Someone tried to steal my gmail account?

Brooke Hodgman · 2013-01-08T23:40:50

I use 2-factor authentication on my google account -- when I log in on a new computer, it sends a code to my phone to confirm that it's me. I was just sitting at my desk, about to go to bed, when unprompted, I receive a text message with one of these google verification codes. That means that someone has entered my user-name and password into the google login box! Of course, I immediately opened up my account page and set a new password... and sure enough, my "Account activity" info says: Last sign-in countriesAustralia, NetherlandsI live in Australia, so someone in the Netherlands has gotten my password! It was a 12 character password, made up of dictionary words and numbers, so it's guessable, but not easily. I try not to use the same log-in details on different services usually... but my StarCraft 2 login details were this email address and this password, and (encrypted) SC2 user-data was stolen recently. When that hack occurred, I did change my SC2 password, but I didn't change my google password... so I guess it's possible that someone decoded the SC2 database and recovered my email/password from it, and tried to use them to log in to google, which would've worked... Besides making sure that I don't have any other services where I use that password (and that email as the username), what else should I be doing? Have there been any other high-profile game database hacks recently that I could point the finger at? Anyone have any recommendations for good malware scanners that I should run to be sure my own PC isn't to blame?

GDNet Lounge Community

Started by Hodgman January 06, 2013 02:01 PM

15 comments, last by NetGnome 11 years, 3 months ago

ApochPiQ

23,138

January 07, 2013 12:07 PM

Hundred bucks says this is a run-of-the-mill password database compromise. We see this all the time.

The best advice I can offer anyone on account security is don't reuse your damn passwords ;-)

Even my throw-away passwords are all unique to the account they belong to. There are patterns to them but you'd have to know me personally very well to even see the pattern, let alone guess how I construct new passwords. Not perfection by any means but it gets the job done.

If your memory is not so hot, or if you want the extra layer of paranoia, use a password management tool and go nuts with the really hideously long passwords. Otherwise, use the passphrase-and-symbol trick (five dictionary words separated by punctuation is much stronger than ten random alphanumeric characters).

But above all: if you use the same password or a trivial variant thereof in more than one place, assume that eventually both accounts WILL be stolen. People suck at securing password databases.

Wielder of the Sacred Wands
[Work - ArenaNet] [Epoch Language] [Scribblings]

LennyLen

5,720

January 07, 2013 12:25 PM

weird, i literally got an email from gmail about suspicious activity yesterday, i changed my password, but it said it was from china.

I've had notification about suspicious activity from China on several occasions, no matter how often I change my password.

NetGnome

773

January 07, 2013 01:33 PM

a little while back i created this cipher program to generate ciphered text from a couple clear text sources plus some mutation values. Its not cryptographicaly secure, but then that is not its purpose. It just allows you to keep some clear-text reminders somewhere then bring them together to generate your password for whatever. I don't use it yet as i still want to add a "user seed key" that is separate so that even if someone used your clear text, they still couldnt get your passwords cause they lacked your user seed key. I also want to add the ability to restrict specific special characters from the output, just havent gotten a round-tuit yet.

Anyway, its the best i've come up with that obviates memorization.

oliii

2,202

January 08, 2013 05:24 PM

I'm seriously considering writing my own password obfuscation tool.

Everything is better with Metal.

Bacterius

13,181

January 08, 2013 06:55 PM

a little while back i created this cipher program to generate ciphered text from a couple clear text sources plus some mutation values. Its not cryptographicaly secure, but then that is not its purpose. It just allows you to keep some clear-text reminders somewhere then bring them together to generate your password for whatever. I don't use it yet as i still want to add a "user seed key" that is separate so that even if someone used your clear text, they still couldnt get your passwords cause they lacked your user seed key. I also want to add the ability to restrict specific special characters from the output, just havent gotten a round-tuit yet.

Anyway, its the best i've come up with that obviates memorization.

You may be interested in password derivation, which allows you to cryptographically derive a pseudorandom password of any length from any number of tokens you find convenient to remember (or are just implied) such as the website in question, your username on that site, or any other metadata, really. I believe recent password managers support this out of the box, but it's not too difficult to implement yourself, all you need is a secure HMAC function.

“If I understand the standard right it is legal and safe to do this but the resulting value could be anything.”

slicer4ever

6,773

January 08, 2013 06:58 PM

personally i'm going to start using rip-off's technique, simply to remember, and unique to every website, the only diffrence is i'll probably do something like: gamedev_password, rather than creating a prefix for the site.

Check out https://www.facebook.com/LiquidGames for some great games made by me on the Playstation Mobile market.

NetGnome

773

January 08, 2013 11:40 PM

[quote name='Bacterius' timestamp='1357671343' post='5019137']
You may be interested in password derivation, which allows you to cryptographically derive a pseudorandom password of any length from any number of tokens you find convenient to remember (or are just implied) such as the website in question, your username on that site, or any other metadata, really. I believe recent password managers support this out of the box, but it's not too difficult to implement yourself, all you need is a secure HMAC function.
[/quote]

I may have to look into that. I based mine off some simple concepts used in encryption but via character ops instead of bit ops. It produces some very good passwords as it stands, so i didn't feel the need to increase its encryption level further, but i'm going to have to look more into HMAC :)

Someone tried to steal my gmail account?

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Someone tried to steal my gmail account?

This topic is closed to new replies.

Popular Topics

Recommended Tutorials

Reticulating splines