# Passwords & Hackers



## csonni (Feb 8, 2001)

Just had our Skype account hacked into today. Good thing I've been aware of the emails coming in of sudden auto recharges. Someone somehow hacked into my account and made an incredible number of calls to a mobile phone in Egypt and Indonesia. I started to panic as I was just waiting for all those auto recharges to fire up (3 already did). I then changed my Skype password which ended all that nonsense. I then got on a Skype chat line and they restricted the account until I provided details to verify who I was, and then reactivated it. Skype will not refund my (3) $35 unauthorized charges, but BMO Mastercard will.

My big question is, how does a hacker actually get someone's account password? Are they hacking into Skype's database or somehow hacking into my network and somehow gaining access to my passwords that way? It's really got me curious.

On top of all this, BMO just informed me, as well, that my credit card has been compromised again (twice in 3 months!) and are sending me a new card as well as restricting my present card to $250 transactions.

Thus, the nature of my question in relation, not only to passwords, but also credit card numbers! I don't think this thing with Skype is related to my compromised credit card, since the card was compromised back on around March 28 and this Skype incident didn't happen until yesterday.


----------



## eMacMan (Nov 27, 2006)

There are all sorts of possibilities. They can hack data bases. For the Skype It is probably easy enough to get your user name, so if the password is not fairly robust, trial and error could eventually lead to a hack. 

Credit cards are most often hacked at places like service stations. Once through the hacking device, then through the legitimate machine.

I have even heard of people installing hacking devices on ATMs along with an inconspicuous camera to placed to pick your PIN.

As far as I know Cash has never been successfully hacked and other losses are restricted to the amount in your wallet.


----------



## csonni (Feb 8, 2001)

eMacMan said:


> Once through the hacking device, then through the legitimate machine.


Can you be more specific on this? What's the "device" and "machine" you'd be referring to?


----------



## jamesB (Jan 28, 2007)

eMacMan said:


> As far as I know Cash has never been successfully hacked and other losses are restricted to the amount in your wallet.


^^^
good one!


----------



## WestWeb (Jul 11, 2009)

As eMacMan said it's pretty easy to get someones username for Skype(and most places really).

Once the hacker has that, they have to get your password. The most common way to do that is using Rainbow Tables in conjunction with a piece of software that basically tries every combination of characters from the tables at a very fast rate.

If you have a simple password, like a dictionary word(s), or name, phone number, something like that, it won't take very long for a hacker to get your password. If like me you create all your passwords using a service like strongpasswordgenerator.com, it usually becomes too much time and effort for the hacker to bother: unless you have something rEaLly valuable they want, of couse. Almost any system or service can be hacked into with enough time and know-how.


----------



## The Doug (Jun 14, 2003)

Try this password strength calculator:

https://www.grc.com/haystack.htm


----------



## csonni (Feb 8, 2001)

I'm going through all my online accounts (bank, credit card, Paypal, etc) and changing passwords. It's about time.
My bank online rep just told me that lower or upper case isn't detected. That's something to know when generating passwords, thinking that they do. I guess not all online sites are "case aware."


----------



## eMacMan (Nov 27, 2006)

csonni said:


> I'm going through all my online accounts (bank, credit card, Paypal, etc) and changing passwords. It's about time.
> My bank online rep just told me that lower or upper case isn't detected. That's something to know when generating passwords, thinking that they do. I guess not all online sites are "case aware."


In that case I would definitely use some sort of random generator for the password and absolutely avoid anything shorter than 8 characters. 10+ is better, and be sure to include a few numbers.

BTW Thieves have devices that look like the typical credit card terminal. Can capture all the info on your card and allow them to build a copy. Sometimes they'll say it did not go and try a second terminal. This lets them work a location for a couple of weeks. Sometimes they only work for a day at one business and rip them off as well, disappearing with several duped credit cards, and with the help of a spy cam, the PINs as well.


----------



## crawford (Oct 8, 2005)

Sorry to hear about that. It's a major pain in the butt.

I had my Skype account compromised last year. In my case, the person changed my login credentials so that I was unable to reset my password myself. I have a pretty strong password -- this was the only time in many years of being online that something like this has happened. I don't completely rule out the possibility that someone gained physical access to my computer (long story, slightly embarrassing). 

Dealing with Skype's customer service was an experience (I still have a folder with >30 emails from Skype). Eventually the charges on my account were reversed by PayPal as Skype refused to help.


----------



## csonni (Feb 8, 2001)

It took me a while to figure out how to get help. I finally stumbled on the option of a chat line.


