captainsblog: (Marvin)
[personal profile] captainsblog

Remember this scene, from one of my favorite Redford movies?



Yeah, let's get on that. Because this written password crap is getting old.  Unfortunately, so are the old passwords.

If you don't have your own account on this blogging service, or if you do but don't get the dw_news feed on your Friends Reading page, then you should probably read this post from the other day put out by the management of this joint, or at least the tl;dr summary of it:


* Many legitimate older accounts have been broken into this week and used for spamming.

* This is not a security issue with Dreamwidth itself: we've confirmed the hijacked accounts were compromised through password re-use.

* Our investigation makes us think this is connected to 2020's LiveJournal security incident.

* For your safety, treat any password you have ever used on LiveJournal, on any account, at any point, as compromised.

* Do not reuse any password you have ever used on LiveJournal on any other site, but especially on Dreamwidth.

* If your Dreamwidth password is the same as any password you've ever used on LiveJournal, on any account, at any point, change it now.

* Please install a password manager, let it generate your passwords for you, and use it to remember your passwords.

There's a plethora of detail in that post about whether the LJ hack occurred (the current Russian owners deny it, but take that with a grain of borscht), how it did, what effect it is having, and what you should do about it.

My own sitch with this is this: I've had a LiveJournal since 2004, which I rarely even look at and even more rarely post to anymore. Its password was not the same as the one here, but I deep-dove into the site after reading that News post and went to change it. It's not the easiest thing in the world to find: not quite bottom-of-stairs-in-disused-lavatory-with-Beware-of-Leopard-sign hidden, but not just sitting there, either.  If you have an LJ, even an unused one, best to change that sucka, which you can do (once logged in, if you or your browser even can remember your current one), by clicking this:

https://www.livejournal.com/manage/settings/?cat=account

And even though the password was not the same, just in case it ever was the same, I am going to change it on Dreamwidth as well as soon as this entry posts. To be followed by all the fun that comes with THAT change.

Which is my next point about that last bit from the admins above, to let password managers do the work for you. Which they do, quite nicely, as far as they go. Here's the reminder about how far they don't go.

----

In the beginning, there were weak, puny passwords.  I first encountered them at Cornell, which developed PC's that really weren't either personal or on-their-own computers; they were "virtual machines" with monitors and keyboards but were running off a humongous mainframe miles away next to Tompkins County International Airport*.  I was using one of these while finalizing my not ill-fated enough application to UB Law School, which I recounted here a few years back. It mentions a login and password I used for Actual Work back then: the former, a three-character combo, the latter a four-letter word ending in "ck." (No, not that one.) 

It took decades for computers to become truly personal, and for sensitive data on them to become transferable over the internet airwaves. Four-letter words just wouldn't do anymore. So of course Stupid America responded by changing their password to "password," much to the delight of criminals and cranks who could guess that one in a millisecond.  Parallel to that evolution, there were browsers to access all this information. Originally text-based (anybody remember Lynx? It was still being updated as recently as 2020!), they became graphically oriented through open-source efforts of Netscape, the monopolistic attack on it by Microsoft's push of Internet Explorer, the side efforts of AOL, the separate walled Apple tree garden of Safari, and finally the latter joined by Firefox, Chrome** and Edge.  I use Firefox for most things on two laptops, Chrome for a few things on both, and Edge only when I have to on mostly this one. The iPhone is mostly Safari, but all these browsers come with downloadable app versions, of which I have only added (but rarely use) Chrome on. 

Confused enough? Try an 18-character jumbly password created by a manager function.

----

Originally, there were two intended parties invited to a website login: the customer/user/member and the site running it.  Then naughty h8ck3rs crashed the party and the sites demanded longer, stronger, unique and uncrackable passwords. The hackers said, hold my code and kept trying to crack them anyway. Then the party really got crowded, as even more uninvited guests came in. Third party sites promised to create "strong passwords" for you, store them, and make it easy for you to use them and hard for the bad guys to guess them. The bad guys laughed and thanked them for making these treasure troves of data so easy for them to steal so much at one time. These were eventually supplanted by "password managers" within the various browsers themselves. Firefox, Chrome, even Microsoft's cranky old Internet Explorer in its dying days, could sense when you were entering login data, and they'd offer to remember them for you. Next time up, they'd be filled in for you and you wouldn't have to remember what you used there.

