158 comments

[ 3.0 ms ] story [ 206 ms ] thread
I am curious: does anyone here on HN have a registrar to recommend who they know (preferably from experience) would actually be more helpful in this circumstance?

Because from the sound of it, the unwillingness of the registrars (both of them) to take action here without being compelled to by a lawsuit is the root of the problem. The FBI's willingness to be helpful is nice, but doesn't solve the root problem, and as a law enforcement agency they can only really help in cases where they manage to "catch the criminal". And paying off the criminal just isn't an acceptable solution (although stopping the payment immediately is cool and all).

I would be willing to select a registrar on the basis of their policies, not their prices. Policies like this sort of dispute resolution and policies about how they handle DMCA notices or government subpoenas (and non-subpoenas), if only I knew which registrars had the best reputations for these things.

I second this. I'm beginning to hear more an more of this problem, and while this is anecdotal, it does seem to be increasing.
Look at it from the GoDaddy's point of view: This woman is claiming she has rights to a domain in one of their customer's accounts. As far as they know it was legitimately transferred in by one of their paying customers. Her real issue rests with HostMonster and the ICANN dispute resolution system.
GoDaddy could seize the domain until the dispute is settled. If everyone recognized she was the previous owner, that should be enough to cause an investigation into the transfer.

Not saying a claim from anyone should cause a seizure, but the legitimate previous owner should be able to dispute it for a time period. Domains are stolen all the damn time.

I worked in webhosting for nearly a decade so I'm quite familiar with the volume of fraud and stolen domains. But to play the devils advocate how would you feel if somebody claimed a domain you own was stolen just to freeze your account and waste your time. You'd be furious at GoDaddy for freezing your account over a fictitious claim.
They only need to freeze the account if the domain was moved very recently.
This. I want to upvote this comment a hundred times. If there's a dispute with probable cause, temporarily freezing the domain while launching an immediate investigation seems by far the best balance of thwarting domain theft and minimizing fraudulent claims.
By ICANN policy domains can only be moved once every 60 days. Did you want the domain name taken offline?
I'm not very familiar with their policies. Does that apply even in the case of theft? Didn't the article's author recover her domain within a few days?
It's no matter what you are only allowed to move domains once every 60 days. It is to prevent somebody from stealing a domain and moving it through 10 different registrars to wash the history of ownership.
No, not offline. Just have the administration of it frozen.

And it's only for recently transferred domains where it's the previous owner disputing the legitimacy of the transfer.

Domains are entries in a table. A "60 day freeze", if it exists, is just a policy.

And that you were demonstratively the previous owner.
The business goals of GoDaddy preclude them from giving a shit because they can't hire enough people to support issues like this.
No, GoDaddy was never in doubt: "No one at either company questioned my statement (supported by written proof) that the website belonged to me. No one doubted that it had been transferred without my authority".

So GoDaddy's refusal to help was ridiculous. At the very least, they could have frozen control of the site for a day or two while investigating.

By ICANN policy domains can only be moved once every 60 days. How did you want them to go about freezing the site? ICANN has a dispute resolution policy in place.
They could have disabled access to it by the thief.

The 60 day policy does not apply to cases where it is "being transferred back to the original Registrar in cases where both Registrars so agree ..." http://www.icann.org/en/resources/registrars/transfers/polic...

And given that both registrars acknowledged that she was the real owner, I'd expect the transfer (to the thief) would not be counted as a legitimate one within that period.

Namecheap offers two-factor-authentication.
I've used Namecheap for years and they've been great for me (never had a situation like this happen though).
Moniker claims that they have never lost a domain. I've got several domains (over 50) registered with them and never had a problem in almost 8 years. Many of them belonged to high traffic sites that might be desirable to thieves. I also have many with Name cheap right now and haven't had a problem them either.
I use them as well and have had no issues; however just because two of us have had no issues, it's not much of a data point.
True, I'd be more interested in their actual resolution process and the steps they take to safeguard domain owners.

It works both ways though I think, the same steps they take to secure your domain are the same ones that will make it hard for you to get it back.

I use Moniker as well. I pay for their "Portfolio MaxLock" (https://www.moniker.com/domainnames/domainsecurity.jsp) service. Whenever I want to make a change (even DNS), I'm forced to answer the security questions that only I would know. In order to get around that, I'd have to contact their security team directly and provide a substantial amount of identification.

Aside from the security features, Moniker's site and technology seems to be fairly unimpressive.

