Announcements Apr 14, 2014 at 10:00 PM

We recommend that you change your listnook password

Posted by alienth


Greetings all,

As you may have heard, listnook quickly patched its SSL endpoints against server attack of the infamous heartbleed vulnerability. However, the heartbleed vulnerability has been around for quite some time, and up until it was publicly disclosed listnook's SSL endpoints were vulnerable.

Additionally, our application was found to have a client-side vulnerability to heartbleed which allowed memory to be leaked to external servers. We quickly addressed this after it was reported to us. Exploiting this vulnerability required the use of a specific API call on listnook, and we have analyzed our logs and found nothing to suggest that this API call was being exploited en masse. However, the vulnerability did exist.

Given these two circumstances, it is recommended that you [change your listnook password](https://ssl.listnook.com/prefs/update/) as a precaution. Updating your password will log you out of all other listnook.com sessions.

We also recommend that you make use of a unique, [strong](http://xkcd.com/936/) password on any site you use. The most common way accounts on listnook get broken into is by attackers exploiting [password reuse](http://xkcd.com/1286/).

It is also strongly recommended, though not required, that you set an email address on your listnook account. If you were to ever forget your password, we cannot contact you to reset it if we don't have your email address. We do not sell or otherwise make your email address available to third parties, as indicated in our [privacy policy](http://www.listnook.com/help/privacypolicy#p_13).

Stay safe out there.

alienth

Further reading:
[xkcd simple explanation of how heartbleed works](http://xkcd.com/1354/)
[Heartbleed on wikipedia](http://en.wikipedia.org/wiki/Heartbleed)

**Edit:** A few people indicated that they had changed their passwords recently and wanted to know if they're now safe. We addressed the server issue hours after it was disclosed on April 7th. The client-side leak was disclosed and addressed on April 9th. Our old certs were revoked by the 9th (all dates in PDT). If you have changed your password since April 9th, you're AOK.



KamiNuvini Apr 14, 2014 +104
Well then again, unless you explicitly use pay.listnook.com, Listnook doesn't even use https:// to begin with, so a MITM attack to get credentials wouldn't be hard at all anyway. I'm really hoping we get full SSL by default soon.
alienth Apr 14, 2014 +36
MITM can be used to grab your session cookies and the like. Logins, password changes, and preferences are sent over HTTPS (although admittedly savvy attackers can force you around this since the main site is HTTP). MITM is still a very real attack vector. The scary thing about the heartbleed vuln is that it requires no MITM. Full site HTTPS is coming. There is nothing significant blocking us here on the technical side. It is currently a matter of working with our CDN partners to get everything in place. This is something I'm working on every day at this point, although admittedly it has been a long time coming so I wouldn't even believe me until I saw the results :P
Joker_Da_Man Apr 14, 2014 +54
The login process uses HTTPS, specifically an HTTP POST to https://ssl.listnook.com/api/login/Joker_Da_Man
cleverusername10 Apr 14, 2014 +84
Because the page with the login button is sent over HTTP, someone could use a MITM attack to change the login button to post to a different non-HTTPS address, completely bypassing the HTTPS. This only prevents passive MITM attacks.
rabbitlion Apr 14, 2014 +9
It doesn't even prevent that, since someone could steal your session cookie. I suppose in that case they won't get to know your actual password, they'll only be able to log in as you.
[deleted] Apr 14, 2014 +4797
[deleted]
alienth Apr 14, 2014 +283
While listnook doesn't have the level of personal information that a site like Facebook might, there are things which may be valuable to attackers. For example, some folks would be rather dismayed if their votes or private messages were leaked, especially if they have any clues which may tie their real identity to their account. It would be unwise to assume that your account isn't valuable in some way to an attacker. As the saying goes, better safe than sorry.
[deleted] Apr 14, 2014 +23
[deleted]
raisin22 Apr 15, 2014 +4
Well if the armpit photos I sent to /u/PM_ME_YOUR_ARMPIT were leaked it would be pretty bad I guess. Nobody wants to see my stubbly pits.
[deleted] Apr 14, 2014 +1053
I would rather my listnook account get hacked than have to come up with and memorize a new password.
SilverNightingale Apr 15, 2014 +369
Look on the bright side. At least Listnook's password requirements aren't something like, two capital letters, one lowercase letter, three numbers, one foreign symbol and can you please provide your mother's second cousin twice removed and the name of your father's kindergarten teacher and read out all these blurry alphabet letters and numbers so we know you aren't a bot and so on...
ZombiePudding Apr 15, 2014 +90
I don't even know my current password. I've been logged on my ipad since making my account.
sirin3 Apr 14, 2014 +390
I use the same password for my credit card banking! And university mail and ssh login And I have no clue what else
[deleted] Apr 14, 2014 +215
[deleted]
sirin3 Apr 14, 2014 +142
> Remembering four or five passwords is a lot easier than a hundred.

I tried that. Then my credit account was blocked. They block after 3 invalid password attempts; trying to figure out which one of five passwords I used was too many :(
Bardfinn Apr 14, 2014 +209
Okay. I'm a computer scientist and a former IT manager. I'm going to tell you the secret to how to do this, so, get ready to bookmark this post. … Are you ready? … **WRITE THE PASSWORDS DOWN ON A PIECE OF PAPER**. Write them on two separate pieces of paper, even, and put one of those pieces of paper in a lockbox. ^also ^write ^the ^date ^on ^the ^papers ^and ^change ^your ^passwords ^every ^six ^months ^or ^less.
[deleted] Apr 14, 2014 +102
Nah, I have a better method. It involves writing them down but also includes a 'key' that only you know. Your key is something that only you would know and something you'll always remember. A childhood nickname, the name of your first pet, really anything that those with access to your room won't guess. Then your passwords all INCLUDE this 'key' but additionally have other numbers/letters. On your paper or notebook you write down the additional letters/numbers but leave the space where the 'key' is blank. So even if someone finds your paper they don't know your 'key'.

So say my key was 'sam' for my childhood pet. Then my paper would look something like:

Intrust Bank: 115***,h
GMail: cloud***55
etc etc

It's a far better method because it prevents any thief or snoopy person from finding your paper/notebook with your passwords on it.

**EDIT** well I just realized there are like 25 other comments to yours so no one will probably ever see this, which is a shame since it's a far better method than just writing them out plain as day for a thief or friend or whatever to find.
[deleted] Apr 15, 2014 +3
I like that idea a lot. I also like randomly generated passwords, though... so I might well combine the two. For example, I use this (on a site I wrote) to generate an easy-to-write and easy-to-type random password: http://pwgen.us/?length=12&grouping=4

That generates passwords like this:

> eaag-kh94-2727

or

> 39ep-9e3r-th3m

So combining those two ideas; say my personal phrase was "sam", I might write down:

> listnook.com - PanamaCityPC - 39ep-9e3r-th3m&

And the ampersand would mean "sam" - or I could put it in the middle or something and know that 39ep-9e3r&-th3m meant 39ep-9e3r-sam-th3m (to add the extra dash). Heck, might even use two sets of four instead of the three..... Good idea.
HyperLaxative Apr 14, 2014 +401
These "pieces of paper" and "lockboxes"...where do I download them?
WR810 Apr 14, 2014 +112
I'll take jokes that aren't funny but still caused me to laugh for 100 Alex.
the_omega99 Apr 14, 2014 +3
It's not necessary to change passwords every six months (etc). As long as you don't reuse passwords and have a sufficiently secure one, you're probably fine. http://security.stackexchange.com/questions/4704/how-does-changing-your-password-every-90-days-increase-security

If your password is too weak, however, the only thing stopping it from being cracked is time. A long enough password should hold that off for long enough that it doesn't matter (after all, if a password takes 1000 years to brute force, then it doesn't really matter how often you change it). And of course, you don't want to reuse passwords because if the programmer didn't hash the passwords, then changing your password every x days probably won't do anything.

For example, with mixed letters, numbers and symbols (size 96 character set), a size 16 password has 5.204e+31 different combinations. I'm not sure what the fastest computers are doing these days. I grabbed the [first Google result I saw](http://arstechnica.com/security/2012/12/25-gpu-cluster-cracks-every-standard-windows-password-in-6-hours/), which mentions 350 billion per second (3.5e+11). That makes for a total of 1.486e+20 seconds, or 4.708e+12 years.

Granted, there's no such thing as perfect security. It won't help if your password is sent in plain text and a man-in-the-middle attack grabs it, for example.
[deleted] Apr 15, 2014 +4
Hey- just a little heads up- I noticed you wrote:

> \^also \^write \^the \^date \^on \^the \^papers \^and \^change \^your \^passwords \^every \^six \^months \^or \^less.

when you could have just written:

> \^(also write the date on the papers and change your passwords every six months or less)

You're welcome ;)
[deleted] Apr 14, 2014 +79
Wait. I can remotely disable people's accounts by just making 3 invalid attempts? I must be missing something, this shouldn't be possible so easily.
MXIIA Apr 14, 2014 +48
Or use keepass. Remember one really strong password and you're done.
[deleted] Apr 15, 2014 +5
[deleted]
[deleted] Apr 14, 2014 +3
I would add an extra layer of security to this: use the same base password but add a letter on the end. For example, say you've chosen to use the same base password for Netflix, eBay and Amazon. Say you've chosen the password *326_Happy* as the base. For eBay, it would be *326_HappyE* for Netflix, *326_HappyN* and for Amazon, *326_HappyA*. That way, if someone does happen to figure out/steal your Netflix password, they won't be able to use it to log into your Amazon account, because they're technically different passwords. However, *you* just have to remember one base password, and use the name of the site for the last letter.
HowsTricksMurphy Apr 14, 2014 +962
Thanks for letting us know! Smart move.
currentlydownvoted Apr 14, 2014 +513
I just use my username for everything. You're welcome to my $11 and shockingly below average credit rating
DatJazz Apr 14, 2014 +1073
Hey guys, he's not kidding. I just robbed his bank account and somehow became *poorer*
cdawg85 Apr 14, 2014 +285
Every time a homeless person asks me for money I try to hand them my student loan bill.
chunkydrunky Apr 14, 2014 +122
Those debt free guys asking for a hand out! Pbbt
Brobi_WanKenobi Apr 15, 2014 +18
Debt free. Man...I'm in worse financial shape than a homeless person.
dekrant Apr 15, 2014 +10
Your balance sheet may be worse, but your statement of cash flows is probably much better. Furthermore, you probably have higher realizable gains as an investment vehicle. Never fear, pseudo-accounting/biz speak is here to improve your self-esteem!
mtbr311 Apr 15, 2014 +15
You're so poor that if it were free you couldn't afford it!
flyonawall Apr 15, 2014 +10
I am pretty sure most homeless people actually have more net worth than I, due to my student debt...
JackOfCandles Apr 14, 2014 +84
I hope you've learned a valuable lesson today.
sirin3 Apr 14, 2014 +198
Not really. Using another password is equally bad. For example my account is called sirin*3*, because I made up unique passwords for sirin and sirin*2*, and forgot them the next day.
[deleted] Apr 14, 2014 +64
[deleted]
EltonJuan Apr 14, 2014 +174
In fact, just tell me your passwords and I'll remember them for when you need them.
heartbleedlovechild Apr 14, 2014 +147
Okay! My password is KSADVR Not even kidding. Yes this is a brand new account that used the captcha thing as its password. Wreak havoc, post p***, tell legitimate stories about my mother, change the password, post it again, get banned for breaking the rule that says don't post the password, even though the account was made for the sole purpose of sharing its password Oh, and don't forget my password /u/EltonJuan. Don't you dare forget it Edit: DISREGARD THAT I SUCK COCKS
igloo27 Apr 14, 2014 +52
Someone changed the password while I was subscribing to gay p***. Enjoy that whoever took it from me!
Tetranitrate Apr 14, 2014 +25
I was editing the comment, and by the time I saved someone else had knocked me off. I hope they at least run with it. Edit: also whoever did it changed the password.
glglglglgl Apr 14, 2014 +12
Nice [bash.org](http://bash.org/?5775) reference.
marshsmellow Apr 14, 2014 +16
Or write them down on a sticky note taped to the monitor... That's how it is in my organisation's server room...
[deleted] Apr 14, 2014 +54
[removed]
rallets Apr 14, 2014 +25
you heard him hackers, get this guy first
Unidan Apr 14, 2014 +1518
http://i.imgur.com/MVmgqX2.gif
SteampunkWolf Apr 14, 2014 +963
How can we know you're the *real* Unidan and not somebody who hacked Unidan's account?
Unidan Apr 14, 2014 +2209
It is I, the agreeable biophysicist! Come, let us learn about fact biologiks funs at http://saferussiangambling.ru/
Poem_for_your_sprog Apr 14, 2014 +365
That bio-wizard wrapped in glee, Called Unidan by name - Has changed of late, it seems to me, And hasn't been the same. *For when I came across a thread* *To hear the words he spoke -* *He robbed me f****** blind instead,* *And left me stony broke.* :(
all_seeing_ey3 Apr 15, 2014 +31
Consistent, brilliant OC that never fails to make me giggle like an idiot. Don't ever change, pfys. Don't ever change. :D
_madmanwithabox Apr 14, 2014 +832
You seem like a good guy to have as a friend! The kind of guy I'd want to give my bank details to
currentlydownvoted Apr 14, 2014 +45
You shouldn't give them directly, that's crazy. You need a middle man for added security. Go ahead and pm the bank details and scans of your vital documents and I'll pass the information along safely and securely through my "patent pending" triple safety locked file sharing technology. Don't worry, you can trust me.
angryman2 Apr 14, 2014 +330
I can vouch for him! He promised to make me a Prince!
JesseisWinning Apr 14, 2014 +26
Prince here, I can confirm that if you send Unidan all of your account information, you too can be written into a royal Family! Enjoy the power and wealth of Science today!
BobTehCat Apr 14, 2014 +234
He said he'd trim my armor!
Nice_Try_Man Apr 15, 2014 +95
Dude, do it yourself. Just drop it and press Alt-F4, then pick it up.
starshadowx2 Apr 14, 2014 +12
The combination of your name, and that comment, make you awesome.
[deleted] Apr 14, 2014 +4
[deleted]
IAMABananaAMAA Apr 14, 2014 +320
Unidan is awesome! I just made $5,000 from looking at biology facts!
Interleukine-2 Apr 14, 2014 +75
By learning from home!
FoxtrotBeta6 Apr 14, 2014 +8
Prove that you are yourself Unidan. Tell us a cool story involving extinct creatures.
TheoHooke Apr 14, 2014 +9
Once upon a time there were dinosaurs. T Rex was the mightiest dinosaur of them all, except for his freakishly small arms, which made him the laughing stock of the dinosaur world. But he still got laid more than you.
[deleted] Apr 14, 2014 +116
This. Just make a new one, it's not like karma is worth anything, unlike bitcoins ...
buge Apr 14, 2014 +22
But if you have a balance with bitcointipbot, then if you lose your listnook account, you lose those bitcoins.
Ghoti_Ghongers_40 Apr 14, 2014 +3
I make a new account every few months (or whenever a new username takes my fancy). Who gives a f*** about karma? I just share posts and comments which I think people may enjoy, or take something away from. Karma is simply a by-product of people actually enjoying them. It's nice to know something you have posted or said has been appreciated by a lot of people, but counting your running total is just...sad.

EDIT: After posting this reply, I notice most of the comments around me are getting downvoted. I'm unsure whether a sarcastic comment about that fact, and "hoping" my comment does better, would now curry favour with the listnook masses, or attract downvotes. Hopefully you've already realised that I don't care either way, it's just funny seeing how arbitrary the upvotes/downvotes seem to be. Also, is this the first comment to have an edit that's longer than the original reply? Just in case it isn't, here's a completely needless extra sentence to pad things out a bit.
reseph Apr 14, 2014 +402
Thanks. I work as a SysAdmin elsewhere; for those out there that want to check if a site may be affected you can use: https://filippo.io/Heartbleed/

**If a site you use is affected, you shouldn't even use the website until they fix it**

(PS: this is looking like a comment graveyard already, yeesh)
alienth Apr 14, 2014 +104
I should also note that sites may start blocking that test site, and as a result may give false negatives, which are bad. Edit: Looks like they no longer give false negatives, as reseph pointed out below.
reseph Apr 14, 2014 +54
Luckily I don't think the site gives false negatives. It instead gives a generic:

> Uh-oh, something went wrong

Which hopefully users won't take as "this site is clean". Or at least this is all from an expectation of a block.
Zeal88 Apr 14, 2014 +15
Serious question: What would someone want with my listnook account?? I'm just a regular schmoe, and nothing in here is linked to any kind of financial data. I'm not even sure if my email is linked to this account. What would a hacker have to gain from exploiting my account? Why should I worry about it? I know this sounds like a stupid question, but I'm honestly curious.
Stops_short Apr 14, 2014 +24
If you use similar passwords on other common sites, they could take advantage of that.
[deleted] Apr 15, 2014 +3
Your email is linked to your Listnook account (you have the verified email badge). The attacker would be able to go into your preferences and see your email address. From there, they could try to log in to your email with your Listnook account's password (which they know thanks to Heartbleed). If you use the same password for your email, the attacker would be able to log in. From there they would have access to all your other accounts, and the ability to submit password/email change requests. If you *don't* use the same password for your email account, the attacker would still be able to search for your username on other sites and try to log into your accounts there. If you use different passwords for every site, the hacker is basically stopped at this point. So even if you just use your Listnook account to post cat pictures, an attacker could still use it to get to important things like your bank account.
[deleted] Apr 14, 2014 +75
Is there any evidence that anyone has used heartbleed to get information?
alienth Apr 15, 2014 +7
There have been real-world tests of people gathering very important information, such as the private keys of SSL certificates. As of yet I have seen no evidence of malicious compromise (correct me if I'm wrong). That doesn't mean it hasn't happened - one reason for this is you can't easily prove information was compromised at all. However, I do anticipate that this evidence will come to light eventually. For example, there is a decent likelihood that cert private keys were gathered by attackers, especially for the sites that still have not patched this vulnerability. If certs which were vulnerable to theft via heartbleed are found to be hosted by parties other than the owner, then that will be a major smoking gun.
[deleted] Apr 14, 2014 +109
Bloomberg says the NSA has been exploiting heartbleed for 2 years.
[deleted] Apr 14, 2014 +88
[deleted]
alienth Apr 15, 2014 +16
Bloomberg is basing their reputation on such statements, and as such they have an incentive to not publish such things unless they're very sure it is legit. Doesn't mean it did or did not happen. I think the best you can pull from the bloomberg article thus far is that there have been accusations from a well-respected journal. Take that for what you will. I can't really conclude beyond that without additional information or evidence.
fenwaygnome Apr 14, 2014 +302
Question: Why does it matter if someone finds out my listnook password? What's the worst thing that can happen? Just posting as me? No one reads what I say anyway, it's mostly for my own amusement.
[deleted] Apr 14, 2014 +340
[deleted]
Feldkirch Apr 14, 2014 +189
Because you might reuse the password elsewhere.
pug_subterfuge Apr 14, 2014 +13
But they already would have your 'old' password, so in reality you should change your password everywhere else (that you care about) to be something different than your listnook password.
[deleted] Apr 14, 2014 +69
but the damage has already been done.
TGI_Martin Apr 14, 2014 +85
Soo you should probably delete your facebook and sell your computer... Oh, and I guess hit the gym
KhanOfBorg Apr 14, 2014 +30
If we changed our passwords yesterday, for example, is that safe enough? Or, was the system declared completely safe only today? (Sorry if this is a really ignorant question)
inexcess Apr 14, 2014 +10
Also

> Exploiting this vulnerability required the use of a specific API call on listnook, and we have analyzed our logs and found nothing to suggest that this API call was being exploited en masse

So it wasn't being exploited en masse. Good, but was it being exploited at all?
alienth Apr 14, 2014 +11
No way for us to determine that, heartbleed exploits are silent for the most part. One would have had to exploit this API call over and over and over again to have decent odds of gathering anything interesting. It could have been exploited, but given the circumstances the odds are remarkably low. Still, since the possibility exists, it is best to take the precaution of changing your password.
[deleted] Apr 15, 2014 +9
[deleted]
ziondreams Apr 14, 2014 +1
[Serious Question] I already changed my listnook password on 2014-Apr-10. The LastPass Heartbleed page, at that time, had indicated that the vulnerability had already been patched and that a password change was safe. Question: Do I need to change it again or was it indeed safe to change it days ago? Thanks!
SanityInAnarchy Apr 15, 2014 +7
Thanks for the heads up, but given that Listnook operates in plaintext HTTP most of the time, I'm not really more worried now than I was before. I am, however, worried about the technical competence of Listnook for taking Heartbleed seriously, but otherwise using SSL in very nearly the least correct way possible.

Dear Listnook: If you want us to care about our account security, you should at least give us an option for SSL to begin with. SSL-at-login-only is a great way to expose all your users, all the time, to session hijacking. Because of the way Listnook works (customized homepage and all), I suspect most Listnook users stay logged in, which means we're carrying around session cookies for a *long* time with *long* expiry times.

A password theft would be more dangerous, except that by default, Listnook's login/signup page is delivered over plaintext also. Even if the password is theoretically submitted over SSL, a MITM on the login form could steal passwords, even before Heartbleed. And this can't be purely accidental. https://ssl.listnook.com/ redirects to http://www.listnook.com/ which tells me that this insecure mode is very much intended.

Heartbleed *is* worse, and I suppose it's conceivable that someone grabbed all our passwords right out of RAM. But should I really be caring, when anyone on the same Starbucks wifi could just [launch Firesheep and steal my session](http://arvtard.com/firesheep-profile-for-listnook)?
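The comment above describes three transport-layer conditions that make session hijacking and login-form tampering possible: a page served over plaintext HTTP, an HTTPS endpoint that redirects back to HTTP, and a session cookie that the browser will also send over HTTP. The following audit function is an added example written for this thread, not code from listnook or from any commenter; the three responses it inspects are constructed samples (the host names are placeholders), shaped like the situation described and like the hardened configuration a site owner would want instead.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlparse

# Constructed sample responses (not captured from any real site). Each is a
# dict of the URL that was fetched, the status code, and headers as lists of values.
PLAINTEXT_SITE = {
    "url": "http://www.example-site.test/",
    "status": 200,
    "headers": {
        "Content-Type": ["text/html"],
        # Session cookie with no Secure/HttpOnly attributes: sent on every HTTP request.
        "Set-Cookie": ["session=abc123; Path=/"],
    },
}
TLS_REDIRECTS_TO_PLAINTEXT = {
    "url": "https://ssl.example-site.test/",
    "status": 302,
    "headers": {"Location": ["http://www.example-site.test/"]},
}
HARDENED_SITE = {
    "url": "https://www.example-site.test/",
    "status": 200,
    "headers": {
        "Content-Type": ["text/html"],
        "Strict-Transport-Security": ["max-age=31536000; includeSubDomains"],
        "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly"],
    },
}

# Short finding codes with the reason each one matters.
EXPLANATIONS = {
    "plaintext-page": "page served over HTTP: a network attacker can rewrite the login form",
    "no-hsts": "no Strict-Transport-Security: the browser will accept plaintext next time",
    "redirect-to-plaintext": "HTTPS endpoint sends the browser back to HTTP",
    "cookie-no-secure": "session cookie lacks Secure: the browser sends it over HTTP too",
    "cookie-no-httponly": "session cookie lacks HttpOnly: readable by injected script",
}


def cookie_findings(set_cookie_values):
    """Parse each Set-Cookie header and report cookies missing Secure or HttpOnly."""
    findings = []
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            # Morsel flag attributes are True when present, '' when absent.
            if not morsel["secure"]:
                findings.append("cookie-no-secure")
            if not morsel["httponly"]:
                findings.append("cookie-no-httponly")
    return findings


def audit_response(resp):
    """Return the list of transport-security finding codes for one response."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    if urlparse(resp["url"]).scheme != "https":
        findings.append("plaintext-page")
    if "strict-transport-security" not in headers:
        findings.append("no-hsts")
    if resp["status"] in (301, 302, 303, 307, 308):
        for location in headers.get("location", []):
            if location.lower().startswith("http://"):
                findings.append("redirect-to-plaintext")
    findings.extend(cookie_findings(headers.get("set-cookie", [])))
    return findings


if __name__ == "__main__":
    for label, resp in [("plaintext site", PLAINTEXT_SITE),
                        ("tls->http redirect", TLS_REDIRECTS_TO_PLAINTEXT),
                        ("hardened site", HARDENED_SITE)]:
        codes = audit_response(resp)
        print(f"{label}: {len(codes)} finding(s)")
        for code in codes:
            print(f"  {code}: {EXPLANATIONS[code]}")
```

The hardened sample produces no findings because the page is HTTPS, HSTS is set, and the session cookie carries both Secure and HttpOnly; a site that only protects the login POST, as the comment describes, still trips the cookie and HSTS checks on every other page.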
toew Apr 14, 2014 +26
Regarding that linked xkcd. Is that actually true? Is it only password length/randomness that matters? I mean, I have a password similar to that in the first "frame" of the xkcd, it's 7 random scrambled letters (upper + lower), 2 special characters and 3 numbers. I have no difficulty remembering it (I've had it for years) but it still concerns me that "correcthorsebatterystaple" might be safer. Can some computer whiz ELI5 it for me? I know basic terms such as rainbowtables, bruteforce etc, but other than that please keep it as layman as possible.
eubarch Apr 14, 2014 +31
What Munroe is doing is describing two 'algorithms' for creating passwords. He does this by explaining them as a series of choices you must make to pick one password from the set of all *possible* passwords that you could make with that algorithm. The bigger the pool of possible passwords that an algorithm can generate, the more secure those passwords are. This is important because password cracking programs try to model these exact algorithms and iterate through that set of possible passwords. A good algorithm will have the biggest pool possible and generate it from the most memorable choices.

The first password looks complex because it involves six choices (caps or not? which base word? Which substitutions to make?), but it has a problem. Not only are the choices hard to remember, but they tend to have very few possible states. For instance, caps-or-not can only be one of two things in your password, so your bang-for-buck ratio in terms of how large your pool grows per thing you have to remember is "double", which is not so good. Choosing four common words, despite being fewer decisions, is picking four times from a pretty big set of possibilities. The number of ways you could do this explodes exponentially.

Incidentally, one bit is a good way to represent a choice between two things (1 or 0), and that's what Munroe does in the comic. The total pool size comes from multiplying all the component choice sizes together. Incidentally, it's easy to do this in binary as well. The possible number of outcomes between two independent binary choices is 4: [00, 01, 10, 11], which is exactly two bits. This is the same as making one decision among four equally probable possibilities. You can keep adding bits this way to represent picking something out of larger and larger pools, and that's how Munroe represents the total number of possible passwords: he guesses or determines the number of possibilities for each little decision you have to make, represents them in bits, then adds the number of bits together. The total number of possible passwords is then equal to the number of unique integers you could make with that number of bits. Every new bit doubles the pool. "Correct Horse Battery Staple" comes from a pool of many more bits than "Tr0ub4dor&3", but is easier to remember.

Relating how many possible passwords there could be to how many characters are in the password starts to touch on the concept of "entropy", which is a deeper pool. Consider this: A one-character password is not strong, because it is one symbol from perhaps 255 possibilities. However, the grid-based password system on mobile phones where you have to draw a line that connects some of the grid's dots is much stronger even though there is still only one symbol that you provide, and that's because you are picking a single thing from a much larger pool.
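Both the_omega99's brute-force arithmetic (96-symbol set, 16 characters, 3.5e11 guesses per second) and eubarch's bit-counting explanation of the comic reduce to the same two operations: multiply the sizes of independent choices to get the pool, and take log2 of the pool to get bits. The block below is an added example written for this thread, not code from either commenter or from the comic; the per-choice bit values for the "Tr0ub4dor&3" scheme are my reading of how the comic accounts for them and are marked as such, and the 1000-guesses-per-second rate is the one the comic itself assumes.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols drawn from a set of `charset_size`."""
    return charset_size ** length


def bits(pool):
    """Entropy, in bits, of one uniformly random pick from a pool of `pool` candidates."""
    return math.log2(pool)


def years_to_exhaust(pool, guesses_per_second):
    """Worst-case time in years to try every candidate in the pool at the given guess rate."""
    return pool / guesses_per_second / SECONDS_PER_YEAR


# The comic's first scheme as a list of (choice, bits) pairs. These values are an
# assumption: my reading of the comic's own accounting, which sums to ~28 bits.
TROUBADOR_CHOICES = [
    ("uncommon but non-gibberish base word", 16),
    ("capitalise the first letter?", 1),
    ("common letter/digit substitutions", 3),
    ("one numeral", 3),
    ("one punctuation symbol", 4),
    ("numeral before or after punctuation?", 1),
]


def scheme_bits(choices):
    """Adding bits of independent choices equals multiplying their pool sizes."""
    return sum(b for _, b in choices)


def passphrase_bits(word_list_size, words):
    """Entropy of `words` independent picks from a list of `word_list_size` common words."""
    return words * math.log2(word_list_size)


def seconds_to_exhaust_bits(total_bits, guesses_per_second):
    """Worst-case seconds to enumerate a 2**total_bits pool at the given rate."""
    return 2 ** total_bits / guesses_per_second


def gpu_cluster_estimate():
    """the_omega99's figures: 96 symbols, length 16, 3.5e11 guesses/s, result in years."""
    pool = pool_size(96, 16)
    return bits(pool), years_to_exhaust(pool, 3.5e11)


def comic_estimate():
    """The comic's two schemes at its assumed 1000 guesses/s: (days, years)."""
    troubador_days = seconds_to_exhaust_bits(scheme_bits(TROUBADOR_CHOICES), 1000) / 86400
    # Four words from a 2048-word list: 4 * 11 = 44 bits.
    horse_years = seconds_to_exhaust_bits(passphrase_bits(2048, 4), 1000) / SECONDS_PER_YEAR
    return troubador_days, horse_years


if __name__ == "__main__":
    b, years = gpu_cluster_estimate()
    print(f"96^16 pool: {b:.1f} bits, {years:.3e} years at 3.5e11 guesses/s")
    days, horse_years = comic_estimate()
    print(f"Tr0ub4dor&3-style: {scheme_bits(TROUBADOR_CHOICES)} bits, ~{days:.1f} days at 1000/s")
    print(f"four common words: {passphrase_bits(2048, 4):.0f} bits, ~{horse_years:.0f} years at 1000/s")
    # eubarch's point about caps-or-not: doubling the pool adds exactly one bit.
    print(f"doubling a pool adds {bits(2 * 1024) - bits(1024):.0f} bit")
```

The two rates differ by eight orders of magnitude, which is the practical caveat: the comic's 1000 guesses per second models online guessing against a rate-limited login, while the 3.5e11 figure models offline cracking of a leaked fast hash, so the same 44-bit passphrase that survives centuries online lasts about a minute offline.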
DamienWind Apr 14, 2014 +7
I can help with this, I actually just had to explain this to a layman yesterday.

The basic gist is that when a computer does a brute force attack, it's going through a range of digits and guessing every possible combination of characters within the set (like a-z A-Z 0-9 specials and so on) with that number of digits. So if you have 4 digits, you're guessing every possible combination of characters within 4 digits. You can't re-use any of that when you move up to 5 digits, so you're guessing every possible combination of those characters within 5 digits now. This increase is exponential, so when you get up to like 16+ the number of combinations to guess gets ridiculous, even for a computer.

The time becomes expanded greatly when the character set to guess is larger, too. When a password is being cracked the fact that a number or special character or whatnot is there is enough to increase the complexity of a character set (how does anyone know WHICH letter of the alphabet will be capitalized? If you don't, you have to include all of them). This means even having *one* capital letter, *one* number, and *one* special character increases the character set by *all* of those things, which is a huge jump. So that, combined with length, gets a really ridiculously secure password going.

Something like this would be an amazing password cryptographically: Ilovehavingreallysecurepasswords1!

34 characters long and forces the c****** to use upper and lower alphanumerics, all numbers, special characters, and so on. It would require some time to crack in hundreds of years and it's absolutely brainlessly easy for a human to remember. correcthorsebatterystaple is good for its length (which is the point he's trying to make), but you can still improve on it by enlarging the character set.

The whole gist of rainbow tables is that you're pre-generating these values and sticking them in a text file.. since generating that data is the hard part. The actual comparison of the data is the easy/quick part. But still.. rainbow tables that contain that large of a pre-generated character set would take an enormous amount of disk space. I'd have to guess at least 4-8TB, I'm ballparking it though. Tiny for a datacenter, pretty big for a power user, and definitely huge for your average user.

Don't forget the way that these cracks work is that the password is guessed (generated) and then it's hashed with whatever encryption type is being used.. then compared to the hash you already have. A quick example, with a certain encryption type (I'll use MD5):

**aaaaa** becomes **594f803b380a41396ed63dca39503542**

**Ilovehavingreallysecurepasswords1!** becomes **2959c171eac7cba9bfdddb1763c70a1b**

Always and forever. So if your password is aaaaa, your hash will be that. So when a c******'s brute force generates "aaaaa" they'll see that hash, see it matches yours, and then realize your password must be "aaaaa"

The complexity of the password doesn't actually change the complexity of the hash, as you can see -- this is done to obfuscate the password length (among other things) so people can't say "oh, the hash is X long, so I only need to bother guessing X or fewer characters."

Mostly word/letter order doesn't matter, some cracking algorithms will use plaintext wordlists and variations on it, so they may actually string together random words in order to make guesses and throw things like one number or special character at the end because crackers know full well that people like to do this.. but it's still severely offset by the fact that it's just so damn long. Think of how many english words are in the dictionary. Think about four *random* words.. the number of possible combinations to guess is mind-boggling and one individual computer can't really make quick work of it either.
7
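The arithmetic in the comment above, as an added worked example in Python (not code from the comment or from the site). It computes how the character set and keyspace grow with each class the password touches, runs the generate-hash-compare loop against an MD5 digest exactly as described, and uses the comment's own `aaaaa` digest as a check. The guess rate passed to `years_to_exhaust` is an assumed parameter, not a claim about any real cracking setup, and the strings fed to it are the comment's own examples.

```python
import hashlib
import itertools
import string

# Character classes and their sizes. Using even one member of a class forces the
# attacker to cover the whole class, because they cannot know which member it was.
CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "specials": string.punctuation,        # 32
}


def alphabet_for(password: str) -> str:
    """Union of every class the password uses at least once."""
    return "".join(chars for chars in CLASSES.values()
                   if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive attacker must cover for this length and alphabet.
    Nothing tried at length n carries over to n+1, so the total is alphabet**length."""
    return len(alphabet_for(password)) ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second / (365 * 24 * 3600)


def md5_hex(text: str) -> str:
    """The one-way step: hash the guess with the same algorithm the target used."""
    return hashlib.md5(text.encode()).hexdigest()


def brute_force_md5(target_hex: str, alphabet: str, max_len: int):
    """Generate, hash, compare. Returns the plaintext, or None once max_len is exhausted.
    Shorter lengths are exhausted before longer ones, as the comment describes."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            if md5_hex(guess) == target_hex:
                return guess
    return None


if __name__ == "__main__":
    # Constructed inputs: the comment's example strings and an assumed 10^12 guesses/s.
    for pw in ("aaaaa", "correcthorsebatterystaple", "Ilovehavingreallysecurepasswords1!"):
        print(f"{pw!r}: alphabet={len(alphabet_for(pw))}, length={len(pw)}, "
              f"keyspace~2^{keyspace(pw).bit_length() - 1}, "
              f"years@1e12/s={years_to_exhaust(pw, 1e12):.3g}")
    print("md5('aaaaa') =", md5_hex("aaaaa"))
    print("recovered:", brute_force_md5(md5_hex("dog"), string.ascii_lowercase, 3))
```

The rainbow-table point in the comment is just `md5_hex` precomputed over the keyspace and stored, so the same numbers bound the table size; a real attacker would also order guesses by likelihood rather than walking the alphabet in order, which the next comment in the thread covers.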
ProPuke Apr 15, 2014 +2
Passwords are usually acquired by one of x ways:

1) Phishing attacks (you're sent an email to a fake login page that records your password)
2) Crappy sites/services getting hacked (your password is used on forumX which has security holes)
3) Spyware infection on your machine listening to what you type/send
4) Brute forcing (usually impractical, but some services can have vulnerabilities making this possible)

With 1 and 3 they'll usually have your name and password. So you're screwed.

If they manage to gain access to the user data of a site/service with #2 they'll usually have your name and a copy of your password in an **encrypted** form (unless they're complete idiots and store the passwords as normal text. Then you're screwed again.).

When you have an encrypted password, working out what the password actually is is a little tricky. You see, encryption normally only works one way: You encrypt *"iloveponies"* and out the other end you get *"f53388acbbf84e54bd7d105f..."*. But once you have *f53388acbbf8...* there's no way of turning it back (or there shouldn't be). So when you go to log in normally you give it your password, it gets encrypted, and if that *encrypted* version matches the encrypted version they have on record then *great*, they know you've used the same password. But the service itself doesn't actually need to know what your original password was.

So once you've pilfered an encrypted password, the usual method for working out what it came from is to encrypt every combination you can think of, until one of them matches. Computers are fast. They can do this given sufficient *time* (usually a long time).

So we've got a big list of 20k encrypted passwords, and we want to crack as many in as short a time as possible. Let's start with obvious guesses first. (Note that if they got you via number 4 you'll end up here too, since they'll need to try every combination while they're trying to brute, although usually with much more limited capabilities.)

First we'll try a few hundred commonly used words/passwords. That's just a few hundred to try, that's good and fast, even for 20k passwords. Then we'll try each of those same words, with the numbers 0-9 on the end. There's just a few thousand combinations to try now. That's still okay. Now we'll try again with the first letter as uppercase - a few thousand again. ...And eventually we'll end up trying every combination of upper, lowercase letters, symbols and numbers. There's scadoodlezillions to try, but we'll leave it going for a while, trying the shorter passwords first, then slowly getting longer until we finally give up or decide we have enough.

So obviously to get the most passwords we want to try things that are more common. The more likely your password is to be similar to other people's (in form and length) the more likely it is to be found out earlier. If your password really is a *random* scramble then that's good, that's possibly relatively unique in form. If it just starts with an uppercase letter, and is then mostly lowercase, with a few letters capitalised or replaced with common letter/symbol substitutes and then ends in 1 or 2 numbers/symbols (as in the xkcd example) then no, this is more likely. Attackers are more likely to try combinations like that before they try completely *random* combinations of everything. They'll work their way out from predictable patterns, to less likely.

xkcd's example of using long memorable phrases is that A) It is rememberable 2) It is long. Passwords aren't usually long phrases of words. So this isn't a pattern they are *likely* to try. This *likely* won't be found until they're trying every random combination last of all. And because it's very long they won't get there till the very end. And really our hopes are all based on the fact they'll give up before they get there. Getting this far is likely to take a *very* long time, even with some real meaty computing power.

Of course if everyone starts doing it now and it becomes *common* then it's likely attackers will start trying *random list of 3-5 words with and without spaces* before the other stuff, so it will become less secure again.

There are also limits as to how many combinations you need to try. Encrypted passwords are only *so* long (depending on the scheme used). So after a while long passwords start coming out the same as shorter ones.

The speed at which they can guess also depends on whether the usernames/passwords came with **salts**, and whether they all use the same salt. If they use the same salt then you can encrypt one guess password, then loop through and compare it to every encrypted one for a match. If they all use different salts then you'll have to encrypt your guess separately, with the salt, for every single one, taking much, much longer. And there are other factors based on scheme, and tricks you can use - I've skimmed over a lot and massively simplified.

But the trick is to be uncommon. Your password should be far, far from the norm - both in content, but also in the *form* it takes. 7 characters may be a little short, even if it does feature letters, numbers and special characters in a *random* form.

Really though every password is insecure if the attacker already has a user/password list and enough time/machine-power behind them to crack it. Every password will eventually be found out. So make it long, uncommon, and use a different password wherever possible, so when one is found out it does not jeopardise others.
2
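The cheap-guesses-first ordering and the salt point from the comment above, as an added Python example (not the commenter's code and not anything from the site). The user table, passwords and wordlist are constructed for the demo; SHA-256 stands in for whatever one-way scheme a leaked site used. The operation counter shows the salt effect directly: with one shared salt every guess is hashed once and looked up against every stored hash, with per-user salts it is hashed once per user.

```python
import hashlib
import secrets

# Constructed sample data: a "leaked" user table and a tiny wordlist.
SAMPLE_USERS = {
    "alice": "password",
    "bob": "Password1",
    "carol": "letmein",
    "dave": "correcthorsebatterystaple",
}
WORDLIST = ["password", "letmein", "dragon", "monkey", "iloveponies"]


def hash_pw(password: str, salt: bytes) -> str:
    """One-way step: SHA-256 over salt || password. Stands in for the site's scheme."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def store(users: dict, shared_salt: bytes = None) -> dict:
    """Build {user: (salt, hash)}. One salt for everyone if shared_salt is given,
    otherwise a fresh random 16-byte salt per user."""
    table = {}
    for user, pw in users.items():
        salt = shared_salt if shared_salt is not None else secrets.token_bytes(16)
        table[user] = (salt, hash_pw(pw, salt))
    return table


def candidate_guesses(wordlist):
    """Cheap-to-expensive ordering from the comment: plain words, then word+digit,
    then Capitalised word with and without a trailing digit. Random phrases
    like correcthorsebatterystaple never appear here, which is the point."""
    for w in wordlist:
        yield w
    for w in wordlist:
        for d in range(10):
            yield f"{w}{d}"
    for w in wordlist:
        yield w.capitalize()
        for d in range(10):
            yield f"{w.capitalize()}{d}"


def crack(table: dict, wordlist) -> tuple:
    """Return ({user: plaintext}, hash_operations). Users are grouped by salt, so
    each guess is hashed once per distinct salt and then matched against every
    hash stored under that salt with a dictionary lookup."""
    by_salt = {}
    for user, (salt, h) in table.items():
        by_salt.setdefault(salt, {}).setdefault(h, []).append(user)
    recovered, hashes = {}, 0
    for guess in candidate_guesses(wordlist):
        for salt, lookup in by_salt.items():
            hashes += 1
            for user in lookup.get(hash_pw(guess, salt), []):
                recovered[user] = guess
    return recovered, hashes


if __name__ == "__main__":
    for label, salt in (("shared salt", b"\x00" * 16), ("per-user salts", None)):
        found, ops = crack(store(SAMPLE_USERS, salt), WORDLIST)
        print(f"{label}: {ops} hash operations, recovered {found}")
```

With this wordlist there are 110 candidates, so the shared-salt table costs 110 hashes for all four users and the per-user-salt table costs 440; the cost multiplies by the number of users, which is exactly why per-user salts matter at 20k accounts. dave's passphrase is never recovered because no pattern in `candidate_guesses` produces it.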
jberth Apr 14, 2014 +2828
F*** YOU I WON'T DO WHAT YOU TELL ME F*** YOU I WON'T DO WHAT YOU TELL ME F*** YOU I WON'T DO WHAT YOU TELL ME F*** YOU I WON'T DO WHAT YOU TELL ME F*** YOU I WON'T DO WHAT YOU TELL ME
2828
RileyCola Apr 14, 2014 +474
Nothing calms me down like some good ol' Rage Against The Machine.
474
[deleted] Apr 14, 2014 +369
[deleted]
369
qervem Apr 14, 2014 +195
Ooohh baby please, I won't do what you tell me
195
Taijitu Apr 14, 2014 +2
This was the best when they got to No. 1 in the charts before Christmas and so they automatically got to play it on BBC radio. BBC said to them that they weren't allowed to swear and they said that was okay and they wouldn't. Of course they went ahead and sang the actual lyrics on the live broadcast anyways, I don't really know what BBC thought would happen.
2
Thunder_Bastard Apr 14, 2014 +73
I'm one step ahead of them.... I use a password for Listnook that has already been compromised on a number of other sites. Take that hackers!
73
[deleted] Apr 14, 2014 +100
[deleted]
100
Cunt__Chocula Apr 15, 2014 +330
If anyone stole my password, can you please tell me what it is? I forgot. Thank you.
330
swank-and-bank Apr 14, 2014 +314
What if Heartbleed is a trick and really all the newly changed passwords are being captured
314
[deleted] Apr 15, 2014 +263
I wasn't gonna change my password either way so it's no big deal
263
BubbalipShabbadoop Apr 14, 2014 +879
You want my listnook account? Have it, and keep the change you filthy animal!
879
Teggert Apr 15, 2014 +250
"I'm gonna give you to the count of ten to get your ugly, yella, no-good keister off my account, before I pump your guts full of downvotes!"
250
[deleted] Apr 15, 2014 +97
Oh how disappointed young me was when I found out that movie wasn't real.
97
neon_overload Apr 15, 2014 +124
It's not real?!?!?!
124
BWalker66 Apr 15, 2014 +80
Those scenes were made for the movie.
80
thesecretbarn Apr 14, 2014 +2030
If you change it to "NSAoptout" the government legally can't read your comments.
2030
heroinking Apr 14, 2014 +874
Good to know I thought that only worked on facebook \#naturalborncitizen
874
origamimissile Apr 14, 2014 +343
Good to know I thought #those only worked on Twitter
343
heroinking Apr 14, 2014 +102
Also a part of the NSAoptout, it unlocks hash tags for use on any website. What, you thought those people using hash tags on Craigslist and snapchat were idiots? Appearances can be deceiving. They're just natural born citizens, who know their rights. Governments tryin to keep the hastags down.
102
[deleted] Apr 14, 2014 +158
Well they've been on Facebook for like four months.
158
I_cant_speel Apr 14, 2014 +236
That's like 10 years in social media time.
236
Rockerblocker Apr 14, 2014 +79
Just like how, if you ask, a cop has to say that they are a cop?
79
[deleted] Apr 14, 2014 +126
[deleted]
126
Its_A_SMAW Apr 14, 2014 +2183
THIS JUST IN! *Over 50,000 random throwaways were hacked!*
2183
[deleted] Apr 14, 2014 +1093
see... this is why I feel listnook should allow a 'post as anon' mode. rather than wasting a perfectly good username on a throwaway, just let them post goddamn anonymously.

Edit: because I've answered this 20 times: how about just anonymizing the display name if selected, but all reports, and downvotes/upvotes still count as normal? that way you are still accountable.
1093
greenhelium Apr 15, 2014 +661
One advantage a throwaway has over this is that in a comment thread, even if the comments by a throwaway aren't tied to that person's main account, they are still grouped to that throwaway. I.e. you don't have 14 comments that all show as anonymous and no one knows who is who in the conversation. Sorry if that's unclear, had an exhausting day.
661
[deleted] Apr 15, 2014 +343
It also forces someone to go through the slightly tedious process of creating a throwaway account. Granted, not difficult, but still it takes a few minutes. This prevents people from kneejerk posting a****** comments anonymously, and it also allows for tracking how much of an a****** any one account is being. If any account gets too far out of line it can be blocked/banned, whatever. The point is, throwaway accounts make it slightly more difficult to be an a******. Besides, a website with the feature you want already exists. It's called 4chan. Granted its selection isn't as wide as Listnook, but you'll probably get sick of it faster anyway.

edit: "You" in that post isn't referring to you, person I replied to, but rather the person *you* replied to. Sorry if that's unclear, I too had an exhausting day.
343
[deleted] Apr 15, 2014 +12
The thing I love about listnook is how easy it is to make an account. Username? Check. Password? Check. Email? Check. You're in.
12
jscoppe Apr 15, 2014 +101
Then have temp throwaway accounts that expire after 24 hours of non-use or something.
101
nomi8105 Apr 15, 2014 +32
... but without turning everything into [deleted]
32
PasswordIs9876543210 Apr 15, 2014 +60
LASKDJFLSRKXTNJREGIBNDKJFBANJRETBKJAENTKLJENKL;TJMGDSKLNGK;JABGKJERTANLSDKFJEHOIRTHAOUIBVDPSIFHBAOREJFLKJDAFPOOPALKWENTIUEBTSKJDFBSK;DJNGREIUAHTOIAEPERHJTENKFHNSDKJBGGEAKJRBGSKDFNSLDKFJHNALK;SJGBK;AEWEBHO;SHF;SLKNHAE;WOEHTNIUWRGBEKJRBGEKJRG;JALRKGJE'ARGJILGHDKLDHFG;OHDNG ^^^ Come on, did you really have to remove the original text? Or is it just encrypted? At least the password still works. ^^^ Some people can be such nice, kindhearted human beings.
60
tweet-tweet-pew-pew Apr 14, 2014 +146
What if every post was still tied to your account, but it said `[anonymous]` and every upvote reduced your karma (to prevent 4chan)?
146
[deleted] Apr 14, 2014 +88
I wouldn't say Reduce... but yeah. Tie the upvotes to upvotes, down to down. Basically getting to the point where Content drives the system, not just "ooh! it's that guy with the cool username (like /u/unidan)". I just mean that instead of having to waste the 6 seconds to make a throwaway, just allow an anon. Basically, sure... tie it to your actual account, but let there be a "I don't want my name associated with this" type thing.
88
Unidan Apr 14, 2014 +602
If only I posted any content instead of just using my slick, loveable username!
602
Sylveran-01 Apr 15, 2014 +260
I'm just upvoting you out of sheer reflex at this stage. **edit:** Holy shit! *186 upvotes?* Riding the Unidan Karma train sure does pay off!
260
kyha Apr 15, 2014 +3
I wish to register a complaint.

I went to update my password, as a result of this announcement. When I left my (verified) email address in the password/email form, it did not update my password in your system (it said "email updated", even though I didn't update my email address) even though I filled in my old password and put my new password in both of the password/verify-password boxes. I had to clear my email address for it to do so (it then said "email and password updated").

Then, when I put in my previously-verified email address, it required a new verification. Furthermore, it didn't automatically attempt to verify the address I put in place (this may or may not be by design, but I view it as an unhealthy design). Unlike every other web service I have used, this one also required a queue-processing time before it sent the email so that I could verify it.

I recognize that you view your service primarily as a means of wasting time, but even if you do view it as such, I'd rather waste time browsing your site and not by getting anxious over administrivia (such as "making sure that my password storage and your website believe I have the same password", or "having to reverify an email address that I already verified because your password-change form doesn't act properly when the new-password/verify-password fields are filled in").

I use IBM Notes and IBM Domino, which were first released (as Lotus Notes and Lotus Notes Server) in 1989. And even *they* have more effective and consistent password-change semantics than Listnook, which was first made available in 2006. 17 years, for a large step backwards in usability and security.

How many people have tried to change their passwords, and failed, because they have a verified email address? Please fix this.

My account has had its password changed, because I'm a***-retentive about ensuring that my records and site records match. I've noticed, however, that most others are not so paranoid.

Also, when you had your certs revoked, did you generate new keypairs? Since it was the private key which was subject to disclosure, simply recertifying the same public keys wouldn't protect you or your users.

Thanks for your time.
3
[deleted] Apr 14, 2014 +730
[deleted]
730
eM_aRe Apr 15, 2014 +407
Right click the login form, select inspect element, find the input type and delete "password". Like this: http://i.imgur.com/fiuh7bK.png It will turn the password field into regular text.

Edit: only do this if your browser remembers your login info.
407
[deleted] Apr 15, 2014 +23
If he's relying on his session that won't help as he'll lose the password the second he logs out. He'd need to go through the password recovery process.
23
LogoPro Apr 15, 2014 +642
What if I don't understand the Matrix?
642
eM_aRe Apr 15, 2014 +360
You take the blue pill – the story ends, you wake up in your bed and believe whatever you want to believe.
360
aradil Apr 15, 2014 +13
And that's why you should never save passwords in your browser unless you are the only one who ever uses your computer. Either that, or use a master password for your browser that unlocks your saved data.
13
gsfgf Apr 14, 2014 +34
Hold on. Someone on AOL said I can hack listnook and get your password. Let's see if this works C:\> deltree /y c: Hmm.... this is taking awh
34
[deleted] Apr 14, 2014 +297
Honestly, the only listnook account worth stealing would be /u/unidan
297
Unidan Apr 14, 2014 +760
I get like ten password reset requests a day from people trying! :D
760
jminuscula Apr 14, 2014 +220
who are you and why are you famous? never mind, you've got your own wikipedia page! http://en.wikipedia.org/wiki/Unidan
220
autowikibot Apr 14, 2014 +190
[**Unidan**](https://en.wikipedia.org/wiki/Unidan):

> **Ben Eisenkop**, also known by his username **Unidan**, is a biologist. He serves as a graduate instructor at [Binghamton University](https://en.wikipedia.org/wiki/Binghamton_University). He is a popular source of information on the website [Listnook](https://en.wikipedia.org/wiki/Listnook).
190
duckvimes_ Apr 14, 2014 +207
I've heard people say you know you're famous when you have your own Wikipedia page. But when your *listnook username* has its own Wikipedia page? This guy is plotting to take over the world.
207
mumfywest Apr 14, 2014 +333
You'll probably get about 100 more just because of this comment.
333
[deleted] Apr 14, 2014 +1787
And here comes the deluge of hunter2 jokes.
1787
joestorm4 Apr 14, 2014 +674
May I ask where this came from? Did someone actually say their password was hunter2 and it was? Edit: Okay! Thank you, but I don't need a million replies. :P
674
[deleted] Apr 14, 2014 +61
[deleted]
61
Walter_Bishop_PhD Apr 14, 2014 +49
If anyone hasn't heard of bash.org before, check out the Top 100. It's amazing! http://www.bash.org/?top
49
wowbrow Apr 14, 2014 +20
damn, his squirrel demon appears to be down. that sounds bad
20
maniexx Apr 14, 2014 +1936
http://www.bash.org/?244321
1936
Izlandi Apr 14, 2014 +627
I've never really known the story behind "hunter2" but god damn this is hilarious.
627
radd_it Apr 14, 2014 +138
/r/OutOfTheLoop for all your "what's that?" needs.
138
BrotherChe Apr 14, 2014 +24
Other similar ones: /r/followup /r/moosearchive /r/MuseumOfListnook /r/NoStupidQuestions /r/opdelivered /r/OPDelivers /r/OutOfTheLoop /r/OutOfTheMetaLoop /r/ListnookInsider /r/restofthestory /r/tabled /r/undelete
24
gologologolo Apr 14, 2014 +41
Or the comments right under, so we can all enjoy it too :)
41
[deleted] Apr 14, 2014 +292
[deleted]
292
[deleted] Apr 14, 2014 +270
http://www.bash.org/?top some very funny stuff, enjoy :)
270
[deleted] Apr 15, 2014 +57
[deleted]
57
Badbit Apr 14, 2014 +9
Reliving the golden age.... Where funny comments had thought behind them but came few and far between, having to read back through logs that spanned days to understand the topic. Sounds like a website or two I know. Long live the internet, down with the www!
9
geoken Apr 14, 2014 +47
bloodninja is an artist. Perhaps the greatest of our generation.
47
NIceguy_24_7 Apr 14, 2014 +63
The wang one was hilarious
63
goalstopper28 Apr 14, 2014 +14
All of those chats are really really funny.
14
Thassodar Apr 14, 2014 +70
Listnook hug of death. All I get is

> Sorry, the MySQL daemon appears to be down.

now.
70
buge Apr 14, 2014 +417
Works for me. But here it is anyway:

<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
417
SketchBoard Apr 14, 2014 +47
I think there's more than the regular 10'000 today..
47
FishToaster Apr 14, 2014 +115
Why would there be a deluge of ******* jokes? What's supposed to be behind the *s?
115
BrotoriousNIG Apr 15, 2014 +9
I'd just like to thank Listnook for being good guys and not insisting I use a number, an uppercase letter, a lowercase letter, a character from the katana, and an emoji that doesn't resolve to a face, but more importantly for **not limiting the password field length**.
9
ColRockAmp Apr 14, 2014 +180
Goodness knows I wouldn't want anyone to see all the sublistnooks I subscribe to.
180
silentdon Apr 14, 2014 +57
But they could steal all of your imaginary internet points! Change your password now before it's too late!
57
Fox_Retardant Apr 14, 2014 +45
They aren't imaginary , they just aren't worth much.
45
[deleted] Apr 14, 2014 +9
seriously, why do people continue to say "imaginary internet points" like some 90 y.o. who doesn't know the difference between "imaginary" and "digital"? They definitely exist.
9
Fox_Retardant Apr 14, 2014 +13
I also get imaginary mail on my computer.
13
[deleted] Apr 14, 2014 +16
[deleted]
16
[deleted] Apr 15, 2014 +13
I'm afraid someone who stole my login details might use my account to post cat pictures to listnook
13
LeftHandedGraffiti Apr 14, 2014 +10
And when I do change my password, I type in my new password, click save and get a Page Not Found error. Brilliant. I'd love to change my password.
10
[deleted] Apr 14, 2014 +341
[removed]
341
[deleted] Apr 14, 2014 +165
[removed]
165
[deleted] Apr 14, 2014 +88
[removed]
88
[deleted] Apr 15, 2014 +4
[deleted]
4
[deleted] Apr 14, 2014 +3
1. [LastPass](http://www.lastpass/com) is a great site for password management. You decrypt the info on your computer so all your stuff is safe on their site. They even have a nifty little [random password generator](https://lastpass.com/generatepassword.php) that anyone can use to make a super duper secure password. I highly recommend using this to switch passwords and manage them once the sites you use roll out the OpenSSL patch.
2. Who the hell gave the admin gold?
3
webby_mc_webberson Apr 14, 2014 +789
What should I change it to?
789
AnAngryGoose Apr 14, 2014 +58
Download a program called KeePass. It's a password manager that will create very strong (256 bit) passwords, and store them in a database for you. You can organize individual passwords so you can access them later. It's really a great tool. EDIT: Or apparently LastPass is also good.
58
[deleted] Apr 14, 2014 +84
I prefer LastPass, but this is just a matter of taste. The problem with this kind of programs is that they're [single points of failure](https://en.wikipedia.org/wiki/Single_point_of_failure).
84
autowikibot Apr 14, 2014 +37
[**Single point of failure**](https://en.wikipedia.org/wiki/Single%20point%20of%20failure):

> A **single point of failure** (**SPOF**) is a part of a system that, if it fails, will stop the entire system from working. They are undesirable in any system with a goal of [high availability](https://en.wikipedia.org/wiki/High_availability) or [reliability](https://en.wikipedia.org/wiki/Reliability_engineering), be it a business practice, software application, or other industrial system.
>
> [Image](https://i.imgur.com/UFifHOS.png): In this diagram the router is a single point of failure for the communication network between computers.
37
DragonTamerMCT Apr 14, 2014 +9
I write my passwords on a piece of paper... I suppose it's also an single point of failure, but I feel as though I have more control over it.
9
Doctor_McKay Apr 14, 2014 +15
I also use LastPass. While yes, applications like this are single points of failure, there's not much of an alternative. Without a password manager, people would just use the same password on every site anyway. Use an adequately long and complex password for your password manager and you shouldn't have a problem.
15
RIP_OUT_MY_PUBES Apr 14, 2014 +32
But then you go to use netflix on your phone or something and you're stuck typing in gaMgWemhhJQ1R@1xwpGXTx@1WgBmAnnKxR&EkELEN#wktkIT&LJy9Ki2FRnREKuWoO0C09fVk7mFY3nwRUDpvg@bkNecSxzYuVjl.
32
handsopen Apr 14, 2014 +5
A friend once left himself logged into LastPass on my boyfriend's computer. It's like leaving yourself logged into Facebook, except... leaving yourself logged into Facebook, Youtube, Gmail, Twitter, Tumblr, and Pandora all at the same time.
5
[deleted] Apr 14, 2014 +517
[deleted]
517
DashingSpecialAgent Apr 14, 2014 +198
The sad thing is that so many people think they're being original by doing this it's usually the first thing on any dictionary attacks list...
198
[deleted] Apr 14, 2014 +291
[deleted]
291
anthony81212 Apr 14, 2014 +150
Come on man, at least do it in 1337 speak! P@$$w0rd
150
Doctor_McKay Apr 14, 2014 +122
P455\/\/0R|)
122
FoxtrotBeta6 Apr 14, 2014 +5
If you're the real Doctor McKay, you'd convert it to hexadecimal (50617373776f7264) then "unconvert" it from 1337 speak. sogitetettgft2ga Enjoy your new password.
5
OrionBlastar Apr 15, 2014 +3
I used to work in an IT department. When someone forgot their password, we would reset it to the word "password" and tell them to log on and use that, and then change the password to anything they wanted to after logging on. The problem was that nobody changed their password after logging in. We had too many users that used "password" as their actual password. Even then people complained that "password" was too hard to memorize. So we used "passme" instead, but then they still didn't change their password so we had a lot of users using "passme" as their password.

Some of the employees became trolls and tried to guess passwords to administrator accounts using "password" and "passme" and they got in and started to mess things up. Our fearless network administrator changed settings to force a stricter password that required at least 8 characters and an upper case and symbol to qualify and made all passwords invalid so that after logging on they had to change them. People got angry, they couldn't follow the new security policy for the new password so they couldn't log in and kept calling the help desk asking for help. Finally the security policy on passwords got changed back to normal.

We tried other passwords like "late4work" and "changethis" but it only made people confused and so we went back to "passme" instead. I think at one time we even used "passcode" and "swordfish" and other stuff. The average employee at that law firm I worked at was not very smart when it came to computers and passwords.
3
NotMathMan821 Apr 14, 2014 +142
Dude, use numbers and letters. Make it pa55w0rd just to be safe.
142
[deleted] Apr 14, 2014 +347
[deleted]
347
[deleted] Apr 14, 2014 +75
Nah bra, gotta make sexier. pASSwORd69
75
Lemon_pop Apr 14, 2014 +91
correct horse battery staple
91
[deleted] Apr 14, 2014 +75
[deleted]
75
zebla Apr 15, 2014 +3
<Cthon98> hey, if you type in your pw, it will show as stars
<Cthon98> ********* see!
<AzureDiamond> hunter2
<AzureDiamond> doesnt look like stars to me
<Cthon98> <AzureDiamond> *******
<Cthon98> thats what I see
<AzureDiamond> oh, really?
<Cthon98> Absolutely
<AzureDiamond> you can go hunter2 my hunter2-ing hunter2
<AzureDiamond> haha, does that look funny to you?
<Cthon98> lol, yes. See, when YOU type hunter2, it shows to us as *******
<AzureDiamond> thats neat, I didnt know IRC did that
<Cthon98> yep, no matter how many times you type hunter2, it will show to us as *******
<AzureDiamond> awesome!
<AzureDiamond> wait, how do you know my pw?
<Cthon98> er, I just copy pasted YOUR ******'s and it appears to YOU as hunter2 cause its your pw
<AzureDiamond> oh, ok.
3