Hi guys,

Just a heads up: GitHub was attacked last night, and a number of account details were lifted. If you have an account there, check your security history for failed logons. I'd recommend resetting your password to something strong as a precaution anyway.


http://news.softpedia.com/news/Cybercriminals-Use-Automated-Attacks...



Comment by Tilman Baumann on November 20, 2013 at 5:10am

Nah, just use strong passwords and you will be good.

Comment by Euan Ramsay on November 20, 2013 at 5:59am
That's what I said.
Comment by Tilman Baumann on November 20, 2013 at 10:06am

No, you said GitHub was hacked (in the title). It was not.

And you said you recommend resetting the password. No sweat.

If you had stupidly weak passwords, then github probably just saved your sorry arse. They will have told you so. And there is a slim chance that your account got compromised.

If you have reasonable passwords (as in long enough and not dictionary words) you are fine. Be proud, open a beer and watch the masses panic.

Comment by Sgt Ric (Moderator) on November 20, 2013 at 12:52pm

A bit of difference between a brute force and a hack. (Like a shot in the dark and a sniper.)

Comment by Euan Ramsay on November 20, 2013 at 1:02pm

Actually a brute force is more like carpet bombing, while hacking is more like sniping.

Comment by Euan Ramsay on November 20, 2013 at 1:04pm

Both suck ass to be on the receiving end…;)

Comment by Nathaniel Caner (Moderator) on November 20, 2013 at 3:56pm

Which do you think is the stronger password?

z7Xt$.Ar46y or B1g_D0g..... Most people would think that passwords must be complex, as in the first example, in order to be effective, but in truth that is not the case. The fact is the second password is stronger simply because it is longer. It is in fact perhaps as much as 95 times stronger than the first password (depending on the number of permissible "special" characters in the password). There are 26 possible lower and uppercase letters, 10 numbers and as many as 33 possible "special" characters, for a total of 95 possible characters per character in the password.

Since the "hacker" isn't told why (or even if) the password is wrong, he doesn't know if he's close or a mile off. This isn't the movies after all! So for every character you add to your password you increase the amount of time it would take to break a password by an order of magnitude. As Tilman said, as long as you don't use any words from the dictionary, and use common sense practices like not using significant dates, use at least one lower case, one uppercase, one symbol and make your password at least 7 characters long (longer is better, but sometimes you are restricted in length by the site), you should be good. The password B1g_D0g..... fills all these requirements and is also easy to remember! This simple password has 5.46 x 10^23 possible combinations. Assuming a brute force attack could attempt 1,000 passwords/second, it would take 174 years to go through all the possible combinations. We can probably assume they would likely get it right within half the possible combinations; that would still be a really long time, and that's if they could make guesses without any restrictions. Most systems will lock the user out for a period of time after so many incorrect guesses.

The hard part is convincing people to follow best practices. I'm always amazed when I work with a client and they tell me their password is something like 12345678 or password or something equally simple. Passwords like these would probably be broken in less than a few minutes (assuming they weren't the very first passwords tried!).

So as Tilman said, just use strong passwords and you'll be fine. Also don't use the same password for multiple accounts. I have an encrypted thumb drive I use to store all my passwords and never use the same password on more than one account. I also change them on a regular basis.

Stay safe and secure!

Regards,

Nathaniel ~KD2DEY
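Nathaniel's keyspace arithmetic above, as an added example that is not part of the original thread: a small Python calculator that sizes the alphabet by the character classes a password actually uses (the 26+26+10+33 = 95 count from the comment), reports the resulting keyspace and entropy, and estimates how long exhausting it would take at a fixed guess rate and under a lockout policy. The 1,000 guesses/second figure is the comment's; the 5-attempts-per-15-minutes lockout is an assumed example policy.

```python
import math
import string

# Character classes as counted in the comment above: 26 lower, 26 upper,
# 10 digits and 33 symbols (32 ASCII punctuation marks plus space) = 95 total.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover: the union of every class used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet (exact integer)."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Keyspace in bits; each extra character adds log2(alphabet) bits."""
    return math.log2(keyspace(password))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    return keyspace(password) / guesses_per_second / (365.25 * 86400)


def years_with_lockout(password: str, attempts: int, lockout_seconds: int) -> float:
    """Same estimate against an online lockout policy of N attempts per window,
    which caps the effective guess rate regardless of attacker hardware."""
    return years_to_exhaust(password, attempts / lockout_seconds)


if __name__ == "__main__":
    # Assumed example policy: 5 attempts, then a 15-minute lockout.
    for pw in ("z7Xt$.Ar46y", "B1g_D0g.....", "12345678"):
        print(f"{pw!r}: alphabet={alphabet_size(pw)} keyspace={keyspace(pw):.3e} "
              f"bits={entropy_bits(pw):.1f} "
              f"years@1000/s={years_to_exhaust(pw, 1000):.3e} "
              f"years@5-per-15min={years_with_lockout(pw, 5, 15 * 60):.3e}")
```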

Comment by Euan Ramsay on November 21, 2013 at 1:05am
Comment by Tilman Baumann on November 21, 2013 at 2:42am

I use lastpass. But that means I have to trust some other company subject to national security letters to have implemented zero knowledge crypto right.

Comment by hotelzululima on November 21, 2013 at 5:22am

uh kids.. just be done with this crap and use KeePass or KeePassX, both open source password managers

     HZl