I'd definitely be open to exploring other options if people have suggestions for truly-safer registrars.

I use gandi.net never had any serious issues with them and since their located in France (yes i intentionally avoided American companies) all this suing problem may not apply to them or at least it would be a lot more difficult.

One thing is certain though most people i know have had issues with GoDaddy and avoid it like the plague.

Gandi now has offices in the USA, so they are effectively an American company as far as being subject to the US legal system and extraconstitutional orders from agencies and such. You won't get any privacy protection or immunity from illegal orders from Gandi.
Oh well off to find another good company for may gray area domains then.

Too bad I liked them why are all of them going to America.

I don't want my stuff subject to American laws.

I think you mean extraterritorial jurisdiction. Extraconsitutional orders would be... against the U.S. Consitution and illegal :-)
Gandi does have an office in San Francisco, but our registrar service is accredited and located in France. It is under EU law.

Those who have been following the industry's responses to the massively reprehensible, illegal dragnet surveillance will know better than to take any company at their word as they swear up and down that they care about their users' right to privacy. So I know this will be taken with a grain of salt (hell, I take it with a grain of salt and I work here)...

But as far as I know, and I've asked around, we _actually_ do protect our customers' privacy to the maximum possible legal extent.

The day I find out otherwise is the day I no longer work here.

http://gandi.net - I have never had my domain stolen but in general Gandi.net are good people and they care about their customers.
I lost a domain because Gandi refused to do anything about it; although I was well within the renewal period and tried to contact them many times Gandi refused to process any sort of renewal until it expired and was deleted by their system.

Gandi ONLY accepts support requests through their web form (no email, no phone), and generally ignores those or provides nonsense answers several days later.

As long as you never ever need any sort of support, Gandi is fine.

@jellicle, that doesn't sound like us. Can I look into your case further? If we messed up, we'll make it right.
This was several years ago; what's done is done. I moved all my domains to another provider shortly afterwards. I'm not giving you another chance to screw me.
You publicly complained about their customer service. They have offered to right the wrong. You have a poor sense of fairness if you are willing to make a public claim and then aren't willing to address the issue when the company calls you out on it.
Oh, the stupidity, it burns. What sort of righting do you think they could do, several years past the fact? Gandi refused to respond to their web form for a period of about four weeks or more; they let my domain expire and be deleted (if I recall, the only problem was that my credit card expiration date needed to be updated in their system and the charge processed). Besides the immediate hassle and serious annoyance of having an uncontactable company ignore their support form, it ended up costing me a few hundred dollars to buy the domain back from a domain speculator who snatched it up.

What price should I put on that? What price is it worth to Gandi? Are they going to offer me a year's free domain registration with them? That offer has negative value to me; I wouldn't take it unless paid a lot of money to do so. Are they going to offer me a pile of money (no they aren't, it's not worth it to them). So what exactly are they going to offer here to right the wrong?

The point here - which the top of this thread made, but maybe it wasn't explicit enough for you - is that services such as domain registration can easily have effects disproportionate to the cost of providing them. If all of Google's domains were deleted tomorrow, the cost to Google would easily exceed ($10 x number_of_domains). So a poor service experience can easily do more damage than the sum total of all revenue ever received from a particular customer. Thus the commenter looking for companies which try hard to provide good service. Gandi.net is not such a company, in my experience. (Hint: companies which provide good service have email addresses and phone numbers to contact them.) That's my only comment.

just to drive a point home about "calling out stupidity". Your follow up statement is the equivalent of stating "I'll never ever ever use a Windows product because several years ago I use Windows M.E. and it was so bad and they wouldn't fix anything so they can't possibly have fixed any of the issues I may or may not have actually experienced".

It really irks me when people use this sort of logic. I can't say what their support was like several years ago, but I have heard nothing but fantastic things about their support and service offerings over the last 2-3 years, and not by the general web user, but by us "nerd elites". So dude, chill the Eff out and don't be such a hard ass against something that happened admittedly several years ago.

Oh, and you call out "what could they possibly provide me after so many years", well you have a direct response from a customer support person who has offered the ability to "make it right". You do not know what they would be willing/capable of doing until you ask. So get off your high horse and just ask. They might surprise you...

/rant

Maybe I'm stupid, but I agree wit the parent - if a company fails me, I won't go back to them no matter how much they promise to have cleaned up their act.

