The Straight Dope

  #1  
Old 05-09-2012, 04:23 PM
cmyk cmyk is online now
Door-2-Door Wikipedia Salesman
Charter Member
 
Join Date: Mar 2001
Location: Detroit Yankee in Memphis
Posts: 11,565
Choosing a password.

There are several methods, for general security, of creating a password for online accounts.

I hate passwords that mix caps and numerals. The height of annoying. I mixed names and dates and a string of random words (yes, I've seen the XKCD comic on that). I've also employed the keyboard pattern, too, which I do like, as you can devise a complex but memorable pattern, yet end up with seemingly random letters and numbers.

However, I've thought about doing this: pick a word and double or triple up the characters. For instance, taking my user name, you'd end up with "ccmmyykk."

Might this be a bad idea, or is it about as secure as any other method?

Also, any other clever tips for generating passwords would be appreciated.

Last edited by cmyk; 05-09-2012 at 04:24 PM..
  #2  
Old 05-09-2012, 04:35 PM
Fiendish Astronaut Fiendish Astronaut is online now
Guest
 
Join Date: Jan 2001
My old boss was half-Polish. He'd use Polish words backwards with a spelling error. He claimed all the Zs and Ks meant his passwords were almost impossible for bots to guess. I'd say for the same reason your passwords might be quite good but I'm no computer whizz.

Last edited by Fiendish Astronaut; 05-09-2012 at 04:36 PM..
  #3  
Old 05-09-2012, 04:42 PM
biqu biqu is offline
Guest
 
Join Date: Jun 2003
Quote:
Originally Posted by cmyk View Post
However, I've thought about doing this: pick a word and double or triple up the characters. For instance, taking my user name, you'd end up with "ccmmyykk."
Doubling or tripling is probably not sufficient in that case, since the length is still only 8 characters and can be brute-forced in a reasonable time. But you're on the right track. Using a simple pattern that pulls from a large "alphabet" and then repeating one of the characters enough times (say, 10--15) should make a brute-force attack awfully slow.

See this blog post for more details, or search under the keywords "password haystack".
  #4  
Old 05-09-2012, 05:14 PM
Noelq Noelq is offline
Charter Member
 
Join Date: Nov 2000
Location: Sacramento, CA
Posts: 719
To make things easy for various relatives of mine, I taught them the following password rules that make a secure password, strong enough for 99% of the sites.

1. Use name.
2. Then an At symbol (@).
3. Then the website location.
4. Then either the 4 digits of your phone, or 4 other digits you like.

For example, for Google, "John Smith" would use a password of "John@Google1234".

It's unique to each website, easy for people to remember, and very secure.
  #5  
Old 05-09-2012, 05:18 PM
filmore filmore is offline
Guest
 
Join Date: Aug 2002
The most important thing is to make sure you don't use a normal word. Hackers already have tables of all the dictionary words pre-encrypted called a Rainbow Table. When they steal the password table from a website, they compare the encrypted passwords with the passwords in their rainbow table to find the original password. All these goofy password rules are to make sure you're not typing a regular word as a password.

But some enterprising hackers have created rainbow tables of all 8 character and less lowercase passwords. So it doesn't matter if your password is 'password' or 'adieiqoq', it's just as easy for that hacker to break. By adding capital letters, numbers and symbols, you're making the hacker's job harder since the table has to get so big to account for all options.

So at this point, ccmmyykk is not really a secure password. Add some special characters in there so it can't be reversed so easily.

But the most important thing about passwords is: DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES!!! If you have unique passwords, then the worst thing is that the hacker could login to the site he hacked. But if you have common passwords, then the hacker can try the same login on other sites like facebook, gmail, etrade, banks, etc.

Some sites don't even encrypt the password. Whatever you type in is stored in the database. When the hacker steals the database, they have your login, email, and password in the clear. So even if you have a super complicated password like '$Ia)0192w1=', a hacker may discover it from a site with poor security.

So this means you need unique, goofy passwords for each site. Try to come up with passwords that incorporate part of the domain and user name. Figure out some pattern that works for you. So my password for this site could be something like f1ilst2r. On CNN it might be f1ilcn2n, etc.
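As an added illustration of filmore's point about stolen password tables (this is not code from the thread or from any site named in it): the weak storage scheme, a tiny lookup table built from a constructed four-word list standing in for a real precomputed table, and the salted slow-hash scheme a site should use instead. The record format and PBKDF2 parameters are assumptions.

```python
"""Why a stolen password table does or does not yield to a precomputed table.

Added illustration, not code from the thread or from any named site. The
'precomputed table' here is a plain digest->word dictionary built from a
constructed four-word list, standing in for the much larger tables filmore
describes; the PBKDF2 parameters and record format are assumptions.
"""
import hashlib
import hmac
import secrets

# Constructed sample wordlist (stand-in for an attacker's precomputed table).
SAMPLE_WORDS = ["password", "adieiqoq", "ccmmyykk", "letmein"]


def unsalted_digest(pw: str) -> str:
    """How a weak site stores passwords: one fast, unsalted hash per password.
    Identical passwords give identical digests, so a table built once works
    against every user of every such site."""
    return hashlib.sha1(pw.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> word once for a wordlist; the table is reusable."""
    return {unsalted_digest(w): w for w in words}


def recover_from_table(table: dict, digest: str):
    """A leaked unsalted digest is recovered by a single dictionary lookup."""
    return table.get(digest)


def store_password(pw: str, iterations: int = 600_000) -> str:
    """How a site should store a password: random per-user salt plus a slow
    key-derivation function. Record format (assumed): algo$iters$salt$hash."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(stored: str, attempt: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    dk = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def salted_records_collide(pw: str, iterations: int = 600_000) -> bool:
    """Two users with the same password: do their stored records match?
    With a random salt they do not, so no single precomputed table fits both."""
    return store_password(pw, iterations) == store_password(pw, iterations)


if __name__ == "__main__":
    table = build_lookup_table(SAMPLE_WORDS)
    leaked = unsalted_digest("ccmmyykk")        # constructed "leaked" digest
    print("unsalted leak recovers:", recover_from_table(table, leaked))
    record = store_password("ccmmyykk")
    print("salted record:", record[:60], "...")
    print("same password, same record?", salted_records_collide("ccmmyykk"))
    print("verify correct:", verify_password(record, "ccmmyykk"),
          "verify wrong:", verify_password(record, "ccmmyyk"))
```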
  #6  
Old 05-09-2012, 07:46 PM
tellyworth tellyworth is offline
Guest
 
Join Date: Dec 2009
Quote:
Originally Posted by filmore View Post
But the most important thing about passwords is: DO NOT USE THE SAME PASSWORD ON MULTIPLE SITES!!!
Quoting for emphasis. I see this happen all the time - accounts with otherwise strong passwords get hacked, because someone reused the same password on a site that was compromised.
  #7  
Old 05-09-2012, 08:17 PM
Darth Panda Darth Panda is offline
Guest
 
Join Date: Mar 2010
I use made up names from characters I had in role-playing games when I was a kid. They're nonsense words, completely meaningless to anyone else, but really memorable to me. Then I just tack on some numbers that have a meaning to me, but aren't a birthday or anything obvious.

Here's an example:

Character name (never had this, just made it up now): Varindal
Ex-girlfriend's street address: 1538

Password: Varindal1538

Last edited by Darth Panda; 05-09-2012 at 08:19 PM..
  #8  
Old 05-09-2012, 08:24 PM
Gagundathar Gagundathar is offline
Guest
 
Join Date: Jan 2010
One of the early programs I coded (back in the 1970s, believe it or not) was a password generator. It was limited to 8 alphanumeric characters but so was the target OS. I created about 20 of these passwords and still use them with significant variations (extending the length and adding nonalphanumerics). So far, so good.

Really, if your password is Dog@P0N33#H0r2e, it is going to be a bit of a challenge to crack it.
The real trick is to make it difficult enough to crack that the infiltrating agent is unwilling to spend the time to brute-force it. If the system has a timeout/lockout provision set up for failed password attempts, then brute-force becomes less of a problem.

But, many online sites don't use timeout/lockout because that requires active systems administration and when your site has millions of users, then that becomes something of a challenge.
  #9  
Old 05-09-2012, 08:55 PM
RealityChuck RealityChuck is offline
Charter Member
 
Join Date: Apr 1999
Location: Schenectady, NY, USA
Posts: 35,677
I use many methods, but currently am going with song lyrics -- taking the initial letter of each word and using a few numbers and special characters. Thus PamtimI1mow&t uses the first line of "Sympathy for the Devil."

Bonus -- you get to hear the song whenever you log in.
__________________
"East is east and west is west and if you take cranberries and stew them like applesauce they taste much more like prunes than rhubarb does."
Purveyor of fine science fiction since 1982.
  #10  
Old 05-09-2012, 09:52 PM
Rysdad Rysdad is offline
Guest
 
Join Date: Sep 1999
Quote:
Originally Posted by Noelq View Post
To make things easy for various relatives of mine, I taught them the following password rules that make a secure password, strong enough for 99% of the sites.

1. Use name.
2. Then an At symbol (@).
3. Then the website location.
4. Then either the 4 digits of your phone, or 4 other digits you like.

For example, for Google, "John Smith" would use a password of "John@Google1234".

It's unique to each website, easy for people to remember, and very secure.
I do something similar:

I use the first three letters of whatever the website is that I'm logging into, plus a string of characters that only make sense to me. For example, if I'm logging in to Facebook, the login would be: Fac7321!Dar!

Easy peasy.
  #11  
Old 05-09-2012, 10:36 PM
pulykamell pulykamell is online now
Charter Member
 
Join Date: May 2000
Location: SW Side, Chicago
Posts: 31,016
Quote:
Originally Posted by Noelq View Post
To make things easy for various relatives of mine, I taught them the following password rules that make a secure password, strong enough for 99% of the sites.

1. Use name.
2. Then an At symbol (@).
3. Then the website location.
4. Then either the 4 digits of your phone, or 4 other digits you like.

For example, for Google, "John Smith" would use a password of "John@Google1234".

It's unique to each website, easy for people to remember, and very secure.
That's fine, but consider this: if one of your passwords gets out for whatever reason, if you follow this formula religiously, the person who found your password can pretty easily figure out the password to every other website you use. Maybe nobody will hack into Google or Amazon, but what about a messageboard or similar site where the security may not be up to snuff? Were I a hacker and I saw a password like John@MessageBoard1234, my first instinct would be to go to eBay, Amazon, Facebook, whatever and try the username with John@ebay1234, John@amazon1234, john@facebook1234. That formula of making a password is fairly common, and an experienced hacker, I would think, should recognize it. Really, in my opinion, this is only marginally better than using the same password for every website you use.

Last edited by pulykamell; 05-09-2012 at 10:36 PM..
  #12  
Old 05-10-2012, 12:52 AM
Chronos Chronos is online now
Charter Member
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 55,201
To really do it right, you want something such that, even if the attacker knows your method and a sample password from a different site, they still can't get your password for a different site in any sane amount of time. Like, with the OP's method, if I know that he's using a dictionary word with each letter doubled, then I can code up something quickly that will do that, and get in after a number of tries equal to the number of words in the dictionary.
__________________
Time travels in divers paces with divers persons.
--As You Like It, III:ii:328
  #13  
Old 05-10-2012, 01:52 AM
septimus septimus is online now
Guest
 
Join Date: Dec 2009
Quote:
Originally Posted by Chronos View Post
To really do it right, you want something such that, even if the attacker knows your method ... they still can't get your password ...
Like, with the OP's method, if I know that he's using a dictionary word with each letter doubled, then I can code up something quickly that will do that, and get in after a number of tries equal to the number of words in the dictionary.
This is a key point. Note that a password of Noelq's straight method can be cracked with just 10,000 probes. (How many probes do such crackers usually try?)

But there are many other ways in: packet sniffing, keyboard-sniffing Trojans, and, with so many stolen laptops and foolish security, I'd not be surprised to learn that many thousands of user passwords are for sale on the black markets!

I watched a friend log in to his British bank using a challenge-response protocol that would be hard to crack. Do any American banks do that? (Mine doesn't.)
  #14  
Old 05-10-2012, 03:54 AM
cmyk cmyk is online now
Door-2-Door Wikipedia Salesman
Charter Member
 
Join Date: Mar 2001
Location: Detroit Yankee in Memphis
Posts: 11,565
Really great advice here, thanks folks.

I've so many accounts now, and I'm starting to feel a bit weary about the passwords I've been using, so I'm meaning to update most of my important passes with some kind of system; as mentioned, a unique pass for every account.

Some of the methods described in generating passwords and also in how hackers crack them have already inspired some good ideas for a new system. The point I seem to be hearing is devising a consistent method for generating passwords for myself, but impossible to decode the method even if one is directly exposed, and even if it's obviously generated using some method. Also that mixing in numerals or other acceptable non-alphanumeric characters helps to defy brute force probing.

Last edited by cmyk; 05-10-2012 at 03:56 AM..
  #15  
Old 05-10-2012, 07:54 AM
md2000 md2000 is online now
Guest
 
Join Date: Feb 2009
Back in the Pentium 150MHz days, L0phtcrack was taking (IIRC) about a week to try all possible 8-character combinations. Of course, in those days, Microsoft cleverly broke all passwords into 8-character chunks and stored them upper case to allow for logon to the old Windows networking as well.

I ran the program against the large corporate database, and surprisingly (not?) it found about 1/3 of the passwords from the dictionary-plus-one attack (i.e. SNOWMAN7) - within half an hour.

Considering how much faster machines are today, a brute force attack can take very little time (days, weeks) if your password is short and they get the encrypted version.
  #16  
Old 05-10-2012, 08:42 AM
nudgenudge nudgenudge is offline
Guest
 
Join Date: Jan 2010
Quote:
Originally Posted by septimus View Post
I watched a friend log in to his British bank using a challenge-response protocol that would be hard to crack. Do any American banks do that? (Mine doesn't.)
Could you explain what a challenge-response protocol is? I have several UK bank accounts, and what they typically do is ask you for, say, the 2nd, 5th and last characters of a secret phrase, I suppose to provide some protection against key loggers. Is that what you mean?
  #17  
Old 05-10-2012, 09:37 AM
md2000 md2000 is online now
Guest
 
Join Date: Feb 2009
Quote:
Originally Posted by cmyk View Post
Really great advice here, thanks folks.

I've so many accounts now, and I'm starting to feel a bit weary about the passwords I've been using, so I'm meaning to update most of my important passes with some kind of system; as mentioned, a unique pass for every account.

Some of the methods described in generating passwords and also in how hackers crack them have already inspired some good ideas for a new system. The point I seem to be hearing is devising a consistent method for generating passwords for myself, but impossible to decode the method even if one is directly exposed, and even if it's obviously generated using some method. Also that mixing in numerals or other acceptable non-alphanumeric characters helps to defy brute force probing.
Length helps defeat brute-force probing. Add one character and it can take (26x2)+10+15 or so times longer, depending on what punctuation is allowed.

The trick is to generate a long and complex password while making it easy for you to remember long term and reproduce, and also not making the process too obvious (i.e. site name in password). If it's harder to shoulder-surf, so much the better. Hence the "Sympathy for the Devil" trick above.

What's annoying while convenient is the sites that need your email as userid and send a verification to there, thus ensuring that half your credentials are fairly obvious.

Last edited by md2000; 05-10-2012 at 09:37 AM..
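The estimates traded in this thread, worked through as an added example (not code from the thread): following Chronos's rule that the attacker knows the recipe, it counts what cmyk's doubled letters, Noelq's Name@Site#### (septimus's 10,000 probes) and plain brute force leave to chance, and shows md2000's "one more character" multiplier. The wordlist size, punctuation set and guess rate are assumed values.

```python
"""Guess-count estimates for the password recipes discussed in this thread.

Added illustration, not code from the thread. Each estimate assumes the
attacker already knows the recipe (Chronos's point), so it counts only what
the recipe leaves to chance. Wordlist size, punctuation set and guess rate
are assumptions declared below.
"""
import re
import string

DICTIONARY_WORDS = 100_000               # assumed wordlist size
PUNCTUATION = "!@#$%^&*()-_=+?"          # 15 symbols: md2000's "+15 or so"
GUESSES_PER_SECOND = 1e9                 # assumed offline rate vs. a fast hash


def detect_repeated_word(pw: str):
    """cmyk's recipe: a word with every letter repeated k>=2 times.
    Returns (base_word, k), e.g. 'ccmmyykk' -> ('cmyk', 2); otherwise None."""
    for k in range(2, len(pw) // 2 + 1):
        if len(pw) % k:
            continue
        base = pw[::k]
        if all(pw[i * k:(i + 1) * k] == c * k for i, c in enumerate(base)):
            return base, k
    return None


def alphabet_size(pw: str) -> int:
    """Size of the character-class union an attacker must cover for pw
    (md2000's count: 26 lower + 26 upper + 10 digits + ~15 punctuation)."""
    size = 0
    if any(c.islower() for c in pw):
        size += len(string.ascii_lowercase)
    if any(c.isupper() for c in pw):
        size += len(string.ascii_uppercase)
    if any(c.isdigit() for c in pw):
        size += len(string.digits)
    if any(not c.isalnum() for c in pw):
        size += len(PUNCTUATION)
    return size


def estimate_guesses(pw: str, site: str = "") -> tuple[int, str]:
    """Smallest candidate set among the recipes an attacker could recognise,
    with a label naming that recipe."""
    candidates = [(alphabet_size(pw) ** len(pw), "uniform brute force")]

    rep = detect_repeated_word(pw)
    if rep and rep[0].isalpha():
        # Repetition adds length but no choice: still one candidate per word.
        candidates.append((DICTIONARY_WORDS,
                           f"dictionary word {rep[0]!r} repeated x{rep[1]}"))

    # Noelq's recipe Name@Site####: with name and site known, only the four
    # digits vary (septimus: "cracked with just 10,000 probes").
    m = re.fullmatch(r"([A-Za-z]+)@([A-Za-z]+)(\d{4})", pw)
    if m and (not site or m.group(2).lower() == site.lower()):
        candidates.append((10 ** 4, "Name@Site#### with name and site known"))

    return min(candidates, key=lambda c: c[0])


def extra_character_factor(pw: str) -> int:
    """How much longer a uniform brute-force search takes when one more
    character from the same classes is appended (md2000's "(26x2)+10+15")."""
    return alphabet_size(pw)


def seconds_to_exhaust(guesses: int, rate: float = GUESSES_PER_SECOND) -> float:
    return guesses / rate


if __name__ == "__main__":
    # Examples quoted in the thread (none is a real credential).
    for pw, site in [("ccmmyykk", ""), ("adieiqoq", ""),
                     ("John@Google1234", "Google"), ("Dog@P0N33#H0r2e", "")]:
        guesses, why = estimate_guesses(pw, site)
        print(f"{pw:18} {guesses:>30,d} guesses ({why}); "
              f"~{seconds_to_exhaust(guesses):.3g}s at 1e9/s; "
              f"x{extra_character_factor(pw)} per extra character")
```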
  #18  
Old 05-10-2012, 10:44 AM
septimus septimus is online now
Guest
 
Join Date: Dec 2009
Quote:
Originally Posted by nudgenudge View Post
Could you explain what a challenge-response protocol is? I have several UK bank accounts, and what they typically do is ask you for, say, the 2nd, 5th and last characters of a secret phrase, I suppose to provide some protection against key loggers. Is that what you mean?
IIRC, my friend had a paper with several multi-digit numbers and had to enter a specified subset of them. Of course this could still be cracked if several login sessions were observed, but it seems likely any present-day automated sniffing system would be thwarted. This is good security.

Even better security is obtained if the challenge-response cycle involves the client performing an irreversible calculation -- some USB "dongles" do that I think. This is better security. With the choice of good security or better security, it seems odd that some sites opt instead for bad security.

Is it true that UK banks generally do use challenge-response protocol to protect against sniffers? Is it true that US banks generally do not? If so, why the difference?
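The "irreversible calculation" variant septimus describes, modelled from both sides as an added example (not code from the thread or from any bank): the server issues a fresh random challenge, the client's token answers with an HMAC over it, and a response captured from one session is useless against the next. User names and key sizes are constructed for the demo.

```python
"""HMAC challenge-response login, modelled from both sides.

Added illustration, not code from the thread or from any bank. The server
issues a fresh random challenge, the client's token answers with
HMAC(secret, challenge), and an observer who captured an earlier answer
cannot reuse it. Users and key sizes are constructed for the demo.
"""
import hashlib
import hmac
import secrets


class Token:
    """Client-side dongle: holds a shared secret and never reveals it."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def respond(self, challenge: bytes) -> bytes:
        # One-way: seeing (challenge, response) pairs does not expose the secret.
        return hmac.new(self._secret, challenge, hashlib.sha256).digest()


class Server:
    """Authentication server: enrols tokens, issues and checks challenges."""

    def __init__(self):
        self._secrets: dict[str, bytes] = {}
        self._pending: dict[str, bytes] = {}

    def enroll(self, user: str) -> bytes:
        secret = secrets.token_bytes(32)
        self._secrets[user] = secret
        return secret                      # provisioned into the user's token

    def challenge(self, user: str) -> bytes:
        # Fresh nonce per login attempt; replaces any unanswered challenge.
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user: str, response: bytes) -> bool:
        nonce = self._pending.pop(user, None)      # single use
        if nonce is None or user not in self._secrets:
            return False
        expected = hmac.new(self._secrets[user], nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def login(server: Server, user: str, token: Token) -> bool:
    """The legitimate exchange: server -> challenge, client -> response."""
    return server.verify(user, token.respond(server.challenge(user)))


def replay_observed(server: Server, user: str, observed: bytes) -> bool:
    """An observer who captured one response tries it against a new challenge.
    A static password sent over the wire would be reusable; here the fresh
    nonce makes the old answer worthless."""
    server.challenge(user)
    return server.verify(user, observed)


if __name__ == "__main__":
    server = Server()
    token = Token(server.enroll("alice"))           # constructed user
    nonce = server.challenge("alice")
    answer = token.respond(nonce)                   # what a sniffer could capture
    print("legit login:", server.verify("alice", answer))
    print("replay of captured answer:", replay_observed(server, "alice", answer))
    print("second legit login:", login(server, "alice", token))
```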
  #19  
Old 05-10-2012, 10:56 AM
nudgenudge nudgenudge is offline
Guest
 
Join Date: Jan 2010
Quote:
Originally Posted by septimus View Post
it true that UK banks generally do use challenge-response protocol to protect against sniffers? Is it true that US banks generally do not? If so, why the difference?
None of the half-dozen UK banks I use have that kind of security, but I think some other banks do provide their customers with dongles or token generators.
  #20  
Old 05-10-2012, 12:05 PM
Chronos Chronos is online now
Charter Member
 
Join Date: Jan 2000
Location: The Land of Cleves
Posts: 55,201
Quote:
Quoth md2000:

What's annoying while convenient is the sites that need your email as userid and send a verification to there, thus ensuring that half your credentials are fairly obvious.
That's not half of your credentials. That's none of your credentials. Your credential is your password, and that's it. If you're depending on your username providing any security at all, you're doing it wrong, because the whole point of the username is that it's the insecure part of your login.
  #21  
Old 05-10-2012, 01:34 PM
2sense 2sense is offline
Guest
 
Join Date: Mar 2000
How does brute forcing work these days? The websites I use only give you a very limited number of chances to enter a password before you are locked out. How do they get around that?
__________________
Just my 2sense
  #22  
Old 05-10-2012, 01:45 PM
md2000 md2000 is online now
Guest
 
Join Date: Feb 2009
Quote:
Originally Posted by Chronos View Post
That's not half of your credentials. That's none of your credentials. Your credential is your password, and that's it. If you're depending on your username providing any security at all, you're doing it wrong, because the whole point of the username is that it's the insecure part of your login.
But if the perp does not know or cannot easily verify your login username, that's a small bit more of a roadblock.

The more information that's not automatically available, the better.

But yes, you are right, relying on the fact the other person does not know your name is not a good start.

It's like whether the burglar knows you have a key hidden near your front door. If the burglar KNOWS you do, he will look harder and longer than if he simply suspects that there may be one.
  #23  
Old 05-10-2012, 02:12 PM
Northern Piper Northern Piper is online now
Charter Member
 
Join Date: Jun 1999
Location: Back in Riderville
Posts: 17,719
I'm not sure if I understood the "challenge-response" discussion.

To log onto my bank account, I have a password.

If I answer that correctly, I then have to answer a security question, which I made up myself. There are actually three security questions, which the bank site cycles through with each log-in. Is that a "challenge-response" system?
  #24  
Old 05-10-2012, 02:21 PM
Ruminator Ruminator is offline
Guest
 
Join Date: Dec 2007
Quote:
Originally Posted by Northern Piper View Post
If I answer that correctly, I then have to answer a security question, which I made up myself. There are actually three security questions, which the bank site cycles through with each log-in. Is that a "challenge-response" system?
To add to the confusion, I suspect some folks are using the terms "challenge/response" and "two-factor authentication" interchangeably.

Some banks and websites (PayPal, google gmail, etc) are also using 2-factor authentication (e.g. random digits texted to your cellphone.) Private companies have been doing this for employee remote access for a long time (e.g. SecurID number generators attached to the keychain.)

You could consider 2-factor authentication as a specific subset of "challenge/response".

I would say the "security question" is another form of challenge/response but it's not 2-factor.

Last edited by Ruminator; 05-10-2012 at 02:23 PM..
  #25  
Old 05-10-2012, 02:46 PM
Rick Rick is offline
Charter Member
 
Join Date: Aug 1999
Posts: 15,697
Quote:
Originally Posted by RealityChuck View Post
I use many methods, but currently am going with song lyrics -- taking the initial letter of each word and using a few numbers and special characters. Thus PamtimI1mow&t uses the first line of "Sympathy for the Devil."

Bonus -- you get to hear the song whenever you log in.
[nitpick] you forgot the a between the 1 and the m. [/nitpick]. :-)
This is pretty much what I do except I capitalize the first letter of each line in the song. Using the Star Spangled Banner gives OscysBtdelWspwh
__________________
Remember this motto to live by: Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather one should aim to skid in sideways, chocolate in one hand, glass of Scotch in the other, your body thoroughly used up, totally worn out and screaming "WOO HOO! Man, what a ride!"
  #26  
Old 05-10-2012, 04:15 PM
Blaster Master Blaster Master is offline
Guest
 
Join Date: Feb 2006
The xkcd method was mentioned upthread, and the method I've been using is more or less an implementation of that. I use what is often just called a passphrase. Rather than just choosing random words, I'll take a concept that I associate with the site and make a sentence out of it, and that becomes the password. As long as I can remember that association, I can remember the password.

Let's take the Dope as an example. I could pick a particular forum and have a comment about that or I could have a comment about a particular doper or something related to a thread I remember or whatever. I'll have no problem remembering it. So even if they do figure out that my bank password is TheEntireBankingSystemIsCorrupt! that won't give them any clue that my Dope password is DoperXIsATroll.

I would strongly recommend against using a standard pattern because it's only half a step better than just using the same password for both sites. As mentioned upthread, if someone sees that I have a password for Facebook like Password123@Facebook then someone would be able to try likely permutations at banking or email sites. The absolutely most important rule is to make sure that at least the major sites like email and banking don't share the password with anything else. I actually have two-factor authentication on my email precisely because it's the keys to the kingdom as far as online identity goes.
  #27  
Old 05-10-2012, 05:18 PM
tellyworth tellyworth is offline
Guest
 
Join Date: Dec 2009
Quote:
Originally Posted by 2sense View Post
How does brute forcing work these days? The websites I use only give you a very limited number of chances to enter a password before you are locked out. How do they get around that?
Most web sites don't do that. It opens a trivial DoS attack where you can prevent a given user from logging in.

They hack a web site and obtain a full list of users and hashed passwords. They brute-force those hashes on their own machines. Then they try the same user/pass combinations (and variations) on other web sites.
  #28  
Old 05-11-2012, 10:26 AM
md2000 md2000 is online now
Guest
 
Join Date: Feb 2009
Quote:
Originally Posted by tellyworth View Post
Most web sites don't do that. It opens a trivial DoS attack where you can prevent a given user from logging in.

They hack a web site and obtain a full list of users and hashed passwords. They brute-force those hashes on their own machines. Then they try the same user/pass combinations (and variations) on other web sites.
Yes, to run L0phtcrack I needed admin privilege in order to copy the "SAM" or security database. Microsoft had no "levels of security" at the time, so a remote site administrator was a full administrator of everything; there were probably 20 or 30 admin-level people in the large enterprise.

Similarly, one of the network admins had software that would take the garble in the Cisco device configurations and decode it into a valid password.

Another suggestion that I have heard, but not read an actual case of, is that the password passes over the network between client and authentication server encrypted; the same applies: the hacker intercepts the transmission and compares the encryption of the entire dictionary to the captured encrypted password, looking for a match. Then checks a, aa, aaa, aaaa, etc., ab, abaaa, etc. A few weeks later, if the password is not too long, he may find a match.

You can see why it is simpler to create a fake logon screen site, or otherwise trick the user with social engineering, rather than try to hack the increasingly more robust transmission and server infrastructure. You are the weakest link!

Of course, intercepting communications is a lot less trivial with switched ethernet, and many conversations are completely encrypted. FTP used to be a royal gift, because it allowed for no encryption; the password was passed in the clear across the network. That's why generally it is used mainly for public distributions and low-security material.
  #29  
Old 05-11-2012, 11:34 AM
yabob yabob is online now
Charter Member
 
Join Date: Mar 2000
Posts: 7,252
I used to get ingenious and make up rebuses with punctuation marks and so on, but these days I use a password safe (KeePass) and randomly generate one for sites that I really care about security on. If I'm going to use it a lot, I'll eventually memorize the random string. If I don't use it that often, it isn't that big a deal to retrieve it from the password safe.
  #30  
Old 05-11-2012, 11:56 AM
Donnerwetter Donnerwetter is offline
Guest
 
Join Date: Apr 2012
Dropbox allows you to test if your password is any good:

http://dl.dropbox.com/u/209/zxcvbn/test/index.html

and provides information on how long it would take an attacker to crack it. (The test site is open to the public, you don't need a Dropbox account).
  #31  
Old 05-12-2012, 03:20 PM
Duarf Duarf is offline
Guest
 
Join Date: May 2012
Always having a complicated password for every different online account is almost impossible. Just in email accounts I have several that I use regularly, and then add in banking, credit cards, social media, etc., and having different passwords for all of them is a pain, but necessary. However, one of the first things I look for when setting up an account is whether they offer 2FA (two-factor authentication) where I can telesign into my account. This gives me the confidence that my account won't get hacked and my personal information isn't vulnerable. Personally, I think if you are just relying on your passwords to protect your info you will pay the price sooner or later.
  #32  
Old 07-06-2012, 10:11 AM
Steve MB Steve MB is offline
Charter Member
 
Join Date: Mar 2002
Location: Northern VA
Posts: 9,382
Quote:
Originally Posted by Duarf View Post
Always having a complicated password for every different online account is almost impossible.
It's simple if you use a password manager.
__________________
The Internet: Nobody knows if you're a dog. Everybody knows if you're a jackass.
  #33  
Old 07-06-2012, 10:57 AM
Procrustus Procrustus is offline
Member
 
Join Date: Jun 2007
Location: Pacific NW.
Posts: 4,955
The only place I wouldn't want to be hacked is my bank. If someone breaks into my LinkedIn account and changes my work history, I don't really care. So, if they get my password and I use the same one everywhere (which I do), how would the hacker even know which bank I use or what my username is there? Is there really some hacker out there thinking, "Today I'll see if I can find a way into Procrustus' bank account."
  #34  
Old 07-06-2012, 11:25 AM
filmore filmore is offline
Guest
 
Join Date: Aug 2002
Quote:
Originally Posted by Procrustus View Post
The only place I wouldn't want to be hacked is my bank. If someone breaks into my LinkedIn account and changes my work history, I don't really care. So, if they get my password and I use the same one everywhere (which I do), how would the hacker even know which bank I use or what my username is there? Is there really some hacker out there thinking, "Today I'll see if I can find a way into Procrustus' bank account."

Here's how they do it:

1. Break into LinkedIn and steal their user/pw database. From the user information they get your contact email.

2. They attempt to log into your email account with the pw you used on LinkedIn. If it's the same, they're in.

3. They download your inbox and find all the emails your bank has sent you. They scan those emails looking for your user id for the bank's website

4. They attempt to log into the bank's website using that id and the pw from the LinkedIn website.

Many websites use your email address as your user id (facebook, netflix, amazon, etc). Once the hacker has your email/pw, he may try it on all the other websites which use the email address as the login.

Many people use the same userid across different websites. The hacker may just try the same userid/pw combination in all the bank websites. He doesn't need to know that you bank at Chase. He tries all the bank websites to see if he can find a match.

It's interesting you mentioned LinkedIn. Did you know their password database was recently stolen? Hackers have decrypted many of the passwords and published them on the web. Supposedly they only got the passwords and not the user accounts.
  #35  
Old 07-06-2012, 11:38 AM
gazpacho gazpacho is offline
Charter Member
 
Join Date: Oct 1999
Posts: 5,118
Once they have access to your LinkedIn account, they probably know your primary email account. If you share passwords, they have access to your email account. If you do online banking, they now know what bank you bank at. Given your real name, they can make some good guesses as to your account name. Given access to your email, they can go to your bank and say they forgot your account name, and the bank will send an email to your account with that information. They can read and delete the message with very little risk you will see the message.

You should have different passwords for your email, banks and credit cards. The same one, but different from email and banking, for LinkedIn, Facebook, Straight Dope etc. is not really a big deal.
  #36  
Old 07-06-2012, 11:39 AM
Procrustus Procrustus is offline
Member
 
Join Date: Jun 2007
Location: Pacific NW.
Posts: 4,955
Thanks Filmore. And, yes, that's why I mentioned LinkedIn.
  #37  
Old 07-06-2012, 11:43 AM
Procrustus Procrustus is offline
Member
 
Join Date: Jun 2007
Location: Pacific NW.
Posts: 4,955
Quote:
Originally Posted by Steve MB View Post
It's simple if you use a password manager.
How can we know we're not handing over all our passwords through a scam password manager?
  #38  
Old 07-06-2012, 11:46 AM
Tastes of Chocolate Tastes of Chocolate is offline
Charter Member
 
Join Date: Aug 2003
Location: slightly north of center
Posts: 4,264
Quote:
Originally Posted by filmore View Post
Many websites use your email address as your user id (facebook, netflix, amazon, etc). Once the hacker has your email/pw, he may try it on all the other websites which use the email address as the login.
I've been noticing more and more of this, and I hate it. Let's go back to not using my email address as the user ID. If there are 2 pieces of information that a hacker doesn't know about me (ID and password), it makes it much harder to hack my accounts.
Reply With Quote
  #40  
Old 07-06-2012, 12:20 PM
Steve MB Steve MB is offline
Charter Member
 
Join Date: Mar 2002
Location: Northern VA
Posts: 9,382
Quote:
Originally Posted by Procrustus View Post
The only place I wouldn't want to be hacked is my bank. If someone breaks into my LinkedIn account and changes my work history, I don't really care. So, if they get my password and I use the same one everywhere (which I do), how would the hacker even know which bank I use or what my username is there?
There aren't that many banks; a hacker who manages to collect a large database of passwords can just try them all. As for the username -- er, are you using different hard-to-guess usernames at different sites while recycling one password?

Quote:
Originally Posted by Procrustus View Post
How can we know we're not handing over all our passwords through a scam password manager?
Ideally, use one with open source code like KeePass. Alternatively, a traffic sniffer can test for such shenanigans; presumably the various malware/antivirus companies check for that when updating their threat databases.
__________________
The Internet: Nobody knows if you're a dog. Everybody knows if you're a jackass.
Reply With Quote
  #41  
Old 07-06-2012, 02:42 PM
Jamicat Jamicat is offline
Guest
 
Join Date: Dec 2008
I use the uniqueness of the website name as the primer of the password plus a little more stuff.

I am the only one that knows the key.

I have never forgotten a password since I adopted it.
Reply With Quote
  #42  
Old 07-06-2012, 03:14 PM
filmore filmore is offline
Guest
 
Join Date: Aug 2002
Quote:
Originally Posted by Tastes of Chocolate View Post
I've been noticing more and more of this, and I hate it. Let's go back to not using my email address as the user ID. If there are 2 pieces of information that a hacker doesn't know about me (ID and password), it makes it much harder to hack my accounts.
One way to address this vulnerability is to use a unique email address for each web site. There are mail forwarding services like spamgourmet.com which allow you to create unlimited email addresses that are forwarded to your main address. For example, I might have my email on this site as sdmb.20.filmore@spamgourmet.com and Facebook as facebook.20.filmore@spamgourmet.com. Mail addressed to either address will be forwarded to my main account.

Some email services allow you to create different versions of your address. For example, Gmail will allow you to add +anything to your email address: both filmore+sdmb@gmail.com and filmore+facebook@gmail.com are valid addresses for filmore@gmail.com.

Using techniques like these means that you won't have the same email address across multiple websites. In addition, if you start getting spam addressed to one of your custom addresses, you can disable it or direct that mail to go to the trash.
Reply With Quote
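The per-site alias idea in the post above, worked through as an added example (not code from the poster or from spamgourmet/Gmail). It takes a few constructed "To:" headers from mail that reached the inbox, maps each alias back to the mailbox it forwards to, and counts messages per site tag, which is the information you need to decide which alias to disable. The spamgourmet address layout (word.count.user) is assumed from the two addresses in the post; the Gmail rule that "+tag" and dots in the local part are ignored is real behaviour, and the example shows that the alias collapses back to the base address with one string operation.

```python
import re
from collections import Counter

# Constructed sample: "To:" headers pulled from messages that landed in the inbox.
SAMPLE_HEADERS = [
    "To: sdmb.20.filmore@spamgourmet.com",
    "To: facebook.20.filmore@spamgourmet.com",
    "To: facebook.20.filmore@spamgourmet.com",
    "To: filmore+netflix@gmail.com",
    "To: fil.more@gmail.com",
]

# Assumed layout of a spamgourmet disposable address: <sitetag>.<count>.<user>@spamgourmet.com
SPAMGOURMET_RE = re.compile(
    r"^(?P<tag>[^.@]+)\.(?P<count>\d+)\.(?P<user>[^.@]+)@spamgourmet\.com$"
)


def canonical(address):
    """Return (owner, site_tag) for an alias: the mailbox it forwards to and the per-site label.

    owner is the spamgourmet user name for spamgourmet aliases, or the base
    Gmail address (plus-tag and dots removed) for Gmail aliases; tag is None
    when the address carries no per-site label.
    """
    addr = address.strip().lower()
    m = SPAMGOURMET_RE.match(addr)
    if m:
        return m.group("user"), m.group("tag")
    local, _, domain = addr.partition("@")
    if domain == "gmail.com":
        base, _, tag = local.partition("+")   # everything after '+' is the per-site tag
        base = base.replace(".", "")          # Gmail also ignores dots in the local part
        return base + "@gmail.com", tag or None
    return addr, None


def mail_per_alias(headers):
    """Count messages per (owner, site_tag) so a leaked or sold alias stands out."""
    counts = Counter()
    for line in headers:
        if not line.startswith("To:"):
            continue
        owner, tag = canonical(line[len("To:"):])
        counts[(owner, tag)] += 1
    return counts


if __name__ == "__main__":
    for (owner, tag), n in sorted(mail_per_alias(SAMPLE_HEADERS).items(), key=str):
        print(f"{owner:<20} tag={tag!s:<10} messages={n}")
```

Run it against headers exported from a mail client rather than the constructed list; an alias that only one site ever received, yet suddenly accounts for most of the spam, identifies the site that leaked it.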
  #43  
Old 07-06-2012, 03:30 PM
zoid zoid is online now
Charter Member
 
Join Date: Sep 2001
Location: Chicago Il
Posts: 8,179
I pick a random object in my office and describe it.

BrownChairFourLegs was my last password.
Reply With Quote
  #44  
Old 07-06-2012, 04:39 PM
Ca3799 Ca3799 is offline
Guest
 
Join Date: Feb 2003
I use a sentence with a name and number. It's pretty easy to remember a sentence. For example "Brad Pitt is a 10 on the hotness scale" is "BPia10oths".
Reply With Quote
  #45  
Old 07-06-2012, 04:59 PM
ScarletNumber ScarletNumber is offline
BANNED
 
Join Date: Jul 2012
Posts: 161
Obligatory XKCD refer...

Oh, wait. Never mind.
Reply With Quote
  #46  
Old 07-06-2012, 05:27 PM
srzss05 srzss05 is offline
Guest
 
Join Date: Sep 2009
Quote:
Originally Posted by zoid View Post
I pick a random object in my office and describe it.

BrownChairFourLegs was my last password.
Quote:
Originally Posted by Ca3799 View Post
I use a sentence with a name and number. It's pretty easy to remember a sentence. For example "Brad Pitt is a 10 on the hotness scale" is "BPia10oths".
If you do that for every single password, you are eventually going to have to write them down. And if you have to write them down, then a simple system like that isn't any better than "true" random characters.
Reply With Quote
  #47  
Old 07-08-2012, 05:48 PM
Skald the Rhymer Skald the Rhymer is offline
Member
 
Join Date: Jul 2003
Posts: 24,349
Before I abandoned writing fiction, I would use a password based on the first sentence of whatever story I was working on, taking the first letter of each word and changing a few to @, $, 0, and so forth. Nowadays it's poems.
Reply With Quote
  #48  
Old 07-09-2012, 04:30 PM
iamthewalrus(:3= iamthewalrus(:3= is offline
Guest
 
Join Date: Jul 2000
Quote:
Originally Posted by filmore View Post
One way to address this vulnerability is to use a unique email address for each web site. There are mail forwarding services like spamgourmet.com which allow you to create unlimited email addresses that are forwarded to your main address. For example, I might have my email on this site as sdmb.20.filmore@spamgourmet.com and Facebook as facebook.20.filmore@spamgourmet.com. Mail addressed to either address will be forwarded to my main account.
This has the same problem that "user@website1234" as a password has. It's easily predictable, so it doesn't really give you any additional security if you use it in that predictable way. And user names are generally stored in cleartext in a bunch of places, so trying to add security to them is misguided.

The purpose of email forwarding sites like that is to figure out who might be selling your email address. Even then, it's of pretty limited utility, since spammers know that gmail can have "word+" appended to an email address, and they'll just strip that off before spamming you.

The way to have secure passwords is to use Keepass (or some other highly-regarded password safe), use it to generate long strong unique passwords for every site, and keep the keyfile protected with a good password. Anything else is a half-measure.
Reply With Quote
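Added example, not from any poster: it puts numbers on the "simple system versus random characters" point from srzss05's post and the "generate long strong unique passwords" advice just above. The generator draws from the operating system's CSPRNG via Python's `secrets` module, the way a password safe does; the entropy helpers compare a uniformly random password with a describe-an-object scheme like "BrownChairFourLegs". The vocabulary sizes for that scheme (20 colours, 200 office objects, 10 attributes) are assumptions chosen only to illustrate the calculation.

```python
import math
import secrets
import string

# 94 printable ASCII symbols (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password from the OS CSPRNG; generate one per site."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def scheme_bits(choices_per_slot):
    """Entropy of a scheme built from independent slots, e.g. [colours, objects, attributes].

    Assumes the attacker knows the scheme and only has to guess which choice
    filled each slot; the entropy is the sum of log2 of the slot sizes.
    """
    return sum(math.log2(n) for n in choices_per_slot)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate (offline attack on a hash)."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


# Assumed vocabulary sizes for a "describe an office object" password.
OBJECT_SCHEME = [20, 200, 10]   # colour, object, attribute such as leg count
ASSUMED_GUESS_RATE = 1e10        # guesses/s, an assumed figure for a fast offline attack

if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw)
    print(f"random 20 x 94 symbols : {random_bits(20, 94):6.1f} bits, "
          f"{years_to_exhaust(random_bits(20, 94), ASSUMED_GUESS_RATE):.2e} years")
    print(f"object-description      : {scheme_bits(OBJECT_SCHEME):6.1f} bits, "
          f"{years_to_exhaust(scheme_bits(OBJECT_SCHEME), ASSUMED_GUESS_RATE):.2e} years")
```

The comparison is what matters, not the exact years: a memorable three-slot description sits around 15 bits under these assumptions and is exhausted in a fraction of a second offline, while a 20-character random password from a manager sits above 130 bits. Even doubling every vocabulary only adds one bit per slot.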