[Question regarding password security]

jebmke
Posts: 11654
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security question on one's passwords

Post by jebmke »

Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
I only skimmed it. It seems to imply that strength is less critical. But unless I misread some of the items in the table, it would appear that using the same PW across multiple sites might increase the risk of specific attacks.
When you discover that you are riding a dead horse, the best strategy is to dismount.
warner25
Posts: 519
Joined: Wed Oct 29, 2014 4:38 pm

Re: Security question on one's passwords

Post by warner25 »

Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
As a trained computer scientist and information security professional, I fully understand what the author is saying, but the title and the conclusion defy logic. He repeatedly says that your password "just doesn’t matter – unless..." and then goes on to explain how a strong password does, in fact, protect against certain threats. It's like someone saying, "Wearing your seat belt just doesn't matter - unless you are wearing one when you get into a collision under certain conditions."

Edited to add, this is a nice rebuttal: https://techcommunity.microsoft.com/t5/ ... true#M1468
Last edited by warner25 on Sun Sep 13, 2020 12:27 pm, edited 1 time in total.
Kenkat
Posts: 6732
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

jebmke wrote: Sun Sep 13, 2020 12:18 pm
Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
I only skimmed it. It seems to imply that strength is less critical. But unless I misread some of the items in the table, it would appear that using the same PW across multiple sites might increase the risk of specific attacks.
Yes, that was actually #1 on the list as “Credential Stuffing” - i.e., I take a compromised password from “idontcare.com” and try it at “mybank.com” and every other high value site I could be a user on.
whomever
Posts: 993
Joined: Sat Apr 21, 2012 5:21 pm

Re: Security question on one's passwords

Post by whomever »

One thing I haven't seen mentioned: if you are dealing with financial institutions where you are potentially exposed to large losses, you probably want to keep in mind that many of them publish guidelines along the lines of 'you will be reimbursed for fraudulent transactions if you have followed these guidelines'.

Whether you personally think those guidelines are wise or dumb, failing to follow them ought to be a decision you have carefully made, with due consideration for the consequences.
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

jebmke wrote: Sun Sep 13, 2020 12:18 pm
Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
I only skimmed it. It seems to imply that strength is less critical. But unless I misread some of the items in the table, it would appear that using the same PW across multiple sites might increase the risk of specific attacks.
The main takeaway is we should all be using multi-factor authentication for access to sensitive data. If you use MFA it doesn't matter if your password is compromised provided the other factor isn't also compromised.
Kenkat
Posts: 6732
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

warner25 wrote: Sun Sep 13, 2020 12:22 pm
Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
As a trained computer scientist and information security professional, I fully understand what the author is saying, but the title and the conclusion defy logic. He repeatedly says that your password "just doesn’t matter – unless..." and then goes on to explain how a strong password does, in fact, protect against certain threats. It's like someone saying, "Wearing your seat belt just doesn't matter - unless you are wearing one when you get into a collision under certain conditions."

Edited to add, this is a nice rebuttal: https://techcommunity.microsoft.com/t5/ ... true#M1468
I agree with the rebuttal overall as well - it improves upon the original. I was mainly commenting on presentation of the real life examples of how passwords are compromised rather than the attention grabbing headline but I was a little lazy there as the title and conclusion were more attention grabbers than good advice.
Last edited by Kenkat on Sun Sep 13, 2020 12:39 pm, edited 1 time in total.
Jeff Albertson
Posts: 841
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Security question on one's passwords

Post by Jeff Albertson »

steve321 wrote: Sun Sep 13, 2020 11:42 am Is there a way you can find out (besides the hard way...) if there's malware on your computer (PC or chromebook)?
Malwarebytes has a free version, but read these basic guides also:
https://www.nytimes.com/wirecutter/blog ... ty-layers/
https://www.nytimes.com/wirecutter/blog/best-antivirus/
https://www.nytimes.com/wirecutter/blog ... r-yes-you/
https://www.nytimes.com/wirecutter/revi ... -managers/
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

Kenkat wrote: Sun Sep 13, 2020 12:34 pm
warner25 wrote: Sun Sep 13, 2020 12:22 pm
Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
As a trained computer scientist and information security professional, I fully understand what the author is saying, but the title and the conclusion defy logic. He repeatedly says that your password "just doesn’t matter – unless..." and then goes on to explain how a strong password does, in fact, protect against certain threats. It's like someone saying, "Wearing your seat belt just doesn't matter - unless you are wearing one when you get into a collision under certain conditions."

Edited to add, this is a nice rebuttal: https://techcommunity.microsoft.com/t5/ ... true#M1468
I agree with the rebuttal overall as well - I was mainly commenting on presentation of the real life examples of how passwords are compromised rather than the attention grabbing headline but I was a little lazy there as the title and conclusion were more attention grabbers than good advice.
I don't find the rebuttal particularly compelling. Just about any financial Web site will use some form of 2fa authentication. For the password to matter at all, they first need to be able to compromise the other factor. This might be accomplished via a SIM Swap attack, but most of these reported cases have been targeted against cryptocurrency whales. There's not much evidence these attacks happen against normal individuals with any frequency.
Kenkat
Posts: 6732
Joined: Thu Mar 01, 2007 11:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

oldfort wrote: Sun Sep 13, 2020 12:41 pm
Kenkat wrote: Sun Sep 13, 2020 12:34 pm
warner25 wrote: Sun Sep 13, 2020 12:22 pm
Kenkat wrote: Sun Sep 13, 2020 12:10 pm
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
As a trained computer scientist and information security professional, I fully understand what the author is saying, but the title and the conclusion defy logic. He repeatedly says that your password "just doesn’t matter – unless..." and then goes on to explain how a strong password does, in fact, protect against certain threats. It's like someone saying, "Wearing your seat belt just doesn't matter - unless you are wearing one when you get into a collision under certain conditions."

Edited to add, this is a nice rebuttal: https://techcommunity.microsoft.com/t5/ ... true#M1468
I agree with the rebuttal overall as well - I was mainly commenting on presentation of the real life examples of how passwords are compromised rather than the attention grabbing headline but I was a little lazy there as the title and conclusion were more attention grabbers than good advice.
I don't find the rebuttal particularly compelling. Just about any financial Web site will use some form of 2fa authentication. For the password to matter at all, they first need to be able to compromise the other factor. This might be accomplished via a SIM Swap attack, but most of these reported cases have been targeted against cryptocurrency whales. There's not much evidence these attacks happen against normal individuals with any frequency.
It’s a complicated subject. For example, 2FA reduces the exposure of using the same password across different accounts, but it still matters. Not using an obvious password still matters. So passwords do still matter, but only in certain ways and maybe not as much as some would believe.
warner25
Posts: 519
Joined: Wed Oct 29, 2014 4:38 pm

Re: Security question on one's passwords

Post by warner25 »

oldfort wrote: Sun Sep 13, 2020 12:41 pm I don't find the rebuttal particularly compelling. Just about any financial Web site will use some form of 2fa authentication.
And the same author's follow-up article is all about MFA vulnerabilities. So defense-in-depth to some degree still matters. https://techcommunity.microsoft.com/t5/ ... a-p/855124
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

wander wrote: Sun Sep 13, 2020 10:13 am That's good then. I don't think carrying different passwords serves any benefit considering now you have 2-step verification.
It should probably be further emphasized this is bad advice for good measure. On top of everything else, most 2-Step verification on most sites involves phones. It is generally pretty straightforward for a criminal to circumvent this and have the phone number switched to a cell phone they now own to make this security measure ineffective.
https://www.howtogeek.com/212219/here%E ... ntication/

While it may require slightly more effort on the part of the criminal, they may feel it is worth it if they suspect this will allow them to access a substantial amount of money. It still is better than nothing and might clue you in that something is up, but there are certainly circumstances where by the time you figure out what is going on and successfully contact the right financial institution (especially given all of them may be compromised if you used the same password) it could be too late.

As also noted, if it comes out at some point that you reused the same password in various sites, that would generally give the financial institution potential grounds to refuse to reimburse your losses.
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

JoeRetire wrote: Sun Sep 13, 2020 11:58 am
Kenkat wrote: Sun Sep 13, 2020 11:34 am there are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?
Let me guess: you are a fan of Clint Eastwood.
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
otinkyad
Posts: 305
Joined: Wed Jun 01, 2016 5:35 pm

Re: Security question on one's passwords

Post by otinkyad »

atikovi wrote: Sun Sep 13, 2020 10:28 am I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc. You'd think you were creating a pw to access the site for NORAD, but it's just some internet forum. If I can't use the pw I want, sometimes I just don't join.
atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
It was mostly because emailing passwords was (and to some extent remains) so insecure. The reset keys typically expire after a few minutes, so even if they are compromised they are hard to exploit. We still see repeated compromises of clear text passwords, so obviously not everyone is one-way encrypting them, and as many others here have said, reusing passwords makes it more likely that your password will be compromised by a less secure site.

I used to reuse a throwaway password for low-value sites (like Bogleheads, eh? ;-)), one for personal use and one for work. Both were eventually compromised somewhere, and I discovered that one problem with such reuse is that I had no idea of where I had used it. It's been two years since my work password was compromised, and I am still discovering places where I used it. Even if you don't want to hassle with a third-party password manager, I strongly recommend using the builtin ones (Apple's Keychain, Google's Smart Lock, etc.), so you get password generation (to avoid the nuisance of making up %#&* passwords) and a record of your accounts.
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

warner25 wrote: Sun Sep 13, 2020 12:47 pm
oldfort wrote: Sun Sep 13, 2020 12:41 pm I don't find the rebuttal particularly compelling. Just about any financial Web site will use some form of 2fa authentication.
And the same author's follow-up article is all about MFA vulnerabilities. So defense-in-depth to some degree still matters. https://techcommunity.microsoft.com/t5/ ... a-p/855124
Can you point to any real world examples where a SIM swap was used to compromise someone's bank accounts or investment accounts at major financial institutions?
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
On top of the other critiques of the article, it tends to ignore some of the password cracker options by just mentioning "brute force" and "password spray."

Another definite option for a hacker is "combo attacks" and this means your password can get guessed even if it is not actually reused anywhere else or would theoretically be close to impossible for a true dumb "brute force" attack given its length.
https://arstechnica.com/information-tec ... passwords/

This means among other things if you use a similar password with slight variations on various sites, hackers can definitely potentially use this to figure out your password on multiple websites.

The article is also deceptive in that it seems to assume the site is for sure using strong protective hashing to protect their passwords, when in reality some sites are using really weak hashing such as MD5 & SHA-1, which means for example a hacker can go through a massive list of previously used passwords they got from elsewhere. If anything the difference is today it is possible to guess even faster with newer technology. The problem is you virtually never know for sure how strong the security measures of any site are, and there are also ways to screw up and have left the same password under weaker hashing protections somewhere on the site.

Now there probably is some truth that outright password reuse is the greatest risk, but there absolutely are reasons the best advice is to at least use strong unique passwords for any important site (and ideally all of them) with writing them down conceivably an option if you know how to generate truly strong ones, but a password manager is essentially the best option.
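To make the hashing point above concrete, here is an added illustration (not from the thread or the Microsoft article) using constructed data: a table stored with unsalted MD5 can be audited against a list of previously leaked passwords by plain lookup, and password reuse between accounts is visible in the table itself, whereas a salted, deliberately slow KDF (PBKDF2-HMAC-SHA256 here) gives every record a distinct hash. The user names, passwords and the leaked list are all made up; the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed: a short stand-in for the "massive list of previously used
# passwords" an attacker, or a defender doing a self-audit, might hold.
KNOWN_LEAKED = ["Summer2020", "Fall2020", "password1", "letmein"]


def legacy_hash(password: str) -> str:
    """Unsalted MD5: fast and salt-free, the weak storage the post warns about."""
    return hashlib.md5(password.encode()).hexdigest()


def audit_legacy_table(users: dict[str, str], leaked: list[str]) -> dict[str, str]:
    """Defender-side audit of an unsalted-MD5 user table.

    One hash table built from the leaked list resolves every affected account
    by plain lookup, with no per-user work. Anyone holding the same list can
    do the same, which is exactly why this scheme is a liability.
    Returns {username: leaked_password_in_use}.
    """
    lookup = {legacy_hash(p): p for p in leaked}
    return {user: lookup[h] for user, h in users.items() if h in lookup}


def has_duplicate_hashes(users: dict[str, str]) -> bool:
    """True if two accounts share a stored hash, i.e. password reuse is
    readable straight out of the table. Only unsalted schemes leak this."""
    hashes = list(users.values())
    return len(hashes) != len(set(hashes))


# OWASP Password Storage Cheat Sheet (2023) figure for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def modern_hash(password: str, salt: bytes | None = None) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256.

    Stored as iterations$salt$key (hex) so the parameters travel with the
    record; scrypt or Argon2id would be the usual picks for a new system.
    """
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PBKDF2_ITERATIONS}${salt.hex()}${key.hex()}"


def verify_modern(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt_hex, key_hex = stored.split("$")
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(key.hex(), key_hex)


def demo() -> dict:
    """Constructed user table: alice and bob both picked a leaked password."""
    creds = [("alice", "Summer2020"), ("bob", "Summer2020"), ("carol", "qZ4!wt-Rook-Lantern")]
    legacy_users = {u: legacy_hash(p) for u, p in creds}
    modern_users = {u: modern_hash(p) for u, p in creds}
    return {
        "legacy_hits": audit_legacy_table(legacy_users, KNOWN_LEAKED),
        "legacy_reuse_visible": has_duplicate_hashes(legacy_users),
        "modern_reuse_visible": has_duplicate_hashes(modern_users),
        "alice_verifies": verify_modern("Summer2020", modern_users["alice"]),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```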
hilink73
Posts: 476
Joined: Tue Sep 20, 2016 3:29 pm

Re: Security question on one's passwords

Post by hilink73 »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
No, definitely not.
Never use the same password.


Another nice one from the trenches: password enumeration and counting
You have a password for a certain account like Summer2020? Good chance the next password is Fall2020, Winter2020.
This happens when you force users to change their password regularly. (Which isn't recommended anymore anyway.)


Use strong, different passwords for different sites. A password manager provides for this without much thinking.
Use two factor authentication where possible.
Pro tip: use different email addresses/account names for different sites.

And another edit:
https://haveibeenpwned.com gives you an overview if your account/email address has been leaked.
Last edited by hilink73 on Sun Sep 13, 2020 1:30 pm, edited 2 times in total.
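As an added example (not from the post above), here is the kind of server-side check a change-password form can run to catch the Summer2020 → Fall2020 → Winter2020 rotation just described: it rejects a new password that is a calendar word plus a year, one that only changes digits or punctuation around the same core word, or one within a couple of edits of the old one. The word list, the two-edit threshold and the function names are assumptions chosen for illustration.

```python
from __future__ import annotations

import re

# Calendar words users commonly pair with a year: seasons, months, short months.
CALENDAR_WORDS = (
    "spring|summer|fall|autumn|winter|"
    "january|february|march|april|may|june|july|august|"
    "september|october|november|december|"
    "jan|feb|mar|apr|jun|jul|aug|sep|sept|oct|nov|dec"
)
# Matches "Summer2020", "Fall20", "march2021!" (trailing punctuation allowed).
CALENDAR_YEAR = re.compile(rf"^(?:{CALENDAR_WORDS})\d{{2,4}}[\W_]*$", re.IGNORECASE)


def core_word(password: str) -> str:
    """Lower-case and strip digits/punctuation from both ends, so
    'Summer2020!' and 'Summer2021' both reduce to 'summer'."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), classic O(len(a)*len(b)) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_rotation(old: str, new: str, max_edits: int = 2) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed password change.

    This can only run at change time, when the user has just supplied the
    old password in clear; the stored hash alone cannot be compared this way.
    The forced-rotation policy itself is what NIST SP 800-63B advises against;
    this check limits the damage where such a policy is still in force.
    """
    if new == old:
        return False, "new password is identical to the old one"
    if CALENDAR_YEAR.match(new):
        return False, "season/month followed by a year is a predictable pattern"
    old_core = core_word(old)
    if old_core and old_core == core_word(new):
        return False, "only digits or punctuation changed around the same word"
    if levenshtein(old.lower(), new.lower()) <= max_edits:
        return False, f"within {max_edits} edits of the old password"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("Summer2020", "Fall2020"), ("Password1", "Password2!"),
                     ("Summer2020", "lantern-quartz-velvet-oak")]:
        print(f"{old!r} -> {new!r}: {check_rotation(old, new)}")
```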
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

oldfort wrote: Sun Sep 13, 2020 1:14 pm Can you point to any real world examples where a SIM swap was used to compromise someone's bank accounts or investment accounts at major financial institutions?
There are specific examples out there now.
https://www.bbc.com/news/technology-50043230
https://timesofindia.indiatimes.com/cit ... 793284.cms
https://www.infosecurity-magazine.com/o ... ing-fraud/

While it appears to still be somewhat rare, although catching on in Europe, the question is to what degree do you want to risk it staying this way when there are alternatives to protect yourself?
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

Mordoch wrote: Sun Sep 13, 2020 1:24 pm
oldfort wrote: Sun Sep 13, 2020 1:14 pm Can you point to any real world examples where a SIM swap was used to compromise someone's bank accounts or investment accounts at major financial institutions?
There are specific examples out there now.
https://www.bbc.com/news/technology-50043230
https://timesofindia.indiatimes.com/cit ... 793284.cms
https://www.infosecurity-magazine.com/o ... ing-fraud/

While it appears to still be somewhat rare, although catching on in Europe, the question is to what degree do you want to risk it staying this way when there are alternatives to protect yourself?
Any examples in the US? Would password strength have mattered in any of these cases? If the attackers are able to reset the password, password strength doesn't matter.
otinkyad
Posts: 305
Joined: Wed Jun 01, 2016 5:35 pm

Re: Security question on one's passwords

Post by otinkyad »

oldfort wrote: Sun Sep 13, 2020 12:41 pm I don't find the rebuttal particularly compelling. Just about any financial Web site will use some form of 2fa authentication. For the password to matter at all, they first need to be able to compromise the other factor. This might be accomplished via a SIM Swap attack, but most of these reported cases have been targeted against cryptocurrency whales. There's not much evidence these attacks happen against normal individuals with any frequency.
I've actually found banks to be nearly the worst high-value sites for 2FA, though that may be changing. Ironically, but predictably, they are typically slow to adopt technical best practices. A lot of banks rolled out SMS 2FA *after* the NIST stopped recommending that method. About half my financial institutions still don't support 2FA, and none of them truly support something other than SMS. The only exception may be Capital One, which after being egregiously late to support 2FA, seems to require you to use their mobile banking app for it.

The weak link for 2FA isn't actually SIM swapping, it's your email. When my phone died, I recovered all of my authenticator-based 2FA accounts by getting a reset link in my email. I didn't even need to use the rescue codes the sites offered (which I had). Both 2FA and password managers typically have relatively insecure recovery practices, because in order to be truly secure, they would continually lock people out of their accounts, which would be a support and probably eventually a legal nightmare. (This was one reason why Apple backed off of end-to-end encryption for iCloud backups.)

Still, using 2FA and password managers is much better than not, and a builtin or cloud-based password manager is better than a potentially more secure one you don't actually use or use well, and SMS 2FA is better than avoiding 2FA in order to avoid authenticator apps or security keys.
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

hilink73 wrote: Sun Sep 13, 2020 1:20 pm
And another edit:
https://haveibeenpwned.com gives you an overview if your account/email address has been leaked.
Tried it: my email address was:
Oh no — pwned!

Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)
Am I in any danger in practice now? What should I do?!
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

oldfort wrote: Sun Sep 13, 2020 1:27 pm Any examples in the US?
An assumption that something happening on a measurable scale in a country like Austria could never occur in the US certainly strikes me as a reach.

While a slightly different situation, a SIM swap did apparently end up with a woman having $10,000 in bogus credit card charges in Canada late last year for example.
https://toronto.ctvnews.ca/nurse-scamme ... -1.4690702

Basically assuming the phone's two factor authentication is always going to provide sufficient protection strikes me as a simply unnecessary risk when there are viable precautions you can take.
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

Mordoch wrote: Sun Sep 13, 2020 1:45 pm
oldfort wrote: Sun Sep 13, 2020 1:27 pm Any examples in the US?
An assumption that something happening on a measurable scale in a country like Austria could never occur in the US certainly strikes me as a reach.

While a slightly different situation, a SIM swap did apparently end up with a woman having $10,000 in bogus credit card charges in Canada late last year for example.
https://toronto.ctvnews.ca/nurse-scamme ... -1.4690702

Basically assuming the phone's two factor authentication is always going to provide sufficient protection strikes me as a simply unnecessary risk when there are viable precautions you can take.
It's ridiculous to worry about bogus credit card charges. The information is impossible to protect. Every fast food drive through employee could write down the number, expiration date, and security code. It's trivial to get the credit card companies to reverse charges. It's not clear a stronger password would have done anything in any of these cases anyway. If the attackers can reset the password, the password doesn't matter.
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

Katietsu wrote: Sun Sep 13, 2020 12:17 pm I separate how I handle passwords based on risk to me. I mean how much damage can someone do if they get my Netflix password? Is there some risk here that I am not considering? For that matter, I include credit card companies in the “not overly concerned” category. Don’t get me wrong, I still use a decent password on these sites, though may reuse the password based on category. Now when it comes to my bank and my money, I use a greater level of care.
One possible risk is if they can gain access to enough of these sites, they may accumulate enough info to commit identity theft, or for example figure out your security question answers for your financial sites if you use genuine answers. This can especially be an issue because you may not always realize how much personal info a particular account actually contains.

Now it is fair to say this is generally a lower risk since most hackers like to go after easier targets with less effort, but it still exists. (If you are in a situation where it is potentially known you are significantly financially well off that probably increases the potential risks somewhat.)
Ged
Posts: 3927
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: Security question on one's passwords

Post by Ged »

atikovi wrote: Sun Sep 13, 2020 10:28 am I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc. You'd think you were creating a pw to access the site for NORAD, but its just some internet forum. If I can't use the pw I want, sometimes I just don't join.
Once you start using a password manager it's all cut and paste. It is no more work to use a complex password.

I have had passwords stolen from a variety of sites in the past. Usually on low volume sites where there apparently was a software breach that allowed the hacker access to the password database. The usual result was I lost the account and message history, and got a lot of spam.

Now I make account signups unique. Email, name, password, answers to security questions. All easy to do with a good email service provider and password manager. No loss of accounts since.

Financial hacks have generally been due to stolen credit card numbers. One provider was a giant pain and refused to reimburse my losses until I complained to a State Attorney General.

Local banks are scary sloppy about 2FA. I think they are low hanging fruit right now. It is why I keep a minimal amount of money in my local bank.
Last edited by Ged on Sun Sep 13, 2020 2:25 pm, edited 1 time in total.
RetiredAL
Posts: 1057
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Security question on one's passwords

Post by RetiredAL »

Katietsu wrote: Sun Sep 13, 2020 12:17 pm I separate how I handle passwords based on risk to me. I mean how much damage can someone do if they get my Netflix password? Is there some risk here that I am not considering? For that matter, I include credit card companies in the “not overly concerned” category. Don’t get me wrong, I still use a decent password on these sites, though may reuse the password based on category. Now when it comes to my bank and my money, I use a greater level of care.
+100 to Katietsu.

I, too, don't really care much if my BH type of password is compromised.

I highly care about financial passwords, and my financially used E-mail account.

The next step down is the couple of buying accounts I have. These are always to a Credit Card. Much of my on-line buying is done anonymously.

The rest, IMO, are really immaterial.

What I do HATE is any site that requires the use of an E-mail address for the user-id. Most E-mail addresses are public, easily harvestable, so why give away to any jerk part of your logon credentials. I've been known to not sign up with someone just because they use E-mail addresses as the user name.

Unfortunately, a couple of popular high visibility sites require that e-mail name, so I can't totally close that door. I am a fan of using a different E-mail for financial sites and my Outlook is set up to show me the mail account the e-mail came thru without me needing to open the e-mail. Perfect, no, but it sure quickly highlights phisher scams.

About once a year, I do check my routine E-mail addresses against the known account hacked lists. I did find that there was a name association from a "linkedIn" hack, that I did not create and that it was incomplete as the offender attempting to create the account could not get the verification e-mail needed to fully create the account. So in this case, a known hack did let me know someone had tried to impersonate me. In the real world, LinkedIn is a "I don't care" site.
BolderBoy
Posts: 5056
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Security question on one's passwords

Post by BolderBoy »

oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
Interesting article. About a year old. They use SHA256 to create the password hashes? At least one, much more secure method has been available for some time. The crypto gurus have long ceased recommending the use of SHA256 or SHA512 to create pw hashes for the very reasons cited in the article.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
tuningfork
Posts: 543
Joined: Wed Oct 30, 2013 8:30 pm

Re: Security question on one's passwords

Post by tuningfork »

steve321 wrote: Sun Sep 13, 2020 1:43 pm
hilink73 wrote: Sun Sep 13, 2020 1:20 pm
And another edit:
https://haveibeenpwned.com gives you an overview if your account/email address has been leaked.
Tried it: my email address was:
Oh no — pwned!

Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)
Am I in any danger in practice now? What should I do?!
Depends on which sites were breached, but in general you should change the passwords at those 3 sites (if you haven't already done so after the breach occurred). You should also change the password at any sites where you reused that same password.

EDIT: Each breach lists the compromised data. If it says a password was part of the breach, then you need to change the password at that site. Otherwise, it was a breach of personal data where you might not be able to take any specific action. This is one way your email or phone number get on spam lists.
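The advice above (change the password at each breached site that exposed passwords, and at every site where that password was reused) is mechanical enough to script against a password-manager export. This is an added example, not from the thread: the CSV vault, its column layout, the site names and the per-breach "compromised data" classes are all constructed to mirror what haveibeenpwned reports; in practice you would match breaches to vault entries by domain rather than by display name.

```python
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Constructed password-manager export; the column layout is an assumption.
VAULT_CSV = """name,url,username,password
Hobby Forum,https://forum.example,steve,Summer2020
Streaming,https://stream.example,steve@example.com,Summer2020
Recipe Site,https://recipes.example,steve,Summer2020
Brokerage,https://broker.example,steve321,mKz7-Ferry-Lantern-41
Email,https://mail.example,steve@example.com,Vn2p-Orchard-Mantis-88
Shopping,https://shop.example,steve,Winter2019
"""

# Constructed stand-in for a haveibeenpwned result: breached site -> the
# "compromised data" classes listed for that breach.
BREACHES = {
    "Hobby Forum": {"Email addresses", "Passwords", "Usernames"},
    "Shopping": {"Email addresses", "Phone numbers"},
}


def load_vault(text: str) -> list[dict[str, str]]:
    """Parse the export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def reuse_groups(entries: list[dict[str, str]]) -> dict[str, list[str]]:
    """Passwords used by more than one account -> the accounts sharing them.
    This is the record of 'where did I use it' that the thread says is so
    hard to reconstruct after the fact."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["name"])
    return {p: names for p, names in by_password.items() if len(names) > 1}


def plan_response(entries: list[dict[str, str]], breaches: dict[str, set[str]]) -> dict[str, set[str]]:
    """Split accounts into 'rotate' (password must change: the site leaked
    passwords, or it shares a password with one that did) and 'watch' (in a
    breach that exposed no password; expect spam and phishing, nothing to reset)."""
    password_breached = {site for site, classes in breaches.items() if "Passwords" in classes}
    exposed_passwords = {e["password"] for e in entries if e["name"] in password_breached}
    rotate: set[str] = set()
    watch: set[str] = set()
    for e in entries:
        if e["name"] in password_breached or e["password"] in exposed_passwords:
            rotate.add(e["name"])
        elif e["name"] in breaches:
            watch.add(e["name"])
    return {"rotate": rotate, "watch": watch}


if __name__ == "__main__":
    vault = load_vault(VAULT_CSV)
    for pw, names in reuse_groups(vault).items():
        print(f"reused across {len(names)} accounts: {', '.join(names)}")
    plan = plan_response(vault, BREACHES)
    print("rotate:", sorted(plan["rotate"]))
    print("watch: ", sorted(plan["watch"]))
```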
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

tuningfork wrote: Sun Sep 13, 2020 2:30 pm
steve321 wrote: Sun Sep 13, 2020 1:43 pm
hilink73 wrote: Sun Sep 13, 2020 1:20 pm
And another edit:
https://haveibeenpwned.com gives you an overview if your account/email address has been leaked.
Tried it: my email address was:
Oh no — pwned!

Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)
Am I in any danger in practice now? What should I do?!
Depends on which sites were breached, but in general you should change the passwords at those 3 sites (if you haven't already done so after the breach occurred). You should also change the password at any sites where you reused that same password.
it's not sites, it's email addresses. Does it mean they accessed all the content in my inbox?
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
User avatar
BolderBoy
Posts: 5056
Joined: Wed Apr 07, 2010 12:16 pm
Location: Colorado

Re: Security question on one's passwords

Post by BolderBoy »

RetiredAL wrote: Sun Sep 13, 2020 2:16 pm What I do HATE is any site that requires the use of an E-mail address for the user-id.
Hear! Hear!

Fortunately more-and-more sites are allowing anything as a username so I use KeepassXC to generate two, unique, very complex "passwords" of different lengths. One I use as the username and the other as the password.

The Vanguard website allows this, for example.

Take that, bad guys!

From a programming standpoint, there is no reason to disallow any characters from being used as a password, yet many [most?] sites do have such prohibitions.
"Never underestimate one's capacity to overestimate one's abilities" - The Dunning-Kruger Effect
User avatar
warner25
Posts: 519
Joined: Wed Oct 29, 2014 4:38 pm

Re: Security question on one's passwords

Post by warner25 »

oldfort wrote: Sun Sep 13, 2020 1:27 pm Any examples in the US?
I don't work in the financial industry, so I'm not privy to what isn't available with a web search, and I wouldn't expect to find detailed technical reports in the public domain anyway. With that said, I concur with your sentiment that this would be very rare for a number of reasons, mainly:

1. I suspect that major US financial institutions have the best security in the world; better than most systems and applications in the US DoD (where I do work, and I think you do too). It's all about financial incentives.

2. There is some evidence that even dumb users don't use "123456" or even "Pa$sword1!" on their bank accounts. Again, there are financial incentives, and major US financial institutions won't allow it (because, apparently, they think passwords matter). The well-studied password dumps in the public domain came from places like RockYou, not Fidelity.

Do you really use the same weak password across all your accounts just because you have SMS 2FA turned on?
hilink73
Posts: 476
Joined: Tue Sep 20, 2016 3:29 pm

Re: Security question on one's passwords

Post by hilink73 »

Regarding breaches: do not get fooled by emails like this:

Code:

Hi, I know one of your passwords is: blablah
Your computer was infected with my private malware, your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".
My malware gave me full access to all your accounts (see password above), full control over your computer and it also was possible to spy on you over your webcam.
I collected all your private data and I RECORDED YOU (through your webcam) SATISFYING YOURSELF!
After that I removed my malware to not leave any traces and this email was sent from some hacked server.
I can publish the videos of you and all your private data on the whole web, including the darknet, where the very sick people are, social networks, over email of all contacts.
But you can stop me and only I can help you out in this situation.
Transfer exactly 800$ in bitcoin (BTC).
It's a very good offer, compared to all that horrible shit that will happen if I publish everything!
You can easily buy bitcoin here: www.paxful.com , www.coingate.com , www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger.
You can send the bitcoin directly to my wallet, or create your own wallet first here: www.login.blockchain.com/en/#/signup/ , then receive and send to mine.
My bitcoin wallet is: 18jZzWe4Wv4mUNm93rjeWJscqPdhecwsAY
Copy and paste my wallet, it's (cAsE-sEnSEtiVE)
I give you 3 days time to pay.
As I got access to this email account, I will know if this email has already been read.
If you get this email multiple times, it's to make sure that you read it, my mailer script is configured like this and after payment you can ignore it.
After receiving the payment, I will remove everything and you can life your live in peace like before.
Sorry, next time update your browser before browsing the web!
Mail-Client-ID: 9849878843
Yes, it's probably one of your real passwords. But they didn't get it from hacking your computer; it came from one of those breaches mentioned above.

Just make sure to change your password on the relevant accounts!
Otherwise nothing more to do... especially: do not pay!
RetiredAL
Posts: 1057
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Security question on one's passwords

Post by RetiredAL »

hilink73 wrote: Sun Sep 13, 2020 3:10 pm Regarding breaches: do not get fooled by emails like this:

Code:

Hi, I know one of your passwords is: blablah
Your computer was infected with my private malware, your browser wasn't updated / patched, in such case it's enough to just visit some website where my iframe is placed to get automatically infected, if you want to find out more - Google: "Drive-by exploit".
My malware gave me full access to all your accounts (see password above), full control over your computer and it also was possible to spy on you over your webcam.
I collected all your private data and I RECORDED YOU (through your webcam) SATISFYING YOURSELF!
After that I removed my malware to not leave any traces and this email was sent from some hacked server.
I can publish the videos of you and all your private data on the whole web, including the darknet, where the very sick people are, social networks, over email of all contacts.
But you can stop me and only I can help you out in this situation.
Transfer exactly 800$ in bitcoin (BTC).
It's a very good offer, compared to all that horrible shit that will happen if I publish everything!
You can easily buy bitcoin here: www.paxful.com , www.coingate.com , www.coinbase.com , or check for bitcoin ATM near you, or Google for other exchanger.
You can send the bitcoin directly to my wallet, or create your own wallet first here: www.login.blockchain.com/en/#/signup/ , then receive and send to mine.
My bitcoin wallet is: 18jZzWe4Wv4mUNm93rjeWJscqPdhecwsAY
Copy and paste my wallet, it's (cAsE-sEnSEtiVE)
I give you 3 days time to pay.
As I got access to this email account, I will know if this email has already been read.
If you get this email multiple times, it's to make sure that you read it, my mailer script is configured like this and after payment you can ignore it.
After receiving the payment, I will remove everything and you can life your live in peace like before.
Sorry, next time update your browser before browsing the web!
Mail-Client-ID: 9849878843
Yes, it's probably one of your real passwords. But they didn't get it from hacking your computer; it came from one of those breaches mentioned above.

Just make sure to change your password on the relevant accounts!
Otherwise nothing more to do... especially: do not pay!
My 95 year old Dad got 8 or 10 of these this year before they quit coming. I don't know if the offenders are smart enough to realize there was no acknowledgement thus a waste of their time, or if the spam filters started trapping them at the mail gateways so we never saw them.
MathWizard
Posts: 4388
Joined: Tue Jul 26, 2011 1:35 pm

Re: Security question on one's passwords

Post by MathWizard »

steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
No, passwords must be different.
A breach of one becomes a breach of all.

Use a password manager, and multifactor (preferably not SMS/text based) where possible.
Katietsu
Posts: 4083
Joined: Sun Sep 22, 2013 1:48 am

Re: Security question on one's passwords

Post by Katietsu »

Mordoch wrote: Sun Sep 13, 2020 1:50 pm
Katietsu wrote: Sun Sep 13, 2020 12:17 pm I separate how I handle passwords based on risk to me. I mean how much damage can someone do if they get my Netflix password? Is there some risk here that I am not considering? For that matter, I include credit card companies in the “not overly concerned” category. Don’t get me wrong, I still use a decent password on these sites, though may reuse the password based on category. Now when it comes to my bank and my money, I use a greater level of care.
One possible risk is if they can gain access to enough of these sites, they may accumulate enough info to commit identity theft, or for example figure out your security question answers for your financial sites if you use genuine answers. This can especially be an issue because you may not always realize how much personal info a particular account actually contains.
Interesting thought. I will keep this in mind. But most of these sites will show only my name, address, home phone, and email I use for shopping/forums/streaming services. These things are all publicly available for free. Do a trial with one of the people search sites and you can get my birthday and the last time I got a traffic ticket for free too. Given that these things are plastered everywhere with no access to my logins, I do not see spending more than a moderate amount of effort to protect the accounts. But, because of your response, I will consider if other information that could be leveraged would be available from a given login.
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

warner25 wrote: Sun Sep 13, 2020 2:59 pm
oldfort wrote: Sun Sep 13, 2020 1:27 pm Any examples in the US?
I don't work in the financial industry, so I'm not privy to what isn't available with a web search, and I wouldn't expect to find detailed technical reports in the public domain anyway. With that said, I concur with your sentiment that this would be very rare for a number of reasons, mainly:

1. I suspect that major US financial institutions have the best security in the world; better than most systems and applications in the US DoD (where I do work, and I think you do too). It's all about financial incentives.

2. There is some evidence that even dumb users don't use "123456" or even "Pa$sword1!" on their bank accounts. Again, there are financial incentives, and major US financial institutions won't allow it (because, apparently, they think passwords matter). The well-studied password dumps in the public domain came from places like RockYou, not Fidelity.

Do you really use the same weak password across all your accounts just because you have SMS 2FA turned on?
I use a password manager for most accounts, but for convenience as much as anything else. If the attacker can't get the other factor, the password doesn't matter. If you fall for a phishing attempt, your password doesn't matter. If malware with a key-logger compromises your machine, your password doesn't matter. If the attacker is able to reset your financial site password, your financial site password doesn't matter. If you can avoid using 123456 or any of the other 25 most common passwords, the benefits of added password complexity diminish quickly. Brute force or dictionary attacks on sites with 2FA enabled are very low on the list of threats I would be worried about from a computer security perspective.
User avatar
JoeRetire
Posts: 5988
Joined: Tue Jan 16, 2018 2:44 pm

Re: Security question on one's passwords

Post by JoeRetire »

steve321 wrote: Sun Sep 13, 2020 12:58 pm
JoeRetire wrote: Sun Sep 13, 2020 11:58 am
Kenkat wrote: Sun Sep 13, 2020 11:34 amthere are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?
Let me guess: you are a fan of Clint Eastwood.
Not so much.
It's the end of the world as we know it. | It's the end of the world as we know it. | It's the end of the world as we know it. | And I feel fine.
RetiredAL
Posts: 1057
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Security question on one's passwords

Post by RetiredAL »

BolderBoy wrote: Sun Sep 13, 2020 2:46 pm
RetiredAL wrote: Sun Sep 13, 2020 2:16 pm What I do HATE is any site that requires the use of an E-mail address for the user-id.
Hear! Hear!

Fortunately more-and-more sites are allowing anything as a username so I use KeepassXC to generate two, unique, very complex "passwords" of different lengths. One I use as the username and the other as the password.

The Vanguard website allows this, for example.

Take that, bad guys!

From a programming standpoint, there is no reason to disallow any characters from being used as a password, yet many [most?] sites do have such prohibitions.
It's a throw-back to Ye Olde days. IBM DB2 databases back then used special characters as controls within a database record.
User avatar
warner25
Posts: 519
Joined: Wed Oct 29, 2014 4:38 pm

Re: Security question on one's passwords

Post by warner25 »

oldfort wrote: Sun Sep 13, 2020 4:00 pm I use...
Since you are using a password manager in practice, it appears that we agree more than we disagree. Listing all the attacks in which a strong password doesn't matter does not mean that passwords don't matter. The likelihood of any such attack is low, yes, but we mitigate all sorts of low probability threats if the mitigation is cheap and easy (buying term life insurance, wearing a seat belt, using a password manager, etc.).

My one remaining quibble is that avoiding just the top 25 worst passwords is still not good enough. With a stolen password database, even with a large salt and slow hash function, an attacker can compute a lot of hashes. The last time I played with John the Ripper and hashcat, it was trivial to get a password dictionary with a few hundred thousand strings and then compute millions of some hashes per second on a commodity laptop.
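Added example (not code from any poster here) illustrating two points made in this thread: BolderBoy's remark that plain SHA256 is no longer recommended for password storage, and the observation just above that an attacker holding a stolen hash database can run a dictionary through it quickly. The script builds a constructed "stolen" table of salted hashes for three made-up users, runs a tiny constructed wordlist against it with both a single salted SHA-256 and PBKDF2-HMAC-SHA256, and measures the per-guess cost of each. The iteration count is an assumption for illustration, not a recommendation.

```python
import hashlib
import os
import time
from typing import Callable, Dict, List, Tuple

Hasher = Callable[[str, bytes], bytes]

# Constructed wordlist. A real dictionary attack uses hundreds of thousands of entries
# (the public RockYou dump mentioned in the thread, for instance).
WORDLIST: List[str] = ["123456", "password", "qwerty", "letmein", "Pa$sword1!", "dragon"]

# Constructed users of the "breached" site. Two chose dictionary words; the third
# pasted random output from a password manager.
USERS: Dict[str, str] = {"alice": "123456", "bob": "letmein", "carol": "vK8#p2Qz!m7Lw$Rt"}

PBKDF2_ITERATIONS = 100_000  # assumption for illustration; production values are tuned per deployment


def sha256_hash(password: str, salt: bytes) -> bytes:
    """Salted single SHA-256: one cheap hash per guess for the attacker too."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()


def pbkdf2_hash(password: str, salt: bytes) -> bytes:
    """Iterated KDF: every guess costs the attacker PBKDF2_ITERATIONS HMAC operations."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_stolen_db(users: Dict[str, str], hasher: Hasher) -> Dict[str, Tuple[bytes, bytes]]:
    """What an attacker walks away with: username -> (per-user salt, hash). No plaintext."""
    stolen: Dict[str, Tuple[bytes, bytes]] = {}
    for user, password in users.items():
        salt = os.urandom(16)
        stolen[user] = (salt, hasher(password, salt))
    return stolen


def crack(stolen: Dict[str, Tuple[bytes, bytes]], hasher: Hasher,
          wordlist: List[str]) -> Dict[str, str]:
    """Offline dictionary attack. The salt does not slow a single-target attack; it only
    defeats precomputed tables and forces one hash per (user, word) instead of one per word."""
    cracked: Dict[str, str] = {}
    for user, (salt, digest) in stolen.items():
        for word in wordlist:
            if hasher(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


def guesses_per_second(hasher: Hasher, seconds: float = 0.2) -> float:
    """Rough single-core guess rate for a hasher. GPU crackers such as hashcat are
    orders of magnitude faster than this, but the ratio between hashers carries over."""
    salt = b"\x00" * 16
    n = 0
    deadline = time.perf_counter() + seconds
    while time.perf_counter() < deadline:
        hasher("benchmark", salt)
        n += 1
    return n / seconds


if __name__ == "__main__":
    for name, hasher in (("sha256", sha256_hash), ("pbkdf2", pbkdf2_hash)):
        stolen = build_stolen_db(USERS, hasher)
        t0 = time.perf_counter()
        found = crack(stolen, hasher, WORDLIST)
        print(f"{name:7s} cracked {found} in {time.perf_counter() - t0:.3f}s, "
              f"~{guesses_per_second(hasher):,.0f} guesses/s")
```

Both runs recover alice and bob and fail on carol; the difference is that the PBKDF2 run is slower by roughly the iteration count, which is the whole point of a slow KDF. A random 16-character password is out of reach of either wordlist, which is the argument for a password manager rather than for any particular hash on the server side.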
User avatar
tuningfork
Posts: 543
Joined: Wed Oct 30, 2013 8:30 pm

Re: Security question on one's passwords

Post by tuningfork »

steve321 wrote: Sun Sep 13, 2020 2:39 pm
tuningfork wrote: Sun Sep 13, 2020 2:30 pm
steve321 wrote: Sun Sep 13, 2020 1:43 pm
hilink73 wrote: Sun Sep 13, 2020 1:20 pm
And another edit:
https://haveibeenpwned.com gives you an overview of whether your account/email address has been leaked.
Tried it: my email address was:
Oh no — pwned!

Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)
Am I in any danger in practice now? What should I do?!
Depends on which sites were breached, but in general you should change the passwords at those 3 sites (if you haven't already done so after the breach occurred). You should also change the password at any sites where you reused that same password.
it's not sites, it's email addresses. Does it mean they accessed all the content in my inbox?
No, it means they have your email address correlated with whatever other info is listed. For example, one of my breaches at haveibeenpwned says "Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses" so they have my name, phone number, physical address and email address. If a hacker finds my email address at some other breach, and if they can get the data from this breach, they now know much more about me than my email address alone.

Another one of my breaches says "Compromised data: Email addresses, Passwords, Usernames" so they potentially have my username and password for that site (which I have since changed) associated with my email address. Someone may be able to find more about me at other sites where I used that same email address, and if I used that password at another site they might be able to login pretending to be me.

Since some of these breaches match email address to personal info like name, address, phone, employer, DOB, etc. I use a different email address for accounts where I want to remain as anonymous as possible. Here at bogleheads, for example, I don't want anyone to know exactly who I am, so my email address registered at bogleheads is an anonymous email that I never associate with my real info. If bogleheads (or another site where I used that email to remain anonymous) were to be breached, nobody could trace back to the real me. That's the plan, anyway.
oldfort
Posts: 1905
Joined: Mon Mar 02, 2020 8:45 pm

Re: Security question on one's passwords

Post by oldfort »

warner25 wrote: Sun Sep 13, 2020 4:37 pm
oldfort wrote: Sun Sep 13, 2020 4:00 pm I use...
Since you are using a password manager in practice, it appears that we agree more than we disagree. Listing all the attacks in which a strong password doesn't matter does not mean that passwords don't matter. The likelihood of any such attack is low, yes, but we mitigate all sorts of low probability threats if the mitigation is cheap and easy (buying term life insurance, wearing a seat belt, using a password manager, etc.).

My one remaining quibble is that avoiding just the top 25 worst passwords is still not good enough. With a stolen password database, even with a large salt and slow hash function, an attacker can compute a lot of hashes. The last time I played with John the Ripper and hashcat, it was trivial to get a password dictionary with a few hundred thousand strings and then compute millions of some hashes per second on a commodity laptop.
Here's how I would look at it from a probability perspective:
P(A) - probability hacker bypasses two-factor authentication using a SIM swap = extremely low
P(B) - probability hacker steals password database from a major financial institution = extremely low (as far I know this has never happened)
P(C|A) - probability hacker can't reset my password given a SIM swap already happened to allow the 2FA bypass = low
P(D) = probability password matters = P(A)*P(B)*P(C|A) = negligible
User avatar
tuningfork
Posts: 543
Joined: Wed Oct 30, 2013 8:30 pm

Re: Security question on one's passwords

Post by tuningfork »

RetiredAL wrote: Sun Sep 13, 2020 4:14 pm
BolderBoy wrote: Sun Sep 13, 2020 2:46 pm
RetiredAL wrote: Sun Sep 13, 2020 2:16 pm What I do HATE is any site that requires the use of an E-mail address for the user-id.
Hear! Hear!

Fortunately more-and-more sites are allowing anything as a username so I use KeepassXC to generate two, unique, very complex "passwords" of different lengths. One I use as the username and the other as the password.

The Vanguard website allows this, for example.

Take that, bad guys!

From a programming standpoint, there is no reason to disallow any characters from being used as a password, yet many [most?] sites do have such prohibitions.
It's a throw-back to Ye Olde days. IBM DB2 databases back then used special characters as controls within a database record.
Not just DB2. Depending on what software stack is used, there could be all sorts of restrictions that make using certain characters difficult enough that the programmers throw up their hands. Single and double quotes and backslashes are often quite problematic to handle correctly (especially by rookie programmers), and a simple parsing bug could become a huge security flaw. Much safer to just prohibit those characters in user names if such a software stack is being used.

EDIT: but I agree passwords should have few if any restrictions, since the site should only be storing a hash and not the actual characters of the password.

Relevant xkcd:
Image
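Added example (not from any poster in this thread) showing the two designs the last few posts contrast. The "legacy" half stores plaintext and splices user input into SQL, which is exactly why such a site ends up banning quotes; the hardened half uses a parameterised query and stores only a salted PBKDF2 hash, so any character the user types is fine because the server never parses the password. Everything is constructed and runs in an in-memory SQLite database; the iteration count is an assumption for illustration.

```python
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption for illustration; tune to your hardware
TRICKY_PASSWORD = "it's \"complicated\" \\ ; -- ok"  # constructed: quotes, backslash, comment marker


# --- Legacy design: deliberately vulnerable, constructed for contrast -------------------

def make_legacy_db() -> sqlite3.Connection:
    """Plaintext passwords plus string-built SQL, with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    return conn


def login_legacy(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """VULNERABLE: user input is pasted into the SQL text."""
    query = (f"SELECT 1 FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    try:
        return conn.execute(query).fetchone() is not None
    except sqlite3.OperationalError:
        return False  # a legitimate password containing a quote simply breaks the query


# --- Hardened design --------------------------------------------------------------------

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Any Unicode string works: it is bytes to the KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, "
                 "salt BLOB NOT NULL, hash BLOB NOT NULL)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    salt, digest = hash_password(password)
    # Parameters are bound by the driver, never interpolated into the SQL string.
    conn.execute("INSERT INTO users (username, salt, hash) VALUES (?, ?, ?)",
                 (username, salt, digest))


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT salt, hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        hash_password(password, b"\x00" * 16)  # same cost as a real check: no user-enumeration timing oracle
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def demo_db() -> sqlite3.Connection:
    """Hardened database with one constructed user whose password is full of metacharacters."""
    conn = make_db()
    register(conn, "alice", TRICKY_PASSWORD)
    return conn


if __name__ == "__main__":
    legacy = make_legacy_db()
    print("legacy, real password:   ", login_legacy(legacy, "alice", "correct horse"))
    print("legacy, injection string:", login_legacy(legacy, "alice", "' OR '1'='1"))
    hardened = demo_db()
    print("hardened, tricky password:", login(hardened, "alice", TRICKY_PASSWORD))
    print("hardened, injection string:", login(hardened, "alice", "' OR '1'='1"))
```

The legacy login accepts `' OR '1'='1` as alice's password because the spliced string turns the WHERE clause into `password = '' OR '1'='1'`; the hardened login treats the same string as just another wrong password, and happily accepts a real password containing quotes, a backslash and a SQL comment marker.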
TallBoy29er
Posts: 1025
Joined: Thu Jul 18, 2013 9:06 pm

Re: Security question on one's passwords

Post by TallBoy29er »

wander wrote: Sun Sep 13, 2020 11:22 am
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
What you do is up to you, all true :sharebeer

That said, the advice is objectively very poor. I thought it was good for Op to know that.
User avatar
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

tuningfork wrote: Sun Sep 13, 2020 4:49 pm
steve321 wrote: Sun Sep 13, 2020 2:39 pm
tuningfork wrote: Sun Sep 13, 2020 2:30 pm
steve321 wrote: Sun Sep 13, 2020 1:43 pm
hilink73 wrote: Sun Sep 13, 2020 1:20 pm
And another edit:
https://haveibeenpwned.com gives you an overview of whether your account/email address has been leaked.
Tried it: my email address was:
Oh no — pwned!

Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)
Am I in any danger in practice now? What should I do?!
Depends on which sites were breached, but in general you should change the passwords at those 3 sites (if you haven't already done so after the breach occurred). You should also change the password at any sites where you reused that same password.
it's not sites, it's email addresses. Does it mean they accessed all the content in my inbox?
No, it means they have your email address correlated with whatever other info is listed. For example, one of my breaches at haveibeenpwned says "Compromised data: Email addresses, Employers, Job titles, Names, Phone numbers, Physical addresses" so they have my name, phone number, physical address and email address. If a hacker finds my email address at some other breach, and if they can get the data from this breach, they now know much more about me than my email address alone.

Another one of my breaches says "Compromised data: Email addresses, Passwords, Usernames" so they potentially have my username and password for that site (which I have since changed) associated with my email address. Someone may be able to find more about me at other sites where I used that same email address, and if I used that password at another site they might be able to login pretending to be me.

Since some of these breaches match email address to personal info like name, address, phone, employer, DOB, etc. I use a different email address for accounts where I want to remain as anonymous as possible. Here at bogleheads, for example, I don't want anyone to know exactly who I am, so my email address registered at bogleheads is an anonymous email that I never associate with my real info. If bogleheads (or another site where I used that email to remain anonymous) were to be breached, nobody could trace back to the real me. That's the plan, anyway.
Thank you. I don't get any of the detailed information that you mention on haveibeenpwned: when I click on the word 'breached' in their sentence 'Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)' I just get to a page with a definition of breach (which I don't fully grasp btw). But I don't get any kind of specific information like you mention, of the type "Compromised data: Email addresses, Passwords, Usernames". Not sure why and what to do now... Perhaps I'll just change my email password...
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
Bridgebumbob
Posts: 9
Joined: Thu Aug 20, 2020 12:12 am

Re: Security question on one's passwords

Post by Bridgebumbob »

I have been using a variety of similar passwords for a number of Non-Financial accounts and individual strong passwords for financial accounts including 2-factor authentication, account lockdown and e-mail notification when any transaction is made, including transactions when credit card is not present.

Is this adequate?
Also, does Fidelity or Vanguard require you to periodically change passwords anyway?
User avatar
oldcomputerguy
Moderator
Posts: 9450
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: Security question on one's passwords

Post by oldcomputerguy »

I'll echo the sentiment of those who use KeePass. I use it here at home, and chose that over options that store their databases in the cloud precisely because I saw storing my password database in the cloud as itself an unnecessary exposure to risk of cracking. My database is stored on an external drive on my home network.

I have not experimented with this, but I have also read that KeePass (through appropriate add-ons) can provide protection of the password database by means of a Yubikey device. Since I have not investigated, I can't say for sure, but it seems to me that this would provide an extra layer of protection for your password database.

I'll also echo the sentiment that it is a very bad idea to use the same password for multiple sites that access critical information. I confess that I do use the same "throw-away" password for some non-critical sites (such as sites which I access for entertainment value), but my critical passwords (investment accounts, bank accounts, Medicare / Social Security accounts, medical providers, basically anything involving money or personal information) all have unique and complex passwords stored in the KeePass database.
"I’ve come around to this: If you’re dumb, surround yourself with smart people; and if you’re smart, surround yourself with smart people who disagree with you." (Aaron Sorkin)
User avatar
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

oldcomputerguy wrote: Mon Sep 14, 2020 4:42 am I'll echo the sentiment of those who use KeePass. I use it here at home, and chose that over options that store their databases in the cloud precisely because I saw storing my password database in the cloud as itself an unnecessary exposure to risk of cracking. My database is stored on an external drive on my home network.

I have not experimented with this, but I have also read that KeePass (through appropriate add-ons) can provide protection of the password database by means of a Yubikey device. Since I have not investigated, I can't say for sure, but it seems to me that this would provide an extra layer of protection for your password database.

I'll also echo the sentiment that it is a very bad idea to use the same password for multiple sites that access critical information. I confess that I do use the same "throw-away" password for some non-critical sites (such as sites which I access for entertainment value), but my critical passwords (investment accounts, bank accounts, Medicare / Social Security accounts, medical providers, basically anything involving money or personal information) all have unique and complex passwords stored in the KeePass database.
Do you think it's ok to use KeePass (besides using it on a PC) also on one's smartphone, as I found
There are no official mobile apps for KeePass, but ...unofficial ports for Android
and eventually on Chromebook?
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
User avatar
oldcomputerguy
Moderator
Posts: 9450
Joined: Sun Nov 22, 2015 6:50 am
Location: In the middle of five acres of woods in East Tennessee

Re: Security question on one's passwords

Post by oldcomputerguy »

steve321 wrote: Mon Sep 14, 2020 5:16 am Do you think it's ok to use KeePass (besides using it on a PC) also on one's smartphone, as I found
There are no official mobile apps for KeePass, but ...unofficial ports for Android
and eventually on Chromebook?
I myself couldn't say, I've never tried to use it on any device other than my home Linux PC. I don't know from firsthand knowledge where the iPhone version or the Chromebook version stores its database. Sorry.
"I’ve come around to this: If you’re dumb, surround yourself with smart people; and if you’re smart, surround yourself with smart people who disagree with you." (Aaron Sorkin)
User avatar
tuningfork
Posts: 543
Joined: Wed Oct 30, 2013 8:30 pm

Re: Security question on one's passwords

Post by tuningfork »

steve321 wrote: Mon Sep 14, 2020 1:27 am Thank you. I don't get any of the detailed information that you mention on haveibeenpwned: when I click on the word 'breached' in their sentence 'Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)' I just get to a page with a definition of breach (which I don't fully grasp btw). But I don't get any kind of specific information like you mention, of the type "Compromised data: Email addresses, Passwords, Usernames". Not sure why and what to do now... Perhaps I'll just change my email password...
The details about each breach are lower on the page. Scroll down and you should see them. Hope that helps.
Mordoch
Posts: 430
Joined: Sat Mar 10, 2007 11:27 am

Re: Security question on one's passwords

Post by Mordoch »

steve321 wrote: Mon Sep 14, 2020 5:16 am Do you think it's ok to use KeePass (besides using it on a PC) also on one's smartphone, as I found
There are no official mobile apps for KeePass, but ...unofficial ports for Android
and eventually on Chromebook?
I use it on my smartphone and find it works fine. Basically, since it's open source, the major ports for Android are fine and get plenty of scrutiny.
User avatar
Topic Author
steve321
Posts: 706
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

tuningfork wrote: Mon Sep 14, 2020 10:43 am
steve321 wrote: Mon Sep 14, 2020 1:27 am Thank you. I don't get any of the detailed information that you mention on haveibeenpwned: when I click on the word 'breached' in their sentence 'Pwned on 3 breached sites and found 1 paste (subscribe to search sensitive breaches)' I just get to a page with a definition of breach (which I don't fully grasp btw). But I don't get any kind of specific information like you mention, of the type "Compromised data: Email addresses, Passwords, Usernames". Not sure why and what to do now... Perhaps I'll just change my email password...
The details about each breach are lower on the page. Scroll down and you should see them. Hope that helps.
Yes, thanks for your help. They have my email address and password :(
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde