passwords

Latest

  • Key pattern analysis software times your typing for improved password protection

    by Michael Gorman
    05.20.2011

    The recent pilfering of PlayStation Network passwords and personal info shows that having a strong passcode doesn't always guarantee your online safety. However, key-pattern analysis (KPA) software from researchers at American University of Beirut may be able to keep our logins secure even if they're stolen. You create a unique profile by entering your password a few times while the code tracks the speed and timing of your keystrokes. The software then associates that data with your password as another means of authentication. Henceforth, should the magic word be entered in a different typing tempo, access is denied. We saw a similar solution last year, but that system was meant to prevent multiple users from accessing subscription databases with a single account. This KPA software allows multiple profiles per password so that your significant other can still read all your email -- assuming you and your mate reside in the trust tree, of course.

  • PSN logins exploited again, Sony takes pages offline

    by Tim Stevens
    05.18.2011

    This isn't as bad as it could have been -- Sony's PSN hasn't exactly been hacked again -- but what can only be described as a glaring oversight looks to have forced the company into hastily switching off PSN logins on its websites. The issue? If you legitimately forget your password and need to reset it, previously all you had to do was type in your e-mail address and date of birth, then choose a delightfully cunning new password. Sounds good? The problem is that if you were a PSN member before the hack then both your e-mail address and your date of birth (plus a lot of other frightening stuff) are known to the hackers. So, whoever has the millions of rows of data that were exposed could, in theory, re-exploit any account. Sony was made aware of the issue and those pages are now offline again, which should make the Japanese government feel just a little bit smug. Update: Sony has confirmed that there was "a URL exploit that we have subsequently fixed." However, the company indicates there was "no hack involved." So, remember kiddies: exploits are not hacks -- not until someone starts having fun with them, anyway.

  • Talking Sony and identity protection with LifeLock

    by Justin Olivetti
    05.10.2011

    As Sony continues to struggle to restore service to both the PlayStation Network and Sony Online Entertainment's MMOs following a hacking intrusion that resulted in millions of customer identities being compromised, players are understandably concerned about how secure their information is with similar companies. Even though Sony promised to provide a year's worth of identity theft protection for affected customers, part of the responsibility for safeguarding against such theft lies with us. As such, we spoke with Mike Prusinski, the Senior Vice President of Corporate Communications for LifeLock, an identity theft protection service. We asked him about what we should be doing to protect our identities online -- and what Sony could have done better in the first place. Massively: What are the most common ways that people have their identities stolen? Mike Prusinski: Though there are no statistics that point to one way over another, consumers get their personal information lost through stolen laptops, hackers, stolen mail, trash, skimming devices, scams (email, phone calls and personal visits), peer-to-peer networks and public websites.

  • Apple doubles down on in-app purchasing security in iOS 4.3, password now required

    by Sam Sheffer
    03.11.2011

    As you might recall, a certain game was racking up credit card bills because of its in-app purchases -- something which probably resulted in some angry parents (or as the folks in Finland say, "birds"). In Apple's latest iOS update, a feature has been implemented that requires the user to input their password whenever an in-app purchase is made. Will this new security measure actually prevent those children from purchasing hundreds worth of virtual fruit? A big boon for grown-ups, a big downer for those who no longer have an excuse to explain their Smurfberry obsession.

  • iPhone passcode bypassed by security researchers

    by Mike Schramm
    02.10.2011

    A group of German researchers at the Fraunhofer Institute for Secure Information Technology report that they've cracked the iPhone's keychain system, allowing access to the passwords saved on any phone in just six minutes. By jailbreaking the target phone and installing an SSH app on it, the hackers found they could access any information on the phone that they wanted, without the need to input a passcode or any other form of security from the user. In other words, if they can get their hands on your iPhone, they have access to everything on the keychain, which includes any Gmail or Exchange accounts saved on the phone, as well as network, Wi-Fi and voicemail passwords, as well as the passwords on some apps. You can read the full report as a PDF online. The only solution that Fraunhofer lists in the report is that any lost or stolen iPhone must require its owners to assume that all passwords included on the handset are compromised, and must all be changed and replaced as soon as possible. It's hard to think what Apple might be able to do about this -- as long as the phone can be jailbroken, this seems possible, and obviously Apple hasn't been able to stop jailbreaks in the past, for a number of reasons. On the other hand, this hack needs access to the phone itself, so if you don't lose your phone, you're still good to go.

