell you the
>> rules? I can't think of any that don't.
>
> any institution that tells you the rules is *less* secure than one that
> doesn't. the bad guys now know what combinations to ignore, thereby
> *reducing* the potential possibilities.


Throwing up meaningless spurious hurdles like this is just ridiculous from
a logical standpoint, IMHO.
o *Did _any_ of you ever even _see_ a keepass-generated password?*

Here is one:
https://i.postimg.cc/W19cRXjq/keepass01.jpg

HINT: They look like a long chain of scrambled eggs.

DOUBLEHINT: I doubt they will fail _any_ bank test, but even if they do,
you can add a bang at the end or whatever _extra_ is needed.

What you're doing is throwing up meaningless arbitrary hurdles.

I'm responding to Poutnik's inference that people aren't capable of being
"intelligent" with passwords, where I think it's _easy_ to be intelligent
about them.

One method to be intelligent about them is to let an app like keepass
generate and store them (or just store them) and then you pass the keepass
database from your desktop to your mobile device over your private LAN.

Keepass can _merge_ so you can edit either and merge to the other.

This eliminates writing the password down;
o It reduces the chance of a weak password
o It is random, so phishing attacks won't work as easily
o It doesn't require the Internet like LastPass does
etc.

All I'm saying, in response to Poutnik's advice to "just give up"
o Is that we can be intelligent about how we use the Internet
  #8  
March 24th 19, 03:36 PM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
Mr. Man-wai Chang

> More reasons to store NOTHING on the Internet:
> Facebook exposes hundreds of millions of user
> login/passwords IN CLEARTEXT since 2012!


Do you need that much information to believe that?

You should never trust outsiders and middle-persons!

--
@[email protected] Remain silent! Drink, Blink, Stretch! Live long and prosper!!
/ v \ Simplicity is Beauty!
/( _ )\ May the Force and farces be with you!
^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3
  #9  
March 26th 19, 02:58 AM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
arlen holder

On Sun, 24 Mar 2019 23:36:50 +0800, Mr. Man-wai Chang wrote:

> You should never trust outsiders and middle-persons!


While this article isn't complete, it is a start on what NOT to use.
o The paranoid person's guide to online privacy
https://www.fastcompany.com/90316917/the-paranoid-persons-guide-to-online-privacy

Note: The article omits Epic & Opera but talks about "Brave", so it's not a
great article, but it's a start for those who are clueless about privacy.

The article lists 8 "things" you can do, which, summarized, are:
1. Ditch Facebook / Instagram / WhatsApp
2. Make Twitter & Reddit anonymous & private
3. Use a burner phone for 2-factor authentication
4. Say goodbye to Google searches
5. Use a secure browser
6. Use a VPN
7. Say goodbye to smart home products & android
8. Use a secure messaging app

On the browsers, they're pretty wrong since they mention "Brave" but not
Epic or Opera (both of which are "more private" than Brave is, IMHO).

On the Google searches, they mention DDG but not StartPage, so they're
incomplete.

On the burner phone, they suggest a "burner" app if you don't use a
physical phone (which, of course, is better but you have to figure out how
to anonymously pay for the phone service), but the burner app they suggest
requires your phone number & costs money, so if you're going to go that
route, there are FREE apps that do that too (e.g., TextNow or Talkatone or
2ndLine, etc.).

On the secure messaging app, the problem isn't you, it's the _other_ person
has to use the same app.

On Android, they're just dead wrong.
o What is the factual truth about PRIVACY differences or similarities between the Android & iOS mobile phone ecosystems?
https://groups.google.com/forum/#!topic/comp.mobile.android/FCKRA_3i9CY

In short, the article is ok for people who know nothing about privacy but
they got a few things dead wrong and they skipped scores of things that can
easily be done to increase privacy (e.g., like saving files in encrypted
containers, passing your password across encrypted containers, doing
calendaring only on your local lan, etc.).
  #10  
July 11th 19, 07:34 PM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
Libor Striz[_3_]

arlen holder Wrote in message:
> *Yet another reason to engage your brain & store NOTHING on the Internet.*


Better is to engage the brain to analyse the real threats and countermeasures without making emotional decisions.

One thing is the personal password policy. Do not reuse passwords and change them at least after any revealed pw break.
Note also the responsible sites do not store passwords at all, but password hashes, generated by one way process.

Other thing is the personal data policy.
Many of data stored on internet are intentionally public without need of any password. Many of other data can use 2 step protection, with their own encryption.


--
Poutnik ( the Wanderer )



----Android NewsGroup Reader----
http://usenet.sinaapp.com/
  #11  
July 11th 19, 07:34 PM posted to comp.mobile.android,misc.phone.mobile.iphone,comp.sys.mac.system,alt.comp.os.windows-10
Libor Striz[_3_]

Libor Striz Wrote in message:

> Other thing is the personal data policy. Many of data stored on internet are intentionally public without need of any password. Many of other data can use 2 step protection, with their own encryption.


Additionally, no storing would mean
no usage of public email system,
including sending or receiving unencrypted emails via SMTP/POP3/IMAP4 protocols,
no social networks,
no communication with people,
no content providing,
limiting oneself to anonymous R/O access to a public content.

--
Poutnik ( the Wanderer )



----Android NewsGroup Reader----
http://usenet.sinaapp.com/
 




All times are GMT +1.