Patreon Hacked

Discussion in 'Off-topic Zone' started by Worf, Oct 2, 2015.

  1. Worf

    Worf Vice Admiral

    Messages:
    1,582
    Likes Received:
    22
    Trophy Points:
    35,135
    For those who haven't read it, Patreon was hacked earlier this week or last week. The information taken has been posted online.

    While passwords and payment data were either hashed or not stored, the real extent of this hack is that members' identities, both giving and receiving, are now public, including amounts pledged and received, private messages and other information. This is recent information, with the latest dating to Sept 25.

    This is a PSA for all those who supported Denis Loubet in the other forum as well as general Patreon users to change your passwords and realize that the data is out there.

    On a lighter note, we can find out how short we come up every month...
     
    Last edited by a moderator: May 24, 2018
  2. ChrisReid

    ChrisReid Super Soaker Collector / Administrator

    Messages:
    14,179
    Likes Received:
    395
    Trophy Points:
    69,485
    Location:
    Seattle, Washington, USA
    What do people think about password managers like 1password? Do they use sufficiently trustworthy magic that makes them a better option? Or is that just putting all your eggs in one basket waiting to be cracked?
     
  3. Worf

    Worf Vice Admiral

    Messages:
    1,582
    Likes Received:
    22
    Trophy Points:
    35,135
    Password managers work. The well-known ones like legitimate 1Password (there are so many fakes), KeePass and others store their database in a secure format, typically encrypted before it hits the disk with industry-standard, hard-to-break encryption like AES256.

    The key is that your master password needs to be secure. In fact, they don't recommend passWORDs, but pass-phrases. This is just a nice long string of text that's easy to remember but has a lot of text and is basically impossible to brute-force. So instead of a simple word, you might use "The price of freedom is eternal vigilance". Or make it longer - the longer the better. You might use "'The price of freedom is eternal vigilance.' - WCIV" making it even harder to brute force if someone has a quote book. (Using the single quote and dash and adding the WCIV makes it a less common phrase).

    The next thing to consider is cloud access - because you really do want to store your encrypted database in the cloud for convenience. Either something that syncs it across your devices and computers, or a service like DropBox accessible from anywhere. Good password managers, mobile and desktop, will be able to handle this. Mobile password managers often have stuff like DropBox integration so they can access the database. For Apple users, I believe 1Password syncs with iCloud between iOS and OS X.

    The key is to use a long passphrase to generate the random key used to encrypt the database. And while it may seem like "all your eggs in one basket" (and there have been malware attacks that try to steal the database and key-log the passphrases), the fact remains that they are the most convenient and easy way to enforce complex passwords. And it's much easier for a user to remember a long string of easily remembered text than many dozens of passwords.

    That said, I separate my passwords into three quality barriers: there are the secure passwords, for stuff like my bank, Paypal, eBay, Amazon and other places that deal with money; there are the not-as-secure passwords for stuff like my Xbox and PSN accounts, accounts holding valuable data but less money-related; and then there are the not-secure passwords for stuff like forums and whatnot, so if someone hacks them, all I lost is just forums and such.

    Of course, the main problem with the Patreon hack is not the passwords, it's the other data - messages, pledges and other stuff. All that is public, and sometimes you don't want your account linked to some pledges.
     
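The point made in the post above, that the master passphrase is stretched into the key that encrypts the vault and that its strength decides how long a brute-force run takes, as an added example (not code from the thread or from any password manager). It uses Python's standard-library scrypt; the cost parameters and the search-space sizes for the three kinds of master secret are constructed assumptions for illustration, and the AES step that would use the derived key is left out.

```python
import hashlib
import os
import time

# Assumed KDF cost: slow enough to hurt a guesser, fast enough for one
# unlock. Real managers tune these per device.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit key, the size AES-256 expects


def derive_vault_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a master passphrase into the 256-bit database key.

    The passphrase is never the key itself: a memory-hard KDF with a
    random per-vault salt makes every guess cost a full scrypt run and
    stops one precomputed table from covering many users' vaults."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def new_vault_salt() -> bytes:
    """Random salt, stored in the clear next to the encrypted database."""
    return os.urandom(16)


def measure_guess_rate(sample_phrase: str = "eternal vigilance",
                       rounds: int = 3) -> float:
    """Guesses per second one CPU core achieves against this KDF."""
    salt = new_vault_salt()
    start = time.perf_counter()
    for _ in range(rounds):
        derive_vault_key(sample_phrase, salt)
    return rounds / (time.perf_counter() - start)


def years_to_exhaust(search_space: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate master secret."""
    return search_space / guesses_per_sec / (365 * 24 * 3600)


# Constructed search-space models for the three secrets the post contrasts
# (sizes are illustrative assumptions, not measurements). The third adds
# roughly ten printable characters of personal variation to a known quote.
SEARCH_SPACES = {
    "single dictionary word": 100_000,
    "famous quote, verbatim": 1_000_000,
    "quote + punctuation + initials": 1_000_000 * 95 ** 10,
}

if __name__ == "__main__":
    rate = measure_guess_rate()
    print(f"~{rate:.1f} guesses/sec on one core")
    for name, space in SEARCH_SPACES.items():
        print(f"{name:32s} {years_to_exhaust(space, rate):.3g} years")
```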