Encrypting Usernames and Passwords to and from their Destinations

i posted this in one of the CD threads and thought i would put it here as well…

here is something thats kind of alarming that i wanted to say here at comodo…i googled the username i have used for 20 some yrs and came up with my username and password that i use occasionally on several lists out there…i was trying to think where i could put a wishlist to the comodo team about somehow(again, know nothing about dev’ing) encrypting u/n and pwd so even if it is sniffed on its destination cant be de-ciphered, and when it gets to its destination, cant be either…and if you forget your pwd, and you click on the “i forgot my pwd” link at a site, they can only send you an encrypted “key” that only you can de-crypt, with hopefully a piece of software from comodo…i may copy and paste this portion to the comodo wishlist…

but 1st, is it even do-able? i "

try googling your usernames…see what you come up with!

Here it goes:

I’m afraid I’m not going to read 608.000.000 pages…

eXp

no fair…your usernames are in the dictionary…but i bet your on a published list

i may have found them…but there is more than one…

anyway, i think you get my point.

Because your username is not in the least unique. :stuck_out_tongue:

But mine is…and Google finds a lot of me. 88)

v941726 isnt unique? your kidding right? its cus laser is in the dictionary. and extreme, and brucine…

mine might be easier to find if your looking, but the fact is its happening

v941726 is random and hard to remember. Laserwraith is not in dictionary. Laserwraith is not random. Laserwraith is easy to remember.

shoo shoo :stuck_out_tongue:

v941726 its easy for me to remember. hehe. but, either way, we could search the username and find a password

Not unique ? it’s the most unique user name there is 88).

sure, bank account password 88)

hehe. but, either way, we could search the username and find a password
try : Melih pm me with your findings ;D

eXp

but what i mean is the ability for hackers to grab our usernames and passwords on their way to their destinations or back and then either use them for stealing identities, and/or just post them as a list somewhere on the internet for all to use at will.

so my point isnt about uniqueness, its about lack of encryption for those milliseconds or seconds that info is being passed…

ive wondered about it for a while as ive had some hacking done to me no matter what i seem to change password to…then i googled my username out of boredom and easily found 2 lists(w/o looking very hard) of thousands of usernames and passwords(including mine) on a few different domains…when i get a minute i can post the links. on 2nd thought…i better not…

anyway, i just thought comodo people could/would be the ones that could come up with a solution

You better change your password for this forum now. I found it online… :-\

I’m not sure if this is allowed or not (and if it isn’t I’m very sorry, and I only did it to help), but to make sure it wasn’t a fake I tried logging in on this forum with it. The login worked. I didn’t do anything when I did login, besides log right out. I was using the incognito feature on Chrome so nothing should be remembered.

You also need to think of a better password system. Most of my passwords are all different. I use a process based on what the password is for to make it.

Or, get a password manager. I recommend LastPass (free). You can make generated passwords with it. As long as you have an internet connection, you can get your passwords when you login to their site. Don’t put anything too sensitive on there, though.

I like their one-time login passwords. You can have them make one-time login passwords (auto-generated) and print them and put in your wallet. Then when you go to a public computer, you can login once. That password then is used up, so no keylogger can use what it steals. ;D

~LW

P.S. I didn’t find any of my passwords when I searched for them. Maybe they were so swamped with other sites/profiles I have made… :stuck_out_tongue:

I just did a search and found it too… This is pretty weird.

  • Are you using global passwords ? (you use the same pass on several sites)
  • Are you using CIS 4 ?
  • where are you saving those passwords ?
  • when you change your pass here, do you change your other pass’s also ?
  • why do you use the same password for over 3 years ?