----------



## absolutetotalgeek (Sep 18, 2005)

There's a reason Skype is a 'banned' app in corporate environments, well one's that take security seriously.


----------



## HowEver (Jan 11, 2005)

Really? People enter their passwords online to 'check' them? That's the last thing I would do.




The Doug said:


> Try this password strength calculator:
> 
> https://www.grc.com/haystack.htm


----------



## Joker Eh (Jan 22, 2008)

The Doug said:


> Try this password strength calculator:
> 
> https://www.grc.com/haystack.htm


:lmao::lmao::lmao::lmao::lmao::lmao:

Go ahead test your password on a site. :lmao:


----------



## lara (Mar 15, 2009)

Use Apple's Keychain Password Assistant to generate or check passwords. It's Apple, and local to your machine.


----------



## Paddy (Jul 13, 2004)

I've posted this link here before, but it definitely bears re-reading:

Password size does matter | Security Central - InfoWorld

You can try things out to see how different password lengths/combinations of characters make a difference at: https://www.grc.com/haystack.htm - it's not actually a password strength calculator, if you read the text.  The info he posts is pretty interesting. 

Bottom line - length matters more than anything else. I use phrases that mean something to me (total nonsense to anyone else) with some special characters/uppercase thrown in. They're easy for me to remember, unlike the things generated by those password generators, and just as unhackable.


----------



## The Doug (Jun 14, 2003)

Joker Eh said:


> :lmao::lmao::lmao::lmao::lmao::lmao:
> 
> Go ahead test your password on a site. :lmao:


Learn more about the man who developed the site and you may not be so quick to laugh.


----------



## Guest (Apr 12, 2012)

xkcd: Password Strength


----------



## Greenman (Feb 22, 2003)

...


----------



## The Doug (Jun 14, 2003)

Yep. You don't have to input your actual password(s) but if you do some e_Xp:3rim"ent"5 on the site you will quickly see the benefit of using alpha characters (upper & lower case), as well as numbers and symbols in online passwords. More to remember and slower to type in of course but it's worth the trouble.


----------



## csonni (Feb 8, 2001)

The Doug said:


> More to remember and slower to type in of course but it's worth the trouble.


Unless you use 1Password like I do. You can also do the copy and paste thing as well. No need to type out your password each time.


----------



## John Clay (Jun 25, 2006)

csonni said:


> Unless you use 1Password like I do. You can also do the copy and paste thing as well. No need to type out your password each time.


+1. I only actually know 1 password. I haven't a clue what the rest are.


----------



## krs (Mar 18, 2005)

csonni said:


> Unless you use 1Password like I do. You can also do the copy and paste thing as well. No need to type out your password each time.


So if someone hacks your Mac and into 1Password he now has access to all your passwords?
Is that how it works?

I tried to find a few technical reviews but couldn't find anything other than how wonderful the GUi is and how easy it is to use.
And this user comment on one review:


> I've had nothing but trouble with 1password after upgrading to Firefox 6. I'm dumping it.


BTW - I have come across some sites where copying and pasting the password does not work.
No clue why - if I copy and paste it the site doesn't recognize the password, if I type it in manually everything is fine.


----------



## csonni (Feb 8, 2001)

I think some browsers need to be run in 32bit for the 1Password plugin to work?


----------



## zen.state (Nov 29, 2005)

Language doesn't really evolve with technology it seems. The true meaning of the word "hacker" is a person who computes in a command line. The term comes from UNIX culture referring to how it's users hack away at a keyboard all the time. 

People who do illegal things online are criminals and shouldn't be categorized with users of command line OS. Every time someone uses this word incorrectly they spread ignorance.


----------



## csonni (Feb 8, 2001)

So how exactly does one "hack" into a computer? For instance, can an individual in Indonesia gain access to my computer over a network? How about someone local? Can they access my computer via my local network (all this is contingent on whether or not I have good security in place, such as Firewall, etc.)?


----------



## zen.state (Nov 29, 2005)

csonni said:


> So how exactly does one "hack" into a computer? For instance, can an individual in Indonesia gain access to my computer over a network? How about someone local? Can they access my computer via my local network (all this is contingent on whether or not I have good security in place, such as Firewall, etc.)?


The only truly safe computer is one that is turned off and unplugged. 

When it comes to turning it on and going online it's the user that is the best security because you actually have an active thinking human brain. If you need to be told how you can be broken into then you're really in need of some basic security education. It's nothing that can be spoon fed to you on a forum. You need some theory (research) backed up by some real world feeling out.

The best place to start is a good router (hardware firewall) and not logging in as admin unless you need to do admin stuff. Create a regular user account and use it most. The rest requires some personal time investment.


