Malice4you

Don't re-use your passwords everywhere!


I got an email today about an account I have not used much recently.  It told me of a new login, and then a second email said my primary email address had been changed.

Now, first thing, I know a lot of you are using phones for internet, but the nice thing about using a real PC is you can hover over links to see if it is indeed the correct link (i.e. Microsoft isn't sending you to paswordstealer.cn instead of microsoft.com).  Using a phone, it is harder to verify where you are going to go if you click a link...so be aware of that too - there is a LOT of phishing out there.

Anyway, I was able to reset the email back to my email account, got in touch with support, and regained the account in fairly quick order.  It isn't something that critical (a game account), but it could easily be bad.

 

If I had used the same password for multiple accounts (especially my email), there would be the real possibility that the hacker could have access to anything linked to that account, or could try to get into other accounts.  Since every service seems to constantly spam you, anyone who now has access to your email could know where you have accounts, intercept anything like updated email addresses/passwords/password resets, and wreak havoc in your life.

 

Be sure that - if absolutely nothing else - your email account(s) and financial accounts use a totally different password from ANY other accounts you have now or have ever used.  If you have the possibility of using 2 factor authorization, DO SO, especially for banking accounts or anything linked to bank accounts (PayPal, eBay, etc.).  It usually involves a 4-6 character code sent to your cell phone via text that you must enter before logging in or when doing certain activities.

 

Don't use dumb passwords that are easily guessed.  I sincerely hope no one here uses 123456, password, or their full name as a password.  Use a gun name and serial number/year, or use a phrase, or use the name of something always on your desk, or anything else not easily guessed, add in a symbol and number or two, and you've got a password.  If you are forgetful, perhaps use a similar format (change a few things for each individual site) if you must. And if you are really forgetful, write down a HINT, not the password itself.

If your password is "Mosin~1937Nagant", I'd think a written hint like "Russia '91" would be a decent hint that would be meaningless to someone else.

If your password is "IHateMyNeighbors@5", perhaps "noisy dogs" would be a good hint.

Back many years ago, someone I knew asked me to see if her account was secure.  It took about 5 guesses before I was into her account.  (I mean, it was a Yahoo account, but still, I guessed her password based solely on knowing her name and how her account name was displayed.)  There is a lot of information on you out there.  Don't make it any easier for someone to screw you.  If the potential payout is good enough, someone can and will try.

 


Yeah, I always check the actual URL on a PC.  Don't know how to do that on a phone; often you can tell by the grammar in the email though.  Or just type in the URL rather than follow links if you're not sure.

Over one year ago, concerned about my banking and investment accounts, I moved them all to KeePass.  And all financial or sensitive docs on my computer moved to a VeraCrypt volume.  And those (very long) passwords are handwritten on paper, with backups in a safe and a safe deposit box.

It is a little more difficult for me to access stuff, but infinitely more difficult for bad guys. And better peace of mind over ID theft.


Yeah, much like caller ID can be spoofed, it is incredibly easy to spoof the "from" address.  If you use something like Outlook on a PC, there is a way to go into details and see all the technical stuff about where the email actually originated from.  I have yet to quickly figure out how to see full headers on the standard email client included on Android.  Not sure about any other email clients on phones, but if you suspect something, don't click anything; view the email on a PC (with antivirus installed) if possible, view the headers for the email, and view the actual link, as the displayed link text is not always accurate.  If still not sure, go to the website yourself by typing the known good address, and log in that way.

www.microsoft.com/totally/a/legit/site/guys/I/swear

Password length:  The longer and more complex your password is, the harder it is to crack.  Unless you choose "1234567890" or "password" or "password123456" - seriously, just don't.

If you use only upper/lower-case letters and numbers on a standard keyboard, that is 62 characters to pick from. A standard computer keyboard has ~95 characters with the various symbols.  So if you had a 5 character password, using everything easily typed on a computer keyboard, you have a password with 7.7 billion possible combinations.  If you only used letters and numbers, that 5 character password has 916 million possible combinations.  A 10 character password using the full keyboard has 59.8 quintillion (59,873,693,923,837,890,000) possible combinations.  Using only letters and numbers, you're down to 839 quadrillion (839,299,365,868,340,224).

These numbers would be substantially larger if you were able to use all of ASCII/Unicode's 128(256) / 130,000+ characters...and were a glutton for punishment every time you entered a password.  But I'd bet the number of people using a ±, °, or ² in their password is pretty damn low....

And I am pissed off that some sites limit the use of most symbols, or limit me to only 20 character long passwords... 3.8 duodecillion possible combinations (3,584,859,224,085,422,500,000,000,000,000,000,000,000) is not nearly enough!

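The two checks the post above recommends (view the real link target behind the displayed text, and read the headers to see where the mail actually came from) can be done mechanically. The following is an added example, not code from the original thread; it parses a constructed phishing message (the headers, addresses and link targets are made up for illustration, using the thread's own paswordstealer.cn joke) with Python's standard library, compares the displayed From: domain with the envelope sender and the receiving server's SPF/DKIM verdicts, and flags any link whose visible text shows one domain while the href points at another. The "site" comparison is deliberately crude (last two labels); a production tool would use the public suffix list.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real capture). The From: line claims microsoft.com,
# but the envelope sender, the SPF verdict and the real link target disagree.
RAW_MESSAGE = b"""\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.45) by mx.example.org with ESMTP; Mon, 1 Oct 2018 10:00:00 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=mail-relay.example.net; dkim=none
From: "Account Team" <no-reply@microsoft.com>
To: victim@example.org
Subject: Unusual sign-in activity
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected a new login. Review it here:
<a href="http://paswordstealer.cn/login">https://account.microsoft.com/security</a></p>
<p>Or visit <a href="https://www.microsoft.com/">www.microsoft.com</a></p>
</body></html>
"""


def site(host):
    """Crude registrable-domain approximation: the last two labels of the host.
    Fine for .com/.net/.cn; a real tool would consult the public suffix list."""
    return ".".join(host.lower().split(".")[-2:]) if host else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(html_text):
    """Return (visible text, real href) pairs where the text shows a URL or
    domain but the href goes somewhere else: the hover check, automated."""
    parser = LinkCollector()
    parser.feed(html_text)
    flagged = []
    for href, text in parser.links:
        looks_like_url = "://" in text or re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", text)
        if not looks_like_url:
            continue
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname
        real_host = urlparse(href).hostname
        if shown_host and site(shown_host) != site(real_host):
            flagged.append((text, href))
    return flagged


def header_findings(msg):
    """Compare the displayed From: domain with the envelope sender (Return-Path)
    and pull the receiving server's SPF/DKIM/DMARC verdicts."""
    findings = []
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1].rpartition("@")[2].lower()
    if envelope and site(envelope) != site(from_domain):
        findings.append(f"From: claims {from_domain} but envelope sender is {envelope}")
    for auth in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(auth)):
            if result != "pass":
                findings.append(f"{method}={result}")
    return findings


def triage(raw_bytes):
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    html_text = body.get_content() if body is not None else ""
    return {"headers": header_findings(msg), "links": suspicious_links(html_text)}


if __name__ == "__main__":
    report = triage(RAW_MESSAGE)
    for finding in report["headers"]:
        print("header:", finding)
    for shown, real in report["links"]:
        print(f"link text {shown!r} actually goes to {real!r}")
```

Run against a real message, save it as raw .eml (most desktop clients offer "view source" or "save as") and pass the bytes to triage(). An spf=fail or a From/Return-Path mismatch is not proof of fraud on its own (mailing-list relays and marketing platforms do this legitimately), but combined with a link whose visible text lies about its destination it is exactly the pattern the post describes.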
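The combination counts in the post are charset_size ** length, and the 62- and 95-character figures check out exactly. As an added example (not from the original poster), the script below reproduces those numbers and goes one step further than the post: it converts a keyspace into bits of entropy and shows how many characters a random password needs from a given charset to reach a target strength, which makes the "length beats symbols" point concrete. The guess rate used for the time estimate is an assumption chosen for illustration; real cracking speed depends on how the site hashed the password and on the attacker's hardware.

```python
import math

# Character-set sizes from the post: letters + digits, and the ~95 printable
# characters on a standard keyboard.
ALNUM = 62
PRINTABLE = 95

# Assumed guess rate, for the time estimates only. Real rates range over many
# orders of magnitude depending on the hash (bcrypt vs. unsalted MD5) and hardware.
ASSUMED_GUESSES_PER_SECOND = 10 ** 11


def keyspace(charset_size, length):
    """Number of distinct passwords of exactly `length` symbols from the charset."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Entropy of a uniformly random password of that shape: log2 of the keyspace."""
    return length * math.log2(charset_size)


def years_to_exhaust(charset_size, length, guesses_per_second=ASSUMED_GUESSES_PER_SECOND):
    """Years needed to try every candidate at a constant guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / (365 * 24 * 3600)


def length_needed(charset_size, target_bits):
    """Shortest length at which a random password from this charset reaches target_bits."""
    return math.ceil(target_bits / math.log2(charset_size))


def report(charset_size, length):
    return {
        "keyspace": keyspace(charset_size, length),
        "bits": round(entropy_bits(charset_size, length), 1),
        "years": years_to_exhaust(charset_size, length),
    }


if __name__ == "__main__":
    for size, length in [(PRINTABLE, 5), (ALNUM, 5), (PRINTABLE, 10), (ALNUM, 10), (PRINTABLE, 20)]:
        r = report(size, length)
        print(f"{length:2d} chars from {size:2d}: {r['keyspace']:>45,d}  {r['bits']:5.1f} bits  {r['years']:.3g} years")
    # Length beats charset: how long must a password be to reach 80 bits?
    for size in (26, 62, 95):
        print(f"80 bits needs {length_needed(size, 80)} chars from a {size}-character set")
```

The entropy figures only apply to passwords actually chosen at random (a manager-generated string). A human-chosen phrase with a year and a symbol bolted on has a far smaller effective keyspace than these formulas suggest, because crackers try common patterns first rather than enumerating the whole space.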

Safari has a "suggest password" feature when it recognizes the typical "set password" form most sites use. This generates a pretty long string of random characters as the new password.   When you visit the login form for that site it populates the password for you (protected by password, Touch ID, or Face ID).

Of course this password is stored by Safari. On the iPhone it is stored in the keychain and is secure(ish).  There are other password managers out there. Most do the same thing.


I broke down recently and subscribed to LastPass (the $$ version syncs between devices, there is a free one tho) 

 

sucks having to pay but the strong p/w generator and ease of having a unique p/w for every single site is valuable 

 

of course...we're a few years away from quantum computing, right? At which point even 256-bit encryption will be readily crackable *sigh*

5 minutes ago, Shocker said:

I broke down recently and subscribed to LastPass (the $$ version syncs between devices, there is a free one tho) 

 

sucks having to pay but the strong p/w generator and ease of having a unique p/w for every single site is valuable 

 

of course...we're a few years away from quantum computing, right? At which point even 256-bit encryption will be readily crackable *sigh*

You do realize that LastPass has been hacked multiple times, right?

8 hours ago, leahcim said:

I use KeePass, seems to work pretty well and it's free

I second KeePass.   I use it personally and it's what my company uses as well.

Another useful resource to keep an eye on, if anyone is worried that they have been breached in any way, is: https://haveibeenpwned.com/

Plug in your email address and it will tell you if that email has been part of any major breaches and/or if it's been found in any pastes on known login/password black sites.


I hate what is going on with passwords lately.  Too many sites have crazy rules that you have to use characters from like six different categories, and it makes remembering passwords crazy hard.  I much prefer, where possible, to use a simple password that I can remember with two-factor authentication.  For those that are not familiar, that is when the site sends you a unique code to a different device and then you have to enter that code.  I also like it when sites challenge you if they don't recognize your IP or unique facts about your device.  This is especially good for financial sites.  Best of all are sites like eTrade where you can have a password that you then have to append six digits to each time you log in, based on an authentication program on your phone or a dongle on your keychain.

6 minutes ago, 1LtCAP said:

my bank forces me to change the password every 3 months, and it can't be the same as one used in the last 6 months.....then of course the stupid special characters and all......

 

I think that is so stupid.  My wife had a work account like that; each time that happened she would just increment the two digit number on the end by one.

26 minutes ago, Howard said:

I think that is so stupid.  My wife had a work account like that; each time that happened she would just increment the two digit number on the end by one.

before they added the "not the same as one in the last 6 months" thing, we used to just switch back n forth between 2 pretty screwy ones........now we gotta use a cheatsheet to keep track of the goddam things.


I am a 30+ year IT professional. OP, excellent thread and advice.  In all instances, I use different, difficult to guess passwords.  Whenever 2 way authentication is available, I use it.  For keeping track of what has grown to over 300+ user IDs and passwords, I use KeePass. I have it installed on my home PC and all database changes are done there. I periodically copy the db file to my iPhone, which I treat as read only. KeePass is straightforward and has fit my needs.  I specifically did NOT want a program that autofills websites.

Now if I could only convince my wife to think the same regarding password selection .....(:-) 


So today, I got an email from "myself" claiming to be from a hacker organization.  It was pretty standard unbelievable bullshit...until the part where they gave me my password.  Well, an old password.  It claimed that they'd installed a virus and gotten webcam captures of me and various other blackmail claims, and would release them to all my contacts if I didn't pay $700 in bitcoin to x account.  They claimed to be sending the mail from my own account, though the password they provided proves they ain't got shit other than an old password.  The fact that there's no webcam on any of the PCs is another giveaway...

So - at some point, some website with an account linked to that email address had been hacked and the info has gotten out there on the internet, and someone is trying to get $700 outta me.  I got the same email about 5 times today.

 

Scams are getting smarter.  The inclusion of the password is a new twist that gives it legitimacy that you might otherwise dismiss as spam.   Furthermore, if you are reusing passwords in places, one site's security lapse can compromise a bunch of sites.  So stop reusing passwords everywhere, and if you've had the same password for a site for years, it might not be a bad time to change it.

44 minutes ago, Malice4you said:

It claimed that they'd installed a virus and gotten webcam captures of me and various other blackmail claims,

Good advice on picking difficult passwords and never re-using them.  

Also, when unboxing a new computer, putting electrical tape over the webcam is always step two for me; it comes before things like plugging it in, turning it on, etc.

1 hour ago, Malice4you said:

So today, I got an email from "myself" claiming to be from a hacker organization.  It was pretty standard unbelievable bullshit...until the part where they gave me my password.

I got the exact same one today, but the password was wrong. I've been seeing different versions of this scam for the last month or two.

1 hour ago, Malice4you said:

and would release them to all my contacts if I didn't pay $700 in bitcoin to x account. 

They're getting desperate, it was up around $2400 a few weeks ago, apparently no one is biting on the scam.

1 hour ago, Malice4you said:

Scams are getting smarter.  The inclusion of the password is a new twist that gives it legitimacy that you might otherwise dismiss as spam.

These scams and general hacks are getting a lot smarter, including all the data being stolen from financial, banking and other online retail places. No information is truly safe anymore, even if you use different passwords at different places. The hackers break into the databases and steal the passwords.

 

1 hour ago, Malice4you said:

So today, I got an email from "myself" claiming to be from a hacker organization.  It was pretty standard unbelievable bullshit...until the part where they gave me my password.  Well, an old password.
This one's been going around.  Websites like Adobe or whatever have been hacked and they spoof your email address as the sender.  We've been getting support tickets about "MY EMAIL'S BEEN HACKED" from customers when it really isn't.

