
Change Your Uber Password Right Now

Uber passwords and partial credit card info are showing up for sale on the darkweb. These passwords have been confirmed to be valid.

 

From ars:

According to the listing (Tor, AlphaMarket login required), he or she has sold 131 such logins since March 18.

Ars attempted to contact the two vendors but they did not immediately respond.

In an interview with Motherboard, one vendor claimed to have “thousands” for sale, and even provided a sample of them. As the site reported Friday:

Motherboard reached out to one of the users whose email address and password was put up for sale: James Allan, sales director for OISG, a technology solutions company.

Allan confirmed that the username and password Motherboard had seen were correct, as well as the expiry date on his personal credit card. He doesn’t actually use Uber anymore, and the last trip he booked was in December 2013.

“Bloody hell,” Allan said over the phone, when he was told what his password was.

He was “extremely surprised” by the revelation, he said. Allan also said that he doesn’t use the internet much for financial transactions, preferring cash “for this very reason.”

In a statement e-mailed to Ars on Saturday morning, Uber spokeswoman Trina Smith said that the company did not find evidence of a breach.


An Update On The Security Theater of Complex Password Rules

Last month I made a post about trying to create a password for a site that implemented an insane list of password rules. At the time I pointed out that this all felt like security theater and putting up a false front to make customers feel secure even though backend security is the real problem. At the time for my own security I removed any references to what institution this was.

Well in light of recent events I now feel like coming forward and saying it was Chase.com. Yes that’s right the same Chase.com that recently leaked gigabytes of data, from 90 servers and compromised the lives of tens of millions of customers.


There has to be a better way.

Increasingly I’m stumbling onto sites where their approach to security is to simply create longer and longer and longer lists of password rules.  While I’m well versed in information security and see the need for robust passwords these increasingly complex rule sets raise concerns for me and to be blatantly honest mystify me.  Are there so many brute force password attacks out there that there needs to be a huge rush to force people to create increasingly complex passwords?  Aren’t all these password leaks actually the result of terrible server side password security?  Is this all just silly security theater?

Yesterday I could not log into one of my accounts.  I later figured out the reason was twofold, one they had a rule list that forced me to change my preferred username.  Second they have a crazy over the top set of password rules that forced me to make some weird password.

 

Must be 8-32 characters long
Must include at least one letter and one number
May have special characters or punctuation (for example: ! # $ % + / = ? @ ~)
Must be different than your previous five Passwords
Must not match your User ID
Must not include more than 2 identical characters (for example: 111 or aaa)
Must not include more than 2 consecutive characters (for example: 123 or abc)
Must not use the name of the financial institution

So no big deal I’ll just reset the password. I tried about 20 different versions of the robust passwords I use, every single one of them bounced me back to the form with a message stating I need to follow the password rules. I have no clue which of those rules I was violating. Finally in frustration I used a simple non-robust password and it was accepted.

 

These crazy rules as far as I can tell are not increasing security, are treating a problem that is not really present, and are forcing people to fall back on very very bad password habits.
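The rule list quoted above, written out as a checker that names every rule a candidate breaks instead of bouncing the form with a generic message. This is an added example, not the site's code; the institution string, the reading of "identical" and "consecutive" as runs of three, and the plaintext history list are assumptions.

```python
import re

INSTITUTION = "examplebank"  # assumed placeholder; the quoted rules give no string

def has_sequence(pw, n=3):
    """True if pw holds n ascending letters or digits in a row (abc, 123)."""
    s = pw.lower()
    for i in range(len(s) - n + 1):
        chunk = s[i:i + n]
        if (chunk.isdigit() or chunk.isalpha()) and all(
            ord(b) - ord(a) == 1 for a, b in zip(chunk, chunk[1:])
        ):
            return True
    return False

def violations(pw, user_id, previous=()):
    """Return the text of every quoted rule that pw breaks (empty list = accepted)."""
    broken = []
    if not 8 <= len(pw) <= 32:
        broken.append("Must be 8-32 characters long")
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        broken.append("Must include at least one letter and one number")
    # Assumption: history is passed in as plaintext to keep the example short;
    # a real service would check the candidate against stored password hashes.
    if pw in list(previous)[-5:]:
        broken.append("Must be different than your previous five Passwords")
    if pw.lower() == user_id.lower():
        broken.append("Must not match your User ID")
    if re.search(r"(.)\1\1", pw):  # assumed reading: three of the same in a row
        broken.append("Must not include more than 2 identical characters")
    if has_sequence(pw):
        broken.append("Must not include more than 2 consecutive characters")
    if INSTITUTION in pw.lower():
        broken.append("Must not use the name of the financial institution")
    return broken

if __name__ == "__main__":
    # Constructed sample inputs, not real credentials.
    for candidate in ("Xk7#defQ!mz29", "password1", "abc11111"):
        print(candidate, "->", violations(candidate, "jsmith") or "accepted")
```

Run on the constructed samples, the random-looking string is rejected for containing "def" while "password1" satisfies every rule, which is the behaviour the post describes.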


Dear KiK Please Give Me My Account Back.

Before I launch into my actual problem with KiK I’m going to give you a brief history of issues with my email  address and why I hate sites that use your email account as a login or any type of account tracker.

Ahh the fantastic joy of getting an early beta invite to Gmail. I’m one of the cool kids who got the name he wanted and not modified in any way, no numbers filling in for letters, didn’t need to tag some numbers on the end of it… Man this is awesome.

That is until Gmail became ubiquitous. I’m not going to give out my actual address but let’s just say it’s very common and popular. So we will just say my address is John.Smith@gmail.com. Cool right, no it’s a nightmare and this is why. Every person with John.Smith variations at some point registers on a site and forgets to add the variation to it. So John.Smith74 forgets to add the 74 and I end up getting all his registration info. Most sites are smart, they require you to verify that you are not making a mistake and force you to reply from that email address. Many sites however do not do this, so I will end up getting John.Smith74’s crap forever until I go to the site, change the password and remove John.Smith74’s access to the site. I will also often go to register for a site or service only to find that my e-mail address has already been used. This brings you up to date.

A week ago I try to register for KiK.  Hmmm I already have an account, maybe I signed up a long time ago or something.  None of my passwords work, ok no big deal I’ll just reset them.  Go through the reset process.  Get into the account and hey look at this some Asian guy has been using this account.   Again not going to give out the real info but let’s just say the username  he used looks like someone just hit the keyboard so my username is basically adfskhl .  No big deal how do I change the username, hmmm nothing in the menus, I bet I can do it on the website.  Hmm

“Your Kik username can’t be changed. But you can change your display name!
On Kik your username is your identity and is unique to you. This is how we connect you with your friends on Kik.
If you’d like a new Kik username, you’ll need to register a new account with a different email address.”

Well surely that’s just there to discourage dopey people who want to constantly change the account name.  I’m sure once I explain my situation to them they will take pity on me.  I emailed support twice now and have gotten nothing.

So because of KiK’s total lack of e-mail authentication and security I now have two options. One, either use a different email address, which I really don’t want to or feel I should be forced to. Or the second option, every single time I want to add someone on KiK I have to give them fadskhl as my username.


Password inventor says his creation is now “a nightmare”

From ESET

 

Fernando Corbato, the MIT computer scientist who is widely credited with inventing the password as a means of logging into a computer, says that he and his colleagues could not foresee the World Wide Web from the early Sixties – and passwords have now become “kind of a nightmare.”

The data breach at eBay threw this into sharp relief, with security experts such as ESET’s Lysa Myers raising questions over why such important data was not protected with additional measures such as “two-factor authentication” or “2FA”.

“Unfortunately it’s become kind of a nightmare with the World Wide Web,” Corbato said. “I don’t think anybody can possibly remember all the passwords that are issued or set up. That leaves people with two choices. Either you maintain a crib sheet, a mild no-no, or you use some sort of program as a password manager. Either one is a nuisance.”

“The notion of a password goes way back. What had happened was we were sharing a mainframe and we had a common disk file. People weren’t used to sharing in those days. It was just an attempt to put in some compartmentalization so people didn’t have to live in a communal setting,” Corbato said.

Corbato revealed in an interview with Wall Street Journal’s Digits Blog that he himself had around 150 passwords, and now committed security sins such as writing down a “crib sheet” to remember them all.

“First of all, we didn’t foresee the current Internet either. Passwords are not a super high level of security, but are enough to protect against casual snooping,” Corbato said, according to Business Insider.
