It’s just as informative and thought-provoking as anything in the NY Times or the Wall Street Journal…
We’re all familiar with the Adobe scandal by now. I received some emails from various companies stating my passwords had been reset. I have no problem with extra caution on the part of these companies – I even appreciate it. But this article from the BBC causes me some concern. Whereas the non-Adobe company which reset my password stated people sometimes reuse passwords across different sites as the reasoning behind their policy decision to reset passwords of accounts with emails matching those found in the Adobe booty stash, the above-linked article states Facebook is specifically resetting passwords found to match email/password combos determined to have been compromised. The article then states the same actions are occurring at other companies. Something is wrong here. I never use the same password twice, yet my password for an undisclosed website was reset, so I figure one of three things is happening here:
- The article is mistaken. Facebook may be actively matching passwords from the stash to their active users’ accounts, but other companies are finding email addresses found in the Adobe dump and resetting passwords for accounts using the same email address regardless of password match. I think this is the most likely.
- The article is mistaken, but deliberately so in an effort to bring awareness of the dangers of reusing passwords, especially online. Thanks big brother, what would we do without you?
- Alternately, and most disheartening, the article is drummed up fear mongering with the set intent of selling commercial password managers. I don’t know about this, because I would never even so much as research the existence of any potential commercial password manager, much less purchase or use one, but the paranoid in me has to mention it as a possibility.
So in closing, don’t reuse passwords, close your Facebook account, use open source software alternatives to Adobe products, and don’t drink the water 😉
Trying to create a Yahoo account but they insist on a valid mobile number to create an account. I do not have a mobile number and wouldn’t give it to them if I did. Guess they’re not overly concerned with gaining new users… Yahoo, you JOKE! Do you really think you’re relevant as it is? Thanks for nothing.
Intelligent Devices, the Internet Of Things. Oh so futuristic. Oh so potentially worrisome… I only hope our dreams are fulfilled and not our nightmares.
UPDATE: Site seems to be working at this time, so perhaps those responsible for running the site have corrected their error (?). Hopefully…
The representative I spoke to on the telephone assured me that the treasurydirect.gov website had not been hacked, but Firefox seemed pretty sure something is amiss.
The representative I spoke with on the phone said there is a known issue using Safari which will result in a similar warning message to users, but that my report is the first he has heard of this warning being present in Firefox. [Thank God he didn’t suggest I try using Internet Explorer or I would have closed my account on the spot!]
There seems to me a good possibility there has been no hack here and the government/treasury [not the same entity!] is so careless they just don’t care about presenting trusted certificates. As a consumer of treasury goods I, however, care a great deal that I can trust the connection to my money. With the recent headline-grabbing attacks on the NY Times, Amazon, and the rest, perhaps this is an attack on the treasurydirect.gov site? How the hell can one tell if they admit they have certificate issues on good days?!
Perhaps I ought to close that account anyway if this is their approach to online security.