It's not that I don't believe companies can fix their problems; it's that I believe in feedback and the one form of feedback companies cannot ignore is revenue. It's Darwinian - if a company screws too many customers, they die.

So I haven't used Windows since Microsoft's deeply unethical attacks on OpenDocument; I moved all my US domains from GoDaddy to NameCheap after the elephants broke that camel's back; and Domain Central have all my Aussie domains after NetRegistry de-registered a heavily used domain name in very dubious circumstances.

I do worse (I'm bad, I know). A large Telco in Australia once charged me $800 in phone calls several years ago before the TIO and ACCC mandated SMS notifications when accounts go over a certain amount.

I explained the situation to them, that I was a good customer, I'd just had my first child, could they shave off some of the bill as a goodwill gesture. Even $40. They didn't budge an inch.

Over the next 6 years I've made a complaint about every single fault, bill error, outage and mistake they have made. Each time I've demanded compensation. I have a number of accounts with this Telco.

I estimate that I've recovered $700 worth of compensation. I'll keep going till I get the entire amount back, then probably go on for another $100. Then I'll stop. And probably find alternative services and dump them completely.

Don't piss off your customers.

From experience it's generally not worth the risk. Perhaps they got it right but 90% don't. It's like playing the lottery.
Besides the immediate hassle and serious annoyance of having an uncontactable company ignore their support form, it ended up costing me a few hundred dollars to buy the domain back from a domain speculator who snatched it up.

I once let a domain expire by accident, but since it was obscure the squatter who snatched it let it lapse after the ~45 day ICANN "trial" period that used to be a boon to evil squatters (AIUI, IIRC). So I just registered it again myself.

@soulshake - check out legal #4827870. We were, as we would say in Australia, bloody lucky.
This is me nodding in greeting and letting the legal team do their thing.
While I doubt neither the veracity of your claim nor your reaction to Gandi's actions (if such a situation happened to me, I would certainly not want to give a company my business going forward), I have had a very different experience with them: all of my queries to Gandi support have received prompt, relevant replies that addressed my issue.

Also, ny domain registered with Gandi can be renewed by any Gandi handle. In the event that you're having trouble accessing the handle that owns a domain or otherwise cannot renew it normally, you can create a new handle and use that to renew the domain. See https://wiki.gandi.net/en/domains/renew and https://www.gandi.net/domain/renew?lang=en for details.

I'm not sure if their "any handle can renew any domain" policy/system existed at the time of your situation, but it should prevent similar issues from occurring today.

One aspect I found puzzling about Gandi is that until recently they published your "handle" in the WHOIS information, which in effect gave away your username. Now, some may tell me hiding that is security through obscurity or some such, but in my mind it adds another protection layer.
I seem to remember that being the case with Network Solutions back in the early days.

Gandi seems to hide your handle these days for certain domains if you have whois privacy enabled: my .com/.net names with Gandi don't show the handle, but my .org domains do. My .us domains (which don't allow whois privacy) also show the handle.

Then again, one can easily enable two-factor authentication and it's essentially irrelevant if the handle is known.

I use NameSilo

2 Factor Authentication and other security policies

I use iwantmyname.com and their service is amazingly good and fast. I never got my domain name stolen, but I'm confident they would do anything they could for me to recover it!
>I would be willing to select a registrar on the basis of their policies, not their prices.

Yes, absolutely this. I've searched through forums and read various reviews of various registrars and some say gandi is good, some name.com, some others, but at the end of the day nobody said "I've had this problem where my domain was stolen and this company was willing to help".

I'm also willing to pay more for good support when serious problems arise.

namecheap.com is definitely one of the best per my experience and what I have heard.
namecheap.com is definitely one of the best per my experience and what I have heard.
I use DNSimple.com. They've been great and are quick at support.
I would recommend Melbourne IT or Namecheap for what you are looking for. I would recommend you take advantage of WHOIS protection, two factor authentication, locking your domain at the registrar level (not just with Namecheap for example, but with the actual registrar), using strong passwords, etc.

The company can only do so much, so make sure you do everything you can do as well to make your domains as secure as possible.

How was it hacked? I find that info in the article except that they used HostMonster's email confirmation system somehow?
Sounds like it was just social engineered out of HostMonster. Almost all of the EIG hosts (HostMonster, BlueHost, iPage, HostGator, etc) use awful outsourced support that are only rated on amount of tickets closed/solved. They are very lackadaisical with customer information and verify accounts based on the last four digits of the card used. I'm guessing the "hacker" in this case guessed the last four of the card via livechat or a support ticket and then got in and moved the domain over to GoDaddy.
"I remembered the notification from YouTube that someone had accessed my account from a different location – a notification I had ignored, assuming that I had logged in on a mobile device or that my husband had accidentally logged into my account instead of his own."

