What's your most cringeworthy online security moment?

[faftek]

Here's mine:

 

I went to setup my online account at fifth third bank today, and I found a little nugget of security gold, beating out even anything that Sony did: 

 

 

SPECIAL CHARACTERS ARE NOT ALLOWED.

ON A BANKING WEBSITE.

 

THE SAME WEBSITE WHERE I MAY TRANSFER MONEY BETWEEN ACCOUNTS AND EVEN TRANSFER MONEY TO OUTSIDE BANKS. OH AND IT HAS MY CONTACT INFO

 

Sorry for the rant there, this just made me bash my head into a wall, especially in light of the Sony hack, and the fact it is extremely insecure. Needless to say I'm now at a local credit union that forces secure passwords.

 

So I'm intrigued into what everyone else's most cringeworthy internet security moment is, anything from using password123 as your password for an email to a former boss keeping an excel sheet of all passwords.

 

 

[Horrorfull]

Upper and Lower Case required

Numbers Required

One special character required (! @ # $ % ^ & *)

At least eight characters

 

Just for my college app account back in high school and one of my employers used something like that.

Keep in mind that this isn't optional. You have to use all those just to submit college apps or get a job.

[AlexStriz]

These off-topic threads are getting so specific...

[werto165]

I hate it when websites limit password lengths, some are soooo short, i think one i used about a year ago had a 15 character limit or something silly.

@Windspeed36 makes me think of this: 

 

[Decon]

me?

 

accidentally showed friend how to deauth attack people's devices

 

derp

[hak4fun]

Using the same password for literally almost every website, except my savings account. I now have seperate passwords for every website, and I make new passwords every 3months. I started doing this, when I had to spend 2weeks on the phone getting my online identity back.

[Guest]

Websites sending password resets as plain text via email.

[faftek]

Websites sending password resets as plain text via email.

Oh god...

 

Using the same password for literally almost every website, except my savings account. I now have seperate passwords for every website, and I make new passwords every 3months. I started doing this, when I had to spend 2weeks on the phone getting my online identity back.

Well I'm glad you got your stuff back, and started using more passwords

 

me?

 

accidentally showed friend how to deauth attack people's devices

 

derp

 

oh boy, yeah I hate the days when friends go "how do you do that" and it turns into "I could tell you but I'd have to kill you"

I hate it when websites limit password lengths, some are soooo short, i think one i used about a year ago had a 15 character limit or something silly.

My bank has a 12 char limit... Oh and I'll use SHA-256 hashes at times for a pass just for the hell of it

[theloveablemoose]

My bank said i couldn't use a password over a certain character limit which i think was 10.

[ThatAngryGnome]

In the Sony hack, 25-ish pages of SSN numbers were leaked...ALL IN PLAIN TEXT!

[Neftex]

The special characters arent as bad as the limited length. The combination of both is quite impressive though.

The most cringeworthy moment for me was when I tracked spam sender and found out his mysql account was admin/admin.

[faftek]

The special characters arent as bad as the limited length. The combination of both is quite impressive though.

The most cringeworthy moment for me was when I tracked spam sender and found out his mysql account was admin/admin.

OH that's no surprise, most spammers don't know their ass from a hole in the ground, did you make a backup and tell him that you're a nigerian prince with a large database you're willing to sell for $50,000?

 

In the Sony hack, 25-ish pages of SSN numbers were leaked...ALL IN PLAIN TEXT!

.... I don't think what I want to say is allowed...

[rummykan]

Websites sending password resets as plain text via email.

I remember once or twice getting 'confirmation of registration' emails after signing up for a website that included username and password in plain text, can't imagine what they were thinking.

[Trik'Stari]

The sheer number of virus's I had on my last PC....from Kazaa (is that even still a thing?)

[Akolyte]

My Mom's Bank Website ONLY ALLOWS PASSWORDS UP TO 8 CHARACTERS And no special characters.  Numbers and letters only, capitals not allowed.

 

What a stupid freaking Bank!!!  Though after making a map of popular characters and calculating the popularity and volume of each alphabetical character I made her a password that would take around 30 years to crack. 

[faftek]

My Mom's Bank Website ONLY ALLOWS PASSWORDS UP TO 8 CHARACTERS And no special characters.  Numbers and letters only, capitals not allowed.

