Digikey Mail/ Protect your account!

Hello,

Today I got a mail from Digikey to protect my account and reset the password. Was it only me, or was there a security issue at Digikey?

Bye

-- Uwe Bonnes snipped-for-privacy@elektron.ikp.physik.tu-darmstadt.de

Institut fuer Kernphysik Schlossgartenstrasse 9 64289 Darmstadt

--------- Tel. 06151 1623569 ------- Fax. 06151 1623305 ---------

Reply to
Uwe Bonnes

Am 28.07.19 um 14:18 schrieb Uwe Bonnes:

I got that, too. My auto-login does not work currently. Earlier this week there was a banner that their servers would be down for a day or so.

cheers, Gerhard

Reply to
Gerhard Hoffmann

I got that, too. Went to their site (not using any of the email) and was prompted to use my old password and enter a new one. The new one had to be somewhat longer, 8 alphanumeric IIRC. Did it and it seemed to work. Have not ordered there recently, Mouser beat them in that they handle the customs for you in the EU, I just get the package delivered at my doorstep.

Dimiter

====================================================== Dimiter Popoff, TGI

======================================================

Reply to
Dimiter_Popoff

I didn't get an email, but couldn't log on until I changed my old password. It was 7 characters, now they insisted on 8 or more. I used 9 characters.

--
 Thanks, 
    - Win
Reply to
Winfield Hill

Looks like Digi-Key has started hiring millennial "programmers" weaned on Arduino.

Reply to
mpm

I received the same email today from Digikey. I dutifully changed my password in the manner specified. I don't think there was a security problem or we would have read something about it by now in the news. My guess(tm) is that Digikey wants to know which accounts are still active even though some may not have bothered to order anything for a while. For example, I haven't ordered anything from Digikey in four years. In a few months, Digikey can then purge their user list to only those who bothered to change their password.

Drivel: Tracking cookies after logging into Digikey and Mouser.

Social Networks Ad Tracking Web Analytics

Digikey (none) Tealium Optimizely Google Adsense ClickTale Doubleclick Google Analytics

Mouser Facebook Doubleclick Google Analytics Google Adsense Google GTM Mediamind DG BlueKai Eloqua Appnexus Casale Media Aggregate Knowledge

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann

Other drivel; I'm running Windows 7, maybe once or twice a year DK's website will start to 'misbehave' on me. (Starts screwing up my shopping cart and things.) I have to delete all my cookies and such and it works again... (I'm mostly a Luddite when it comes to 'puters.)

GH

Reply to
George Herold

No, it was real, but only if your password was less than 8 characters long. I didn't get an email, but went to their website and immediately got a page saying I needed to update my password (7 chars), which I did (to 9 chars).

--
 Thanks, 
    - Win
Reply to
Winfield Hill

Likely to be a fake and have a nasty payload behind it...

Reply to
Robert Baer

Please tell me how you created that list. Thanks.

Reply to
Robert Baer

maybe they read that thread about how all passwords of any combination of alphanumeric characters length 10 and under are trivially breakable off-line by direct hash and look-up, the rainbow table is only 300 gigs in size.

and all ASCII character set passwords of length 7 are probably off-line breakable via brute force exhaustive search in minutes

Reply to
bitrex

One technique is to run the "noscript" plugin.

When you load a page http:x/a, it shows which sites try to load and run javascript, and gives you the option of allowing a site permanently or for this browser session.

Frequently you see 20 or more(!) "strange" sites (i.e. nothing to do with x) being invoked. Usually you want to enable site x, but the others?

Facebook and twitter are almost always there - and that's how they track your activity, whether or not you have a farcebook account. Ditto google, albeit via tools that many websites find useful to help with their operation.

Yes, it slows down browsing a little, but it is revealing and entertaining in a tinfoil-hat sort of way.

Reply to
Tom Gardner

I used one of the features of Avast Free Anti-virus which includes a cookie viewer and manager. The actual list was manually created with cut-n-paste.

I'm using Windoze 7, Firefox 68.0.1, and Avast 19.6.2383. After logging into the Mouser web site, the Avast extension to Firefox shows 10 "security issues" on the Mouser home page. As I browse through other Mouser pages, this number will go up and down. Here's what it looks like:

Installing a virus scanner just to track cookies is overkill. Your usenet news header shows that you're using Firefox 52, which is rather ancient. I think it's possible to find a cookie manager or viewer extension for Firefox 52, but I don't want to attempt it. There are plenty of possibles, but many show a minimum Firefox version much higher than Firefox 52. Good luck.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann

I found an easier way that might work with Firefox 52 and not require installing an extension. Go to the Mouser web site. To the left of the URL in the address box is a small letter "i" with a circle around it. Click on it. A window should open which offers a list of Trackers and Cookies.

If you wait a few seconds, a new item will appear at the bottom of this window offering to "Clear Cookies and Site Data". This is handy for vaporizing the cookies of sites that offer a few free views per month, but then demand a subscription. You can also clear cookies for a specific site at: Tools -> Page Info -> Security -> Clear Cookies and Site Data

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 
Santa Cruz CA 95060 http://802.11junk.com 
Skype: JeffLiebermann     AE6KS    831-336-2558
Reply to
Jeff Liebermann

Same here, had to change to a longer password to get onto the site.

--Spehro Pefhany

Reply to
speff

So does that mean Digikey stores passwords in the clear, or did they store the number of characters when the password was created but they only store a hash of the password that is reasonably non-invertible? If in the clear, definitely don't reuse that password anywhere else because it is only one hack away from guaranteed exposure. Even the latter would make a brute force attack easier.

--
Regards, 
Carl Ijames
Reply to
Carl

A more robust approach (and fairly standard these days) is for the vendor to store the user ID, a random "salt" value (different for every user), and a hash computed from the salt and the password.

That way, someone who pilfers the database has to try hashing N*M different things (N possible passwords, M different user-specific salts) rather than just N. It reduces the utility of precomputed "rainbow tables" and makes brute-force cracking of a password table somewhat harder.

You have to use a good hash algorithm to benefit by this, but that's a pretty well-studied problem these days.

And, the user still needs to use a sufficiently long (and sufficiently random) password. Using "1234" to password-protect your planetary air shield remains a bad idea.

Reply to
Dave Platt
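
The per-user salt and hash storage described in the post above, plus one way a site can enforce a new minimum length at login without ever storing the password or its length, as an added example (not from the thread, and not a description of Digi-Key's actual system). The PBKDF2 work factor, the function names and the sample users and passwords are constructed assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor
MIN_LENGTH = 8        # new minimum length reported in the thread

def make_record(password: str) -> dict:
    """Server-side record: random per-user salt plus slow hash, no plaintext, no length."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}

def verify(record: dict, password: str) -> bool:
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])  # constant-time compare

def login(record: dict, password: str) -> str:
    """The plaintext exists only during login, so that is where a new policy can be applied."""
    if not verify(record, password):
        return "denied"
    return "must_change" if len(password) < MIN_LENGTH else "ok"

def unsalted_table(candidates: list) -> dict:
    """Precomputed hash -> password lookup, a small stand-in for a rainbow table."""
    return {hashlib.sha256(c.encode()).digest(): c for c in candidates}

def demo() -> dict:
    users = {"alice": "abc1234", "bob": "abc1234"}  # constructed: same 7-char password
    table = unsalted_table(["password", "abc1234", "letmein"])
    unsalted_db = {u: hashlib.sha256(p.encode()).digest() for u, p in users.items()}
    salted_db = {u: make_record(p) for u, p in users.items()}
    return {
        # One precomputed table recovers every unsalted entry by lookup.
        "unsalted_cracked": {u: table[h] for u, h in unsalted_db.items() if h in table},
        # Same password, different salts: stored hashes differ and the table misses.
        "salted_hashes_equal": salted_db["alice"]["hash"] == salted_db["bob"]["hash"],
        "salted_found_in_table": sum(r["hash"] in table for r in salted_db.values()),
    }

if __name__ == "__main__":
    print(demo())
    rec = make_record("abc1234")
    print(login(rec, "abc1234"), login(rec, "wrong"))
```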

Too complex :) You choose who to believe...

"According to nuclear safety expert Bruce G. Blair, the US Air Force's Strategic Air Command worried that in times of need the codes for the Minuteman ICBM force would not be available, so it quietly decided to set the codes to 00000000 in all missile launch control centers. Blair said the missile launch checklists included an item confirming this combination until 1977. A 2014 article in Foreign Policy said that the US Air Force told the United States House Committee on Armed Services that "A code consisting of eight zeroes has never been used to enable a MM ICBM, as claimed by Dr. Bruce Blair.""


Reply to
Tom Gardner

---and I understand that 15 or less characters is also breakable. See

formatting link

Reply to
Robert Baer

I'd like to figure out how to get rid of the tracking I encounter on my Android phone through the Google News. I assume that is simply running some aspect of Chrome, so I've tried deleting all cookies in Chrome, but that doesn't do it. Any idea of how to clear the Google News cookies? A search only returns hits on clearing Chrome.

--

  Rick C. 

  - Get 1,000 miles of free Supercharging 
  - Tesla referral code - https://ts.la/richard11209
Reply to
Rick C