----------



## krs (Mar 18, 2005)

zen.state said:


> Language doesn't really evolve with technology it seems. The true meaning of the word "hacker" is a person who computes in a command line. The term comes from UNIX culture referring to how it's users hack away at a keyboard all the time.
> 
> People who do illegal things online are criminals and shouldn't be categorized with users of command line OS. Every time someone uses this word incorrectly they spread ignorance.


The "true" meaning you state sure doesn't agree with what the Wiki shows - not that the Wiki is always correct.
http://en.wikipedia.org/wiki/Hacker_(computer_security)

But the meaning and use of words also change over time - very few people today would think of a "hacker" as someone who computes using the command line.


----------



## csonni (Feb 8, 2001)

Any suggestions on where to start? I've never thought of creating a "General" user's account other than for troubleshooting. Kind of a drag to have to duplicate all my Mail and iTunes folder for a new user account. I'll have to check into the hardware firewall for both my Airport Extreme Base Station and my Aliant modem/router.


----------



## krs (Mar 18, 2005)

csonni said:


> So how exactly does one "hack" into a computer? For instance, can an individual in Indonesia gain access to my computer over a network? How about someone local? Can they access my computer via my local network (all this is contingent on whether or not I have good security in place, such as Firewall, etc.)?


Didn't the flashback trojan that just made the news big time do exactly that?
Used an unpatched Java vulnerability to install some software in your Mac without your knowledge with the purpose to use your Mac as part of a botnet.
At least that's what I understood.


----------



## zen.state (Nov 29, 2005)

krs said:


> The "true" meaning you state sure doesn't agree with what the Wiki shows - not that the Wiki is always correct.
> http://en.wikipedia.org/wiki/Hacker_(computer_security)
> 
> But the meaning and use of words also change over time - very few people today would think of a "hacker" as someone who computes using the command line.


Well I have been a BSD user since 1987 and many in the culture use that term. 

You represent the part of internet culture who think reading a web site is knowledge or can be used in an argument. If you can't have a differing opinion with your own words and need a web site to speak for you then you really shouldn't be in the discussion to begin with. Read all the sites you want but I base what I say on real world events.


----------



## krs (Mar 18, 2005)

csonni said:


> Any suggestions on where to start? I've never thought of creating a "General" user's account other than for troubleshooting. Kind of a drag to have to duplicate all my Mail and iTunes folder for a new user account. I'll have to check into the hardware firewall for both my Airport Extreme Base Station and my Aliant modem/router.


I also use my admin account as my main account - not the greatest idea......

To change that is it not possible to create a second admin account and then change the current admin account to a regular user account?
That could be straight forward and avoids having to move all existing files and folders.


----------



## csonni (Feb 8, 2001)

By the way, here's a website that will allow you to check if you've been infected by Flashback:

http://flashbackcheck.com/


----------



## csonni (Feb 8, 2001)

krs said:


> To change that is it not possible to create a second admin account and then change the current admin account to a regular user account?


Wouldn't using a new Admin account create the same problem of security?


----------



## krs (Mar 18, 2005)

zen.state said:


> You represent the part of internet culture who think reading a web site is knowledge or can be used in an argument. If you can't have a differing opinion with your own words and need a web site to speak for you then you really shouldn't be in the discussion to begin with. Read all the sites you want but I base what I say on real world events.


You're hilarious - best laugh I had all week, thanks.


----------



## csonni (Feb 8, 2001)

Wish I checked into this long ago. I never realized how vulnerable I've made myself by using my Admin account. Here's some good advice:

How to switch to a standard user account in OS X | MacFixIt - CNET Reviews

"However, instead of troubling yourself with migrating to a new account, you can switch your current account from admin to a standard account and thereby impose the same restrictions on it. To do this, you will first need to create the new admin account in the Accounts (or Users & Groups) system preferences, and then log out of your current account and log into the new admin account. Once logged into in the new account, go back to the Accounts system preferences, select your old admin account, and then uncheck the "Allow user to administer this computer" option to demote it."

IS THIS INFO VALID?


----------



## krs (Mar 18, 2005)

csonni said:


> By the way, here's a website that will allow you to check if you've been infected by Flashback:
> 
> http://flashbackcheck.com/


There were a number of websites like that as well as a check via terminal.

Trouble is that you never know if you are actually downloading malware by going to any of those.
At this point I would very, very strongly recommend you run the latest update that Apple just released yesterday (I think or the day before)
It will not only detect if the trojan is installed on your Mac but will also remove the most common variants of it.
And coming from Apple you're about as sure as you can be that there is no malware in that download.


