Password authentication, when implemented correctly, is safe enough for low-sec 
purposes. While brute force is effective *eventually*, if five consecutive 
authentication failures lead to account lockdown and a red flag somewhere, 
such an attack will not be feasible. Unfortunately, in the last few years some 
larger social sites (I'm looking at you, Twitter) have been inexcusably lax in 
their security, with no limits on authentication failures whatsoever. If you 
are in charge of a web site implementing password authentication and it does 
not have measures against repetitive failures, give yourself a good hard slap 
across the face and rectify this.

That said, I've been a proponent of pre-shared key authentication for several 
years. All major browsers support this reasonably uniformly, and the reason 
we're not using it boils down to laziness and some drawbacks which are rapidly 
getting outmoded. Several years ago people used several different computers as 
temporary workstations, as they only owned a non-portable desktop computer if 
they owned any computer at all. Nowadays we do our work with laptops, tablets, 
and smartphones. We seldom use another person's terminal anymore, because we 
always carry our own terminals in our bags and pockets. Using shared keys has 
suddenly become more feasible; I hope our providers get with the program soon.

kizito Mudambo <[email protected]> wrote:

>doesn't yahoomail support 2 step authentication... the real truth is
>passwords are no longer safe enough no matter how strong they are....
>the only way for now is two step authentication, as simple as that
>On Dec 10, 2012 2:51 PM, "Colline Waiswa" <[email protected]> wrote:
>
>>
>>
>> I don't know how the breach took place but I highly doubt it was
>> guessed coz I think it had the characteristics of a good password.
>> 1: it was quite long (over 10+ characters)
>> 2: had alternating capitalization
>> 3: had at least 1 special character
>> 4: was unrelated to my cat, team, etc
>>
>> Colline
>>
>>
>> ------------------------------
>> On Mon, Dec 10, 2012 3:08 AM PST Benjamin Tayehanpour wrote:
>>
>> >Most *targeted* breaches are, yes. If you know a specific user and
>> >you want that user's account, specifically, then password-guessing is
>> >common. But this was quite evidently not a targeted breach, otherwise
>> >spam would be the least of his/her problems. Most non-targeted breaches
>> >(as in: "I have this lovely piece of spam I want to distribute, so I
>> >need one thousand hacked accounts") happen through lousy workstation
>> >security, with spyware or MITM attacks swiping the credentials.
>> >
>> >I'm curious. What was your password, Colline? Since you've changed
>> >it, it shouldn't hurt to reveal it, right?
>> >
>> >On 10 December 2012 11:58, Victor van Reijswoud <
>> >[email protected]> wrote:
>> >
>> >> Most breaches are because of poor passwords (except this one, of
>> >> course :) ). Interesting overview here:
>> >> http://nakedsecurity.sophos.com/2012/07/13/yahoo-voices-poor-passwords/
>> >>
>> >>
>> >> On Mon, Dec 10, 2012 at 11:19 AM, Benjamin Tayehanpour <
>> >> [email protected]> wrote:
>> >>
>> >> Any idea how the breach happened yet? Password-guessing for
>> >> spam-related purposes is quite rare nowadays, with sophisticated
>> >> brute force protection and especially if the password is a good
>> >> strong one (which I assume, since you're a Linux user and thus have
>> >> common sense). Did you have your password written down somewhere
>> >> accessible? Did you save it with a password manager on a public
>> >> computer? Did you link your account to some other account
>> >> (Facebook/Twitter/&c.) which is compromised?
>> >>
>> >> On 10 December 2012 10:28, Colline Waiswa <[email protected]>
>> >> wrote:
>> >>
>> >>>
>> >>>
>> >>>
>> >>> Seeing as my sent mail folder is full of that message sent to
>> >>> all my contacts, I am pretty sure the mailbox was gotten into
>> >>>
>> >>> Colline
>> >>>
>> >>> ------------------------------
>> >>> On Mon, Dec 10, 2012 12:42 AM PST Mike Barnard wrote:
>> >>>
>> >>> >On 9 December 2012 17:37, Benjamin Tayehanpour
>> >>> ><[email protected]>wrote:
>> >>> >
>> >>> > Without SPF protection, I could send e-mails which look like
>> >>> > they originate from your account, and the receiver will have no
>> >>> > means of verifying the sender address since SPF isn't implemented.
>> >>> > That's one of many reasons why Yahoo! is a bad e-mail service
>> >>> > provider. I'm not saying we should ban all users of Yahoo!; I'm
>> >>> > saying Yahoo! as a service provider should be boycotted due to the
>> >>> > numerous flaws in their service.
>> >>> >
>> >>> > That said, I'm glad you managed to change the password so you
>> >>> > didn't lose the account. Such things can be a real pain otherwise!
>> >>> > Do you know how the breach happened?
>> >>> >
>> >>> >
>> >>> >The "breach" will most likely happen again... I doubt that the
>> >>> >person actually got into his mailbox. Most spam from yahoo addresses
>> >>> >tends to be from botnets that take advantage of the fact that one
>> >>> >cannot legitimately check whether it's actually Yahoo who sent the
>> >>> >email.
>> >>> >
>> >>> >
>> >>> >--
>> >>> >Mike
>> >>> >
>> >>> >Of course, you might discount this possibility, but remember
>> >>> >that one in a million chances happen 99% of the time.
>> >>> >------------------------------------------------------------
>> >>>
>> >>> _______________________________________________
>> >>> The Uganda Linux User Group: http://linux.or.ug
>> >>>
>> >>> Send messages to this mailing list by addressing e-mails to:
>> >>> [email protected]
>> >>> Mailing list archives:
>http://www.mail-archive.com/[email protected]/
>> >>> Mailing list settings: http://kym.net/mailman/listinfo/lug
>> >>> To unsubscribe: http://kym.net/mailman/options/lug
>> >>>
>> >>> The Uganda LUG mailing list is generously hosted by INFOCOM:
>> >>> http://www.infocom.co.ug/
>> >>>
>> >>> The above comments and data are owned by whoever posted them
>(including
>> >>> attachments if any). The mailing list host is not responsible for
>them
>> in
>> >>> any way.
>> >>>
>> >>
>> >>
>> I highly doubt
>
>
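The lockout the top of this message asks for (five consecutive failures lock the account and raise a red flag), as an added Python example that is not code from anyone in the thread. The five-failure threshold is the message's own; the 15-minute lockout window, the account name, the password and the injectable clock are assumed sample values.

```python
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 5             # the "five consecutive failures" threshold from the message
LOCKOUT_SECONDS = 15 * 60    # assumed policy value: how long an account stays locked


@dataclass
class AccountState:
    failures: int = 0         # consecutive failures since the last success
    locked_until: float = 0.0 # epoch seconds; 0 means not locked


class AuthGuard:
    """Password check wrapped in a per-account lockout plus an alert hook."""

    def __init__(self, secrets, clock=time.time):
        # secrets maps account -> password; constructed sample data only,
        # a real system would store salted hashes, not the passwords themselves
        self.secrets = secrets
        self.clock = clock       # injectable so tests can advance time
        self.state = {}
        self.alerts = []         # the "red flag somewhere": one entry per lockout

    def _st(self, user):
        return self.state.setdefault(user, AccountState())

    def is_locked(self, user):
        return self._st(user).locked_until > self.clock()

    def login(self, user, password):
        st = self._st(user)
        # Refuse while locked without evaluating the password at all, so a
        # correct guess made during the window is not rewarded.
        if self.is_locked(user):
            return "locked"
        expected = self.secrets.get(user, "")
        # Unknown users are counted like wrong passwords, so the responses do
        # not reveal which account names exist. compare_digest avoids a timing
        # leak of how much of the guess matched.
        good = user in self.secrets and hmac.compare_digest(
            expected.encode(), password.encode())
        if good:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            st.failures = 0
            self.alerts.append((user, self.clock()))   # feed this to monitoring
            return "locked"
        return "denied"
```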