All of her accounts were compromised - seems more likely to be malware than social engineering.

Also the hosts you mentioned use in-house support.

Actually many of their support staff are outsourced through GlowTouch which is an Indian based support firm. It's in the EIGI S1 filing here: http://secfilings.nasdaq.com/filingFrameset.asp?FileName=000...
Yeah, they are in charge of Hostgator India. They have no reach into the US based brands.

Source: I work at one of the aforementioned brands.

Unless you're in Burlington you probably aren't familiar with the brands you don't work at. Most of them have support provided through GlowTouch. Even HostGator USA has GlowTouch Indians doing transfers and helping in ticket queues.
Source? You just replied to someone who works there and who specifically said "They have no reach into the US based brands.".
My guess is that the author's home computer was compromised or their gmail password was guessed. They mentioned that they ignored a warning that someone logged into their account remotely.
And the how to avoid it section mentions using a different computer for banking than your kids use to click around the web...
At home I have a Chromebox machine that I only use for online banking and no other purpose.

My other machines are used for the usual consumer Web activities, including Web site administration. I'm wondering if perhaps I should modify my approach to do the admin only from the Chromebox... which brings up the classic tradeoff of security vs convenience.

So apart from the 4 pretty much "how not to happen", try using a host that supports 2FA.
Got a list? It seems like every day GoDaddy is leaking domains.

I've been using Hover a lot, but I'm not sure what their exposure is like.

Namecheap does 2FA.
Curious why this is being down voted? Is it because namecheap does not offer 2FA? Seems to simply be answering the question above.
For me, their 2FA is essentially unusable. It uses a UK SMS gateway (no Authy / Google Authenticator support) and out of the 20 or so times I've tried to set it up, only once has the code actually come through to my phone. I've had an open support ticket for 6 months, 3 months since the last reply.
I just set it up (US cell phone) and it took less than 5 minutes end to end. Have you tried lately?
NameSilo supports both Authy and Google Authenticator
GoDaddy was the recipient registrar of the stolen domain, not the one who allowed it to be stolen.
I'm curious as to how the FBI helped, because it doesn't really say in the article
They were considerate i guess and they asked a lot of questions.

Not sure if they did anything useful but they certainly looked more interested then GoDaddy.

(comment deleted)
I use Namesilo with Google Authenticator.

(Probably other registrars support it as well, that's just the data point I have first-hand knowledge of.)

I never trust shared hosts provided by a registrar. I have my own blog software running on AWS and I am the programmer and only user. The fewer people involved is better security but that's not generally possible for the average person. At least I can't lose both the domain and the content.
I feel for her but I do need to point out that some of the suggestions she makes for making it easier to get her stolen domain back would also make it easier for bad actors to cause mischief in the first place. But GoDaddy sucks. True dat.
GoDaddy has two-step authentication. If you make any type of money off of a website or other account, you should use two-factor authentication. Facebook, email, and godaddy would be a decent start. A similar incident occurred when the man lost his $50k? twitter account because he didn't use two-factor anywhere.
Godaddy also has proven their Phone Support personell are easy victims to social hacking, which negates any electronic security. If I can call up godaddy and have them change account details or the mobile number on the 2 factor settings then your 2 factor security is pointless.

GoDaddy may have great electronic protections, but I do not trust their phone support personnel at all

Is there any domain register that offers 2 factor authentication to make changes that are detrimental to a site?

I have Network Solutions, KVC Hosting, and have tried 1and1, but all of them...from a security standpoint...are lackadaisical when it comes to security.

Network solutions WANTS their clients to bundle userid's into 1 account...that makes it easy.

KVC, I emailed them to update my domain contact info, then I transferred one of my domains out with that new email.

I never did any test with 1and1...but then again the 2 above (with kvc and netsol) weren't even tests.

Another security breach involving GoDaddy(1)?

