Craftbrewer Hoax!

Australia & New Zealand Homebrewing Forum

Got the email about an hour ago. Has links to a fake login page and a fake payment page. Seems like someone's gone to a lot of effort to attack Ross' business. Hacked site,
stole mailing list, set up another url, created fake site, set up a spam mailer etc

Real craftbrewer site is still down :angry:

Hope they catch who did it
 
Well having put through an order less than 24hrs earlier and paid $120 freight I was devastated when I saw the email title this morning!


Christ, did you buy a pallet of FWK's?
 
You more computer savvy guys, what's a good password manager? Is there a decent free download?
How many phone numbers do you think you've memorised in your lifetime? How is that different to remembering multiple passwords?
 
How many phone numbers do you think you've memorised in your lifetime? How is that different to remembering multiple passwords?

Just have a common password and add the first letter of the website's name to the start of it. And the year (forces you to change it yearly).

eg. Cpassword12

C = Craftbrewer
password = your key word, used everywhere
12 = the year
 
Just have a common password and add the first letter of the website's name to the start of it. And the year (forces you to change it yearly).

eg. Cpassword12

C = Craftbrewer
password = your key word, used everywhere
12 = the year
Hey, everyone. Post up how you determine all your passwords. And your mother's maiden name/your first pet's name. Sounds like a fun game to play on a public forum.
 
I feel somewhat neglected that I didn't receive the email
 
How many phone numbers do you think you've memorised in your lifetime? How is that different to remembering multiple passwords?

Humans CANNOT be trusted to generate sufficiently secure passwords or to remember secure passwords.

Using a password manager like LastPass, correctly configured, with different passwords (long passwords, alpha, numeric, upper & lower case + punctuation) for EVERY site you log in to, significantly improves your security against stolen password databases being cracked.

Crackers can check billions (yes, not a typo, I said BILLIONS) of password combinations a second with regular off the shelf hardware. 'Clever' passwords (such as changing E for 3, i/l for 1), appending/pre-pending your kid's birth year, marriage year, and associated tricks are all useless, and among the first things crackers check. While we all think we're the 'only' one to come up with these things, we're not, and the bad guys know it :)

Don't risk it. Do it properly.
 
Crackers can check billions (yes, not a typo, I said BILLIONS) of password combinations a second with regular off the shelf hardware.

I'd like to see the web server that will respond to the billion requests per second, and the firewall that doesn't detect the DOS attack and drop the connection.
 
Humans CANNOT be trusted to generate sufficiently secure passwords or to remember secure passwords.
This has no bearing on whether or not a person is capable of doing so, however.

Using a password manager like LastPass, correctly configured, with different passwords (long passwords, alpha, numeric, upper & lower case + punctuation) for EVERY site you log in to, significantly improves your security against stolen password databases being cracked.
Doing the same without software removes an extra vulnerability.

Crackers can check billions (yes, not a typo, I said BILLIONS) of password combinations a second with regular off the shelf hardware.
I've never seen "off the shelf" (i.e. consumer available) password crackers that promise more than a few hundred thousand per second. How many PFLOPS do you think the average scammer's computer is capable of?

Don't risk it. Do it properly.
For me, the issue with password managers is that all your passwords are tied to a single key (if any, in the case of desktop password managers). Someone who can't be trusted (as you say) to manage their own passwords should stay even further away from password managers.
 
Humans CANNOT be trusted to generate sufficiently secure passwords or to remember secure passwords.

password_strength.png

http://xkcd.com/936/
 
anz's falcon takes the worry out of these sort of things

plus, the credit card issuer will refund fraudulent transactions

start worrying about important things like correct cell counts for pitching rates :p
 
This has no bearing on whether or not a person is capable of doing so, however.
We all think we are. That is the problem :)

Doing the same without software removes an extra vulnerability.
Yes, this is true. However, IMO, the risk is worth it. LastPass appear to have it well sorted out.

I've never seen "off the shelf" (i.e. consumer available) password crackers that promise more than a few hundred thousand per second. How many PFLOPS do you think the average scammer's computer is capable of?

Graphics cards are being used these days for hashing and cracking, and there is a lot of open source software available to do this. I'm going to cop-out here and not link to examples, because I'm at work, and I don't want those searches in my work proxy history; but a google will reveal heaps of information. Security Now episode 366, the latest one, covers this also.

For me, the issue with password managers is that all your passwords are tied to a single key (if any, in the case of desktop password managers). Someone who can't be trusted (as you say) to manage their own passwords should stay even further away from password managers.

Yes, that is a concern of mine, too. However, at least for LastPass, the password 'database' is stored on their server after only being encrypted with AES-256 on the client (with an option of PBKDF2, also). In addition to this, LastPass allows two-factor authentication (something you have + something you know) which requires you to use Google Authenticator to generate a token (it's open source and standards based) when accessing the password database - that way if an attacker does get hold of your password database, even if they have your master password, it's useless to them.

I stayed away from it for a long time for those reasons, but I figure it was worth the risk (I actually do not store truly valuable passwords - such as internet banking - in LastPass).
 
start worrying about important things like correct cell counts for pitching rates :p

I heard that if you pitch warm you don't need as much yeast - Do you think my Home Brand Larger will work ok. It's fermenting at 30 deg in my shed out the back. I added 2KG of sugaz because I want more alcohol, and used the yeast that came under the lid. I even got it on special for $2.95 because it was past its best before date.
 
I heard that if you pitch warm you don't need as much yeast - Do you think my Home Brand Larger will work ok. It's fermenting at 30 deg in my shed out the back. I added 2KG of sugaz because I want more alcohol, and used the yeast that came under the lid. I even got it on special for $2.95 because it was past its best before date.


Hmmm - I think my AHB account may have been hacked because I don't remember posting that. Maybe my password wasn't good enough because I didn't use a password program, I just made it up myself.
 
My passwords for everything are:

NeverHadaPasswordCracked
 
Graphics cards are being used these days for hashing and cracking, and there is a lot of open source software available to do this.
Yeah, I had a look into it after my last post and saw the stats are a lot faster than when last I looked but the rates are still a lot slower than billions per second for anything stronger than, say, MD5 hashes (which I've been led to believe are fairly out of fashion anyway). But even at those rates can you work out how long it would take to crack my weakest (memorised) current password: 18 characters, upper/lower case, numerals, special characters, spaces? That's 18^93, right? [EDIT: yeah, looking at Shane's graphic above, I've got that up the shit, disregard the figures but I think the point still holds]. Cracking passwords of random internet users simply isn't worthwhile/practical yet.
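As an added illustration (not from any poster in this thread), the arithmetic behind the two claims above: a uniformly random 18-character password over a 93-symbol alphabet has 93^18 candidates (alphabet to the power of length), whereas the "first letter + common word + two-digit year" scheme discussed earlier collapses to a few hundred million once the pattern is known. The cracking rates are the ones quoted in the thread; the 100,000-word dictionary size is an assumed figure.

```python
import math

# Guesses per second quoted in the thread (assumptions, not measurements).
RATE_CONSUMER_CPU = 3e5    # "a few hundred thousand per second"
RATE_GPU_FAST_HASH = 5e9   # "billions" against a fast hash such as MD5

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_random(alphabet_size: int, length: int) -> int:
    """Candidates for a uniformly random password: alphabet ** length.
    (Not length ** alphabet, the transposition the post above corrects.)"""
    return alphabet_size ** length


def keyspace_scheme(dictionary_words: int, initials: int = 26, years: int = 100) -> int:
    """Upper bound for '<site initial><common word><2-digit year>' once the
    pattern is known: the parts multiply, they do not add."""
    return initials * dictionary_words * years


def entropy_bits(keyspace: int) -> float:
    """Strength in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace: int, rate: float) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return keyspace / rate / SECONDS_PER_YEAR


def compare(dictionary_words: int = 100_000) -> dict:
    """Side by side: the 18-char random password vs. the structured scheme."""
    strong = keyspace_random(93, 18)
    weak = keyspace_scheme(dictionary_words)
    return {
        "random_bits": entropy_bits(strong),
        "random_years_gpu": years_to_exhaust(strong, RATE_GPU_FAST_HASH),
        "scheme_bits": entropy_bits(weak),
        "scheme_years_cpu": years_to_exhaust(weak, RATE_CONSUMER_CPU),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>18}: {value:.3g}")
```

Even at the slow consumer rate the structured scheme falls in minutes, while the random 18-character password outlasts the GPU rate by a margin that makes the rate argument moot.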
 
My passwords for everything are:

NeverHadaPasswordCracked

Really should be ENeverHadaPasswordCracked12 to know that it's used for every site and for this year...
 