Further Comments

Ravyn raises an interesting point that I thought it would be worthwhile echoing for everyone to understand.

If you are particular about the security of your diary (and indeed ANY system that you use) then you should be careful with your password. The following guidelines will help you a lot:

1. Never use the same password on more than one system. We’re all guilty of having “standard” passwords that we reuse, but this means that if someone breaks in to your Hotmail account (or any other; I don’t single Hotmail out for any particular reason other than that they are a public online system!) they have access to everything you do online. Keep your passwords in a notebook you keep on your person if you can’t remember them all, but don’t use poor memory as a reason to use the same password everywhere. Also remember that not all systems store passwords in an encrypted form: any system that can tell you or email you your password is storing them in a readable format, so if anyone were to hack that system they could just read a bunch of passwords, once they found them on the machine of course. I’ll add that Dear Diary does NOT store passwords in plain readable format; they are one-way encrypted, and hence if you lose your password the only thing we can do is reset it.

2. Use combinations of numbers and upper and lower case letters. Your password on Dear Diary is case sensitive so take advantage of it. If your password is ‘fish’ then try something like “f1Sh” – that’s “eff, one, capital-ess, aitch”.

3. Never use real words or names as your password. As Ravyn says, passwords can be brute-forced. The simplest way this works is with the spell check database (a plain word list) that most Unix boxes come with, and which is now available from a wide range of other sources too. The crackers simply keep trying to log in with a username and each and every word from that word list. So if your password was “fish” they’d find it fairly quickly; if it was “f1Sh” they wouldn’t find it from the spell check database at all.

The second method of brute forcing is more involved and is often a second wave of attack for those that are desperate to get access to an account. This involves trying every combination of letters and numbers: for example they’ll try “a” through “z” first, then “aa” through “az”, “ba” through “bz” and so on to “zz”, next “aaa” and onwards, until they find it or they give up. Of course, this method is extremely time consuming, but some people will just set it running overnight and see what it’s got done by the morning.

You can make life harder for the second method of attack by using more characters in your password. There are 11881376 combinations of 5-letter passwords, assuming all lower case and no numbers; add in upper case and numbers and you get 916132832 combinations. Go for an eight-character password with upper, lower and numeric and suddenly your attacker has 218340105584896 possible combinations to investigate! That means a worst case of around 7000 years to find your password, assuming they can get around 1000 validated per SECOND, which is highly unlikely given that each attempt will have to be done across the Internet connection.
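To make the two attack models above concrete from the defender’s side, here is an added example (not code from the post or from Dear Diary) that checks a candidate password against a small constructed word list and computes the key space and worst-case years at the post’s assumed 1000 guesses per second. It goes slightly beyond the post’s model by also counting ASCII punctuation as a fourth class, and by stripping a trailing digit before the word-list check, the “lauren1” pattern mentioned in the comments; the word list itself is a tiny constructed stand-in for a real spell check database.

```python
import string

# Character classes as the post describes them (lower, upper, digits).
# Punctuation is an extension not in the post's arithmetic.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
PUNCT = set(string.punctuation)   # 32 printable ASCII symbols

# Constructed stand-in for the "spell check database" the post mentions.
SAMPLE_WORDLIST = {"fish", "lauren", "password", "diary", "hotmail"}

GUESSES_PER_SECOND = 1000               # the post's assumed attacker rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600   # Julian year, close enough here


def alphabet_size(password: str) -> int:
    """Sum the sizes of the character classes actually used in the password."""
    chars = set(password)
    size = 0
    if chars & LOWER:
        size += len(LOWER)
    if chars & UPPER:
        size += len(UPPER)
    if chars & DIGITS:
        size += len(DIGITS)
    if chars & PUNCT:
        size += len(PUNCT)
    return size


def keyspace(password: str) -> int:
    """Number of candidates an exhaustive search of this length/alphabet must cover."""
    if not password:
        return 0
    return alphabet_size(password) ** len(password)


def worst_case_years(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Years to try every candidate at `rate` guesses per second (the post's measure)."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def in_wordlist(password: str, wordlist=SAMPLE_WORDLIST) -> bool:
    """True if a dictionary pass would hit: the word itself (any case) or word + trailing digits."""
    lowered = password.lower()
    return lowered in wordlist or lowered.rstrip(string.digits) in wordlist


def assess(password: str) -> dict:
    """Combine both checks into one report for a candidate password."""
    return {"dictionary_hit": in_wordlist(password),
            "keyspace": keyspace(password),
            "worst_case_years": worst_case_years(password)}
```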

As I say, if you’re particular about your privacy then don’t make it easy for them; hopefully the guidelines and advice I’ve just given you will help you secure yourself online.

Matt.

4 thoughts on “Further Comments”

  1. Thanks for the heads-up, as far as hacking the accounts goes, could be brute-force (as in sending a LOT of trial passwords for the one username via use of a wordlist)

    eg. if my password was "fish" (which it of course isn’t) someone could run a list of a billion words to try as passwords and eventually one might unlock the diary with the word "fish"

    and someone just got lucky, the easy solution for that, is use numbers & words to make it harder to crack. Although I’m sure there are methods I haven’t thought of. Just a thought.

    Ravyn

  2. `safely gives you a hug if you want one`

    Everyone Needs A Hug,
    SecretHugger

    P.S. I have a question. What if your password is two words put together, with no fancy stuff? Is that easy to get?

  3. Another password idea might be to change your password every say three or four months, just in case, to keep potential hackers guessing. Windows NT has a mechanism that you can set so that network passwords must be changed in a specified period of time. Diarists might think it a good idea to change their passwords once every 3 or 4 months, more frequently if you want to be very safety conscious. And to be just that little bit safer, it might be an idea if you are to change your password to something completely different…

    As an example, I heard a story from my school about a girl whose name was lauren, and her password was "lauren" and so, was quickly hacked by some bored school kids. They sent pornography from her account to every student in the school. Needless to say, the school was unimpressed…to remedy this situation, she changed her password. Word spread within two weeks that her new password was "lauren1". That’s a long-winded way of saying, make sure if you change your password, it’s completely different.

    Good luck,

    Ravyn

  4. Cool I will use the Help function and get you to change my diary name for me… thanks!!

    I am trying to find out from the person who got it hacked how it was done, but he is reticent to tell me for obvious reasons. All he said is it took just a few seconds, so he mustn’t have been trying normal word combinations, (as mine is not just a word). I cannot offer you any further help than that I am sorry.

    Thanks for the advice though!!

    ~HBM~