(1): Naoki lost his twitter (https://medium.com/cyber-security/24eb09e026dd)

Hover has 2fa as well.
Even Dreamhost has two factor authentication.
I'm unsure why this is relevant to a site like HN. People are compromised all the time. It's not news. It's not even helpful for avoiding the same mistake: the author does not tell the details of the attack and gives some pretty bad advice for avoiding "cyber hackers" (such as turning off your computer to prevent your email getting hacked).
I agree with you with the "bad advice," opinion. There's no glamour or valor with how she got her domain back. In reality...it appears from her article that she really just paid to get it back.

So I guess her suggestion is to have $30k stashed to make up for lack of security. From what I read...she's still out money, even though she did get her domain back.

She retained the money.

And then I called the wire transfer company and placed a stop on the payment.

It's unclear to me how this works. At first, it seems as though she and Anthony pursued this action independently, which would seem quite risky: risk of the apparently-fraudulent stop payment not being processed in time, or at all, resulting in the loss of 30k; risk of legal action from the seller, however seemingly ridiculous and unlikely, is scary. Later it sounds like maybe this was done with the FBI's blessing (point 5 under "Here's what to do").

I don’t have my money back yet, but the man who stole my site from me doesn’t have it, either, and won’t be getting it, ever.

I don't think she got her money back, it may be held, but the method in which she got her domain back involved money transfer. The FBI, was really just sprinkled in the article. I understand the shock in how they handled the case immediately taking statements, but the resolution she had involved her money to get her domain back.

I (Anthony from the story) negotiated the price with the seller to $3,500. I had Jordan wire that to escrow.com while we waited for the domain, db and files to be transferred. We made this decision because nobody was helping (hosts/law enforcement) and with this action the worst case scenario became paying $3,500 for the site (assuming the seller didn't back out). After this the FBI took the case and they were involved in stopping the funds from transferring.

I'm positive she would have gotten it back eventually even if it did sell to someone else and they took control, but it could have been a more lengthy process and her entire living is derived from the website and the business associated with it. Having it out of her control for any amount of time could have been very damaging.

I had a Flippa account with history and no visible connection to her so the seller did not know that I was working with the actual site owner and she was working with the FBI.

The investigation is still ongoing and I've had some interesting conversations with the seller (thief is more accurate) since the money was frozen.

Glad it was $3,500 as opposed to $30k....hope she gets it back! Would love to hear some back and forth between you and douche, I hope you post a blog!
We exchanged 47 emails from the 24th to the 28th. If I can grab some time I'll put a different kind of post together... more about the interactions, which were very up and down with this guy. I don't write a blog or anything so not sure where I'd post it though.
I sent you an email to your inbox mentioned in your user profile. Someone tried to sell me that website as well and I did some research about him (got his skype, his email, and even his address ).
Thanks for reaching out - just sent you an email back.
From the Hacker News Guidelines[1]:

> Please don't submit comments complaining that a submission is inappropriate for the site. If you think something is spam or offtopic, flag it by going to its page and clicking on the "flag" link. (Not all users will see this; there is a karma threshold.) If you flag something, please don't also comment that you did.

[1]: http://ycombinator.com/newsguidelines.html

The most unfortunate part of this story is that the site owner had to use underhanded tactics of her own to regain control of her site. She didn't get her site back by going through formal legal channels, she got it back by using tactics similar to those used by the criminal she was dealing with. Different intent and legal standing, but same methods.

It would be interesting to know what would have happened if she had instead waited for the legal methods to play out. Instead, it's a story of one trick undoing another trick.

That's a more unfortunate part of the story than the registrars' inaction? Or the theft itself? I don't think so.
> That's a more unfortunate part of the story than the registrars' inaction?

Okay, fair enough, I'll give that fact a close second in the rankings. But to me, the fact that she had to descend to the level of the criminals she was dealing with, had to do things that under slightly different circumstances would have made her a criminal, is the most discouraging part of the account.

I don't see how much she paid to get it back. A civil suit filing with a demand for a temporary restraining order and preliminary injunction could be filed in a few hours and since godaddy and hostmonster are US companies, they would have had to comply. She'd have her domain back in a matter of hours for maybe a couple grand.
She didn't pay anything. She stopped/cancelled the wire transfer
This was the most interesting (unique) thing about the whole ordeal.

I did not realize that wire transfers can be cancelled after the receiver has already had the funds placed in the account(else the thief would not have released the domain).

It's an escrow service, not a wiretransfer company.

The bit that I don't get is that escrow.com (the one party that didn't actually do anything wrong here) now has acted in a way which they probably should not have done, from their point of view the transaction actually is legit (buyer has control of the domain name, so funds should be released).

