Passwords, Internet Security and Website Hack - Suggestions?

I run a few core passwords that are reasonably long and strong. Albeit eventually I do recycle here and there. Recently read this article and tried the haveibeenpwned link:

www.news.com.au/technology/online/hacking/change-your-email-…

https://haveibeenpwned.com/

My hotmail address I've had since the 2000s came up with several leaks, my gmail luckily none. These included:

dailymotion, Exploit.In (combination list), linkedin, gPotato (I have NFI when I signed up to this gaming site??), Heroes of Newerth (played like 1 game…), myspace and even my old, old school neopets has come back to haunt me…

Now I'm no internet-savvy user, but can someone explain what these mean? Does the website confirm that your email address is actually in the lists of those hacked/released websites, and therefore are the passwords from those websites back then on the web? In which case I can't even remember what I used for myspace or neopets, but I would have to change it?

Apart from changing passwords what can I do now? Should I ditch the hotmail address? It gets less of the personal, sensitive stuff but it gets a lot of 'everything else' so it would be hard to just switch over. I'm worried old connections could use it to get in touch in 20, 30 years as well…

People mention using password managers where you enter one long password to access all your others. But how can one practically use this where you may not be at your home computer? Is there a password manager that's free or affordable that can be accessed from your phone app, through the cloud, as well as on your hard drive, so that you can always find passwords? Otherwise if you're on holidays or on the go it could be detrimental to not be able to access your accounts when you can't even remember the password?

What's the best way to go from here? What needs to be changed or done - what do most do with their passwords and getting new ones generated, and in a way that you can easily remember or call them up on the go i.e. overseas, on other people's computers etc, or even when no internet access is available?

Comments

  • +1

    People hack your accounts using details and profiles you provided on other sites. If your passwords are the same for several sites, that opens you up to a lot of hacking vulnerabilities.

    Let's say I pwned Neopets, your embarrassing high school hobby site.

    I discover that your username is SaberX, your hotmail address is [email protected], what your real name could be, your password is Hunter2, you live in city Sydney and you are born in year XXXX (birth date info).

    I can go around testing other sites now! There are 1000s of possible websites I could pwn next, so I write an automated script with all your details, then the script methodically tests all possible combinations of your information on MySpace, Facebook, email and so on. Eventually, one or two of these will result in a hit (if your password is the same). If I'm able to access your email, I can take control of all of your personal information — I can reset passwords to websites for example.

    To make things harder for hackers, you would use different passwords for every site you visit (but difficult for yourself to remember); hence password managers make the process simpler by autofilling passwords for the sites you visit.

    • +1

      Different emails for each site.

      • Different emails per website you sign up to? There'd be a million membership accounts, websites, and other things - how could one practically create a new email for each?

        • +1

          @John Kimble:

          Interesting. Vaguely rings a bell…

          " [email protected] then use [email protected]"

          So from the linked post, you're saying if I use [email protected] to sign up to websites going forward with [email protected]?

          So I can write whatever I want after the "+" and emails will still go to [email protected]? But won't this only identify who sold me out, and in the end spam will still get redirected to the mailbox?

          Not only that, if websites get pwned and my email address is released surely they will know my email address by removing the "+" and whatever is written after, given they would likely know this trick? So it doesn't necessarily help with the hacking/security side of things, right?

        • @SaberX: Yes, this is just an option to prevent having to create an email address per website.

        • +1

          @John Kimble:

          Thanks, will use this going forward to see who sells me out. Solved another issue I guess haha. I signed up for I reckon comparethemarket or some other site (maybe those dodgy mystery shopper ones) and have been plagued with dodgy emails each day. Otherwise my spam's fine. I recognise the fake name but can't remember the bugger that sold me out. So this will be great!
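The plus-address tagging discussed in the replies above (sign up as user+sitename, then see which tag the unwanted mail arrives on), as an added Python example that is not code from the thread; the mailbox name, addresses and To: headers are constructed for illustration:

```python
"""Plus-address tagging: split user+tag@domain into the real mailbox and the
per-site tag, then tally which tags unwanted mail arrives on.
Added example, not from the thread; all addresses below are constructed."""
from collections import Counter
import re

# Loose shape of an address: local part, optional "+tag", domain.
_ADDR_RE = re.compile(r"^(?P<local>[^+@\s]+)(?:\+(?P<tag>[^@\s]*))?@(?P<domain>[^@\s]+)$")


def split_plus_tag(addr):
    """Return (base_address, tag) for a plus-addressed mailbox.

    'saberx+neopets@example.com' -> ('saberx@example.com', 'neopets')
    'saberx@example.com'         -> ('saberx@example.com', None)
    """
    m = _ADDR_RE.match(addr.strip().lower())
    if not m:
        raise ValueError(f"not an email address: {addr!r}")
    base = f"{m.group('local')}@{m.group('domain')}"
    return base, m.group("tag")


def normalise(addr):
    """Strip the tag. This is the caveat raised in the thread: the tag tells
    you which site passed the address on, it does not hide the real mailbox,
    because anyone holding a leaked list can drop the '+tag' just as easily."""
    return split_plus_tag(addr)[0]


def who_leaked(to_headers, mailbox):
    """Tally which signup tags unwanted mail was addressed to.

    to_headers: iterable of raw To: header values (constructed sample data).
    mailbox: the real address, e.g. 'saberx@example.com'.
    Returns Counter({tag: count}); mail sent to the bare address is counted
    under None, i.e. the sender already had the untagged address.
    """
    counts = Counter()
    for hdr in to_headers:
        base, tag = split_plus_tag(hdr)
        if base == mailbox:
            counts[tag] += 1
    return counts


# Constructed sample To: headers as they might appear in a spam folder.
SAMPLE_TO_HEADERS = [
    "SaberX+mysteryshopper@example.com",
    "saberx+mysteryshopper@example.com",
    "saberx+neopets@example.com",
    "saberx+mysteryshopper@example.com",
    "saberx@example.com",               # tag already stripped by the sender
    "someoneelse+neopets@example.com",  # not our mailbox, ignored
]

if __name__ == "__main__":
    for tag, n in who_leaked(SAMPLE_TO_HEADERS, "saberx@example.com").most_common():
        print(f"{tag or '<no tag>'}: {n}")
```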

    • So if I am listed on 6 different sites per haveibeenpwned - does this mean they are likely able to gather all 6 lists, pair up all the different details e.g. real name from neopets, address from linkedin, and build an assault on your email address that way?

      In which case is the only real way to solve this to begin with a fresh email address so that the ultimate email password recovery route can't be hijacked? As assumedly if they garner enough details they could password reset your website accounts, but the recovery email typically needs an email to the old email to be confirmed? So the ultimate holy grail is safeguarding your linked email?

      So all this is automated to test 1000s of websites to see what they can fish? So going forward - what is the best way to safeguard details? If sites like linkedin are compromised the concern is even facebook or other large sites like paypal which have more personal details than neopets: addresses, phone numbers etc. can be compromised?

      Would one revolve and create a system of creating new email addresses every few years? What would one recommend? And how does one 'respond' if various details are leaked on some websites, assumedly your address may be out there already, which can't be easily changed? So are you already screwed?

      So far all the compromised sites are generally usernames, passwords etc. The "gPotato" one has the following:

      "Compromised data: Dates of birth, Email addresses, Genders, IP addresses, Names, Passwords, Physical addresses, Security questions and answers, Usernames, Website activity"

      Does haveibeenpwned actually check what compromised data exists for me specifically?? or does it list all the 'compromised data' types that all people in the breach/leak suffered - so it doesn't necessarily mean all of this same info for myself is out there?

      Re: Password managers:

      Wouldn't having one password for the manager be risky? And again my worry is when you're on your mobile, travelling offline overseas or on someone else's computer and generally not at home, how does one easily access and retrieve passwords on the fly if you make a password manager store complex passwords? Currently I remember 5-6 strong passwords which have 10+ characters, numbers, sometimes symbols, but it means I can log in to a website or account instantly rather than having to dig up the password. My worry is I don't want anyone who gains my phone or computer the ability to go to a website and have the password manager automatically fill in the password. But I assume by switching that off the double-edged sword is you will have to retrieve the complex password every time you visit the website??

      • Re: Password managers — there are two threads over at 1P you may be really interested in:

        How is this safe anyway?

        We frequently hear "I have a strategy for creating passwords" as counterarguments against using a password manager at all. Some people have very clever ways of creating passwords that they can remember. Often these are better than the typical weak passwords most people use — and reuse…

        and

        What is the weakest link?

        As a natural skeptic, my main concern was putting all my eggs in one basket, though operating on a desktop and after everything I've read thus far gives me hope. I just want to clarify that I'm not 'missing the point' somewhere…

      • It's less risky than having identical passwords.

        I recommend that you don't keep the login details for the email address you have linked to the password manager within the password manager itself. If you did and the password manager account did get hacked, you could potentially lose control over the manager software and it would be that much harder to wrest control back.

        Getting a phone with a fingerprint scanner makes using a password manager a breeze.

  • Yes, haveibeenpwned checks your email address against a database of known mass user detail breaches, and it should tell you what kind of information was leaked from each site. Sometimes it's limited to just usernames, sometimes it's the whole shebang i.e. usernames, passwords, addresses. If it says you've been hit, then depending on how bad the leak was for that site, those details are somewhere online publicly accessible.

    Do you have to change it? Well if you don't care about your myspace or neopets then probably not. Just be careful if you left any information in those accounts they could use to try to impersonate you.

    Not ditching the email has its risks. Even with the password changed, they could still try to use what details they have to gain access into accounts, such as attempting to abuse a forgotten password process on one of the sites to gain more access to your accounts. That's up to you really.

    I believe there are password managers across all devices. But I don't personally know of any.

    • So haveibeenpwned is completely accurate in that it will tell me exactly all the details leaked? So if it lists it there then I can assume it's compromised?

      My main worry is neopets and myspace are pre 2010. I can't even remember my password. So I guess if I can't remember if it is a common password still being used now on other websites - would my risk be that they could match emails and the myspace/neopets compromised passwords to gain access to a host of other websites? I assume these are all automated so will they try your typical facebook, linkedin, video sites, email addresses, other commonly frequented sites etc. to try and find username and password combinations that match what they've gotten from the hacked websites?

      Can you please explain why not ditching the email is a risk? If I change and get a new set of passwords for all my websites and accounts would it not be irrelevant if I am still using my old email? Or is it because it forms the 'username' typically?

      • Well there's always room for error, but haveibeenpwned is based on what was publicly revealed and known about the breach. If it's listed there, it's almost certainly compromised.

        And yes, that's exactly the risk you're facing. Someone can try your myspace username and password for example and get access to other sites where you've used the same details. Happened to me, someone got my minecraft account because it had the same email and password as a site that haveibeenpwned shows me as hit.

        The risk with your email is that if they gather enough information about you, they could use that information to get access to your email. Say they get access to another account where you've listed your name, address, maybe even a secret question and answer, they could contact hotmail pretending to be you and get a new password sent to them. Now they've got your email, they can reset all your passwords on all your other websites.

  • +2

    Start here: https://xkcd.com/936/

    Back? Good. Now that you understand how the complexity of a password is best increased by LENGTH and not symbols/caps/numbers etc, here is my password solution:

    • One master password. Six or more letters, and at least one each of a number and symbol. Being at least eight long will cross the hurdle of 'too short password' on almost all sites. Feel free to increase this if you like.
    • Append the website NAME to the end (or start)
    • You now only remember one master password, and you can already see the name of the site you are on. Complex for cracking, easy to remember.
    • Always use two factor authentication where available. Chrome/Gmail is critical as I'm using Chrome's password manager to save my passwords, so this 2FA becomes my 'master key' to access the rest of my passwords.
    • Use Authy for 2FA syncing and backup. If I don't have my phone I can still login to do banking at my work PC, for example. And I can always remotely deauthorise an Authy install if my phone is compromised.

    Am I at risk if the webmaster fails in their encryption? Yes, same as before, but now that specific password is unique and will not work across other site accounts.

    And remember, even though you got red-flagged on your email address, if your password is already changed then there is no more risk to you. And if you don't remember your password for neopets, there's a good chance you're no longer using it anyway, so it won't be a risk to unauthorised access on other accounts.

  • -2

    Use a simple password (few characters and number will do), don't recycle passwords, i.e. the password that you use in hotmail/gmail, don't use it on your ozb site. End of story.

  • +1

    I run a few core passwords that are reasonably long and strong. Albeit eventually I do recycle here and there

    Why aren't you using a password manager?

    Lastpass is a password manager that is free to use on one device, 12 USD annually otherwise.

    Keepass is a free open source password manager that you can use anywhere and sync with dropbox to use across all your devices. I believe (but have not used) there are browser extensions to auto fill using Keepass so it will be like Lastpass.

    Use a simple password (few characters and number will do)

    That is terrible advice due to the army of brute forcing bots that guess passwords on pretty much any service you want.

    • The reason a password manager always put me off was because, before using it, I thought about it practically - if I have one master password, and passwords vaulted away behind it, how do I easily retrieve these passwords when I could be trying to access websites and accounts on any device or anywhere in the world? It seemed easier that for ad hoc checks of emails, websites I visit, banking etc. I could revolve say 6-8 strong passwords. The other worry was what if the password manager is compromised?

      Maybe I don't understand it well, I thought you have to open a program to see your list of passwords, so it seemed very time consuming. For example if you're on mobile and not a desktop. You may be out of internet connection or at a friend's house and just want your master list of passwords without compromising it and trying to open it on their computer?

      Lastly, I may not understand how password managers work well, but the idea of it prefilling into websites I visit worried me for when I'm away from the computer: won't someone be able to - similar to 'save my password' on websites - get easy access to my favourite websites?

      Or have I completely misunderstood password managers and how they work, and how easily they can be accessed from whatever device or place you are at?

      • I believe there are a handful of truly very good password managers in terms of strong security AND convenience, but I'm only familiar with 1Password.

        Their video on the homepage explains the benefits much more eloquently than many of us could — https://1password.com

    • You are better off with longer passwords using unrelated words than you are with shorter passwords with numbers and symbols.
      http://preshing.com/20110811/xkcd-password-generator/

    • LastPass is free for multi devices as well so you won't need the Premium version unless you need to share your passwords with family members.

      It also has a mobile app so you can still login from your phone (even protected by your fingerprint).

      As for using it in third-party computers, I don't know about you but I'll NEVER use a third-party computer (I don't even use public WiFi without VPN) so it won't be a problem.

  • So theoretically - does subscribing to haveibeenpwned notifications for being compromised by definition increase your exposure too? Because if they are hacked they will have a list of emails too, albeit no names etc - but do things like this increase the 'risk' of your cyber profile being slowly built up online?

    Or no risk with subscribing to notifications for a site like this? They only ask for email after all..

    • Man, you are going full paranoid right now aren't you? :p

      • Haha, tbh I was just curious on what constitutes risk now…

        At least if I know the answer to this q, I know what not to divulge (where possible).

        This raises some interesting q's, if it isn't paypal and essential services, putting a fake address and birthday would surely be 'safer' going forward?

    • Little risk. If your email address isn't on their hacked list already and they get hacked, the perpetrators will only get your email address. It might put you at increased risk of getting SPAM or phishing emails sent to you, but that's about it.

      If your email address is already on their hacked list, then that information can probably still be found on the internet somewhere, so the risk doesn't really increase from that point of view.

  • +1

    1password. Desktop and mobile apps. One-off payment, and syncs via a cloud service like Dropbox. There are free versions of password managers but I prefer 1password.

    • +1

      Oh, and if your mobile has a fingerprint reader it can use that.

      • But then his fingerprint might get compromised!

        • +1

          I'm sure you meant that in jest, but out of curiosity I looked up "apple secure enclave" (I don't know what mobile devices OP actually has) and found "What code is running on Apple's Secure Enclave security chip? Now we have a decryption key…"

          TLDR version:

          "This key being available does not reduce security of the Secure Enclave in any way," said Strafach.

          and

          The researchers said Apple's security hardware design is "light years ahead of competitors" but also noted potential avenues of attack. SEPOS, the Secure Enclave's operating system, lacks basic exploit protections like memory layout randomization, they said, and also observed that its biometric application has a significant attack surface.

        • +1

          @Member 0230: Behind every joke there is a little truth ;)

        • Lol. True. But just because it can be done doesn't mean the risk of it happening is all that high. Anyhow, you can always choose not to use it if you don't trust the reader. Also supports 2 factor authentication. Basically, if you want you can make things very secure. Personally I stick with one long complex password to secure my (encrypted) data file, and use the password generator to create unique complex passwords for each website/account as required. Good enough for me, and I know that I'm way more secure than the vast majority of the great unwashed out there. :-)

    • 1P is expensive, but like you, the seriously deep security focus coupled with a strong user experience (Mac and iOS mainly, but Win/Android is coming along) makes it so very worth it for me.

      Check out their security model mentioned here.

      There's even a 70-plus page Security Design White Paper for anyone a little more interested and/or technically inclined.

  • +1

    To start with, it's not really about just showing up as having been pwned, it's about what details they got. hibp provides details about each breach; for example, in the myspace breach they got "email addresses, usernames and SHA1 hashes of the first 10 characters of the password converted to lowercase and stored without a salt." No one could log into your myspace account using that data, so from that alone they didn't get any significant data; all they got is that your email address is linked to your username on myspace. That can be used to head to other sites where that username is in use and attempt some funny business since they know your email address, but that's honestly not a huge concern; unless they somehow know you're a worthy target there probably isn't someone trying to build a massive data collection on you.

    As for the veracity of hibp, the site simply takes the data the hackers release/sell and searches it. It's literally checking the data anyone could get, so yeah it's 'true' in that your email address is in the data. Where it gets tricky is that those lists are infamous for being padded out with fake entries or using emails from a list of "potential users", i.e. a gaming site bought your email from a third party because you are interested in gaming so they will target an ad run to you. If you are 100% sure you never signed up for a site then you can probably ignore it, but just to be safe and sure you might as well pretend they have that data.

    Now to password managers: their point is basically to ensure that if anyone ever got one of your passwords they don't automatically have access to everything else, as would be the case for people who use the same password everywhere. Now they can still use the one password they did get to try and find some more info about you, like mentioned above, to use in different attacks later, which is why you should also still use 2FA on all sites that offer it, especially key ones like email, and if you want to be extra cautious don't put any identifying details on sites that don't have 2FA.

    Speaking of 2FA, I would only use password managers that offer 2FA or leave everything in your own hands. Password managers are basically in two camps, and this solves your "how do I get my passwords everywhere" issue. Some password managers, like lastpass, store your encrypted passwords on their servers in (what they claim) to be very secure ways such that no one but you can ever see them; that means you can log in from anywhere and it can download and decrypt your passwords. The alternative is options like 1password (I think) which store all the passwords in an encrypted file and leave it up to you to keep that file safe and to transfer it around your various devices; most people store it in dropbox or something so they can grab it when needed.

    Each option has its positives and negatives, which you can research, but either way there are many options to make sure you are never without your passwords, and things like 2FA make it safer. No option is truly bulletproof; all you can do is make it harder to be got.
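The MySpace storage format quoted in the post above (unsalted SHA-1 of the first 10 characters of the lowercased password), as an added Python example that is not code from the thread, placed beside a salted PBKDF2 hash so the difference in what a leak reveals is visible; the passwords and the fixed salt used for illustration are constructed:

```python
"""Compare the MySpace-style password storage quoted in the thread with a
salted, slow hash. Added example, not from the thread; sample passwords
and salts are constructed."""
import hashlib
import os


def myspace_style_hash(password):
    """Store the way the quoted breach description says MySpace did:
    lowercase the password, keep only the first 10 characters, SHA-1, no salt."""
    reduced = password.lower()[:10]
    return hashlib.sha1(reduced.encode("utf-8")).hexdigest()


def salted_hash(password, salt=None, iterations=200_000):
    """A sane alternative: per-user random salt, full password, slow KDF
    (PBKDF2-HMAC-SHA256 from the standard library). Returns (salt, hex digest)
    so the same salt can be reused to verify a later login attempt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest.hex()


def collide_under_myspace_scheme(a, b):
    """True when two different passwords are stored identically under the
    MySpace scheme, i.e. case and anything past 10 characters are thrown away
    before hashing, so a leak of the hash reveals less than the real password
    but also means the 'strong' variant gained nothing over the weak one."""
    return a != b and myspace_style_hash(a) == myspace_style_hash(b)


# Constructed passwords: identical first 10 characters once lowercased.
PW_STRONG = "MyPassword2017!$"
PW_WEAK = "mypassword"
# Constructed fixed salt so the salted comparison is reproducible.
DEMO_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    print("myspace-style:", myspace_style_hash(PW_STRONG))
    print("myspace-style:", myspace_style_hash(PW_WEAK))
    print("collide:", collide_under_myspace_scheme(PW_STRONG, PW_WEAK))
    _, h_strong = salted_hash(PW_STRONG, DEMO_SALT)
    _, h_weak = salted_hash(PW_WEAK, DEMO_SALT)
    print("salted hashes differ:", h_strong != h_weak)
```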

  • What I find ridiculous is websites that do NOT allow you to have a longer password! (Outlook.com I'm looking at you)

    • Please don't necro a 4 year old post