best regards,
eXp

actually im glad you did that laser…now you know im not crazy…but the thing is, i could change my password and it could get intercepted again. and again…hence, my point of this thread…thats why i say, i figure comodo would be the company that could prevent this somehow…and what you were saying previously about searching for the user name makes mine easier to find…but it doesnt mean yours cant be with looking harder…

i do use roboform, which is supposed to be secure…but i think thats only locally secure…i guess it must be…

so my wishlist for comodo for new products would be a way to encrypt it somehow(dont know anything about that stuff) after it leaves your machine and somehow the response back…

now your gonna start cussing and making me look bad under my acct here huh? lol

btw, roboform uses a master pwd that i make different and difficult(i think) to access RF itself than some i use for logging into sites…and those are the ones that are vulnerable it seems…after all, locally im safely guarded with CIS…

v941726, I’m not sure you have the right understanding of the password situation. :stuck_out_tongue:

I doubt the passwords were intercepted, but rather they were “bruteforced.” Someone found your username, and had a tool to automatically try tons of different commonly used passwords.

If you would just use stronger passwords, and not use the same for each site, you would be safe.

BTW, did you pay for Roboform?


For example, a safe, strong password (I don’t use it):

HarrypOTTER^incarcerous[at-bypass]me

“Incarcerous” is a spell in Harry Potter. Maybe Harry is doing the spell at ([at]) me.

Hi again,

normally it is safe to use/insert passwords in trusted sites like facebook.com or hotmail.com or whatever. They can only steal your password when they inject some code in the site, and that’s extremely complicated and mostly almost impossible. So on normal sites there shouldn’t be any problems.

The problem is : phishing. It looks the same as the normal site should be (for example a bank site), but it’s a fake one. It’s designed to simply save the account you insert.

Now Comodo can protect you (partially) with V-engine. it will help you with those phishing sites, but it can’t protect you from… (I don’t know how to say it otherwise) ‘legit fake sites’. those are the sites that they use and post on messengers.

Hey, I've got some great pictures from you, here : www.somebadsite.com LOL

when you’re at that site, you’ll have to insert your username and password. → another way to lose them…

these would be the only online methods that popped into my mind now. and I bet it’s nb 2, but again, you’re still using a 3 year old password which you know can be found on a website ???

eXp

i use different passwords for sites…some that i dont really care about security too much i use the same one. but right now im thinking it doesnt matter if i change it…know what i mean?
do use cis 4…
i let roboform handle my passwords…i have about 4 different ones…

thats a pwd ive used for 20 yrs…but that was quick to find…almost effortlessly…what im worried about is the fact that it wont matter if i change it 10 times a day…my memory is ok, but not that good…i would have to change it 10 times a day. everyday…to be safe…apparently…

maybe my suggestion isnt do-able either…but i wanted to throw it out there to see

yes. i paid for RF long ago…

but my username and pwd aside, the lists i saw had hundreds, maybe thousands…i didnt look much further after seeing mine…but i did a quick scroll. there were easily hundreds on just 2 sites…who knows how many more are out there.

aka, click jacking?
i do use CVE too. i like that. i actually just discovered this little thing the other day when just for kicks i thought i would google my username…it comes from something long ago which i know no one will ever use…

but again, i can change passwords…who knows how many sites ive joined though? but it could easily get “phished” again is my concern…i get your point about 3 yr old pwds and stuff…but in a nutshell, if i change it again and again, whats to stop it from getting grabbed over and over…and dont forget, im not talking about just me…there maybe millions being sold out there…

oh. and i use no script in FF for click jacking and the like

but again, i can change passwords..who knows how many sites ive joined though? but it could easily get "phished" again is my concern...i get your point about 3 yr old pwds and stuff...but in a nutshell, if i change it again and again, whats to stop it from getting grabbed over and over...and dont forget, im not talking about just me...there maybe millions being sold out there....
This might be, but I'm afraid it's against the Comodo forum policy. So I would like to ask you to change it.
* Password. Your login and password are for your personal use only. The sharing of logins and passwords is expressly forbidden. If you suspect your username and/or password has been compromised, please contact an Administrator or a Moderator.
aka, click jacking? i do use CVE too. i like that. i actually just discovered this little thing the other day when just for kicks i thought i would google my username...it comes from something long ago which i know no one will ever use..
only if you save your username and password in your browser.

eXp