If Escrow.com can't be trusted to release the funds when the recipient has the goods then what point is there to use them in the first place?

That's what surprised me as well, but maybe the FBI intervening in the case was what pushed them to not honor the wire transfer.
I use Escrow.com a lot as a domainer, so I was initially concerned that a hold could be placed on the wire transfer after receiving the domain. The whole point of Escrow.com is that you are not able to cancel wire transfers and run away with my domain. However, it looks like they were operating under special circumstances due to the FBI investigation. Brandon Abbey is the president of Escrow.com and said “Escrow.com is holding the funds based on the proper legal authorities filing the necessary paperwork with the judicial system. We strictly follow the Escrow Law. That is what licensed escrow companies do.” Looks like it was just not explained correctly in the initial article.
Isn't escrow.com supposed to prevent payments from being stopped after the domain is released? Obviously, in this case it's justified, but for regular customers, you don't want escrow releasing a domain and then the buyer stops payment.
I believe the thief demanded payment first, outside of escrow. Which seems odd considering they actually did return the name. Maybe they were afraid Escrow.com would determine the domain was stolen and simply return it to its owner?
Totally guessing, but it might be the thief was getting antsy and wanted to conclude a deal quickly. Maybe they did in fact have another buyer on the hook. Rather than spend all the extra time going through escrow and the potential risk of the buyer doing exactly what she intended to do (rely on raising the dispute of the domain after escrow had both halves of the transaction), the thief tried to pressure a quick sale through less regulated means.

From what I understand though, it isn't all that easy to actually stop a wire transfer once it is being processed. I wouldn't be at all surprised to hear that both sides might have actually gotten the money and the backing bank will be left trying to go after one or both of them for it.

The buyer can't stop the payment as the wire is already complete and money in escrow.com's account. Escrow.com had to stop the payment and in this case they did so because there was a request from law enforcement.
Yes, I'm pretty sure this is where the FBI comes in. So the solution to this is: you agree to buy back your stolen property using an escrow service, then the FBI tells the escrow service not to release the money to a thief. Eventually you get your money back.
I am absolutely shocked at how simple it is for this sort of fraud to take place. If someone calls GoDaddy, for instance, and says "Hi, I'd like to transfer a domain name. Here's all of my proof that I am who I say that I am." I understand that GoDaddy, ever dutifully obliged to their customers, will transfer the domain with haste. However, should there not be some sort of probationary period? 45 days or so where both GoDaddy and the new "owner" of the domain both have full, master control? It seems to me that an account manager in GoDaddy could handle this task easily enough. Simply coordinate with the new owner, notify that there's a dispute, and lock everything down until a resolution has been completed. Am I missing something here or are these companies simply lazy and unmotivated?
The author did not mention that you can pay extra money to lock down a domain.

If it is locked down, it can not be transferred without, iirc, a picture of your driver's license or something like that. There may also be time delays. For my valuable sites, I pay for this service.

That sounds like a good idea. How do you do it?
Quote from GoDaddy:

Go Daddy offers Protected Registration, which prevents a domain name from being transferred to another registrar. The product includes our privacy service, as well as a Deadbolt lock.

Our Deadbolt lock means that in order to cancel the service, you must show documented proof of your identification, which makes the lock more robust than a standard registrar lock. This may seem “cumbersome,” but that is the point; if the domain name is valuable to you, you would be well-served to use product that safeguards against making it easy for a hijacker to gain access.

> 1. Have a really, really good password, and change it often. Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense.

http://xkcd.com/936/

But really, I'm a bit puzzled by her 5 "recommendations". Turn off your devices while you're not using them? I feel like the most important one is missing - don't use HostMonster or Godaddy, their representatives are not paid enough to care about the implications of you losing your domain name.

Use PwdHash, it only improves the situation. [1] Even a bad password like "123456" turns into "rY9RHtJZ" (for HN). Turning computers off seems weird, but if that computer's got your ssh keys or your cached passwords, off is safest.

[1] https://www.pwdhash.com/

> don't use HostMonster or Godaddy

http://internetshitlist.org is free for the taking :)

To follow up, I will say that my favorite way to create a password is to use sayings from two or more of your favorite books or other sources.

So, if you like Harry Potter and Enders Game, what are the phrases that come to mind?

