Tag Archives: password

Why your passwords MUST be more complicated!!!

With today’s (alleged) password breach of LinkedIn, it made me think to change some passwords. Why? Because I had a few accounts that use the same passwords. Yes, I know that’s bad. But they were “unimportant” to me at the time I was checking them out, but later they became more important and yet I still had a weak password.

If you don’t know why it’s bad, here’s why: now that they’ve got your login and password, the bad guys are going to start plugging that password into every computer system out there (Facebook, Amazon, Google, the USPS, Twitter, etc.) and, knowing many of you, they’re probably all the same. Some variation doesn’t count: if your Google password is gary1234google, someone’s probably going to guess that your Facebook password is gary1234facebook. There are computers out there trying to guess your password all day long, I promise you.

A few of the sites I could log into, but couldn’t find where to change my password. So I logged out and clicked “I forgot my password” and it sent information to my e-mail account on how to reset the password.

They’ve mentioned it’s only a small number of the passwords that were stolen (6 million); it’s assumed the other 150 million users were also compromised, they just had easier passwords to crack. They also believe that a bunch of eHarmony passwords were breached also, because many of the passwords consisted of the words “harmony” or “eHarmony”. I think most of this is done for money, but do you really want some bored hacker posting your eHarmony information to your LinkedIn profile?

To clarify about my accounts, most of my accounts that deal with money all have unique passwords (and unique logins), and the same goes for the places where I shop. But a few older accounts still had some older, shorter passwords. Does it matter to me if someone hacks those passwords? Maybe not, but still, I want my Flickr photos right where I put them.

With a site like “www.HowSecureIsMyPassword.net” you can punch in some passwords and it’ll tell you how long they might take to crack. FYI, most 8-character passwords (letters and numbers) take about 3 hours. Try it; you don’t have to give them your real password (if you don’t trust the site): if you use a word, year or name, just try a different name and year, just so you can see how many minutes or seconds it takes.
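As an added illustration (not code from the original post or from HowSecureIsMyPassword.net), here is a small Python script that estimates a password’s brute-force search space from the character classes it uses, and flags “variation” passwords that share a long stem, the gary1234google / gary1234facebook case. The guess rate of 2×10^10 per second is an assumption chosen so that 8 mixed letters and digits come out at roughly the 3 hours quoted above; the sample passwords are constructed.

```python
import math
import os
import string

# Character classes a brute-force attacker would assume from the characters seen.
# (These classes and the guess rate below are assumptions for this illustration.)
CLASSES = {
    "digits": string.digits,            # 10
    "lower": string.ascii_lowercase,    # 26
    "upper": string.ascii_uppercase,    # 26
    "punct": string.punctuation,        # 32
}

# Assumed guess rate, chosen so that 8 mixed-case letters/digits take ~3 hours,
# matching the figure quoted from HowSecureIsMyPassword.net above.
ASSUMED_GUESSES_PER_SECOND = 2.0e10


def alphabet_size(password: str) -> int:
    """Total size of every character class the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Number of candidates of the same length over that alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Brute-force entropy in bits (log2 of the keyspace)."""
    return math.log2(keyspace(password))


def crack_hours(password: str, rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case hours to exhaust the keyspace at the assumed guess rate."""
    return keyspace(password) / rate / 3600


def looks_like_variant(a: str, b: str, min_shared: int = 6) -> bool:
    """True when two passwords share a long common prefix or suffix, i.e. one is a
    trivial variation of the other (the gary1234google / gary1234facebook case)."""
    prefix = len(os.path.commonprefix([a, b]))
    suffix = len(os.path.commonprefix([a[::-1], b[::-1]]))
    return max(prefix, suffix) >= min_shared


if __name__ == "__main__":
    # Constructed sample passwords, not anyone's real credentials.
    for pw in ("Gary1234", "gary1234", "Xq7!pL2m$vR9"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, ~{crack_hours(pw):,.1f} h")
    print(looks_like_variant("gary1234google", "gary1234facebook"))  # True
```

The point of the comparison is the jump from 8 to 12 characters with a fourth character class: at the same guess rate the worst case goes from hours to millions of years, while a shared stem between two accounts is caught regardless of length.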

Also, keep in mind that if someone has access to your e-mail, they can have your password reset at many sites and have the change-password information sent to the compromised e-mail account (that someone else has access to). Some sites are smart: Ticketmaster, when resetting your password, also deletes your credit card information.

Back to my passwords: keep in mind that what a site lets you do can change. Maybe when I created that password at the Post Office or FedEx, I just used it for tracking alerts or vacation holds. But now they might let me purchase postage or other things that I just couldn’t buy when I set it up with a non-complicated password.

And I know some people don’t worry about shopping accounts, because they don’t keep their credit card information on-line. But all your receipts are in there, you might want that someday (and where you had all that stuff sent). What if you sign up for that Amazon card with the $50 bonus and it automatically puts it into your account?

And when your computer remembers passwords for you, that’s great, but who else uses your computer? You trust them, but do you trust they won’t download a virus or something that will steal that information? What happens if you lose that computer or it’s stolen?

Personally, I keep passwords on my computer just to wake it up from sleep mode. Passwords on my iPhone (10 tries and it deletes all the data on it). I even keep a password on my Kindle, why? Because I occasionally check my mail or access my Amazon account on it.

I was surprised that some of the apps on my phone didn’t need new passwords. They had already authenticated to the other accounts so many seemed okay. I’m not sure I liked that…

Did someone hack my iTunes account?!?

So I get an e-mail from iTunes today stating that an episode for my new season pass for “Sophie” has arrived. The first thing I thought was that I accidentally clicked “buy season” when I downloaded the free pilot last week. But when I check the receipt I see six other items (in addition to the season pass) totaling $61.93! Not only that, I see another order for $5.97! Not a chance that I placed these orders (FYI, the orders were placed at 1 am and 5 am).

Here’s the really strange part: almost all of the purchases were videos (TV, movies, movie rentals), and I think those kinds of videos still have DRM in them, and no additional computers were authorized. What good are these to anyone if they didn’t authorize a computer? Can they even play them? Wouldn’t it have been easier to have just downloaded torrents of these files? These oddities make me think it’s an accounting error.

So I had to “report a problem” to Apple/iTunes for each of the 10 individual items. The e-mails went something like this:

I did not place this order for any of the 3 items on this order. Nor has my computer downloaded these items. It’s order XXXXXXXX. I also have another order from today (ZZZZZZZZ) that I did not place.

I’ve changed my password as a precaution. I also tried to play some older protected/DRM’d music and it still plays (so I’m guessing if someone hijacked something they didn’t deauthorize my computers).

Gary LaPointe (phone ###-###-#####)

PS – These purchases don’t even meet my normal purchasing patterns.

My responses appear to be identical other than contact info (and I only got one response for each of the two orders):

Dear Gary,

My name is Jane Doe with the iTunes Store. I’m so sorry to hear of the unauthorized charges made with your iTunes Store account. I can certainly appreciate your concerns, and will do everything I can to assist in having this resolved.

With regards to financial reimbursement for the charges in question, these would have to be removed by a specialized team, designated to handle requests of this nature. I would urge you to contact your credit card company as soon as possible to inquire about canceling the card and removing the unauthorized transactions. A member of your credit card’s fraud department will contact the iTunes Store directly, and this team will resolve the issue. I apologize that I’m unable to remove the charges myself, but all unauthorized transactions must be handled in this manner.

If you suspect you are the victim of identity theft, please consider following these recommendations:

(they then gave 14 lines of tips that I cut out)

I sincerely hope that you are able to resolve this matter with the help of your credit card company, as soon as possible, Gary. Please let me know if I can be of any further assistance.

Sincerely,

Jane Doe
iTunes Customer Store Support

Please note that I work, Sunday, Wednesday, Thursday, Friday and Saturday, 12:30 PM – 9:00 PM this week

The identity theft issues don’t even make sense. Why would someone steal my charge card number and log into my iTunes account? The CC number won’t even get them into my account, and if they had a CC number, they could just create their own new account and I wouldn’t have known about it for days. And Apple doesn’t display the account number. I’m thinking it’s an accounting error, or some bits on the web got mixed up. And the responses were generic enough that I’m not 100% sure they read the post.

I did notice that they did include their working schedule, which was even different for the two different people who responded (neither of whom were named “Jane”). It’s a nice touch, but they both had the same return address (although the “follow-up” code could possibly redirect it).

I responded with:

Jane,

I will have my charge card company dispute/remove the charges as you said to do below. I have changed my password.

I have four (4) questions below in bold.

Unless I’m mistaken, they only gained access to my iTunes account. They don’t have my charge card number, iTunes doesn’t display the number for them to see, correct? A charge card number will not get them into my iTunes account. If they actually have my charge card number, I’d think they’d charge more than $70 of music/videos and

So this is either someone guessed my password (which was letters, numbers and non-alphanumeric characters) or some data packets got mixed up as someone else was placing their order. Since I have the two authorized computers in my possession and I know no one else was here using them, I’m assuming the latter.

Can someone actually download songs/videos to a non-authorized computer if they guessed my password?
Since videos still have DRM, someone wouldn’t actually be able to play them, correct?

Someone at the iTunes Customer Store Support can’t actually intervene in some way, at least to stop someone from downloading the season pass?
If it’s just an accounting error, it’s still going to download the season pass to my computer the next time I purchase a song.

Without my new password I’m assuming someone cannot download more of the season pass. I don’t even see how they could have in the first place without authorizing a computer.

Thank you,
Gary

And I can’t even dispute these charges yet since they haven’t fully been charged to my credit card company yet.

If anyone from iTunes/Apple is reading this and wants to fix this, you can leave a comment below or contact me directly.

UPDATE:

Wow! Lots of people with similar problems these last few weeks (see comments below), but I’m the only one that didn’t seem to have gift cards purchased on my account.

So it looks like my charge card company is refunding the two amounts to my charge card. This is contingent on Apple not disagreeing with my claim. FYI, after I said it was kind of stupid that they weren’t going to cancel the season pass since I was disputing it and they were still delivering the shows, Apple did contact me to say they would refund the rest of the season pass (right around the same time).

PS – It appears that Apple does not allow you to cancel a season pass! This is insane; it’s to their benefit to get you to subscribe, and the fact that you can’t cancel is a non-motivator. Obviously, if it was a discounted season pass and you canceled it, you’d pay the full price for episodes already received. Just seems like an obvious solution.

I still don’t understand what they are doing with these iTunes protected movies/shows if they can’t play them? Why not just download torrents off the ‘net if they are going to steal?

MY UPDATE: I got Apple to cancel the season pass and I did get my money refunded from my credit card company. It was confusing the way it came through; I might have actually gotten credited for the rest of the season too (so I might have come out ahead, but after all the e-mails/contacting, I’m sure I ended up way behind).

——- ARE YOU FROM BOSTON?!? ——

A news station is doing a story on this and was looking for some people in the Boston area. If you are interested in being contacted please state so in your comment. I’ll pass your e-mail on to them. If you put your phone number, I’ll pass that on too, but I’ll delete it from the comment (if you’ve never commented before your comment should not appear until I approve it). Sadly I never heard any more details about the Boston story after forwarding details to them…

Passwords suck

Argh! I’m annoyed with creating user accounts. Everyone has their own damn process for passwords:

  • all numbers
  • must contain one upper-case character, one number, and be at least 8 characters (but ONLY 1 uppercase letter)
  • no characters other than letters or numbers
  • must be 8 characters

But no, I can’t use 12 characters with letters, numbers and punctuation because it’s more than 8 or because it doesn’t have a capital letter.

And the real pain is when you go to log in, they won’t remind you of this “rule”. And I really like it when it says “username” when what they really want is my “e-mail address”.

My absolute favorite stupid rule is that the hint to get your password must be at least 8 characters. Sorry, my hometown, mother’s maiden name, first pet and street aren’t that long! How am I supposed to remember this?

And all these companies need to have the ability to handle multiple e-mail addresses. It’s such a hassle when I need to change something (for something I signed up for 5 years ago) and I can’t remember their rule and the e-mail address I signed up with doesn’t exist any more.