  • PSA: Change your old Amazon.com password for better security

    by Sean Hollister
    01.30.2011

    Amazon's allegedly got a security flaw where hackers can find your password much easier than they would otherwise, and there's already a fix in place. But get this -- you'll probably need to change your password for the fix to take effect, if you haven't already done so in the last couple of years. According to Reddit users, the Amazon.com login system will actually accept any phrase so long as it begins with your password, such as "password123" when the magic word is simply "password" by itself. That apparently makes it that much easier for a computer to guess your password via brute force methods, no matter how counter-intuitive that seems, so if you simply change it immediately -- and to something other than "password," please -- you'll have much sounder dreams.

  • The Road to Mordor: Hacked!

    by Justin Olivetti
    01.21.2011

    "My kinship had just finished an instance run about a week-and-a-half ago and was in the process of reloading back into the world when I got the message that I was being disconnected because I had just logged into the Brandywine server. Huh? Suspecting the worst, I immediately hit up the Turbine Account page and changed my password then re-logged back into the game, which would boot the hacker offline just like I had been booted minutes earlier. "I was lucky and did that before the hacker had time to switch servers to where my active characters are. Other kinmates have not been so lucky." So goes the frightening tale of Pumping Irony's Scott, who shares this in the hopes that others may avoid a similar scare. Unfortunately, it seems as though stories such as these are becoming more and more common in Lord of the Rings Online, where the worst threat to your quest may not be the eye of Sauron but the malicious intent of hackers gutting your account while you're offline. Today we're going to step off the path for a temporary side trail into the gloomy undergrowth of account security and an MMO under siege.

  • Our favorite tips and hints for 1Password, now out on Windows and Chrome

    by TJ Luoma
    12.02.2010

    1Password is having a big week. The Windows version has arrived at version 1.0, and Google Chrome support has been added. In addition, there are a lot of new 1Password users this week, thanks to Agile's promotion that let users give away free licenses to friends. Not using 1Password yet? New customers can save 20% right now. You can also get a free copy of "Take Control of Passwords on Mac OS X" just by logging into Agile's Customer Center. It seemed like a good time to share some of my favorite 1Password tips and hints. First: Track your weak passwords. If you are like most people, you have a handful (hopefully more than one!) of passwords that you reuse at several different sites. 1Password can help by generating secure passwords for you, but at first, you might just want to tell 1Password to save your logins at all of the sites that you log into because you don't think you have time to change them all. If so, create a Smart Folder to track weak passwords. A "Smart Folder" will act much like saved Spotlight searches in Finder, Smart Mailboxes in Mail or Smart Playlists in iTunes: define some criteria, and 1Password will show you all the entries that match. For example, let's say that you use "billy1" as your password for a bunch of sites. Go to File » New Smart Folder, and tell 1Password to look for Passwords that contain "billy1," click the "Save" button and name the Smart Folder. When you are ready to start making secure passwords, use that folder to keep track of all of the websites where you used that same weak password. More tips after the break...

  • Drama Mamas: Hacking a friend's account

    by Robin Torres
    06.25.2010

    Drama Mamas Lisa Poisso and Robin Torres are experienced gamers and real-life mamas -- and just as we don't want our precious babies to be the ones kicking and wailing on the floor of checkout lane next to the candy, neither do we want you to become known as That Guy on your server. It was really hard to choose from the many dramalicious emails we got this week. So much drama, so little time. I'm happy we have so many topics to choose from, but sad that so many of you have to go through so many dramafied situations. This one really did stick out as pretty dramarific, however. Dramarily! Drama-lama ding dong! Dramastified. OK, I'm drama-done. Turn the page for all the dramaness.

  • The Daily Grind: Locked out

    by Eliot Lefebvre
    02.20.2010

    You don't really know the value of account security until it fails you. Or, more accurately, you don't think at all about entering your password until that day when you type it in... and it doesn't work. You double-check it, and it still doesn't work. You don't know if you somehow forgot it, or if you've gotten hacked, or what the issue is... but suddenly playing the game becomes impossible. And suddenly, something as trivial as going in and doing your obnoxious dailies seems like it's an urgent matter. In the best-case scenario, you just forgot the correct password and it can be fixed fairly easily. In the worst-case scenario, you look and find that the recovery e-mail is an address you haven't used in years that no longer functions, and all of your contact information is completely wrong. Because who needs all of that, right? Except that you do now, and you're left kicking yourself for not thinking it through at the time. Have you ever found yourself on the wrong end of getting locked out of an account? What happened? Were you angry, upset, or just ambivalent? Tell us your story, because for better or worse, we've all had to wrestle with security at some point.

