I would like to comment on passwords security

Ghot · 27 Apr 2021

Try3 said:

So where are you going to start with me?

Denis

I find a street thug. I tell him to go after you. I tell him he can keep the wallet, the watch, the smart phone, w/e.
I say, I just want the key chain.

Then I find a 13 year old Japanese kid with a super computer, to crack your Excel password.

This is all after I have a hacker kid, use bots to search everything you type on the internet, so I can tell the street kid where to find you.

Yes... it's far fetched. But here's the kicker. Everywhere we go on the internet, we leave tracks.
We get in a conversation with someone we trust on the internet, and say something like...

Yeah, I know that cafe... I was there last Tuesday.

With bots these days, people can find a lot of information about us, while they're not even at the computer.
To be honest... the captchas on websites to stop a bot, wouldn't even stop a... toaster.

As long as a bot isn't trying to hack a specific website... as long as it doesn't cause problems for the sites owner...we ignore them.

I don't know any English folk lore, so I'll use some American versions...

I mean would Daniel Boone get on the internet and tell the bad guys where he kept his bowie knife... heck no!

All I'm trying to say is that no matter how well thought out... the best policy is... just don't talk about it.

/edit

Just as a teeny example. I remember when they first came out with 256 bit encryption. Big announcement about how secure that would make things.

A few weeks later I read an article about how a 13 year old Japanese kid, cracked it in so many , hours, days, weeks.
And he wasn't even a bad guy.

ignatzatsonic · 27 Apr 2021

Kol12 said:

I have probably 100 passwords. Don't you guys find a password manager so much easier?

I would......................if I had a need for 100 passwords that supposedly protected something halfway important.

But I don't. Nowhere near that.

I have looked at password managers in the past and came to the conclusion that they required that I jump through some hoops and make certain leaps of faith that I wasn't prepared to make. I don't recall the details.

I have passwords for probably 40 sites. Half of those sites I have not looked at in at least 5 years and may never look at again.

Of the other 20 or so.....all but 3 or 4 are purely for amusement....like this site. Insignificant.

The remaining 3 or 4 are all related to finances and credit..........and only one of those has any significant exposure in dollar terms. It's the only one I am seriously concerned about.

My greater fear is that these 3 or 4 important sites are themselves not secure from hackers.....that their security measures are not as strong as I'd like. Not a lot I can do about that other than taking my meager business elsewhere.

Ghot · 27 Apr 2021

Here's one...

I once posted a pic of a holly bush I planted. The only things in the pic were the bush and about a 4 foot circle of grass.
Someone said you shouldn't post pics of things that are located where you live.

I figured I was safe.

Now this other person knew what city, state I lived in. The only thing I can assume is that they did an image match on Google maps. It wasn't 4 days after I posted the pic, that they sent a message to me with a pic from Google maps, of my entire house.

ignatzatsonic said:

My greater fear is that these 3 or 4 important sites are themselves not secure from hackers.....that their security measures are not as strong as I'd like. Not a lot I can do about that other than taking my meager business elsewhere.

That too.
It's not just the information (tracks) the we personally leave on the internet, it's also the tracks every site, company, etc., that we deal with that are left on the internet.

Think about calling lists, or mailing lists that we inadvertently end up on. I doubt their security is even something they worry about. There's our addresses and phone numbers... etc.

Or how about something else with low to zero security, like the veterinarian. They also have name, address, phone, and what bank you belong to.

Then there is social security numbers, and w/e they have in the UK or anywhere else. That number is in a LOT of places.
Hopefully all of them have commercial security, but how secure is that.

And then there's social media sites, who seem to semi annually get hacked (so they say), and regurgitate 150 million people's information that they have.

Or our internet service providers, that could watch everything we do online, if they wanted.

Or even Microsoft. Like folks in the Beta channel, for example. they come right out and tell you they're gonna watch everything you do online.

I would like to comment on passwords security-image1.png

Ghot · 27 Apr 2021

Obviously, a lot of this is out of our control. But I think it's best to be a bit more paranoid than we think we should be.
At least until the legal system can catch up a bit.

Compumind · 27 Apr 2021

All of this is so simple...

