  • Extortion Emails with my Askwoody password


    This topic contains 44 replies, has 19 voices, and was last updated by  wavy 2 months, 1 week ago.

    • #1922274

      Sparky
      AskWoody Plus

      Recently I received a flurry of extortion emails sent to the email address that I used to register with on Askwoody.com. The extortion email included the password that I was using on Askwoody.com. I immediately changed the old password to a new password. I also was using the same password on a couple of other forum sites; I have changed those passwords.

      I think I have a hunch which site was compromised; the site could be Malwarebytes, which was hacked back in 2014. The information source is the “Have I been pwned” website: https://haveibeenpwned.com/

      I have recently seen a couple of these emails before, but this is the first time the email came with a currently used password.

      After a little research, some people say to contact the police and/or the FBI.
      Some say to just mark the emails as phishing and delete them?
      Should I contact my email account provider?

      The main question is,
      What is the correct course of action with these types of emails?

      Everything on my machine is patched with the latest patches including the browser.

      Thanks,

      Sparky

      HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

      1 user thanked author for this post.
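The “Have I been pwned” check Sparky mentions can be done without ever sending the password itself. Added example (not code from the thread or from HIBP): the Pwned Passwords API takes only the first five hex characters of the password’s SHA-1 and returns every known hash suffix under that prefix, so the match is made locally. `RANGE_BODY_5BAA6` is a constructed excerpt standing in for the API’s reply for prefix `5BAA6`; only `RANGE_URL` and the `Add-Padding` header are the real API.

```python
"""Offline demo of the k-anonymity lookup used by the Pwned Passwords API.
Only a 5-character SHA-1 prefix goes over the wire; the full hash stays local.
RANGE_BODY_5BAA6 is a constructed stand-in for the API reply for prefix 5BAA6."""
import hashlib
import urllib.request
from typing import Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called in the demo

# Constructed: three SUFFIX:COUNT lines; the middle one is the real SHA-1 tail of "password".
RANGE_BODY_5BAA6 = """0018A45C4D1DEF81644B54AB7F969B88D65:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2
"""


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 split into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> Dict[str, int]:
    """Turn the API's 'SUFFIX:COUNT' lines into {suffix: count}; padded 0-count rows parse too."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus; 0 means its suffix was absent."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_body).get(suffix, 0)


def fetch_range_body(prefix: str) -> str:
    """Live lookup for real use: sends only the prefix. Not invoked by the demo."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print(prefix, breach_count("password", RANGE_BODY_5BAA6))
```

For a live check, replace `RANGE_BODY_5BAA6` with `fetch_range_body(prefix)`. A non-zero count means the password is in at least one public dump and every site still using it should be treated as exposed, whether or not an extortion email has arrived yet.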
    • #1922323

      woody
      Da Boss

      I’d be surprised if you got a response from any law enforcement agencies.

      Most important move is what you just did – change any accounts that have the same password. I would add that if you have any financial or other sensitive accounts with the same password, you should try to change both the email address and the password on those accounts.

      (By the way, we use the default WordPress salting and hashing algorithm. In layman’s terms, even if someone could see the salted and encrypted passwords we store here, it would take for-e-ver to figure out the original password.)

      4 users thanked author for this post.
      • #1922454

        Sparky
        AskWoody Plus

        Woody,

        Just to clarify that was Malwarebytes forums. I hardly ever used it.

        The accounts were from online forums. No financial or other sensitive accounts.

        Thanks,

        Sparky

        HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

        1 user thanked author for this post.
    • #1922367

      Microfix
      Da Boss

      Not really a good idea to re-use passwords on different fora or any sites, IMO. Not only that, using different passwords makes tracking down the issue a bit easier if a password is compromised (you know where it has originated from). Best to use a mixture of 12 or more characters: alphanumerics and symbols where possible.
      When was the last time you did a full system virus/malware scan on your system?
      Is there any way to check via your webmail (if you have one) for IPs accessing your account?

      ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

      1 user thanked author for this post.
      • #1922511

        Sparky
        AskWoody Plus

        Microfix,

        Don’t re-use passwords on different fora or any sites.
        I won’t make the same mistake twice.

        When was the last time you did a full system virus/malware scan on your system? About a month ago; doing one right now.

        Is there any way to check via your webmail (if you have one) for IPs accessing your account? Someone was trying to access 15 times, starting on 8/8/19 through 8/25/19, from places throughout the world. Automatic sync (whatever that means); result was unsuccessful sync. Protocol: IMAP. All the IPs are different.

        This is kind of strange, when I posted this Thread I received an Adult Dating email at the exact same time. 11:46 am.

        Thanks,

        Sparky

        HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A
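The activity Sparky reports (a string of failed IMAP syncs from unrelated IPs over two and a half weeks) is the classic footprint of a leaked password being replayed against the mailbox. Added example, not code from the thread: it triages a webmail “recent activity” export for exactly that pattern and for the one event that turns noise into a compromise, a successful login from an address that is not yours. The CSV column layout and every row in `SAMPLE_ACTIVITY` are constructed and do not match any particular provider’s export; `known_ips` is whatever addresses you actually log in from.

```python
"""Triage a webmail sign-in activity export for credential-stuffing signs.
SAMPLE_ACTIVITY is constructed (documentation IP ranges); the column layout is
an assumption, not any provider's real export format."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

SAMPLE_ACTIVITY = """timestamp,protocol,result,ip,country
2019-08-08T03:12:44Z,IMAP,failure,198.51.100.17,BR
2019-08-09T11:40:02Z,IMAP,failure,203.0.113.5,VN
2019-08-09T22:18:30Z,Web,success,192.0.2.10,US
2019-08-12T04:55:11Z,IMAP,failure,198.51.100.200,RU
2019-08-15T17:03:09Z,IMAP,failure,203.0.113.77,IN
2019-08-25T06:21:58Z,IMAP,failure,198.51.100.99,NG
"""


def parse_activity(text: str) -> List[Dict]:
    """Read the export and attach a parsed datetime to each row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def triage(events: List[Dict], known_ips: Set[str], min_distinct_ips: int = 3) -> Dict:
    """Flag protocols hit from many distinct IPs and any success from an unknown IP."""
    failures = [e for e in events if e["result"] == "failure"]
    ips_by_protocol: Dict[str, Set[str]] = defaultdict(set)
    for e in failures:
        ips_by_protocol[e["protocol"]].add(e["ip"])
    # Many unrelated source IPs against one protocol is a list being replayed, not a typo.
    flagged = {p: sorted(ips) for p, ips in ips_by_protocol.items()
               if len(ips) >= min_distinct_ips}
    span_days = 0
    if failures:
        span_days = (max(e["when"] for e in failures) - min(e["when"] for e in failures)).days
    # Failures are noise until a success shows up from somewhere you were not.
    foreign_success = [(e["timestamp"], e["ip"]) for e in events
                       if e["result"] == "success" and e["ip"] not in known_ips]
    if foreign_success:
        verdict = "compromised: rotate password, revoke sessions and app passwords"
    elif flagged:
        verdict = "stuffing: password is in a leak; change it and disable IMAP/basic auth if unused"
    else:
        verdict = "clean"
    return {
        "flagged_protocols": flagged,
        "failure_countries": sorted({e["country"] for e in failures}),
        "span_days": span_days,
        "successes_from_unknown_ips": foreign_success,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(parse_activity(SAMPLE_ACTIVITY), known_ips={"192.0.2.10"}))
```

The reason IMAP shows up so often in these logs is that it is a legacy protocol that takes a bare username and password, so it is the cheapest way to test a leaked credential; a provider that lets you turn off IMAP (or basic authentication) when you do not use it removes that path entirely.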

    • #1922391

      cyberSAR
      AskWoody Plus

      I’d be surprised if you got a response from any law enforcement agencies.

      Don’t even get me started! Last year my little brother’s Home Depot account was hacked. They changed his delivery address and CC info and placed a $500 order. Found out due to an extra email that was forwarded to him.

      Changed his password, deleted his credit card info and notified Home Depot immediately. Called the local PD since the stolen CC billing info was in the same jurisdiction. They didn’t even take a report, or check with the stolen CC holder.

      I tracked her down in about 5 minutes (with no special access), phoned her and explained the situation. Sure enough she had the Home Depot charge on her account and phoned Visa to block it. Notified the local PD and Home Depot of the new info. Neither cared.

      Home Depot actually shipped the order to the delivery location 2 days later and sent the delivery email to my little brother!!!

      Wonder why costs of products and interest rates are so high? In my old LEO days we would have handled it and probably caught someone picking up the delivery. Who knows… I’m sure they did more than just this one fraudulent purchase.

       

      7 users thanked author for this post.
    • #1922392

      Lars220
      AskWoody Lounger

      If you are in the USA, you may want to take a look at the FBI Internet Crime Complaint Center IC3 website, near the top is a link to File a Complaint:

      https://www.ic3.gov/crimeschemes.aspx

      Also, The Guardian has an informative article with a link for UK police reporting:

      https://www.theguardian.com/technology/askjack/2019/jan/17/phishing-email-blackmail-sextortion-webcam

      Hope This Helps

      6 users thanked author for this post.
      • #1922664

        wavy
        AskWoody Plus

        I tracked her down in about 5 minutes (with no special access), phoned her and explained the situation. Sure enough she had the Home Depot charge on her account and phoned Visa to block it. Notified the local PD and Home Depot of the new info.

        Just not following whom ‘she’ is.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #1922666

          cyberSAR
          AskWoody Plus

          Sorry, “she” was the owner of the credit card that was compromised. They replaced my brother’s CC info with the compromised card info.

    • #1922524

      Wasn’t there just an Outlook 2010 – 365? patch for a Preview Pane exploit (Aug)?

      Keep your browser locked up tight you alls.  wordpress redirects?  who knows… lots of variables

    • #1922572

      ScotchJohn
      AskWoody Plus

      Also, The Guardian has an informative article with a link for UK police reporting:

      https://www.theguardian.com/technology/askjack/2019/jan/17/phishing-email-blackmail-sextortion-webcam

      More recently, The Times has exposed Action Fraud, after getting their own man into AF’s call centre, outsourced to a company run by US firm Concentrix.  This makes pretty reading:

      See this, paywall unfortunately

      One would hope that other jurisdictions take reporting of online fraud more seriously.

      Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      1 user thanked author for this post.
    • #1922712

      anonymous

      Hi Sparky, in your original post you mention a flurry of emails. I presume each was from a unique and barely readable user and domain. Then further on you say “The information source is from the “Have I been pwned” website”. I wasn’t sure if you meant the fraudulent emails claimed to have used that source, or that you had consulted that source after reading the attempted extortion notes.

      Would you please clarify if there was any pattern among the fraudulent senders? And whether it was you or the senders that consulted haveibeenpwned?

      Thanks for posting the event. It is a breadcrumb for the rest of us in case we see more of them. My input on your main question, “What is the correct course of action with these types of emails?” is that I never would have read them at all. Unrecognized addresses are trashed on sight. When I have time to spare or feel an unusual burst of curiosity I may look at the sender domain. But I cannot remember the last time that revealed anything I wanted to follow up.

      Since you did read them, changing your passwords was exactly the right thing to do. The real con would begin if you actually corresponded by replying to the extortion attempt. Just ignore it.

    • #1922854

      Sparky
      AskWoody Plus

      Would you please clarify if there was any pattern among the fraudulent senders? The pattern that stands out most is that they all have the same From: name, and the subject line had my old password in it.

      And whether it was you or the senders that consulted haveibeenpwned? It was me that consulted haveibeenpwned; after researching email extortion, the haveibeenpwned site came up a couple of times.

      Thanks,

      Sparky

      HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

    • #1922879

      Geo
      AskWoody Plus

      In the “Search the Lounge”  type in “pwned” and there are a number of articles on the subject prior to your question.  It includes your posts.

    • #1932261

      BigBadSteve
      AskWoody Plus

      As well as changing the password, and any others which are guessable based on it, at all pertinent websites, change all your security questions at those websites (for those sites which use them), as the answers may well have been accessed by the hacker, and could be used to steal back accounts from you, perhaps irretrievably.

      And of course run scans for both viruses and malware with an assortment of scanner programs. And of course always have your realtime antivirus program of choice updated and turned on. And of course never open any email attachment or download from a non-known-safe source.

      Ensure all account recovery email addresses and phones etc. on all pertinent websites are correct and up-to-date.

      Never, ever use the same password on multiple websites, or variations which are guessable if one of the passwords is known.

      You can report the email, or multiple emails if you have the time and inclination, but basically IMHO the FBI will probably do nothing, unless the specific hack is very, very widespread or the hacker hits a government department.

      No authority can protect people against all scams/hacks, and they know it, nor do they have the resources to even attempt to bring the probably tens of thousands in total of perpetrators every year to justice.

      It’s up to the individual to learn and practice safe computing procedures; no authority can save all the unprepared. Many hackers/scammers these days are part of e.g. Russian criminal gangs, or work on public internet cafe computers in some African etc. countries, so tracing them can be immensely time consuming and often impossible.

      I personally report some spam and all scam emails with Spamcop.net – for which you need to ascertain how to copy/paste the full email text, including full headers.
      https://www.spamcop.net

      Doing so will not generally achieve much, but hey, every bit helps. Currently I’m getting 10-20-ish spams a day. I report one per day via spamcop.net. I mark them all as Junk Mail (in my case via Windows Live Mail; it’s a Microsoft email account), which means my email provider will afaik basically do what I do with spamcop.net, but for all of them. You can do similar with any email account via webmail in your browser, and probably with some other email clients (programs) too. This ‘marking as junk’ or ‘moving to the Junk Mail folder’ enables the email provider to then refine their blacklists, and over a long period even trace, sue and shut down a small number of the biggest spammers.

      1 user thanked author for this post.
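The “full headers” a SpamCop or abuse-desk report needs are the `Received:` chain and the envelope sender, not the `From:` line the extortionist chose to display. Added example, not code from the thread or from SpamCop: it parses a raw message with Python’s standard `email` package, lists the relay hops, pulls out the IP the bottom-most hop claims to have come from, and checks whether the `Return-Path` domain matches the `From` domain. `RAW_SAMPLE` is a constructed message using documentation addresses and IP ranges.

```python
"""Extract what an abuse report needs from a raw message: the Received chain,
the claimed origin IP, and a Return-Path vs From domain mismatch.
RAW_SAMPLE is constructed; the addresses and IPs are documentation ranges."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

RAW_SAMPLE = b"""Return-Path: <bounce@bulk-sender.example.net>
Received: from mx.example.org (mx.example.org [192.0.2.25]) by inbox.example.com with ESMTP id 4F2A1; Sun, 25 Aug 2019 06:21:58 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45]) by mx.example.org with SMTP; Sun, 25 Aug 2019 06:21:55 +0000
From: "Mail Admin" <admin@example.com>
To: <victim@example.com>
Subject: hunter2 is your password, read carefully
Date: Sun, 25 Aug 2019 06:21:50 +0000
Message-ID: <20190825062150.abc123@bulk-sender.example.net>
Content-Type: text/plain; charset=utf-8

We recorded you. Send bitcoin or everyone in your contacts gets the video.
"""

# The bracketed literal in a Received header is the address the relay actually saw.
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(msg) -> List[Optional[str]]:
    """Received headers in message order: index 0 is the hop nearest you, the last the furthest."""
    hops = []
    for hdr in msg.get_all("Received", []):
        m = IP_RE.search(str(hdr))
        hops.append(m.group(1) if m else None)
    return hops


def claimed_origin_ip(msg) -> Optional[str]:
    """IP from the bottom-most Received header. Only the hop your own provider wrote is trustworthy;
    anything below it was written by the sender's side and can be forged."""
    chain = received_chain(msg)
    return chain[-1] if chain else None


def _domain(header_value: str) -> str:
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def sender_domain_mismatch(msg) -> bool:
    """True when the bounce address and the displayed From are in different domains."""
    return _domain(str(msg.get("Return-Path", ""))) != _domain(str(msg.get("From", "")))


def report_summary(raw: bytes) -> Dict:
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {
        "subject": str(msg["Subject"]),
        "hops": received_chain(msg),
        "claimed_origin_ip": claimed_origin_ip(msg),
        "return_path_vs_from_mismatch": sender_domain_mismatch(msg),
    }


if __name__ == "__main__":
    print(report_summary(RAW_SAMPLE))
```

For a report, paste the whole raw message (headers and body) rather than this summary; the summary is for deciding whether it is worth sending. The only `Received:` line you can rely on is the one your own provider added when it accepted the message; the relay that matters is the one that handed it to your provider, and SpamCop reports to that relay’s abuse contact for the same reason.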
    • #1932768

      GoneToPlaid
      AskWoody Plus

      Hi Sparky (and everyone else),

      For Sparky…

      What are the threats and demands within the extortion emails which you are receiving? For example, I occasionally receive extortion emails in which the sender “claims” to have recorded compromising webcam video of me. They then threaten to share “compromising video of me” with everyone on my list of email recipients unless I pay an extortion demand in Bitcoin. The hilarious thing about this threat is that I do not have a webcam which is either built-in or attached to my computer!

      Did HaveIBeenPwned indicate that your email address was compromised on any other websites for which you are using your current password?

      Have you previously used your current password at any time in the past? I ask since one should never reuse a password twice — not ever! This is a [edited] since it means that you have to keep a list for every password which you have ever used, and for what you used each password, and then check your list whenever you create a new password.

      For Sparky and everyone else…

      Never respond to any extortion email, even to say that “You are full of ****,” since in doing so, you reveal your computer’s IP address. Never [edited] a hacker since they have no morals and since they will try to exact vengeance.

      Are you using strong passwords? By this, I mean passwords which have both upper and lower case letters, intermixed with digits and at least a few special characters such as “_” and “#”, et cetera? Also, passwords which are 14 characters or longer presently and supposedly are impossible to crack, yet with caveats. THIS 14 CHARACTER OR LONGER PASSWORD REQUIREMENT APPLIES TO EVERYONE FOR THEIR WINDOWS OS PASSWORD. IF YOU USE 14 CHARACTERS OR LONGER, THEN SUPPOSEDLY YOU CAN USE A PASSWORD PHRASE WITH A COUPLE OF SPECIAL CHARACTERS. YET BE CAREFUL TO MAKE SURE THAT THE PHRASE LITERALLY DOES NOT MAKE SENSE AND THAT AT LEAST TWO WORDS IN THE PASSWORD PHRASE CONTAIN AN INSERTED SPECIAL CHARACTER, AND THAT SPECIAL CHARACTERS ARE USED AT LEAST TWICE IN BETWEEN WORDS. DO NOT USE COMMON PHRASES SUCH AS “OhBeAFineGirl” (astronomers will know that this mnemonic refers to star classifications on the Hertzsprung-Russell diagram). The idea here is to completely defeat Rainbow Tables. Google Rainbow Tables if you do not know what these are.

      Never use an online password generator, unless the online password generator is a feature which is provided by your internet service provider, for example, to create passwords for new email addresses. I inherently do not trust any other third party online password generators since they know the password which you generated by using their online password generator.

      Use a different email address for web site signups. Use one or more different email addresses for all online purchases. Definitely use separate email addresses for all online banking, and separate email addresses for each online bank. Yeah, this is a bit of a pain to set up and to monitor. The benefit is not only that you have separated your primary email address from these online categories, but also that you have further and distinctly separated your email addresses and the associated online passwords from your other email addresses. The idea here is to create distinct roadblocks for further damaging compromise whenever any given website is breached.

      I think that the forum needs a sticky on the home page which is labeled “Best Online Security Practices”.

      Best regards,

      –GTP

      EDITED for language

      5 users thanked author for this post.
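Rainbow and lookup tables, which GoneToPlaid’s advice above is aimed at, only work when a site stores a bare, unsalted hash: the table maps hash to plaintext, so any password on the attacker’s wordlist falls in one lookup. Woody’s note that this site uses WordPress’s salted hashing is the other half of that picture. Added example, not the WordPress or phpass code: it builds a tiny lookup table from a constructed wordlist, shows it recovering a word from an unsalted SHA-1, then shows the same word stored with a random per-user salt and PBKDF2 (the key-stretching function chosen here for the demonstration), where the table finds nothing and two users with the same password get different records.

```python
"""A per-user salt plus a slow hash makes a precomputed table worthless.
CONSTRUCTED_WORDLIST is a stand-in for the multi-GB lists real tables are built from."""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

CONSTRUCTED_WORDLIST = ["password", "letmein", "OhBeAFineGirl", "Summer2019!", "qwerty"]


def sha1_hex(word: str) -> str:
    """What a site storing unsalted hashes would keep on disk."""
    return hashlib.sha1(word.encode("utf-8")).hexdigest()


def build_unsalted_table(words: Iterable[str]) -> Dict[str, str]:
    """The attacker's precomputed hash -> plaintext lookup table."""
    return {sha1_hex(w): w for w in words}


def crack_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """One dictionary lookup: instant if the password is on the list."""
    return table.get(stored_digest)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    """Store 'pbkdf2_sha256$iterations$salt_hex$hash_hex' with a fresh 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unexpected hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), hash_hex)


def crack_salted(stored: str, table: Dict[str, str]) -> Optional[str]:
    """The same table against a salted record: built for bare SHA-1, so it never matches."""
    return table.get(stored.split("$")[3])


if __name__ == "__main__":
    table = build_unsalted_table(CONSTRUCTED_WORDLIST)
    print("unsalted:", crack_unsalted(sha1_hex("OhBeAFineGirl"), table))
    rec = hash_password("OhBeAFineGirl")
    print("salted:  ", crack_salted(rec, table), verify_password("OhBeAFineGirl", rec))
```

The salt removes the precomputation advantage; the iteration count is what makes guessing each user’s password individually expensive. Neither helps if the password itself is one the attacker already holds from another site’s breach, which is exactly the situation this thread started with, so salting on the server and not reusing passwords are complementary, not alternatives.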
      • #1933008

        wavy
        AskWoody Plus

        Good advice

        Never use an online password generator, unless the online password generator is a feature which is provided by your internet service provider, for example, to create passwords for new email addresses. I inherently do not trust any other third party online password generators since they know the password which you generated by using their online password generator.

        BUT
        Why in the world would one trust one’s ISP??😯
        I use grc to generate mine, I trust Steve much much more than my ISP.
        Each to their own
        🙂

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        1 user thanked author for this post.
      • #1935835

        BigBadSteve
        AskWoody Plus

        Are you using strong passwords? By this, I mean passwords which have both upper and lower case letters, intermixed with digits and at least a few special characters such as “_” and “#”, et cetera?

        It’s of course ideally secure to do so, and some websites enforce the use of one or two special characters and digits. But many websites still won’t accept special characters in passwords at all. An aside: super annoyingly, many websites don’t tell you their password requirements, so sometimes you have to make like five attempts at entering a password for a new account because it didn’t have enough numerals or had too many special characters, etc. etc.

        While good security is definitely important, I choose not to waste my time and pointlessly acquire more grey hairs by being paranoid about it. Woah, so a password could be cracked with only a month’s processing time!?! Then guess what, no one’s going to dedicate their computer to cracking it. Unless you’re maybe a spy, an American political party headquarters computer, or a known rich person. Hackers will instead spend way less processing time per target by trying to crack many people’s passwords, rather than wasting their computer resources on a single target of no particular worth to the hacker.

        Also, passwords which are 14 characters or longer presently and supposedly are impossible to crack

        Nice when it can be done, though many websites still don’t accept that many characters in a password. But no need to fret, see above, re the amount of processing time a hacker is in reality prepared to spend cracking a single password. And as you say, the more special characters, mixed case etc., the harder to crack, thereby part-compensating for shorter passwords.

        THIS 14 CHARACTER OR LONGER PASSWORD REQUIREMENT APPLIES TO EVERYONE FOR THEIR WINDOWS OS PASSWORD… {etc. etc., many scary-looking caps

        Of course for anyone to crack your Windows OS password, they’d need, first of all, physical access to your computer, and enough time to run a crack program and get a result. And also, as editors on this website have stated, once a hacker has unsupervised physical access to your computer, you can’t rely on anything to save you. Personally I use a four digit PIN on Windows 10, which would keep e.g. any of my housesitters out (though I try to only hire more honest housesitters than that), as well as, say, the guy sitting next to me on the airplane when I go for a poop, who doesn’t look at all like a hacker but who knows maybe he is. I’ll certainly not be losing any sleep over those scenarios or bothering with a longer password which I’d then be obliged to type every time I boot an OS.

        DO NOT USE COMMON PHRASES SUCH AS “OhBeAFineGirl” (astronomers will know that this mnemonic refers to star classifications on the Hertzsprung-Russell diagram diagram).

        Seriously, that’s a common phrase? Maybe to an astronomer. (Beware the hacker astronomer!) And with thousands of words in the English language, wouldn’t there be an astronomical number of words combinations in passphrases of any length? A long, uncommon phrase is as secure as about anyone needs, in my opinion.

        Never use an online password generator, unless the online password generator is a feature which is provided by your internet service provider, for example, to create passwords for new email addresses.

        Of course, for a password generation site or webpage to use the created password to hack you, they’d need to know your other account login details as well. So it’s quite unlikely to happen. Unless a user is silly enough to create an account at a website of unknown reputation, log in there, and then create a password using website’s page. Otherwise, I suppose users with static IP’s might have a miniscule extra chance of this being an issue.

        Use a different email address for web site signups. Use one or more different email addresses for all online purchases.

        Seriously? Every time you buy something online you create another email address? How do you keep track of your hundreds of email addresses? (Maybe you don’t buy much online.) And isn’t doing that abusive to email providers and against their terms of service?

        But I do use spamgourmet.com:
        https://www.spamgourmet.com

        Spamgourmet.com allows one to create, basically, shell email accounts, one for each website one uses, which are optionally disposable. If any single website where you have an account gets hacked, or spams you, you can with a couple of clicks stop all emails from that website. Once you create an account they keep spam/scam emails ‘eaten’ stats, and looking at my account now, I see I’ve been saved from over 83,000 unwanted emails. And it’s free!

        Some large websites don’t allow spamgourmet emails of any sort to be used for any new account, including the other domains one can use to construct email addresses there. In which case I usually use my main email account. For not-known-safe websites (smaller, Russian, etc.), if I must create an account, I use a second email account (the same one every time). That’s all that’s needed, two email accounts and Spamgourmet.

        You use the same destination email address (outlook.com, gmail.com or whatever) for a single Spamgourmet account, so there isn’t any necessity to e.g. have your email client check a hundred email addresses for new mail, which would be in my opinion very silly.

        Definitely use separate email addresses for all online banking, and separate email addresses for each online bank. Yeah, this is a bit of a pain to set up and to monitor.

        I’ll say. And quite unnecessary, in my opinion. Email addresses are inherently insecure. Good passwords are secure. The passwords I use for banking and other financial sites are very unguessable even if my computer was stolen, being long and containing words and case mixes etc. which nothing anywhere on my computer gives any indication of.

        You’ll see that these are mostly less severe security bottom lines than you’ve suggested. Mine do make many logins etc. a lot easier than your more extreme measures, and by practising them I have not been hacked in 20 years of frequent computer use. Of course it’s up to every individual to set their own personal computer security/internet/account/email boundaries, after sufficient research and taking their own lifestyle and computer setups etc. into account.

        1 user thanked author for this post.
        • #1936222

          GoneToPlaid
          AskWoody Plus

          It is annoying that many websites do not mention the maximum length which they allow for a password, or what special characters they allow to be in a password.

          I agree that a long uncommon phrase, especially if worded to not quite make grammatical sense, should be very secure.

          An online password generation page could easily get your default email address and the cookies stored in your web browser to guess what website you are generating a password for.

          I don’t create a new email address for every website on which I do online purchases. I meant to say that I use a specific email address for such purposes. When a data breach occurs, I create a new email address for online purchases, then I change the email address and password for the breached website to the new email address and new password, then I change the email address to the new email address for the other online shopping websites which I use, and then I kill the old email address. The reason for doing so is simply to prevent spam emails being sent to the breached email address.

          Thanks for the info about spamgourmet.com.

        • #1936331

          wavy
          AskWoody Plus

          Steve, very bad news:
          spamgourmet.com will be shutting down soon.
          The site operator is very sick 😥

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
          1 user thanked author for this post.
      • #1937628

        Sparky
        AskWoody Plus

        Yes, same type of email. Like you, I also don’t have a webcam.

        Below are some interesting recent programs.

        August 31, 2019 Washington Journal C-span
        Jim Harper on Cryptocurrency and the Future of Money, 30 min.
        https://www.c-span.org/video/?463738-3/washington-journal-jim-harper-discusses-cryptocurrency-future-money

        August 31, 2019 Washington Journal C-span
        Kevin Rupy on Combating Illegal Robocalls, 30 min.
        https://www.c-span.org/video/?463738-5/washington-journal-kevin-rupy-discusses-combating-illegal-robocalls

        My electronic communication devices are consistently being harassed with bogus scams. I never knew I was that interesting of a person.

        Yes, “Have I been pwned” indicated Malwarebytes was hacked back in 2014. I have been registered on Malwarebytes forums, since before that year.

        Yes, I will not make the same mistake twice. “Pain in the butt” is an understatement.

        Thanks,

        Sparky

        HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

        • #1937905

          Sparky
          AskWoody Plus

          My above post was supposed to be directed to GoneToPlaid’s post. I was trying to quote his reply in sections, but I must have taken out some block quotes and it ended up at the end of the thread. I’m still on the learning curve; stay home if I’m driving on the road. 🙂

          HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

        • #1938066

          GoneToPlaid
          AskWoody Plus

          The person sending those extortion emails to me seems to have stopped, after having sent around four or five of those emails to me. If he sends another one, I will save it and post it here.

          If you saved your email from this extortionist, could you post it?

          • #1938075

            Paul T
            AskWoody MVP

            The spammer has probably not stopped, your email provider has worked out they are spammers and refuses the email.

            There is no need to post the spammers emails, knowing they exist is enough.

            cheers, Paul

            1 user thanked author for this post.
            • #1938217

              GoneToPlaid
              AskWoody Plus

              No. My ISP doesn’t block anything. Instead, they use MagicSpam and SpamAssassin, which I have configured not to block, but to flag as spam, all emails which these two services detect as spam.

              The upshot is that the extortionist simply gave up, at least for the time being.

            • #1938721

              Paul T
              AskWoody MVP

              Or were blocked by their ISP after complaints…

            • #1950467

              mn–
              AskWoody Lounger

              Non-accidental spammers aren’t even bothered by rejected mail… especially if they’re using a faked address or even a hijacked mailbox to send.

              Heh, it’s good for accidental spammers though. Like that one contractor at a former job whose mail system sent an out-of-office autoreply to each message on a very busy list… after calling them a few times didn’t do anything, I made a custom rule (with a specific SMTP extended status code) for those autoreplies, on the list server, so that it complained to the contractor’s mail server admin for each one.

              Because SMTP mail still falls back to a store-and-forward protocol automatically, it’s not very difficult to produce standard delivery status failure messages from unwanted mails already in a mailbox. It’s just, those go by the headers then, and if the sender in headers was faked or…

            • #1938792

              Microfix
              Da Boss

              ..or addresses were sold on to a.n.other to try on the shady web.

              ********** Win7 x64/x86 | Win8.1 x64 | Linux Hybrids x64 **********

          • #1939430

            Sparky
            AskWoody Plus

            The person sending those extortion emails to me seems to have stopped, after having sent around four or five of of those emails to me. If he sends another one, I will save it and post it here. If you saved your email from this extortionist, could you post it?

            After starting this thread and reading the recommendations, I decided that the common sense course of action was to eliminate the extortion emails. I contacted my email provider, and since then the extortion emails have stopped for now.

            If they start again and per recommendations, you should not even open them, so I don’t know how a person would be able to copy and post them here.

            Thanks.

            Sparky

            HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

            1 user thanked author for this post.
        • #1949581

          GoneToPlaid
          AskWoody Plus

          Hi Sparky,

          I dug around in one of my email inboxes, and I found an extortion email which I did save instead of deleting it. The email contained the attached embedded image which is the extortion message. Is this what you also received?

          I am not posting the headers for the extortion email since I think that the person’s email account is hacked.

          Best regards,

          –GTP

           

          Attachments:
          • #1949738

            Sparky
            AskWoody Plus

            Is this what you also received?

            Yes, very similar.

            Since I think that the person’s email account is hacked.

            That is interesting. What is happening to the email account that makes you feel it is hacked?

            HP W7 Home Premium, SP1, 64-bit, AMD Phenom II, Group A

    • #1933179

      anonymous

      Making sure you do not repeat passwords is hard if, like me, you have registered on literally over 150 sites. That’s far too many to make memorizable passwords. Instead, my passwords are created by typing letter sequences on the QWERTY keyboard along with some numbers. As an example, 975WsEdRfTg. This is about as good as a password generator and, importantly, easy to type. Because you can start anywhere on the keyboard, the choice is almost unlimited. They are stored in a Word password-protected table document sorted by site on my desktop, with all the passwords for quick reference.

      • #1934295 Reply

        Paul T
        AskWoody MVP

        Making sure you do not repeat passwords is hard if, like me, you have registered in literally over 150 sites

        Use a password manager. Then you can have a different password for every site and only need to remember one password to access all of them.

        cheers, Paul

        1 user thanked author for this post.
        • #1934479 Reply

          anonymous

          I concur with the suggestion of using a password manager, especially in conjunction with using a local (not online) password generator. I know that KeePass has a generator bundled, but there are stand-alone tools such as PWGen, as well.

          The thing about password complexity is that there are different attack vectors and there’s no one “universal best” method for creating passwords. If your opponent is using a brute-force attack, complexity (including non-alphanumeric and 8-bit characters) widens the window of possibilities significantly. However, that doesn’t necessarily help against dictionary-based attacks. And with dictionary attacks, it’s not hard to ferret out many common obfuscation tactics, such as token misspellings, replacements of letters with punctuation characters, backward spelling, and various patterns of typing on a QWERTY keyboard.

          The underlying problem is that it’s very difficult for humans to be truly random, while modern computing power can easily identify what’s not random.

          Unfortunately, we’re now in an era where we have the worst of all worlds with password (or even passphrase) authentication — stuff that’s hard for a human to remember and at the same time, easy for a computer to decipher.

          Having good passwords won’t do anything to prevent services from leaking their caches of credentials, but they will definitely make it easier to defend against cracking attempts.

          However, for the attackers who get caches of credentials, those are gold mines, because so many users recycle passwords, especially in conjunction with user IDs that are based on email addresses.

          Edit: HTML removal – Please use the ‘Text’ tab in the post entry box when you copy/paste

    • #1934191 Reply

      ibe98765
      AskWoody Plus

      I started getting extortion emails about 6 weeks ago, claiming they knew all my info. I am confident that they didn’t. When the emails kept up over the next few weeks, I began to get annoyed and decided to take a closer look at the emails.

      I knew the website they had hacked (or were collaborating with) because I use a separate, disposable email for every website registration via the spamex service. The website was https://www.deadfred.com/. This is a website used in genealogical work.

      When I dug into the email headers, it was easy to find the source website that was sending the emails. Guy wasn’t very good at masking his trail. His website was hosted by Godaddy. I then sent a complaint email to their abuse email address. In about 24 hours, the emails stopped, so good on them for reacting professionally and quickly. Hopefully they reported the website to the FTC.

    • #1936345 Reply

      wavy
      AskWoody Plus

      Some alternatives to spamgourmet

      https://bbs.spamgourmet.com/viewtopic.php?f=7&t=1786&sid=a6c292816277a2c9638f707e70c1df0f

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
      • This reply was modified 3 months ago by wavy.
      1 user thanked author for this post.
    • #1940038 Reply

      ScotchJohn
      AskWoody Plus

      whatismyipaddress.com has an email tracing page, where you can enter the header information from suspicious emails and then report them.

      NirSoft has IPNetInfo, which I use when SpamCop does not seem to be making reports. That doesn’t deal with IP address spoofing, which I believe happens, though I don’t understand how it is done.

      Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      • This reply was modified 3 months ago by ScotchJohn. Reason: Spelling
    • #1950230 Reply

      Here I am, 6 days late and a dollar short, “The Battle of Life” having consumed me… just missed this Code Red. God, we created the Internet… like the Talking Heads verse, I often say,

      “My God, what have we (I) done?” Right along with Tim Berners-Lee, I imagine.

      Small password suggestion: Choose a nonsense phrase or peculiar word, have Google Translate it into some obscure language, and add odd characters, or “Squirrel noises”, ha-ha.

      I’m just lucky I had Classical and Church Latin, Ancient Greek and Coptic beaten into my head in grammar school. All passwords are written in Coptic, and the book is metaphorically in the basement closet behind the sign, “Beware The Leopard”.

      Or, as Zippy The Pinhead said, “Civilization is fun! Anyway, it sure keeps me busy!”

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "Wait for the all-clear", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "...All the people, all the time..." (Peter Ustinov ad-lib from "Logan's Run")

      • #1950452 Reply

        mn–
        AskWoody Lounger

        I’m just lucky I had Classical and Church Latin, Ancient Greek and Coptic beaten into my head in grammar school. All passwords are written in Coptic,

        Well yeah, that’ll help against people who don’t know about your schooling, but… how well is that supported nowadays? I mean, I’m still having problems with even simple modified Western characters (like ä), and Coptic is up there in UTF-8 “weird” space…? I mean, do password and PIN entry systems even do normalization between Epact and Roman numerals?

        (Glagolitic is up there too, for those who took Church Slavonic…)

        Oh and then there was the part where one of the kids’ friends wanted to type something in Traditional Chinese, using pinyin on a non-US keyboard. Fortunately that wasn’t a password but…

        • #1951313 Reply

          anonymous

          NTDBD HERE-Sorry, I meant written down in Coptic script in a notebook…the pwds themselves are in other languages, though. 🙂

    • #1965924 Reply

      dsliesse
      AskWoody Lounger

      Hmm… if I could figure out how to quote just a piece of a post…

      From BigBadSteve: “It’s of course ideally secure to do so, and some websites enforce the use of one or two special characters and digits. But many websites still won’t accept special characters in passwords at all. An aside: super annoyingly, many websites don’t tell you their password requirements, so sometimes you have to make like five attempts at entering a password for a new account because it didn’t have enough numerals or had too many special characters, etc. etc.”

      What’s really scary is how insecure some sites’ passwords are. The Social Security Administration, for example, requires exactly 8 characters, letters and numerals only, and the letters are not case-sensitive! How long would it take someone to hack those passwords, with 36 characters to choose from and the exact length known?

      Just as annoying as the websites that don’t tell you their requirements (at least until you try to create an invalid password) are the ones that tell you but are ambiguous. One site requires “no words embedded in the password” — which, strictly speaking, would eliminate the letters a and i. After some experimenting I figured out that they mean words of 3 letters or longer, but you’d think they could tell you that in the first place.

      1 user thanked author for this post.
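To put numbers on the 36^8 question above, and to show what the earlier "local password generator plus dictionary check" advice looks like in code, here is an added example (not from any poster or from KeePass/PWGen). The word list and the 3-letter minimum are constructed to mirror the ambiguous "no embedded words" rule described in the post.

```python
import math
import secrets
import string
from typing import Optional

# Constructed stand-in for a cracking dictionary (a real one has millions of entries).
WORDS = {"cat", "dog", "the", "and", "password", "admin"}

# Alphabets: the SSA-style policy (letters case-insensitive + digits = 36 symbols)
# and a full printable-ASCII set for sites that do accept special characters.
SSA_ALPHABET = string.ascii_lowercase + string.digits
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every password in the keyspace is equally likely."""
    return length * math.log2(alphabet_size)


def contains_word(pw: str, words=WORDS, min_len: int = 3) -> Optional[str]:
    """Return the first dictionary word of >= min_len letters embedded in pw
    (case-insensitive), else None. min_len=3 is the rule the poster reverse-engineered,
    so single letters such as 'a' and 'i' are not flagged."""
    low = pw.lower()
    for w in sorted(words, key=len, reverse=True):
        if len(w) >= min_len and w in low:
            return w
    return None


def generate(length: int, alphabet: str, words=WORDS) -> str:
    """Draw symbols from the OS CSPRNG (secrets) and reject candidates that embed
    a dictionary word, so the output also satisfies the 'no words' rule."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if contains_word(pw, words) is None:
            return pw


if __name__ == "__main__":
    print(f"36^8 keyspace: {keyspace(36, 8):,} = {keyspace_bits(36, 8):.1f} bits")
    print(f"94^12 keyspace: {keyspace_bits(94, 12):.1f} bits")
    print("SSA-compatible:", generate(8, SSA_ALPHABET))
    print("Full charset:  ", generate(16, FULL_ALPHABET))
```

The 36^8 policy yields about 41 bits; a 12-character password from the 94-symbol set yields about 79 bits, which is why fixed-length, case-insensitive rules are the weak point rather than the user's choice of letters.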
      • #1965934 Reply

        CADesertRat
        AskWoody Plus

        Hmm… if I could figure out how to quote just a piece of a post…

        Click reply, highlight what you want to use in the post and click quote in the lower right hand corner and it will appear in your reply.

        Don't take yourself so seriously, no one else does 🙂
        4 Win 10 Pro currently 1809 (3 Desktops, 1 Laptop).

    • #1966168 Reply

      mn–
      AskWoody Lounger

        Just as annoying as the websites that don’t tell you their requirements (at least until you try to create an invalid password) are the ones that tell you but are ambiguous.

      Or sometimes the stated requirements just don’t match what they actually require.

      Very few places have documented their password requirement accurately, these days. It can be quite bad with modern character sets like UTF-8 and UTF-16… heh, there was the time when I managed to put a “BELL” control character in a password. (Terminal bell / beep… hm, wonder if I could still find one with an actual bell in it)

      Of course that also requires a reliable input method for those.

      Then again it’s not just passwords where this is a problem.

      One site requires “no words embedded in the password” — which, strictly speaking, would eliminate the letters a and i.  After some experimenting I figured out that they mean words of 3 letters or longer, but you’d think they could tell you that in the first place.

      Yeah, those can be a bother. Especially with multiple languages, where they either block sequences the user doesn’t think of as words (single list of substrings that are blocked in all languages), or the list of blocked words changes based on user settings… oh and does the list apply before or after Unicode normalization and which version of that are they using?

      And the word lists are pretty much never really comprehensive and very rarely know about grammar…
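The normalization question raised above is concrete enough to demonstrate. This added example (not from the thread) shows why a site must normalize Unicode before hashing a password and before running its word-list check: the same visible "ä" can arrive as one code point or two, and fullwidth letters evade an ASCII word list. The hash is a plain SHA-256 for illustration only; a real credential store would use a salted, slow KDF.

```python
import hashlib
import unicodedata

# The same visible password typed two ways: precomposed U+00E4 vs 'a' + combining U+0308.
COMPOSED = "p\u00e4ss7Q!"
DECOMPOSED = "pa\u0308ss7Q!"
# Fullwidth 'ｐａｓｓ' (U+FF50 U+FF41 U+FF53 U+FF53) followed by ASCII; constructed input.
FULLWIDTH = "\uff50\uff41\uff53\uff53word9"


def hash_pw(pw: str, normalize: bool) -> str:
    """Hash the UTF-8 bytes; with normalize=True apply NFC first so that both
    encodings of 'ä' produce the same bytes and therefore the same digest."""
    if normalize:
        pw = unicodedata.normalize("NFC", pw)
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def same_hash(a: str, b: str, normalize: bool) -> bool:
    """True when two inputs would verify against the same stored hash."""
    return hash_pw(a, normalize) == hash_pw(b, normalize)


def contains_blocked(pw: str, blocked, normalize: bool) -> bool:
    """Word-list check. NFKC folds compatibility characters (fullwidth, ligatures)
    to their ASCII equivalents, so the check sees 'pass' inside FULLWIDTH."""
    if normalize:
        pw = unicodedata.normalize("NFKC", pw)
    low = pw.casefold()
    return any(w in low for w in blocked)


if __name__ == "__main__":
    print("raw bytes equal:  ", same_hash(COMPOSED, DECOMPOSED, normalize=False))
    print("after NFC equal:  ", same_hash(COMPOSED, DECOMPOSED, normalize=True))
    print("blocked (raw):    ", contains_blocked(FULLWIDTH, {"pass"}, normalize=False))
    print("blocked (NFKC):   ", contains_blocked(FULLWIDTH, {"pass"}, normalize=True))
```

Without normalization the user whose keyboard emits the decomposed form is locked out of an account created with the composed form, and the word list is bypassed by a visually identical string.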

    • #1966785 Reply

      wavy
      AskWoody Plus

      And of course ignore the recent fair advice to use pass phrases with a couple of alterations.

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.
