Namedrive hacked?!


jose
4th February 2009, 07:31 PM
Namedrive has changed my password without my knowledge!

Have yours also?

What's going on?!

Drewbert
4th February 2009, 08:15 PM
Gaaaaa.

They've imposed 90 day password expiry.

Sheesh.

Fine for idiots that make their password at all their sites "harley", but for those that pick a difficult password that's a scrambled mix of letters and numbers, this is just a PITA.

If I have such a password, making me change it every 90 days does NOTHING to enhance my security.

They should have made this opt-out. This sort of thing really fucks me off.

Coming from a site that uses http instead of https for logged in customers and inserts a session ID in the URL? Puh-lease!!!!

A big fat -1 for NameDrive today. :(

Sedo, get your fucking act together for UTF8 support.

jose
4th February 2009, 09:22 PM
If I have such a password, making me change it every 90 days does NOTHING to enhance my security.

100% agree. 90 days pwds is so 90's.

Coming from a site that uses http instead of https for logged in customers and inserts a session ID in the URL? Puh-lease!!!!

BINGO. Maybe that's the reason for the sudden and imposed pwd change...

bramiozo
4th February 2009, 09:48 PM
Sedo also put the session id in the url, at least some time ago, I remember one time when I followed a sedo link and I was directly logged in, obviously they didn't even bother to check the ip/browser...
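An added example, not part of the thread and not NameDrive's or Sedo's code: one way to avoid the two problems raised above (session ID in the URL, no check that the session still belongs to the same browser). The cookie name `sid`, the in-memory `SESSIONS` store and the User-Agent-only binding are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (constructed here)
SESSIONS = {}                         # session id -> {"user", "binding"}


def _binding(user_agent):
    # Keyed digest of the client attribute the session is tied to.
    return hmac.new(SERVER_KEY, user_agent.encode(), hashlib.sha256).hexdigest()


def login(user, user_agent):
    """Create a session and return the Set-Cookie header value."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "binding": _binding(user_agent)}
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["secure"] = True    # only sent over https
    cookie["sid"]["httponly"] = True  # not readable from page scripts
    cookie["sid"]["samesite"] = "Lax"
    cookie["sid"]["path"] = "/"
    return cookie["sid"].OutputString()


def authenticate(url, cookie_header, user_agent):
    """Return the user name, or None if the request is treated as anonymous."""
    if "sid" in parse_qs(urlsplit(url).query):
        return None  # a session id in the URL is never honoured
    cookie = SimpleCookie(cookie_header)
    if "sid" not in cookie:
        return None
    sid = cookie["sid"].value
    session = SESSIONS.get(sid)
    if session is None:
        return None
    if not hmac.compare_digest(session["binding"], _binding(user_agent)):
        SESSIONS.pop(sid, None)  # binding mismatch: revoke the session
        return None
    return session["user"]
```

Binding to the client IP as well is possible but logs out users whose address changes mid-session, which is why only the browser string is used here.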

jose
4th February 2009, 10:20 PM
Drewbert: plz reply to my PMs. Thanks...

Aidan_from_NameDrive
4th February 2009, 10:39 PM
Hi guys,

NameDrive made these changes in order to enhance security.

We were alerted of a possible security breach affecting less than 1% of our accounts. Although we have no indication that any unauthorised access was gained, we have reacted forcefully to ensure absolute security for your account.

Feel free to PM or mail me if you have any problems.

Thanks,

Aidan

Drewbert
4th February 2009, 10:56 PM
http://www.domainnamenews.com/ppc-industry/3884/3884

jose
4th February 2009, 11:45 PM
So I was right from the beginning. Didn't get the mail though, does this mean I was not affected?!

Drewbert
5th February 2009, 01:40 AM
I didn't get an email either.

Maybe this explains the vector?

http://www.theregister.co.uk/2009/02/04/phpbb_breach/

domainguru
5th February 2009, 12:48 PM
To be honest, what pisses me off is the lack of honesty. I went to my ND site account yesterday, and I couldn't log in, then read some message about having to now change passwords every 90 days. No mention of being hacked.

If you've been hacked, just let me know, either by email or on the website. Don't put up some bs message telling me I have to change my password every 90 days because I really really hate doing that.

sunsei21
6th February 2009, 12:05 AM
Please click one of the Quick Reply icons in the posts above to activate Quick Reply.

jose
7th February 2009, 09:38 PM
As we are #1 for "Namedrive hacked" on Google, here's what I think happened:

I think ND DID NOT store the pwds in plain text files and used hashes (salted or not).
But I also think ND DID NOT keep the db on a different server as it should have... only one port open, accessed only from the inside, allows pwd check/write but not read.

I think they most surely got the complete database of passwords.

So, why were only certain users affected?
Because those were the ones with passwords like "123456".

But that doesn't mean you won't be affected in the future.
It's just a matter of how long they will keep running the rainbow tables on the db.

Now I ask ND: has the special set of fake accounts & emails been used?
You had those, didn't you?
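An added example, not part of the thread and not NameDrive's code: why a leaked table of unsalted hashes exposes the "123456" accounts first, and what a per-user salt with a slow KDF changes. The use of SHA-1, the four-entry lookup table (a stand-in for real precomputed or rainbow tables) and the iteration count are assumptions; nothing is known about how NameDrive actually stored passwords.

```python
import hashlib
import hmac
import os

# Constructed sample data standing in for a large precomputed table.
COMMON = ["123456", "password", "harley", "qwerty"]
LOOKUP = {hashlib.sha1(p.encode()).hexdigest(): p for p in COMMON}

ITERATIONS = 600_000  # PBKDF2 work factor (assumed value for this example)


def unsalted_hash(password):
    """Weak scheme: same password always yields the same stored value."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None):
    """Stronger scheme: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_salted(password, salt, digest):
    """Constant-time check of a login attempt against the stored record."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def audit_unsalted(store):
    """Defender's audit: accounts whose stored hash is already in the table."""
    return {user: LOOKUP[h] for user, h in store.items() if h in LOOKUP}
```

With the unsalted scheme one table works against every account and every site at once; with per-user salts each guess has to be recomputed per account at the full KDF cost.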

Drewbert
8th February 2009, 07:34 AM
Pooh sure loves his honeypot. :)

Rubber Duck
8th February 2009, 09:36 AM
perhaps that explains why the new passwords run to about 3 pages. :D

As we are #1 for "Namedrive hacked" on Google, here's what I think happened:

I think ND DID NOT store the pwds in plain text files and used hashes (salted or not).
But I also think ND DID NOT keep the db on a different server as it should have... only one port open, accessed only from the inside, allows pwd check/write but not read.

I think they most surely got the complete database of passwords.

So, why were only certain users affected?
Because those were the ones with passwords like "123456".

But that doesn't mean you won't be affected in the future.
It's just a matter of how long they will keep running the rainbow tables on the db.

Now I ask ND: has the special set of fake accounts & emails been used?
You had those, didn't you?

Rubber Duck
8th February 2009, 09:44 AM
Pooh sure loves his honeypot. :)

I don't think Pooh is likely to turn out to be a Panda more likely a Grizzly.

Yeah, the bears are so bloody greedy that even the bit they didn't manage to monopolize they keep coming back and trying to steal!

mdw
8th February 2009, 11:38 PM
But I also think ND DID NOT keep the db on a different server as it should have... only one port open, accessed only from the inside, allows pwd check/write but not read.
So common though - anyone running a startup on a budget is guilty of this. Usually folks create a separate user for the DB, but often start out with a single empty box and put everything on it.

I think they most surely got the complete database of passwords.
Indeed - how on earth would someone only get 1% of the account info?

All the more reason to preach to folks to stop using the same password on all sites. SEE THE BORING POST: http://www.idnforums.com/forums/21080-start-getting-smart-about-passwords.html Big corporations are the worst. They get account info stolen by the millions, as opposed to namedrive's thousands of customers.

Yeah Drew it aggravates me too that I have to give up my strong password. But this kind of policy has been imposed on me often enough before where I have a strategy for it. Unfortunately this 90-day thing is commonplace in big companies. People there write down passwords and stick them under keyboards about every 3 months.

WildWoman
15th February 2009, 11:43 AM
Namedrive is out of fashion, in poor taste