----------



## zen.state (Nov 29, 2005)

krs said:


> You're hilarious - best laugh I had all week, thanks.


This is the standard "I have no real argument to offer" response. Funny that a guy that uses a wiki page to make a point thinks I'm funny. Delusion does strange things to people.


----------



## krs (Mar 18, 2005)

csonni said:


> Wish I checked into this long ago. I never realized how vulnerable I've made myself by using my Admin account. Here's some good advice:
> 
> How to switch to a standard user account in OS X | MacFixIt - CNET Reviews
> 
> ...


I just bit the bullet and did that.

Create another admin account first
Then demote your existing account to a regular user account.

Seems to work without a hitch -

Two comments - 
1. You have to restart your Mac for some of those changes to become effective
2. Make sure you remember not only the new admin password - I made mine a bit more secure, but also the User name you give the new admin account. My user name was fairly long and in the account window in system preferences I only see part of it followed by .....

Sort of a security feature in a sense - I'll have to see if I can expand that window but if not, anyone having access to your Mac would also need to know/guess at the complete admin user name and then the password.


----------



## John Clay (Jun 25, 2006)

krs said:


> Sort of a security feature in a sense - I'll have to see if I can expand that window but if not, anyone having access to your Mac would also need to know/guess at the complete admin user name and then the password.


Hardly. They could just look in the /Users folder for the complete username.


----------



## krs (Mar 18, 2005)

zen.state said:


> This is the standard "I have no real argument to offer" response. Funny that a guy that uses a wiki page to make a point thinks I'm funny. Delusion does strange things to people.


It's your last comment that really made me laugh:



> Read all the sites you want but I base what I say on real world events.


Does that mean you only believe what you have seen in real life with your own eyes - you don't believe anything you have read or any pictures you have seen or for that matter most things posted here on ehMac.

As to the definition of "hacker" - don't know what dictionary you think is legit, but Merriam-Webster has four definitions for the word, not just the one you think is the "right" one
Hacker - Definition and More from the Free Merriam-Webster Dictionary


----------



## krs (Mar 18, 2005)

John Clay said:


> Hardly. They could just look in the /Users folder for the complete username.


I was going to post: "Not quite - the User folder shows the system generated name with no capitals and all the spaces eliminated.

But it doesn't look as if the Mac is fussy about that - I can either enter the user name I chose with three capital letters and two spaces or use the user name the system created with all lowercase and no spaces, and either one works.

Yeah - you're right, no additional security there.


----------



## csonni (Feb 8, 2001)

krs said:


> Seems to work without a hitch -


Can anyone report or comment on any bugs or hiccups in this? I really don't want to run into a situation where I'm going to get locked out of my Admin account.


----------



## John Clay (Jun 25, 2006)

krs said:


> I was going to post: "Not quite - the User folder shows the system generated name with no capitals and all the spaces eliminated.
> 
> But it doesn't look as if the Mac is fussy about that - I can either enter the user name I chose with three capital letters and two spaces or use the user name the system created with all lowercase and no spaces, and either one works.
> 
> Yeah - you're right, no additional security there.


The system will accept either the full username (the one you see in System Preferences), or the short username, which is used at the system level (what you see in the /Users folder).


----------



## Chimpur (May 1, 2009)

I had my iTunes account hacked awhile ago. Seems they didn't purchase anything or really do much. About the same time I had an ex hack my mobile me account. That was quite the event. Of course that was just before iCloud was announced. So Mobile Me was still payed. It was coming up to renewal time so instead of paying the Family Pack rates I warned her a month in advance and shut her account down. 

So to be honest; it's not just anonymous hackers or hooligans that one has to worry about online security. People who are or once were very close can also cause all kinds of Internet havoc!


----------



## Lawrence (Mar 11, 2003)

csonni said:


> I think some browsers need to be run in 32bit for the 1Password plugin to work?


There is a fix for Lion, It now works in 64 bit mode.


----------



## zen.state (Nov 29, 2005)

krs said:


> Does that mean you only believe what you have seen in real life with your own eyes - you don't believe anything you have read or any pictures you have seen or for that matter most things posted here on ehMac.


Thats not what I mean at all. My point is that I don't just read info for the first time and then act like I know something about it. Reading gives us a mental image of things but until we have practical experience with we really have no business acting like we know anything. 



krs said:


> As to the definition of "hacker" - don't know what dictionary you think is legit, but Merriam-Webster has four definitions for the word, not just the one you think is the "right" one
> Hacker - Definition and More from the Free Merriam-Webster Dictionary


The word has been bastardized into many things. The true origin is to chop or "hack" at something like an axe to wood. My point is that the true technical origin of the word "hacker" is a command line user. The word only took on meaning one who breaks into computers because pretty much all the early "hackers" were UNIX people. 

