Security Notice for your SL Password
Donnie Donovan
Resident Slax0r
Join date: 4 Jun 2004
Posts: 120
01-01-2005 11:56
I would just like to take a moment to remind people about a possible security exploit to their Second Life accounts, because of the increasing number of privately owned websites catering specifically to Second Life users.
DO NOT USE YOUR EXACT SL PASSWORD ON WEBSITES/FORUMS/BLOGS DEVOTED TO SECOND LIFE.
Even using a password that is similar or slightly altered may leave you vulnerable to having your account taken over, Lindens stolen, on down to identity theft in a rare case. I have seen things of this nature happen in the past.
_____________________
Donnie Donovan | donniedonovan@gmail.com | Owner, .::The High Society::. Night Club & Poker Room | Owner, Laka Lounge and Resort
... elevate your mind to mine ... If you don't like my fire then don't come around, cause I'm gonna burn one down.
HoseQueen McLean
curiouser & curiouser
Join date: 23 Apr 2004
Posts: 918
01-01-2005 12:23
I, too, have seen this happen. A friend set up an account with a player run forum for an online game, using the same password as to the game, only to have the owners of the forum log into the game using her account. She lost all her money, and a lot of other damage was done as well.
Be careful!
Alexa Hope
Registered User
Join date: 8 Dec 2004
Posts: 670
01-01-2005 12:36
That's very good advice - thank you for mentioning it.
I tend to use the same password for everything - time to change a few I think.
Alexa
Cristiano Midnight
Evil Snapshot Baron
Join date: 17 May 2003
Posts: 8,616
01-01-2005 12:55
I just wanted to mention that SLUniverse.com uses encrypted, hashed passwords - your actual password is not stored in the database and cannot be recovered. It is good advice not to use your SL password on any site, however. I would also advise to increase the complexity of your SL password - make sure it has several numbers, and also a non-alphabet character like #, @, or something similar. The more digits/randomness you add to your password, the more it secures it from dictionary attacks.
_____________________
Cristiano ANOmations - huge selection of high quality, low priced animations all $100L or less. ~SLUniverse.com~ SL's oldest and largest community site, featuring Snapzilla image sharing, forums, and much more. 
Tread Whiplash
Crazy Crafter
Join date: 25 Dec 2004
Posts: 291
A tip...
01-01-2005 14:15
Good advice in the posts above!! Even if you can't use a different password for EVERY website you log in to, at LEAST use 2 or 3 different ones - and never use the same password as your Bank/Email/SL account/Important Stuff as you would use on a plain "HTTP" site. A secure "HTTPS" site is a bit more secure by default - but with an "HTTP" connection, theoretically ANYONE could read your password in plain text, if they intercepted the network traffic (either physically, or by having a trojan/virus on the server you're sending your info to - remember that even the website you're communicating with may not be aware of security problems on their own server!).
If you are unsure how to tell if you're on a secure site, look in the address bar of your web-browser for "HTTPS://" AND look down on the status-bar for a Key/Padlock type icon. Your system may use different symbols; so check the help files for your Web Browser if you don't know.
As mentioned, numbers are really good to add to passwords, as they will make it harder for any hacker to guess, or use a dictionary attack on. But you can't use your Birthday or your age, because those are too easy to guess, right? And any numbers that appear on your bills, driver's license, marriage certificate, or other public records are a definite No-No!
So here's a tip for people who think that adding numbers to their password is tough: There are plenty of easy-to-remember numbers in your life that aren't likely to be guessed by any but the most paranoid government snoops, or closest of friends/spouses. Things like: The year model of your car, the year your house was built, the day you moved off to college, the number of classes you flunked in college. Be creative - but pick numbers that are significant to YOUR life that only you (and maybe your spouse/parents) would know. Then alternate letters and numbers, or reverse the order of the numbers. You can be consistent in your pattern, if you use different information for your different passwords. This will make it easier to remember your various passwords.
Special characters are also good; but some systems can't accept them - so be aware that you may get an error trying to sign up some places with special characters in the password.
Take care, be safe!
--Noel "HB" Wade (Tread Whiplash)
Liquid Zidane
Enjoy
Join date: 24 Mar 2004
Posts: 174
01-01-2005 14:33
[text removed via texter]
_____________________
"Never be bullied into silence. Never allow yourself to be made a victim. Accept no one's definition of your life; define yourself." ~Harvey Fierstein
Colin Linden
Failure of Profile Wit
Join date: 26 Aug 2003
Posts: 104
01-01-2005 14:56
I'd just like to add a couple thoughts to the thread:
1. Linden Lab will never ask you for your password. We don't even have access to them in the office; we hash them in our CS tools. So, while we can change them, or create a temporary password in the case of checking out something with your account that necessitates us to log in as you, we don't need your password to do this, so you do not need to add it to an email to help identify yourself.
2. Never give your password or a hint of it to someone else. Regardless of whether it's a Terms of Service violation (it is!), we've yet to see a "hacked" account where the password was not given to someone else who either used it or gave it to someone else, or the "hacker" used social engineering to guess the password.
3. Never create a password that can be guessed by social engineering. If you are an Emily Dickenson scholar, choosing "Emily" as a password is asking for trouble. The same goes for names of relatives, pets, the city you live in, some variation on your email or home address, your favorite food etc.
4. Never give your password to someone else. I know this is a repeat of #2; however, it needs to be said again. I know it's convenient to have a friend log in as you to complete a transaction, trade inventory etc, but beyond it being a TOS violation (it still is!) it is also asking for trouble. Online relationships have been known to go bad, or your friend may accidentally reveal the password, or enough clues to it, to a third party that doesn't think highly of you or knows someone who doesn't like you.
Good thread folks!
Everyone have a great New Years!
Colin
Eggy Lippmann
Wiktator
Join date: 1 May 2003
Posts: 7,939
01-01-2005 15:23
I feel I have to add something to what Colin stated. Even if no account has been "hacked" before, it is trivial to "hack" them.
Do NOT use a password that is:
- any number
- any word in the English language
- a combination of two English words
- "password"
- your username
Good passwords will be:
a) human-readable (alternate vowels with consonants)
b) relatively long, but still easy to remember
c) not a real word or trivial combination of words!
d) contain both lowercase and uppercase letters, digits and even non-alphanumeric symbols (!@#$%^&* among others)
Sample passwords (do not use these!):
JaybuTura#294$
69$matrengo$96
^krOnAY$lOgtYm798
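As an added example (not code from the thread), here is a checker that applies the rules in the post above to a candidate password. The word list is a constructed stand-in for a real English dictionary, and the minimum length of 12 is an assumption, since the post only says "relatively long".

```python
# Constructed stand-in for an English word list (assumption, not from the thread).
DICTIONARY = {"password", "dog", "house", "green", "ideas", "sleep", "matrix", "walk"}
SYMBOLS = set("!@#$%^&*")
MIN_LENGTH = 12  # assumed threshold for "relatively long"


def is_two_word_combo(lowered: str) -> bool:
    """True if the string is exactly two dictionary words run together ('greenhouse')."""
    return any(lowered[:i] in DICTIONARY and lowered[i:] in DICTIONARY
               for i in range(1, len(lowered)))


def weak_reasons(password: str, username: str) -> list:
    """Return every rule from the post that `password` breaks; an empty list means it passes."""
    lowered = password.lower()
    reasons = []
    # "Do NOT use a password that is ..."
    if lowered.isdigit():
        reasons.append("any number")
    if lowered in DICTIONARY:
        reasons.append("a dictionary word")
    if is_two_word_combo(lowered):
        reasons.append("two dictionary words")
    if lowered == username.lower():
        reasons.append("your username")
    # "Good passwords will be ..."
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        reasons.append("not mixed case")
    if not any(c.isdigit() for c in password):
        reasons.append("no digits")
    if not any(c in SYMBOLS for c in password):
        reasons.append("no symbol")
    return reasons


if __name__ == "__main__":
    for candidate in ("JaybuTura#294$", "greenhouse", "2005", "Eggy"):
        print(candidate, "->", weak_reasons(candidate, "eggy") or "passes")
```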
Tread Whiplash
Crazy Crafter
Join date: 25 Dec 2004
Posts: 291
Last Tip...
01-01-2005 17:12
Last tip for me in this thread:
BE CAREFUL when accessing anything from a computer that is not in your own private residence!
Public computers might store your login information for any website or program - either deliberately or with a web cookie. And both Public AND Friend's computers may be infiltrated with virii/trojans!
Take care all,
--Noel "HB" Wade (Tread Whiplash)
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
01-01-2005 17:15
I happen to strongly agree with what the original poster said. As far as SecondServer goes, all user accounts are SHA-1 hashed (irreversible), so we don't ever actually store your password.
-Adam
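As an added example (not SecondServer's or SLUniverse.com's code), the two hashed-storage schemes discussed in this thread side by side: a plain SHA-1 digest as described in the post above, and a salted, iterated hash. The sample password is one of the thread's own "do not use these" samples; everything else is constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# One of the sample passwords posted earlier in the thread, used only for illustration.
SAMPLE_PASSWORD = "JaybuTura#294$"


def sha1_record(password: str) -> str:
    """Plain SHA-1, as the post describes: only the digest is stored, so the site
    cannot read the password back. The weakness is that every user and every site
    with the same password gets the same digest, and SHA-1 is fast to guess against."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, iterated hash. A random per-user salt makes identical passwords
    produce different records; the iteration count makes each guess expensive."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and parameters; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = record.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    print(sha1_record(SAMPLE_PASSWORD) == sha1_record(SAMPLE_PASSWORD))      # True: same digest everywhere
    print(pbkdf2_record(SAMPLE_PASSWORD) == pbkdf2_record(SAMPLE_PASSWORD))  # False: salts differ
    print(pbkdf2_verify(SAMPLE_PASSWORD, pbkdf2_record(SAMPLE_PASSWORD)))    # True
```

The first line of output is why reusing a password across sites is the real risk even when each site only stores a hash: the same unsalted digest turns up in every database.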
Donnie Donovan
Resident Slax0r
Join date: 4 Jun 2004
Posts: 120
01-01-2005 19:09
Thank you for your comments all, great tips!
_____________________
Donnie Donovan | donniedonovan@gmail.com | Owner, .::The High Society::. Night Club & Poker Room | Owner, Laka Lounge and Resort
... elevate your mind to mine ... If you don't like my fire then don't come around, cause I'm gonna burn one down.
Carnildo Greenacre
Flight Engineer
Join date: 15 Nov 2003
Posts: 1,044
01-01-2005 22:23
I prefer to use passphrases that are valid English sentences. They're easy to remember, and even harder to guess than random character passwords. Things like "Colorless green ideas sleep furiously" make for great passwords.
_____________________
perl -le '$_ = 1; (1 x $_) !~ /^(11+)\1+$/ && print while $_++;'
Eggy Lippmann
Wiktator
Join date: 1 May 2003
Posts: 7,939
01-02-2005 02:21
Until someone gets to the 5th iteration of his dictionary attack
Adam Zaius
Deus
Join date: 9 Jan 2004
Posts: 1,483
01-02-2005 05:19
Yeah. One of the better 'password generation routines' I've heard of is to use substitution in a phrase. Example phrase: 'I am going to take two dogs for a walk'; convert to an acronym and substitute 'two' for 2, and 'for' for 4: 'IAGT2D4AW' - voila, a fairly secure password, and you can regenerate it from the original phrase if you forget.
-Adam
Carnildo Greenacre
Flight Engineer
Join date: 15 Nov 2003
Posts: 1,044
01-02-2005 23:25
From: Eggy Lippmann
Until someone gets to the 5th iteration of his dictionary attack
Wrong. Figure there are 10,000 relatively-common English words. There are 100,000,000,000,000,000,000 possible five-word passphrases. If there are 86 usable alphanumeric+symbols, you would need a password of 11 random characters to be more secure -- and the passphrase is a heck of a lot easier to remember.
_____________________
perl -le '$_ = 1; (1 x $_) !~ /^(11+)\1+$/ && print while $_++;'
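As an added example (not part of the thread), the arithmetic in the post above written out as functions, generalised so any dictionary size, word count and alphabet size can be compared. The model assumes each word is an independent random draw; a well-known sentence such as the Chomsky one quoted earlier is a single fixed choice, so it gets none of this guarantee.

```python
import math


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Number of distinct passphrases when each word is an independent random draw."""
    return dictionary_size ** words


def entropy_bits(choices: int, length: int) -> float:
    """Entropy in bits of `length` independent picks from `choices` alternatives."""
    return length * math.log2(choices)


def random_chars_to_match(dictionary_size: int, words: int, alphabet_size: int) -> int:
    """Shortest random-character password whose keyspace is at least as large as
    the passphrase's. With the post's figures this is the '11 characters' result."""
    target = passphrase_keyspace(dictionary_size, words)
    length = 0
    while alphabet_size ** length < target:
        length += 1
    return length


if __name__ == "__main__":
    # The post's numbers: 10,000 common words, five of them, 86 usable characters.
    print(passphrase_keyspace(10_000, 5))        # 100000000000000000000
    print(round(entropy_bits(10_000, 5), 1))     # 66.4 bits of entropy
    print(random_chars_to_match(10_000, 5, 86))  # 11
    # Guessing word by word does not help the attacker: every extra word multiplies
    # the keyspace by the dictionary size, which is what the loop above measures.
    print(random_chars_to_match(10_000, 6, 86))  # 13
```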