Hackers Find Way To Hit Hushmail
from the back-door dept
Hushmail, the web-based email service that boasts "total security," just got a dose of insecurity. Apparently someone hacked into Hushmail's domain name registrar, Network Solutions, and redirected the website to a staged site with graffiti. The company says no data was compromised, but even a minor security breach looks pretty bad when security is your raison d'etre. Just goes to show that maybe you can never be too paranoid when it comes to securing your computing experience, as Mark Burnett writes in his column. He admits that his precautions might be extreme (50-character passwords, anyone?), but that they can't hurt either. Sometimes, they even deter new, unanticipated threats. In other words, even super-secure email services are susceptible to attack and might benefit from other means of protection.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Reader Comments
Subscribe: RSS
View by: Time | Thread
can't hurt?
I disagree -- even if it's a 50 character password, you still need to throw non-alphanumerics in there (to avoid dictionary attack). At that point, in order to remember a 50 char password, it's going to have to be written down somewhere, or in some way obvious (otherwise you'll lock yourself out, too). So it could hurt.
Really, what's needed (and has been mentioned here before) is a combination of a good password of reasonable length (10 chars?) PLUS some personal identifier (bioinformatics, one of those hardware devices with a constantly changing key (drawing a blank on what they're called)).
[ link to this | view in chronology ]
Re: can't hurt?
The only reason to put non-alphanumerics in your password is because a paranoid password program requires it. People naturally assume that a password needs to be a variation on a dictionary word in order to remember it. This is not true. Type the string "cde34rfv" and you'll see what I mean. The position of the keys makes it easy to remember and it doesn't appear in any dictionary. The 3 and 4 are completely optional, I might just as well have used "cderfvbgt". You can think of times your fingers "knew" a familiar password your mind had forgotten. The sequence of keypresses is what is remembered best, the decoded mnemonic information such as your dog's name is secondary.
[ link to this | view in chronology ]
Re: can't hurt?
They not only cover known words, but the passwords you describe are also covered as "words". Its all about likely combinations, and frankly, your method is a VERY LIKELY combination.
So you might want to go rethink those passwords.
[ link to this | view in chronology ]
Hushmail Attacked? Nah...
[ link to this | view in chronology ]