Jul. 23, 2008 -$180.00 USD Gaming Resources LLC
Jul. 23, 2008 -$180.00 USD Gaming Resources LLC
Jul. 23, 2008 -$50.00 USD aeRO Gaming

“”"
My point was that regardless of keyscramblers and unique passwords, your PayPal account can still be hacked!
“”"

Sure, every systems can have flaws. I was talking about the “educate” part for the 99.9% of computer users who still don’t care about (unique/password strength) for a sensitive websites or don’t know what a key logger is. As a software developer I just say it is *extremely easy* to write a new keylogger on Windows, just plain *extremely easy*. The first step to avoid a danger is to know its existence. From that point people do what they want, I really don’t mind.

“”"
There are plenty of programs out there that will brute-force figure out your password… no matter how unique it is.
“”"

Sure, but after my death I don’t really care. The stronger a password is the longer it will take to crack (assuming it wasn’t a key logger).

“”"
Bit strength can be calculated by taking the total number of possibilities for each character in a proposed password, and multiplying by the total password length.
…
Currently, distributed.net estimates that cracking a 72-bit key using current hardware will take about 403′784.9 days or 1′105.5 years.[7]
No currently expected increase in computer power will be sufficient to break 128-bit or 256-bit encryption using random keys via a brute-force attack.
“”"
http://en.wikipedia.org/wiki/Password_strength

This numbers assume you have a local access to the users’s data. Through the internet the delay between each try will probably give you times much longer than the age of the universe itself and you’ll quickly run into a “denyhost” anyway.

Assuming that password strength is not important for a sensitive service is IMO a bad idea for “educating” people to security.

If cybercriminals retrieve the users database of a popular service (like for example a php forum through an SQL injection if there is a security flaw), they can then brute-force the weakest passwords. With the retrieved login/mail/passwords they can try other popular service like ebay/paypal/etc and since lot of people keep the same login/password for a sensitive service…

Cybercriminals search for the easy catch first, they are not going to spend few years to crack a strong password, time is money, simple business logic.

Who knows, maybe there is someone inside PayPal that can compromise an account? Who knows how strong PayPal’s internal security is or if anyone really reviews logs?

Again, given that we don’t know how this (or other) break-in’s are really accomplished, I’d highly recommend getting the security key.

Concerning the “educate” part, as I said in my comment above, it is extremely easy to write a new keylogger on Windows which will then be undetected (I would say 30 minutes for a ‘reasonable’ student beginning programming). I think the best way to avoid them is to assume there is always one lurking around (and use a keyscrambler for example).

Also concerning paypal my password is unique (not used on any other website or application), long, using also numbers and special characters.

I don’t normaly have any money in the account so they took it off 2 card’s i have stored in paypal

the person left a few days between each payment, fortunatly I have now notified paypal but i don’t know how long this is going to take.

Tom