OT - How secure is your password

[rkhatibi]

Quote:

Originally Posted by C40_guy

Most criminals aren't that smart, and they'd probably need more than one to figure out the pattern.

If criminals start using big data and AI to figure this out, it's game over anyway. Might as well just leave my wallet on the driveway.

I have some unfortunate news for you.

• Build your own $10k password cracking machine https://www.tomshardware.com/news/ei...-under-an-hour
• Software that automates cracking https://hashcat.net/hashcat/
• Probably too technical for this crowd, but "credential stuffing" is the methodology once you've run enough of the publicly available passwd dumps through your system. https://www.troyhunt.com/password-re...-i-been-pwned/

"Credential stuffing is the automated injection of breached username/password pairs in order to fraudulently gain access to user accounts. This is a subset of the brute force attack category: large numbers of spilled credentials are automatically entered into websites until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes."

People tend to think of attacks like this as directly targeting them. Everyone is being targeting. You only lose if your online behavior, weak password or password reuse even partials, is susceptible to these attacks.

[fourflys]

any recs for a password manager from someone in the industry?

Quote:

Originally Posted by NYCfixie

I work in Cybersecurity as well and what I tell friends/family/co-workers is:
- Use a password manager
- Have it create and store the passwords for you (15 characters minimum but the more the better)
- DO NOT use the same password for multiple accounts/services
- Make sure ALL accounts/services are setup for multi-factor authentication
- Your email password should be the STRONGEST password
(because if hackers can into your email they can often reset passwords for all other accounts/services since most people do not use multi-factor authentication)
- Your password manager should have your second strongest password
- Write your eMail and Password Manger passwords on an index card (yes, I mean paper) and store them safely some place in your home. DO NOT save them anywhere else.


Many commercial password managers can be (or have been) broken. Nothing is perfect. The safest method is to keep everything on paper, locked away at home, and never share with anyone.

Multi-factor authentication is not perfect. Hackers have found interesting ways to get around it (i.e. they can clone your mobile number to receive the multi-factor code you need to authorize yourself to a system after entering the password they have been able to figure out or steal from you).

The point is, most hackers are lazy so if you use a few different methods to protect yourself, hackers will move on and try to terrorize another person who may not have safeguards in place.

Be careful out there.

[benb]

Any good system shouldn’t be particularly vulnerable to credential stuffing and brute force attacks. It should detect that and insert delays or completely reject the requests after a small number of guesses.

Those attacks work well if the hacker has already breached the system and dumped databases and the database is storing passwords in a poor or well known way.

“Capture the password file” is a great first step in any kind of breach so of course a look work goes into making that hard.

[VeloceNiente]

Just wanted to reiterate what has been said (and is just as important as using strong passwords):

Use different passwords on every account.

[johnniecakes]

Quote:

Originally Posted by oldpotatoe

I make them up myself...various letters, caps and lower case, numbers and characters none which really apply to me, not related like no WlBldrTdy123&&, etc.

Then I write them in a notebook I have and yes, I have 5-6 pages of them but I don't have to depend on any 'service' to store them.

You must be my twin. Written in steno pad and stored in the gun safe. Some are memorized and those require 2 step authorization. I also change them every 6 months. Christmas time and Independance Day.

[Louis]

Quote:

Originally Posted by VeloceNiente

Use different passwords on every login.

You must mean every account. Every login would be nuts.

[VeloceNiente]

Quote:

Originally Posted by Louis

You must mean every account. Every login would be nuts.

I meant the noun form of ‘login’, but ‘account’ is clearer. Edited.

[fourflys]

funny enough, after reading this thread I went and changed my BoA credit card password to a random one from the Apple/Chrome extension password generator.. went for a ride, came back and just got a text that my card had a charge that had been declined for suspicious activity.. coincidence I'm sure, but just a little funny.. went through the process to get two charges taken off and and new card and changed my password once again.. I assume it was from a skimmer or something similar and not an account hack..

[rogerspam]

Help request from the more informed--If you have to be the home IT guy for the family (read: wife) and pick a secure but easy to manage option for phone/computer (Apple based) system, would you choose 1password vs Bitwarden vs going all in on Apple Keychain/iCloud? Or any other options to consider?

[NYCfixie]

Quote:

Originally Posted by C40_guy

So...lets say I need to log on to an airline site at a hotel using their computer...pw manager won't help me there...

This is about as safe as using a "glory hole" for your sexual needs.

I would never use a public computer for any of my password protected accounts. I would never put personal information on a personal computer.