 

What a stupid freaking Bank!!!  Though after making a map of popular characters and calculating the popularity and volume of each alphabetical character I made her a password that would take around 30 years to crack. 

it would take 30 years to crack on a potato, honestly I could crack that in a few minutes with GPU power

[WinNut]

My old LTT password. It was "lga1366". Worst fucking password ever.

[ubuntusuperuser]

it would take 30 years to crack on a potato, honestly I could crack that in a few minutes with GPU power

(26+10)^8=2,821,109,907,456 even if you had a monster gpu it still might take a while (depends on how the hash is stored)

[pspfreak]

My old LTT password. It was "lga1366". Worst fucking password ever.

maybe for a non-tech website it would be OKAY,  but on a website like LTT, no. Incredibly idiotic.

[faftek]

(26+10)^8=2,821,109,907,456 even if you had a monster gpu it still might take a while (depends on how the hash is stored)

I've got my 280X up to a few million passwords a second, but for the hell of it let's say for some reason you're only getting 5 million a minute, this would equate to: 6.530347008 days of hashing to get the password.

 

Of course all this is entirely relative to encryption types and how the password is stored(great youtube video explaining it above), so there's no best answer for it. 

[ThatAngryGnome]

OH that's no surprise, most spammers don't know their ass from a hole in the ground, did you make a backup and tell him that you're a nigerian prince with a large database you're willing to sell for $50,000?

 

.... I don't think what I want to say is allowed...

Dem ******* stupid 

[Blade of Grass]

(26+10)^8=2,821,109,907,456 even if you had a monster gpu it still might take a while (depends on how the hash is stored)

It wouldn't take very long. Most passwords are either dictionary words, or aren't completely random and contain some type of word mangling, both of which makes it alot easier to crack passwords.

When it comes to brute forcing, some encryption algorithms are more intensive than others, which makes them take longer (as they require more compute power to make each hash). Assuming the hashing is SHA512, a 290x can get around 4500 MH/s. At that speed, it would take, at most, 11 minutes to exhaust the keyspace. Yes, only 11 minutes.

8 character passwords aren't very safe anymore, assuming the keyspace is larger (upper and lower letters, numbers), it would still only take, at most, 14 hours to crack. Assuming it's extremely large (upper and lower letters, numbers, 36 special characters), it would still only take, at most, 22 days.

[Briggsy]

my bank permanently locks out my online account if someone were to guess the password wrong 5 times, and I would then have to go through some hoops to get it unlocked again. on the off change that someone was able to guess my password, they would then be greeted with a random question created by myself (picked randomly out of many questions I created) if their ip address, browser, operating system etc.. was not what I normally would use to access my bank account. I find it hard to believe any online banking system does not work like this. brute force hacking died a long time ago for anything valuable.

[Mattr567]

Tinypic.com 's captcha is completely broken. You can type anything you want and it accepts it. LOL

[faftek]

my bank permanently locks out my online account if someone were to guess the password wrong 5 times, and I would then have to go through some hoops to get it unlocked again. on the off change that someone was able to guess my password, they would then be greeted with a random question created by myself (picked randomly out of many questions I created) if their ip address, browser, operating system etc.. was not what I normally would use to access my bank account. I find it hard to believe any online banking system does not work like this. brute force hacking died a long time ago for anything valuable.

:notbad: and yeah I don't know what happens if someone tries to be bruteforced, however I'm also worried if there was a database breach/disgruntled employee.

 

Tinypic.com 's captcha is completely broken. You can type anything you want and it accepts it. LOL

LOL good job tinypic...

 

It wouldn't take very long. Most passwords are either dictionary words, or aren't completely random and contain some type of word mangling, both of which makes it alot easier to crack passwords.

When it comes to brute forcing, some encryption algorithms are more intensive than others, which makes them take longer (as they require more compute power to make each hash). Assuming the hashing is SHA512, a 290x can get around 4500 MH/s. At that speed, it would take, at most, 11 minutes to exhaust the keyspace. Yes, only 11 minutes.

8 character passwords aren't very safe anymore, assuming the keyspace is larger (upper and lower letters, numbers), it would still only take, at most, 14 hours to crack. Assuming it's extremely large (upper and lower letters, numbers, 36 special characters), it would still only take, at most, 22 days.

Has cracking really got that fast? Damn it used to be MUCH slower when I was doing it...