    Harry Potter - expelliarmus
    Enders Game - win all the future fights
Now you have a great password: "winallthefuturefightsexpelliarmus" Nice and long (33 chars), with some made up stuff. Maybe tack some numbers on the end.
Modern password crackers are pulling all of wikipedia and youtube for seed words. If your words are in either of those, don't expect the password to stand to a dedicated attacker
There are 1160290625000000000000000 combinations of 5 words with a dictionary of 65000 words. That's not brute-forceable. If you take existing phrases it's another story, but random words works well.
not sure what your calculation is, but permutations is what you should have calculated.
His calculation was (65000 Choose 5) * 5!. His premise required a combination then a permutation.
Being a little loose with my estimates and a bit of Fermi Math, thats only about 300 years of computing time on a small home built GPU cluster.

Basically tells me that 4 random words are definitely crackable and 5 are theoretically possible (and definitely doable with 5-10 years of Moore's law)

lg(65k^4) is very nearly 64. If you worry about 4 random words being brute forced, you should worry about 64 bit symmetric keys being brute forced. I don't know where the current recommendations come down on that.
If you're picking with structure (including "phrases that spring to mind"), agreed. If you genuinely include enough entropy, then it doesn't much matter what mnemonics you layer on top.
winallthefuturefightsexpelliarmus

Why not "Win all the future fights expelliarmus"? Passwords that don't accept spaces are pretty rare, and you end up with a longer password 'for free'.

> Passwords that don't accept spaces are pretty rare

Oh how I wish that was the case. Twitter is one such example which don't allow spaces (Last time I checked anyway)

Two factor authentication should be one of the top recommendations. I'm not sure about the domain sites, but she mentioned a hacked Youtube account and it's possible to set up 2FA for that.
The xkcd-style passwords may be less vulnerable to a brute-force attack, but they are more vulnerable to a dictionary attack.

There are (very) roughly 2^17 words in the dictionary, so if you pick 4 there are 2^68 possibilities, or 2.95e20.

There are 94 printable characters on a US keyboard. This means that an 11-character "hard to remember" password has over 16 times as many (~2^72, 5.06e21) combinations as a four-word xkcd style password.

But again, we are comparing two different types of attacks. I don't even know how feasible a 4-word dictionary attack is, or whether it's actually used "in the wild". Still interesting to think about.

The issue with "random" passwords is trying to remember them. XKCD-style isn't perfect, but it is loads better than "Password91" and "Dragon" style passwords which are what most people actually use.
As I already said, I am not arguing that "random" passwords are better in practice.

Also, a password that uses a very large character space does not have to be random at all.

The issue with the numbers you give is that nobody really has an 11 character password compatible with it.

The reality is that people have trouble remembering 11 truly random and unrelated things, so they try to simplify and group things - e.g. by taking a base word and changing the spelling, or adding numbers on. This is what leads to the easy to brute force passwords; the cracking techniques now cater for the most popular variations.

So again, while you may be right on paper, you can't compare a 4 word passphrase with a true 11 character random password; they are on completely different scales of difficulty to remember. If you're interested, take a look at how the xkcd comic constructs the difficulty of the two passwords, it is fairly realistic. For what it's worth, it considers only "common" words (top 1000 to 2000 most popular) from the dictionary, and the passphrase wins out even so. Throw in a word from another language, would be my suggestion.

I think you're missing the point. I'm not arguing that passwords like "H$&v46S13^a" are actually better in practice than passwords like "TheCowSaysMoo". I'm providing one specific case where they are superior in terms of difficulty, i.e. the unlikely event of a directed dictionary attack, and a rough comparison of the level of security in that case as compared to a brute force attempt.

As far as "true randomness", it's irrelevant here since we are only counting permutations, meaning "Hello,2048" is just as difficult as "^6H9Ox#g`!" (i.e. their length and superset are both equivalent).

I think we're mostly on the same page, but still talking past each other. In my opinion, the only _reasonable_ way to compare the two password styles is in a practical way, taking into consideration human memory limitations. In that sense, the equivalent to an 11 character "random character" password is NOT an 11 character sentence. It would be more like a 5 or 6 word sentence due to the way your brain works. When you compare these, the pass phrases do win out, even for directed dictionary attacks.

Essentially, what I'm saying is that your brain seems to have better memory (or compression?) for sentences than random character jumbles, allowing you to use longer / stronger ones. Even when you consider dictionary attacks. Again, the original XKCD article is fairly objective and accurate; what's shown there IS a dictionary attack.

