For help, advice and discussion about stuff not related to aviation. Play nice: no religion, no politics and no axe grinding please.
By rdfb
#1882191
avtur3 wrote:I will admit that I don't have individual passwords for every online account that I use...


You should fix this first, because it's the biggest hole in your online security by far.

Sites get hacked every so often. Lists of personally identifying information (names, emails, usernames) together with the passwords of accounts from those hacked sites get published. Then attackers try those usernames and passwords and various variations on other sites, exactly because so many people use the same passwords (or with minor variations) on multiple sites. The attackers don't target individuals specifically. They hit the lists en masse and exploit any that get in.

You can try https://haveibeenpwned.com/ to search these lists to see if your details are there. But even if they're not, they eventually will be, because major sites continue to get hacked on a regular basis.

You might think that since you only use that same password on a few "low value" sites a hack there won't get an attacker into some "high value" site. But that's where the password reset stuff comes in. It's really hard to follow who will require what to get them to reset someone's "forgotten password". It's been demonstrated that if an attacker has access to one account, they can expand that to access to other accounts in surprising ways. For example: https://www.infosecurity-magazine.com/n ... the-world/

Because of this, it's considered much safer to use a password manager that stores all your passwords, one for each site. These can to some extent be protected by two factor authentication. If you're really worried, buy a hardware FIDO2 USB token like a Yubikey and lock your password manager with that. But even without that, you're safer with a password manager with all your passwords "in one basket" than you are sharing passwords between sites.
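The check rdfb points at (haveibeenpwned.com) is the one most people should automate rather than do by hand. Its "Pwned Passwords" lookup works by k-anonymity: the client hashes the password locally with SHA-1, sends only the first five hex characters of the hash, gets back every hash suffix the service has seen for that prefix, and compares the rest itself, so the password never leaves the machine. The following is an added example of that exchange, not code from the original post or from the service; the HTTP call is replaced by a constructed response so it runs offline, and the counts and the two extra suffixes in that response are invented (only the suffix for the string "password" is real).

```python
"""Offline walk-through of the Have I Been Pwned "Pwned Passwords" range check.

The password never leaves the client: SHA-1 is computed locally, only the first
five hex characters of the hash are sent, the service returns every hash suffix
it knows for that prefix, and the client does the final comparison itself.
Added example; the HTTP call is replaced by a constructed response so it runs
offline.
"""
import hashlib

# Constructed stand-in for the body of  GET https://api.pwnedpasswords.com/range/5BAA6
# Each line is "<35 hex chars of the SHA-1 after the prefix>:<times seen>".
# The first suffix is the real SHA-1 suffix of the string "password"; its count
# and the other two lines are invented for this example.
CONSTRUCTED_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:3
FEDCBA9876543210FEDCBA9876543210FED:17
"""


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a suffix -> count mapping, ignoring blank lines."""
    table: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def constructed_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP GET; only one prefix is 'known' in this offline example."""
    return CONSTRUCTED_RANGE_5BAA6 if prefix == "5BAA6" else ""


def breach_count(password: str, fetch_range=constructed_fetch_range) -> int:
    """How many times the password appears in the (constructed) breach corpus; 0 if never.

    Only the prefix is handed to fetch_range; the suffix comparison stays local.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "Xq7!vL2#pZ9w"):  # second one is an arbitrary example string
        n = breach_count(pw)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in the constructed corpus"
        print(f"{pw!r}: {verdict}")
```

To run it against the live service, swap `constructed_fetch_range` for an HTTP GET of `https://api.pwnedpasswords.com/range/<prefix>`; the service also honours an `Add-Padding: true` request header so that response sizes do not reveal which prefix was asked for. A zero result only means the password is not in that corpus, not that it is strong.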
By riverrock
#1882197
If a company uses a central identity store for everything, with each application using that to log in (via a backend protocol such as SAML), then turning on 2 factor authentication is normally as simple as ticking a box.
Trouble is many legacy applications can't be authenticated that way.

An obvious way to have different passwords for each application / site is to use a standard pattern for all, with perhaps part of the brand of that site in the password.
It's better than nothing, and will stop automated attacks. Wouldn't stop a human working out your password if you are personally targeted, but that is rare unless you are dealing with large critical systems or information.
By Cessna571
#1882252
Rob P wrote:I have had that trying to pay money into accounts. I do point out that I really don't care if some little chap on the sub-continent wants to fund my lifestyle.

And!

"Can you just confirm your address?"

"Yes, I can"

<long pause>

"I need you to confirm your address"

"I can't confirm it until you read it to me, can I?"

Rob P


I had that recently.

“But you have to tell me, I can’t tell you, it’s data protection”.

“But then I’m telling my address to a random stranger, you could be anyone”.

“But I’m your bank”

So, I gave her a slightly wrong address, and she said “that’s not what I’ve got here, it says number 29”.

“Just checking… now we’re both happy, what is it?”

She was NOT impressed, started telling me calls are recorded etc etc. :roll: :D
By OCB
#1882254
Really stupidly smart question- but how many on here have answered to a social media question like “what was your first car”?

I know I have.

Most of us think that “social engineering” is only via corporate identity.

No it’s not.

The next time you see some random social media “quiz” question- be skeptical.
By Flyin'Dutch'
#1882255
Cessna571 wrote:

I had that recently.

“But you have to tell me, I can’t tell you, it’s data protection”.

“But then I’m telling my address to a random stranger, you could be anyone”.

“But I’m your bank”

So, I gave her a slightly wrong address, and she said “that’s not what I’ve got here, it says number 29”.

“Just checking… now we’re both happy, what is it?”

She was NOT impressed, started telling me calls are recorded etc etc. :roll: :D


Depends on whether they ring you or you ring them innit?
By Trent772
#1882318
At work, we had to change our password every 2 months - some pathetic Human Remains edict...

I used 2 styles.

First was Arsehole1, 2, 3, 4 etc.

The second was month and year

April2018, May2018, etc

Both were easy to remember and you could leave yourself a memory jog.
By avtur3
#1882347
There are multiple websites offering to check the 'so called' security of passwords, but they appear to offer massively inconsistent results.

Here is an example of the point I was making, this is a password I have made up to to make the example. This has no relevance to anything to do with me.

#1964#dwphm ... one website tells me this is poor and could be broken within a matter of minutes, yet another website tells me the very same password is really secure and it would take 14 centuries to break.

Whatever the rights and wrongs these websites are out there and many people will be using them and responding to their advice.
By OCB
#1882354
avtur3 wrote:There are multiple websites offering to check the 'so called' security of passwords, but they appear to offer massively inconsistent results.

Here is an example of the point I was making, this is a password I have made up to to make the example. This has no relevance to anything to do with me.

#1964#dwphm ... one website tells me this is poor and could be broken within a matter of minutes, yet another website tells me the very same password is really secure and it would take 14 centuries to break.

Whatever the rights and wrongs these websites are out there and many people will be using them and responding to their advice.

Basically - single factor authentication is dead. Long live robust MFA.

For the techno-geeks and luddites out there, I used to run a security and privacy website and domain.
I gave up, basically because almost everyone traded in security for convenience.
By akg1486
#1882443
Trent772 wrote:At work, we had to change our password every 2 months - some pathetic Human Remains edict...

I changed jobs some 13 years ago and we're forced to get a new pw every quarter. I've had the same base since I started and added a two digit number: 01, 02, etc. I'm at 55 right now.

I'm not worried about security: it requires either connection to company network (which only company-issued laptops have) or MFA.

For really important personal stuff--taxes, banks, insurance--we have an MFA solution created by the banks and endorsed by the government. Very convenient.
By eltonioni
#1882604
StratoTramp wrote:CessnaFlyermagazineInvertedTomcat


C152IanSeagar’sMag^F14


*unlocks hidden Admin forum so you can see what they really think of us*
By Ian Melville
#1882610
avtur3 wrote:There are multiple websites offering to check the 'so called' security of passwords, but they appear to offer massively inconsistent results.

How do you know that there isn't a hacker at the back end of that?
By OCB
#1882667
Ian Melville wrote:
avtur3 wrote:There are multiple websites offering to check the 'so called' security of passwords, but they appear to offer massively inconsistent results.

How do you know that there isn't a hacker at the back end of that?


https://haveibeenpwned.com/

It’s both reassuring and also alarming that online security in the Western world has for so long relied on the good will of well meaning individuals.

The website above, for example, is a gold standard reference when it comes to verifying if an identity has been potentially compromised.

I’ve followed the evolution of that site, and how it came about for a long time. I have the luxury that my professional life overlaps with cyber-security, so get paid to know if something is legit, or click-bait.

Unfortunately right now there is no easy answer. There clearly should be various “ISO” standards for online security that are both well respected and also implemented- but that’s not yet the case. Until then, “be careful out there”…

…whilst talking about this point with a friend a few hours back, he mentioned his father lost money via an eBay scam not that long ago.
By leiafee
#1882764
avtur3 wrote:On several occasions when entering a 10+ character password (with a good mixture of characters) I have found that I get to say 10 characters , which show very good strength, then when I add one more character the security rating takes a nose dive. Can anyone explain why???


Probably because it’s a pattern that has been previously leaked in a breach and the checker you’re using is looking at that list as well as theoretical strength.

Many also check for things like dictionary words but with @ for a, 1 for l and similar.

Overall length is way more important than stuffing symbols and caps in.

Non reuse is important because bad guys will engage in “credential stuffing”: if they get one username password combo they’ll try it as many places as possible hoping you’ve reused it.

2FA is the way. I deal with one to two breaches every week among customers without 2FA and a similar number among friends and family. Have never yet seen an account with 2FA breached. There are ways but they tend only to be deployed against high value targets, not scatterbombed at individuals.

Password managers feel riskier than they are because of the eggs-in-one-basket principle, but with strong passwords and 2FA the actual risk is lower.

Changing on a cycle only encourages reuse which is bad. Change if you suspect a breach or realise your password is rubbish.
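Both avtur3's complaint (two checkers rating the same password "minutes" and "14 centuries") and leiafee's explanation come down to what a checker actually consults: a breach list, a dictionary with common letter substitutions undone, and only then a length-based estimate. The toy rater below is an added example of that ordering, not the code of any real checker or of either poster; its word lists are constructed, and the 11-character case is deliberately placed on the constructed leak list so the drop avtur3 describes (10 characters rated fine, one more character and the rating collapses) shows up.

```python
"""A toy password rater of the kind a breach-aware checker uses: it looks for the
password in a breach list, undoes common letter substitutions before a dictionary
check, and otherwise scores mainly on length. Added example with constructed word
lists; it is not the code of any real checker.
"""

# Common "leet" substitutions undone before the dictionary check.
LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})
# Characters people tack on to the ends of a word to "strengthen" it.
EDGE_CHARS = "0123456789!@#$%^&*()_-+=.,:;?"

# Constructed lists. A real checker loads hundreds of millions of leaked
# passwords and a full dictionary; these few entries are just for the example.
CONSTRUCTED_BREACHED = {"password", "password1", "qwerty123", "april2018", "tr0ub4dor&3"}
CONSTRUCTED_DICTIONARY = {"password", "welcome", "summer", "letmein", "sunshine"}


def normalise(pw: str) -> str:
    """Lower-case and undo substitutions, so 'P@ssw0rd' becomes 'password'."""
    return pw.lower().translate(LEET)


def core_word(pw: str) -> str:
    """Strip leading/trailing digits and symbols first, then undo substitutions."""
    return normalise(pw.lower().strip(EDGE_CHARS))


def rate(pw: str) -> tuple[int, str]:
    """Return (score 0..4, reason), applying the checks in the order a checker would."""
    if pw.lower() in CONSTRUCTED_BREACHED:
        return 0, "appears in breach list"
    core = core_word(pw)
    if core in CONSTRUCTED_DICTIONARY:
        return 1, f"dictionary word '{core}' with substitutions"
    n = len(pw)
    if n < 8:
        return 1, "too short"
    if n < 12:
        return 2, "acceptable"
    if n < 16:
        return 3, "good"
    return 4, "strong (length dominates)"


if __name__ == "__main__":
    for pw in ("Tr0ub4dor&", "Tr0ub4dor&3", "P@ssw0rd", "qwerty", "pelican-runway-teapot-anvil"):
        score, reason = rate(pw)
        print(f"{pw!r:32} {score}/4  {reason}")
```

Two checkers with different breach lists and dictionaries will disagree exactly as avtur3 saw, because the "centuries to crack" figure only applies after the list and dictionary checks have both missed.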
By riverrock
#1882793
I'd argue not allowing your password to be in a "rainbow" table is what you want.
It's pretty rare for passwords to be simply brute forced (a system is compromised to such an extent that someone is able to try every possible combination of letters and numbers one after another till a result is found). Instead attackers will have a generated list of likely passwords, probably harvested from elsewhere as a list of "most commonly used passwords" (and will likely have pre-calculated the hashed version of all of those too - hence why "salts" should be used behind the scenes, but that is a different topic).

You'd be better with a combination of 8 very random characters, than "ThisIsAVeryLongPassword"
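riverrock's aside about pre-calculated hashes and salts is worth seeing in code. The following is an added example, not code from the post or from any real system: an attacker builds a hash-to-password lookup once from a constructed word list (the idea behind rainbow tables) and recovers an unsalted hash with a single lookup, while a per-account salt forces the whole list to be re-hashed for every account and makes the precomputed table useless. The word list, the salts and the iteration count are constructed for the example.

```python
"""Why a precomputed hash lookup works against unsalted password hashes and
fails against salted ones. Added example; the word list and salts are
constructed and the hashing scheme is illustrative, not any real system's.
"""
import hashlib
import hmac
import os

# Constructed "most common passwords" list; real ones run to millions of entries.
CONSTRUCTED_WORDLIST = ["123456", "password", "qwerty", "letmein", "April2018", "Summer2021"]
ITERATIONS = 20_000  # deliberately slow hash for the example; real deployments use more


def unsalted_hash(pw: str) -> str:
    """Plain SHA-256 of the password: the same password always yields the same hash."""
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def build_lookup_table(wordlist) -> dict[str, str]:
    """Attacker's precomputation: hash -> password for every likely password, done once."""
    return {unsalted_hash(w): w for w in wordlist}


def salted_hash(pw: str, salt: bytes) -> str:
    """PBKDF2-HMAC-SHA256 with a per-account salt: same password, different salt, different hash."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, ITERATIONS).hex()


def crack_unsalted(stored: str, table: dict[str, str]):
    """One dictionary lookup recovers the password if it was on the list, else None."""
    return table.get(stored)


def crack_salted(stored: str, salt: bytes, wordlist) -> tuple:
    """No precomputation helps: the whole list must be re-hashed with this account's salt.

    Returns (password or None, number of slow hash computations spent).
    """
    attempts = 0
    for w in wordlist:
        attempts += 1
        if hmac.compare_digest(salted_hash(w, salt), stored):
            return w, attempts
    return None, attempts


if __name__ == "__main__":
    table = build_lookup_table(CONSTRUCTED_WORDLIST)
    print("unsalted, table lookup:", crack_unsalted(unsalted_hash("April2018"), table))
    salt = os.urandom(16)  # one fresh salt per account
    stored = salted_hash("April2018", salt)
    print("salted, same table:", crack_unsalted(stored, table))
    print("salted, per-account guessing:", crack_salted(stored, salt, CONSTRUCTED_WORDLIST))
```

The salt does not stop a password that is on the list from being guessed; it only removes the shortcut, so the attacker pays the full cost of the slow hash once per guess per account instead of once per guess for everyone.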