
PSA: If you use the same password on multiple websites, change it now

By Paul Buonopane, Mar 6, 2021
  1. NickB (Wales.org VIP)
    I'm beginning to suspect there is no wife and you lead a double life

    By day.....John
    By night......Jane
     
  2. johnn (WeSellName.com PRO VIP)
    She is in the picture. We had dinner with Eric Lyon, Amanda and the baby.
     
    Last edited: Mar 7, 2021
  3. johnn (WeSellName.com PRO VIP)
  4. King (Investor & Creator VIP Gold Account)
    I used to use the same password as a kid and it was leaked, they got the password and logged into all my accounts, I had nothing of real value anyway so I don't care so much. Up to this day they still log into those outdated accounts, lol.

    Nowadays, every password I use is complex and unique. Use a password manager or write them down somewhere.
     
  5. Paul (CTO, NamePros)
    We're now trialing a new feature on NamePros that will check whether any new passwords set are similar to known-compromised passwords. If a password is found to be weak or compromised, it'll be rejected. Right now, it's fairly strict, although we may have to tune it a bit if we decide to keep it enabled long-term.

    Give it a try! Change your password. If it gets rejected, your password might be lousy. ;)
     
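The check described in post 5 (and restated in post 15 as "a more advanced version of 'You must add a special character'") is usually built on a k-anonymity range lookup: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, receives every known-breached suffix sharing that prefix, and compares locally, so the full hash never leaves the client. The following is an added example, not NamePros's code. It assumes a local, constructed corpus standing in for a service such as Pwned Passwords, and the "similar to compromised" rules (case folding, stripping trailing digits and symbols, undoing common leet substitutions) are an assumption about what such a policy would do, not NamePros's actual rules.

```python
import hashlib
import re

# Constructed stand-in for a breach corpus such as Pwned Passwords (assumption:
# a real deployment would query that service; here the list is local so the
# example runs offline).
KNOWN_COMPROMISED = ["password", "123456", "qwerty", "letmein", "domainer"]


def sha1_hex(text):
    """Upper-case hex SHA-1, the key format the Pwned Passwords range API uses."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index the corpus by the first five hex characters of the SHA-1.

    Mirrors the k-anonymity API shape: a prefix maps to every suffix that
    shares it, so a client can ask for a prefix without revealing its hash.
    """
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


def candidate_forms(password):
    """Cheap variants a rule-based cracker would try first.

    This is what turns an exact-match lookup into a 'similar to compromised'
    check: 'Password1!' is rejected when 'password' is in the corpus.
    The rules here are an assumption, not NamePros's actual policy.
    """
    forms = [password, password.lower()]
    stripped = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing digits/symbols
    forms.append(stripped)
    forms.append(stripped.translate(str.maketrans("01345@$!", "oleasasi")))  # undo leet
    unique = []
    for form in forms:
        if form and form not in unique:
            unique.append(form)
    return unique


def is_compromised(password, range_lookup):
    """Return (True, matched_form) if any candidate form is in the corpus.

    range_lookup(prefix) -> {suffix: count}; only the 5-char prefix is sent,
    the suffix comparison happens on the client side.
    """
    for form in candidate_forms(password):
        digest = sha1_hex(form)
        prefix, suffix = digest[:5], digest[5:]
        if suffix in range_lookup(prefix):
            return True, form
    return False, None


INDEX = build_range_index(KNOWN_COMPROMISED)


def check_new_password(password):
    """Policy hook a signup or change-password handler would call."""
    hit, form = is_compromised(password, lambda prefix: INDEX.get(prefix, {}))
    if hit:
        return "rejected: too close to a known-compromised password ({})".format(form)
    return "accepted"


if __name__ == "__main__":
    for pw in ["Password1!", "P@ssw0rd", "correct horse battery staple"]:
        print(pw, "->", check_new_password(pw))
```

Against a live range API the `range_lookup` callable would fetch `https://api.pwnedpasswords.com/range/<prefix>` and parse the `SUFFIX:COUNT` lines it returns; the rest of the logic is unchanged. Running the check before hashing and storing the password is what makes the answer to post 14 ("stored in plain text?") a clear no: the plaintext is only ever held in memory for the duration of the request.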
  6. Sutruk (Top Contributor VIP)
    No need to use a wrench, it will work with a chocolate bar... :xf.grin::banghead:

    Social engineering: Password in exchange for chocolate

    https://www.sciencedaily.com/releases/2016/05/160512085123.htm

    It requires a lot of effort and expense for computer hackers to program a Trojan virus and infiltrate individual or company computers. They are therefore increasingly relying on psychological strategies to manipulate computer users into voluntarily divulging their login details. These methods are known as “social engineering”. For the first time, psychologists have conducted a large-scale study (involving 1,208 people) to investigate how people are manipulated into sharing their passwords with complete strangers in return for small gifts.

    In one condition, participants were given chocolate before being asked for their password, while in the control group they were only given chocolate after the interview. The research showed that this small gift greatly increased the likelihood of participants giving away their password. If the chocolate was only given out afterwards, 29.8 per cent of participants revealed their passwords. However, if the chocolate was received generally beforehand, a total of 43.5% of the respondents shared their password with the interviewer. The willingness to divulge passwords increased further if the chocolate was offered immediately before the participants were asked to disclose their password. Here, the internal pressure felt by the recipient appeared to be particularly high, with 47.9% giving away their passwords, compared with 39.9% of participants who received their gift at the beginning of the interview.

    The study shows how easy it is for people to be manipulated with the help of a simple incentive and the principle of reciprocity. Melzer concluded that "This simulated attack was in no way a sophisticated criminal strategy. Although the consequences of such attacks can be severe for individuals or companies, many people lack awareness of such dangers."

    Credits to @Future Sensors from his post:

    https://www.namepros.com/threads/science-technology-news-discussion.1212824/page-71#post-8179289
     
    Last edited: Mar 8, 2021
  7. Future Sensors (Gold Account)
    Reminds me of a Usenix conference where Bruce was speaking about security. It was in a time when ssh was not yet widely used. Lots of security researchers were using insecure methods (telnet, pop3, etc) to login to their company assets during that talk. When the talk was over, there was a huge whiteboard at the exit, showing all captured passwords in plaintext, with an urgent request to use encrypted communications in the future.
     
    Last edited: Mar 8, 2021
  8. Paul (CTO, NamePros)
    Ha, classic.

    For anyone who’s not sure who @Future Sensors is referring to, Bruce Schneier is perhaps one of the most famous security professionals out there. One of his algorithms, Blowfish, forms the basis of the method that NamePros used to securely store passwords until recently.

    For some proper social engineering fun, search for talks by Deviant Ollam.
     
  9. Future Sensors (Gold Account)
    Direct all evil traffic to the nP honeypot, where they can sell names in alternative TLDs to each other :ROFL:
     
  10. Sutruk (Top Contributor VIP)
    Don't forget to put a bit of salt on them :xf.smile: SHA512 is also pretty strong. At least it was a while ago!
     
    Last edited: Mar 8, 2021
  11. Domain Search (Established Member)
  12. Paul (CTO, NamePros)
    Modern cryptography frameworks take care of the salt. ;) As for SHA512, it’s not suitable for password hashing on its own, although it can be used as the basis for a solid KDF.
     
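To make the distinction in posts 8, 10 and 12 concrete (a salted SHA-512 versus a real password KDF built on it, with the framework handling the salt): the following is an added example, not NamePros's code or the library it uses. It hashes with PBKDF2-HMAC-SHA512 from the Python standard library, stores scheme, cost, salt and derived key in one self-describing string, and verifies in constant time. The iteration count follows OWASP's 2023 Password Storage cheat sheet figure for PBKDF2-HMAC-SHA512 and is an assumption to tune for your hardware; bcrypt (the Blowfish-derived scheme post 8 mentions), scrypt or Argon2 are the usual choices where a third-party library is acceptable.

```python
import base64
import hashlib
import hmac
import os
import time

# Assumption: iteration count follows OWASP's 2023 cheat-sheet figure for
# PBKDF2-HMAC-SHA512; benchmark it on your own servers and raise it over time.
PBKDF2_ITERATIONS = 210_000
SCHEME = "pbkdf2-sha512"


def naive_salted_sha512(password, salt):
    """'SHA512 with a bit of salt'. The salt defeats precomputed tables, but a
    single SHA-512 is so cheap that a GPU still tests billions of guesses per
    second against a stolen database."""
    return hashlib.sha512(salt + password.encode("utf-8")).hexdigest()


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Derive a 32-byte key with PBKDF2-HMAC-SHA512 over a fresh random salt.

    Everything needed to verify later (scheme, cost, salt, key) is encoded in
    the stored string; this is what 'the framework takes care of the salt'
    looks like from the caller's side.
    """
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations, dklen=32)
    return "${}${}${}${}".format(SCHEME, iterations, _b64(salt), _b64(key))


def verify_password(password, stored):
    """Recompute with the stored parameters and compare in constant time."""
    _, scheme, iterations, salt_b64, key_b64 = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unknown hash scheme: " + scheme)
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    key = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                              int(iterations), dklen=len(expected))
    return hmac.compare_digest(key, expected)


def needs_rehash(stored, iterations=PBKDF2_ITERATIONS):
    """True when a stored hash was made with a cost below the current policy;
    call it on successful login and re-hash the plaintext you just verified."""
    return int(stored.split("$")[2]) < iterations


def guesses_per_second(hash_fn, trials=20):
    """Rough single-core throughput, to make the cost difference visible."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for i in range(trials):
        hash_fn("guess%d" % i, salt)
    return trials / (time.perf_counter() - start)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print("verify ok :", verify_password("correct horse battery staple", stored))
    print("verify bad:", verify_password("Tr0ub4dor&3", stored))
    fast = guesses_per_second(naive_salted_sha512)
    slow = guesses_per_second(
        lambda pw, s: hashlib.pbkdf2_hmac("sha512", pw.encode(), s, PBKDF2_ITERATIONS))
    print("naive SHA-512: ~%.0f/s   PBKDF2-SHA512: ~%.0f/s" % (fast, slow))
```

The throughput comparison at the bottom is the whole argument: the naive function runs millions of times per second on one core, the KDF a handful of times per second, and an attacker with a leaked table faces the same ratio. `needs_rehash` is how a site migrates from an older scheme (post 8's "until recently") without ever holding plaintext outside a login request.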
  13. Corey (GDBR.com VIP)
    Password changed, downloaded the google thingy, thanx for the heads up.

    Cheers
    Corey
     
  14. tonyk2000 (Top Contributor VIP)
    Hope that NP passwords will not then be stored in plain text on server side... ( ? )
     
  15. Bravo Mod Team (Moderator, NamePros)
    Never. The quality of the password is checked before it’s accepted and stored. That’s why you have to try to change your password to see it in action. It’s basically a more advanced version of “You must add a special character to the password that you want to use.”

    An important caution about Google Authenticator:

    It does not sync to your other devices and it doesn’t back up to the cloud or anywhere else; if you lose your device with it, you’ll be locked out of your account(s).

    Bitwarden, Authy, 1Password, and several other password managers can sync across your devices and store your data in the cloud with end-to-end encryption, which means even they can’t see it without your master password.

    Those are better options for most people.
     
  16. CraigD (Top Contributor VIP)
    Write your passwords down on some sheets of paper and hide them when you leave your office/house.
    Photocopy them as a backup, and hide that in an envelope somewhere else.

    It doesn't get much simpler IMO.

    EDIT: you can also include a false character that only you know is not part of the real password, just in case someone does find your list.
     
    Last edited: Mar 8, 2021
  17. wwwweb (Top Contributor VIP)
    On the flip side, this is why I have seen an established account trying to sell too-good-to-be-true domains; you have to be wary of aged accounts offering too-good-to-be-true deals.
     
  18. Corey (GDBR.com VIP)
    @Bravo Mod Team
    TBH I don't know much about it or how to use it, I think it was for the 2 factor thingy....how do I change that or what should I do next...thank you in advance.

    Cheers
    Corey
     
    Last edited: Mar 8, 2021
  19. Paul (CTO, NamePros)
    I'd recommend testing it with a Google account first so you have a clear idea of how it works. They have an informative setup process that we can't compete with for the time being, although we're working on improvements.

    Once you've experimented with it and understand the setup process, head to https://www.namepros.com/account/two-step to enable 2FA on your NamePros accounts. There are some important notes, though:
    • If you get locked out of your account as a result of using 2FA, unless you've only recently enabled it, we're probably not going to be able to get you back into your NamePros account. It's meant to be the ultimate in account security.
    • After you enable 2FA, make sure you retrieve your backup codes. Print them and store them somewhere safe. Otherwise, you're going to get locked out of your account eventually.
    You should research 2FA on your own: why it's necessary, what problems it solves, and how to use it. This will allow you to make informed decisions about enabling 2FA on other accounts, not just your NamePros account.

    If there's interest, I may do another blog post with a detailed introduction to 2FA. It's an area of active development, so it's probably worth spending some time writing an article with the latest information.
     
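Posts 15 and 19 describe the two halves of app-based 2FA: the authenticator holds a shared secret and produces a time-based code, and backup codes are the only recovery path once that device is gone. The following is an added example, not NamePros's code, of what a server does with both. It implements HOTP/TOTP exactly as RFC 4226 and RFC 6238 specify (HMAC-SHA1, 30-second step, six digits, one step of clock drift tolerated), and stores backup codes as hashes that are consumed on first use. The enrolment and backup-code formats are assumptions; the RFC test vectors are the ones published in RFC 6238 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP_SECONDS = 30
DIGITS = 6


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "{:0{width}d}".format(code % 10 ** digits, width=digits)


def totp(secret, at_time, step=STEP_SECONDS, digits=DIGITS):
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret, submitted, at_time=None, window=1):
    """Accept the current code or one step either side (clock drift).

    Comparison is constant-time; a real server must also remember the last
    accepted counter so a captured code cannot be replayed within the window.
    """
    now = int(time.time() if at_time is None else at_time)
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + drift * STEP_SECONDS), submitted):
            return True
    return False


def enrol():
    """Fresh 160-bit secret plus the base32 form an authenticator app scans.
    (Assumed format; apps accept it via an otpauth:// URI or manual entry.)"""
    secret = secrets.token_bytes(20)
    return secret, base64.b32encode(secret).decode("ascii")


def _hash_code(code):
    return hashlib.sha256(code.replace("-", "").lower().encode("ascii")).hexdigest()


def generate_backup_codes(count=10):
    """One-time codes for when the phone is lost. The user sees the plaintext
    exactly once (post 19: print them); the server keeps only hashes. Codes are
    64 random bits, so a fast hash is acceptable here, unlike a chosen password."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)  # constructed format: xxxx-xxxx-xxxx-xxxx
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes, {_hash_code(c) for c in codes}


def redeem_backup_code(stored_hashes, submitted):
    """Consume a backup code: valid once, then removed from the set."""
    digest = _hash_code(submitted.strip())
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False


if __name__ == "__main__":
    secret, b32 = enrol()
    print("scan/enter this secret:", b32)
    print("current code:", totp(secret, time.time()))
    codes, stored = generate_backup_codes(3)
    print("backup codes (show once):", codes)
    print("first redeem:", redeem_backup_code(stored, codes[0]),
          "second redeem:", redeem_backup_code(stored, codes[0]))
```

Two points this makes visible that the posts only state: the authenticator app and the server share nothing but `secret`, so losing the device without a backup of that secret (post 15's warning about Google Authenticator) really does leave the hashed backup codes as the only way in; and because the server stores only hashes of those codes, a database leak does not hand an attacker a second factor, which is the property that makes them safe to print and file.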
  20. Future Sensors (Gold Account)
    Thanks @Paul - good initiative.

    May I suggest a related -optional- security feature for consideration.

    Link IP address to session. For additional security you can choose to link your (fixed) IP address to your session. Once enabled, changes to your services during the session (these can be long sessions) can only be made from the IP address used to log in. You can still log in from any other IP address. This model can be extended for particular high-risk sections on NamePros. Of course it should be made clear that this feature is especially useful with fixed and semi-fixed IPs.
     
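The opt-in model suggested in post 20 (log in from anywhere; state-changing requests must come from the login address) is a few lines of session logic, but it is only as good as the address it binds to. The following is an added example, not NamePros's code, and the addresses are constructed from the RFC 5737 documentation ranges. It shows the binding check together with the part that is usually wrong in practice: deriving the client address from `X-Forwarded-For` only when the TCP peer is a proxy you operate, since a header the client controls would let an attacker choose which address the session is "bound" to.

```python
import secrets

# Constructed: the reverse proxy this application sits behind (RFC 5737 range).
TRUSTED_PROXIES = {"198.51.100.10"}


def client_ip(remote_addr, x_forwarded_for, trusted_proxies=TRUSTED_PROXIES):
    """Walk X-Forwarded-For from the right, skipping only proxies we operate.

    If the TCP peer itself is not one of our proxies, the header is ignored
    entirely: whatever it says was written by the client.
    """
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    for ip in reversed(hops + [remote_addr]):
        if ip not in trusted_proxies:
            return ip
    return remote_addr


class SessionStore:
    """Session binding as proposed: login works from any address; once bound,
    mutating requests must come from the address used at login."""

    def __init__(self):
        self._sessions = {}

    def login(self, user, ip, bind_to_ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "bound_ip": ip if bind_to_ip else None}
        return sid

    def authorize(self, sid, ip, mutating):
        """Return 'allow', 'deny' (no such session) or 'step-up'.

        A mismatch asks for re-authentication rather than failing silently:
        NAT, VPNs and mobile carriers legitimately change addresses mid-session,
        and a hard lockout is what makes users turn the feature off.
        """
        session = self._sessions.get(sid)
        if session is None:
            return "deny"
        if mutating and session["bound_ip"] is not None and session["bound_ip"] != ip:
            return "step-up"
        return "allow"

    def rebind(self, sid, ip):
        """After a successful step-up (password or 2FA), move the binding."""
        self._sessions[sid]["bound_ip"] = ip


if __name__ == "__main__":
    store = SessionStore()
    ip = client_ip("198.51.100.10", "203.0.113.5, 198.51.100.10")
    sid = store.login("alice", ip, bind_to_ip=True)
    print("edit from login address :", store.authorize(sid, "203.0.113.5", mutating=True))
    print("read from elsewhere     :", store.authorize(sid, "203.0.113.9", mutating=False))
    print("edit from elsewhere     :", store.authorize(sid, "203.0.113.9", mutating=True))
```

Treating the mismatch as a step-up rather than a rejection keeps the protection (a stolen cookie alone cannot change anything) while covering the "semi-fixed IP" case the post mentions; after the user proves possession of the password or second factor, `rebind` moves the session to the new address.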
    Last edited: Mar 9, 2021
  21. Future Sensors (Gold Account)
    Found it :sneaky:

    [Image attachment: Usenix plaintext password.jpg]
     
  22. frostify (Top Contributor VIP)
    I'd personally recommend taking it a step further and using a secure password manager such as LastPass, 1Password, Dashlane, etc. + setup 2-factor authentication on all your accounts.

    I personally use 1Password and they have a feature that will just auto-generate secure passwords and save them. Using password managers + 2 factor authentication actually protected me against a targeted Russian attack on one of my previously owned 3 letter .com domain names worth 5 figures as well as other valuable domains which were almost stolen. Fortunately, after breaching my email account and other accounts they were stopped at the registrar and nothing was lost.

    When you post on forums like NamePros, it unfortunately makes you a target.

    Also, be sure to run frequent virus/malware scans on your computer to make sure you don't have keyloggers or other malicious programs. Use something like Windows Defender, Malwarebytes, AVG, etc. and run it at least once a week or so.
     
    Last edited: Mar 12, 2021
  23. Paul (CTO, NamePros)
    Indeed, anyone capable of using a password manager should do so. I linked to Bitwarden in the blog post since it’s free, but all of these are good options.
     
  24. frostify (Top Contributor VIP)
    Bitwarden is also a fantastic option, I used to use this at a company I worked with and it kept our logins secure :)
     
  25. Kenny (Top Contributor VIP Gold Account)
    My email password got hacked. Again.
    This is the 3rd time I've had to rename my dog.

    Peace,
    Kenny
     