09-19-2010, 03:20 PM  #1
First Line Centre
Join Date: Aug 2006
Location: Calgary
So somebody from China logged into my gmail...
And spammed all my contacts.
I've changed my password...but it was already strong (alphanumeric, 8 characters) and there is no evidence of keyloggers or anything of the sort.
Some websites claim it's because of the Chinese/Google hacking incident months ago.
China (58.60.182.2) - 6:26 AM
And my gmail is set to alert on unusual activity, but DIDN'T. Apparently somebody accessing my account isn't unusual enough. I found out by receiving a tonne of email bouncebacks this morning.
I really wish there was an option to block out of country access.
aaand a funny comment on another board: "I eat chinese food all the time and this is how they repay me!?"

09-19-2010, 03:26 PM  #2
#1 Goaltender
This has gone on long before the Google hacking incident - there have been other posts about it on CP.
Hopefully you don’t use the same password everywhere..
__________________
-Scott

09-19-2010, 04:25 PM  #3
First Line Centre
Join Date: Aug 2006
Location: Calgary
Quote (Originally Posted by sclitheroe):
    This has gone on long before the Google hacking incident - there have been other posts about it on CP.
    Hopefully you don’t use the same password everywhere..
Yea I kinda thought that was weird.
What drives me crazy is I have no idea how they got in. Do you just guess a password and hope to get lucky?

09-19-2010, 04:47 PM  #4
Franchise Player
Join Date: Mar 2007
Location: Victoria, BC
It happened to me a few weeks ago. My password was changed and I had to go through the recovery exam. Hardest/most stressful test I've ever written in my life....Simply because I was guessing at all the answers. All my passwords are much more difficult now, although I'm not sure that matters to hackers.

09-19-2010, 09:41 PM  #5
Franchise Player
Join Date: Sep 2009
Location: Red Deer, AB
Bwong

09-19-2010, 10:05 PM  #6
Scoring Winger
Quote (Originally Posted by Flames0910):
    And spammed all my contacts.
    I've changed my password...but it was already strong (alphanumeric, 8 characters) and there is no evidence of keyloggers or anything of the sort.
    Some websites claim it's because of the Chinese/Google hacking incident months ago.
    China (58.60.182.2) - 6:26 AM
    And my gmail is set to alert on unusual activity, but DIDN'T. Apparently somebody accessing my account isn't unusual enough. I found out by receiving a tonne of email bouncebacks this morning.
    I really wish there was an option to block out of country access.
    aaand a funny comment on another board: "I eat chinese food all the time and this is how they repay me!?"
By no standard is an 8-character password strong.

09-19-2010, 10:15 PM  #7
First Line Centre
Join Date: Aug 2006
Location: Calgary
Quote (Originally Posted by cSpooge):
    By no standard is an 8-character password strong.
seriously?
z7tE2.ka
If we did a CP poll I would think that's better than average.

09-19-2010, 10:21 PM  #8
Franchise Player
Join Date: Nov 2006
Location: Supporting Urban Sprawl
Quote (Originally Posted by cSpooge):
    By no standard is an 8-character password strong.
I disagree. No one is breaking an 8-character alphanumeric password through brute force, as long as your password looks more like this &bS8a1>9Z, and less like bobby123. Especially if you have any sort of lockout in place for failed attempts.
In reality, what does adding the 9th, 10th, or 15th character add? Nothing except an increased chance the user will re-use, write down, or otherwise compromise the security of the password, like making it easier to socially reverse engineer it by using a common name, phrase etc.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."

09-19-2010, 10:22 PM  #9
Scoring Winger
Quote (Originally Posted by Flames0910):
    seriously?
    z7tE2.ka
    If we did a CP poll I would think that's better than average.
It is better than average, but that still doesn't make it any stronger than it actually is. 8 characters isn't long enough to be considered strong.

09-19-2010, 10:48 PM  #10
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
http://www.passwordmeter.com/
http://howsecureismypassword.net/
Length is important: not in a dictionary attack, but in a brute force attack every new letter would increase the attack time significantly.
Lol, the second site says it would take 71 sextillion years to crack my password storage file password (or one almost the same to it).
One thing you can do to increase the length of your passwords is know a number of shorter passwords and then combine them in different ways.
So while &bS8a1>9Z is quite secure, it's impossible to remember; &b3sTp4sS!? (and this is the best password?! to remember) is much easier to remember and very secure.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
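To put numbers on the length argument in the post above (and on the earlier 8-character debate), here is an added Python example that is not from any poster: it infers which character classes a password uses, sizes the brute-force keyspace, and converts that into worst-case search time. The two guess rates are assumptions, not figures from the thread: a billion guesses per second for an attacker holding a leaked fast hash, and five guesses per hour for a login page that locks the account after five failures.

```python
import string

# Character classes a password meter would count toward the alphabet size.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Assumed guess rates (constructed for this example, not from the thread):
OFFLINE_RATE = 1e9            # guesses/s against a leaked, unsalted fast hash
THROTTLED_RATE = 5 / 3600     # guesses/s when a site allows 5 failures per hour
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Alphabet an attacker must search once they know which classes appear:
    36 for lower+digit, 94 when all four classes are present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password: str) -> int:
    """Candidates a brute-force search must cover in the worst case."""
    return alphabet_size(password) ** len(password)


def years_to_exhaust(password: str, rate: float) -> float:
    """Worst-case time to enumerate the whole keyspace at `rate` guesses/s."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def years_added_by_one_char(password: str, rate: float) -> float:
    """Extra search time bought by appending one more character from the same
    alphabet: each added character multiplies the keyspace by alphabet_size."""
    return years_to_exhaust(password, rate) * (alphabet_size(password) - 1)


if __name__ == "__main__":
    # Passwords quoted in the thread, plus the weak example from post #8.
    for pw in ("bobby123", "z7tE2.ka", "&bS8a1>9Z", "&b3sTp4sS!?"):
        print(f"{pw:12} alphabet={alphabet_size(pw):3} len={len(pw):2} "
              f"offline={years_to_exhaust(pw, OFFLINE_RATE):10.3g} yr "
              f"throttled={years_to_exhaust(pw, THROTTLED_RATE):10.3g} yr")
```

The contrast between the two rates is the practical takeaway: the same 8-character password that falls in weeks to an offline attack on a leaked hash is out of reach through a throttled login page, which is why the storage and lockout practices of the service matter as much as the length.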

09-19-2010, 10:52 PM  #11
First Line Centre
Join Date: Aug 2006
Location: Calgary
Apparently it would take around 252 days to crack the password I had.

09-19-2010, 11:17 PM  #12
Scoring Winger
Quote (Originally Posted by Flames0910):
    Apparently it would take around 252 days to crack the password I had.
I hope you didn't use your real password.

09-19-2010, 11:26 PM  #13
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Using multiple computers would cut that down.. You would think that Google would have some kind of system to detect multiple login attempts and make it very difficult to brute force, but I can't find any info on any measures they take.
There are password dictionaries out there as well, so if your password is still a common variation of common passwords (password1).
But all those accesses would show up in the access list, and if it'd only been accessed once, I'd be much more suspicious of a keylogger.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

09-19-2010, 11:35 PM  #14
#1 Goaltender
Quote (Originally Posted by photon):
    http://www.passwordmeter.com/
    http://howsecureismypassword.net/
    Length is important: not in a dictionary attack, but in a brute force attack every new letter would increase the attack time significantly.
    Lol, the second site says it would take 71 sextillion years to crack my password storage file password (or one almost the same to it).
    One thing you can do to increase the length of your passwords is know a number of shorter passwords and then combine them in different ways.
    So while &bS8a1>9Z is quite secure, it's impossible to remember; &b3sTp4sS!? (and this is the best password?! to remember) is much easier to remember and very secure.
You guys are hilarious, if you are seriously testing the strength of your password at one of the above sites, from one of your own computers, from your place of work or residence.
__________________
-Scott

09-19-2010, 11:40 PM  #15
#1 Goaltender
Quote (Originally Posted by photon):
    But all those accesses would show up in the access list, and if it'd only been accessed once, I'd be much more suspicious of a keylogger.
More likely the person affected has used the same password on a website that doesn’t securely store passwords to user accounts/profiles, and they obtained the password from there.
Regardless....
Password length and strength is a bogus and completely misguided approach to security. You either know someone’s password, or you don’t. Any more than 3-5 attempts to log in in a 5 minute time span should result in immediate suspension of the account for a minimum of 1 hour, along with email notification to the account holder. In this way, no more than say 5 attempts can be made to brute force a password per hour.
The onus should be entirely on service providers to deliver this level of account protection, and anything less is irresponsible. It’s trivially easy to implement this level of protection on a web site or online service.
__________________
-Scott
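The lockout rule proposed in the post above, written out as an added Python example (not code from any poster, and not how Google implements anything): failed logins per account are counted in a sliding 5-minute window, the fifth failure locks the account for an hour and fires a notification callback, and a locked account rejects attempts without checking the password at all. `verify` and `notify` are assumed hooks the service supplies; the clock is injectable so the policy can be exercised without waiting.

```python
import time
from collections import defaultdict, deque

# Policy from the post above: 5 failures within 5 minutes -> 1-hour lockout + alert.
MAX_FAILURES = 5
WINDOW_SECONDS = 5 * 60
LOCKOUT_SECONDS = 60 * 60


class LoginThrottle:
    """Per-account failed-login limiter. `verify(user, password) -> bool` and
    `notify(user, locked_until)` are assumed hooks supplied by the service."""

    def __init__(self, verify, notify, clock=time.time):
        self._verify = verify
        self._notify = notify
        self._clock = clock
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._locked_until = {}               # user -> unix time the lockout ends

    def attempt(self, user: str, password: str) -> str:
        """Returns "ok", "denied" or "locked". While locked the password is not
        checked, so no more than MAX_FAILURES guesses are evaluated per hour."""
        now = self._clock()
        if self._locked_until.get(user, 0) > now:
            return "locked"
        recent = self._failures[user]
        while recent and now - recent[0] > WINDOW_SECONDS:
            recent.popleft()                  # forget failures outside the window
        if self._verify(user, password):
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            recent.clear()
            self._notify(user, self._locked_until[user])   # email the account holder
            return "locked"
        return "denied"

    def seconds_until_unlock(self, user: str) -> float:
        return max(0.0, self._locked_until.get(user, 0) - self._clock())


if __name__ == "__main__":
    # Constructed demo: one account, a burst of wrong guesses, then the real password.
    th = LoginThrottle(lambda u, p: p == "correct horse",
                       lambda u, until: print(f"alert {u}: locked until {time.ctime(until)}"))
    for guess in ["a", "b", "c", "d", "e", "correct horse"]:
        print(guess, "->", th.attempt("alice", guess))
```

One caveat a deployment has to handle: anyone who knows an account name can keep it locked by sending wrong passwords, so this per-account rule is normally paired with per-source limits or a CAPTCHA so the lockout cannot be turned into a denial of service against the legitimate user.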

09-19-2010, 11:48 PM  #16
First Line Centre
Join Date: Aug 2006
Location: Calgary
Quote (Originally Posted by Ramsayfarian):
    I hope you didn't use your real password.
Why? It's already been compromised. I changed the password on the account.

09-19-2010, 11:52 PM  #17
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
Quote (Originally Posted by sclitheroe):
    You guys are hilarious, if you are seriously testing the strength of your password at one of the above sites, from one of your own computers, from your place of work or residence.
Not my exact password no, but the javascript is easily viewable and a quick scan didn't show anything communicating back.
Quote (Originally Posted by sclitheroe):
    More likely the person affected has used the same password on a website that doesn’t securely store passwords to user accounts/profiles, and they obtained the password from there.
That's true, or keyloggers.. almost everyone I know that's had something compromised has been by keyloggers, and almost all of those have been WoW players.
Quote (Originally Posted by sclitheroe):
    Regardless....
    Password length and strength is a bogus and completely misguided approach to security. You either know someone’s password, or you don’t. Any more than 3-5 attempts to log in in a 5 minute time span should result in immediate suspension of the account for a minimum of 1 hour, along with email notification to the account holder. In this way, no more than say 5 attempts can be made to brute force a password per hour.
    The onus should be entirely on service providers to deliver this level of account protection, and anything less is irresponsible. It’s trivially easy to implement this level of protection on a web site or online service.
I wouldn't go so far as to say that password strength is totally bogus; I've guessed a number of passwords in the past.
But I totally agree from a service perspective a site should do exactly what you say, throttle the ability to do attacks to the point where it's useless. That's why I'm surprised I can't find any information on it. And I'm too scared to try on my own account lol.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

09-19-2010, 11:57 PM  #18
Franchise Player
Join Date: Aug 2005
Location: Memento Mori
Darn, 12345 isn't a good code for my luggage.
__________________
If you don't pass this sig to ten of your friends, you will become an Oilers fan.
The Following 2 Users Say Thank You to Shazam For This Useful Post:

09-19-2010, 11:58 PM  #19
The new goggles also do nothing.
Join Date: Oct 2001
Location: Calgary
I always pick 99999 because that's the last one they'll try.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.

09-20-2010, 12:06 AM  #20
#1 Goaltender
Quote (Originally Posted by photon):
    Not my exact password no, but the javascript is easily viewable and a quick scan didn't show anything communicating back.
Heh, good for you! Unfortunately, most people wouldn’t be able to tell if the calculation on password strength was being performed client or server side.
__________________
-Scott

All times are GMT -6.