Gmail hacked?

That means someone actually cracked my password and logged in from Russia doesn't it? Is there any way to find out how? Brute force attack?

More likely you use the password on multiple sites, and they got the password like that. Or possibly a flash ad exploit got a keylogger onto your system.
 
I have different passwords for different things. The particular password is something I only ever use for things I want secured...obviously I have changed it everywhere.

...the keylogger thing sounds interesting though....how would I check/ensure I am protected against such a thing.....generally if I think I am going to visit a dodgy site I will load up a different browser to look.
 
Obviously there's a number of ways this could have happened as listed above.

As suggested it could simply be the case that your email has been made the reply address of a spam message that was sent out.

You could have also accessed your email via an unsecured wireless connection or on a friend's/work or your own computer that is compromised with malware or a keylogger (software that has been installed directly or remotely on your computer, or a computer you have used, that would have access to every keystroke you make).

It could have simply been due to exploits found in software that you don't have up to date on your computer. From Windows itself to your Flash plugin for your browser.

To be safe change your password for your email.

Also, "The particular password is something I only ever use for things I want secured...obviously I have changed it everywhere." *sigh*

Look into using something like KeePass (http://lifehacker.com/software/feature/geek-to-live--securely-track-your-passwords-184774.php) or LastPass (http://lifehacker.com/5041463/lastpass-saves-and-syncs-passwords-between-all-your-browsers)

Both have advantages and disadvantages. I personally use KeePass because I use it to also store non online based services and just sync the database online with DropBox (http://www.dropbox.com).

If you don't want to take it that far simply create some good rules for yourself in the future when creating passwords. Some tips: http://lifehacker.com/software/top/geek-to-live--choose-and-remember-great-passwords-184773.php
 
That means someone actually cracked my password and logged in from Russia doesn't it?
Well there's a chance they were using a proxy in Russia, but someone other than you has logged into your account by the looks of it.
Is there any way to find out how? Brute force attack?
I doubt it was a brute force attack. Try brute forcing your own account and you will find after a few wrong guesses that you need to start using captcha codes, so unless your password is very weak then a keylogger is far more likely I'm afraid. :(
 
Right ok....learning some lessons here.

Came across this: http://lifehacker.com/software/geek...re-your-saved-passwords-in-firefox-154099.php

How secure is that? Is it the same as using KeePass? Secure for things that need top security like paypal and banking and the likes? Is it possible to share the database at all?

It's very secure, but it's also annoying because of the number of times you will be prompted for the master password.

Use KeePass instead for better usability.
 
What do you mean...it says every time you start firefox?....or is it more times than that in reality?

When I tested it, it prompted me far more times than really required, but that does offer you slightly stronger security as it isn't maintained in memory when not needed.

You won't go wrong security wise with either Firefox + master password or KeePass though, but KeePass offers you many more features for the job.
 
I can't seem to get KeePass to integrate with Firefox though...do you know of a tutorial for this?

Thanks for your responses.

EDIT: Also, is it bad practice to keep things logged in?....I remember once reading about cookie stealers.
 
I use KeePass and I just copy and paste my usernames and passwords into Iron/FF/IE or any other browser. :)
 
Likewise, this is easiest tbh. There is a KeeFox extension you could try: http://keefox.org/

EDIT: Also, is it bad practice to keep things logged in?....I remember once reading about cookie stealers.

It's not exactly good practice but this isn't an ideal world :p if it's just you that uses your PC then don't worry about it. Cookies will normally only be valid from your IP, so unless someone on your LAN is questionable then cookie theft shouldn't be a problem. Uni networks, public wifi etc are of course a different story though.
 
Forgive my ignorance, but aren't IPs easy to spoof?
 
Nope, conversely IP spoofing can only be done for very specific things (UDP), typical internet communications (TCP) not being one of them.

Ah right...OK, what about cookie stealing.....after a bit of googling it appears that it can only steal cookies from the site that you are currently on and most sites only allow you to use cookies with certain IPs...

...is that correct?
 
Correct and using SSL sites reduces the risk even further. When you logout of a site the cookie should be invalidated, so the risk is present if an adversary can a) obtain the cookie and b) replay it from a valid source address while the session is still active.
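
The checks described in the reply above (logout invalidates the cookie, and a replayed cookie only works from the bound address while the session is still active), as an added Python sketch that is not from the thread or from any particular site. The `SessionStore` class, its reason strings, the timeout and the documentation-range IP addresses are all constructed for illustration.

```python
import secrets
import time

SESSION_TTL = 1800  # seconds; constructed value for this example


class SessionStore:
    """Server-side session table keyed by an unguessable cookie value."""

    def __init__(self, bind_to_ip=True, now=time.time):
        self._sessions = {}
        self._bind_to_ip = bind_to_ip
        self._now = now  # injectable clock so expiry can be exercised

    def login(self, user, client_ip):
        token = secrets.token_urlsafe(32)  # the value sent as the cookie
        self._sessions[token] = {
            "user": user,
            "ip": client_ip,
            "expires": self._now() + SESSION_TTL,
        }
        return token

    def logout(self, token):
        # Deleting the server-side record is what makes a stolen copy useless.
        self._sessions.pop(token, None)

    def validate(self, token, client_ip):
        session = self._sessions.get(token)
        if session is None:
            return (None, "unknown-or-logged-out")
        if self._now() >= session["expires"]:
            del self._sessions[token]
            return (None, "expired")
        if self._bind_to_ip and session["ip"] != client_ip:
            return (None, "ip-mismatch")
        return (session["user"], "ok")


def demo():
    """Owner request, replay from another address, replay after logout."""
    store = SessionStore()
    cookie = store.login("alice", "198.51.100.7")      # constructed addresses
    results = [store.validate(cookie, "198.51.100.7")]  # legitimate owner
    results.append(store.validate(cookie, "203.0.113.50"))  # copied cookie, other IP
    store.logout(cookie)
    results.append(store.validate(cookie, "198.51.100.7"))  # after logout
    return results
```

With `bind_to_ip=False` the second check succeeds, and even with binding a copy replayed from the same public address (shared NAT, public wifi) passes until logout or expiry.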
 
Right ok....given all the information in this thread I have come up with a new plan.

- 1 strong different password for internet banking (that I can remember).
- 1 strong different master password for firefox (that I can remember).
- Different passwords for all other services which are as strong as the service allows but I don't have to remember these and are stored in firefox password manager.
- Sync my firefox profile among all computers using Firefox Sync
- Only keep sessions logged in if I am on my home computer, else logout.

Can anyone see any flaws with my plan?....I assume syncing the passwords and everything will be encrypted and safe with Firefox Sync as it encrypts using key technology and only I know the key?
 