
[–]KeyserSosa[S,A] 304 points 305 points (147 children)

Reply to this comment with security-related horror stories suitable for /r/talesfromtechsupport, and we can crank up the fear mongering!

[–]u38cg2 108 points 109 points (22 children)

I was once /u/u38cg, but my easily guessed password was easily guessed. Then the rotten admins wouldn't reset it for me :(

[–]KeyserSosa[S,A] 110 points 111 points (20 children)

Lucky for you it appears you had a verified email, and the stupid admins have improved the ATO workflow in the last month. You should have just gotten a reset email.

[–]u38cg2 38 points 39 points (13 children)

That's weird. It didn't have one, which is why I couldn't recover it (I tried, under support request #57441).

[–]aryst0krat 14 points 15 points (6 children)

Perhaps the person who took it over also got into your email address and verified it?

[–]ansong 43 points 44 points (5 children)

The thief added their own email?

[–]u38cg2 26 points 27 points (4 children)

So it seems.

[–]AchievementUnlockd[A] 23 points 24 points (2 children)

It happens. Then, if we ATO it and attempt to return a suspected compromised account, the thief has the ability to reset the password. It's rarely their own email account - that's usually stolen too.

[–]allthefoxes 183 points 184 points (16 children)

Semi-unrelated storytime! (copypasting this from chatlogs so pardon bad formatting)

I found a security vulnerability in a large retailers website.

I went to report this vulnerability

For those that don't know, the proper way to report security vulnerabilities is generally through email to a security team or developer

For example, security@reddit.com

You don't tell others (this doesn't count) - You don't tweet it out, you don't call customer service, etc
Since god knows how that will go

So, I look around on this retailers website

Try and find something about bugs / reporting

Nothing, which is understandable

So I dig through their support database. Nothing even about reporting issues, let alone security

Same with their "forums"

At a loss, I decide to call their 1-800 and just see if I can get transferred to someone, or if someone knows the email

I get through a robo-thing, and some dude with an accent is on the other end

So I tell him, in the easiest way I can "I need to report a security vulnerability, how would I do that"

He didn't quite understand, so I rephrased, "I need to talk to someone who can help me with a security issue"

mistake #1

He replies "Absolutely sir I will transfer you"

and I'm like..great!

New person picks up. Female, different accent

Basically asks me a few questions about me. Name, etc

And then she asks what makes me think my account was hijacked. was it an order, etc?

And I'm like, "oooooooooooooooooooooooooooooooooooooooooooooooooooooh..no that's not what I meant"

I again try and explain what I need

"I need to get an email address so I can report a security bug" (they seemed to understand what I meant when I said bug)

She tells me to hold, and again I am transferred

Except its a bounceback

So , "How can I help you today"

I just hang up

New strategy

Whois the domain, and call the tech contact!

This seems to work better! The person sounds super professional. When I was talking to "Matt from corporate", I really was!

Matt seems to understand what I mean, and he tells me he will look into it

I am transferred

And the person on the other end again assumes my account was hacked / fraud, etc

so i cri

I ask again, just to see what happens

and I'm on hold

for about 20 minutes

I just hang up

At this point I'm grumpy

So I do what always works, take it to social media

I tweet this company, "Hey @Company, whats the correct contact to report a security vulnerability"

They reply, "@company: @allthefoxes: Can you elaborate"

"Sure @company, I found an issue in your website that compromises user security! Can you DM me an email address I can contact"

"@company @allthefoxes: I see, you can contact Twitter@example.com and I will make sure it gets to the right people"!

So, I'm closer now, but I'm like uuh, no, not sending this to a multi-person customer support email

The person assures me its monitored only by them at their corporate offices

I just want to strangle this guy at this point "THATS NOT HOW IT WORKS YOU FUCK"

SO. I do not give up so easily, I went to find my own path

I found the careers page for this company and found they were hiring developers

There I found a link in the bottom right to their twitter account about their web services

I follow this link, it's not @company, it's @companyapi, and I tweeted them, waited 20 minutes, no reply

but I saw they followed a lot of people for a corporate account

I looked at who they were following

And scrolled through a few pages, and saw @personA, Sr. Developer at example.com

and I'm like YES, SOMEONE WHO WILL UNDERSTAND

I look the person up to confirm who they claimed to be and tweeted them

30 minutes later he replies, we DM back and forth

and I finally get my god damn email

[–]wafflesareforever 116 points 117 points (12 children)

A laptop got stolen from an admissions office at my university. On its (unencrypted) hard drive was an Excel file containing the personal information, including SSNs and ACT/SAT scores, of everyone who had applied over the past 35 years. Not just students who were accepted or attended - if you ever applied for admission, your deets were in that file. What a huge embarrassing ordeal that was.

As far as we know, that file was never opened or shared by the thief, but we still had to call every person who was on the list to let them know what had happened. Real good for alumni relations.

[–]MonaganX 20 points 21 points (1 child)

I used to be /u/monagan before some unfortunate looking dude from Switzerland took over my account and started spamming his shitty twitch channel. Since I hadn't verified my e-mail address, there was no way for me to ever get it back, and I had to ask the admins to put the old guy down. Thanks again for your help in this tough time, by the way, it would have doubly sucked for my ghost to keep posting some god damn LoL nonsense. Rest in peace, little guy. I had a lot of porn posts saved on you that I was probably never going to look at again.

Seriously, I can only recommend you take this password stuff seriously. You might think you'd just lose pointless karma anyways, and I certainly didn't think I'd care when I made that account using my general purpose password, but remembering what you were subscribed to? Finding old posts you'd saved but can't remember where? Knowing that you probably started an argument with someone somewhere, and they have probably since replied, but now you can't respond and they think you chickened out? It's a massive pain in the ass.

[–]DKTim 84 points 85 points (7 children)

A long time ago a web host was offering a 6 month trial (with domain registration) completely free! no obligation required or credit card.

However it was only offered to the first x amount of people to sign up. It sounds like a bad popup banner from the early 2000s, but it was real!

So, here's the kicker. I arrived too late and registration was closed. I however noticed the promotion page had been changed to state that the promotion is closed/over, and the link to the register button was disabled.

So, I just typed www.webhostcompany.com/register.php and yep, you guessed it, the registration page was working! So I signed up and got started.

A few hours later I get phone call asking me how I managed to register. I told them the story. The guy laughed and said they will make an exception.

My story has nothing to do with passwords.

[–]MyPornographyAccount 25 points 26 points (1 child)

Worked for an enterprise security startup. The database on their appliance ran as root. The rest api made raw sql queries using user-supplied data with no validation. The https layer for the rest api ignored certificates as long as they were well formed.

When I pointed it out, they pushed fixing it to the next release because it wasn't that important.

EDIT: It gets better. The javascript on the login page for the management console had raw SQL queries to the same database. You know, the one running as root.
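The two defects in the comment above, side by side with their fixes, as an added example that is not code from the original post or from any real appliance. The table, the rows and the injection string are constructed for the demo; whether the query is built in the REST API or in the login page's JavaScript makes no difference to the fix, which is that user input never becomes SQL text (and that the database should not be running as root in the first place, so a single injected query cannot hand over the whole box).

```python
import sqlite3
import ssl


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the appliance's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, api_key TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "key-alice"), ("bob", "key-bob")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str):
    # Deliberately broken, as in the story: the request parameter is spliced
    # into the SQL text, so quoting in the input rewrites the query.
    sql = f"SELECT name, api_key FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, name: str):
    # Parameterised: the driver passes the value separately from the SQL,
    # so it is compared as data and can never change the statement.
    return conn.execute(
        "SELECT name, api_key FROM users WHERE name = ?", (name,)
    ).fetchall()


# A classic tautology payload; against the vulnerable query it returns every row.
INJECTION = "nobody' OR '1'='1"


def tls_context_broken() -> ssl.SSLContext:
    # "Ignores certificates as long as they are well formed": any chain is
    # accepted and the name is never checked, so anyone on the path can MITM.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def tls_context_fixed() -> ssl.SSLContext:
    # Default context: CERT_REQUIRED, hostname checking, system trust store.
    return ssl.create_default_context()


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, INJECTION))   # both rows leak
    print("fixed:     ", lookup_fixed(db, INJECTION))        # []
    print("broken TLS verifies peer:", verifies_peer(tls_context_broken()))
    print("fixed TLS verifies peer: ", verifies_peer(tls_context_fixed()))
```

The same `?` placeholder pattern exists in every mainstream driver (`%s` for psycopg2, `?` for JDBC and sqlite, `$1` for asyncpg); the check for the TLS side is simply that `verify_mode` is `CERT_REQUIRED` and `check_hostname` is on, which is what the default context already gives you.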

[–]ani625 31 points 32 points (2 children)

During a computer security assessment, auditors were able to convince 35 IRS managers and employees to provide them with their username and change their password to a known value. Auditors posed as IRS information technology personnel attempting to correct a network problem.

http://passwordresearch.com/stories/story72.html

[–]sec-horrorthrowaway 19 points 20 points (3 children)

A real security horror story:
Somewhere in the world, a fairly large corporation has a windows server in their DMZ. This server has an any:any:allow rule on the internal firewall because "it's a critical system" and "we can't afford the down time if we apply the wrong firewall rules". If you can compromise the server, you can get plaintext passwords for logged in accounts, and gain access to a fair amount of the internal network.

[–]DoctorProfPatrick 10 points 11 points (0 children)

osu!, a free-to-win rhythm game, just had its source code leaked because one of the developers used the same password for multiple sites. A hacker compromised one of those sites, and used the password to gain access to the developer's github account. It's been quite problematic...

You can read more about it here: (side note: /u/pepppppy is the main developer for the game)

https://www.reddit.com/r/osugame/comments/4kyegq/regarding_osus_sourcecode_leak/

tl;dr good passwords are a necessity nowadays.

[–]raffters 18 points 19 points (3 children)

The company where I work has pretty normal security requirements (8 characters, some special character stuff, etc) and had some penetration testing done.

After the initial penetration was done, they had cracked most passwords in under 2 hours and 95% in 4.

[–]WHOSTOLEMYPORNALT 60 points 61 points (3 children)

My cool porn account /u/FUCKINGCAPTCHAS didn't have an email and the password was 123456789, someone stole it and now I have to use this one!

[–]b4ssm4st3r 10 points 11 points (0 children)

I am locked out of an account on another site because I don't remember my password. And in order to reset it I need to know my password. And when I call, in order to talk to a person I ... need to know my password.

It's rather frustrating.

[–]damontoo 4 points 5 points (4 children)

I saw a major corporation was using FTP to embed images in an obscure part of their site in the form ftp://user:pass@company.com. There were hundreds of files on the server from ad campaigns to employee contracts and the account used had write access to all of it. I called and spoke to someone that I was told handles security. It didn't seem like they had a team. He asked what account it was and told me he'd investigate. A year later I got curious and checked on it and nothing changed. The account was still enabled with the same permissions and they were still posting the login on their website.
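A check for exactly the mistake described above, as an added example that is not code from the original post or from the company involved: scan page source for URLs that carry `user:pass@` in the authority part. The HTML snippet, host name and credentials below are constructed for the demo; the parsing relies only on the standard library's `urllib.parse.urlsplit`.

```python
import re
from urllib.parse import urlsplit

# Any scheme://... run up to whitespace or a quote/angle bracket that ends an attribute.
URL_RE = re.compile(r"""\b[a-zA-Z][a-zA-Z0-9+.-]*://[^\s"'<>]+""")


def find_embedded_credentials(text: str) -> list:
    """Return one finding per URL whose authority carries a username (and
    usually a password). The password itself is never put in the finding;
    the redacted URL is enough to locate the offending markup."""
    findings = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")
        parts = urlsplit(url)
        if not parts.username:
            continue
        redacted = url
        if parts.password:
            redacted = url.replace(f":{parts.password}@", ":***@", 1)
        findings.append({
            "scheme": parts.scheme,
            "host": parts.hostname,
            "username": parts.username,
            "has_password": parts.password is not None,
            "url": redacted,
        })
    return findings


# Constructed page fragment: one clean image, two references that leak an FTP login.
CONSTRUCTED_PAGE = """
<img src="https://cdn.example.com/banner.png">
<img src="ftp://webuser:Summer2016@files.example.com/ads/campaign1.jpg">
<a href="ftp://webuser:Summer2016@files.example.com/hr/contracts/">archive</a>
"""

if __name__ == "__main__":
    for f in find_embedded_credentials(CONSTRUCTED_PAGE):
        print(f"{f['scheme']}://{f['username']}@{f['host']}  ->  {f['url']}")
```

Run it over a crawl of your own site (or a `view-source` dump) and anything it returns is a credential that is public by definition; the account needs to be disabled, not just the markup fixed, because the login has already been served to every visitor.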

[–]TheLonelyWind 31 points 32 points (9 children)

My runescape account got hacked once. Even took my logs.

[–]buge 2 points 3 points (0 children)

I've been personally targeted by 4 different "hackers".

One of them created a forum and asked me if I want to be a moderator for it. I eventually agreed, but I realized the entire reason he invited me was because he was hoping I would reuse the same password on the forum as on my video game account, because that account was fairly wealthy. But joke's on him, I use a long unique random password for every site.

Another pair of guys DDOSed me saying they wouldn't stop until I "traded" my items to them. I didn't do it, and they stopped after 30 minutes.

Another guy tried to trick me into clicking the wrong button in Teamviewer that would give him remote control of my computer.

[–]MannoSlimmins 25 points 26 points (3 children)

I once had an issue with my account. But the admins turned it off and on again and it worked!

[–]FurryWolves 1 point 2 points (0 children)

So, don't want to get downvoted to oblivion here for mentioning furries, but this is very relevant. Furaffinity just got hacked a couple of weeks ago and every single user and password was leaked, everyone's personal data, just the entire site. So if anyone does have an account on there, make sure to change your password to everything connected to it! If your email has a password you use for everything, like I did and had to reset it cause I couldn't get into my email (luckily it was an old account and I still got in with my phone number), reset your passwords! And use symbols!

[–]thedarkjack 1 point 2 points (0 children)

I never changed my password on reddit after the xsplit hack and a few weeks back my account got compromised, my 20k people subreddit got taken over and my account finally was deleted. Thankfully reddit admins were pretty fast to fix everything.

People change your passwords if you have an Adobe, xsplit, or anything else hacked account.

[–]atomic1fire 0 points 1 point (0 children)

I have one that comes to mind involving a few reddit accounts, a couple forums, a video game codebase, and a lot of drama in one subreddit.

In posting this I mean no disrespect to the users of /r/ss13, goonstation, or any of the affected players.

So a dude got into a database and found a password for a code repository. They leak the copy of the codebase that the victim had, and then when players from other competing servers found out that this "closed source" codebase was leaked, got really upset about the whole thing (because the goon coders did not want their codebase to be open source, and other servers understood that) and the hacker childishly responded by discovering people's reddit passwords based on his database access. He proceeded to hijack various reddit and forum accounts in some stupid attempt to insult his or her critics. Spamming his or her stupid messages all over /r/ss13 about how great of a hacker they are or whatever.

Goonstation admins come out with a statement saying that the code release was done without their consent, and they'll be working with the proper authorities once they find out who is responsible.

http://pastebin.com/cBzLCrcu (mirror of the announcement)

https://np.reddit.com/r/SS13/comments/48ot44/hacked/ (thread detailing one person's reddit account hack, plus a statement from an /r/ss13 mod.)

https://www.reddit.com/r/SS13/comments/48kh01/goon_station_member_pays_200_in_ransom_in_an/ (IRC logs)

https://github.com/goonstation/goonstation-2016 (official github)

Goon Coders announce that they'll be making a one time open source revision of the code based on what was leaked, as an act of good will since their code is out there anyway, and they thank the members of other SS13 servers for being so understanding.

This hacker not only managed to leak a codebase, but hijack several Reddit accounts with passwords they discovered through a single forum, but then apparently hijacked another forum based on a discovered password, and caused a lot of drama for about a solid week or two.

Ultimately Goon admins created a patches subforum for people who add their own code features to the server under a BSD license, which has netted them some community contribution. Overall though the whole thing kinda sucked because someone went well out of their way to ruin quite a few people's day and hack people's reddit passwords just to be childish. I heard the database owner even paid money to avoid getting the codebase leaked and the hacker did it anyway.

tl;dr Using the same password for stuff is a bad idea. Also Hackers suck.

[–]iamnos 0 points 1 point (0 children)

In an attempt to heighten security awareness, one of our two security groups at a former company decided to send out a phishing email internally to see who would respond. This was after a required online security training course aimed at non-technical users.

The group conducting this test wrote an email that looked like an official email telling the user that they needed to verify their account by replying to the message with their username and password. They picked, at random, a number of people in our organization to email it to. The idea wasn't so much to single out people, but to get an idea of how the security training went and if people were learning from it.

Now, from a security perspective, this is a good idea. You get real world data from your organization on how effective a course was and how likely users are to fall for phishing attempts. The problem with this one was that instead of using BCC, they used CC.

In case you don't see the problem, people often use the reply-all button. So, what we ended up seeing was user credentials getting sent to everyone on the list, forwarded to others saying things like "is this legitimate", etc. Our account management team spent most of the rest of the day forcing password resets on all these accounts.

Of course the mail server admins weren't happy either as they dealt with a massive increase in emails, a number of which were reply-alls saying "STOP REPLYING TO ALL".
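The CC-versus-BCC distinction from the story above, as an added example that is not code from the original post or from that company's test: the recipient list of a simulated phish belongs in the SMTP envelope, not in any header, so that reply-all reaches only the sender. The addresses and text are constructed; `send_campaign` uses the standard library's `smtplib` and is the only part that touches a network.

```python
import smtplib
from email.message import EmailMessage


def build_campaign_message(sender: str, targets: list, subject: str, body: str,
                           expose_list: bool = False):
    """Return (message, envelope_recipients).

    With expose_list=False the only visible recipient is the sender's own
    mailbox; every target is delivered via the envelope (the effect of Bcc)
    and a reply-all goes back to the sender alone. expose_list=True
    reproduces the mistake in the story: the whole list lands in Cc, so
    every reply-all fans out to all of them."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    msg["Subject"] = subject
    msg.set_content(body)
    if expose_list:
        msg["Cc"] = ", ".join(targets)
    return msg, list(targets)


def exposed_targets(msg: EmailMessage, targets: list) -> list:
    """Which target addresses would a recipient see in the headers?"""
    headers = "\n".join(f"{name}: {value}" for name, value in msg.items())
    return [t for t in targets if t in headers]


def send_campaign(msg: EmailMessage, envelope_rcpts: list,
                  host: str = "localhost", port: int = 25) -> None:
    # to_addrs is the envelope; nothing in it is added to the headers.
    with smtplib.SMTP(host, port) as smtp:
        smtp.send_message(msg, from_addr=msg["From"], to_addrs=envelope_rcpts)


# Constructed addresses for the demo.
TARGETS = ["a.user@corp.example", "b.user@corp.example", "c.user@corp.example"]

if __name__ == "__main__":
    good, rcpts = build_campaign_message("it-sim@corp.example", TARGETS,
                                         "Account verification", "Please reply with ...")
    bad, _ = build_campaign_message("it-sim@corp.example", TARGETS,
                                    "Account verification", "Please reply with ...",
                                    expose_list=True)
    print("exposed (envelope only):", exposed_targets(good, TARGETS))   # []
    print("exposed (Cc):           ", exposed_targets(bad, TARGETS))    # all three
```

The same rule applies if you hand the message to an external phishing-simulation service or a mailing tool: check the rendered headers of one delivered copy before the campaign goes out, and if any target address appears in To or Cc, stop.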

[–]Pikalyze 1 point 2 points (1 child)

An older sibling knew my rs password.

Logged onto it to try and get his acc back but stupidly gave my acc details away.

So make sure only you know your passwords, not even 'trusted' people.

Rip

[–]Adobz 0 points 1 point (0 children)

This happened years ago. A friend of mine was hanging out at my place when he asked to borrow my laptop to log into MSN Messenger. When he left, I went on my laptop to log back into my own MSN account. Because he was the last one using MSN Messenger on my laptop, I had to retype my password to login. When I logged in, however, I noticed my friends list was totally different. That's when I realized that I accidentally logged into my friend's MSN account. Thinking my computer somehow gained some super ability to log into any MSN account, I tried logging into other people's accounts, but none of them worked. It was at this point that I realized that my friend and I shared the same generic password. I called him the minute I found out so he could change it. He didn't sound happy that I accidentally hijacked his account but it was a good lesson for the two of us.

[–]DuntadaMan[🍰] 0 points 1 point (0 children)

While working for a start up logistics company I had to check our ability to link up our automated transport system with a client's account on a major web retailer.

I'm not exactly an engineer, I can only read the code not generate it so I'm not entirely certain what the query code was... but as a third party I suddenly found myself with a print out that contained our client's username, password, and IP address for their admin account with that retailer.

Entirely by accident I now had the ability to order... well literally anything on someone else's company card.

I sent the print out right back to their tech support team (with edits to the password and username) and informed my client to change their password... now.

Thankfully that error was fixed, but seeing as all I needed was a company name to get that report sent to me...

[–]KeyserSosa[S,A] 324 points 325 points (418 children)

Reply to this comment with suggestions on good password managers and heuristics for making passwords. I'll try to plug the good ones in an edit.

[–]Executioner1337 260 points 261 points (47 children)

Sorry for hijacking an admin comment. If you ever get there to release the 2FA for regular users, please please please don't make your own implementation of it so it only works with your own app, like Blizzard or Steam, even if it's based on the widespread TOTP algorithm. Let us use Google Authenticator or FreeOTP or our own app!

[–]KeyserSosa[S] 116 points 117 points (21 children)

Nope. Never! Having more than one 2FA drives me NUTS.

In fact, like I mentioned, we have 2FA enabled for admins for accessing the secure bits of the stack and we're using GA I believe (I personally use Authy).
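What "based on the widespread TOTP algorithm" buys you in practice, as an added example that is not code from the original thread or from reddit: a standard RFC 6238 TOTP implementation is what Google Authenticator, FreeOTP and Authy all compute, so a server that implements it (and hands out the secret in the usual `otpauth://` form) works with any of them. Everything below is standard-library Python; the issuer and account names in `otpauth_uri` are placeholders, and the secret `12345678901234567890` is the RFC's own test key, used so the output can be checked against the published vectors.

```python
import base64
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation,
    then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter = number of `step`-second intervals since the epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def verify_totp(secret: bytes, code: str, at: Optional[float] = None, step: int = 30,
                digits: int = 6, window: int = 1, last_used: int = -1) -> Optional[int]:
    """Server side. Accepts the current interval and `window` intervals either
    side (clock skew), compares in constant time, and returns the matching
    counter so the caller can store it: a counter <= last_used is refused,
    which stops a captured code from being replayed inside the window."""
    now = time.time() if at is None else at
    base = int(now // step)
    for counter in range(base - window, base + window + 1):
        if counter <= last_used:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps carry the secret as unpadded base32; restore padding."""
    s = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def otpauth_uri(issuer: str, account: str, secret: bytes,
                digits: int = 6, step: int = 30) -> str:
    """The provisioning URI that the QR code encodes (placeholder issuer/account)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    key = b"12345678901234567890"            # RFC 4226 / 6238 test secret
    print(otpauth_uri("ExampleSite", "alice", key))
    print("TOTP at T=59 (8 digits):", totp(key, at=59, digits=8))   # 94287082 per RFC 6238
    print("current code:", totp(key))
```

Store the per-user secret like a password-equivalent (it is one), never log submitted codes, and persist the returned counter; without that last step an attacker who shoulder-surfs or phishes a code has up to `window` intervals to reuse it.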

[–]actuallobster 169 points 170 points (6 children)

I always use "sAts$rC;"bj3tZQ#K" as a password. It was generated by a secure password generator site, so I know it can't be cracked.

[–]KeyserSosa[S] 109 points 110 points (1 child)

[–]xkcd_transcriber 48 points 49 points (0 children)


Title: Random Number

Title-text: RFC 1149.5 specifies 4 as the standard IEEE-vetted random number.


Stats: This comic has been referenced 509 times, representing 0.4538% of referenced xkcds.



[–]KeyserSOhItsTaken 116 points 117 points (4 children)

KeyserSosa huh? So you're the son of a bitch who took my name.

[–]KeyserSosa[S] 86 points 87 points (3 children)

I had it first. IT'S MINE ALL MINE MWAHAHAHA!

[–]asantos3 -20 points -19 points (16 children)

Are you serious about the suggestions made on the post? You should know better than trusting proprietary software with your passwords.

At least use free software in your security needs, in this case the popular and better alternative would be keepass.

Edit: Downvote me all you want and trust your passwords with online cloud managers. Enjoy the same security as you have before.

[–]KeyserSosa[S] 30 points 31 points (8 children)

...which is why I asked for suggestions from people about their favorite password managers and said I would update the post.

[–]ooebones 9 points 10 points (1 child)

I use and enjoy KeePass quite a bit. It's a locally stored issue that you can have 2FA on. I'm also a big believer in password managers. I realize it's a single point of failure, however I believe the benefits (random, long, not reusable passwords for every site/application I use) outweigh the fact that it's in a database on my computer. If someone is already on my computer, I'm likely screwed anyway. I also like KeePass because I use it on application log in (Steam, work programs etc.) and it's not always tied to internet connectivity.

[–]badcookies 2 points 3 points (2 children)

I would update the post.

Can you update it to include Keepass? Been an hour and multiple other people have suggested it.

[–]ur_a_fine_person 57 points 58 points (21 children)

Hi! I am not a fan of using a password manager, because I'm old fashioned and think that the best possible security is keeping the password in your head. However, I am a fan of creating a unique, rule-based password.

What is a rule-based password?

A rule based password is a password comprised of: (1) a base password and (2) a set of logic rules that modify the base password for each unique website.

How do I create a rule-based password?

First, pick your base password. In this example, I'll use "Fi$h.net" as my base.

Second, create a rule that you and only you can know and remember. I like to create rules based on the domain name of the website I am visiting. For this example, let's suppose the rule is that you'll take the first two letters of the domain, put them in front of your base password, and then take the last vowel and put it at the end of your password.

So your password for reddit becomes: reFi$h.neti But your password for google would be: goFi$h.nete

You can make the rule as complicated as you want. For example, you could add a condition that the password will include a number in the middle of the base equivalent to the number of consonants in the domain name.

Your password for reddit is now: reFi$h.4neti Your password for google is now: goFi$h.3nete

What are the advantages of a rule-based password?

A rule-based password allows you to create a unique but memorable password for each and every website you visit. Instead of having to rely on a password manager (which requires you to trust others with your passwords), a written password book (which can be stolen) or a single "chairbatterychainhorse" type password, you can now use a unique password that only you have access to. And the best part is that you only have to remember two things: (1) the base password and (2) your rule!

What are the disadvantages of a rule-based password?

While a rule-based password is more secure than re-using a password, it comes with some risks. First, if a dedicated hacker has two or more of your passwords, it is possible that the hacker could work backwards to figure out your rule. However, it is unlikely that you'd find this kind of dedication for any mass-attack type of hacker, because they are generally focused on the least time consuming targets (e.g. people who reuse passwords).

Because this method would require having at least two passwords to figure out the person's rule, and would require spending a significant amount of time working backwards to figure out the logic of the rule, it is not likely that anyone other than a dedicated stalker (that you happen to know in real life) and/or a creepy significant other with a keylogger would be able to learn your rule.

Edits for more FAQs

How do you deal with a site that has weird special rules?

Generally, I try to use a base password and rule that would cover most password rules: something that's at least 8 characters, does not contain any reference to any username I have, contains numbers, an uppercase and a lowercase letter, and at least one special character. Occasionally, I run into websites that have their own special rules. For example, maybe Target won't allow special characters. If that's the case, I email myself Target's own rule -- the email might say something like: "subject: target; body: no special characters." I keep these emails in a special folder, and I never put my password or rule in the email -- just the site's requirements. That's usually enough to jog my memory on how the password should be different. Following my example above, Target's password becomes: taFiSh4nete. This requires additional memory, and won't work for folks with memory problems. That said, I tend to have terrible memory when it comes to names/places/etc. and I have yet to be unable to log into anything.

What happens if a site is compromised?

So another weird quirk is that I generally change my passwords once a year, because I'm a little paranoid. (Happy new password year!) Every year, I'll come up with a new base and rule. When a site is compromised, I'll change the password ahead of schedule to the new year's rule. I'll also send myself an email that says something like "Subject: target, body: compromised on 4/25/16; changed on 4/26/16" just as a reminder. If I have trouble logging in, I'll look at this email for guidance to help jog my memory. Again, do not put your password or base in the email.

Does the rule have to be about the domain name?

No, but that's generally the easiest. If you were particularly concerned about the rule being secure, you could make your rule about something else related to the product/service. For example, you could make a rule that also incorporates the colors of the company logo, the purpose of the site, how you feel when you visit, etc. So long as you can remember your own rule, what it incorporates is up to you.
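The rule described in the comment above, written out as code so the three worked passwords (reddit, google, and the no-special-characters variant for Target) can be reproduced exactly, plus the check the commenter's own "disadvantages" section invites. This is an added example, not code from the original post; the split of the base `Fi$h.net` into `Fi$h.` and `net` around the inserted number is inferred from the commenter's examples, and `longest_common_substring` is the attacker's-eye view of what two leaked passwords from the same person reveal.

```python
VOWELS = set("aeiou")


def site_parts(domain: str):
    """The three site-derived ingredients of the commenter's rule."""
    name = domain.lower().split(".")[0]                       # "reddit.com" -> "reddit"
    prefix = name[:2]                                         # first two letters
    consonants = sum(1 for c in name if c.isalpha() and c not in VOWELS)
    last_vowel = next((c for c in reversed(name) if c in VOWELS), "")
    return prefix, consonants, last_vowel


def rule_password(domain: str, head: str = "Fi$h.", tail: str = "net",
                  allow_special: bool = True) -> str:
    """prefix + head + consonant count + tail + last vowel.
    allow_special=False reproduces the Target variant: '$' -> 'S', '.' dropped."""
    prefix, consonants, last_vowel = site_parts(domain)
    if not allow_special:
        head = head.replace("$", "S").replace(".", "")
        tail = tail.replace("$", "S").replace(".", "")
    return f"{prefix}{head}{consonants}{tail}{last_vowel}"


def longest_common_substring(a: str, b: str) -> str:
    """What an attacker holding two of this person's passwords sees at a glance:
    the site-specific characters differ, the base does not."""
    best = ""
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if k > len(best):
                best = a[i:i + k]
    return best


if __name__ == "__main__":
    for site in ("reddit.com", "google.com"):
        print(site, "->", rule_password(site))
    print("target.com ->", rule_password("target.com", allow_special=False))
    leaked = [rule_password("reddit.com"), rule_password("google.com")]
    print("shared core of two leaks:", longest_common_substring(*leaked))
```

The second function is the practical caveat to the scheme: the base does not need to be "worked backwards" from the rule, it is simply the part that two leaked passwords have in common, and from there the remaining four site-dependent characters are a small search for any third site.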

[–]Victoria_Lucas -13 points -12 points (6 children)

How can I view quarantined subs like /r/spacedicks ? I've done everything that I'm instructed to do by verifying my password and I still can't view them. Can you help?

[–]KarmaAndLies 57 points 58 points (15 children)

I just want to reply to say, if you choose to use a cloud-based password manager, then you should be utilising two factor authentication (e.g. Google Authenticator). LastPass supports Google Authenticator on both free and premium accounts.

They also support:

  • Alerts (e.g. login from new device, change account password, etc).
  • Country Restriction (e.g. US only).
  • Auto-expiration of trusted devices.
  • Auto-log off
  • And the Master Password is hashed using PBKDF2-SHA256 with the rounds being configurable, the database is then encrypted using the hash as the key, and AES-256 as the algorithm. So picking a strong master password with high rounds is important, I recommend 10,000 rounds as a starting point.

All of this on the free accounts.

[–]Mapleyy 36 points 37 points (16 children)

xkcd-style passwords are a good start, but they're still vulnerable. There's a tool from Dropbox, zxcvbn, which allows you to estimate how secure your password is based on a number of factors (length, simplicity, dictionary words, common passwords, etc.). For example, my old password on reddit was an xkcd-style password which could be guessed in 36 minutes at best. Adding a bit of complexity to such a password makes a huge difference: a couple punctuation marks, a random number in the middle of a word, etc.

Also, haveibeenpwned.com is a must-have tool for making sure your password hasn't been published in any dumps, making checking across dozens of sites really easy. LinkedIn recently suffered a major breach and they didn't notify their users for hours, but this site caught on quickly.
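How a breach-dump lookup like the one recommended above can be done without sending the password (or even its full hash) anywhere, as an added example that is not code from the original thread or from haveibeenpwned.com. It assumes the Pwned Passwords range endpoint (`/range/<first 5 hex chars of SHA-1>`, which answers with `SUFFIX:COUNT` lines); the breach "corpus" and its counts below are constructed so the demo runs offline, and `http_fetch_range` is the only function that touches the network.

```python
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times `password` appears in the corpus (0 if never).

    k-anonymity: only the first five hex characters of the SHA-1 leave the
    machine; the server returns every suffix in that bucket and the match is
    done locally, so the service never learns which password was checked."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def http_fetch_range(prefix: str) -> str:
    """Live lookup against the real service (network access required)."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the server: a tiny corpus with made-up counts,
# rendered in the API's SUFFIX:COUNT line format for whichever bucket is asked for.
CONSTRUCTED_CORPUS = {"123456789": 7_000_000, "password": 3_000_000, "hunter2": 25_000}


def fake_fetch_range(prefix: str) -> str:
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        h = sha1_hex(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 34 + "A:1")          # an unrelated member of the same bucket
    return "\r\n".join(lines)


if __name__ == "__main__":
    for pw in ("123456789", "reFi$h.4neti"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
    # Real check: pwned_count("123456789", http_fetch_range)
```

Wire `http_fetch_range` into a registration or password-change handler and reject (or at least warn on) anything with a non-zero count; because only a 5-character prefix is transmitted, this is safe to run against user-supplied passwords in production, which a full-hash lookup would not be.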

[–]iwant2fly 64 points 65 points (11 children)

KeePass is very nice if you don't want to store your passwords in the cloud. There are a lot of plugins to make it integrate with most anything.

[–]dejaentendu280 144 points 145 points (38 children)

Keepassx! https://www.keepassx.org/

Not the prettiest, but it's cross-platform, functions well, and is published under GNU GPL.

[–]AnnuitCoeptis 38 points 39 points (1 child)

I use KeePass. Its auto-type feature comes in very handy when logging in to a new site.

[–]PicturElements 43 points 44 points (9 children)

I wrote a neat super secure password generator for you in Java. Use it wisely. Thank me later.

import java.util.Scanner;

public class securePassword {
    public static void main(String[] args) {
        Scanner in = new Scanner(System.in);
        System.out.print("Type in a number: ");
        // "hunter" followed by whatever number was typed: hunter2 with extra steps
        System.out.println("Your super secure password is: hunter" + in.nextInt());
        in.close();
    }
}

[–]lurkotato 16 points 17 points (1 child)

Password card and 1password are my go-to generator/managers.

1password for most everything and passwordcard + sticky note under my keyboard in my wallet (with vague interpretations of the coordinates of the password) for places where I don't have access to 1password.

[–]Bossman1086 10 points 11 points (5 children)

I just started using Dashlane. It's regularly pitted up against LastPass as a good alternative. Its apps (and desktop app!) are very polished and work really well at automatically logging you in, giving you stats about how secure you are, etc. It's more expensive than most alternatives, but I like it a lot.

I still haven't moved completely over yet because I hate having to deal with passwords I can't type from memory. Dashlane syncs to the cloud for you, but it's such a pain still. I should bite the bullet and make sure they're all unique though...at least the ones that don't have 2FA and aren't games (because password managers can't really work with game clients).

[–]everydayIProgram 4 points 5 points (0 children)

Dashlane is a great password manager. Been using it for years. Not as polished as some but it has some cool features.

For example, it can automagically change passwords on your accounts. Alerts you to breaches (although, this might be standard). Gives you a security rating. Supports 2FA. Etc.

[–]keepthethreadalive 12 points 13 points (26 children)

LASTPASS!

I'm hearing a lot of keepass responses, but if anyone honestly tried lastpass for a prolonged period of time, and made use of all the features - password sharing, password generator with options, and notes, and many more, and still likes keepass, you're probably a bit more paranoid than me, or you pay a lot more for the others. And it costs $12/yr, approximately a month's worth of Netflix. And mobile access is the only paid feature that's worth it IMO, and I'm okay without it.

They recently also released a 2-factor authenticator (like Google Authenticator) which is similar to Authy but not that awesome. Once they make it as good as authy (read: chrome extension), I see it as no contest, except for the closed source thing.

Pls make lastpass open source

PS: You can get 6 months of free premium if you have a student email handy. And it's not one of those charge-you-once-we're-done things.

[–]lev 6 points 7 points (17 children)

Shameless plug: https://levneiman.com/?p=458

Basically:

  • Remember a master password.
  • Add username + name of service to the end of master password.
  • Run the resulting combo through a hash function such as sha.
  • Use resulting hash as a password for some service.

Advantages

  • Relies on your memory to store master password. It's not anywhere else physically unless you put it there.
  • Hash algorithms are ubiquitous and you can bookmark a webpage that will generate hashes for you: bcrypt calculator. This means that you only need your memory + access to any kinda browser to compute the hash.

Disadvantages

  • If you forget master password, you're fucked.
  • If someone steals master password, you're fucked.
  • Can be more cumbersome than just remembering an easy password and reusing it everywhere. But that's the whole point!

I use such method for almost everything I use.

[–]jazzwhiz 1 point 2 points (1 child comment)

Is pwdhash a good thing to use?

It works by taking my password (for me, the same for every site) and hashing it with the domain name (google.com, reddit.com, etc.) and makes that the password.

What is the thought from experts on whether or not this is secure?

Pros: the resultant password is long, and contains random upper, lower, and numbers (and symbols if I use symbols). My passwords are different for every site without trying, easily solving the password reuse problem.

Cons: Ultimately it is just one password. If someone went through the additional step of cracking it they could run it through pwdhash.com and get access to all of my passwords.

[–]deadowl 1 point 2 points (0 child comments)

I saw someone submitted a password reset request on my Reddit account the other day. I've been going through everything I can find or think of and switching to a password manager. I'm using KeePassX and KeePassDroid alongside Google Drive. LastPass is definitely a lot fancier, but I prefer open solutions.

In the meantime, I would not have guessed the number of accounts I actually have. A handful were deleted for inactivity or purged in a merger. I also deleted a few myself.

[–]rocketwidget 1 point 2 points (0 child comments)

For password managers, I like KeePass because

  1. Free and open source software. Open source is especially important for security applications.

  2. Because it's free and open source, you never have to worry about a discontinued service, or depend on a company for service.

  3. Has free and open source ports to almost every OS.

  4. You can choose to synchronize your database on any cloud service you want... or not at all.

[–]Devam13 1 point 2 points (1 child comment)

I use a weird combination of Lastpass and Keepass and Enpass and a USB thumbdrive. Seriously it's a weird way but it works amazingly and is quite secure. If you wanna know in detail, shoot a reply. I am too lazy to type a long ass reply right now but will reply tomorrow.

[–]poochyenarulez 2 points 3 points (5 child comments)

I always use two or three different base passwords, then add to that password something unique based on the website. Such as, for reddit my password would be rpassworde, for google, gpasswordo. Take the first two letters of the site name, and add it to your password. It makes remembering your password extremely easy.

[–]xadriancalim 0 points 1 point (0 child comments)

I have three password forms. One is my network login at work, the others are websites or applications I use at work, and the other is personal sites.

For personal sites I use a rule-based approach. It's already been described, but the one I use is taking two four-character words, converting one to how it's spelled on a touch tone phone, and then ending it with the name of the site. Sometimes you'll need to capitalize or have special characters, I just have to remember those. For example, if you're a fan of Star Trek, your reddit password would be star8735red, be fancy and put a symbol in there. Now the only thing that changes are the site names.

My work related sites, I have one word that's capitalized and has numbers and symbols, and then I just tack the site name on the end. S1TH*cisco, haven't had a time that didn't work. My problem here is remembering user names.

Network password I use a pattern. This password changes the most often so it's easier to have something I can change a lot, but I don't want to have to remember it. Put your fingers on the 1, 2, and 3 keys. Type 1, 2, 3, hold shift, do it again, !, @, #, now go down to the letters and repeat. Your password is now 123!@#qweQWE. Meets most requirements, you don't have to remember what each one is, when you have to change it, shift over a key. When you get to 8, 9, 0, congrats, you've been there 8 years and you can start reusing old passwords.

[–]RibShark 4 points 5 points (3 child comments)

I use pass, which is very good for technical users, however may not be great for the majority of people.

[–]lattakia 1 point 2 points (0 child comments)

I use ansible vault to edit/view a local password file stored on a USB drive.

$ ansible-vault view mypasswords
$ ansible-vault edit mypasswords

[–]Saxi 0 points 1 point (0 child comments)

If you are not using a generator in tools like 1Password, Roboform, LastPass then use a phrase and not a password.

Spaces can make a password much more memorable and exponentially harder to crack.

For example:

This is a typical password I use: @K[UzFL"qpN;q28nx8XrL7YREX*YwYEv

I never would remember that, and thanks to my password manager I don't have to.

But if I had to remember a password, I would do something like this:

'Reddit is a good way to waste time in 2016'

This password is extremely secure, and quite easy to remember. You don't need a complicated formula or a complex password, just something long and preferably with as many symbols/numbers/uppercase as you can manage to use, but length is the most important factor.

Finally, never use your password on more than one site, this is where a password manager shines, but if you can't/won't use one, make sure you are not using your dog's name on all your websites because when one site is hacked (and it will happen) hackers don't go down the list trying popular sites with the same username/email and password combo (and they will, automatically with little to no user intervention).

[–]Da2Shae 0 points 1 point (0 child comments)

Actually another good point to mention is being careful what kind of information you post on reddit as you may reveal some answers to your account's password recovery questions.

This is an ongoing issue on /r/runescape and /r/2007scape where users would make posts based on their achievements in game which make them a target for account hijackers. Hijackers would go through your post history for any hints about your email/runescape/reddit account's secret questions and try to use that to answer your security questions.

Typically these questions are those that come up in everyday conversation "What is your high school's mascot" (Google his school and find it) or "What is your pet's name" (Search his post history).

Nowadays people have to be aware of what their security questions are and be careful about accidentally answering them in everyday conversation. It's important to choose really specific security questions when setting up your account to lower the odds of giving them away accidentally.

[–]3226 0 points 1 point (1 child comment)

Use something like the correct horse battery staple password generator, based on this XKCD comic.

This lets you have a secure password that you can actually remember.

That's why people reuse passwords, because you're never going to remember large numbers of random passwords. You need a way to remember them. Let's be honest, once you've got a decent password for Ebay, Paypal, Etsy, Gmail, Amazon, Steam, online banking and whatever other really important cash related accounts you use, something like reddit falls to the bottom of the pile of importance, and lots of people will have a much longer list than that. That's why passwords get reused. If you don't have a trick, there's no way you'll remember that many.

[–]Jaiswahnye 1 point 2 points (2 child comments)

I use RoboForm for my computer and phone. Works really well for me; especially fond of the chrome extension.

[–]Sidelink 0 points 1 point (0 child comments)

I use a custom password generator, which does a SHA-1 hash of "<pwd>;<uid>;<site>;<pwd>;<count>", where <pwd>=hunter2, uid=username, site=base website url, and <count>=password number, and the password is pulled from a chunk of that hash. Benefit is that I remember one password, and can use that to get as many passwords as I want, plus I know exactly how it operates and therefore don't worry about a surprise hidden in the source code.

Problem is SHA-1 is considered broken, should I upgrade this to SHA-2 or SHA-3?

Also,

we're going to start issuing password resets to these accounts

Can you exclude mine from having the password forcefully reset when I'm not looking? Thanks.
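The three deterministic schemes in this thread (lev's hash of master password + username + service, jazzwhiz's pwdhash, and Sidelink's SHA-1 of "<pwd>;<uid>;<site>;<pwd>;<count>") share one property that jazzwhiz already names under "Cons": whoever obtains one derived password can test guesses at the master secret offline, and with a plain SHA hash each guess costs one hash call. The SHA-1 collision results are beside the point for this use; the cost per guess is what matters, so the upgrade worth making is from a fast hash to a slow key-derivation function, not from SHA-1 to SHA-2 or SHA-3. The following is an added Python example written for this page, not code from any commenter's tool or from pwdhash. It keeps the same shape (one master secret, the account identifiers as salt, a counter for rotation) but runs it through PBKDF2-HMAC-SHA256, and the character classes, symbol set and iteration count are assumptions:

```python
import hashlib
import string

# Character classes used to build the final password. SYMBOLS is a constructed
# choice that most site policies accept, not something from the original comments.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 74 symbols


def derive_site_password(master: str, username: str, site: str,
                         counter: int = 1, length: int = 24,
                         iterations: int = 200_000) -> str:
    """Deterministically derive a per-site password from one master secret.

    The account identifiers act as the salt, so one master secret yields a
    different password for every (username, site) pair; `counter` lets one
    site's password be rotated without changing the master secret.
    """
    if length < 4:
        raise ValueError("length must be at least 4 to hold one character of each class")
    # Normalise the salt so "Reddit.com" and " reddit.com" derive the same password.
    salt = f"{username.strip().lower()}|{site.strip().lower()}|{counter}".encode("utf-8")
    # PBKDF2 instead of a bare SHA hash: each guess at the master secret then costs
    # `iterations` HMAC calls for whoever gets hold of a single derived password.
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=2 * length)
    # Two bytes per output character: 65536 values make the modulo bias over a
    # 74-symbol alphabet negligible for this purpose.
    classes = (LOWER, UPPER, DIGITS, SYMBOLS)
    chars = []
    for i in range(length):
        value = int.from_bytes(raw[2 * i:2 * i + 2], "big")
        # The first four positions are each drawn from a single class so the result
        # always satisfies "at least one lower/upper/digit/symbol" rules; the rest
        # come from the full alphabet.
        pool = classes[i] if i < 4 else ALPHABET
        chars.append(pool[value % len(pool)])
    return "".join(chars)


def has_all_classes(password: str) -> bool:
    """True if the password has at least one lowercase, uppercase, digit and symbol."""
    return all(any(c in pool for c in password)
               for pool in (LOWER, UPPER, DIGITS, SYMBOLS))


if __name__ == "__main__":
    # Constructed sample inputs; the master secret here is only an illustration.
    for site in ("reddit.com", "google.com"):
        print(site, derive_site_password("correct horse battery staple", "alice", site))
```

The master secret remains a single point of failure in this design, exactly as lev's "Disadvantages" list says; the KDF only raises the price of guessing it, and a generator like this still cannot rotate one site's password without the counter being remembered somewhere.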

[–]wanderingbilby 1 point 2 points (1 child comment)

Correct Horse Battery Staple

For people who absolutely hate password keepers or who want examples and information on what makes a good password in the modern era. Based on this XKCD.

Edit: just noticed you linked that XKCD in the post. The password generator site is still worth mentioning. I use it as an educational tool to show users what a strong password really looks like, because they tend to use something like this1 or Th1s or This123.
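Saxi's argument that length beats complexity, and the "correct horse battery staple" generators that 3226 and wanderingbilby recommend, both rest on the same arithmetic: the entropy of a password chosen uniformly at random is (number of symbols) x log2(size of the pool the symbols come from). The following added Python example (not the generator site's code, and not anyone's posted code) does that arithmetic for random-character passwords and for random word passphrases, and generates a passphrase with the OS CSPRNG; SAMPLE_WORDS is a constructed list, while EFF_LIST_SIZE is the real size of the EFF long word list:

```python
import math
import secrets

# Constructed word list for the demo. A real diceware-style list such as the
# EFF long list has 7776 entries, which EFF_LIST_SIZE models.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "reddit", "lobster",
                "narwhal", "bacon", "kettle", "orbit", "velvet", "granite"]
EFF_LIST_SIZE = 7776
PRINTABLE_ASCII = 95  # printable ASCII characters a random-string generator draws from


def entropy_bits(pool_size: int, count: int) -> float:
    """Entropy of `count` symbols chosen independently and uniformly from `pool_size`."""
    if pool_size < 2 or count < 1:
        raise ValueError("need a pool of at least 2 and at least one symbol")
    return count * math.log2(pool_size)


def words_needed(target_bits: float, pool_size: int) -> int:
    """Smallest number of words from a list of `pool_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(pool_size))


def generate_passphrase(words, n_words: int = 4, separator: str = " ") -> str:
    """Pick words with the OS CSPRNG; uniform random choice is what makes the
    entropy estimate above valid for the result."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def compare(password_length: int, n_words: int) -> dict:
    """Entropy of a random printable-ASCII password next to a random word passphrase."""
    return {
        "random_chars": entropy_bits(PRINTABLE_ASCII, password_length),
        "diceware_words": entropy_bits(EFF_LIST_SIZE, n_words),
    }


if __name__ == "__main__":
    print(compare(password_length=8, n_words=4))   # both land near 52 bits
    print(words_needed(80, EFF_LIST_SIZE), "words for 80 bits")
    print(generate_passphrase(SAMPLE_WORDS))
```

The caveat the numbers carry: they hold only for words picked at random from the list. A sentence a person composes, like the one in Saxi's comment, is drawn from a much smaller space than the word count suggests, which is why the generator, not the phrase format, is what gives the guarantee.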

[–]newsdaylaura18 204 points 205 points (82 child comments)

I think I have two throw-away accounts I used like, once or twice. Can't even recall the usernames. Can't imagine how many throw-aways there are out there.

[–]KeyserSosa[S,A] 413 points 414 points (78 child comments)

lots

[–]swimbikerunrun 46 points 47 points (29 child comments)

Can you tell us approximately how many Reddit accounts there are?

[–]KeyserSosa[S,A] 261 points 262 points (28 child comments)

many lots

[–]zang227 4 points 5 points (0 child comments)

How do you guys determine if it's a throwaway? Do you look at whether there's "throwaway" in the username or are you looking at its post history? Both?

Cause I know there are people who actively use "throwaway" accounts as non throwaways.

[–]Kahzgul 150 points 151 points (19 child comments)

Why doesn't reddit have a "this account is a throwaway" option when you make an account that causes it to automatically expire in 1 month?

[–]BinaryIdiot 36 points 37 points (9 child comments)

Perhaps it's time to create a way to post anonymously, then? To keep the throwaway numbers lower and to make it easier for people to post things they don't want traced back to them?

[–]toomuchtodotoday 3 points 4 points (0 child comments)

We are prepared. Let the purge begin.

[–]speedofdark8 1 point 2 points (0 child comments)

any chance of releasing some data on how many accounts responded/got purged/etc after the fact?

[–]Flylighter 74 points 75 points (37 child comments)

I came here to make a smug 2FA comment. Damn you for anticipating meeeeeeeeeeeeeee

[–]KeyserSosa[S] 103 points 104 points (35 child comments)

For the record: I actually do really want to set up 2FA (and we're in the planning phase for how to do it), but the other problem with it is the people who know about and love 2FA are also generally the people who already use good passwords.

[–]Santi871 33 points 34 points (5 child comments)

I think it should be obligatory for moderators, or at least users that mod subreddits larger than X subscribers.

[–]KeyserSosa[S] 42 points 43 points (4 child comments)

Moderators is an interesting situation because the security of the subreddit is only as good as its least secure moderator, so, yes, I agree. If we were going to provide this for mods, it'd have to be all or nothing.

[–]hansjens47 14 points 15 points (1 child comment)

It'd have the great secondary effect of cleansing out inactive mods that hog subreddits but don't do anything other than hog subs and sometimes sweep by to do silly things to the subs.

On other sites I've modded, 2fa has also been standard for years and years.

[–]ItsMeCaptainMurphy 1 point 2 points (6 child comments)

Good passwords are not nearly enough of a defense, especially because reddit doesn't lock you out of an account no matter how many incorrect attempts are made (if this is no longer true then I apologize, but it at the very least used to be).

[–]KeyserSosa[S] 13 points 14 points (5 child comments)

We have ratelimits in place around incorrect password attempts, and we also have alerts in place for large-scale weird behavior. Generally the "lock account" feature is manual, and that's on purpose.
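The design KeyserSosa describes above (throttling on repeated incorrect password attempts, alerting on large-scale odd behaviour, and leaving the actual lock-out as a manual decision) can be sketched as a sliding-window limiter. This is an added Python example, not reddit's code; the thresholds, the per-account and per-source keys, and the injectable clock are all assumptions made for the illustration:

```python
import time
from collections import defaultdict, deque


class LoginRateLimiter:
    """Sliding-window limit on failed password attempts, plus a source-level alert.

    Failures are tracked per account and per source address. An account or
    source with too many recent failures is throttled rather than locked, so
    a permanent lock stays a human decision. A source that fails against many
    distinct accounts inside the window is reported for investigation.
    """

    def __init__(self, max_failures: int = 5, window_seconds: float = 300.0,
                 alert_accounts: int = 20, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.alert_accounts = alert_accounts
        self._clock = clock
        self._failures = defaultdict(deque)        # key -> timestamps of failures
        self._source_accounts = defaultdict(dict)  # source -> {account: last failure time}

    def _prune(self, key: str, now: float) -> deque:
        """Drop failures that have aged out of the window and return what is left."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allow(self, account: str, source: str) -> bool:
        """Should this login attempt be processed at all?"""
        now = self._clock()
        # A source gets a looser budget than a single account because one NAT
        # address legitimately carries many users (an assumption of this sketch).
        return (len(self._prune(f"acct:{account}", now)) < self.max_failures
                and len(self._prune(f"src:{source}", now)) < self.max_failures * 4)

    def record_failure(self, account: str, source: str) -> None:
        now = self._clock()
        self._failures[f"acct:{account}"].append(now)
        self._failures[f"src:{source}"].append(now)
        self._source_accounts[source][account] = now

    def record_success(self, account: str) -> None:
        """A correct password clears the account's failure history."""
        self._failures.pop(f"acct:{account}", None)

    def alerting_sources(self) -> list:
        """Sources that recently failed against many distinct accounts.

        This is the 'large-scale weird behaviour' signal: one address touching
        many accounts looks nothing like a user mistyping their own password.
        """
        now = self._clock()
        out = []
        for source, accounts in self._source_accounts.items():
            recent = [a for a, ts in accounts.items() if now - ts <= self.window]
            if len(recent) >= self.alert_accounts:
                out.append((source, len(recent)))
        return out
```

Usage is the obvious loop: call allow() before checking the password, record_failure() or record_success() afterwards, and poll alerting_sources() from whatever drives the alerts.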

[–]aryst0krat 4 points 5 points (2 child comments)

I had a couple sign-ins - just sign-ins, nothing else - from weird IP addresses, and reddit locked my shit down and told me about it. It was pretty nice!

[–]allthefoxes 11 points 12 points (5 child comments)

I understand that!

but even if that's the case, there is no harm in offering it anyway!

(Plus, give out a trophy for those with 2fa enabled. A bit more motivation. While we are talking about trophies, please let me re-arrange that box)

[–]InsaneNinja 0 points 1 point (1 child comment)

Will the official Reddit app also be a code generator? Like how FB allows external, as well as uses itself as a generator. It would also drive more people toward having the app. This is more of a marketing suggestion than an actual request.

[–]KeyserSosa[S] 0 points 1 point (0 child comments)

I'd rather use an off-the-shelf, tested, secure solution that uses open standards rather than building our own version in house.

[–]anlumo 4 points 5 points (1 child comment)

One suggestion: Take a look how Google manages 2FA with external applications.

You can generate new passwords (which are supplied by the system and thus good random garbage) you're supposed to use for only a single non-2FA-aware application, which can be named when generating it. They can be listed and invalidated at any point from the web interface (which is where you need the name), and it also shows when this password was last used.
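The mechanism anlumo describes (per-application passwords for clients that cannot do 2FA: generated by the service, named at creation, listable, revocable one at a time, with a last-used time) maps onto a small store. What follows is an added Python sketch for this page, not Google's or reddit's implementation; the "id.secret" token format, the PBKDF2 parameters, and the injectable clock are assumptions:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional


@dataclass
class AppPassword:
    name: str                    # label the user chose when generating it
    salt: bytes
    digest: bytes                # PBKDF2 of the secret; the plaintext is never stored
    created: float
    last_used: Optional[float] = None
    revoked: bool = False


class AppPasswordStore:
    """Per-application passwords for clients that cannot use the 2FA login flow.

    Each password is a random token issued once, stored only as a salted hash,
    listable with its label and last-use time, and revocable individually, so a
    leaked mail-client password can be killed without touching the main login.
    """
    ITERATIONS = 100_000

    def __init__(self, clock=time.time):
        self._clock = clock
        self._entries = {}  # app_id -> AppPassword

    @staticmethod
    def _hash(secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                                   AppPasswordStore.ITERATIONS)

    def create(self, name: str) -> str:
        """Issue a new app password; the returned plaintext is shown to the user once."""
        app_id = secrets.token_hex(4)
        secret = secrets.token_urlsafe(18)  # 144 bits from the OS CSPRNG
        salt = secrets.token_bytes(16)
        self._entries[app_id] = AppPassword(name, salt, self._hash(secret, salt),
                                            self._clock())
        # The id is embedded in the token so verification looks up one record
        # instead of running the KDF against every entry.
        return f"{app_id}.{secret}"

    def verify(self, candidate: str) -> Optional[str]:
        """Return the app id if `candidate` is a live app password, else None."""
        app_id, sep, secret = candidate.partition(".")
        entry = self._entries.get(app_id) if sep else None
        if entry is None or entry.revoked:
            return None
        if not hmac.compare_digest(self._hash(secret, entry.salt), entry.digest):
            return None
        entry.last_used = self._clock()  # what the web UI shows as "last used"
        return app_id

    def revoke(self, app_id: str) -> bool:
        entry = self._entries.get(app_id)
        if entry is None:
            return False
        entry.revoked = True
        return True

    def listing(self) -> list:
        """What the management page would show: label, created, last used, state."""
        return [(app_id, e.name, e.created, e.last_used, e.revoked)
                for app_id, e in self._entries.items()]
```

The property worth noticing is that the app password never grants the 2FA-protected web session: it is a separate credential with its own blast radius, which is exactly why listing and revoking it individually is part of the design.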

[–]IAMAVelociraptorAMA 4 points 5 points (0 child comments)

I understand that the people who already use good passwords are the ones who know about it, but a good education campaign of "2fa will help prevent hax" can possibly influence this.

[–]philipwhiuk 4 points 5 points (1 child comment)

Honestly, I might reuse my password. But I support 2FA. 2FA is actual security. Password reuse prevention is mitigation for crappy website administrators who can't implement password storage properly.

Thing is, I just am not going to remember a new password for every lame comments section that insists I create an account. So I tend to use a bad password until I stay long enough to justify the effort.

Password reuse is inevitable and LastPass etc. is a nice idea but all it is really doing is a crap version of OAuth where I have to trust a browser extension / manually copy and paste stuff. Websites should just support OAuth / 2FA / single-sign on.

They haven't because they either can't be bothered / think it's simpler to force me to solve their security problem OR actually it's just a way of getting my personal details.

And I refuse to think of complex passwords only for site admins to not bother doing any hashing or salting.

People aren't breaking non-ridiculous bcrypt/SHA-256 encrypted passwords. So password reuse should not be a big deal if salting and hashing was actually done.

PS: Disqus is actually great here, because it's meant lots of tiny websites now don't need their own login and password storage system. Facebook Login as a form of OAuth is good progress on this as well.

TLDR: LinkedIn was incompetent and the response from the cybersecurity field of 'stop reusing passwords' is not really solving the problem of companies being terrible at authentication management.

[–]trublood 2 points 3 points (0 child comments)

You'd think that, but in my experience, that's not true. My husband is a lazy man, so he won't make a new password for every website, but he will set up 2FA, because it's easy.

[–]ChunkyLaFunga 27 points 28 points (10 child comments)

Oh, what the hell, there's an anomaly in my recent activity. And my password is solid.

The description there is a little vague; by "account activity" does that mean only successful access? And it looks like the cut-off is the last 30 days?

[–]K_Lobstah 316 points 317 points (53 child comments)

Reply to this comment to get a courtesy upron and also get me to the top for karma.

Unrelated- my password strategy is just forget my password for every site and have to reset it when I get logged out. It's working pretty well.

[–]KeyserSosa[S] 94 points 95 points (15 child comments)

Are uprons convertible to dank memes?

[–]K_Lobstah 59 points 60 points (8 child comments)

Yes, they can be converted but there is an administrative fee.

[–]seamachine 3 points 4 points (0 child comments)

Why are you doing admin work and not playing Overwatch? Filthy casual.

[–]NotANestleShill 3 points 4 points (0 child comments)

/r/IFTACirclejerk says the conversion rate for reddit gold to reddit notes is about tree fiddy, which is a dank enough meme for our purposes, so using tree Fiddy as our base, we can assume that reddit gold to reddit notes = tree fiddy. Assuming uprons are the same as a dank meme, except with a multiplier of 4.20%, the narwhal bacons at midnight

[–]the_entitiy 12 points 13 points (15 child comments)

How would you know if someone is using the password hunter2? I hope my password isn't stored as plaintext

[–]KeyserSosa[S] 25 points 26 points (6 child comments)

Nope. In fact that's what makes this really hard for us: we use bcrypt so even we don't know what your password is. All we can do is authenticate that it is correct when you enter it. That's why we're asking people to think about the passwords they choose!

[–]bland_white_IT_guy 7 points 8 points (2 child comments)

However, you could easily run a script to try only the password "hunter2" against all possible usernames and their salts, and get a number from that.

[–]JRockPSU 7 points 8 points (21 child comments)

The thing that bothers me about blanket suggestions to just use a password manager is that for someone like me whose work computer is heavily locked down (can't install any applications or browser extensions or even run any non-approved applications), I can't use password managers there. What would my options be in this case?

[–]KeyserSosa[S,A] 20 points 21 points (3 child comments)

Several password managers have mobile clients. 1Password for sure does (it's what I use). Generally they can be set up to sync across your devices via a cloud service.

Also, I didn't say "just use a password manager" and mentioned good heuristics in both the post and the comment.

[–]JRockPSU 3 points 4 points (2 child comments)

Sorry, I guess I wasn't specifically venting to your post, I just see it a lot when people talk about password security, they say to use a password manager and call it a day. I'll check out some of those options, thanks.

[–]Harionago 2 points 3 points (11 child comments)

What if I use a password manager and I have to log on to a machine that can't use the plugin? How do I get hold of my password if that happened?

[–]KeyserSosa[S] 13 points 14 points (8 child comments)

Speaking as someone who uses 1Password, there's a mobile client that syncs to your password database. It's generally a pain to have to log in manually but better than the alternative.

[–]ryanasimov 4 points 5 points (4 child comments)

If you sync your 1Password keychain via Dropbox, you can securely access all your passwords through a nice GUI from any computer that can reach www.dropbox.com. Works great.

[–]Jajoo 5 points 6 points (5 child comments)

Sounds like a WWII propaganda poster

[–]KeyserSosa[S] 19 points 20 points (2 child comments)

Only YOU can prevent forest fires.

[–]Tig0r 7 points 8 points (0 child comments)

boy, that's a lot of responsibility for one person... good luck out there

[–]xkcd_transcriber 77 points 78 points (9 child comments)

Title: Password Strength

Title-text: To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize.

Stats: This comic has been referenced 2307 times, representing 2.0568% of referenced xkcds.

Title: Password Reuse

Title-text: It'll be hilarious the first few times this happens.

Stats: This comic has been referenced 293 times, representing 0.2612% of referenced xkcds.


[–]PM_ME_BOOB_PICTURES_ 1 point 2 points (1 child comment)

You linked to Coding Horror! OMG! <3 <3 <3

[–]KeyserSosa[S] 1 point 2 points (0 child comments)

Agreed. It's like nerd porn.

[–]banksnld 244 points 245 points (11 child comments)

if we get hacked, the most that an attacker can do is post something smug and self serving with a little [A] after it

So you're saying there's no way we'll be able to tell?

Sorry, couldn't resist...

[–]KitchitiKipi 34 points 35 points (18 child comments)

While we're on the topic of account security, why isn't there a way to sort through your account's comments from old to new? A lot of us who have old reddit accounts I'm sure think about how young and stupid we were, and how much personal information we posted about ourselves, and would love to go and remove it, but RES only loads a certain number of comments, and the default reddit UI tells me there's nothing new to be seen after about 2 years of comment history.

What is the best way you guys would suggest going back and erasing some of my comments without wiping out my whole account?

[–]daveime 7 points 8 points (14 child comments)

why isn't there a way to sort through your account's comments from old to new?

I'd imagine their DB moves posts older than N days to slower "archive" servers, on the basis not many people will want to look at them.

[–]KeyserSosa[S] 22 points 23 points (11 child comments)

Not exactly this, but you're on the right track. We have several caches at varying levels of recency, with a database at the bottom. The model relies on the notion that we basically never have to read from the database because the data should be cached somewhere. Going back to your old stuff would require a lot of database access, and would hurt at scale.

[–]Boolderdash 3 points 4 points (4 child comments)

Is this the reasoning behind post archival, too?

[–]KeyserSosa[S] 12 points 13 points (3 child comments)

Yup. It's correspondingly expensive to have to count votes on old content or have to apply new comments.

[–]aryst0krat 1 point 2 points (0 child comments)

*shakes fist*

You damn admins and your 'efficiency' ruining my pushups thread.

[–]rasherdk 26 points 27 points (4 child comments)

How about an inconvenient (behind captcha, available to the current user only, not exposed by the api) bulk export function? Similar to Google Takeout.

[–]boa13 1 point 2 points (0 child comments)

Maybe part of the scaling issue could be mitigated by limiting it to Gold subscribers or people who have otherwise paid to access the very old data. (Yes, sometimes I'm tempted to read my ten-year old comments.)

[–]kagaku 4 points 5 points (2 child comments)

Can you increase the detail on the account history page? When I check it right now I can only see the last 20 hours, which already shows that I've logged in from the following:

  • Comcast
  • Sprint PCS
  • ATT Wireless
  • My employer
  • Some other company, that is also probably related to my employer.

That's 5 different locations in the past 20 hours. I don't know how much is tracked behind the scenes, but even some kind of list of actions might be useful. My account activity might not be typical, Comcast is my home internet, and between my tablet and phone I have Sprint and ATT - and then browsing while at work. But if someone were to compromise my account and they happen to be on Sprint, Comcast or ATT (which is probably a huge population) then I would never notice.

Can we see additional details? Or maybe even any unusual actions or activities? The information shown is not enough to make any reasonable determination of that. How about increasing the length of time to a week? 72 hours? If the access is strictly via the reddit API, can we see what app was performing that access? How about what web browser or user agent? If I exclusively use Chrome to access reddit (I do...at least when not using a mobile app) and I see activity from someone using Safari or Firefox...that's not me and I know it.

Finally, can we have any kind of alert generated for suspicious activity? Even a system generated PM or email. I've had my own account (this one) shadow banned before and when I contacted the admin team I was told that it was because of suspicious activity. I had no clue anything was going on until I contacted an admin - if it wasn't for a moderator kindly informing me that my post was shadow banned I'd have never known!

Edit: Actually, the "Some other company" looks like a hosting provider for internet services. My guess is one of the mobile reddit apps I use is using that company to host their push notification service. This goes further to prove my point: if I use a reddit app that happens to use a hosting company in Sweden, for example because the developer is European based, and the push notifications log into my account (with permission!) from another country, as an end user I'm being told that should freak me out! I'd go change my password and then feel safe, until the next day when I see another login from this strange country!
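kagaku's two observations above fit together as a detection problem: the network a login comes from is weak evidence on its own (an attacker on Comcast, Sprint or AT&T is invisible, and a legitimate app's push service in another country is a false alarm), while an unfamiliar browser or client family is a much stronger signal. The following added Python example (not reddit's activity page logic, and not real records) builds a baseline from a user's own earlier activity and flags later events by client family first and network second. HISTORY is constructed to mirror the comment, and the user-agent parsing is a deliberately simple assumption:

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class LoginEvent:
    ts: str          # ISO-style timestamp
    network: str     # coarse network owner, as an activity page would show it
    user_agent: str  # browser or app user agent string
    via_api: bool    # True for API/app access, False for the website


# Constructed sample history, not real data: home ISP, two mobile carriers, an
# employer network, and a hosting provider used by a mobile app's push service.
HISTORY = [
    LoginEvent("2016-05-30T08:02", "Comcast", "Mozilla/5.0 Chrome/50.0", False),
    LoginEvent("2016-05-30T09:15", "Employer", "Mozilla/5.0 Chrome/50.0", False),
    LoginEvent("2016-05-30T12:40", "Sprint PCS", "ExampleRedditApp/3.1 Android", True),
    LoginEvent("2016-05-30T13:05", "Hosting Co (SE)", "ExampleRedditApp-Push/1.0", True),
    LoginEvent("2016-05-30T18:30", "ATT Wireless", "ExampleRedditApp/3.1 iOS", True),
    LoginEvent("2016-05-30T22:10", "Comcast", "Mozilla/5.0 Chrome/50.0", False),
    # Later events, evaluated against the baseline built from the six above.
    LoginEvent("2016-05-31T07:50", "Comcast", "Mozilla/5.0 Chrome/50.0", False),
    LoginEvent("2016-05-31T03:12", "Comcast", "Mozilla/5.0 Safari/9.1", False),
    LoginEvent("2016-05-31T11:00", "Hosting Co (SE)", "ExampleRedditApp-Push/1.0", True),
]


def ua_family(user_agent: str) -> str:
    """Reduce a user agent to its product family ('Chrome', 'Safari', 'ExampleRedditApp').

    Simplistic on purpose: takes the last 'Product/Version' token that is not the
    generic 'Mozilla/5.0' prefix. Real UA parsing is considerably messier.
    """
    products = [t.split("/", 1)[0] for t in user_agent.split()
                if "/" in t and not t.startswith("Mozilla/")]
    return products[-1] if products else user_agent.split()[0]


def build_baseline(events: List[LoginEvent]) -> dict:
    """Networks, client families and (network, family) pairs the user has used before."""
    return {
        "networks": {e.network for e in events},
        "ua_families": {ua_family(e.user_agent) for e in events},
        "pairs": {(e.network, ua_family(e.user_agent)) for e in events},
    }


def flag_anomalies(events: List[LoginEvent], baseline: dict) -> list:
    """Return (event, reasons) for events that do not match the baseline."""
    flagged = []
    for e in events:
        reasons = []
        fam = ua_family(e.user_agent)
        if e.network not in baseline["networks"]:
            reasons.append("new network")
        if fam not in baseline["ua_families"]:
            # The strongest signal in this model: a client the user never used.
            reasons.append(f"new client family: {fam}")
        elif (e.network, fam) not in baseline["pairs"]:
            reasons.append(f"known client {fam} from unusual network {e.network}")
        if reasons:
            flagged.append((e, reasons))
    return flagged


def run_demo(baseline_size: int = 6) -> list:
    """Build the baseline from the first events and evaluate the rest."""
    baseline = build_baseline(HISTORY[:baseline_size])
    return flag_anomalies(HISTORY[baseline_size:], baseline)


if __name__ == "__main__":
    for event, reasons in run_demo():
        print(event.ts, event.network, event.user_agent, "->", ", ".join(reasons))
```

On the constructed data only the Safari login is flagged: it arrives from the user's own home network, which a network-only check would have waved through, while the push service from the Swedish hosting provider stays quiet because it is already part of the user's baseline.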

[–]dcmcderm 9 points 10 points (2 child comments)

I don't quite get why abandoned throw-away accounts are a risk. I mean, even if these accounts get taken over by someone malicious, so what? The account has no history/karma/reputation on reddit. The account is forgotten by whoever created it so it can't be used to identify/attack that person. I don't see what the hacker/spammer would have to gain by doing this - wouldn't it be easier and just as effective for them to just create a brand new account?

[–]TeflonDapperDon 57 points 58 points (2 child comments)

Well, whoever gets my account can enjoy looking at all my downvoted shit posts and memes

[–]Espionage724 5 points 6 points (0 child comments)

I've recently started using KeePass, and I'm almost ashamed I didn't start using it sooner :p It makes password management a breeze and easily lets you create randomized passwords. Plus it's cross-platform (with Mono on Linux; there's also KeePassX) and open-source. I like the sync feature too, so I can easily have my database accessible and updated across my computers.

Prior to that, I used Master Password. It was ok, but for the GUI app, I didn't really like having to pull in Java on my installs (that was the only thing I needed Java for). There's apparently a CLI version for Linux, but meh (as much as I like CLI, I can't imagine a CLI password manager being too convenient)

Was lately working on updating my accounts (switching my passwords over to KeePass generated ones; updating email addresses and other details as-needed) and closing ones I don't use. PSN is a fun one :p (can't change my email address because it matches my username... apparently this is only like this on the PC, whereas consoles will let you change regardless of that; wtf kind of weird restriction is that)

[–]local-area-man 6 points 7 points (0 child comments)

Should we trust security advice from someone named Keyser Sosa? That's the real question here

[–]AnSq 4 points 5 points (0 child comments)

Check your own account activity page!

It would be nice if this could be a little more specific. All other GeoIP lookup tools I've seen can get it down to the city.

[–]RedEnvelopesScareMe 12 points 13 points (12 child comments)

Besides not reusing passwords, don't reuse usernames. Use different e-mail accounts if you can! That way even if someone does get your login info for another service, they can't connect it to other services.

[–]i_am_useless_too 4 points 5 points (0 child comments)

Reading the xkcd comic linked, I wonder what happened in March 1997; googling that, the first result is https://www.explainxkcd.com/wiki/index.php/792:_Password_Reuse, crazy

[–]brickmack 1 point 2 points (0 child comments)

On a related point, a quick note about throw-aways: throw-away accounts are fine, but we have tons of completely abandoned accounts with no discernible history and exist as placeholders in our database. They've never posted. They've never voted. They haven't logged in for several years. They are also a huge possible surface area for ATOs, because I generally don't want to think about (though I do) how many of them have the password "hunter2". Shortly, we're going to start issuing password resets to these accounts and, if we don't get a reaction in about a month, we're going to disable them. Please keep an eye out!

Reddit should implement a built in way to "abandon" a comment. Post something under your normal username, and then remove your account's relation to it (but without actually deleting the account or the comment). This would have the same effect as a throwaway in most cases (unless a user is worried about reddit itself/the government snooping on their post history), except that it would require less effort on the users end (just click a button instead of making a whole new account), and it would reduce the security risk for reddit overall.

[–]Bioman312 1 point 2 points (0 child comments)

Alright, a few things:

Unfortunately, to roll this out further, reddit has a huge ecosystem of apps, including our newly released iOS and android clients, to say nothing of integrations like with iffft.com and that script you wrote as a school project that you forgot to shut off. "Adding 2FA to the login flow" will require a lot of coordination.

That's really not an excuse, on the grounds of making 2FA optional. If it's opt-in, then there's no way for it to break already-existing things.

From a comment on this page:

The other problem with [2FA] is the people who know about and love 2FA are also generally the people who already use good passwords.

You already completely nullified this idea with your own statement from OP:

It's behind a second authentication layer to make sure that if we get hacked[...]

If you get hacked, then password choice is completely irrelevant.

Basically, it's getting to the point where it's just irresponsible for a site as big as reddit to not have at least opt-in 2FA.

[–]Turbo-Lover 1 point 2 points (0 child comments)

completely abandoned accounts with no discernible history and exist as placeholders in our database... we're going to disable them.

What exactly does "disable" them mean? Will the usernames become available again? You've got some awesome ones tucked in there. There's one that I particularly want because it was a childhood nickname of mine and the account is 10 years old with no activity ever, obviously just a placeholder.

You could put up a site where we type our reddit name in and the name we want and then before it becomes available to the public you could message us a link where we could register it, and if we don't do it in 2 days it just becomes available to anyone. You could limit it so people would only get their first one or two they signed up for to discourage squatting. This is all easy to automate.

I'm just saying if you're going to disable those accounts please make them available again to the rest of us because you wasted them when reddit was in its infancy.

[–]Traviscat 5 points 6 points (3 child comments)

Would it be possible to create 2FA as an opt-in beta feature?

It can have a big disclaimer that it may not work for all apps and should only work if you use the website? Or at least have the option for us to receive an email after every new sign in from a new IP address?

Maybe an email after X password attempts that someone has tried to log into your account (For people with registered emails set up).

[–]apaksl 2 points 3 points (0 child comments)

Let's see, hmm, if my reddit account is compromised can someone spend my money? Nope. Can I easily create a new account? Yep. I'm just gonna keep using my same easy/junk password I use for every other financially insignificant website.

[–]MasterAgent47 1 point 2 points (0 child comments)

the most that an attacker can do is post something smug and self serving with a little [A] after it, which...well nevermind.

Is it possible that you are a hacker who has hacked /u/KeyserSosa's account? And you made this big post that seems like something an admin would post while raising chaos on reddit by making everyone switch their passwords so that you can intercept any data about their new passwords? After this, you have control over each and every reddit account with new passwords! You plan to use these accounts as bots to spam every reddit thread and thus destroying reddit, and then demand Reddit to pay you a million dollars in exchange for those hacked reddit accounts.

Nice plan. Aaaaa! We got played like a damn fiddle!

[–]Theleux 2 points 3 points  (0 child comments)

Thanks for emphasizing this. I know too many people who either forget their password and can't access their account because of it, or had their account compromised because they made a password that was incredibly easy to guess.

[–]slyf 2 points 3 points  (0 child comments)

"Adding 2FA to the login flow" will require a lot of coordination.

Have you considered just saying "Apps which are not using OAuth will no longer function if you enable this"?

[–]neko 2 points 3 points  (0 child comments)

Will the usernames be freed up from the dead accounts?

My dream is to adopt /u/they then harvest all the karma from replying to "that's what they said"

[–]Barry_Scotts_Cat 1 point 2 points  (0 child comments)

Unfortunately, to roll this out further, reddit has a huge ecosystem of apps, including our newly released iOS and Android clients, to say nothing of integrations like with ifttt.com and that script you wrote as a school project that you forgot to shut off. "Adding 2FA to the login flow" will require a lot of coordination.

Enable 2FA as a feature, and if you break your own connection to the site, that's your own problem.

[–]drrevevans 12 points 13 points  (12 child comments)

Reply to this comment with all the strong passwords you have come up with and I will tell you if they are strong enough or not!

[–]T_K_427 4 points 5 points  (5 child comments)

Would it be worth having some sort of throwaway 'buy back'? Like we turn in our throwaways that have been gathering dust for x amount of time (more than a year, otherwise I could just keep making accounts and 'turning them in') for y amount of gold? Perhaps some sort of flair/trophy instead of gold? Just an idea.

[–]a_park_bench 5 points 6 points  (1 child comment)

Is haveibeenpwned.com still a good resource to check if you're affected by these leaks?

[–]ClimaxedMyBlueBand 3 points 4 points  (2 child comments)

Though Reddit itself has not been exploited,

That you know of.

Jeez, guys why don't you enable two-factor authentication (2FA) already?

Are you fucking kidding me? You're a web forum. How about you guys make sure a hash of my password can't be stolen in the first place, and I promise to use a unique very long password and take responsibility if it is stolen from me by my own incompetence.

[–]iagox86 1 point 2 points  (0 child comments)

THANK YOU for actually getting it! I work in security and have done a lot of work with passwords, and the biggest piece of advice I give people is to make them unique! Strength barely matters, especially how fast they can be cracked - it's a meaningless stat if you have unique passwords!

[–]FatStig 3 points 4 points  (0 child comments)

Yeah guys it's all these hacked accounts. It's totally not being doxxed by those in league with the admins. Or the admins being influence peddlers. (P.S. I'm sure this isn't both a deflection and a crackdown on competitors)

[–]parkerlreed 2 points 3 points  (2 child comments)

I see a lot of "Amazon.com" in my recent history. Is this the regular reddit website?

[–]stubob 1 point 2 points  (0 child comments)

Thanks for all the hard work you guys (and gals) do to keep this place running. I know I have one throw-away that I don't want any more. Is there a way to mark those accounts as throw-away, and then delete them later on? Would that be any easier to maintain?

[–]bring1 1 point 2 points  (0 child comments)

Does this seriously mean LinkedIn was storing the plaintext passwords? Isn't hashing your users' passwords the fundamental first rule of authentication? I'd like to start seeing people do jail time for mistakes like that.

[–]UESPA_Sputnik 4 points 5 points  (1 child comment)

Q: Do you realize you linked to https://www.reddit.com/prefs/update/ like three times?

A: Actually it was four.

THERE. ARE. FOUR. LIGHTS LINKS.

[–]magus424 1 point 2 points  (0 child comments)

"Adding 2FA to the login flow" will require a lot of coordination.

Eventually, sure, but you could roll it out and not let people use all of those if they enable it (or add it just to your apps, so they work, etc)

[–]Wordsworthswarrior 1 point 2 points  (0 child comments)

I just want to compliment you on the humanity and humor of this post. I think you may have finally convinced me to seriously get my password shit in order out of my empathy for you. Good on you Admin. :)

[–]G19Gen3 7 points 8 points  (2 child comments)

Jesus Christ these comments.

We're all aware of hunter2. You aren't unique.

[–]i_killed_hitler 1 point 2 points  (0 child comments)

the most that an attacker can do is post something smug and self serving with a little [A] after it

How would that differ from normal admin posting? :) /s

[–]itisnotatumah 0 points 1 point  (0 child comments)

It seems to me that password reuse is the worst enemy of security. In particular that's true of a site without 2FA.

I don't think weak passwords are the primary enemy. Yes, weak passwords are less than ideal but frankly if a website is doing their security properly even a weak password should be plenty strong enough to keep out an attacker. How many tries would someone need to enter to guess mixmaster7? That's an easy password but the account ought to lock long before someone could guess it. If a site allows unlimited password guesses I think that's a severe weakness on the part of that website.

Having said that, I use a password manager so I've migrated toward 16-20 character (upper, lower, numbers, special chars) passwords over time. But really, even that isn't long enough if a website allows unlimited guesses.
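As an added illustration of the lockout argument in the comment above (example code written for this page, not reddit's implementation): a login check that stores only salted, slow PBKDF2 hashes and locks the account after a handful of consecutive misses, so a weak password like the commenter's mixmaster7 is never reached by straightforward guessing. The failure threshold, lockout window and the candidate words are assumed values.

```python
import hashlib
import hmac
import os
import time

# Constructed illustration for the lockout argument above: the server stores only
# salted, slow PBKDF2 hashes and locks an account after a few consecutive failures.
# Threshold and window are assumed values, not reddit's actual settings.
MAX_FAILURES = 5            # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts
PBKDF2_ROUNDS = 100_000     # slow hash: raises the cost of offline cracking too


def hash_password(password, salt=None):
    """Return (salt, key). A random per-user salt defeats precomputed tables."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, key


class LoginGuard:
    def __init__(self):
        self.users = {}     # username -> (salt, key); plaintext is never kept
        self.failures = {}  # username -> (consecutive failures, locked_until)

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def attempt(self, username, password, now=None):
        """Return 'ok', 'bad_password' or 'locked'."""
        now = time.time() if now is None else now
        count, locked_until = self.failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"  # refuse without checking; guessing gets no signal
        salt, key = self.users.get(username, (os.urandom(16), b""))
        _, candidate = hash_password(password, salt)  # same cost for unknown users
        if key and hmac.compare_digest(candidate, key):
            self.failures.pop(username, None)  # success clears the counter
            return "ok"
        count += 1
        locked_until = now + LOCKOUT_SECONDS if count >= MAX_FAILURES else 0.0
        self.failures[username] = (count, locked_until)
        return "bad_password"


def attempts_until_locked(guard, username, candidates, now=0.0):
    """Feed a candidate list in order; return (outcome, attempts_used)."""
    for i, word in enumerate(candidates, 1):
        outcome = guard.attempt(username, word, now)
        if outcome in ("ok", "locked"):
            return outcome, i
    return "exhausted", len(candidates)
```

With MAX_FAILURES set to 5, the sixth attempt is refused before the password is even checked, and the counter only resets on a successful login after the window expires.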

[–]rafajafar[🍰] 2 points 3 points  (1 child comment)

Did /u/nate and /u/p1percub get hacked and that's why I was banned from /r/science for no good god damn reason?

[–]Fri-Mar-25 0 points 1 point  (0 child comments)

You just had to link a video, didn't you? /u/KeyserSosa did you know if you click the expansion box from the front page the videos STILL auto play whether you click the "don't auto play" button or not? Can this be changed? Before we had that box to click in the "options" the video wouldn't auto-play when you expanded them from the front page, but now, even though we have a box to click telling them not to...they do!?!?! The box only works for the comment section...it should work for the whole site. BTW before the box the comment section didn't auto-play, it simply wasn't a problem, but now that you've added these RES functions to the site, which is a good move but you gooched it up...you could have done a better job at it, the least you could do now is admit the error and fix it.

I don't really care about a safe-place from trolls, scammers and flamers nearly as much as I would like a safe-place away from auto-playing video and audio.

[–]djuggler 0 points 1 point  (0 child comments)

Another vote for LastPass. Pay the $12/yr. Go to http://yubico.com/ and buy a Yubikey or use one of the many other 2 factor authentication methods they have. The convenience of having all your passwords available from any connection and device outweighs the risk of a cloud based service. I'm so comfortable with LastPass that I heavily use the secure notes for things like passport numbers, social security numbers, etc and I use the credit card feature which has the added benefit of circumventing keyloggers.

I've used 1Password and Passwordbox. I still prefer LastPass. Ultimately it doesn't matter which one you use. Use a password manager and randomly generate all your passwords.

[–]kkndahizo 0 points 1 point  (1 child comment)

I like the phrase method myself. Pick a phrase that you and only you will always remember. Then just take the first letter of each word and make that your password, capitalizing any names or places to add difficulty. You can add numbers that you like or symbols as well to make it more complicated.

Example phrase: "my name is Quagmire and I live in Quahog." (this is just a basic example, please make it a little bit more complicated.) Your password would be "mniQailiQ".
If you need numbers, just add the number of letters in your name to the beginning and the number of letters in the city at the end: "8mniQailiQ6"

Fuck, add @ to the beginning and end: "@8mniQailiQ6@"

Bam, you just covered all requirements for some sites.

[–]jailminer 1 point 2 points  (0 child comments)

Who would steal Reddit accounts...? Why not Xbox or Steam accounts? Are they really that valuable?

[–]shawmino 0 points 1 point  (0 child comments)

A little off-topic, but how hard would it be to add some kind of official support for throwaway accounts? There's obviously some value in them, but there also seems to be a pretty big risk involved if someone creates a throwaway for one post (presumably reusing a common password since it's, you know, a throwaway), and then forgets about it for years. Something like a burner cell phone number would be good, where they're active for a week or something, and then they're automatically deleted. Or maybe based on the last time logged in, where if you designate your account as a throwaway when you're creating it, you have to keep logging in every two or three days, and if you don't, they're gone.

[–]CY4N 1 point 2 points  (1 child comment)

All accounts should have to create a new password every X months or something by default.

[–]ani625 1 point 2 points  (1 child comment)

Explainxkcd of the comic if you're looking for an explanation.

[–]DwelveDeeper 1 point 2 points  (1 child comment)

My very first password on the internet was "neopets"

I feel like that was a good one.

[–]MajorMajor 0 points 1 point  (0 child comments)

Set and verify an email address. We currently have exactly one way for you to reset your account and that's by email.

If I had to choose between providing an email address vs having my account taken over, I'd choose having my account taken over. Not asking for an email address is one of the absolute best things about reddit. Whatever you do to address security can't compromise that feature.

[–]_Megain_ 0 points 1 point  (0 child comments)

we have tons of completely abandoned accounts with no discernible history that exist as placeholders in our database. They've never posted. They've never voted. They haven't logged in for several years.

One of those is me, though it was never intended as a throwaway, I merely forgot my password. But since I didn't set it up with an email account, there's apparently no way to get it back?

If you go about disabling these accounts, does that mean they're forever blocked/locked, or will the usernames become available again?