Protect your Apple ID, I mean it!

zYx (Associate, joined 2 Dec 2007, 421 posts, location: ISS)
Some time ago my account was hacked into.
No, I did not give my password to anybody, nor did I use it anywhere else.

The password I was using (I thought) was strong, but it wasn't.

Somebody made several purchases in the App Store, for over 25 pounds. Not a lot, but I noticed quickly when I received the first email confirming my purchase.

The password contained a word. Please make sure that you don't use any words from any dictionary in a password. Even with numbers and other characters, passwords like that are very weak and hackable.

I just remembered about it and thought I'm gonna share the info with others. Also don't use the same password on different sites.

Search the web for tips on how to create unhackable passwords easy to remember.
#justsaying ;-P
 
I doubt it was brute forced as Apple will block an IP after a certain amount of failed attempts.

Phished/keylogged. :)
 
So far nobody could explain how this happened. I don't think I'll ever find out. Hackers have their ways to do these things.
I was just saying, or reminding people, to use very strong passwords.
 
I think they wouldn't accept a password unless it had upper and lower case and numbers, which makes it a pain to remember. Barclays do something equally annoying too; what's wrong with just having a really long phrase and a few numbers, why all the uppercase nonsense?
 
A good way to create a strong password is to think of a sentence that you often repeat, something like a "saying". Say the first half of the alphabet would be lower case and the second half upper case. Stick some special characters in the middle and some numbers at the end.

It has to be a combination of random letters. Basically, if your password contains a word, any word from any dictionary, in any language, in any combination of lower and upper case letters, back to front etc., it is not good. The algorithms hackers use will easily break your password.
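The post above describes how cracking tools treat a password that contains a word: they try it lower-cased, with digit-for-letter substitutions undone, reversed, and with number or symbol padding stripped. The following checker is an added example written for this thread, not code from any poster or from Apple; the word list, the substitution table and the 60-bit acceptance threshold are constructed assumptions (a real deployment would load a full cracking dictionary). It also computes the charset-entropy upper bound that a truly random password of the same length would have, so you can see how far a word-based password falls short.

```python
import math
import re
from typing import Optional, Set

# Constructed mini word list standing in for a real cracking dictionary
# (assumption: a deployment would load full lists in several languages).
DICTIONARY = {"apple", "password", "monkey", "dragon", "london", "summer"}

# Common character substitutions that cracking rule sets undo before comparing.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def normalise_forms(password: str) -> Set[str]:
    """Variants a dictionary attack would try: lower-cased, de-leeted,
    reversed, and with leading/trailing digits or symbols stripped."""
    base = password.lower()
    forms = {base, base.translate(LEET)}
    forms |= {f[::-1] for f in list(forms)}                       # back to front
    forms |= {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in list(forms)}  # 'dragon99' -> 'dragon'
    return forms


def contains_dictionary_word(password: str, min_len: int = 4) -> Optional[str]:
    """Return a dictionary word embedded in any normalised form, else None."""
    for form in normalise_forms(password):
        for word in sorted(DICTIONARY, key=len, reverse=True):
            if len(word) >= min_len and word in form:
                return word
    return None


def charset_bits(password: str) -> float:
    """Upper bound on entropy: assumes every character was drawn uniformly from
    the union of character classes present. A word-based password is far below it."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return len(password) * math.log2(size) if size else 0.0


def assess(password: str, min_bits: float = 60.0) -> dict:
    """Policy check used by this example: no dictionary word in any form and
    at least min_bits of charset entropy (the threshold is an assumption)."""
    word = contains_dictionary_word(password)
    bits = round(charset_bits(password), 1)
    return {"dictionary_word": word, "charset_bits": bits,
            "acceptable": word is None and bits >= min_bits}


if __name__ == "__main__":
    for pw in ("Dr4g0n99!", "Password1", "OepSiV8SPdqc3pwDvtH23o9m"):
        print(pw, assess(pw))
```

Run as written it reports that "Dr4g0n99!" still contains "dragon" once the substitutions are undone, while the 24-character random string later in this thread contains no word and sits near 143 bits of charset entropy.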
 
One of the reasons I use the gift cards. I tend to only purchase apps now and again so it's the handiest way. :)

I'm pretty confident with my new password now, so I'm not worried. Though since then I've never registered my card with Apple ID again.
 
my password looks like this:

OepSiV8SPdqc3pwDvtH23o9m

Not exactly easy to remember, but nice and secure. :cool:

Top tip: Make sure you don't use 1 password for every website either...
 
Are you serious? :D what is it based on? and how do you.. remember that?
 
A brilliant program I use, called "LastPass", remembers all your passwords for you and stores them in a 256-bit encrypted vault. It also generates and autofills your secure passwords, so you don't need to remember them.

All my passwords for different sites are a combination of upper and lower case, special characters like *%~{, and nothing from a dictionary. I don't need to remember them as it fills the fields in for you.

Worth looking into it, I've been using it well over a year and never looked back. It's a Firefox extension, which I use anyway... however I believe it can be used as a standalone, not sure.

Oh... definitely keylogged or phished, no way was it brute forced.
 
Would it work with Opera browser? (I'm trying it now) and why do you think it wasn't brute forced?

Also could you explain how the keylogging or phishing works?

Thanks

edit: that program looks cool, though I'd love to use it on my iPhone too, but to do that I'd have to pay for the premium account, not much though :)
 
Just google, lastpass for opera. I'm sure you will find out.

The reason was mentioned. Brute forcing is the act of a program trying different combinations of passwords, usually from a dictionary file list. When a website notices so many different attempts at a password in such a short space of time they will block the IP address of the machine. This puts the brute forcing to an end. Especially a website like Apple... they will have many security precautions in place to stop your average 14 year old using a brute forcer to access your account.

I realise I could have also told you to just google that as well... so go ahead and google phishing and keylogging, there is lots on it.

I think the forums on here only allow you 5 attempts at a login with the same username... so even if you were connecting through multiple proxies simultaneously it wouldn't allow you to login for a set period of time... rendering it useless again.
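The two controls described in this thread, blocking an IP address after a burst of failures (mentioned earlier in the thread as the reason a brute force would not work against Apple) and locking a username after five attempts (the forum rule mentioned just above), can be implemented with sliding-window counters. The following is an added example written for this thread, not code from the forum software or from Apple; the thresholds (5 per username, 20 per address, a 10-minute window, a 15-minute lockout) and the sample login events, including the addresses from documentation ranges, are constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple


class LoginThrottle:
    """Sliding-window failure counters per username and per source IP.
    Thresholds are constructed for the example: 5 failures lock the username,
    20 failures from one address block that address, both for lockout_seconds."""

    def __init__(self, window_seconds: int = 600, max_user_fails: int = 5,
                 max_ip_fails: int = 20, lockout_seconds: int = 900) -> None:
        self.window = window_seconds
        self.max_user_fails = max_user_fails
        self.max_ip_fails = max_ip_fails
        self.lockout = lockout_seconds
        self.user_fails: Dict[str, Deque[float]] = defaultdict(deque)
        self.ip_fails: Dict[str, Deque[float]] = defaultdict(deque)
        self.user_locked_until: Dict[str, float] = {}
        self.ip_blocked_until: Dict[str, float] = {}

    def _prune(self, q: Deque[float], now: float) -> None:
        # Drop failures that have fallen outside the sliding window.
        while q and now - q[0] > self.window:
            q.popleft()

    def allow(self, user: str, ip: str, now: float) -> Tuple[bool, str]:
        """Decide before the password is checked, so a locked account or a
        blocked address never reaches the credential check at all."""
        if self.user_locked_until.get(user, 0.0) > now:
            return False, "user locked"
        if self.ip_blocked_until.get(ip, 0.0) > now:
            return False, "ip blocked"
        return True, "ok"

    def record(self, user: str, ip: str, now: float, success: bool) -> None:
        if success:
            self.user_fails.pop(user, None)   # a good login clears that user's counter
            return
        uq = self.user_fails[user]
        uq.append(now)
        self._prune(uq, now)
        iq = self.ip_fails[ip]
        iq.append(now)
        self._prune(iq, now)
        if len(uq) >= self.max_user_fails:
            self.user_locked_until[user] = now + self.lockout
        if len(iq) >= self.max_ip_fails:
            self.ip_blocked_until[ip] = now + self.lockout


def replay(events: List[Tuple[float, str, str, bool]],
           throttle: Optional[LoginThrottle] = None) -> List[str]:
    """events are (timestamp, username, source_ip, password_correct); returns
    one decision per event: 'success', 'failed', 'user locked' or 'ip blocked'."""
    throttle = throttle or LoginThrottle()
    decisions = []
    for t, user, ip, correct in events:
        allowed, reason = throttle.allow(user, ip, t)
        if not allowed:
            decisions.append(reason)
            continue
        throttle.record(user, ip, t, correct)
        decisions.append("success" if correct else "failed")
    return decisions


# Constructed samples (addresses are from the documentation ranges).
GUESSING_ONE_ACCOUNT = [(float(i), "alice", "203.0.113.7", False) for i in range(6)] \
    + [(6.0, "alice", "203.0.113.7", True)]      # the right password arrives too late
MANY_ACCOUNTS_ONE_ADDRESS = [(float(i), "user%d" % i, "198.51.100.9", False) for i in range(21)]

if __name__ == "__main__":
    print(replay(GUESSING_ONE_ACCOUNT))
    print(replay(MANY_ACCOUNTS_ONE_ADDRESS)[-3:])
```

Note the two counters answer different questions: the per-username lockout stops a guessing run against one account even from many addresses, and the per-address block stops one machine trying many accounts; a good login clears only the user's counter, so a single success never unblocks a noisy address.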
 
Guys, there is almost the same chance of someone stealing a password regardless of how complex you make it.

Unless you use a different password for every single website and check how that website stores your password then you are not very secure.

If you use the same password for your Apple ID along with the same email, all it takes is someone with access to some rubbish little site that you use for one of your hobbies or something that hasn't bothered to encrypt your password and they will have your credentials.

As mentioned, every large site should be limiting the number of attempted logins and should be using a very strong encryption to protect against a rainbow table attack should someone get hold of their members database. All that effort is completely negated as soon as you reuse that password on a less secure site though.

There are steps you can take to be as secure as possible but ultimately, you are trusting everyone who you share that password with to be as secure as the top companies and they are clearly not.

Use a different password for every site which is important or has access to payment details and ensure that it's not a dictionary word and includes some non-standard characters.
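The post above makes two points that are easy to show side by side: a site that stores passwords with an unsalted fast hash exposes them to precomputed-table lookup once its database leaks, and a strong salted hash at the big site does nothing for you if the same password was reused at the weak one. The code below is an added example written for this thread, not Apple's or any site's implementation; the PBKDF2 iteration count, the reused password "Summer2011" and the tiny precomputed table are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Work factor for PBKDF2-HMAC-SHA256 (assumption; raise it as hardware allows).
ITERATIONS = 210_000


def weak_store(password: str) -> str:
    """What the badly run hobby site in the thread does: unsalted, fast hash.
    Equal passwords give equal digests, so a leaked table can be matched
    against a precomputed digest -> password table without further work."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store(password: str) -> dict:
    """Salted, slow hash: a fresh random salt per record makes precomputed
    tables useless and forces separate work for every record."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def precomputed_lookup_hits(leaked: dict, table: dict) -> dict:
    """Toy version of the rainbow-table style lookup the thread mentions:
    leaked is user -> unsalted digest, table is digest -> password."""
    return {user: table[h] for user, h in leaked.items() if h in table}


# Constructed data: one password reused at two sites with different storage.
REUSED = "Summer2011"
HOBBY_SITE_LEAK = {"bob": weak_store(REUSED)}     # unsalted SHA-1, leaked
BIG_SITE_RECORD = store(REUSED)                     # salted PBKDF2, not leaked
TABLE = {weak_store(w): w for w in ("password", "monkey", REUSED, "dragon")}

if __name__ == "__main__":
    hits = precomputed_lookup_hits(HOBBY_SITE_LEAK, TABLE)
    print("recovered from hobby-site leak:", hits)
    print("same password, same digest at hobby site:", weak_store(REUSED) == HOBBY_SITE_LEAK["bob"])
    print("same password, same digest at big site:", store(REUSED)["hash"] == BIG_SITE_RECORD["hash"])
    print("recovered password opens big-site account:", verify(BIG_SITE_RECORD, hits["bob"]))
```

The last line is the whole argument of the post: the salted record never leaked and could not be looked up, yet the reused password recovered from the hobby site verifies against it anyway.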
 
How would a Nigerian hacker know what hobbies you were into and what other sites you visited? The only way this is plausible is if it was a friend who knew you and then you have a lot more to worry about than 25 quid spent on apps.

Like you ended with... this is why it is important to use a different password for each site.
 
They wouldn't and neither would they need to. You can buy databases full of passwords and email addresses from sites that have not secured themselves properly. Seeing as most people reuse the same password, chances are, some of those people will be on iTunes.

People who do this follow the path of least resistance. They know that a lot of people have googlemail accounts, once they have that, they can see what other sites you use, go to that site and reset your password and watch as the reset comes into your inbox ready for them to change.

They don't target individuals, they will just find the least secure people and target them. It's not that hard to do.
 
Doesn't really matter how complex you make your password most sites use a fixed length hash anyhow.

Brute forcing passwords doesn't really work against any semi-secure site for indiscriminate logins, it needs a fairly complicated and targeted approach, usually it comes down to phishing and shared logins.
 
I use 1Password for every site. I already know my Dropbox now though, curse you photographic memory!

16 characters, 2 symbols and random capitals for all sites that support them.
 