by Hackbraten 2008 days ago
> I've actually had an attacker contact me personally (that is, actually chatting with me live) and ask me to sign up for his forum under the hope that I would reuse my valuable account's password on the forum.

How did you eventually find out their true motivation?

I had one of the most valuable accounts in a video game, so attackers of all kinds were constantly contacting me. I was immediately suspicious of anyone who contacted me. I signed up for the forum with a password from my password manager (I like toying with attackers). I told him I signed up, and a few minutes later he said there was a problem with my account and asked if I used a password manager. I said yes. He said to sign up without it because the site doesn't support it. I tried arguing with him that that makes no sense. But arguing with someone who's lying and refuses to admit it is generally not productive, and the argument got nowhere.

His idea to make me sign up without a password manager was illogical anyway. If I use a password manager on his site, it should be obvious I use a password manager for my video game account, so me halting my password manager usage for his site wouldn't help him get my video game account.

All security eventually relies on obscurity; it's a bad idea to disclose your security practices. Use hunter2 as a password for junk sites.

From a humor point of view that would be a good idea, something like "dontbothertryingtostealmyaccount".

I also agree somewhat about obscurity. Notice that I haven't said what password manager I use, or where I store it. The fact that I use a password manager I don't consider sensitive though.

By that same logic, use disposable email addresses and the password doesn't matter? I mean, this kind of thing only holds up while you don't care to enter any data about yourself and re-visit the site later. Those who need to be anonymous can provide junk info to junk sites, sure, but for everything else, there's email and 2FA TOTP codes and password managers for a reason... largely because OAuth and FIDO2 aren't universal yet, I suppose ;-)

Can you elaborate on why all security will eventually rely on obscurity?

It's jokingly called Fleming's cryptanalysis: if there's a secret key, you just send James Bond to steal it.

The only type of obscurity that would protect me against that type of attack is if I myself am entirely obscure. By having one of the most valuable accounts in a video game, I've already given up on that.