• You are currently viewing our forum as a guest, which gives you limited access to view most discussions and access our other features. By joining our free community, you will have access to additional post topics, communicate privately with other members (PM), view blogs, respond to polls, upload content, and access many other special features. Registration is fast, simple and absolutely free, so please join our community today! Just click here to register. You should turn your Ad Blocker off for this site or certain features may not work properly. If you have any problems with the registration process or your account login, please contact us by clicking here.

Public Service Announcement On Password Security

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
25,200
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
markzuck.jpg


No doubt many of you have heard about the numerous social media password breaches as of late. Many sites such as LinkedIn, MySpace, and 939 forum sites managed by a company called VerticalScope have had large numbers of passwords breached/leaked. Mark Zuckerberg is an example of one such person whose account was hacked.

Lessons From Mark Zuckerberg's Social Networking Account Breach

What does this matter to you? What it means is that there is a chance your passwords may have been been compromised in one of these big breaches. Maybe you received a notification from them and you changed your password on their site. That’s good! The thing you might not be thinking about is if your password was compromised and if you use the same password on other sites, your password on those other sites isn’t doing you much good anymore. There are a few places to check and see if you might have a problem. One site that allows you to check this is LeakedSource. Just put in your email address and it will tell you if your password was leaked in any of the recent major breaches. If you pay the $4 you can actually view some of the passwords that were breached but you don’t really need to in order to get the idea. Don't panic if you find yourself on the list - after all it's a social networking site and not your life savings. Just take a few precautions.

I'd like to take this opportunity to make a few recommendations:
  1. Don’t use the same password on all the sites you access. It is best to use a different password on every site. Be especially careful about your email account password and accounts where you do financial transactions, like your bank.
  2. Change your passwords on a periodic basis. You might want to do this once every six months or so. If you find your password was leaked in one of those major breaches, make sure you change it wherever you are using it.
  3. Pick good passwords. Here is an article that has some recommendations on how to do that.
  4. Recognizing how difficult it is to do #1, #2 and #3 above if you access more than a few sites, which means almost everyone, get a password manager tool. There are a bunch of them out there. I use LastPass. This password security thing isn't worth messing around with and the password manager tools make make your life a lot easier. For a few bucks you can get some software that picks strong passwords for you, remembers them for you and automatically scripts them when you log in. It works seamlessly across your laptop and smart phone. One thing I like about LastPass is it has a tool to allow you to audit your passwords, gives you a score and look for places where you have bad ones.
  5. For sites that are important, use "multi-factor" or "two-factor" authentication. What sites are important? It's the sites where you can access sensitive things - like your email account, bank account or brokerage. The option for two-factor authentication is often there if you check. Two factor authentication generally requires you to put in an additional one time password in addition to your standard password. Think of it as being authenticated by what you know (your normal password) and what you have (a token or your phone typically). We have two-factor authentication available as an option on the forum. You can find it here or look for Two Factor Authentication under UserCP and follow the simple instructions. This technology works differently on different systems. In the case of our forum, it requires you to install a couple of apps on your phone. It took me three minutes to turn on for my account. The way the software works on the forum is that if you come from an IP address that you haven't come from before, it asks you to put in a one time password which is generated every sixty seconds using the Google Authenticator app on your phone.
Anyway, that’s it. I thought maybe not everyone realizes some of these things so it would be good to communicate. Because of these broader problems out there, we might end up implementing a requirement to change passwords on a periodic basis on the Forum - like once every six months or once a year. We have this already for moderators and administrators but not for normal users.
 

Mal12345

Permabanned
Joined
Apr 19, 2011
Messages
14,532
MBTI Type
IxTP
Enneagram
5w4
Instinctual Variant
sx/sp
Oh boo hoo, someone hacked my myspace account in 2011.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
25,200
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Oh boo hoo, someone hacked my myspace account in 2011.

Which I guess doesn't matter as long as you don't use the same password for other things now.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
25,200
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Yeah, I found out my MySpace got hacked a few years back.
I forgot i even had an account there.

That's part of the problem. We create so many accounts on so many places and they accumulate over time. You forget about them. Most people can't remember all the different passwords so they end up reusing them all over the place over a period of years which is really the point of my post above - to elaborate on the risks of it.

The password manager is an ideal solution because it enables you to automatically create a different password on every system you access. So if one account is compromised, it doesn't put others at risk.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
25,200
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
This is a pretty nice demo and explanation.

 

Cowardly

deactivated
Joined
Mar 25, 2016
Messages
412
My LinkedIn account was hacked as well. At least I never got into AshleyMadison, that one proved to be troublesome, and amusing.
 

Cor Luctis

Between the Shadows
Staff member
Joined
Apr 18, 2010
Messages
26,579
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
The password manager is an ideal solution because it enables you to automatically create a different password on every system you access. So if one account is compromised, it doesn't put others at risk.
Unless that one account is your password manager account. Then everything else is compromised.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
25,200
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Unless that one account is your password manager account. Then everything else is compromised.

Of course. If you want, you can use multi-factor authentication to control that one account.

It's a trade-off. What's worse
A) Trying to remember 60 different passwords and inevitably reusing the same password on a lot of those systems, whereby if one is compromised, a number of them are compromised (high probability this will happen) or
B) Putting all your eggs in one basket and guarding it like hell
 

SearchingforPeace

breaking out of my cocoon
Joined
Jun 9, 2015
Messages
5,461
MBTI Type
ENFJ
Enneagram
9w8
Instinctual Variant
sx/so
My late FIL used a password manager. Unfortunately, he did not write it down anywhere or tell his wife, so all his accounts were locked and inaccessible after his coma...... it created a huge hassle....
 

Totenkindly

@.~*virinaĉo*~.@
Joined
Apr 19, 2007
Messages
46,774
MBTI Type
BELF
Enneagram
594
Instinctual Variant
sx/sp
I go old school. I have a piece of paper tucked away somewhere with passwords, and all the sites using coded names so that others probably can't read it.
 

PeaceBaby

reborn
Joined
Jan 7, 2009
Messages
5,950
MBTI Type
N/A
Enneagram
N/A
Of course. If you want, you can use multi-factor authentication to control that one account.

It's a trade-off. What's worse
A) Trying to remember 60 different passwords and inevitably reusing the same password on a lot of those systems, whereby if one is compromised, a number of them are compromised (high probability this will happen) or
B) Putting all your eggs in one basket and guarding it like hell

Exactly. A multifactorial authentication system is going to be much less penetrable than the notepad file on your desktop.

And, if you're squeemy about using an online system, use KeePass - it's free, installed locally and you can set it to multi-factor authenticate as well.
 

Totenkindly

@.~*virinaĉo*~.@
Joined
Apr 19, 2007
Messages
46,774
MBTI Type
BELF
Enneagram
594
Instinctual Variant
sx/sp
spies don't need passports just private jets and fast internet well maybe you do but spies can just call their boss and not have to do it like us plebs do.

Times are hard.
My covert agency won't even let me fly economy plus.
 

Cor Luctis

Between the Shadows
Staff member
Joined
Apr 18, 2010
Messages
26,579
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
Of course. If you want, you can use multi-factor authentication to control that one account.

It's a trade-off. What's worse
A) Trying to remember 60 different passwords and inevitably reusing the same password on a lot of those systems, whereby if one is compromised, a number of them are compromised (high probability this will happen) or
B) Putting all your eggs in one basket and guarding it like hell
I like Totenkindly's Option (C), and use it myself.

I go old school. I have a piece of paper tucked away somewhere with passwords, and all the sites using coded names so that others probably can't read it.
 
Top