Hackers Find Way To Hit Hushmail
from the back-door dept
Hushmail, the web-based email service that boasts “total security,” just got a dose of insecurity. Apparently someone hacked into Hushmail’s domain name registrar, Network Solutions, and redirected the website to a staged site with graffiti. The company says no data was compromised, but even a minor security breach looks pretty bad when security is your raison d’etre. Just goes to show that maybe you can never be too paranoid when it comes to securing your computing experience, as Mark Burnett writes in his column. He admits that his precautions might be extreme (50-character passwords, anyone?), but that they can’t hurt either. Sometimes, they even deter new, unanticipated threats. In other words, even super-secure email services are susceptible to attack and might benefit from other means of protection.
Comments on “Hackers Find Way To Hit Hushmail”
can't hurt?
“He admits that his precautions might be extreme (50-character passwords, anyone?), but that they can’t hurt either.”
I disagree — even if it’s a 50 character password, you still need to throw non-alphanumerics in there (to avoid dictionary attack). At that point, in order to remember a 50 char password, it’s going to have to be written down somewhere, or in some way obvious (otherwise you’ll lock yourself out, too). So it could hurt.
Really, what’s needed (and has been mentioned here before) is a combination of a good password of reasonable length (10 chars?) PLUS some personal identifier (bioinformatics, one of those hardware devices with a constantly changing key (drawing a blank on what they’re called)).
Re: can't hurt?
“I disagree — even if it’s a 50 character password, you still need to throw non-alphanumerics in there (to avoid dictionary attack).”
The only reason to put non-alphanumerics in your password is because a paranoid password program requires it. People naturally assume that a password needs to be a variation on a dictionary word in order to remember it. This is not true. Type the string “cde34rfv” and you’ll see what I mean. The position of the keys makes it easy to remember and it doesn’t appear in any dictionary. The 3 and 4 are completely optional, I might just as well have used “cderfvbgt”. You can think of times your fingers “knew” a familiar password your mind had forgotten. The sequence of keypresses is what is remembered best, the decoded mnemonic information such as your dog’s name is secondary.
Re: Re: can't hurt?
Hate to burst your bubble, but sophisticated dictionary attacks take that into consideration.
They not only cover known words, but the passwords you describe are also covered as “words”. Its all about likely combinations, and frankly, your method is a VERY LIKELY combination.
So you might want to go rethink those passwords.
Hushmail Attacked? Nah...
If I read this correctly, Network Solutions got attacked and the domain name was redirected. Hushmail’s system did not get attacked.