Originally Posted by DiGiCiDAL
Same as always - if you don't have completely unique passwords of maximum (or at least long and complex enough) length - sooner or later the account will be compromised. There's simply too much 'free money' sitting there that is virtually indefensible in a legal context for it not to be considered 'low hanging fruit' for hackers.
That's why I use 10 word passphrases pulled from a random page in a book that only I know I use for that purpose. That way I can simply write down the page and line number in a little notebook I keep - and it's instant two factor protection. Even if someone steals the notebook... unless they somehow also know the book used... no good. The really nice thing is that every few months I can simply change the book to a different one - and update the passwords to the new words - while keeping the entries in the notebook exactly the same.
Of course, none of that helps with a 20char max password - which is part of the reason I didn't actually mine anything on their pool.
It's definitely not a perfect system - but unless I choose 2-3 books in a row which have exactly the same words in exactly the same positions on exactly the same pages... it's unlikely that someone would even have enough time to brute force them before they changed. Although I suppose someone could steal my notebook and all ~300 books off my bookshelves... but they would definitely have to kill me first to get that kind of access - and if I'm dead, then I really don't care who has access to my coins.
Pretty much the same here, my master passwords come from random books as well with a little more cryptic way of sourcing the characters & words than you described, and my library runs the gamut from fictional, to science, to mathematics, to history, and more. Around 2600 books, last count.
I use Lastpass for any unimportant incidentals like forums & such that don't matter so much to me.
The mission critical stuff, oh no. KeePass container, in a password-protected 7zip file, that's in a TrueCrypt container w/ a random key file for added security. I might add, with 12+ TB of files on that computer to sift through looking for that key file, and before then you'll have to hack into an encrypted LVM to even get in to start looking. Good luck with that last part, I'm pretty sure all the holes are completely closed in a certain custom *nix flavor that's oft used for penetration testing.
That's how I roll where my personal info & banking is concerned. To any other OS, it looks like a secure deleted drive, & Windows always asks if you want to format the drive before you can use it. Lol! Sure, it's not convenient, but truly safe never is. I believe in taking care of my own house, in every respect...
If by chance my account there @ Hashco.ws was compromised, then it was either because of an inside job, or they were storing the pw's in plain text.... Unfortunately, not everyone follows as regimented & stringent a security protocol as us. Foolish mortals...
The only way they could've brute forced a bunch of 20 char. truly randomized passwords is to have one massive GPU farm running Hashcat, & I'd like to think that the admins would be paying closer attention than to miss a large bit of traffic on the order of magnitude of something like that. I'm betting it was an inside job.

Edited by ForceProjection - 12/25/13 at 1:48am