Jumping in - I agree with Ben but I wanted to add... The biggest problems are caused by obscure websites that require username/password (or email address/password) and then don't secure their storage of the same. A hacker gets the password file (whether encrypted or not), posts it online & very shortly all of the username/password combos are public domain. If you use the same password for many sites (as most people do) then the hackers have access to all of those sites. Furthermore, the passwords can be broken into constituent parts and become part of the dictionary used to break future passwords, so using passwords that are made up of variations of clever components also breaks down.
In short, use randomly generated passwords & store them securely on your local machine.

Hugh.

-----Original Message-----
From: liveaboard-boun...@liveaboardonline.com [mailto:liveaboard-boun...@liveaboardonline.com] On Behalf Of Ben Okopnik
Sent: Friday, October 12, 2012 11:05 AM
To: liveaboard@liveaboardonline.com
Subject: Re: [Liveaboard] (no subject)

On Fri, Oct 12, 2012 at 01:21:16PM -0400, Craig wrote:
> Another account hacked? Yahoo and Hotmail are bad about this. My
> understanding is that Yahoo and Hotmail login passwords are sent in the clear,
> so if you’re using a public network (McDonald’s?) then your password can be
> captured.

In principle, if you're using a network that you don't control, then a man-in-the-middle attack is fairly trivial (given sufficient know-how - which is a good bit more complex than cracking a WiFi access point, for example.) In practice, going after and collecting individual logins is way too time- and effort-intensive, so that's generally not how it's done.

> It is also my understanding that Gmail encrypts their passwords end-to-end, and
> therefore are more secure. If I’m wrong, then courteous corrections would be
> appreciated.

If you go to gmail.com, you'll note that you immediately get forwarded to an 'https://'-based URI. At that point, Google has handed you a public key exchange cookie, so you've got encryption as well as the rest of the security menu. Yahoo does the same; so does Hotmail.

None of which really makes a difference - sending your initial login/password in the clear is actually very low risk, and barring truly unusual circumstances, would not result in your account being hacked. The problems, as well as the attacks, are happening further up the chain - at the corporate levels. Google is fairly decent about protecting its data; others, not nearly as good (with Hotmail and Yahoo being some of the worst.)
Ben
--
OKOPNIK CONSULTING
Custom Computing Solutions For Your Business
Expert-led Training | Dynamic, vital websites | Custom programming
443-250-7895 http://okopnik.com http://twitter.com/okopnik

_______________________________________________
Liveaboard mailing list
Liveaboard@liveaboardonline.com
To adjust your membership settings over the web http://liveaboardonline.com/mailman/listinfo/liveaboard
To subscribe send an email to liveaboard-j...@liveaboardonline.com
To unsubscribe send an email to liveaboard-le...@liveaboardonline.com
The archives are at http://www.liveaboardonline.com/pipermail/liveaboard/
To search the archives http://www.mail-archive.com/liveaboard@liveaboardnow.org
The Mailman Users Guide can be found here http://www.gnu.org/software/mailman/mailman-member/index.html
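
An added illustration of the point in Hugh's reply about passwords assembled from reusable components versus randomly generated ones; it is not part of the original thread. The fragment list, the 10,000-entry dictionary size, and the function names are assumptions made for this example.

```python
import math
import secrets
import string

# Constructed sample of fragments recovered from earlier leaks (not real data).
LEAKED_PARTS = {"sail", "boat", "anchor", "2012", "123", "!"}
# Assumption: the attacker's fragment dictionary holds about 10,000 entries.
FRAGMENT_DICT_SIZE = 10_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def split_into_parts(password, parts=LEAKED_PARTS):
    """Return the fewest known fragments that spell the password, else None."""
    norm = password.lower()  # capitalisation is a cheap variation to undo
    best = [None] * (len(norm) + 1)  # best[i]: fewest fragments covering norm[:i]
    best[0] = []
    for end in range(1, len(norm) + 1):
        for start in range(end):
            if best[start] is None or norm[start:end] not in parts:
                continue
            candidate = best[start] + [norm[start:end]]
            if best[end] is None or len(candidate) < len(best[end]):
                best[end] = candidate
    return best[-1]


def estimate_bits(password):
    """Rough guessing cost in bits under the assumptions above."""
    parts = split_into_parts(password)
    if parts is None:
        # Upper bound that only holds if every character was picked at random.
        return len(password) * math.log2(len(ALPHABET))
    return len(parts) * math.log2(FRAGMENT_DICT_SIZE)


def random_password(length=16):
    """Generate a password with the OS CSPRNG, as the post recommends."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for pw in ("SailBoat2012!", random_password(13)):
        print(f"{len(pw)} chars, ~{estimate_bits(pw):.0f} bits")
```

Under these assumptions the 13-character component password costs about 53 bits to guess, against about 85 bits for 13 characters drawn at random from the same 94-symbol alphabet.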