Increase in credential stuffing attacks targeting domainers

NamePros is observing an increase in credential stuffing attacks targeting domain investors. This is a semi-regular occurrence. It typically works as follows:
  1. An arbitrary website in the domaining industry is compromised. Typically, we have no way of knowing which site it was.
  2. The username and passwords are harvested from the compromised website.
  3. Attackers assume that most people use the same (or a similar) password everywhere, so they plug the username and password combination into other, more secure websites.
  4. The attacker will steal any assets in the account and potentially scam other people while impersonating the compromised user.
I've written about this quite extensively in the past, but people are still using the same password on multiple websites. Password reuse is a great way to get hacked: if you know your password, it's a bad password.

Get a password manager and enable 2FA. It's your responsibility to keep your accounts secure. If you use the same password on NamePros and SomeRegistrarWebsite, and SomeRegistrarWebsite leaks your password, attackers are going to have no trouble logging into your NamePros account.

In the short term, we'll be requiring some high-risk accounts to enable 2FA. We'll also be enforcing stronger password requirements for some accounts. This is not a perfect solution, and we still expect members to maintain good internet hygiene by choosing more secure passwords.
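As an added example (not NamePros code), detection logic for the pattern in steps 1 to 4 above, run over a constructed auth log: a stuffing run shows up as one source IP touching many distinct accounts in a short window with a low success rate, and the successes from that IP are the accounts whose reused passwords just got them compromised. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log (not real NamePros data); assumed one line per attempt.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:02Z ip=203.0.113.7 user=carol result=success
2024-05-01T10:00:03Z ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:04Z ip=203.0.113.7 user=erin result=fail
2024-05-01T10:00:05Z ip=203.0.113.7 user=frank result=success
2024-05-01T10:00:09Z ip=198.51.100.4 user=alice result=fail
2024-05-01T10:00:40Z ip=198.51.100.4 user=alice result=success
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse(log_text):
    """Yield (timestamp, ip, user, succeeded) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["ip"], m["user"], m["result"] == "success"


def detect_stuffing(log_text, window=timedelta(minutes=5), min_users=5, max_success_rate=0.5):
    """Flag source IPs that try many *distinct* accounts within `window`.

    Brute force hammers one account; stuffing tries one leaked pair per account,
    so the tell is breadth across usernames plus a low hit rate. Successful
    logins from a flagged IP are listed as "compromised" for a 2FA challenge/reset.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in parse(log_text):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):          # sliding window over time-ordered events
            while events[end][0] - events[start][0] > window: start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            hits = sorted({u for _, u, ok in span if ok})
            rate = sum(ok for *_, ok in span) / len(span)
            if len(users) >= min_users and rate <= max_success_rate:
                if best is None or len(users) > best["users"]:
                    best = {"attempts": len(span), "users": len(users), "compromised": hits}
        if best: flagged[ip] = best
    return flagged
```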
 
If you want memorable passwords, a great way is to have a phrase, with some numbers and symbols. For example:

I love domains

1 has 1 letter, love has 4, domains has 7.

I1Love4Domains7

Then add 2 symbols, e.g. @@

I1Love4Domains7@@

Finally, for every website, add the letter of the name or 2 letters, e.g. np for NamePros

I1Love4Domains7@@np

It's long, memorable and different for every site.
 
This is the sole reason why I keep all my passwords random. I remember only 4 passwords - of my email, router admin, password manager & crypto wallet. Again these 4 are more than 20 characters long with a combination of A-z0-9$-! :D

Coming to 2FA - will NP integrate Google Authenticator in future?
 
> If you want memorable passwords, a great way is to have a phrase, with some numbers and symbols. For example:
>
> I love domains
>
> 1 has 1 letter, love has 4, domains has 7.
>
> I1Love4Domains7
>
> Then add 2 symbols, e.g. @@
>
> I1Love4Domains7@@
>
> Finally, for every website, add the letter of the name or 2 letters, e.g. np for NamePros
>
> I1Love4Domains7@@np
>
> It's long, memorable and different for every site.
😂😂😂😂😂
These are not passwords.
This is the type of password I have for sensitive data:

A&#;ys863(gsi:#!#(hskwpzHaeu65#(+#;@!

😉
 
> 😂😂😂😂😂
> These are not passwords.
> This is the type of password I have for sensitive data:
>
> A&#;ys863(gsi:#!#(hskwpzHaeu65#(+#;@!
>
> 😉

If you can remember all your passwords, then kudos to you. I need something simpler to remember, so if my password wallets, etc. get hacked, I know what all the original passwords should be, and what I used before, to change them quickly.
 
> If you want memorable passwords, a great way is to have a phrase, with some numbers and symbols. For example:
>
> I love domains
>
> 1 has 1 letter, love has 4, domains has 7.
>
> I1Love4Domains7
>
> Then add 2 symbols, e.g. @@
>
> I1Love4Domains7@@
>
> Finally, for every website, add the letter of the name or 2 letters, e.g. np for NamePros
>
> I1Love4Domains7@@np
>
> It's long, memorable and different for every site.
Please don't generate passwords that way. That's susceptible to password reuse: if an attacker sees that you're using "I1Love4Domains7@@np" on NamePros, they can easily guess that your GoDaddy password is "I1Love4Domains7@@gd".

Going forward, NamePros will be treating logins with such passwords as high-risk, and you may receive a 2FA challenge even if you don't have 2FA enabled.

> Coming to 2FA - will NP integrate Google Authenticator in future?
We already do. You can enable it here: https://www.namepros.com/account/two-step/

You can use any TOTP implementation, be it Google Authenticator, Authy, or another app.
 
I just finished last month updating 300+ passwords.

For 20 years never had any issues, then had my first ever Twitter account hacked. Hacker did some bad stuff, got it suspended. Found out about it, sent info to Twitter proving it's mine, no go. They didn't give it back to me. They seem to be harvesting some good Twitter handles, sometimes outright taking them.

Then had a hosting account hacked, screwed up some sites. This was an older account with just a few sites not making much, so cleanup cost was more than the sites were generating. Of course, I wasn't doing backups on a regular basis as I should have. I guess then I could have just deleted everything and uploaded a current backup.

I've really been getting more into security this year, even all my external/flash drives are now all password protected/encrypted and kept in a biometric gun safe.

That was the kick in the butt to take this more seriously. So I've been using Roboform for many years now and just went through all my logins and used the generated passwords they spit out.
 
> If you can remember all your passwords, then kudos to you. I need something simpler to remember, so if my password wallets, etc. get hacked, I know what all the original passwords should be, and what I used before, to change them quickly.
With password wallets/managers you don't have to remember them. I have Roboform on my computers/phone so it pops up when I need to log in somewhere. With the password manager site itself I have a strong password plus one-time password enabled, so if somebody tries to log in from an authorized device, I get a temp password sent to me, that the unauthorized user would need, but doesn't have access to.

This:
> One Time Password Option
> Enabling this feature will add a layer of security to your RoboForm Account. It will require you to enroll all computers and devices used to login to RoboForm so that only those specific computers and devices can access your account. When attempting to access your account from a new computer or device, a One Time Password will be sent to you. You will enter that One Time Password to complete the registration of that computer or device.

then you have these options
email
phone (SMS)
authenticator

I was wondering, what if someone just hacks my password manager account, then they'll have all my passwords, so the above should do the trick as far as that.
 
> If you want memorable passwords, a great way is to have a phrase, with some numbers and symbols. For example:
>
> I love domains
>
> 1 has 1 letter, love has 4, domains has 7.
>
> I1Love4Domains7
>
> Then add 2 symbols, e.g. @@
>
> I1Love4Domains7@@
>
> Finally, for every website, add the letter of the name or 2 letters, e.g. np for NamePros
>
> I1Love4Domains7@@np
>
> It's long, memorable and different for every site.

Hackers rejoice at this advice.

Please don't do this.

Get 1password. Generate your passwords using it. Use 2FA everywhere.

The only password you should need to remember is to log in to 1password.
 
I have LastPass and that company got hacked, so don’t have any faith in password managers. I’d rather save my passwords on my laptop or in a physical book.
 
LastPass is infinitely more secure than either of those options.

And 1password is better again.
 
Consumer Reports Scores - Paid Options
1Password - 84
Dashlane - 76
Keeper - 74
Bitwarden - 71
LastPass - 70
Norton 360 - 70
McAfee - 66

My brother (an IT guy) uses 1Password. On a recent visit he kind of smirked when I mentioned Roboform, but again, I have been using it for 20 years, never an issue. Also, it has never been hacked like some of the others. If I wasn't using that, I would go with 1Password: Consumer Reports and little brother approved.
 
> I have LastPass and that company got hacked, so don’t have any faith in password managers. I’d rather save my passwords on my laptop or in a physical book.
LastPass is a bit of an anomaly. If you use something like 1Password, for the most part, it doesn’t matter if they get hacked; decrypting the passwords would be infeasible.

LastPass has been repeatedly criticized by reputable security professionals—notably including Tavis Ormandy. I’d recommend sticking to something with a better reputation.

All that being said, if you use an algorithm to generate your passwords like the one you mentioned previously, you’re going to get hacked no matter where you store your passwords.

> I've really been getting more into security this year, even all my external/flash drives are now all password protected/encrypted and kept in a biometric gun safe.

Personally, I don’t really worry about flash drives and portable drives. They shouldn’t be storing anything sensitive anyway, since they’re liable to be misplaced or fail without warning.

If you do store something sensitive in a biometric gun safe, keep in mind that they tend to only prevent opportunistic theft. They’re usually pretty easy to open non-destructively, so you wouldn’t necessarily notice if someone forced it open.
 
> LastPass is a bit of an anomaly. If you use something like 1Password, for the most part, it doesn’t matter if they get hacked; decrypting the passwords would be infeasible.
>
> LastPass has been repeatedly criticized by reputable security professionals—notably including Tavis Ormandy. I’d recommend sticking to something with a better reputation.
>
> All that being said, if you use an algorithm to generate your passwords like the one you mentioned previously, you’re going to get hacked no matter where you store your passwords.
>
> Personally, I don’t really worry about flash drives and portable drives. They shouldn’t be storing anything sensitive anyway, since they’re liable to be misplaced or fail without warning.
>
> If you do store something sensitive in a biometric gun safe, keep in mind that they tend to only prevent opportunistic theft. They’re usually pretty easy to open non-destructively, so you wouldn’t necessarily notice if someone forced it open.
Where would you store sensitive/important data? I don’t store stuff on the cloud because the cloud can be hacked. Nobody will be getting my external drives.
 
> Where would you store sensitive/important data? I don’t store stuff on the cloud because the cloud can be hacked.
It depends on the type of sensitive data. For the most part, in the cloud using encryption methods that match the sensitivity of the data and how easy it would be for someone to obtain the same data via other methods.

It's not as simple as "anything can be hacked." If I keep most of my passwords in 1Password and their database gets hacked, my passwords remain safe, at least for a few decades. If 1Password's supply chain gets hacked, my passwords aren't safe--regardless of whether I keep said passwords in 1Password. That's because there would be compromised software running on all my devices that could see anything I enter. The same holds true for most other software on your computer.

For some types of data--particularly large datasets, such as backups--a local server at my home. Most of this isn't sensitive; I just want to be absolutely certain that I don't lose it. Family photos are a great example. If I store those on a flash drive, eventually, the flash drive is going to die. If I store them on a few hard drives, eventually, bit rot will get the better of them--probably all around the same time. But if I store them on a proper server--or in the cloud, for that matter--bit rot is less of a concern.

At the end of the day, if someone really wants my data:
[image: xkcd comic #538]

CC-BY-NC 2.5, xkcd.com + Randall Munroe: https://xkcd.com/538
 
https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Never ever use third party services to store your critical data.

The data from the hack was still encrypted with your LastPass master password:

"These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass."

Once again, using LastPass is infinitely more secure than saving data on your laptop or writing it on a sticky note or whatever.
 
Quantum computers greet you.
Any quantum computer capable of breaking AES256 is going to have no trouble decrypting everything you do on the internet anyway, including every password you enter on every website.

That’s not a risk worth worrying about unless you’re lucky enough to find yourself in a position to be designing and implementing quantum-ready encryption.
 
> Any quantum computer capable of breaking AES256 is going to have no trouble decrypting everything you do on the internet anyway, including every password you enter on every website.

So technically nothing is infinite. Even the universe itself.
 
> So technically nothing is infinite. Even the universe itself.
Security is about risk assessment and risk management. Your risk is much higher if you reuse passwords or follow a pattern than if you use a password manager with proper end-to-end encryption.

LastPass is not that, though. Sure, they might have been using AES256, but AES is only as good as your KDF--and their KDF parameters were garbage. That wasn't a surprise to anyone, though, and they have a history of security issues.
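As an added example (not code from NamePros, LastPass or any vendor), a simplified vault key derivation that shows why "AES is only as good as your KDF": the vault key is derived client-side from the master password, so whoever steals the encrypted vault must run the KDF for every guess, and the iteration count multiplies their cost. PBKDF2-HMAC-SHA256 and the 5,000 and 600,000 figures are assumptions for illustration; 600,000 is OWASP's recommended minimum for PBKDF2-HMAC-SHA256.

```python
import hashlib
import os
import time

# Illustrative scheme (an example, not any vendor's actual design): the key that
# encrypts the vault is derived from the master password with a per-user salt.
# An attacker holding the stolen vault must repeat this per candidate password.
def derive_vault_key(master_password, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def guesses_per_second(salt, iterations, samples=3):
    """Rough single-core rate at which master-password guesses can be tested.
    Real attackers use GPUs, so treat the result as relative, not absolute."""
    t0 = time.perf_counter()
    for i in range(samples):
        derive_vault_key(f"candidate-{i}", salt, iterations)   # constructed guesses
    return samples / (time.perf_counter() - t0)


def years_to_search(candidates, rate):
    """Time to exhaust a candidate list at `rate` guesses per second, in years."""
    return candidates / rate / (365 * 24 * 3600)


def compare_kdf_strength(weak=5_000, strong=600_000, candidates=10**10):
    """Contrast a low PBKDF2 iteration count with the OWASP-recommended 600,000
    against a constructed 10-billion-entry candidate list."""
    salt = os.urandom(16)                       # per-user salt, stored beside the vault
    out = {}
    for n in (weak, strong):
        rate = guesses_per_second(salt, n)
        out[n] = {"guesses_per_sec": rate, "years": years_to_search(candidates, rate)}
    return out
```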
 