Welcome to the MacNN Forums.

If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below.

You are here: MacNN Forums > Community > MacNN Lounge > Apple News: Apple ID hacking attempts?

Apple News: Apple ID hacking attempts?
Thread Tools
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Status: Offline
Reply With Quote
Apr 1, 2024, 09:37 AM
 
https://www.macrumors.com/2024/03/26...ishing-attack/

I have not experienced this thank goodness but it's unusual for apple to be the target of hacks like this.
     
Spheric Harlot
Clinically Insane
Join Date: Nov 1999
Location: 888500128, C3, 2nd soft.
Status: Offline
Reply With Quote
Apr 1, 2024, 05:13 PM
 
I actually got a log-in allow notification with the map and passcode entry request — someone in Sao Paolo had apparently tried to log in using my Apple ID with the correct password and was only stopped by two-factor authentication.

Holy shit.
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Status: Offline
Reply With Quote
Apr 1, 2024, 05:47 PM
 
Ars Technica covered this too, as an "MFA Fatigue Attack". Oh, and AT&T has just admitted a data breech (method unknown) of 73 million current & former accounts. Including 49 million unique email addresses, and almost 44 million Social Security numbers. Plus snailmail addresses, phone numbers, date-of-birth, full names, plus (salted & hashed?) passwords.

Hope everyone is following good security practices: long random passwords, unique to every site. No reuse of passwords anywhere. This quarantines a compromise to a single account or service. Also, keeping the keys to everything you own on a single smartphone may not be so smart. Desktop or laptop, passwords on an encrypted thumb drive, roll your own solution. So a single smartphone breech doesn't reach everything. Ideally, spread things around so there isn't a single point of failure. It's less convenient, but good security always is.

If you haven't already, sign your emails up to the Have I Been Pwned website. Should your email(s) appear in data leaks, the site will email you with the details. I don't know of a similar service for leaked Social Security numbers.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 1, 2024, 06:49 PM
 
Hot take: if the password is long enough using mostly lowercase dictionary words is fine (and easier to type).
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Status: Offline
Reply With Quote
Apr 1, 2024, 08:00 PM
 
I like the Stanford password recommendations as a guide for creating passwords. It covers what length to use for various character groups (like all-lowercase) as well as sentence-passwords made of dictionary words. However, this guide has been unchanged since at least 2014. I'd add at least two characters to each recommendation, and at least two extra words to any sentence password.
     
Laminar
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Reply With Quote
Apr 2, 2024, 08:59 AM
 
There's always an XKCD.

     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 2, 2024, 09:52 AM
 
This-is-the-ideal-password-f0rmat.
     
Laminar
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Reply With Quote
Apr 2, 2024, 09:57 AM
 
Wait which O is a zero? I keep forgetting. And do you choose a new multi-word sentence for each website/login?
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 2, 2024, 10:00 AM
 
Don’t reuse passwords.

A good password manager will use a font which disambiguates a capital “o” from a zero.



Edit: I misunderstood your post. Though the XKCD mentions memorization, you shouldn’t actually do that without a password manager net (IMO).
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 2, 2024, 10:11 AM
 
Also relevant…

     
Laminar
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Reply With Quote
Apr 2, 2024, 10:12 AM
 
I never got into password managers. Is there something that works across any Apple/Android/Amazon/Windows device seamlessly? My iPhone keeps trying to recommend impossible passwords which is completely useless to me when I want to log in on Chrome on my work laptop.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 2, 2024, 10:18 AM
 
1Password is what I use.

If you can install Dropbox on your work laptop there’s a Chrome plugin.

They claim it works on everything. Isn’t Amazon shit Android?
     
Laminar
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Reply With Quote
Apr 2, 2024, 10:24 AM
 
I'm trying to get away from Dropbox. It's becoming nagware, and since they got rid of hotlinking all of those years ago it doesn't really do anything for me that I can't do through OneDrive or Google Drive. The last killer feature was keeping my car tunes on it so they're synced across my tuning laptop, home desktops, and also available online. I'm doing that with Google Drive now but I'm not impressed with its slow syncing. Either way I'd only access Dropbox on my work laptop through the web interface.
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 2, 2024, 10:36 AM
 
It looks like they have their own servers if you want to use those, but I’m not familiar with it.
     
andi*pandi  (op)
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Status: Offline
Reply With Quote
Apr 2, 2024, 10:26 PM
 
1password no longer requires dropbox. Which is good for me having multiple devices with 1password on it (phone, ipad, 2 laptops) and not wanting to pay dropbox for >3 devices.

This-is-the-ideal-password-f0rmat.
idealpasswordBas3-sitesuffix!
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 3, 2024, 09:32 AM
 
Originally Posted by andi*pandi View Post
idealpasswordBas3-sitesuffix!
I’m not sure I understand. Does this mean reuse the bas3 and change only the suffix?

That’s the same as reusing a password.
     
Laminar
Clinically Insane
Join Date: Apr 2007
Location: Iowa, how long can this be? Does it really ruin the left column spacing?
Status: Offline
Reply With Quote
Apr 3, 2024, 02:18 PM
 
"Ideal password base" - "website" - "!"

I think? Is the risk that a person or even automated system, if they got the password into plain text, could recognize the site name as part of the password and extrapolate that to other sites? How many intrusions result in the password being revealed in plain text?
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 3, 2024, 02:42 PM
 
What to worry about here isn’t a brute-force intrusion on an account, it’s an intrusion on a site with poor security.
( Last edited by subego; Apr 3, 2024 at 03:00 PM. )
     
andi*pandi  (op)
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Status: Offline
Reply With Quote
Apr 3, 2024, 05:38 PM
 
sitesuffix is not the site name but a clue. So for this site it might be AppleNN or something. (except on this site I use a completely random pw).
     
subego
Clinically Insane
Join Date: Jun 2001
Location: Chicago, Bang! Bang!
Status: Offline
Reply With Quote
Apr 3, 2024, 06:28 PM
 
Then you have to remember all your different site suffixes.

There’s also the problem of the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
     
reader50
Administrator
Join Date: Jun 2000
Location: California
Status: Offline
Reply With Quote
Apr 3, 2024, 06:47 PM
 
Originally Posted by subego View Post
... the sheer number of sites where the only appropriate suffix is Hive-of-Scum-and-Villainy
Ah, you've banked at WF or BofA also?
     
   
Thread Tools
 
Forum Links
Forum Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Top
Privacy Policy
All times are GMT -4. The time now is 03:31 AM.
All contents of these forums © 1995-2017 MacNN. All rights reserved.
Branding + Design: www.gesamtbild.com
vBulletin v.3.8.8 © 2000-2017, Jelsoft Enterprises Ltd.,