Malice4you, posted July 10, 2018

I got an email today about an account I have not used much recently. It told me of a new login, and then a new email that my primary email address had changed. Now, first thing, I know a lot of you are using phones for internet, but the nice thing about using a real PC is you can hover over links to see if it is indeed the correct link (i.e. Microsoft isn't sending you to paswordstealer.cn instead of microsoft.com). Using a phone, it is harder to verify where you are going to go if you click a link... so be aware of that too; there is a LOT of phishing out there.

Anyway, I was able to reset the email back to my email account, got in touch with support, and regained the account in fairly quick order. It isn't something that critical (a game account), but it could easily be bad. If I had used the same password for multiple accounts (especially my email), there would be the real possibility that the hacker could have access to anything linked to that account, or try to get into other accounts. Since every service seems to constantly spam you, anyone who now has access to your email could know where you have accounts, intercept anything like updated email addresses/passwords/password resets, and wreak havoc in your life.

Be sure that, if absolutely nothing else, your email account(s) and financial accounts use a totally different password from ANY other accounts you have now or have ever used. If you have the possibility of using 2 factor authorization, DO SO, especially for banking accounts or anything linked to bank accounts (PayPal, eBay, etc). It usually involves a 4-6 character code sent to your cell phone via text that you must enter before logging in or when doing certain activities. Don't use dumb passwords that are easily guessed. I sincerely hope no one here uses 123456, password, or their full name as a password.
Use a gun name and serial number/year, or use a phrase, or use the name of something always on your desk, or anything else not easily guessed, add in a symbol and a number or two, and you've got a password. If you are forgetful, perhaps use a similar format (change a few things for each individual site) if you must. And if you are really forgetful, write down a HINT, not the password itself. If your password is "Mosin~1937Nagant", I'd think a written hint like "Russia '91" would be a decent hint that would be meaningless to someone else. If your password is "IHateMyNeighbors@5", perhaps "noisy dogs" would be a good hint.

Back many years ago, someone I knew asked me to see if her account was secure. It took about 5 guesses before I was into her account. (I mean, it was a Yahoo account, but still, I guessed her password based solely on knowing her name and how her account name was displayed.) There is a lot of information on you out there. Don't make it any easier for someone to screw you. If the potential payout is good enough, someone can and will try.
leahcim, posted July 10, 2018

Yeah, I always check the actual URL on a PC. Don't know how to do that on a phone; often you can tell by the grammar in the email though. Or just type in the URL rather than follow links if you're not sure.

Over one year ago, concerned about my banking and investment accounts, I moved them all to KeePass. And all financial or sensitive docs on my computer moved to a VeraCrypt volume. And those (very long) passwords are handwritten on paper, with backups in a safe and a safe deposit box. It is a little more difficult for me to access stuff, but infinitely more difficult for bad guys. And better peace of mind over ID theft.
Malice4you, posted July 10, 2018

Yeah, much like caller ID can be spoofed, it is incredibly easy to spoof the "from" address. If you use something like Outlook on a PC, there is a way to go into details and see all the technical stuff about where the email actually originated from. I have yet to quickly figure out how to see full headers on the standard email client included on Android. Not sure about any other email clients on phones, but if you suspect something, don't click anything; view the email on a PC (with antivirus installed) if possible, view the headers for the email, and view the actual link, as the displayed link text is not always accurate. If still not sure, go to the website yourself by typing the known good address, and log in that way.

www.microsoft.com/totally/a/legit/site/guys/I/swear

Password length: The longer and more complex your password is, the harder it is to crack. Unless you choose "1234567890" or "password" or "password123456"; seriously, just don't.

If you use only upper/lower-case letters and numbers on a standard keyboard, that is 62 characters to pick from. A standard computer keyboard has ~95 characters with the various symbols. So if you had a 5 character password, using everything easily typed on a computer keyboard, you have a password with 7.7 billion possible combinations. If you only used letters and numbers, that 5 character password has 916 million possible combinations. A 10 character password using the full keyboard has 59.8 quintillion (59,873,693,923,837,890,000) possible combinations. Using only letters and numbers, you're down to 839 quadrillion (839,299,365,868,340,224).

These numbers would be substantially larger if you were able to use all of ASCII/Unicode's 128 (256) / 130,000+ characters... and were a glutton for punishment every time you entered a password. But I'd bet the number of people using a ±, °, or ² in their password is pretty damn low....
And I am pissed off that some sites limit the use of most symbols, or limit me to only 20 character long passwords... 3.8 duodecillion possible combinations (3,584,859,224,085,422,500,000,000,000,000,000,000,000) is not nearly enough!
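The keyspace arithmetic in the post above, carried through as an added example (not code from the thread): it classifies a password by the keyboard character classes it uses (26 lower, 26 upper, 10 digits, 33 symbols including space, for 95 total), computes the search space and its size in bits, estimates how long an attacker would need at a given guess rate, and treats anything on a short constructed list of common passwords as effectively guessable in one pass, which is the "unless you choose password123456" caveat. The common-password list, the 10 billion guesses per second rate and the password strings are assumptions for illustration only.

```python
import math
import string

# Character classes on a standard US keyboard: 26 + 26 + 10 + 33 = 95 printable characters.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation) | {" "},  # 32 punctuation marks + space
}

# Constructed stand-in for a cracking wordlist (assumption): real lists hold millions of entries,
# and an attacker tries them before any brute force, so these have no meaningful keyspace.
COMMON_PASSWORDS = frozenset({"123456", "password", "password123456", "1234567890"})


def alphabet_size(password: str) -> int:
    """Size of the smallest keyboard alphabet that contains every character of the password."""
    for c in password:
        if not any(c in chars for chars in CLASSES.values()):
            raise ValueError(f"{c!r} is not a standard keyboard character")
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of the given length over an alphabet of that size."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Same quantity expressed in bits: log2 of the keyspace."""
    return length * math.log2(alphabet)


def effective_keyspace(password: str) -> int:
    """Keyspace an attacker actually has to search: tiny for a wordlist hit, full otherwise."""
    if password in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    return keyspace(len(password), alphabet_size(password))


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case time to try every candidate at a constant guess rate."""
    return space / guesses_per_second


def describe(password: str, guesses_per_second: float = 1e10) -> str:
    space = effective_keyspace(password)
    years = seconds_to_exhaust(space, guesses_per_second) / (365.25 * 24 * 3600)
    return (f"{len(password)} chars, alphabet {alphabet_size(password)}, "
            f"keyspace {space:,} ({math.log2(space):.1f} bits), "
            f"{years:.3g} years to exhaust at {guesses_per_second:.0e} guesses/s")


if __name__ == "__main__":
    for pw in ("password123456", "abc123", "Mosin~1937Nagant", "IHateMyNeighbors@5"):
        print(describe(pw))
```

The 10 billion guesses per second figure is only a placeholder; the right number depends on how the site hashes passwords, and an attacker who already has the database from a breach is limited only by hardware, which is why reuse across sites matters more than the symbol rules.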
voyager9, posted July 11, 2018

Safari has a "suggest password" feature when it recognizes the typical "set password" form most sites use. This generates a pretty long string of random characters as the new password. When you visit the login form for that site it populates the password for you (protected by password, Touch ID, or Face ID). Of course this password is stored by Safari. On the iPhone it is stored in the keychain and secure(ish). There are other password managers out there. Most do the same thing.
Shocker, posted July 11, 2018

I broke down recently and subscribed to LastPass (the $$ version syncs between devices; there is a free one tho). Sucks having to pay, but the strong p/w generator and ease of having a unique p/w for every single site is valuable. Of course... we're a few years away from quantum computing, right? At which point even 256-bit encryption will be readily crackable. *sigh*
Krdshrk, posted July 11, 2018

5 minutes ago, Shocker said: I broke down recently and subscribed to LastPass (the $$ version syncs between devices; there is a free one tho). Sucks having to pay, but the strong p/w generator and ease of having a unique p/w for every single site is valuable. Of course... we're a few years away from quantum computing, right? At which point even 256-bit encryption will be readily crackable. *sigh*

You do realize that LastPass has been hacked multiple times, right?
Oleg, posted July 11, 2018

There is 1Password and 1Password for Families. It is expensive; it is worth it.
Shocker, posted July 11, 2018

Yes, LastPass seems to be the popular choice and thus the popular hacking target. They seem to be responsive when vulnerabilities are exposed, but who knows. Dashlane was a good alternative when I was looking too.
leahcim, posted July 11, 2018

I use KeePass, seems to work pretty well and it's free.
leahcim, posted July 11, 2018

And I always had the impression that going much beyond 20 characters does not add value due to limitations of SHA256.
Lakota, posted July 11, 2018

8 hours ago, leahcim said: I use KeePass, seems to work pretty well and it's free.

I second KeePass. I use it personally and it's what my company uses as well. Another useful resource to keep an eye on if anyone is worried that they have been breached in any way is: https://haveibeenpwned.com/

Plug in your email address and it will tell you if that email has been part of any major breaches and/or if it's been found in any pastes on known login/password black sites.
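The same service also lets you check whether a password itself has shown up in breach dumps, without sending the password anywhere: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the documented range endpoint (https://api.pwnedpasswords.com/range/{prefix}), and compares the returned suffix list locally. The following is an added example of that client-side logic, not code from the thread or from Have I Been Pwned; the network fetch is replaced by a constructed in-memory response so it runs offline, and the breach counts in that response are made up for illustration.

```python
import hashlib
from typing import Callable

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def sha1_upper_hex(password: str) -> str:
    """Pwned Passwords keys its data by the upper-case hex SHA-1 of the UTF-8 password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Response lines look like 'SUFFIX:COUNT'; return {suffix: count}."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus (0 if absent).

    fetch_range(prefix) must return the body that GET PWNED_RANGE_URL + prefix would.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed offline stand-in for the API (assumption). Every suffix below is invented except
# the one for "password", which is computed so the lookup exercises the real matching path.
_FAKE_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        sha1_upper_hex("password")[5:] + ":3861493",
        "01E4C9B93F3F0682250B6CF8331B7EE68FD9:12",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Returns the constructed body for a known prefix, or an empty list otherwise."""
    return _FAKE_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    for pw in ("password", "Mosin~1937Nagant"):
        print(pw, "->", pwned_count(pw, fake_fetch_range))
```

Swapping `fake_fetch_range` for a function that does the HTTP GET against `PWNED_RANGE_URL + prefix` is all that is needed for a live check; the password and its full hash never leave the client either way.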
Howard, posted July 11, 2018

I hate what is going on with passwords lately. Too many sites have crazy rules that you have to use characters from like six different categories, and it makes remembering passwords crazy hard. I much prefer, where possible, to use a simple password that I can remember with two factor authentication. For those that are not familiar, that is when the site sends you a unique code to a different device and then you have to enter that code. I also like it when sites challenge you if they don't recognize your IP or unique facts about your device. This is especially good for financial sites. Best of all are sites like E*Trade where you can have a password that you then have to append six digits to each time you log in, based on an authentication program on your phone or a dongle on your keychain.
1LtCAP, posted July 11, 2018

My bank forces me to change the password every 3 months, and it can't be the same as one used in the last 6 months..... then of course the stupid special characters and all......
Howard, posted July 11, 2018

6 minutes ago, 1LtCAP said: My bank forces me to change the password every 3 months, and it can't be the same as one used in the last 6 months..... then of course the stupid special characters and all......

I think that is so stupid. My wife had a work account like that; each time that happened she would just increment the two digit number on the end by one.
1LtCAP, posted July 11, 2018

26 minutes ago, Howard said: I think that is so stupid. My wife had a work account like that; each time that happened she would just increment the two digit number on the end by one.

Before they added the "not the same as one in the last 6 months" thing, we used to just switch back and forth between 2 pretty screwy ones........ now we gotta use a cheat sheet to keep track of the goddam things.
oldguysrule649, posted July 11, 2018

I am a 30+ year IT professional. OP, excellent thread and advice. In all instances, I use different, difficult to guess passwords. Whenever 2 way authentication is available, I use it. For keeping track of what has grown to over 300+ user IDs and passwords, I use KeePass. I have it installed on my home PC and all database changes are done there. I periodically copy the db file to my iPhone, which I treat as read only. KeePass is straightforward and has fit my needs. I specifically did NOT want a program that autofills websites. Now if I could only convince my wife to think the same regarding password selection..... (:-)
Krdshrk, posted July 11, 2018

KeePass user here as well. Encrypted password vault, not kept online. Sure, it doesn't log you in automatically like LastPass or Dashlane or any of those, but that just means your stuff is more secure.
mossburger, posted July 11, 2018

Look at porn on a throwaway device. An old tablet, smartphone, etc. that's logged out of everything, and just runs on wifi. Works like a charm. Let's be real here, we all know where our viruses come from.
1LtCAP, posted July 11, 2018

I keep my IDs/passwords on a sheet of paper. I wasn't kidding when I used the "cheat sheet" reference.
Krdshrk, posted July 11, 2018

32 minutes ago, 1LtCAP said: I keep my IDs/passwords on a sheet of paper. I wasn't kidding when I used the "cheat sheet" reference.

Is it taped to your monitor?
1LtCAP, posted July 11, 2018

1 minute ago, Krdshrk said: Is it taped to your monitor?

lol. I'm not quite that stupid, lololol
Krdshrk, posted July 11, 2018

8 minutes ago, 1LtCAP said: lol. I'm not quite that stupid, lololol

I mean, you're in NJ, not Hawaii... http://www.businessinsider.com/hawaii-emergency-agency-password-discovered-in-photo-sparks-security-criticism-2018-1
Shocker, posted July 11, 2018

4 hours ago, mossburger said: Look at porn on a throwaway device.

The old "beater burner", lol.
Malice4you, posted September 26, 2018

So today, I got an email from "myself" claiming to be from a hacker organization. It was pretty standard unbelievable bullshit... until the part where they gave me my password. Well, an old password. It claimed that they'd installed a virus and gotten webcam captures of me and various other blackmail claims, and would release them to all my contacts if I didn't pay $700 in bitcoin to x account. They claimed to be sending the mail from my own account, though the password they provided proves they ain't got shit other than an old password. The fact that there's no webcam on any of the PCs is another giveaway...

So, at some point, some website with an account linked to that email address had been hacked and the info has gotten out there on the internet, and someone is trying to get $700 outta me. I got the same email about 5 times today.

Scams are getting smarter. The inclusion of the password is a new twist that gives it legitimacy that you might otherwise dismiss as spam. Furthermore, if you are reusing passwords in places, one site's security lapse can compromise a bunch of sites. So stop reusing passwords everywhere, and if you've had the same password for a site for years, it might not be a bad time to change it.
10X, posted September 26, 2018

44 minutes ago, Malice4you said: It claimed that they'd installed a virus and gotten webcam captures of me and various other blackmail claims,

Good advice on picking difficult passwords and never re-using them. Also, when unboxing a new computer, putting electrical tape over the webcam is always step two for me; it comes before things like plugging it in, turning it on, etc.
Zeke, posted September 26, 2018

https://youtu.be/a6iW-8xPw3k
Sniper, posted September 26, 2018

1 hour ago, Malice4you said: So today, I got an email from "myself" claiming to be from a hacker organization. It was pretty standard unbelievable bullshit... until the part where they gave me my password.

I got the exact same one today, but the password was wrong. I've been seeing different versions of this scam for the last month or two.

1 hour ago, Malice4you said: and would release them to all my contacts if I didn't pay $700 in bitcoin to x account.

They're getting desperate; it was up around $2400 a few weeks ago. Apparently no one is biting on the scam.

1 hour ago, Malice4you said: Scams are getting smarter. The inclusion of the password is a new twist that gives it legitimacy that you might otherwise dismiss as spam.

These scams and general hacks are getting a lot smarter, including all the data being stolen from financial, banking and other online retail places. No information is truly safe anymore, even if you use different passwords at different places. The hackers break into the databases and steal the passwords.
Krdshrk, posted September 26, 2018

1 hour ago, Malice4you said: So today, I got an email from "myself" claiming to be from a hacker organization. It was pretty standard unbelievable bullshit... until the part where they gave me my password. Well, an old password. It claimed that they'd installed a virus and gotten webcam captures of me and various other blackmail claims, and would release them to all my contacts if I didn't pay $700 in bitcoin to x account. They claimed to be sending the mail from my own account, though the password they provided proves they ain't got shit other than an old password. The fact that there's no webcam on any of the PCs is another giveaway... So, at some point, some website with an account linked to that email address had been hacked and the info has gotten out there on the internet, and someone is trying to get $700 outta me. I got the same email about 5 times today. Scams are getting smarter. The inclusion of the password is a new twist that gives it legitimacy that you might otherwise dismiss as spam. Furthermore, if you are reusing passwords in places, one site's security lapse can compromise a bunch of sites. So stop reusing passwords everywhere, and if you've had the same password for a site for years, it might not be a bad time to change it.

This one's been going around. Websites like Adobe or whatever have been hacked and they spoof your email address as the sender. We've been getting support tickets about "MY EMAIL'S BEEN HACKED" from customers when it really isn't.
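Two checks come up repeatedly in this thread: reading the full headers to see where a mail really came from (the "from" address is trivially spoofed, as the "email from myself" scam above shows), and comparing a link's displayed text with where it actually points. The block below is an added example of both, not code from the thread or from any mail client: it parses a constructed raw message with Python's standard email and html.parser modules, compares the Return-Path (envelope sender) domain with the From header domain, pulls the spf/dkim/dmarc results out of the receiving server's Authentication-Results header, and flags anchors whose visible text is a URL on a different host than the href. The message, addresses, hosts and IP in it are made up for illustration; the Authentication-Results header is only trustworthy when your own mail server wrote it, which is the caveat the code's comment repeats.

```python
import email
import email.policy
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (assumption): a self-addressed extortion mail whose envelope
# sender, relay and SPF result give it away, with a link whose text and target disagree.
RAW_MESSAGE = """\
Return-Path: <bounce-9821@mail.example.net>
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.org with ESMTP id abc123; Wed, 26 Sep 2018 10:02:11 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=example.net; dkim=none; dmarc=fail header.from=example.org
From: victim@example.org
To: victim@example.org
Subject: I know your password
Content-Type: text/html; charset="utf-8"

<html><body>
<p>I have your password Mosin~1937Nagant and your webcam footage. Pay 0.1 BTC.</p>
<p>Proof: <a href="http://paswordstealer.cn/login">https://www.microsoft.com/account</a></p>
<p><a href="https://www.microsoft.com/account">Sign in to Microsoft</a></p>
</body></html>
"""

URL_LIKE = re.compile(r"(https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(/\S*)?")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def envelope_mismatch(header_from: str, return_path: str) -> bool:
    """True when the bounce address domain is neither the From domain nor a subdomain of it."""
    if not return_path:
        return False
    hf, rp = domain_of(header_from), domain_of(return_path)
    return rp != hf and not rp.endswith("." + hf)


def parse_auth_results(header: str) -> dict[str, str]:
    """Extract spf/dkim/dmarc verdicts. Only meaningful if *your* MX added this header."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""
    def __init__(self) -> None:
        super().__init__()
        self.links: list[tuple[str, str]] = []
        self._href: str | None = None
        self._text: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def suspicious_links(html: str) -> list[tuple[str, str]]:
    """(shown host, real host) for anchors whose URL-looking text points somewhere else."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        if href and URL_LIKE.fullmatch(text) and host_of(text) != host_of(href):
            flagged.append((host_of(text), host_of(href)))
    return flagged


def analyze(raw: str) -> dict:
    msg = email.message_from_string(raw, policy=email.policy.default)
    header_from = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return_path = email.utils.parseaddr(str(msg.get("Return-Path", "")))[1]
    body = msg.get_body(preferencelist=("html",))
    return {
        "header_from": header_from,
        "envelope_from": return_path,
        "envelope_mismatch": envelope_mismatch(header_from, return_path),
        "auth": parse_auth_results(str(msg.get("Authentication-Results", ""))),
        "suspicious_links": suspicious_links(body.get_content() if body else ""),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW_MESSAGE).items():
        print(f"{key}: {value}")
```

Running it on the sample shows the pattern Krdshrk describes: the From header says the victim, the envelope sender and the relay say someone else, SPF fails, and the one link that displays a microsoft.com URL resolves to a different host. None of that requires opening the link or the attachment; it only requires the raw headers, which is why viewing them on a PC, as suggested earlier in the thread, is worth the trouble.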
Kevin125, posted September 26, 2018

Use a password tool like Dashlane. Let it randomize your passwords and remember them for you. These tools have some limitations, but it deals with the issue of managing passwords and re-use.