UKC

Warning - Brute force hacking getting stronger

This topic has been archived, and won't accept reply postings.
 Chris the Tall 28 Jan 2014
A few years back my email got hacked - the result of using a single, dictionary word as my password. So I changed all my passwords to include numbers. This, it seems, is no longer enough to stop the brute force hacking.

Last week a mate had his email hacked, despite it containing a number, and tonight my twitter was done, despite a 10 char password with 4 numerals in it.

Fortunately I have hardly any followers on twitter - I only use it for posting MTB conditions in the peak - but my wife is upset that I sent her a link for anti-aging cream.

Just wanted to pass on this warning.

I guess it's time to start using pass key or something similar. I've always been wary as something like that must itself be a target for hacking.
 Dr.S at work 28 Jan 2014
In reply to Chris the Tall:

> Fortunately I have hardly any followers on twitter - I only use it for posting MTB conditions in the peak - but my wife is upset that I sent her a link for anti-aging cream.

Loving your work here, send the wife an anti-ageing cream ad when tipsy and then claim your account was hacked - and publicise on UKC for some veracity!
 Milesy 29 Jan 2014
Breaking a password which has 10 characters including numbers is unlikely. Assuming it's still not a dictionary word like password1234 or password1981 (or other year of birth etc.), the number of possible combinations is very high and would require a lot of computing power that would be a bit wasted trying to get into your Twitter.

There are three likely outcomes.

1. Your password wasn't as strong as you think it is.

2. Your password was intercepted by malware/spyware/Trojan on your machine (very common, and with a rootkit infection your computer might show as clean on scans).

3. Your email address and password were stored on another database in plain text which was compromised.

 deepsoup 29 Jan 2014
 mike123 29 Jan 2014
In reply to deepsoup:
Thanks for this link, I'd not looked at xkcd for ages. I'm printing this off and putting it on the fridge, due to having spent some of last week "playing" with a troublesome circuit.
https://xkcd.com/730/
In reply to Milesy:

Yep, you're right, it is very unlikely.

Realised how rarely twitter asks you to log on, plus I mostly use it via apps rather than website, so malware/wire sniffing is also unlikely.

However I do use the same password on all those sites which demand a password but which I don't regard as particularly important, and of course it is generally associated with my email address (my email password, and any financial stuff, are different and much stronger!).

So it's possible that one of those sites has been hacked in much the same way that Chain Reaction was a few years back.
 lone 29 Jan 2014
In reply to Chris the Tall:

Quite often passwords on your machine are cached in the computer's browser, so it's easier to expose them. If you use things like Autocomplete in IE you can use a simple password revealer to expose the passwords no matter how complex they are. Any malware written with this similar functionality can send data back to the hacker from your Autocomplete list.

Better to not save passwords and enter them manually instead. Clear out your autocomplete listing and don't save usernames/passwords.

Jason
 Skyfall 29 Jan 2014
In reply to Chris the Tall:

Brute Force Hacking - wow - I thought that only happened in Transformers!

Surely something more obvious such as a malware keylogger?
 hokkyokusei 29 Jan 2014
In reply to Skyfall:

Our IT department do routine brute force hacking to expose weak passwords. I'll refer to them as Optimus Prime and Chromia from now on.
cp123 29 Jan 2014
In reply to Chris the Tall:
Brute force hacking has got better as computing power has increased and hackers are exploiting the parallel processing power of graphics cards.

However I highly doubt your account was hacked in this manner. Brute forcing is normally done on a database of hashed passwords that has been gotten hold of illicitly. All good websites with login credentials have systems in place which stop bots being able to take millions of guesses via the normal login route. Simple methods, such as only allowing a repeat guess after, say, a 5 second delay, mean brute forcing this way isn’t possible.

Also if twitter had been compromised, it would probably be in the news by now.

What's far more likely, and discussed above, is that you either have malware on your PC, a website on which you also use a similar login and password has been compromised, or you were a victim of social engineering.
 struds 29 Jan 2014
A more relevant xkcd:

https://xkcd.com/936/
In reply to BIgYeti86:

Not impressed with twitter security - having changed my password, I can still send tweets and DMs on another machine (this PC) without having to logon with the new password.

This is why I think malware is unlikely - I don't think twitter has asked me for a password since I first registered.
 snoop6060 29 Jan 2014
In reply to Chris the Tall:

How do you know it was a brute force attack? They aren't exactly difficult to detect and stop.
In reply to snoop6060:

Yep, starting to think it was not brute force, more likely the same username/password combo used elsewhere.

Not impressed with twitter - no way to force expiry of all active sessions, so password reset won't prevent the hacker from striking again. And impossible to report this as a problem - the automated system closed my support request because I'm already logged on!
 jkarran 29 Jan 2014
In reply to Chris the Tall:

> Not impressed with twitter - no way to force expiry of all active sessions, so password reset won't prevent the hacker from striking again. And impossible to report this as a problem - the automated system closed my support request because I'm already logged on!

Nor can you log out of a machine you've accidentally left logged in but no longer have access to by the sound of it. Presumably a pretty common problem with internet cafes and relationship break-ups for example.

jk
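Added example, not from this thread and not Twitter's code: one way a service can make a password change revoke every other active session, which is the behaviour the two posts above say was missing. Each user record carries a password generation counter, every issued session is stamped with the generation current at login, and a session whose stamp is stale is refused no matter which machine holds it. The in-memory stores, usernames, passwords and device labels are constructed for the demo.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for a real user database and
# session table (assumption: a demo, not any real service's design).


class AccountStore:
    def __init__(self):
        self.users = {}     # username -> {"salt", "pw_hash", "generation"}
        self.sessions = {}  # session id -> {"username", "generation", "device"}

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a stolen user table is expensive to crack offline.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, user: dict, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, user["salt"]), user["pw_hash"])

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = {"salt": salt, "pw_hash": self._hash(password, salt), "generation": 0}

    def login(self, username: str, password: str, device: str):
        """Return a new session id, or None if the credentials are wrong."""
        user = self.users.get(username)
        if user is None or not self._check(user, password):
            return None
        sid = secrets.token_urlsafe(32)
        # The session remembers which password generation it was issued under.
        self.sessions[sid] = {"username": username, "generation": user["generation"], "device": device}
        return sid

    def is_valid(self, sid: str) -> bool:
        session = self.sessions.get(sid)
        if session is None:
            return False
        # A session issued under an older generation is dead, wherever it lives.
        return session["generation"] == self.users[session["username"]]["generation"]

    def change_password(self, username: str, old: str, new: str, keep_sid=None) -> bool:
        """Rotate the password; every session except keep_sid stops working."""
        user = self.users[username]
        if not self._check(user, old):
            return False
        user["salt"] = os.urandom(16)
        user["pw_hash"] = self._hash(new, user["salt"])
        user["generation"] += 1
        keep = self.sessions.get(keep_sid)
        if keep is not None and keep["username"] == username:
            keep["generation"] = user["generation"]  # the device doing the reset stays logged in
        return True

    def active_devices(self, username: str):
        return sorted(s["device"] for sid, s in self.sessions.items()
                      if s["username"] == username and self.is_valid(sid))


def demo():
    """Owner's phone and an unknown device are both logged in; reset from the phone."""
    store = AccountStore()
    store.register("chris", "old-password-1234")  # constructed credentials
    phone = store.login("chris", "old-password-1234", "phone")
    stranger = store.login("chris", "old-password-1234", "unknown-pc")
    before = store.active_devices("chris")
    ok = store.change_password("chris", "old-password-1234", "new-longer-passphrase", keep_sid=phone)
    after = store.active_devices("chris")
    return {"before": before, "changed": ok, "after": after,
            "stranger_still_valid": store.is_valid(stranger)}


if __name__ == "__main__":
    print(demo())
```

The same generation check is what lets a user see and kill sessions on machines they no longer have access to: `active_devices` lists only sessions that still pass `is_valid`, so nothing has to be deleted on the remote machine.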
Shearwater 29 Jan 2014
In reply to Skyfall:

> Brute Force Hacking - wow - I thought that only happened in Transformers!

> Surely something more obvious such as a malware keylogger?

In reply to snoop6060:

> How do you know it was a brute force attack? They aren't exactly difficult to detect and stop.

Brute-force doesn't just mean repeated attempts to login to a site, cos that is indeed fairly easy to spot and stop.

If a server is compromised, the user database can be taken. Even if the passwords in the database were encrypted, it is quite easy to run an offline brute-force password cracking tool on the database. Because people re-use passwords all the time, any credentials that can be extracted from the database will be tested on various other websites.

If you've re-used your username/password combo anywhere, you're at risk from this.
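Added example, not from this thread: the defender-side counterpart to Shearwater's point. Once credentials extracted from one breached database get replayed elsewhere, a site can refuse passwords already known to be in breach corpora at registration or login. This mirrors the k-anonymity range scheme used by Have I Been Pwned's Pwned Passwords service (the client sends only the first five hex characters of the SHA-1 and matches the suffix locally, so the server never sees the full hash); the breach list here is a small constructed one, not the real corpus, and the counts are made up.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
# Assumption: illustrative values only, not real breach statistics.
BREACHED_PASSWORDS = {
    "password1234": 51_000,
    "password1981": 320,
    "letmein": 9_800,
    "qwerty123": 14_000,
    "Summer2013!": 75,
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Server-side index: 5-hex-char prefix -> {35-char suffix: count}.
_INDEX = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _h = _sha1_hex(_pw)
    _INDEX.setdefault(_h[:5], {})[_h[5:]] = _count


def range_query(prefix: str) -> dict:
    """What the server answers: every known suffix under this prefix.
    The server learns only the prefix, never which password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    return dict(_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: send the prefix, match the suffix locally."""
    h = _sha1_hex(password)
    return range_query(h[:5]).get(h[5:], 0)


def registration_check(password: str) -> str:
    """Policy hook for a signup or password-change form."""
    n = breach_count(password)
    if n:
        return f"rejected: seen {n} times in breach data, choose another"
    return "accepted"


if __name__ == "__main__":
    for candidate in ("password1981", "correct horse battery staple"):
        print(candidate, "->", registration_check(candidate))
```

The check works on the password alone, so it catches the re-use problem regardless of whether the user's email address was in the same leak; pairing it with a per-user slow salted hash on the server is what limits the damage if this site's own table is the one that gets taken.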
In reply to Shearwater:

> In reply to snoop6060:

> Brute-force doesn't just mean repeated attempts to login to a site, cos that is indeed fairly easy to spot and stop.

According to their help pages, Twitter does lock accounts if they get too many unsuccessful logon attempts (they don't say how many). However my understanding of how brute force hacking works is that a large number of accounts are subjected to a small number of attempts each. Twitter of course isn't going to lock out every account - it's effectively a Denial of Service attack. So the question is whether they can identify the source of the attempts and prevent that machine (or banks of machines) from trying to logon.

But as you say, it's unlikely that was the case here.
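Added example, not from this thread: the detection logic that answers the question in the post above. A per-account failure counter (the lockout rule) catches one source hammering one account but is blind to a few attempts spread across many accounts; counting, per source, how many distinct accounts it failed against catches the spread-out pattern without locking anyone out. The log lines, addresses and usernames are constructed for the demo, and the thresholds are assumptions.

```python
import re
from collections import defaultdict

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def constructed_log() -> str:
    """Constructed authentication log (not real Twitter logs) with three patterns."""
    lines = []
    t = 0

    def add(src, user, result):
        nonlocal t
        t += 1
        lines.append(f"2014-01-28T22:{t // 60:02d}:{t % 60:02d}Z src={src} user={user} result={result}")

    # 1. A real user mistypes twice, then gets in.
    add("198.51.100.5", "chris", "FAIL")
    add("198.51.100.5", "chris", "FAIL")
    add("198.51.100.5", "chris", "OK")
    # 2. One source hammers one account: the classic per-account lockout case.
    for _ in range(6):
        add("203.0.113.9", "alice", "FAIL")
    # 3. One source makes two guesses against each of twelve accounts.
    for i in range(12):
        for _ in range(2):
            add("192.0.2.77", f"user{i:02d}", "FAIL")
    return "\n".join(lines)


def analyse(log_text: str, per_account_limit: int = 5,
            spray_accounts: int = 10, spray_max_per_account: int = 3) -> dict:
    """Return accounts that hit the lockout rule and sources showing the
    many-accounts-few-attempts pattern. Thresholds are assumed values."""
    fails_per_user = defaultdict(int)
    fails_per_src = defaultdict(lambda: defaultdict(int))  # src -> user -> fails
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["result"] != "FAIL":
            continue
        fails_per_user[m["user"]] += 1
        fails_per_src[m["src"]][m["user"]] += 1

    lockouts = sorted(u for u, n in fails_per_user.items() if n >= per_account_limit)
    sprays = sorted(
        src for src, users in fails_per_src.items()
        if len(users) >= spray_accounts and max(users.values()) <= spray_max_per_account
    )
    return {
        "lockouts": lockouts,
        "spray_sources": sprays,
        "accounts_touched_by_sprays": sorted({u for s in sprays for u in fails_per_src[s]}),
    }


if __name__ == "__main__":
    print(analyse(constructed_log()))
```

Note what each view misses on its own: `alice` trips the lockout rule but her attacker only ever touched one account, while none of the twelve accounts probed from 192.0.2.77 comes anywhere near the lockout threshold, so only the per-source view surfaces it, and the response can be aimed at that source rather than at the accounts.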


Ken Lewis 30 Jan 2014
In reply to Chris the Tall:

There is a huge difference between attempting a few hundred thousand combinations of common words/numbers and 'brute force'.

How many combinations do you understand there to be in a brute force attack assuming alphanumeric plus say 10 special chars?

Or in other words, a 10 character string in base 46?!

Whatever it is, it's a huge number and is never, ever going to be the method used to crack yours, or anyone else's, tw*tter password.
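Added example, not from this thread: the arithmetic behind Ken Lewis's "10 character string in base 46" and cp123's point that the route that matters is offline cracking of a stolen hash table, not guessing through the login form. It puts the full keyspace next to the much smaller space an attacker actually searches when the password is a dictionary word plus digits (Milesy's password1981 case), and converts both into years at a throttled online rate and at an assumed offline rate. The wordlist size, the two guess rates and the "word + digits" model are assumptions, not figures from the posts.

```python
import re
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600
ONLINE_RATE = 0.2          # one guess per 5 s, cp123's throttle
OFFLINE_RATE = 1e9         # assumed hashes/s for a fast unsalted hash on a GPU (illustrative)
WORDLIST_SIZE = 100_000    # assumed size of the attacker's word list


def naive_keyspace(length: int, alphabet_size: int) -> int:
    """Every string of this length over the alphabet: 46**10 for the post's example."""
    return alphabet_size ** length


def pattern_keyspace(password: str, wordlist_size: int = WORDLIST_SIZE) -> Optional[int]:
    """Space an attacker searches when the password is a word followed by digits.
    Model (assumption): wordlist_size words, optional initial capital, every
    digit string of the observed length. None when the pattern does not apply."""
    m = re.fullmatch(r"[A-Za-z]+(\d+)", password)
    if not m:
        return None
    digits = m.group(1)
    return wordlist_size * 2 * 10 ** len(digits)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    return space / guesses_per_second / SECONDS_PER_YEAR


def describe(password: str, alphabet_size: int = 46) -> dict:
    """Keyspace and worst-case search time for a candidate password."""
    naive = naive_keyspace(len(password), alphabet_size)
    pattern = pattern_keyspace(password)
    searched = pattern if pattern is not None else naive
    return {
        "naive_keyspace": naive,
        "pattern_keyspace": pattern,
        "online_years": years_to_exhaust(searched, ONLINE_RATE),
        "offline_years": years_to_exhaust(searched, OFFLINE_RATE),
    }


if __name__ == "__main__":
    for pw in ("password1981", "Tr9#kq2Lm7"):  # constructed examples
        print(pw, describe(pw))
```

For a word-plus-four-digits password the searched space is about 2e9: roughly 300 years through a login form that allows one guess every 5 seconds, but a couple of seconds against a stolen table of fast hashes. A random 10-character string over 46 symbols (about 4e16) still falls in roughly a year and a half offline at the assumed rate, which is why a site's choice of a slow salted hash, not the user's numerals, is what decides how long a leaked table holds up.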
