
Warning: Increase in credential stuffing attacks targeting domainers

NamePros is observing an increase in credential stuffing attacks targeting domain investors. This is a semi-regular occurrence. It typically works as follows:
  1. An arbitrary website in the domaining industry is compromised. Typically, we have no way of knowing which site it was.
  2. The usernames and passwords are harvested from the compromised website.
  3. Attackers assume that most people use the same (or a similar) password everywhere, so they plug the username and password combination into other, more secure websites.
  4. The attacker will steal any assets in the account and potentially scam other people while impersonating the compromised user.
I've written about this quite extensively in the past, but people are still using the same password on multiple websites. Password reuse is a great way to get hacked: if you know your password, it's a bad password.

Get a password manager and enable 2FA. It's your responsibility to keep your accounts secure. If you use the same password on NamePros and SomeRegistrarWebsite, and SomeRegistrarWebsite leaks your password, attackers are going to have no trouble logging into your NamePros account.

In the short term, we'll be requiring some high-risk accounts to enable 2FA. We'll also be enforcing stronger password requirements for some accounts. This is not a perfect solution, and we still expect members to maintain good internet hygiene by choosing more secure passwords.
 
35
•••
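An added example (not from the original post or from NamePros): one way a site operator could spot steps 3 and 4 above in its own login log, by flagging a source that tries many distinct usernames with few successes and listing the accounts it did get into, which then need a forced reset and 2FA. The log format, thresholds and sample lines are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO time, source IP, username, outcome.
SAMPLE = [
    "2024-01-01T10:00:00 203.0.113.7 alice FAIL",
    "2024-01-01T10:00:20 203.0.113.7 bob FAIL",
    "2024-01-01T10:00:40 203.0.113.7 carol FAIL",
    "2024-01-01T10:01:00 203.0.113.7 dave OK",      # reused password worked
    "2024-01-01T10:01:20 203.0.113.7 erin FAIL",
    "2024-01-01T10:01:40 203.0.113.7 frank FAIL",
    "2024-01-01T10:02:00 198.51.100.20 grace FAIL",  # one user mistyping
    "2024-01-01T10:02:10 198.51.100.20 grace OK",
    "2024-01-01T10:03:00 192.0.2.50 heidi OK",       # shared office IP
    "2024-01-01T10:03:30 192.0.2.50 ivan OK",
    "2024-01-01T10:04:00 192.0.2.50 judy OK",
    "2024-01-01T10:04:30 192.0.2.50 mallory OK",
    "2024-01-01T10:05:00 192.0.2.50 niaj OK",
]

def parse(line):
    """Parse 'time ip username OK|FAIL' (hypothetical format for this example)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def detect_stuffing(lines, window=timedelta(minutes=10), min_users=5, max_ok_ratio=0.25):
    """Return {flagged_ip: usernames that logged in successfully from that IP}."""
    by_ip = defaultdict(list)
    for event in sorted(map(parse, lines)):
        by_ip[event[1]].append(event)
    flagged = {}
    for ip, events in by_ip.items():
        recent = deque()  # events from this IP inside the sliding window
        for event in events:
            recent.append(event)
            while event[0] - recent[0][0] > window:
                recent.popleft()
            users = {u for _, _, u, _ in recent}
            ok = sum(1 for *_, success in recent if success)
            # Many distinct accounts plus a low success rate is the stuffing signature;
            # a shared IP with many users who all succeed stays below the radar.
            if len(users) >= min_users and ok / len(recent) <= max_ok_ratio:
                # Every account this source ever got into is treated as compromised.
                flagged[ip] = sorted({u for _, _, u, s in events if s})
                break
    return flagged

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE))
```

Accounts returned for a flagged source are the ones whose reused password actually worked, so they are the ones to lock, reset and move to 2FA first.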
The views expressed on this page by users and staff are their own, not those of NamePros.
0
•••
Quantum computers greet you.
Any quantum computer capable of breaking AES256 is going to have no trouble decrypting everything you do on the internet anyway, including every password you enter on every website.

That's not a risk worth worrying about unless you're lucky enough to find yourself in a position to be designing and implementing quantum-ready encryption.
 
1
•••
Any quantum computer capable of breaking AES256 is going to have no trouble decrypting everything you do on the internet anyway, including every password you enter on every website.

So technically nothing is infinite. Even the universe itself.
 
0
•••
So technically nothing is infinite. Even the universe itself.
Security is about risk assessment and risk management. Your risk is much higher if you reuse passwords or follow a pattern than if you use a password manager with proper end-to-end encryption.

LastPass is not that, though. Sure, they might have been using AES256, but AES is only as good as your KDF--and their KDF parameters were garbage. That wasn't a surprise to anyone, though, and they have a history of security issues.
 
1
•••
1
•••