Over 40 million usernames, passwords from 2012 breach of Last.fm surface

Password leaks from years ago are coming to light constantly now. It is more important than ever to change your passwords and to stop reusing the same password across multiple sites: a dump of old, weakly hashed passwords is only dangerous if the password still works somewhere.


From Ars:

The contents of a March 2012 breach of the music tracking website Last.fm have surfaced on the Internet, joining a collection of other recently leaked “mega-breaches” from Tumblr, LinkedIn, and MySpace. The Last.fm breach differs from the Tumblr breach, however, in that Last.fm knew about the breach when it happened and informed users in June of 2012. But more than 43 million user accounts were exposed, including weakly encrypted passwords—96 percent of which were cracked within two hours by researchers associated with the data breach detection site LeakedSource.

Last.fm is a music-centered social media platform—it tracks the music its members play, aggregating the information to provide a worldwide “trending” board for music, letting users learn about new music and share playlists, among other things. The 2012 database breach contained usernames, passwords, the date each member joined the service, and internal data associated with the account. The passwords were encrypted with an unsalted MD5 hash.

“This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords, a sizable increase from prior mega breaches,” a member of LeakedSource wrote in a post about the data. Ars confirmed the LeakedSource data using our own Last.fm account information.

The contents of the database are somewhat representative of where passwords were in 2012 (and possibly still are on many services). Of the 41 million passwords that were successfully extracted, 255,000 of them were “123456.” The next most popular password, used by 92,000 users, was “password.”
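Why 96 percent fell in two hours comes down to two properties of the stored hashes: MD5 is fast, and with no salt every account that chose the same password stores the same digest, so one hash computation per candidate word tests it against every account at once, and the duplicates ("123456" 255,000 times) are visible before any cracking starts. The script below is an added illustration, not code from Ars or LeakedSource and not derived from the real dump: the sample users, passwords and wordlist are constructed inline, and the salted variant uses a hypothetical random 16-byte salt per user to show the contrast.

```python
import hashlib
import os

# Constructed sample "dump": the plaintexts are only here so the example can
# build its own unsalted MD5 hashes offline. They are not real Last.fm data.
SAMPLE_PLAINTEXTS = {
    "alice": "123456",
    "bob": "password",
    "carol": "123456",                       # same password as alice
    "dave": "tarheels#1",
    "erin": "correct horse battery staple",  # not in WORDLIST, stays uncracked
}

# Small constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "tarheels#1", "abc123"]


def md5_hex(text: str) -> str:
    """Unsalted MD5 as the breached site stored it (weak: fast and salt-free)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


UNSALTED_DUMP = {user: md5_hex(pw) for user, pw in SAMPLE_PLAINTEXTS.items()}


def duplicate_hashes(dump):
    """Unsalted storage leaks reuse: identical digests mean identical passwords,
    so the most common passwords stand out before a single guess is made."""
    counts = {}
    for digest in dump.values():
        counts[digest] = counts.get(digest, 0) + 1
    return {digest: n for digest, n in counts.items() if n > 1}


def crack_unsalted(dump, wordlist):
    """One MD5 per wordlist entry, then a dictionary lookup for every account.
    Returns (cracked mapping, number of hash computations performed)."""
    lookup = {md5_hex(word): word for word in wordlist}
    cracked = {user: lookup[h] for user, h in dump.items() if h in lookup}
    return cracked, len(wordlist)


def salted_md5_hex(salt: bytes, text: str) -> str:
    """Per-user salt prepended before hashing (still MD5, so still fast to
    test one guess; a slow KDF such as bcrypt/scrypt/Argon2 is the real fix)."""
    return hashlib.md5(salt + text.encode("utf-8")).hexdigest()


def make_salted_dump(plaintexts):
    """Hypothetical salted storage: random 16-byte salt stored beside the hash."""
    out = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        out[user] = (salt, salted_md5_hex(salt, pw))
    return out


def crack_salted(dump, wordlist):
    """With salts there is no shared lookup table: each account costs its own
    pass over the wordlist. Returns (cracked mapping, hash computations)."""
    cracked, work = {}, 0
    for user, (salt, digest) in dump.items():
        for word in wordlist:
            work += 1
            if salted_md5_hex(salt, word) == digest:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    print("reused hashes:", duplicate_hashes(UNSALTED_DUMP))
    print("unsalted:", crack_unsalted(UNSALTED_DUMP, WORDLIST))
    print("salted:  ", crack_salted(make_salted_dump(SAMPLE_PLAINTEXTS), WORDLIST))
```

On this toy input the unsalted dump is cracked with 6 hash computations regardless of how many accounts it holds, while the salted version needs one computation per account per candidate; at 43 million accounts that multiplier is the whole difference between "two hours" and infeasible for a dictionary of any size, which is why unsalted storage is the headline failure here.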


Clover Terrible Customer Service

So my bank switched over to using Clover for credit card processing. In a matter of minutes I found their app to be incredibly buggy.

Clover support has been spending two days blowing me off and blaming the phone.

Even if the issue is a compatibility issue with the phone this is no excuse for Clover to ignore the issue and blow me off.

What other bugs are they ignoring and blaming on the phone?

Clover seems to be becoming ubiquitous. You know those big, fancy-looking white touch-screen cash registers that look like they were designed by Apple? That's Clover. They have taken over processing for the largest banks. I'm very nervous about running a credit card through a Clover terminal.


If You Force People To Constantly Change Passwords They Do Bad Things With Passwords

My own anecdotal experience with this is that in 100% of cases where people were required to constantly change passwords, they either added a digit to the password or wrote the password on a sticky note somewhere in plain sight of the computer.

From Ars:

The most on-point data comes from a study published in 2010 by researchers from the University of North Carolina at Chapel Hill. The researchers obtained the cryptographic hashes to 10,000 expired accounts that once belonged to university employees, faculty, or students who had been required to change their passcodes every three months. Researchers received data not only for the last password used but also for passwords that had been changed over time.

By studying the data, the researchers identified common techniques account holders used when they were required to change passwords. A password like “tarheels#1”, for instance (excluding the quotation marks) frequently became “tArheels#1” after the first change, “taRheels#1” on the second change and so on. Or it might be changed to “tarheels#11” on the first change and “tarheels#111” on the second. Another common technique was to substitute a digit to make it “tarheels#2”, “tarheels#3”, and so on.

“The UNC researchers said if people have to change their passwords every 90 days, they tend to use a pattern and they do what we call a transformation,” Cranor explained. “They take their old passwords, they change it in some small way, and they come up with a new password.”

The researchers used the transformations they uncovered to develop algorithms that were able to predict changes with great accuracy. Then they simulated real-world cracking to see how well they performed. In online attacks, in which attackers try to make as many guesses as possible before the targeted network locks them out, the algorithm cracked 17 percent of the accounts in fewer than five attempts. In offline attacks performed on the recovered hashes using superfast computers, 41 percent of the changed passwords were cracked within three seconds.
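The transformations the excerpt describes (capitalizing one letter at a time, repeating the trailing digit, incrementing the trailing number) are mechanical enough to turn into a guess generator, which is essentially what the UNC algorithm did. The code below is an added example, not the researchers' code and not from Ars: it generates successor candidates for an old password in an order that is my own assumption (digit increments, then digit appends, then capitalization shifts), and simulates the "online" setting with a hypothetical five-guess lockout budget.

```python
import re


def capitalization_shifts(pw: str):
    """Capitalize one lowercase letter at a time, left to right:
    tarheels#1 -> Tarheels#1, tArheels#1, taRheels#1, ..."""
    return [pw[:i] + ch.upper() + pw[i + 1:]
            for i, ch in enumerate(pw) if ch.isalpha() and ch.islower()]


def digit_appends(pw: str, max_extra: int = 2):
    """Repeat the trailing digit: tarheels#1 -> tarheels#11, tarheels#111."""
    m = re.search(r"(\d)$", pw)
    if not m:
        return []
    return [pw + m.group(1) * k for k in range(1, max_extra + 1)]


def digit_increments(pw: str, span: int = 3):
    """Bump the trailing number: tarheels#1 -> tarheels#2, tarheels#3, ..."""
    m = re.search(r"(\d+)$", pw)
    if not m:
        return []
    base, n = pw[:m.start()], int(m.group(1))
    return [f"{base}{n + k}" for k in range(1, span + 1)]


def predict_next(old_pw: str):
    """Ordered, de-duplicated guesses for the password that replaced old_pw.
    The ordering (increments, appends, capitalization) is an assumption of this
    example, not a finding from the study."""
    seen, guesses = {old_pw}, []
    for cand in (digit_increments(old_pw)
                 + digit_appends(old_pw)
                 + capitalization_shifts(old_pw)):
        if cand not in seen:
            seen.add(cand)
            guesses.append(cand)
    return guesses


def online_attack(old_pw: str, actual_new_pw: str, budget: int = 5):
    """Simulated online guessing against a lockout after `budget` attempts.
    Returns (cracked, attempts_used)."""
    attempts = 0
    for guess in predict_next(old_pw):
        if attempts >= budget:
            break
        attempts += 1
        if guess == actual_new_pw:
            return True, attempts
    return False, attempts


if __name__ == "__main__":
    print(predict_next("tarheels#1"))
    print(online_attack("tarheels#1", "tarheels#2"))    # cracked on guess 1
    print(online_attack("tarheels#1", "tArheels#1"))    # survives a 5-guess budget
    # Chaining: the predictor applied to its own output follows the user along
    print("tarheels#111" in predict_next("tarheels#11"))
```

The lesson for a defender is the reverse of the attacker's: a password that the previous one lets you predict in a handful of guesses has not actually been rotated, so forced periodic changes buy little; rotating on evidence of compromise, screening new passwords against breach lists, and adding a second factor do more than a 90-day timer.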



“Unlimited”

“Unlimited.” You keep using that word. I do not think it means what you think it means.

http://arstechnica.com/information-technology/2016/07/verizon-to-disconnect-unlimited-data-customers-who-use-over-100gbmonth/

Verizon Wireless customers who have held on to unlimited data plans and use significantly more than 100GB a month will be disconnected from the network on August 31 unless they agree to move to limited data packages that require payment of overage fees.

Verizon stopped offering unlimited data to new smartphone customers in 2011, but some customers have been able to hang on to the old plans instead of switching to ones with monthly data limits. Verizon has tried to convert the holdouts by raising the price $20 a month and occasionally throttling heavy users but stopped that practice after net neutrality rules took effect. Now Verizon is implementing a formal policy for disconnecting the heaviest users.