pcdebb
Premium Member
2014-Sep-22 10:13 am
Amazon.com password reset?
I received an email from Amazon.com stating that they reset my password due to them finding a list of email/password combos online. They in fact did change it and I had to reset it (yes, I went directly to the site). I didn't read anything about a list being found.
Anybody hear about this?

Kilroy
MVM
2014-Sep-22 10:23 am
Nope, first I've heard. How complex was your Amazon password? Have you reused your Amazon password on another site?

Nanaki (banned)
Member
2014-Sep-22 12:08 pm
This is all over the Gmail password leak. I got the same email.

Kilroy
MVM
2014-Sep-22 3:33 pm
So, are you saying that you used the same password on Amazon that you used for Gmail?

Nanaki (banned)
Member
2014-Sep-22 4:00 pm
Nope, only sign in with Gmail. They checked the same database as I did and found my 10 month+ old password. Same as the other places.
In my case got one from IMDb, Amazon and WordPress. My PayPal is under a separate email address that is much newer. I use my "compromised" email to sign in to a lot of places. Soon as I checked and saw the old password I was worry free. In my case, and others I have heard from people about, it is an old password long changed that the site was showing.

Kilroy
MVM
2014-Sep-22 6:42 pm
Hmm, wonder why I didn't get one. I did change my Gmail account passwords as soon as I heard about the leak.

to pcdebb
Just got a notice today.

pcdebb
Premium Member
2014-Sep-22 10:01 pm
My Amazon password is different from all others, but I guess they sent the email because a lot of people use the same combo for multiple sites. At least they were proactive about it, I guess.

Kilroy
MVM
to pcdebb
I guess my real question is why are they resetting your password? If they are storing your password properly they would not know what your password is. They would only have a hash of it, a salted hash would be best, which would require them to run the password list through their algorithm to see if the password on the site resulted in the same hash. Beware of any site that can e-mail you your password.

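The check described in the post above, as an added example that is not part of the original thread and not Amazon's actual process: a site that stores only salted hashes can still re-hash each leaked password with the account's own salt and see whether it matches. PBKDF2-HMAC-SHA256, the function names, and the sample accounts and leaked pairs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this sketch

def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, slow hash; this and the salt are all the site stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)

def enroll(email: str, password: str) -> dict:
    salt = os.urandom(16)  # unique per account
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}

def triage_leak(user_db: dict, leaked_pairs: list) -> dict:
    """Split accounts named in a leak into confirmed reuse vs. address only."""
    confirmed, address_only = [], []
    for email, leaked_pw in leaked_pairs:
        record = user_db.get(email.strip().lower())
        if record is None:
            continue  # leaked address has no account on this site
        # Re-hash the leaked password with this account's own salt.
        candidate = hash_password(leaked_pw, record["salt"])
        if hmac.compare_digest(candidate, record["hash"]):
            confirmed.append(record["email"])      # leaked password is live here
        else:
            address_only.append(record["email"])   # on the list, password differs
    return {"confirmed": confirmed, "address_only": address_only}

# Constructed sample data (no real accounts or leaked values).
USER_DB = {r["email"]: r for r in (
    enroll("alice@example.com", "correct-horse-9"),   # reused everywhere
    enroll("bob@example.com", "amazon-only-phrase"),  # unique to this site
    enroll("carol@example.com", "not-on-any-list"),
)}
LEAKED = [
    ("alice@example.com", "correct-horse-9"),
    ("Bob@Example.com", "old-mail-pass-2013"),
    ("dave@example.com", "qwerty123"),
]

if __name__ == "__main__":
    print(triage_leak(USER_DB, LEAKED))
```

Resetting only the `confirmed` accounts is the targeted policy; resetting the `address_only` accounts as well is the cautious approach discussed later in the thread.
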
Nanaki (banned)
Member
2014-Sep-23 9:21 am
They are making the assumption that you, me, etc. may have used the same password for our Gmail and their site. Even if they can't see it. Erring on the side of caution is all. They are pretty slow though; it's been what, a week or longer since the leak?

Kilroy
MVM
2014-Sep-23 1:10 pm
I still haven't received one and use my Gmail account on Amazon, however I may not be on the leaked list. I'm just trying to figure out how they decided which users to send password resets. To me, it seems wrong for them to assume that because your Gmail account was leaked that your Amazon account is automatically at risk.

Nanaki (banned)
Member
2014-Sep-24 11:06 am
I think they are playing it safe. If your mail was on the list they are making the safe assumption that you might have used the same password as well. In my case my Amazon pass and my Gmail pass are extremely different. Length is higher on my Amazon pass and the offset string I used for the cipher has an extra number or 2 as well as a dif fave quote etc. as the starting phrase. Both are 15 or longer, that's about all they share in common lol. I honestly do not know if it would be possible for a brute force attack to work in anything less than a billion years. As for dictionary attacks, those would never work as it looks like a letter jumble (hjgfd ertyis ghss jdrgierbv or whatever). Yeh, I doubt any dictionary would have anything like the ( ) enclosed heh.

Kilroy
MVM
2014-Sep-24 11:47 am
These days they do masked attacks and anything less than a truly random password isn't as secure as we are led to believe. This Dan Goodin article has links to some of his previous articles on how passwords are being hacked and cracked these days. Unfortunately it doesn't matter how good our passwords are if the organizations that require we use them don't store them properly.

Nanaki (banned)
Member
2014-Sep-24 12:19 pm
said by Kilroy:
Unfortunately it doesn't matter how good our passwords are if the organizations that require we use them don't store them properly

Very true. As for truly random password, that is what mine is. Due to the way the cipher works. Just by choosing say a fave quote, I'll use the last line of the season finale for Extant as an example: "Im every where". Now we take this quote and apply the numbers 1 2 3 4 to it (spaces get left in place):

i+1=j m+2=p e+3=h v+3=y e+4=i r+1=s y+2=a w+3=z h+4=l e+1=f r+2=t e+3=h

So "im every where" becomes "jp hyisa zlfth". And that is a simple one. Now you can remove spaces and add numbers in place of letters if you like or are required to by the site, e.g. Jp hy1Sa zl4tH. Good luck on that one being guessed by any means out there.

Best part is if you forget it you need no recovery question. Or you can cipher it as well. So long as you remember 2 bits of information, the quote and the 4 numbers, you can never lose the password. Good old memorizing will take over after a couple times of entering the password. The spaces will help you to memorize it by breaking it up into 3 data sets: Jp (d1) hy1Sa (d2) zl4tH (d3).

So it becomes very easy to memorize very long passwords created from a fav quote, as long as you want and that the site will accept, and a series of numbers. I find 4 digits works great to jumble things up; 6 works, but more than that and you'll end up with repeated characters in a row, which will weaken your jumbled pass strength. As you see there is a repeated letter in the password. But this is less than the 4 es from the original. Playing with the numbers in the offset, even just not using 1 2 3 4, will result in a password without repeats. I used that only to demonstrate what happens with this very simple cipher.