I really can't take people seriously when they let a web site do their arguing. If you really knew anything about all this you could back up any points with your own words that come from your own brains database of knowledge. Doing a link copy/paste and adding a few filler words only shows you have nothing to really offer but things that don't come from you. 

I challenge you to make a few arguments without pasting a link.


----------



## Chimpur (May 1, 2009)

As far as the degradation or evolution of the English language goes; (take your pick which turn you use) there will always be various if not multiple definitions of the same concepts or things and words will often pull double duty or more. But that argument is a whole other matter not related to passwords and computer security.


----------



## zen.state (Nov 29, 2005)

Chimpur said:


> But that argument is a whole other matter not related to passwords and computer security.


A fair point.


----------



## Lawrence (Mar 11, 2003)

As a rule I don't keep any banking passwords on my computer,
I don't even store banking passwords in my 1Password app either.

If the hackers want to make money out of me then they are S.O.L.


----------



## Chimpur (May 1, 2009)

Sometimes I find security questions that these sites ask can either be too easy to guess... or too hard to remember. I mean if I made an account up and it asked my favourite movie.. thats subjective and subject to change. But anyone who remotely knows e can guess my dogs name or where I grew up.


----------



## Lawrence (Mar 11, 2003)

Chimpur said:


> Sometimes I find security questions that these sites ask can either be too easy to guess... or too hard to remember. I mean if I made an account up and it asked my favourite movie.. thats subjective and subject to change. But anyone who remotely knows e can guess my dogs name or where I grew up.


I find that with ING, They ask those same peculiar questions that Apple iTunes wants to ask now.


----------



## csonni (Feb 8, 2001)

Just created a new Administrator User account with a new password (a bit lengthier than previous). Now running on a Standard account.
I'm also a bit concerned about all the info I have stored in 1Password. Should I make the password more difficult to crack? Can someone actually crack my Administrator password and then my 1Password password? And all this after getting by the built in Firewall in my Airport Extreme and the built in OSX Firewall?


----------



## krs (Mar 18, 2005)

zen.state said:


> I challenge you to make a few arguments without pasting a link.


This discussion has become a total waste of time.

You are simply not correct when you state:


> The *true meaning* of the word "hacker" is a person who computes in a command line. The term comes from UNIX culture referring to how it's users hack away at a keyboard all the time.


When Chimpur posted 


> I had my iTunes account hacked awhile ago


do you really think the meaning related to someone computing using the command line?

I simply referenced a well respected publication like Merriam-Webster to illustrate my point. People usually ask for a reference if none is given, you take just the opposite approach.
Do you really think people take whatever you post as gospel just because it's you posting it? That's the message you are conveying.

In any case - you have taken this thread way off topic. I'll pass on any further discussion about the use of the word "Hacker" - maybe you should be contacting Merriam-Webster about their definition since according to you they are spreading ignorance as well.


----------



## Chimpur (May 1, 2009)

krs said:


> This discussion has become a total waste of time.
> 
> You are simply not correct when you state:
> 
> ...


'Cause you know; I AM the definitive example upon how the English Language should be wielded... 

So it shall be written... So it shall be done!


----------



## krs (Mar 18, 2005)

Chimpur said:


> Sometimes I find security questions that these sites ask can either be too easy to guess... or too hard to remember. I mean if I made an account up and it asked my favourite movie.. thats subjective and subject to change. But anyone who remotely knows e can guess my dogs name or where I grew up.


I agree - the whole security issue is just not taken too seriously in North America it seems.
Especially when it comes to financial institutions - I mean 4-digit PINs.
No wonder the losses incurred annually to fraud is a well kept secret that no financial institution wants to divulge.


----------



## Chimpur (May 1, 2009)

krs said:


> I agree - the whole security issue is just not taken too seriously in North America it seems.
> Especially when it comes to financial institutions - I mean 4-digit PINs.
> No wonder the losses incurred annually to fraud is a well kept secret that no financial institution wants to divulge.


Lmao! So true..... whats ur pin I wonder.... 1234? hmm no? 0000? hmm maybe well no matter only 9998 more combos lol!


----------



## krs (Mar 18, 2005)

csonni said:


> Just created a new Administrator User account with a new password (a bit lengthier than previous). Now running on a Standard account.
> I'm also a bit concerned about all the info I have stored in 1Password. Should I make the password more difficult to crack? Can someone actually crack my Administrator password and then my 1Password password? And all this after getting by the built in Firewall in my Airport Extreme and the built in OSX Firewall?