Just my own paranoid opinion -

Never use a Password Manager. Never!

I don't care about the level of encryption.

Create a 256 bit encrypted Word document or Excel spreadsheet, print and store it away from the computer.

The files can be stored on a quality USB drive in a special secure spot.

FWIW.

WXC · 27 Apr 2021

Ghot said:

I use the same password everywhere... it's: C'mon in, let's fight.

Just kidding.

The very first rule of internet passwords, is.... don't talk about them on an internet forum. ^^

Truth.

Steve C · 28 Apr 2021

Try3 said:

I agree with the others. Write them down somewhere secure yet accessible.

I write mine in a password-protected Excel file that lives on a small USB stick that lives on my keyring.
I write down the password to the password-protected Excel file on a strip of paper that lives in one of those dog nametag cylinder things that also lives on my keyring.
The USB stick is never connected to my computer whilst I am connected to the internet.

Here's a [UK] link for some example ID tags https://www.amazon.co.uk/Pet-Barrel-.../dp/B00DEB1JVQ There are lots of available choices but I bought ones that, like these, have a slot in the bottom for me to swing off so I can be confident they won't come apart accidentally while I'm out & about.

All my passwords are, at least, 18 random characters long.
- I estimate that, even after taking account of possible technological advances over the next twenty five years, online hackers [who have often offered a 100 hours password cracking effort as their standard service] will only have a 1/1,000,000 chance of cracking such long, random passwords even if they dedicate a complete datacentre of 2 million PC-equivalents to the job.
- Hackers are more likely to be able to crack the host of a poor-quality online store of passwords such as a poorly-secured website. That's why it is important to use different passwords for each purpose.
- There's a 2015 discussion of this topic in the context of Office 2007 passwords at Office passwords - MSAForum

You might hear about 'Password reset disks' for Local user accounts [only]. They are an expensive alternative to a piece of paper.

Denis

I also take the extra step of bitlocker protecting the USB drive and have a duplicate copy on another USB drive

FreeBooter · 28 Apr 2021

It’s not enough to just use any old password. You can improve the security of any operating system and, hence, of your entire network—by making each password robust enough that it is impossible to guess and is impervious to software programs designed to try different password combinations. Such a password is called a strong password. Ideally, you want to build a password that provides maximum protection while still being easy to remember.

You really need to know only three things to create strong-like-bull passwords:

Use passwords that are at least 8 characters long—Shorter passwords are susceptible to programs that just try every letter combination. You can combine the 26 letters of the alphabet into about 12 million 5-letter word combinations, which is no big deal for a fast program. If you bump things up to 8-letter passwords, however, the total number of combinations rises to 200 billion, which would take even the fastest computer quite a while. If you use 12-letter passwords, as many experts recommend, the number of combinations goes beyond mind-boggling: 90 quadrillion, or 90,000 trillion!
Mix up your character types—The secret to a strong password is to include characters from the following categories: lowercase letters, uppercase letters, numbers, and symbols. If you include at least one character from three (or, even better, all four) of these categories, you’re well on your way to a strong password.
Don’t be too obvious—Because forgetting a password is inconvenient, many people use meaningful words or numbers so that their password will be easier to remember. Unfortunately, this means that they often use extremely obvious things such as their name, the name of a family member or colleague, their birth date, their social security number, or even their system username. Being this obvious is just asking for trouble.

RolandJS · 28 Apr 2021

bleepingcomputer news section reported a recent hack or ransomware involving several million accounts, I forget the details, however, I do remember the article reported 700k users apparently used the word password as their password. Found the link:
bleepingcomputer.com/news/security/hacker-leaks-20-million-alleged-bigbasket-user-records-for-free/

Steve C · 29 Apr 2021

Compumind said:

All of this is so simple...

Just my own paranoid opinion -

Never use a Password Manager. Never!

I don't care about the level of encryption.

Create a 256 bit encrypted Word document or Excel spreadsheet, print and store it away from the computer.

The files can be stored on a quality USB drive in a special secure spot.

FWIW.

I agree. I also use bitlocker to protect the USB drive and have a duplicate USB drive.