Graphics technology firm NVIDIA has temporarily closed its online developer forum, after it fell victim to hackers who may have gained access to members’ hashed passwords.
A notice on the NVIDIA Developer Zone website has reminded users of the importance of ensuring that you do not use the same passwords on multiple websites.
NVIDIA suspended operations today of the NVIDIA Developer Zone (developer.nvidia.com). We did this in response to attacks on the site by unauthorized third parties who may have gained access to hashed passwords.
We are investigating this matter and working around the clock to ensure that secure operations can be restored.
As a precautionary measure, we strongly recommend that you change any identical passwords that you may be using elsewhere.
Password re-use is a big problem – with an alarming number of people using the same password on multiple sites.
The consequence of that lax attitude to security is that if you get hacked in one place, your other online accounts could also be accessed. For instance, if you used the same password on NVIDIA as you did on your web email account, it would be child’s play for hackers to gain access to your personal communications and steal other information about you.
Earlier this week, an online community popular with fans of Android smartphones also suffered at the hands of hackers. Phandroid’s AndroidForums.com was breached using “a known exploit”, and data including usernames, hashed passwords and so forth were accessed.
Before reading this - please take a moment to change your password on androidforums.com. This can be done while logged in through your UserCP, or using the "forgot your password?" page if logged out.
I have some unfortunate news to pass along. Yesterday I was informed by our server/developer team that the server hosting androidforums.com was compromised and the website's database was accessed. While the breach is most likely harmless there are important and potential pitfalls, and we want to provide as much helpful information to our users as possible (without getting too technical).
The trust of our users is extremely important and several staff members worked through the afternoon, evening, night, and morning to ensure we're doing everything possible to regain complete security.
Android Forums has over a million registered members. I’m one of them – so I was less than pleased to find myself having to change my password just in case it had been compromised.
The administrators of Android Forums said that they believed the hack was done with the intention of collecting email addresses to spam at a later date. So if you receive unexpected email messages, perhaps related to Android, think very carefully before clicking on their attachments or any embedded links.
Other sites to have been hit by hackers stealing information about users in recent weeks include Yahoo Voices, Formspring, Last.fm, eHarmony and LinkedIn.
You don’t have to be a soothsayer to accurately predict that other websites are going to have their users’ information accessed in the near future. Make sure you are following password best practice now – using different passwords for different sites, and ensuring that they are hard to guess and crack.
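The article's point about reuse is easiest to act on with an audit of your own saved logins. The script below is an added example, not part of the original post or of any vendor's password manager: it groups constructed sample entries by a hash of the password (so the report never carries plaintext), reports every password shared across sites, and flags the groups that touch a high-value site such as email or banking. The entry list and the `HIGH_VALUE_HINTS` heuristic are assumptions for the demonstration.

```python
import hashlib
from collections import defaultdict

# Constructed sample of password-manager entries (site, username, password).
# All values are made up for this example; none come from a real breach.
SAMPLE_ENTRIES = [
    ("developer.nvidia.com", "alice", "Tr0ub4dor&3"),
    ("mail.example.com", "alice@example.com", "Tr0ub4dor&3"),  # reused on email
    ("androidforums.com", "alice", "Tr0ub4dor&3"),
    ("bank.example.com", "alice", "correct horse battery staple"),
    ("forum.example.org", "alice", "unique-forum-pass-1"),
]

# Assumed heuristic: a site whose name contains one of these substrings is
# high value, because a mailbox can reset most other accounts.
HIGH_VALUE_HINTS = ("mail", "bank")


def fingerprint(password: str) -> str:
    """Return a short SHA-256 digest so the report never holds plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def audit_reuse(entries):
    """Group accounts by password fingerprint.

    Returns (reused, critical): reused maps a fingerprint to every
    (site, username) that shares that password; critical is the subset
    where at least one of those sites is high value.
    """
    groups = defaultdict(list)
    for site, user, password in entries:
        groups[fingerprint(password)].append((site, user))
    reused = {fp: accts for fp, accts in groups.items() if len(accts) > 1}
    critical = {
        fp: accts
        for fp, accts in reused.items()
        if any(hint in site for site, _ in accts for hint in HIGH_VALUE_HINTS)
    }
    return reused, critical


if __name__ == "__main__":
    reused, critical = audit_reuse(SAMPLE_ENTRIES)
    for fp, accts in reused.items():
        level = "CRITICAL" if fp in critical else "reused"
        print(f"[{level}] password {fp} shared by: {accts}")
```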
Hi everyone,
As a member of the Nvidia forums, I received an email explaining what Graham has mentioned here. Luckily my Nvidia password was 18 characters long and was made up of upper and lower case letters, punctuation and numbers. I also did not use it for any other website passwords.
I will be upgrading my password to 28 characters in length for that forum. I use a secure password manager that stores the passwords in the cloud and offers to enter them into the relevant login form on the relevant website. E.g. it will automatically prompt me to login with my Nvidia forum password upon visiting the Nvidia forum, so it is quick and convenient. This password manager is bundled with my security software (from a very well-known company). This is why moving to a 28 character password is not a problem.
I realize that this is very excessive but I don’t see why I should make it easy for anyone to access my account when implementing such a tough password is so easy due to my password manager. Even the master key to my password manager is 16 characters long and made up of upper and lower case letters, punctuation and numbers which I simply remember (after some practice!).
As has been pointed out on this blog before, some guidelines for making a secure password are available from the following blog post:
http://nakedsecurity.sophos.com/2012/05/25/how-lo…
My 18 and 28 character passwords will take many centuries to crack. I hope this helps.
Thanks.
Hi,
I would prefer to keep my passwords locally but your pass manager seem a nice option. What security software included it?
Hi Juan,
My security software is Symantec (Norton) Internet Security 2012. I know that this is not everyone’s favourite. I can access my passwords on any of my 3 computers since they all have the same security software installed.
Here are some links to information about their online Identity Safe:
https://www-secure.symantec.com/norton-support/js…
http://us.norton.com/internet-security/
The Roboform Password Manager also has similar capabilities but I have not used it:
http://www.roboform.com/
I like password managers since I have more than 20 online accounts including forums and I have created unique complex passwords for each account. Remembering all of these passwords would be impossible. If a password is more than a few months old I also change it and store the new version in the Identity Safe.
I have found this to be a great solution. I hope this helps. Thanks.
It's alright to have a single password across some websites – like forums – where you don't store personal information.
Keep separate passwords and usernames for banking and financial sites, and social networking sites. No matter where the forum user/pass is used, it's not going to allow anyone into your financial accounts as long as they are kept separate.
Hi Aixia,
You are correct, that is good advice.
My banking details are “stored” and come from 2 physical authentication tokens / Identity cards from my bank. I actually need 3 pieces of information to access my bank account.
1. A PIN (I remember this in my head!)
2. My membership number (written on a separate bank ID card)
3. Some random numbers from secret questions that the banking website asks (they do NOT include questions on date of birth or other easily guessable questions).
Finally, if I try to access online statements or other more privileged operations I am asked for a code from a very long list of codes given on a large card from the bank. There are about 80 to 90 codes on this and they ask for random numbers from a matching set of numbers, e.g. they ask for code 81 and you provide the random numbers from code 81 as requested, e.g. perhaps the first, third and fifth numbers from this code.
None of this is stored in my computer, so it is secure. I also bank in a private session of my internet browser i.e. no cache or history recorded and with all add-ons turned off. Once the browser is closed, the session and all other info is lost.
Thanks.
I don’t see the logic in storing anything important on “the cloud”, or any online ‘free’ or ‘paid’ storage facility. Are we becoming more complacent and relying on others to manage our important docs, and passwords?
I would never think to store my important information including passwords at gigantic corporation’s juicy-looking, ripe-for-hacking servers.
I keep my important docs on my computer and if I should lose them, I have it all synced up to a secondary HDD. Would you park your Porsche in a neighbor's garage when he states clearly that he cannot be held responsible for whatever happens to the car, or park it in your own garage and set up your own security?
Far too many companies are relying on sub-contracting too much out to too many places with too little control.
Unfortunately, it costs companies like Nvidia a lot of money to protect themselves and their customer database. When hacked, they have to fix, patch, and restore data at a huge expense and possible loss of customer base. Guess who is going to pay for it? Hint: It isn’t the CEO.
IMHO
While long and complex passwords are to be commended, in this circumstance, the password length and complexity have little significance, as the passwords were stolen, not cracked.
Additionally, whilst password reuse is a rather insecure practice, the password thief would need to know your social networking username to make use of this information, so it may well be of limited use.
Just thought I would try to introduce some perspective on all this.