I don't keep any password on my Mac or in 1Password or anything similar if it is for a site where unauthorized access would cause me significant harm.
And I use different passwords for different sites; I also change passwords occasionally although I'm not sure what benefit that is. 

I think in this day and age one needs to worry more about some social engineering method to try to get your password rather than people trying to hack into your Mac and to somehow guess your passwords.
I still get the occasional email telling me my account has been compromised and log in here......or an email that Paypal has just authorized payment for x dollars to ---- and if that isn't a legitimate payment. log in here .... or similar things.


----------



## krs (Mar 18, 2005)

Chimpur said:


> Lmao! So true..... whats ur pin I wonder.... 1234? hmm no? 0000? hmm maybe well no matter only 9998 more combos lol!


Wow!

You almost guessed - only one digit out.


----------



## csonni (Feb 8, 2001)

krs said:


> I don't keep any password on my Mac or in 1Password or anything similar if it is for a site where unauthorized access would cause me significant harm.


So then. You keep all your passwords on some kind of handwritten notes? I assume you're referring only to those passwords and account numbers that have to do with banking, social insurance number and anything that could allow your identity to be compromised?


----------



## csonni (Feb 8, 2001)

Common sense would tell me to disable airport and remove any network cables before retiring for the night. Might as well cut off any network activity, no?


----------



## krs (Mar 18, 2005)

csonni said:


> So then. You keep all your passwords on some kind of handwritten notes? I assume you're referring only to those passwords and account numbers that have to do with banking, social insurance number and anything that could allow your identity to be compromised?


No - I make up passwords that typically consist of four words very familiar to myself and easy for me to remember but not in any dictionary.
Then if possible I create a user name that consists of the first letters of each of those words to provide me with a memory jogger and add a few digits (again numbers that mean something to me but nobody else) for good measure.


----------



## csonni (Feb 8, 2001)

Here's a good short read:

Microsoft: Changing Passwords Isn't Worth the Effort | News & Opinion | PCMag.com


----------



## John Clay (Jun 25, 2006)

csonni said:


> Common sense would tell me to disable airport and remove any network cables before retiring for the night. Might as well cut off any network activity, no?


You're way over-thinking this...

Good security doesn't require paranoia.


----------



## csonni (Feb 8, 2001)

I don't think this is paranoia at all. Having a credit compromised twice in 3 months makes me more aware. And turning off Airport for the night isn't a bad measure at all. If all security measures can't be totally fool-proof, what's the harm?

Here's some good hints for creating passwords:

Toward Better Master Passwords | Agile Blog


----------



## vancouverdave (Dec 14, 2008)

Chimpur said:


> Sometimes I find security questions that these sites ask can either be too easy to guess... or too hard to remember. I mean if I made an account up and it asked my favourite movie.. thats subjective and subject to change. But anyone who remotely knows e can guess my dogs name or where I grew up.


One trick is to answer the security questions with *lies* that you will remember.


----------



## csonni (Feb 8, 2001)

A word of warning. When messing around with changing critical passwords (User Account, Administrator Account, etc.), make sure you write it down on paper before committing to the change. I'm getting a bit tired and I shouldn't be doing this now. I almost locked myself out of my User Account.

By the way. About the OSX Keychain. I found that mine wasn't locked. Can someone gains access to the Keychain and use that? How many actually use their Keychain? Or, can 1Password replace that pretty much?

Another thing. I notice that my new Admin Account is not accessible through Fast User Switching nor through User Group Preferences. I can only login by going through the Login Window.


----------



## vancouverdave (Dec 14, 2008)

csonni said:


> How many actually use their Keychain? Or, can 1Password replace that pretty much?


I have replaced Keychain use with LastPass (similar to 1Password)


----------



## krs (Mar 18, 2005)

csonni said:


> A word of warning. When messing around with changing critical passwords (User Account, Administrator Account, etc.), make sure you write it down on paper before committing to the change. I'm getting a bit tired and I shouldn't be doing this now. I almost locked myself out of my User Account.


This is not an issue.
You can always reset your account password using the install disk

Mac OS X 10.6 Help: If you forget your administrator password

What is an issue if you forget the password to a password protected .dmg folder.
Happened to me once and there doesn't seem to be any way in the world to recover from that.


----------



## pm-r (May 17, 2009)

Here's a suggestion for the possibly paranoid users as to whether their Mac can be hacked or passwords overridden etc.

Call up your local school or university for a good known hacker, invite them for dinner or just provide pizza and pepsi/coke or beer, they live and thrive on such a diet, and even offer some payment, but most do it just for the challenge, and see if they can access or change or bypass anything password protected on your Mac or any personal stuff.