  • Aion players: Watch your e-mails for scams

    by Seraphina Brennan
    01.28.2010

    Keeping your password for your favorite game safe is always a top priority. No one wants to have their accounts hacked or have their passwords lost to someone who's willing to sell all of their items for gold, kinah, or what have you. So today, as a friendly public service announcement, we here at Massively would like to remind you to make sure you double and triple check any correspondence that looks like it comes from NCsoft or your favorite game company. Today we've received an e-mail telling us that our Aion account password had been changed, and if it wasn't us that we needed to go to the NCsoft master account site and change it back. We can guarantee you that the link provided was not for NCsoft's account management, but a phishing scam. While the scam letter was pretty obvious, always be wary of e-mails you don't anticipate. If you think there's something wrong, don't click any links in the e-mail -- instead go to your account management website directly to check on your account.

  • Hands-on with Puggable

    by Mike Schramm
    10.15.2009

    We first heard about Vivox's Puggable service back at the Austin Game Developers Conference -- Vivox is a company that runs voice chat for online games, and Puggable is their attempt to target the WoW audience with a quick and easy way to put a group into voice chat. The site is still in a closed beta, but it's slowly opening up, and so as soon as we got a chance to jump in and test the service out, we took it. So what's the verdict? While Puggable's basic mechanics seem to work (by following their instructions, you can get a group into voice chat), the system itself is not quite ready for prime-time. Not only does it have an installation process that most cautious WoW account holders will scoff at (you have to install an Internet Explorer or Firefox addon, and restart your browser to use the service), but the real draw of the system, being able to browse and see player information at a moment's notice, isn't all there quite yet. Read on for our experiences.

  • An Authenticator in your Visa

    by Mike Schramm
    05.27.2009

    This is only slightly WoW-related, but it's worth a mention, I think, considering that when it happens, you'll be able to tell all your friends just what these things are. Our good friend Relmstein reports that Visa is planning to put an authenticator, of all things, in their credit cards. We of course all know how the Blizzard Authenticator works: you punch a button on the Authenticator, it gives you a code, and then that code can be used to synch up with the server. The Emue Card that Visa is testing right now works the same way: you punch in a PIN, it'll give you another code to enter on an online shopping site, and thus no one who just gets your card information can actually use your card (much like right now with a Blizzard Authenticator, no one who just gets your password can actually sign in). But it's all built in to the normal credit card. Very interesting. What Visa's doing with their credit cards might not be completely relevant to WoW, but it is relevant to note that of all of the accounts and passwords in your life that you might like to keep secure, a Blizzard account with an Authenticator attached is probably the most locked-down. Companies have started using Authenticator-like technology to have their employees log in to local networks, and obviously credit card and banking companies are testing things like this. But when it comes down to actual widespread usage, Blizzard is way ahead of the curve. Odds are that your WoW account right now is even more protected than your checking account. We'll likely be using the same authenticator system for other secure connections in the future.

  • 1Password 2.9 and the Agile Keychain

    by Brett Terpstra
    10.09.2008

    We may have mentioned it one or two (dozen) times, but 1Password is a great solution for securely managing passwords, credit cards and notes on a Mac (and recently the iPhone). If you're a 1Password fan, be sure to check out the 2.9 release from last weekend; it has a pretty huge new feature. For quite a while now there have been grumblings about the OS X Keychain being a bit of a beast, especially when handling large amounts of data. Rather than waiting out Apple for new improvements to the Keychain system, the stalwart coders at Agile Web Solutions decided to write their own. If you dig into the Keychain section of the preferences in 1Password 2.9, you'll find an option to "Switch to Agile Keychain Format." What's the difference? First, it allows easy file-based synchronization, making possible non-MobileMe solutions for syncing up multiple Macs. Further, it maintains speedy access even when it contains gigs of data, as well as supporting much higher levels of encryption. Sounds good to me. If you're ready to switch your keychain format, head over to the developer's blog for detailed instructions, and read up on the various options for automatic sync between Macs. 1Password 2.9 is a free upgrade for existing users, and new users can grab a free trial. A single license runs $39.95USD with a family pack available for $59.95USD. For the full changelog for this release, check the version history page.

  • Forum post of the day: Rage against the authenticator

    by Amanda Dean
    06.28.2008

    Alright, so the splash screen mystery is dramatic. Whatever the important announcement is, I don't think they could come up with one that makes me happier than the new authenticator. I will be first in line to buy mine once it comes out. It seems that most of us are with me. We've been clamoring for better authentication, and we're going to get it. A one-time charge of six and a half bucks for an extra layer of security seems like a smoking deal to me. It hasn't occurred to me to be bothered by the price. Tuhrell of Malrone believes that the authenticators should be distributed by Blizzard for free. Vallana of Thaurissan is on a short list of responders in the thread that agreed with the original poster. She believes that her $15/month is enough to spend on WoW and is "not retarded enough to get hacked so I really don't need it."