The sites, especially financial ones, hated this, because it put that data someplace on the user end that might get hacked. So they fought back with their own code, either disabling code portions to not enable autocomplete, or, eventually, putting the logins and passwords on separate screens. The browsers kept up, and so, I imagine, did the hackers.  I still have a bookmark for a piece of code that fights back:  Removed autocomplete=off from 0 forms and from 0 form elements, and removed onsubmit from 0 forms. After you type your password and submit the form, the browser will offer to remember your password. Sometimes this worked, sometimes it didn't, yet other times it would work in one browser and not another, which is why I drive Eleanor crazy with having half our billpaying sites saved in Firefox and the other half in Chrome.

The latest round in this game of 4D chess is the browsers not only remembering passwords but offering ridiculously long and complicated ones that they will then remember.  I just picked a random site, gave it a fake registration email address, and Firefox created and offered to save this as the password:
i5TMF2Q7nmgHexZ

Good luck hacking THAT, huh.  Also, good luck typing it on an iPhone virtual keyboard.  Therein lies the rub in all of this: It only remembers it in the browser you're using, likely only on the computer you're using at the time unless you've enabled sync which I mostly haven't, and only on websites accessed by browsers and not on phone apps.

So just now, I updated a bunch of apps on my phone. One was the Buffalo News one. When it reloaded, I found I was logged out, and the password for it stored in the phone for the app no longer worked. That's because on one computer or another, using one browser or another, I'd also been logged out and its stored password no longer worked. I changed it to one of those i5TMF2Q7nmgHexZ things, but doing so there did not carry it over to any other computer or browser and not to the app on the phone. To get back in, I had to look it up, and then slooowwwwleee and carefulllleeeee type it in on a keyboard the size of a fun-size candy bar*** which, on iPhones anyway, do not display what you're typing or offer an 👁 code to allow you to see it as you go.  Took me three tries before I finally got it right- and often, as many as two failed tries will lock you out because they think you're trying to hack yourself.

Hack. Hock. Fuck.  So many good words ending in "ck," and none of them can be used as a password anymore:P

Anyway, go change your passwords. If you never hear from me again, you'll know I successfully changed mine and now can't remember all of the 30 different places I have it stored in.


ETA. And, yup. Changed it here, went to change it in my blogging software (yet another party to the party) and DW said it was invalid, tried again and failed, manually typed in the 256 characters and not only failed this time but banned myself temporarily for trying an invalid login too many times. So this will be my last post for a while once this session gets auto logged out until I can figure out what the hell went wrong.

ETA2 Back in! I found what the problem was: Semagic, the software I use to post blog entries, connects, not with your DW password but with an API key generated off your profile page at this link:
https://www.dreamwidth.org/manage/emailpost

Picked one, pasted THAT into Semagic after my banhammering expired, and now it's fixed- in there, on both browsers on this laptop and on my phone. Now to just remember to update it on my old Dell beast for the rare occasions I use it on there.

----


* This name for Ithaca's paper-airplane, one-flight-a-day facility was a joke we used, until suddenly a few years ago, it wasn't one anymore.

** There's a lot of confusion among people, some living in this house, about the difference between a browser and a search engine.  Think of it this way: if the internet is a library shelf full of books, the browser is what lets you read the books on your screen, while the search engine is the catalog (I still call it "card catalog" in my head) that lets you find the books. Making it more confusing is the involvement of major players like Google and Microsoft in both concepts. One oddity from last week: Eleanor was on this laptop, in the Chrome browser, to pay some bills. She noticed that the address bar had a Yahoo logo next to it. This does not compute: Chrome is the browser, but it's developed by Google, originally and still most famously known for developing a search engine. How did they let Yahoo, a competing search engine without its own browser, get up there? Certainly I never asked for it. It probably came through one of the seemingly twice-weekly updates of the Chrome browser that get pushed through and change lots of settings whether you ask it to or not.

*** Who the hell decided that a candy bar smaller than your pinky is "fun size," anyway? We need more fun in life, dammit!

 

Page generated May. 16th, 2026 06:58 pm
Powered by Dreamwidth Studios