And to make it easier for them, allow them to connect directly with an ethernet wired connection to your LAN network, but with one extra condition - they are NOT allowed to use any direct methods such as boot install disks.

When they finally fail and give up, maybe you'll breath a bit easier, regardless of other personal compromises such as credit cards etc. which shouldn't have anything to do with one's Mac.


----------



## vancouverdave (Dec 14, 2008)

pm-r said:


> Here's a suggestion for the possibly paranoid users as to whether their Mac can be hacked or passwords overridden etc.
> ...
> When they finally fail and give up, maybe you'll breath a bit easier, regardless of other personal compromises such as credit cards etc. which shouldn't have anything to do with one's Mac.


Or you can run Apple's update from yesterday, only to find your system has already been compromised by the recent Flashback.


----------



## HowEver (Jan 11, 2005)

EXCEPT if you change the firmware password. That you need to remember, and cannot reset with the install disk.




krs said:


> This is not an issue.
> You can always reset your account password using the install disk
> 
> Mac OS X 10.6 Help: If you forget your administrator password
> ...


----------



## pm-r (May 17, 2009)

vancouverdave said:


> Or you can run Apple's update from yesterday, only to find your system has already been compromised by the recent Flashback.


True for some, and I'd suggest in the very small minority regardless of the, I'd suggest the inflated media Mac users so infected, but not exactly a hacking attack as the latest and nearly all malware needed some unsuspecting, un-knowlagable Mac user to OK and implement and install such hacking malware I believe.


----------



## pm-r (May 17, 2009)

HowEver said:


> EXCEPT if you change the firmware password. That you need to remember, and cannot reset with the install disk.


Is that about the same as using file-vault and it's password and encryption??

I know of a local senior that kept insisting he needed to use it and against all local Mac user advice to NOT use it for his personal data, and sure enough, three years later he forgot his F-V password and lost all access to all his data.

But no one ever got access to his data which I doubt they could have even without his F-V and password stuff being enabled. Now it's all lost, gone forever and not accessible unless he gets a reborn senior's memory brain fart.


----------



## csonni (Feb 8, 2001)

In regards to your User Account password- isn't that only vulnerable to someone who is actually at your computer trying to access it? Apart from your administrator password (for system changes), what kind of security is provided by a User Account password on a network?


----------



## Guest (Apr 16, 2012)

I've been watching this one go and go and I have to chime in. 

Honestly someone breaking into _your_ computer, unless you've been infected with a trojan/virus/some other kind of mechanism to let them in is probably less likely to happen than you getting struck by lightning. Most "hackers" (I use that term as it's the one that has been used most often in this conversation, not because I agree with it's usage) could care less about trying to break into your personal machine -- which is also likely behind at least a simple NAT based firewall if you are using a router based setup for your internet, making it that much more complicated to get at. You're honestly wasting your time setting up really hard to guess and/or break passwords on your home machines. If your home machine does get compromised it will more often than not be with a trojan or other software based means of "getting in" and in those cases your password doesn't mean much of anything. This is where things like not running from an admin account are your better line of defence.

What those nefarious types DO all the time are phishing scams -- those "you need to reset your password" type emails and similar. Avoid them and you won't very often get "hackers" getting your passwords -- and they want your passwords for online baking, forums, email, social networks, etc etc, not your computer. Having the most secure password possible will not help you from giving away your personal information. You would be amazed at just how many people give away their passwords be falling for things like this ...


----------



## Guest (Apr 16, 2012)

pm-r said:


> True for some, and I'd suggest in the very small minority regardless of the, I'd suggest the inflated media Mac users so infected, but not exactly a hacking attack as the latest and nearly all malware needed some unsuspecting, un-knowlagable Mac user to OK and implement and install such hacking malware I believe.


Not true at all. Lots and lots of exploits that are used to compromise a computer (mac or not) do not need a user to click "ok" ... this whole conversation on "security" has been like watching the blind lead the blind.

It seems that during my vacation from ehmac that nothing has changed. The voices of authority telling it "like it is" with conviction, but at the same time having little to no clue about the reality of it all.

Sorry to be so blunt, but I literally almost spit coffee all over my screen a few times reading this thread.


----------



## pm-r (May 17, 2009)

mguertin said:


> Not true at all. Lots and lots of exploits that are used to compromise a computer (mac or not) do not need a user to click "ok" ... this whole conversation on "security" has been like watching the blind lead the blind.
> 
> It seems that during my vacation from ehmac that nothing has changed. The voices of authority telling it "like it is" with conviction, but at the same time having little to no clue about the reality of it all.
> 
> Sorry to be so blunt, but I literally almost spit coffee all over my screen a few times reading this thread.