  • Mac 101: Retrieve lost passwords

    by Dave Caolo
    05.21.2008

    Everyone eventually forgets a password or two. It's OK, don't be ashamed. Even your friends at TUAW have committed this error. Honestly. Ivan at CreativeBits offers a simple way to reveal a forgotten password with Mac OS X's Keychain Access application. You'll find it in your Utilities folder (which lives in the Applications folder). It lists all the passwords you've stored for different applications (wireless networks, FTP servers, etc.). Just select the one you're interested in and perform a "Get Info" by hitting Command-I. Good luck, and write it down this time, will you?

  • Secure your Mac: Keychain on the move

    by Michael Rose
    09.18.2007

    Victor's Mac 101 yesterday gave you the basics of the Keychain, so we all know what it's good for -- keeping your passwords and credentials in a convenient, automatic and protected file. Still, that's an awful lot of passwordy goodness to keep in one place, especially if some of those passwords are controlling access to your financial or professional information. Y'know, what would be really cool -- if you could do it -- take that keychain, and put it on a portable drive, and then you'd have physical control of your passwords even when you aren't with your computer... nice. Conveniently enough, there's a great walkthrough at nevali.net to accomplish this exact task. The basic steps: make a new keychain (with a secure, complex password) and save it to your removable media; once that's done, set your default keychain (where Mac OS X will put new password saves automatically) to the new, portable keychain. From that point on, you can take your passwords with you -- just don't forget to back up that USB drive somewhere safe. Thanks, Mo.

  • Mac 101: Keychain

    by Victor Agreda Jr
    09.17.2007

    The Keychain on your Mac is a little application buried in the Utilities folder in your Applications folder. I say buried because I think Keychain is sadly neglected by most users. Here are some things you can do with it: save web page passwords; save login info (aside from websites, like your IM logins); save protected notes (secret stuff). This 101 will be a little longer than usual, so I can show you how to use Keychain to store passwords and other secret things. Later, in our Secure Your Mac series, we'll talk about making a good password so all these things stay private. Full details on how to easily use Keychain after the jump.

  • TUAW Tip: Safari's reset button

    by Mike Schramm
    07.25.2007

    Brandon sent us a great tip that I should have known was in Safari, but that I hadn't found yet. For you paranoids out there, the Safari 3 beta offers an easy way to clean up every single thing you've ever done, including the history, passwords, cookies, and even favicons and Autofill text. Under the Edit menu, there's a "Reset Safari" option which reveals a checklist that lets you hit the reset button on your browser. Firefox users like myself will notice that this was "gently lifted" from the Clear Private Data function under FF's Tools menu. And it's not just for paranoid browsers out there -- the blogging engine here at TUAW, Blogsmith, is a great program but sometimes hiccups when the cache gets overwritten or pushed out of sync. When it does, the Reset options let me flush the cache in just a few clicks without losing any of my browser windows. If you ever run across a browser-based application that's not doing what you want, this is definitely an alternative to try before actually restarting the browser.

  • Tactile passwords thwart snooping, facilitate old-fashioned muggings

    by Evan Blass
    10.06.2006

    Okay, we'll admit it: we're definitely not "tough guys" around here, and when we need to use the ATM after dark (heck, even before dark), we're looking over our shoulder every two seconds to make sure no one is scoping our easy-to-guess PIN or lying in wait to snatch that fresh stack of twenties out of our RSI-plagued hands. Well, computer engineers at Queen's University Belfast in the UK are trying to make those late-night ATM runs just a little less terrifying, with a new system for password entry that uses tactile feedback combined with on-screen cues instead of the old ten button method we're used to. The whole process centers around a modified computer mouse with sixteen moving pins under both the index and middle fingers; different pin patterns are known as tactons. To enter a password, the user must manipulate the mouse so that a cursor moves through nine different boxes on the display, with each box sending a different, random tacton back to the mouse. Once the user feels the proper tacton correlating to the first element of his/her password, he/she then clicks the mouse button in the appropriate box and proceeds to repeat the process until the requisite number of codes have been entered. While subjects in a study felt more secure with this technique and were able to remember their tacton sequences even after several weeks of non-use, the biggest downside here is that testers needed an average of 38 seconds to negotiate all those boxes and get all their clicks in. So while the tactile system seems to do a good job thwarting nosey parkers, those 30+ seconds of staring at the screen give crooks plenty of time to sneak up behind you and force you to hand over your life savings (or $500 -- gotta love those daily limits).