Ars Technica Asks Readers to Change Password Following Security Breach

Ars Technica

Due to the recent hack on the website, Ars Technica “strongly encourages all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.”

Full Email:

Ars Technica was hacked: Please change your password

You are receiving this email because you may have – at some point – registered as a user on ArsTechnica.com. Our site was recently hacked.

Log files suggest that this intruder had the opportunity to copy the user database. This database contains no payment information on Ars subscribers, but it does contain user e-mail addresses and cryptographically-protected passwords.

Out of an excess of caution, we strongly encourage all Ars readers — especially any who have reused their Ars passwords on other, more sensitive sites — to change their passwords today.

Read more about the incident here: http://arstechnica.com/staff/2014/12/ars-was-briefly-hacked-yesterday-heres-what-we-know/

Please log in to Ars and update your password or use the “Forgot your password” form to change your password.

Settings page: https://arstechnica.com/civis/ucp.php?i=profile&mode=reg_details

Forgot your password? https://arstechnica.com/civis/ucp.php?mode=sendpassword

We sincerely apologize for any inconvenience this has caused.

– Ars

To paraphrase Al Bundy: “Hey! Come to think of it, I remember creating an account at Ars Technica.”

Hackers Claim to Have Nearly 7 Million Dropbox Usernames and Passwords


UPDATE:
From Dropbox Blog:

Dropbox wasn’t hacked

Recent news articles claiming that Dropbox was hacked aren’t true. Your stuff is safe. The usernames and passwords referenced in these articles were stolen from unrelated services, not Dropbox. Attackers then used these stolen credentials to try to log in to sites across the internet, including Dropbox. We have measures in place to detect suspicious login activity and we automatically reset passwords when it happens.

Attacks like these are one of the reasons why we strongly encourage users not to reuse passwords across services. For an added layer of security, we always recommend enabling 2 step verification on your account.

Ars Technica:

Popular online locker service Dropbox appears to have been hacked. A series of posts have been made to Pastebin purporting to contain login credentials for hundreds of Dropbox accounts, with the poster claiming that altogether 6,937,081 account credentials have been compromised.

Reddit users who have tested some of the leaked credentials have confirmed that at least some of them work. Dropbox seems to have bulk reset all the accounts listed in the Pastebin postings, though thus far other accounts do not appear to have had their passwords reset.

Statement from Dropbox:

Dropbox has not been hacked. These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.

Regardless of the claims from the hackers and from Dropbox, users should change their passwords. Enabling two-step verification is also highly recommended.

Security versus Convenience

Elliott Kember wrote the headline: “Chrome’s insane password security strategy”

Kember points out the way Google Chrome manages saved passwords.

There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don’t believe me.

Yes indeed. Unlike Mozilla Firefox, Google Chrome does not let users set a Master Password. Apple added a password manager in Safari 6; the passwords are actually stored in the user’s Keychain.

Justin Schuh, who works on Google Chrome Security according to his Hacker News profile, says that it was a design decision not to include a Master Password in Google Chrome.

For most users, there’s a certain level of inconvenience they are willing to tolerate when dealing with security. Unsurprisingly, a lot of users still use obvious passwords, or none at all, for their computer login. That’s because they prioritize convenience over security.

Security and convenience have an inverse relationship. It would look something like this:

[Figure: Security vs. Convenience, linear]

That is true if the relationship is linear. In reality it looks more like the following:

[Figure: Security vs. Convenience, curved]

It is more like a curved line. More convenience means less security.

The concern about the way Google Chrome manages passwords is valid. At the same time there is a bigger issue with security. Having a Master Password option would be useless if it is the same obvious password people are using for their computer login. Most users using Mozilla Firefox never set the Master Password at all.

Users need to understand why they need to secure their computers. Ultimately, the users are the ones who set the security level based on their convenience level.