They are more vulnerable to a dictionary attack for a given password length. The theory is that memorability (and ease of typing) decays more slowly with respect to the entropy contained in an xkcd style password than in a jumble of random characters.
If you read the comments she is no computer security expert. And she accepted the comments of others that passwords that "look like nonsense" are not necessarily best.

My guess is "turning off" relates to not leaving a device that is logged in and open available for someone at school/work/... to stop by and mess with.

She ends up advising 2 factor authentication for email (an old email that was compromised is he guess on the cause of the problem). It is a good article. For advice it might be nice to put a TLDR of: "use 2 factor authentication."

Don't the companies have the lawsuit issue backwards? By not helping aren't they opening themselves up to being sued whereas if they immediately fixed the problem the person would have almost no reason to initiate a law suit.
Here are 3 simple changes that can prevent this:

* use 2 factor authentication (if your registrar doesn't find one that does or better yet, have ICANN rule that all registrars must have it)

* ICANN rule that says if a domain has been recently moved it can be frozen by previous owner until the matter is cleared up

* whois privacy will not only hide who the owner of the site is but also who the registrar is (if you don't know who the registar is among the hundreds out there, you can't target the right one with social engineering!)

Welcome to 1999. This reminds me of when sex.com was stolen with fake stationary. I see the "unauthorized transfer" in the blog post but I wonder if she forgot to renew the domain? Happens to good people all the time. I'm not a lawyer, but in that case, unless she's incorporated as "ramshackleglam" there's no cybersquatting argument. That's why it's helpful to use your real name--then a thief has no leg to stand on.
Simple way to secure your passwords:

* 1) Use 1Password to generate and store them

* 2) Use DropBox or similar to share your encrypted vault between your devices

* 3) Secure your shard vault with a strong computer-generated password, and keep it written down somewhere

I wonder why strong password management isn't built into operating systems, thus educating everybody and making them ubiquitous. What am I missing? Where is MacPass? WinPass?

The advice on the blog and this comment thread isn't any good, but there's really no good advice besides use a password manager.

OS X/iOS have cross device password syncing using keychain these days.
> 2. If possible, use a separate computer (an old one or a cheap one purchased for this purpose) for things like banking; if your family computer is the same one that you use for bank transactions you risk having your kids click on a bad link that results in a hacking.

Or don't let your kids use your work computer when you have very important privileges at stake? I would definitely keep all of this in a very encrypted environment that isn't accessible by my kids or anyone else.

-Your password should not contain “real” words (and definitely not more than one real word in immediate proximity, like “whitecat” or “angrybird”), and should contain capital letters, numbers and symbols. The best passwords of all look like total nonsense

I think this is a bad advice. You only need long password that are not feasible for a brute force attack and not trivial (personal data). If you have a password you can't remember you are going to write it somewhere and that can be a security issue

I wonder if her or her husband ever accessed any of their accounts using their cell phones. I've seen tons of stories lately about Samsung Galaxy phones being compromised so at this point I just assume that if top of the line phones are pwned, then all cell phones are.

I'm kind of shocked that there have been no class action lawsuits on phone manufacturers. Especially from banks.. just imagine the liability of millions of customers getting keylogged no matter what the bank uses to secure its site (even two factor authentication). It's almost unfathomable.

Someone really should make a one time pad login that doesn't work a second time even if you look over the user's shoulder. For example their password could be their favorite song and the site would ask them to enter the 2nd, 3rd and 4th letters of the 5th, 6th and 7th word respectively or something. Or how about a custom grid of letters printed on the back of the phone they’d look up positions on so it would have to at least be in someone's physical possession. Or how about a dongle in the headphone jack that's hardcoded and can't be hacked, that the user would type rolling codes through. There has to be a better way of doing this!

It is not reassuring to see the level of compromise, the cost of disclosure, and the abuse of antiquated protocols rising faster than the institutions that depend on them can respond. In particular there was a lot of resistance early on to using credit cards on the Internet, now it is nearly compulsory, and yet many of the fears that banks and others raised in the early days of e-commerce are coming to pass.

I have to believe there are some seriously rich criminals out there. What do they expect to do with their ill gotten gains?

I'm partial to the "t33nz 1o1 \o/" cipher.

    input: correcthorsebatterystaple
    output: ~~krct^hrs333bttstpl$$:)

    input: password
    output: lulz!isma:PASSWORD#sorrynotsorry
This is why corporations with 12 million users need to establish personal relationships with every client. If that was the case, they'd have just known she was the real owner.