Some days ago my xbox started spouting the "(my gamertag) was last signed in on another console". I searched the net for info on what that means, and reset my password. However, it was too late. I later noticed that 1000 MS points had been used from my account (I had 1040 in total) to make some purchases. Microsoft's technical support was quite helpful and competent handling the situation, and they investigated the incident and returned my lost points. (This was, I admit, a slight surprise, given all my prejudice against Microsoft.)
I do not know how they hacked my account, as Microsoft's report did not reveal any such information. I consider myself quite an experienced and savvy computer user, having been using Unix and Windows systems since the early 90's, and I know not to fall for e.g. social engineering; not that I have had any attempt at such a thing done to me either. Yet it still happened. (Reading on the subject on the internet, it seems that at least some hackers hack Xbox Live accounts to make purchases and transfer them to some other account, which is possible at least with some purchases, and then they sell that account, which is full of games, for good money. Others might do it just for pure vandalism and egotripping.)
So it can happen. Here's some advice:
- If you ever get an unexpected "(your gamertag) was last signed in on another console" message on your xbox 360, take it seriously. It means what it says: Somebody else has logged into your xbox live account from another console. That should never happen (unless you yourself did indeed do that.)
- If that happens, go to www.xbox.com/security and reset your password. Remember to click the option "require a password to sign in from all consoles" (else the hacker will be able to keep signing into your account because they have most probably set the "remember password on this console" option.)
- Check at the xbox live website for your purchase history to see if anything has been purchased with your account that shouldn't be. If there is, contact Microsoft's technical support. At least in my case they were very helpful. Also check if anything has been changed in your account, such as your gamertag, friends list, etc. (You might want to contact Microsoft technical support even if nothing has changed, just in case.)
Or - more commonly - a non-unique password. Say, you're using the password 12345 on xbox live, on your favourite forum and on your luggage. Your favorite forum's DB gets hacked, passwords are extracted. The hackers will at some point try all the gathered credentials on xbox live, other games, forums, banking sites, email providers and of course on your luggage.
Another very common problem is hackers having access to your email account. Many of the large email providers have been compromised in the past, and many didn't take the necessary precautions to change their users' passwords. Not sure how xbox live handles password- or authentication-emails, but this may be another attack vector.
See also: https://www.guildwars2.com/en/news/mike-obrien-on-account-security/ - a company with several million customers advises the same. (Actually, I work at a gaming company with several million customers, but who's going to trust me? :P)
Here's what can happen (and did to me). You sign up for some site. You used the same password there as you do on other sites. The site's owner sells your password, along with everyone else's, and hackers go crazy. The worst possible case is clear text passwords. Absolute failure of security.
When TAS does Quake 1, SDA will declare war.
The Prince doth arrive he doth please.
How hard can it be to smash your keyboard and produce about twenty characters of noise? Just write the password down in a password manager application.
Do you usually write your Xbox Live account name and password to random websites?
So you want your password to be retrievable in cleartext from your computer? (Also, a bit difficult to log into Xbox Live with your console using a password manager application...)
That's why the password manager has a master password.
Someone gaining physical access to your computer, extracting the encrypted password-db and guessing the master-password may be a security problem, but it's very very unlikely for anything like that to happen to a private computer. This is something to worry about if you're sharing your PC with your evil brother, or if you're having sensitive information that's worth a couple millions.
Someone gaining your passwords from another site and re-selling or re-using them for all kinds of mischief happens all the time.
So tell me, which attack vector would you rather close? I'll choose unique passwords and a good password manager anyday.
Only stupid forum software keeps passwords in a decryptable way. Most of them hash the passwords, so they are undecryptable (or at least they should; if they do not, then avoid that software).
Aside from that, using a local password manager that contains uniquely generated long and complex passwords for each site is far more secure than non-unique easily remembered passwords.
Make sure you have a strong password for your user on your computer, and for some extra security, if the user is shared (which it never should be!), a strong password for your password manager.
Then encrypt all the files containing your passwords (regular NTFS encryption for Windows should do fine), to prevent anyone who gets hold of your hard drive from getting access to all your passwords. Don't forget to backup your certificate in that case! Some password managers may do this encryption for you, which is a good thing.
Online has become such a dangerous place today. You can't really expect any information online to be safe anymore. Eventually it will be breached; it's just a matter of when. The best thing to do is to minimize the damage.
I've heard more and more stories of this happening, so I changed my Live password a couple of months ago. I had one randomly generated: max length, and a mixture of lowercase and capital letters, numbers, and symbols. It's ugly looking, but I just wrote it down on a piece of paper and threw it in my desk drawer. I almost never have to actually input the password, so it's not a big deal.
While storing passwords as one-way hashes is certainly vastly more secure than storing them as plaintext or any format that's unencryptable, one should never consider it 100% safe (especially in environments where hundreds or thousands of passwords are stored, such as online websites.) Things like rainbow attacks (yeah, they are really called that) have been used successfully again and again to decrypt some/many passwords of such websites. (There are measures to make rainbow attacks much more difficult, if not almost impossible, but many websites do not use them.)
Of course a common form of "hacking" a password, which bypasses all forms of encryption, is social engineering. Countless people enter their login info and passwords to random places just because they are naive enough to believe a random email or scam website. (Some forms of social engineering are much more elaborate than that, especially if the hackers are resourceful and have a great interest in retrieving a particular password. These may involve things like physical phone calls and so on.)
Sometimes websites get hacked, and it may look to you like the regular old website, and you log in as normal, but in reality your login info and password is being passed to the hackers. There's little one can do to avoid this, as everything happens silently on the server side.
Curiously, using normal English (or whichever spoken language) words in a password may be more secure than using random symbols, no matter how egregiously unintuitive that might sound. There was a strip at xkcd about this.
It's simple math, really. For example, let's assume that you use a 10-character password, using random alphanumeric characters, and random punctuation from the ASCII character set (let's say for a total of about 80 possible characters). There are about 10^19 possible passwords.
In contrast, assume you make a password consisting of just 6 random English words. While English has a really vast dictionary, let's be really conservative and say that you are drawing from a pool of about 100 thousand words. The total amount of possible passwords is 10^30. A vastly larger amount.
So, you see, using just 6 random English words results in a significantly more secure password than using 10 random ASCII characters. The advantage of using English is that it's far easier to remember.
Yet all security advisors out there recommend against using cleartext passwords.
A small, but very important, nitpick: Hashing doesn't make the passwords undecryptable. Rainbow tables exist for all major hashing functions, or can be constructed with a bit of effort.
Only hashing and salting with a per-user salt does. At that point, an attacker would have to brute-force each user's password separately, making it infeasible to run all but the simplest of dictionary attacks.
A quick googling for three examples:
* Sony hack (77 million passwords): hashed, but not salted.
* LinkedIn hack (8 million passwords): hashed, but not salted.
* eHarmony hack (1.5 million passwords): hashed, but not salted.
All of these passwords must be considered "public". Proper salting is very important.
Oh, and the advice to "avoid that software" is pretty much impossible from a user's point of view. :) I know tasvideos.org uses phpBB2 (which had a good share of security flaws) and a lot of custom made code (which I cannot evaluate). So is my password on this forum safe or is it not? I have no way of knowing, so the only reasonable action is to assume the worst.
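To illustrate the salting point made above, here is an added example (written for this page, not code from any of the posters or from phpBB): a small set of constructed user records is stored once as plain SHA-256 and once with a per-user random salt and PBKDF2, and a precomputed hash table of common passwords is checked against both. The unsalted store gives up every matching user with one lookup each and reveals that two users share a password; the salted store matches nothing.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users chose the same weak password.
USERS = {"alice": "12345", "bob": "12345", "carol": "correct horse battery"}
# Constructed "common passwords" list used to build the precomputed table.
WORDLIST = ["password", "12345", "qwerty"]


def unsalted_hash(pw: str) -> str:
    """Plain hash, as in the breaches listed above: same password -> same hash."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes) -> str:
    """Per-user salt plus a slow KDF; the salt is stored next to the hash."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000).hex()


def verify_salted(pw: str, salt: bytes, stored: str) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(pw, salt), stored)


def precomputed_table(words):
    """hash -> word table built once, reusable against any unsalted dump."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(db, table):
    """One table lookup per user; cost does not grow with the number of users."""
    return {u: table[h] for u, h in db.items() if h in table}


def lookup_salted(db, table):
    """The same table is useless here: each stored hash depends on its salt."""
    return {u: table[h] for u, (_salt, h) in db.items() if h in table}


def demo():
    unsalted_db = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted_db = {}
    for u, p in USERS.items():
        salt = os.urandom(16)            # fresh random salt per user
        salted_db[u] = (salt, salted_hash(p, salt))
    table = precomputed_table(WORDLIST)
    return {
        "unsalted_hits": lookup_unsalted(unsalted_db, table),
        "salted_hits": lookup_salted(salted_db, table),
        "unsalted_collide": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_collide": salted_db["alice"][1] == salted_db["bob"][1],
        "login_ok": verify_salted("12345", *salted_db["alice"]),
        "login_bad": verify_salted("12346", *salted_db["alice"]),
    }
```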
While this is true when comparing 10-random-character passwords with half sentences, ElectroSpecter mentioned that his random-ASCII-character-password was max length. And when looking at identical length, the random password is preferable, as it is (or at least should be) immune to dictionary attacks.
The point is that when you have to remember your password (you can't use password manager software everywhere and in every situation), a password consisting of random English words is much easier to remember and more secure than a password consisting of random characters (which is short enough for a normal person to remember.)