Online Account Passwords Question

Does Amazon or Merrill Lynch know my account password? More generally, do the various entities I deal with have the ability to figure out my password, or are they encrypted such that they can’t be decrypted by anyone? I believe there have been some high-profile computer breaches where customer passwords were stolen, but I’m not sure how anyone can do that if they are properly encrypted.

If they are doing things properly, they never store your unencrypted password. There’s no good reason for them to do so. Lots of places don’t follow proper security protocols, and that’s where passwords are stolen.

Here’s an article about some organisations that got this badly wrong (includes some big names): https://www.howtogeek.com/434930/why-are-companies-still-storing-passwords-in-plain-text/#:~:text=Several%20Companies%20Have%20Improperly%20Stored,salting%20passwords%20for%20most%20users.

Better than encrypted – hashed, so there is no “decryption key” stored by anyone anywhere. And salted, so if someone else has the same password as you, that can’t be seen from the hashes.

video on the topic: https://www.youtube.com/watch?v=yoMOAIzBSpY

(Of course many websites don’t do this correctly, but hopefully banks and such aspire to best practices).
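An added example (not posted by anyone in the thread) of what "hashed and salted" looks like in practice, using Python's standard library: each user gets a random salt, the site stores only the salt plus the PBKDF2 output, and login recomputes the hash and compares it in constant time. The usernames and passwords are constructed sample data, and the iteration count is an assumption chosen for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed work factor for this example: PBKDF2-HMAC-SHA256 with a high iteration
# count so that each guess costs the attacker real CPU time. Production code should
# use its password library's current recommended setting.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash (base64).

    A fresh random salt is drawn per call unless one is supplied, so two users
    with the same password end up with different records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.

    Nothing here can be run backwards: the record lets the site check a guess,
    but there is no key that turns the stored hash back into the password.
    """
    algo, iters, salt_b64, digest_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(candidate, expected)


def register_users(creds: Dict[str, str]) -> Dict[str, str]:
    """What the site actually stores: username -> record. Plaintext is never kept."""
    return {user: hash_password(pw) for user, pw in creds.items()}


if __name__ == "__main__":
    # Constructed sample accounts (not real credentials). alice and bob share a password.
    table = register_users({"alice": "letmein", "bob": "letmein", "carol": "Tr0ub4dor&3"})
    for user, rec in table.items():
        print(user, rec)
    # Same password, different salt, different stored hash: the table does not reveal
    # that alice and bob chose the same thing.
    assert table["alice"] != table["bob"]
    assert verify_password("letmein", table["alice"])
    assert not verify_password("letmein", table["carol"])
```

The `hmac.compare_digest` call matters: a plain `==` on the digests would leak, through timing, how many leading bytes of a guess were right.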

When the news talks of passwords being stolen, there’s one of two things they could mean: First, it could mean that the site was incompetent in how they implemented security, and they do have your passwords in the clear, and someone stole those cleartext passwords. I don’t expect that Amazon would do this, but bad security like this is much more common than it should be.

Second, it could mean that the passwords were properly encrypted, but that someone got ahold of the file of encrypted passwords. This is still bad news, but not nearly as bad: It means that the bad guys can now go to work trying to crack all of those passwords on their own time, using their own equipment. A truly good password will still be safe even in this case, but most passwords aren’t actually that good (most of the advice you’ll find online for how to generate strong passwords doesn’t actually generate strong-enough passwords). And then, of course, there are plenty of people out there whose passwords aren’t strong at all, the likes of “password” or “swordfish”, or “letmein”, or “123456”, and the bad guys are sure to get all of those instantly.

Of course, those weak passwords were still a risk even before the file theft, but not as much of one, because the secure site still controls access to the password system: They’ll have security measures like locking someone out after they try three wrong passwords, or limiting login attempts from any one account, and the like. Once the encrypted file is stolen, however, most of that extra security is lost.

Plus, of course, once the bad guys know that the user named "Joe.Blow@someplace.com" used password "letmein" at one crappy website, they'll try that same username and password at potentially more lucrative sites like banks, brokerages, Amazon, GMail, etc.

Since each site is only going to be hit once, that won’t arouse most of those sites to notify Joe.Blow. Part of why some finance sites now send you an email every time you flub a PW is precisely so that if some bad guys do try your name at a dozen banks once each, you’ll get a flood of a dozen emails warning that somebody is trying to be you.
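An added example (not from any poster) that acts out the difference described above between a stolen hash file and a live login page. The same ten-word list is thrown at a constructed set of salted records twice: once offline, where the attacker can try every word against every user and the only cost is hashing time, and once through a login endpoint that locks an account after three failures. The accounts, passwords, word list and lockout threshold are all constructed for the demonstration, and the iteration count is kept deliberately low so it runs in a fraction of a second.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, List, Optional, Tuple

# Deliberately low so the demo is fast. A real site would use a far slower
# setting, which is exactly what makes the offline attack expensive.
ITERATIONS = 1_000


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 record (salt, digest), the form a site would store."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def check(password: str, record: Tuple[bytes, bytes]) -> bool:
    salt, digest = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(guess, digest)


# Constructed "stolen file": username -> (salt, hash). Not real accounts.
STOLEN: Dict[str, Tuple[bytes, bytes]] = {
    "joe.blow@someplace.com": make_record("letmein"),
    "fins": make_record("swordfish"),
    "carol": make_record("123456"),
    "dave": make_record("xK9#vQ2m!pL7wZ4r"),  # random; no word list will contain it
}

# Constructed word list. Real crackers use tens of millions of leaked passwords.
WORDLIST: List[str] = ["password", "123456", "qwerty", "letmein", "swordfish",
                       "dragon", "iloveyou", "admin", "welcome", "monkey"]


def crack_offline(stolen: Dict[str, Tuple[bytes, bytes]],
                  wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Attacker holding the file: unlimited guesses, no lockout, no alerts.

    Returns the recovered passwords and the number of hash computations spent.
    Because every user has a different salt, each word must be re-hashed per user;
    with an unsalted table one hash per word would have covered all users at once.
    """
    found: Dict[str, str] = {}
    work = 0
    for user, record in stolen.items():
        for guess in wordlist:
            work += 1
            if check(guess, record):
                found[user] = guess
                break
    return found, work


class OnlineLogin:
    """The site's login endpoint: the account locks after MAX_FAILURES wrong guesses."""
    MAX_FAILURES = 3

    def __init__(self, db: Dict[str, Tuple[bytes, bytes]]) -> None:
        self.db = db
        self.failures: Dict[str, int] = {}

    def attempt(self, user: str, password: str) -> Optional[bool]:
        """True on success, False on a wrong password, None once the account is locked."""
        if self.failures.get(user, 0) >= self.MAX_FAILURES:
            return None
        ok = check(password, self.db[user])
        if not ok:
            self.failures[user] = self.failures.get(user, 0) + 1
        return ok


def crack_online(site: OnlineLogin, users: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Same word list, but each guess goes through the site's lockout logic."""
    found: Dict[str, str] = {}
    for user in users:
        for guess in wordlist:
            result = site.attempt(user, guess)
            if result is None:
                break  # locked out: the attacker got MAX_FAILURES tries and no more
            if result:
                found[user] = guess
                break
    return found


if __name__ == "__main__":
    offline, work = crack_offline(STOLEN, WORDLIST)
    print("offline:", offline, "hash computations:", work)   # 3 of 4 fall; dave survives
    online = crack_online(OnlineLogin(STOLEN), STOLEN.keys(), WORDLIST)
    print("online:", online)                                  # only carol ("123456", 2nd guess)
```

With the constructed list, "letmein" is the fourth word and "swordfish" the fifth, so both accounts lock before the right guess arrives online, while offline every weak password falls and only the random one holds.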

Ignorance fought. Thanks, everyone.

Yep, that’s also a reason why the ‘password system’ that people sometimes proudly say they have, may be a really bad thing. Often the passwords people generate with the system in their heads aren’t really unique in a useful way; I’ve seen people suggest memorising a complex-looking string, then using that same string everywhere, appended with a few meaningful characters based on the site - for example something like:
YgWVNbaF3cQ3_AM for Amazon
YgWVNbaF3cQ3_EB for eBay
YgWVNbaF3cQ3_SD for the SDMB…

Such systems often give people the illusion that they're doing something safe, without any of the actual safety or benefits; anything that's easier to figure out for remembering is also easier to figure out and break.

I’d argue that although not perfect, it actually does provide a significant level of protection. Let’s pretend that LinkedIn is hacked and through a combination of circumstances the encryption key and salt are also stolen. The username/password list is unencrypted and 1,000,000 logins are sold on the Dark Web.

The buyer is not looking for “FinsToTheLeft”, they are looking for volume. They will likely have a distributed bot network that tries to use each user/pass to login to Amazon, eBay, and Walmart and log the live accounts. They can then either resell the live accounts, or use them to buy stuff before the account and/or linked credit card are shut down.

They are not saying “FinsToTheLeft” with password “MySecret-LinkedIn” didn’t work, so I will try “MySecret-EB” to try to get in to eBay. It will fail on the other targeted sites and they will just move on to “FinsToTheRight” or whatever the next account is.

The exception is if you are being specifically targeted by either criminals or state actors.

I did use this system for many years before moving to a password management system with unique passwords about a decade ago.

That perhaps holds true for information that is only bought and sold in bulk, but some breaches are just pasted in a public place for anyone to get hold of - including small time operators who may well sift through the data for meaning.

And how many people now use the password “correct horse battery staple”?

I use “incorrect horse battery staple”. They’ll never guess that!

Person woman man camera tv

I’m a software engineer with some cryptographic experience (but I’m in no way an expert in the field) and I completely agree with FinsToTheLeft. Outside of being explicitly targeted by some group there’s not much of a chance of someone’s passwords being stolen.

But that’s not “no chance”. There are ways that the pw scheme could be exploited; it’s just that the return will generally be too small for criminals to attempt. When people ask for my advice I usually say the pw scheme is fine for everything but financial sites.

Consider this a reminder to everyone to use a password manager if not already doing so.

IMO, and in my experience, doing something that’s good enough, but not as good as it could be is just a recipe for greater pain in the long run. Don’t do the minimum necessary to secure your accounts; do the maximum possible.

This is why I use a password generator. I use an offline one because of the single point of failure problem. (Yes, someone could get onto my computer and steal my passwords, but they’d have to come to my place to do so.)

Up until a few years ago, I tried to generate and memorize passwords that were “complicated enough” but, naturally, I ended up reusing some of them. “Have I Been Pwned” showed that a few had been “found out” although that was after I had changed all those passwords. That website shows the date of the leaks.

(Found out probably means someone has access to the encrypted passwords, it doesn’t mean they decrypted them or tried to hack any of my accounts.)

It’s slightly less secure, but most browsers now have password generators. I’ve never used one since I have an offline generator, but I think if we could get more people to use them, we would enhance the general level of security for most accounts.
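An added example (not from any poster) of how a "has this password been leaked" check can be done without sending the password anywhere. The Pwned Passwords service behind Have I Been Pwned is queried by the first five hex characters of the password's SHA-1; the reply lists every known hash suffix under that prefix with a count, and the match is done locally. The code below implements that client-side logic against a constructed, in-memory stand-in for the service, so it runs offline; the breached passwords and their counts in that stand-in are made up, and the real service returns hundreds of suffixes per prefix rather than the handful here.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint is GET https://api.pwnedpasswords.com/range/<5 hex chars>.
# This example never contacts it; fake_fetch_range below stands in for it.


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> Tuple[str, str]:
    """Only the 5-char prefix leaves the machine; the 35-char suffix stays local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Response lines have the form SUFFIX:COUNT. Returns suffix -> count."""
    table: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in corpus. Passwords and counts are made up for the example.
_FAKE_CORPUS = {"password": 3_861_493, "letmein": 245_000, "123456": 37_359_195}
_FAKE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _count in _FAKE_CORPUS.items():
    _p, _s = split_for_range_query(_pw)
    _FAKE_INDEX.setdefault(_p, {})[_s] = _count


def fake_fetch_range(prefix: str) -> str:
    """Mimics the service: every prefix gets an answer, including a decoy suffix,
    so the caller cannot infer anything from an empty reply."""
    rows = dict(_FAKE_INDEX.get(prefix.upper(), {}))
    rows["0" * 35] = 1  # decoy line, constructed
    return "\r\n".join(f"{s}:{c}" for s, c in rows.items())


if __name__ == "__main__":
    for candidate in ["password", "letmein", "xK9#vQ2m!pL7wZ4r"]:
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: sent prefix {prefix}, seen {breach_count(candidate, fake_fetch_range)} times")
```

This is also why "found out" on that site does not mean anyone decrypted anything: the service holds hashes of passwords that have appeared in public dumps, and your client only ever learns whether your own hash is among them.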

It takes a super high IQ to remember a password like that!

I doubt very many people literally use “Correct Horse Battery Staple” as their password. The bigger problem comes from the people who “improve” on the scheme by picking words that form a sentence, so they’re easier to remember.

For passwords that I want to remember manually, I’m a fan of the Diceware approach. Randomly generate lists of unrelated words (your “correcthorsebatterystaple”) which are then easy to remember by creating a little story around them.

Generally, I’ll let my password manager handle things, but the master password for the password manager itself is a diceware-generated phrase.

Oh, and the aspiration is 2FA everywhere that supports it. I’m not 100% there yet, but important sites are covered.
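An added example (not from any poster) of the Diceware approach mentioned above: words are picked by dice rolls from a fixed list, and the strength of the phrase follows from the list size and word count alone, not from how memorable the words are. The code uses a cryptographic random source in place of physical dice. The 36-word list is constructed so the example is self-contained (the real Diceware list has 7776 words, one per five-dice roll); the entropy figures are computed from whatever list is actually in use, so they stay honest for the small one.

```python
import math
import secrets
from typing import List, Sequence

# Constructed miniature list: 36 words, so each word is chosen by two dice.
WORDLIST: List[str] = [
    "acorn", "badge", "cabin", "delta", "eagle", "fable", "gamma", "hazel", "igloo",
    "jelly", "karma", "lemon", "mango", "noble", "olive", "panda", "quilt", "radar",
    "salsa", "tiger", "ultra", "vivid", "wafer", "xenon", "yacht", "zebra", "amber",
    "bison", "cedar", "dingo", "ember", "flint", "gecko", "heron", "ivory", "juror",
]


def dice_per_word(list_size: int) -> int:
    """Number of dice needed to index the list; the list must have 6**n entries."""
    n = round(math.log(list_size, 6))
    if 6 ** n != list_size:
        raise ValueError("wordlist size must be a power of 6 (36, 216, 1296, 7776, ...)")
    return n


def roll_index(num_dice: int) -> int:
    """Roll num_dice fair dice and read them as a base-6 number (0-based index)."""
    idx = 0
    for _ in range(num_dice):
        idx = idx * 6 + secrets.randbelow(6)
    return idx


def diceware_phrase(wordlist: Sequence[str], n_words: int, separator: str = " ") -> str:
    n = dice_per_word(len(wordlist))
    return separator.join(wordlist[roll_index(n)] for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Each uniformly chosen word contributes log2(list_size) bits."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count reaching the target entropy for a given list."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    phrase = diceware_phrase(WORDLIST, 5)
    print(phrase, "->", round(entropy_bits(len(WORDLIST), 5), 1), "bits from the 36-word list")
    print("four words from the real 7776-word list:", round(entropy_bits(7776, 4), 1), "bits")
    print("words of the 7776 list needed for 80 bits:", words_needed(7776, 80))
```

The entropy calculation is the check that the "make it a sentence" shortcut fails: once you choose words that go together, they are no longer uniform picks from the list, and the log2 arithmetic no longer applies to your phrase.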

Seconding this. MFA can cut password hacking by 1000x according to Microsoft research.