I was referring to the earlier versions of the Flashback and similar stuff that required the user's input, but you're correct and I should have added that the later Flashback exploit versions didn't require any user input.

But a question: You said "not running from an admin account are your better line of defence". 
Is the Mac fully protected when run that way or is it still prone and vulnerable to such exploits??


----------



## csonni (Feb 8, 2001)

I think what it is is that others cannot get in and make system wide changes, etc. Is that correct?


----------



## Guest (Apr 16, 2012)

pm-r said:


> I was referring to the earlier versions of the Flashback and similar stuff that required the user's input, but you're correct and I should have added that the later Flashback exploit versions didn't require any user input.
> 
> But a question: You said "not running from an admin account are your better line of defence".
> Is the Mac fully protected when run that way or is it still prone and vulnerable to such exploits??


Nothing is ever fully protected. The only real benefit of not running an admin account in this context is that if you do get compromised there's a _chance_ that the compromise won't have enough access to change your base system, apps, etc. That said it's still not really a failsafe nor very useful at the end of the day because any *nix based system can execute binaries (apps) from within it's own user space without a lot of restriction -- meaning that if the exploit puts binaries within your userspace it's not going to help you. 

That said it also doesn't guarantee that the compromise won't get escalated permissions -- it really depends on the exploit used, some exploits give higher permissions than the user that is running the app in question. Honestly running a non-admin account is still not really that much additional protection unless the nefarious code is something specifically targeting your machine's filesystem (i.e. trying to delete or replace critical system software components or commands). More often than not an exploit these days is going to be some sort of tool to get your machine into a botnet and/or infect other machines and a non-admin account doesn't make any kind of difference in that case. At one time things may have been different in regards to the payload that the "hackers" were trying to get onto your machine but from what I've seen in the last few years you're not seeing a lot of keyloggers and the like ... it's much easier to phish that sort of information that it is to capture it in real-time.


----------



## pm-r (May 17, 2009)

Thanks mguertin.


----------



## csonni (Feb 8, 2001)

I suppose the new Admin account I created the other day wouldn't hurt to have just as an account for troubleshooting if something were to get corrupted in my User Account i.e. Preferences, etc.


----------



## Guest (Apr 16, 2012)

It never hurts to have a separate admin account.


----------



## csonni (Feb 8, 2001)

With my new Admin account, I am now having a problem with a number of apps updating. This is what I get after entering my Admin password, as seen in my screenshot. Not sure what to do about it. I really don't want to have to be doing a Get Info, etc. just to install.
The easiest way is to login in as Admin, of which can be a pain.


----------



## krs (Mar 18, 2005)

vancouverdave said:


> Or you can run Apple's update from yesterday, only to find your system has already been compromised by the recent Flashback.


So was that the case for you?

If so, did you not at last have one of the applications on your Mac that would cause this trojan to delete itself?
I really have a hard time understanding how anyone can get infected - every Mac in my family has at least one of these apps running and when we checked using the terminal commands, none were infected.


----------



## csonni (Feb 8, 2001)

Not sure if you're referring to me. I've already run the Flashback check with no infection.


----------



## krs (Mar 18, 2005)

mguertin said:


> You would be amazed at just how many people give away their passwords be falling for things like this ...


How true!
Most of the phishing is pretty obvious - the language used is often hilarious.

The one that almost got me and I think could easily fool someone else is the email from "paypal"
When one makes a real paypal payment, paypal sends a confirmation email that the payment has been made.
So getting an email like that from paypal is something paypal users expect.

The phishing part was an email like this essentially stating "This will confirm the payment of
$243.75 to Amazon.ca" and there is a link included with a comment - if you feel this payment was made in error please contact paypal.
I never clicked on the link but I'm sure it will take you to a web site that looks like a paypal site with fields to enter your user name and password. If you do enter user name and password, you will probably get a message back that the payment has been reversed or something similar that you think everything is fine now.
I ignored the email and logged into my paypal account directly via the browser - there was of course no payment that had been made.
But I thought that was a nice piece of social engineering to collect some paypal user accounts and passwords.


----------



## csonni (Feb 8, 2001)

Can someone shed some light on my problem stated in my previous post with a screenshot? I cannot seem to copy over an App without this window popping up. I logged in to my Admin account even and still get the "not all items have been copied over" thing. I shouldn't have to go unlocking anything, should I?

Update: Just found out that I actually need to delete the app first and then copy over updated app. That's strange. I really don't care for that.


----------

