OUTDOORSmagic
eBay account hacked
how do they do it?
21 to 40 of 53 messages.

Jamie and Cow Pie: Weird - maybe there's a bit of an onslaught on the go at the mo.

Charles: lol at the rant! No anorak needed!

Isn't there also an inherent danger in using web-based e-mail rather than ISP-based?

There certainly is a potential problem with using web-based email on public computers - although it is incredibly useful to be able to access your email when away from home (and often very necessary for me for business purposes). You really have to consider any password you use on any public computer to be potentially hacked - so much so that when I do so now I phone home for my password to be changed on a secure PC.

Edited: 26/07/08 11:02

That's the thing - whilst it is less secure (quite right Tony), I often need to be able to access my emails from various places away from home.

I guess I'll never know exactly how the hack happened.

I've had my hotmail account since 1999, and I've been on eBay since about 2001/2002, and this is the first time either have been hacked (to my knowledge!).

Very mature way to look at it Michael! I totally agree, I've been using these accounts online for over a decade and never once not been able to get into them and only once had my passwords frauded, but it was sorted in minutes. You will never actually know how they got in most probably, as there are hundreds and thousands of ways it could have happened; just got to learn from the experience and in future think a bit more about the security of your accounts. I have a spreadsheet protected by a very secure password that I use; it has all the websites I access and the passwords for each one. I'd also suggest using different passwords for each site - a pain to remember, but not if you use a spreadsheet or secure password database. Mainly because so many sites like Ebay, Paypal etc use your email address, so if you have someone who knows your password for hotmail, they or their hacking tools will simply go and login to the other sites using the same credentials.

But the key to it is to not treat yourself as someone who has been targeted as it really is not how it happens, you've just got to move on from it which it sounds like you have.


This site is a great example of why it is very important to use different passwords for every site. Some companies / organisations are unbelievably uncaring with such potentially sensitive information. "Outdoorsmagic (this site)" is a shining example of bad practice. Take a look at the cookie Outdoorsmagic generates on your computer: they have not encrypted your password and hold it in a variable called "pass". Take a look for yourself.

So what does this mean? Well, basically, if you leave yourself logged in, anyone using the same computer or in some cases anyone on your office network can take a look at what password you are using, and probably any half-decent hacker can also access this cookie and your password!

Good practice for login passwords involves using one of the many one-way encryption functions that PHP provides; basically no one else in the world should ever be able to see your password. Unfortunately some companies such as OM not only store your password in a database, they publish it in your cookie!
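The two designs Reiver contrasts, written out as an added Python example (it is not OM's code and does not show how the site was actually built): the weak scheme puts the password itself into a `pass` cookie, so anyone who can read the cookie file has the credential; the hardened scheme stores only a salted, iterated one-way hash of the password and hands the browser a random session token that means nothing outside the server's own session table. The `UserStore` class, the cookie names and the iteration count are assumptions made for the example.

```python
# Added example, not OM's code: a clear-text "pass" cookie beside the
# hash-and-session-token design the forum post recommends.
import hashlib
import hmac
import os
import secrets
from http.cookies import SimpleCookie

PBKDF2_ITERATIONS = 100_000  # assumption for this example; tune to your hardware


# --- the weak scheme the post describes: the cookie carries the password ---
def weak_login_cookie(username, password):
    """Set-Cookie text that leaks the password (what the post criticises)."""
    c = SimpleCookie()
    c["user"] = username
    c["pass"] = password  # anyone who can read this cookie now has the password
    return c.output(header="").strip()


def cookie_leaks_password(cookie_text, password):
    """True if the literal password can be found in the cookie text."""
    return password in cookie_text


# --- hardened storage: salted, iterated one-way hash (PBKDF2-HMAC-SHA256) ---
def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'."""
    salt = salt or os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), hash_hex)


# --- hardened login: the cookie holds a random token, mapped to the user server-side ---
class UserStore:
    def __init__(self):
        self.users = {}     # username -> hashed password (never the password itself)
        self.sessions = {}  # session token -> username

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def login(self, username, password):
        """Return a session token on success, None on failure."""
        stored = self.users.get(username)
        if stored is None or not verify_password(password, stored):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self.sessions[token] = username
        return token

    def logout(self, token):
        """What a 'Log Off' link should do: invalidate the token server-side."""
        self.sessions.pop(token, None)

    def user_for_cookie(self, cookie_header):
        """Resolve an incoming 'Cookie:' header to a username, or None."""
        c = SimpleCookie()
        c.load(cookie_header)
        token = c["session"].value if "session" in c else None
        return self.sessions.get(token)


def session_set_cookie(token):
    """Set-Cookie text for the hardened scheme: token only, HttpOnly and Secure."""
    c = SimpleCookie()
    c["session"] = token
    c["session"]["httponly"] = True  # page scripts cannot read it
    c["session"]["secure"] = True    # only sent over HTTPS
    return c.output(header="").strip()


if __name__ == "__main__":
    print("weak:", weak_login_cookie("alice", "hunter2"))
    store = UserStore()
    store.register("alice", "hunter2")
    tok = store.login("alice", "hunter2")
    print("hardened:", session_set_cookie(tok))
    print("stored record:", store.users["alice"])
```

Note what the stored record does and does not protect against: a stolen hash still has to be brute-forced per user, which the salt and iteration count make slow, whereas a stolen `pass` cookie is usable immediately on every other site where the same password was reused.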


Reiver is spot on.

I once had a temp job administering logons for a charity website. Because the logon was not a security-critical matter - just a registration process - the passwords weren't encrypted. As a matter of course the details on each user were sorted in Excel and passed to marketing for mailshots. This included logon/password. Like I said, this only gave access to this one non-security-critical site.

What do you think happened when, purely as a test, we banged some of those logon/password combos into hotmail? You've guessed it: full access.... Ebay wasn't big back then, otherwise we'd have tried that as well.

NB The test was performed with staff test logons only and performed in front of them - still made them jump!

Reiver also highlights poor cookie management -- always clear all cookies at the end of every session - even during long sessions. Spyware and rogue sites out there will collect your cookies, screen them for unencrypted passwords and then perform exactly the same sort of test I mentioned above. As it's all done by 'bots they'll just churn through millions a day until they get hits. And that's not counting the dangers of all the temps in web organisations who can do this kind of lookup manually in their lunch hour...

1 Don't reuse passwords - be especially careful of sites like this where they ask for your email as a logon - if you use the same password you're just giving your email access to the backroom temps

2 Clear cookies and all browsing data regularly

3 Spyware and virus scans at least fortnightly

4 Apply browser and software patches asap - use a secure browser - for Mac that's Camino or Opera; for PC it's Firefox 3 or Opera.

5 Don't use other people's PCs - if you need mobile mail access set your phone up

Edited: 27/07/08 12:05

Another vote here for the great free CCleaner - it wasn't so long ago it was actually really called Crap Cleaner by trade name! I have been using it for years now, free download from the FileHippo.com website. A good free defrag program is newly there to be had, similarly at no charge as well these days. Yep, good old CCleaner, as it really is a whiz of a free program, with regular free updates too! It cleans one's registry out a good bit too, btw. As Tony suggests, it is good to clear out cookies placed on one's computer regularly, and CCleaner does this well to boot.

Edited: 27/07/08 12:59

Blimey, some very interesting posts chaps. Whilst, as Jamie says, I have moved on from this incident, and chalked it down to experience (a process which might not have been so easy if I'd actually suffered loss as a result of the hack), it has enlightened me to so much. I naively used the same password on so many different sites, and this incident has made me change that practice.

Never knew about the OM password cookie thing!!


Reiver,

it's appalling isn't it! Passwords in clear in cookies! If anyone from the OM web management is reading this, I would be glad if you could get this sorted out.

I am no 'security expert' but I do generally adhere to some practices that improve my chances a little. I do reuse 'soft' passwords for sites where no significant risk is posed by having them hacked, and then have more evolved and regularly updated passwords for anything more sensitive - email accounts, or financial stuff. But as I said above, security is only as good as the weakest link... and that is often the online company at fault. In this case, OM should never be putting passwords into cookies like that. It's just asking for trouble.

I remain exceedingly displeased by one particular credit card company who invited me to sign up to their online account system. When I came to choosing a password, they 1) restricted me to 8 characters; 2) said that their passwords were not case-sensitive and 3) recommended choosing something 'memorable' (evidently to make their lives easier with fewer people forgetting their logins).

So, I am forced to have a weak password that is orders of magnitude easier to crack than any of my typical methods... and inside this site they default to saving details of other cards used to make payments?!? No thank you! Essentially weakening the security that any other financial organisation chooses to put in place.

Another classic weakening of security is to oblige you to set a question/answer prompt in case of forgotten password. Usually these are far weaker than the password itself; a hacker merely has to guess the response to some pretty open questions to be able to get the password reset to their choosing. When I am forced to respond to one of these backdoor questions, I sometimes fabricate a nonsense answer in the hope that it would be harder to guess than 'name of your pet' or whatever blox they suggest. Given how open some people's online profiles are - e.g. facebook, myspace... - guessing a pet's name could be as hard as looking at the caption of a photo...

In other words, even when sites give the impression of good security, they often undermine it with poor systems design.


I pointed out the OM password in clear ages ago.

I was appalled by the security questions I was recently asked to give by a financial institution. Questions like "mother's maiden name", "employer's name", "birth place", etc.

Crackers. You'd think they have no idea of how easy it is to get these details.

Thanks for the link to CCleaner, diddy. Just downloaded it and ran it. My, what a lot of crap there is lying about!

And the machine runs quicker.....

I had my hotmail and ebay hacked the other week, I got an email telling me I was selling polo shirts, and how much was the postage.

I NEVER even so much as click on any link from any email from ebay as they are easy to fake.

With regards to our password cookies, it's an issue that we're aware of and will be sorted in the very near future.

What option on CCleaner do I download?

Further to the above: We’re in the process of upgrading our login process, which will remove passwords from cookies. As it is, if you log off at the end of a session (using the ‘Log Off’ link at the top right of the site), your password cookie gets deleted anyway, so if you're using a potentially insecure computer, you can do that as insurance for the time being.

It's obviously good practice to delete your browsing record from public computers and take other precautions as outlined above. Just to reassure you that in isolation, your OM cookies alone won’t be much use to anyone – they don’t contain an obvious clue to your identity - but if someone managed to associate you with the cookie and find more of your details elsewhere, it could potentially be problematic.


mike

From http://www.ccleaner.com/

Click on "download ccleaner now".

New screen.

Click on "download from filehippo.com".

New screen.

Top right in the green box, click "download latest version".

Save it, then install it. The programme is pretty straightforward.

I think I've done it. Never got an install option though?

Jon,

I appreciate that OM is taking action. And I know what you are saying in terms of the information on an OM cookie alone... but given this (already dated) information from my preferred online security reference...

http://www.schneier.com/blog/archives/2006/12/realworld_passw.html

I would say that it is serious cause for concern. Given the vast number of people who reuse passwords and the vast number of members of OM, I would have thought that a large number of people could have a key part of their security breached. More fool them, you may say, but OM should seek to be blameless in these matters.

© 1999-2008 Magicalia Ltd.