
pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL
ARRIS DG1670

Amazon.com password reset?

I received an email from Amazon.com stating that they reset my password due to them finding a list of email/password combos online. They in fact did change it and I had to reset it (yes, I went directly to the site). I didn't read anything about a list being found.

Anybody hear about this?

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Nope, first I've heard. How complex was your Amazon password? Have you reused your Amazon password on another site?
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

This is all over the gmail password leak. I got the same email.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

So, are you saying that you used the same password on Amazon that you used for Gmail?
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

Nope, only sign in with Gmail. They checked the same database as I did and found my 10 month+ old password. Same as the other places.

In my case I got one from IMDb, Amazon and WordPress. My PayPal is under a separate email address that is much newer. I use my "compromised" email to sign in to a lot of places. Soon as I checked and saw the old password I was worry free. In my case, and others I have heard from people about, it is an old password, long changed, that the site was showing.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

Hmm, wonder why I didn't get one. I did change my Gmail account passwords as soon as I heard about the leak.

dandelion
MVM
join:2003-04-29
Germantown, TN

to pcdebb
Just got a notice today.

pcdebb
birdbrain
Premium Member
join:2000-12-03
Brandon, FL

My Amazon password is different from all others, but I guess they sent the email because a lot of people use the same combo for multiple sites. At least they were proactive about it, I guess.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

to pcdebb
I guess my real question is why are they resetting your password? If they are storing your password properly they would not know what your password is. They would only have a hash of it, a salted hash would be best, which would require them to run the password list through their algorithm to see if the password on the site resulted in the same hash. Beware of any site that can e-mail you your password.
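
The check this post describes, as an added example that is not part of the original thread and not Amazon's code: a site holding only salted hashes re-hashes each leaked password with the matching account's salt and flags the account only on a match. PBKDF2, the iteration count, the function names and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for this sketch


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash; the site stores only (salt, digest)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def enroll(store: dict, email: str, password: str) -> None:
    salt = os.urandom(16)  # unique per account
    store[email.lower()] = (salt, hash_password(password, salt))


def accounts_to_reset(store: dict, leaked_pairs) -> list:
    """Return accounts whose current password matches a leaked one."""
    flagged = []
    for email, leaked_password in leaked_pairs:
        record = store.get(email.lower())
        if record is None:
            continue  # leaked address has no account here
        salt, stored_digest = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_digest):  # constant-time compare
            flagged.append(email.lower())
    return flagged


def demo() -> list:
    # Constructed sample data, not taken from any real leak.
    store = {}
    enroll(store, "alice@example.com", "unique-to-this-site")
    enroll(store, "bob@example.com", "reused-everywhere")
    leaked = [
        ("alice@example.com", "old-mail-password"),
        ("Bob@Example.com", "reused-everywhere"),
        ("carol@example.com", "whatever"),
    ]
    return accounts_to_reset(store, leaked)


if __name__ == "__main__":
    print(demo())
```

Only the account whose stored hash matches the leaked password is flagged; the address appearing in the leak is not enough on its own to produce a match.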
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

They are making the assumption that you, me, etc. may have used the same password for our Gmail and their site. Even if they can't see it. Erring on the side of caution is all. They are pretty slow though; it's been, what, a week or longer since the leak?

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

I still haven't received one and use my Gmail account on Amazon, however I may not be on the leaked list. I'm just trying to figure out how they decided which users to send password resets. To me, it seems wrong for them to assume that because your Gmail account was leaked that your Amazon account is automatically at risk.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

I think they are playing it safe. If your mail was on the list they are making the safe assumption that you might have used the same password as well. In my case my Amazon pass and my Gmail pass are extremely different. Length is higher on my Amazon pass and the offset string I used for the cypher has an extra number or 2 as well as a dif fave quote etc. as the starting phrase. Both are 15 or longer, that's about all they share in common lol. I honestly do not know if it would be possible for a brute force attack to work in anything less than a billion years. As for dictionary attacks, those would never work as it looks like a letter jumble (hjgfd ertyis ghss jdrgierbv or whatever). Yeah, I doubt any dictionary would have anything like the ( ) enclosed heh.

Kilroy
MVM
join:2002-11-21
Saint Paul, MN

These days they do masked attacks and anything less than a truly random password isn't as secure as we are led to believe. This Dan Goodin article has links to some of his previous articles on how passwords are being hacked and cracked these days.

Unfortunately it doesn't matter how good our passwords are if the organizations that require we use them don't store them properly.
Nanaki (banned)
aka novaflare. pull punches? Na
join:2002-01-24
Akron, OH

said by Kilroy:

Unfortunately it doesn't matter how good our passwords are if the organizations that require we use them don't store them properly

Very true. As for truly random password, that is what mine is, due to the way the cipher works. Just by choosing, say, a fave quote; I'll use the last line of the season finale for Extant as an example.

"Im every where"
Now we take this quote and apply the numbers 1 2 3 4 to it (spaces get left in place)
i+1=j m+2=p e+3=h v+3=y e+4=i r+1=s y+2=a w+3=z h+4=l e+1=f r+2=t e+3=h
so
im every where becomes
jp hyisa zlfth

And that is a simple one
Now you can remove spaces and add numbers in place of letters if you like or are required to by the site
eg
Jp hy1Sa zl4tH

Good luck on that one being guessed by any means out there.
Best part is if you forget it you need no recovery question. Or you can cipher it as well.

So long as you remember 2 bits of information, the quote and the 4 numbers, you can never lose the password. Good old memorizing will take over after a couple times of entering the password. The spaces will help you to memorize it by breaking it up into 3 data sets
Jp (d1) hy1Sa (d2) zl4tH (d3)
So it becomes very easy to memorize very long passwords created from a fav quote, as long as you want and that the site will accept, and a series of numbers. I find 4 digits works great to jumble things up; 6 works, but more than that and you'll end up with repeated characters in a row, which will weaken your jumbled pass strength. As you see there is a repeated letter in the password. But this is less than the 4 e's from the original. Playing with the numbers in the offset, even just not using 1 2 3 4, will result in a password without repeats. I used that only to demonstrate what happens with this very simple cipher.
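
The derivation described in this post, as an added example that is not the poster's code: digit offsets cycle over the letters of a quote and spaces stay in place. Alphabet wrap-around, the constructed sample quote and the quote-list size used in the estimate are assumptions; the estimate relates to the earlier point in the thread about non-random passwords.

```python
import math
import string


def derive(quote: str, offsets) -> str:
    """Shift each letter by the next offset in the cycle; keep spaces as-is."""
    out, k = [], 0
    for ch in quote.lower():
        if ch in string.ascii_lowercase:
            shift = offsets[k % len(offsets)]
            # Wrap past 'z' back to 'a' (assumption: the post shows y+2=a).
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
            k += 1  # offsets advance only on letters
        else:
            out.append(ch)
    return "".join(out)


def scheme_bits(candidate_quotes: int, offset_digits: int) -> float:
    """Guessing space if the method is known: which quote, which digits."""
    return math.log2(candidate_quotes) + offset_digits * math.log2(10)


def random_bits(length: int, alphabet: int = 26) -> float:
    """Guessing space of a uniformly random string of the same length."""
    return length * math.log2(alphabet)


def demo() -> dict:
    quote = "to be or not to be"  # constructed sample, 13 letters
    password = derive(quote, (1, 2, 3, 4))
    letters = sum(c.isalpha() for c in password)
    return {
        "password": password,
        # Assumption: the quote comes from a list of 1,000,000 known quotes.
        "scheme_bits": round(scheme_bits(1_000_000, 4), 1),
        "random_bits": round(random_bits(letters), 1),
    }


if __name__ == "__main__":
    print(demo())
```

The output looks like a letter jumble, but it is fully determined by the quote and the digits, so its strength is bounded by how guessable those two inputs are rather than by its length.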