  • Fred Langa: Use Google’s new Password Checker extension for Chrome to see if your passwords have been compromised

    This topic contains 52 replies, has 22 voices, and was last updated by

     rc primak 2 days, 20 hours ago.

    • #322512 Reply

      woody
      Da Boss

      Fred’s at it again. His latest Langa.com article talks about a new Chrome extension that specifically checks to see if the password you’re entering ha
      [See the full post at: Fred Langa: Use Google’s new Password Checker extension for Chrome to see if your passwords have been compromised]

      4 users thanked author for this post.
    • #322553 Reply

      Seff
      AskWoody Plus

      I don’t personally like those sites/apps where you have to hand them your email address and password to see if they’ve been compromised – it’s so easy for that process to go horribly wrong.

      As for this particular process, I guess much depends on how much trust you place in Google!

      • This reply was modified 1 week, 4 days ago by
         Seff.
      5 users thanked author for this post.
    • #322574 Reply

      bobcat5536
      AskWoody Plus

      I agree….that info is best kept, and not given out to anyone. Who knows where it could end up at.

      1 user thanked author for this post.
    • #322575 Reply

      liamZ
      AskWoody Lounger

      What does it mean a password is compromised?

      • #322637 Reply

        Steve S.
        AskWoody Plus

        It means the password has been exposed to hackers at some point – usually through a major data breach of a website.

        Win7 Pro x64 (Group B), Win10 1709, Linux Mint + a cat with 'tortitude'.

    • #322594 Reply

      CADesertRat
      AskWoody Plus

      I just installed it and it says that none of my passwords have turned up in any Breaches. As to trusting Google, I use “Save Passwords” for certain sites so there’s already a certain amount of trust involved and it’s nice to know that none of those saved passwords are compromised.

      Don't take yourself so seriously, no one else does 🙂
      Grp. A with 2 Win 7 Pro, also 2 Win 10 Pro currently 1803 (1 Desktop, 1 Laptop).

    • #322631 Reply

      Steve S.
      AskWoody Plus

      I don’t use any browser password manager. Passwords stored in browsers just seem too vulnerable to hacking. I use KeePass 2.x only. It may not be as convenient as a browser password manager but it is a smaller attack surface.

      As for checking passwords against breach databases, I use a plug-in for KeePass 2.x called HIBP Offline Check. See gHacks: https://www.ghacks.net/2019/01/18/check-all-keepass-passwords-against-the-have-i-been-pwned-database-locally/

      I keep a watch for updates to the breach database, download updated database and check all my passwords LOCALLY.

      I just don’t trust Google. They’ve broken trust one too many times. https://www.msn.com/en-us/news/technology/google-has-quietly-dropped-ban-on-personally-identifiable-web-tracking/ar-BBTdBQR

      Win7 Pro x64 (Group B), Win10 1709, Linux Mint + a cat with 'tortitude'.

      7 users thanked author for this post.
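
Added example, not part of the thread and not the HIBP Offline Check plug-in's code: a sketch of what a purely local breach check involves, where the password is hashed on the machine and looked up in a downloaded file with no network request. It assumes the file uses the Have I Been Pwned "ordered by hash" layout (one uppercase `SHA1:COUNT` pair per line, sorted); the sample passwords, counts and function names are constructed for illustration.

```python
import hashlib
import os
import tempfile

HASH_LEN = 40  # hex characters in a SHA-1 digest

# Constructed sample data: (password, count) pairs. The counts are made up.
SAMPLE_BREACHED = [("password", 9001), ("123456", 8002),
                   ("qwerty", 7003), ("letmein", 6004)]


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, as used in the assumed file layout."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_sample_db(path, entries=SAMPLE_BREACHED):
    """Write a tiny stand-in for the downloaded file: HASH:COUNT, sorted, CRLF."""
    lines = sorted(f"{sha1_hex(pw)}:{count}\r\n" for pw, count in entries)
    with open(path, "wb") as fh:
        fh.write("".join(lines).encode("ascii"))
    return path


def breach_count(db_path, password):
    """Return how often the password appears in the local file, 0 if absent.

    Binary search by byte offset, so a multi-gigabyte file is never loaded
    into memory and only a few dozen lines are read per lookup.
    """
    target = sha1_hex(password).encode("ascii")
    with open(db_path, "rb") as db:
        lo, hi = 0, os.path.getsize(db_path)
        while lo < hi:
            mid = (lo + hi) // 2
            if mid > 0:
                # Step back one byte so a line that starts exactly at `mid`
                # is not skipped, then move to the next line start.
                db.seek(mid - 1)
                db.readline()
            else:
                db.seek(0)
            start = db.tell()
            line = db.readline()
            if not line or start >= hi:
                hi = mid            # no line begins inside [mid, hi)
                continue
            found = line[:HASH_LEN].upper()
            if found == target:
                return int(line.split(b":", 1)[1].strip())
            if found < target:
                lo = start + len(line)   # target can only start after this line
            else:
                hi = mid                 # target can only start before mid
    return 0


def audit_vault(db_path, vault):
    """Map entry name -> breach count for every vault password found in the file."""
    hits = {}
    for name, password in vault.items():
        count = breach_count(db_path, password)
        if count:
            hits[name] = count
    return hits


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    db = build_sample_db(os.path.join(workdir, "sample-ordered-by-hash.txt"))
    # Constructed vault entries standing in for a password manager export.
    vault = {"webmail": "letmein", "bank": "long unique passphrase 4711"}
    for entry, seen in audit_vault(db, vault).items():
        print(f"{entry}: password appears {seen} times in the breach file")
```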
    • #322652 Reply

      Philomene123
      AskWoody Plus

      I am too paranoid to use those tools… I change my pw, here and there, I can’t trust nobody! But I do use the email feature, HaveIbeenhacked.

      1 user thanked author for this post.
    • #322671 Reply

      anonymous

      Thanks for the comments, guys!

      I understand the uneasiness of asking a Google product to explicitly examine your passwords. But if Google wanted that information, they could get it from Chrome, the password manager, auto-fill, page caching and prediction, the Google DNS service, etc etc etc…

      I just don’t see any special, additional hazard in this service; and there is a potential benefit.

      2 users thanked author for this post.
      • #322680 Reply

        Seff
        AskWoody Plus

        Thanks.

        Has it ever been established how secure extensions are as compared with the base browser? Do browser updates include security updates to your extensions or only to the browser?

        • #322834 Reply

          rc primak
          AskWoody_MVP

          It varies by the type of extension, who wrote the extension and when, and how up to date your browser is. Among many other factors. Bottom line is, many, many times over the years, big purges have had to happen in Chrome Extensions to weed out truly malicious extensions. The Store is simply not that well curated and vetted. I do not trust Chrome extensions with any personal info. In fact, I use one extension, Click and Clean (HotCleaner) to remove all traces which can be removed easily, every time I close Chrome. I store nothing, absolutely NOTHING in my browsers on purpose.

          -- rc primak

          1 user thanked author for this post.
      • #322735 Reply

        anonymous

        I don’t use Chrome. I don’t use Google Search. I do use NoScript and uBlock Origin to block all things Google (except in rare cases).  Plus I use several other privacy extensions and browser settings/tweaks. I don’t use browser password features or predictive searches or autofill. I don’t have an Android smartphone. Etc.

        For me, convenience is not worth paying for with surveillance. Understanding and due diligence are the best defenses, imperfect though they may be. Just because motivated burglars can break into your house in many different ways, doesn’t mean one should leave all the doors and windows unlocked.   😉   ymmv.

        1 user thanked author for this post.
    • #322684 Reply

      Bluetrix
      AskWoody Plus

      Ahem … call me paranoid, but to give google even more than they take from you now without your permission?  I think not. We as computer dummies (collectively) look to the likes of Woody, Fred et al, for guidance on how to prevent dissimulation of our personal information. I would think passwords fall into that category. Better mouse trap my foot, just another trap that when sprung they say, Ooops, sorry about that folks, won’t happen again.

      How many times have we been warned that once it’s out there, no do overs. Meanwhile WE suffer any possible consequences, and the clean up is left to the unwashed masses. I would have about as much trust/faith in this (expletive deleted) as I do in Microsoft’s Edge browser extension, NewsGuard. Yeah, right, laughed myself to sleep over that one.

      No thank you. Needless to say I don’t trust google. (but I will say it)
       
      ymmv, My guess is that people who read websites such as this already know how to manage their PW’s and know enough to change them often on data sensitive sites they visit, or they should.

      … but perhaps I should have posted this in the ‘rants’ section. Ooops, won’t happen again, I promise. 🙂

      4 users thanked author for this post.
      • #322710 Reply

        b
        AskWoody Plus

        Google doesn’t receive your passwords by means of this check extension, but I wonder why it needs a sign-in to a Google account?

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

        1 user thanked author for this post.
        • #322836 Reply

          rc primak
          AskWoody_MVP

          So that they can track you after you use their extension. That’s why. Among other reasons. None any prettier.

          Did you know that after you sign out of your account inside the Chrome browser, you are not really signed out? Not until you go through the obscure process of REMOVING your account from Chrome, and clear the cache.

          They make it so easy to be paranoid of them, don’t they?

          -- rc primak

          1 user thanked author for this post.
    • #322711 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      I’m really on the fence on this one, so I am going to wait, especially since Gungle admits this is “experimental”; I’m nobody’s beta tester, thank you!

      I’m just going to follow the old Zoroastrian rule: “If you think something you’re going to do might be wrong, don’t do it.”

      Or, put another way, a Native American once said, “If you think of doing a thing, think about it first for two days, then think about it again. If you’re still unsure, take another two days. If still uneasy, think a third time, then make your decision. Then you will at least know that you really thought about it, and you have less chance of a mistake.”

      (This does not apply in emergencies, like that flaming semi coming at you, the pedestrian. RUN!)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      1 user thanked author for this post.
    • #322712 Reply

      CADesertRat
      AskWoody Plus

      Google doesn’t receive your passwords by means of this check extension, but I wonder why it needs a sign-in to a Google account?

      Probably because you have to be signed in to install it as an extension to Chrome.

      Don't take yourself so seriously, no one else does 🙂
      Grp. A with 2 Win 7 Pro, also 2 Win 10 Pro currently 1803 (1 Desktop, 1 Laptop).

      • #322723 Reply

        b
        AskWoody Plus

        No, I was just able to install it without signing in. (I’m not sure I’ve ever had a Google account.)

        So Google’s instructions for this Password Checkup extension are deficient in more ways than one.

        (Why would they not make it explicitly obvious that your passwords are not sent to Google?)

        The Chrome web store does a little better:

        Wherever you sign-in, if you enter a username and password that is no longer safe due to appearing in a data breach known to Google, you’ll receive an alert. Please reset your password. If you use the same username and password for any other accounts, please reset your password there as well.

        Password Checkup was built with privacy in mind. It never reports any identifying information about your accounts, passwords, or device. We do report anonymous information about the number of lookups that surface an unsafe credential, whether an alert leads to a password change, and the domain involved for improving site coverage. You can learn more about how Password Checkup works at https://support.google.com/accounts?p=password-checkup. (NOT!)

        Password Checkup (Offered by: google.com)

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

        1 user thanked author for this post.
        • #322837 Reply

          rc primak
          AskWoody_MVP

          See my previous comment about not really being signed out.

          -- rc primak

          • #322844 Reply

            b
            AskWoody Plus

            I didn’t have to sign in to use Password Checkup either.

            Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

            1 user thanked author for this post.
    • #322716 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      Thanks. Has it ever been established how secure extensions are as compared with the base browser? Do browser updates include security updates to your extensions or only to the browser?

      Yes! I’d like to know this too….although my suspicion is that updates to extensions are not…I could be wrong. Input?

      In the meantime, my passwords are written in Coptic, and stored in a basement in a closet behind the sign “Beware the Leopard.” (Tip of the hat to Douglas Adams)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      • #322838 Reply

        rc primak
        AskWoody_MVP

        See my previous comment. It ain’t a pretty picture!

        -- rc primak

    • #322755 Reply

      OscarCP
      AskWoody Plus

      I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way.

      I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

      2 users thanked author for this post.
      • #322758 Reply

        Kirsty
        Da Boss

        Some sites still don’t permit pasting passwords, despite it being considered far safer than typing them.

        4 users thanked author for this post.
        • #322765 Reply

          Bluetrix
          AskWoody Plus

          Some sites still don’t permit pasting passwords, despite it being considered far safer than typing them.

          Perfect example of bio-metrics at work. I will not go into a long explanation on how bio-metrics works, but suffice to say the time you take to enter a PW can and is being measured. That’s only one facet and example of how bio-metrics are used by many institutions. What can be discerned from the time it takes to enter a PW, and how you enter a PW, as in pauses between keystrokes says a lot. NYT isn’t my 1st choice for news, but this article is probably spot on. Read a bit here:

          https://www.nytimes.com/2018/08/13/business/behavioral-biometrics-banks-security.html

          Scary eh?

          2 users thanked author for this post.
      • #322767 Reply

        Fred
        AskWoody Lounger

        I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way. I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

        This is brrr, scary ….

        https://isc.sans.edu/forums/diary/Phishing+Kit+with+JavaScript+Keylogger/24622/

        .

        2 users thanked author for this post.
        • #322776 Reply

          OscarCP
          AskWoody Plus

          Twice, in recent days, I have received the same email, allegedly from Verizon, looking quite like something Verizon, my ISP, would send me, to the effect that there was “currently an outage” in my area and they “apologized for the inconvenience while working to fix it.” Also, telling me that to see current information on this problem, I had to click the button underneath. Which, I imagine, would then require “logging in to your account”, with my Verizon email password. Which brings me to the topic of password security. None of the precautions I adopt, described earlier in my entry copied by Fred above, would have protected me from the email password being stolen, had this been a phishing attempt and had I made myself its victim by trusting that either email was a legitimate message from the ISP and followed the instructions there.

          Preferring to stay ignorant rather than to be sorry, I deleted both emails. Obviously, right where I was, there was no Internet blackout on either occasion, given the fact that both emails did come through alright, and that I had no problems browsing sites on the Web, which I was doing both times this happened. Were these cleverly disguised phishing attempts, or were they “for real”?

          I’ll never know, but sometimes it’s true that ignorance can be bliss.

          • This reply was modified 1 week, 3 days ago by
             OscarCP.
          • #322781 Reply

            anonymous

            You can check whether links in email messages are genuine.

            Rather than click a link, I use right-click, get a copy of the link then paste in my browser’s URL bar where I examine it closely before making a decision whether or not to enter it.

            This web page explains things in more detail than I would. Obviously wrong links are easy but you need to be cautious that the link is not a slightly misspelled variation of what you may be expecting. If uncertain, research the top level domain.

            NOTE: You can check links in websites even more easily. Hover over ‘This web page’ above without clicking  and note what happens in the lower left-hand corner of your browser.

            1 user thanked author for this post.
            • #322832 Reply

              Seff
              AskWoody Plus

              A good rule is never to click on a link in an email. If you think that the email might be genuine, or even believe that it is, it is always safer to log in to the linked site by using your normal bookmark or googling it as appropriate.

              1 user thanked author for this post.
          • #323499 Reply

            Alex5723
            AskWoody Plus

            I got this mail (3 times) from “Google”

            Sent by :
            from: Final Notice <qbqkk@aulowcca.com>;
            reply-to: Google Security <Banana@pulpfiction.vip>;,
            Google Security <Raisin@shawshank.space>;,
            Google Security <Haddock@redemption19.xyz>;,
            Google Security <Partridge@inglourious.in>;,
            Google Security <Thyme@tomhanks.xyz>;,
            Google Security <Lime@edwardnorton.cc>;,
            Google Security <Donair@liamneeson.app>;,
            Google Security <arrowroot@jakegyllenhaal.club>;,
            Google Security <Pineapple@gclooney.xyz>;,
            Google Security <Pasta@johnny-depp.vip>;,
            Google Security <Pomelo@denzelwashington.info>;,
            Google Security <denjang@mattdamon.space>;,
            Google Security <king@gustaf.space>;,
            Google Security <Shank@tommyflanagan.club>;,
            Google Security <Monkfish@bestofmor.com>;

            Dear Gmail™ Customer,

            You submitted a request to terminate your Gmail mail account and the process has started by our Gmail™ Team, Please give us 3 working days to close your mail account.

            To cancel the termination request reply to this mail.

            All files on your Gmail mail including (Inbox, Sent, Spam, Trash, Draft) will be deleted and access to your Gmail™ mail account will be Denied.

            If you wish to Terminate your Email Address, you can Sign Up for a new Gmail™ account.

            For further help please contact by replying to this mail.

            Regards,
            Gmail™ Account Services

            Usually Google/Gmail is good with flagging spam mail but these passed as legitimate even though it was a phishing attempt.

            • This reply was modified 1 week ago by
               Alex5723.
            1 user thanked author for this post.
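
Added example, not part of the thread: the message quoted above pairs a From address on one domain with a long Reply-To list of "Google Security" senders on unrelated domains, and that mismatch can be checked mechanically from the headers. The sample messages, the `BRAND_DOMAINS` allow list and the finding names are constructed assumptions for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption for illustration: domains a sender using this brand name in its
# display name is expected to mail from. A real deployment maintains its own list.
BRAND_DOMAINS = {"google": ("google.com",), "gmail": ("google.com",)}

# Constructed sample modelled on the shape of the quoted mail (not its addresses).
SUSPECT_MAIL = (
    "From: Final Notice <notice@mailer.example>\n"
    "Reply-To: Google Security <a@films.example>, "
    "Google Security <b@actors.example>\n"
    "To: user@example.org\n"
    "Subject: Account termination request\n"
    "\n"
    "To cancel the termination request reply to this mail.\n"
)

# Constructed benign sample: brand name and sending domain agree, no Reply-To.
BENIGN_MAIL = (
    "From: Google <no-reply@accounts.google.com>\n"
    "To: user@example.org\n"
    "Subject: Security alert\n"
    "\n"
    "A new sign-in was detected.\n"
)


def domain_of(address):
    """Lower-cased domain part of an e-mail address."""
    return address.rpartition("@")[2].lower()


def is_under(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def header_findings(raw_message):
    """Return a sorted list of header-level warning labels for one message."""
    msg = message_from_string(raw_message)
    from_addrs = [(n, a) for n, a in getaddresses(msg.get_all("From", [])) if a]
    reply_addrs = [(n, a) for n, a in getaddresses(msg.get_all("Reply-To", [])) if a]

    from_domains = {domain_of(a) for _, a in from_addrs}
    reply_domains = {domain_of(a) for _, a in reply_addrs}
    findings = set()

    # Replies would go to a domain that did not send the message.
    if reply_domains - from_domains:
        findings.add("reply-to-domain-mismatch")
    # Legitimate mail rarely spreads Reply-To across several unrelated domains.
    if len(reply_domains) > 1:
        findings.add("reply-to-multiple-domains")
    # Display name claims a brand, address is not on that brand's domains.
    for name, address in from_addrs + reply_addrs:
        for brand, allowed in BRAND_DOMAINS.items():
            if brand in name.lower() and not is_under(domain_of(address), allowed):
                findings.add("display-name-impersonation")
    return sorted(findings)


if __name__ == "__main__":
    for label, mail in (("suspect", SUSPECT_MAIL), ("benign", BENIGN_MAIL)):
        print(label, header_findings(mail))
```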
            • #323530 Reply

              ScotchJohn
              AskWoody Plus

              Alex – if you clicked on the blob in the message to terminate your Gmail account, I suspect that all that you may have done is to propagate this campaign towards this list of fifteen eMail addresses, when you could have ignored it.

              It’s best to check for this type of behaviour by hovering over the blob in the message, and the window will show what you might be about to do.

              Dell E5570 Latitude, Intel Core i5 6440@2.60 GHz, 8.00 GB - Win 10 Pro

      • #322780 Reply

        Seff
        AskWoody Plus

        I keep a hand-written note of my passwords. Mrs Seff assures me that they are entirely safe as nobody could ever read my writing…

        3 users thanked author for this post.
        • #322839 Reply

          rc primak
          AskWoody_MVP

          Just keep it away from the computer and away from prying eyes and you’ll be fine. This assumes you live alone, which obviously, you don’t.

          -- rc primak

    • #322764 Reply

      Fred
      AskWoody Lounger

      I am too paranoid to use those tools… I change my pw, here and there, I can’t trust nobody! But I do use the email feature, HaveIbeenhacked.

      Another 2 sites, can be useful

      ScatteredSecrets.Com
      HaveIbeenPowned.com
      HaveIBeenPwned.com

      .

      2 users thanked author for this post.
    • #322784 Reply

      anonymous

      People possibly know but it needs to be made crystal clear that the extension is nothing to do with how strong your password is or what method you use to manage it. Whether you store your password on a bit of paper, inside an encrypted document, local database or online database is irrelevant. If a hacker grabs it via MITM attack you may be in trouble.

      The way I read it, Password Checker extension is about receiving notification IF your username AND password is hacked (or otherwise obtained), IF the problem is detected, and IF the Google Password Checker system finds it. After that, preventing problems becomes a matter of you receiving notification in time to change your password, shutting the door on the hacker or whoever buys the data from the hacker.

      Unlike Password Checker extension, haveibeenpwned is about whether your email address logon (i.e. not email and password, just email) has been hacked.

      Theoretically, you are better covered for receipt of notification if you use both. In practice, Google’s Password Checker has not yet proven itself.

      • #323502 Reply

        Alex5723
        AskWoody Plus

        HACKERS ARE PASSING AROUND A MEGALEAK OF 2.2 BILLION RECORDS

        Earlier this month, security researcher Troy Hunt identified the first tranche of that mega-dump, named Collection #1 by its anonymous creator, a patched-together set of breached databases Hunt said represented 773 million unique usernames and passwords. Now other researchers have obtained and analyzed an additional vast database called Collections #2–5, which amounts to 845 gigabytes of stolen data and 25 billion records in all…

        https://www.wired.com/story/collection-leak-usernames-passwords-billions/

        You can check for hacked mail/password here too : https://sec.hpi.de/ilc/search

        • This reply was modified 1 week ago by
           Alex5723.
    • #322794 Reply

      Microfix
      AskWoody MVP

      Well I’m somewhat bemused and untrusting of ANY online password checker, I’ve got them written down in an age old little book from around 1993 and stored digitally offline. The book reads like Egyptian hieroglyphs even the websites are coded so useless to anyone else.

      | W10 Pro x64 1803 | W8.1 Pro x64 | Linux x64 Hybrids | W7/ XP Pro x64 O/L
        Can't see the wood for the trees? Look again!
      3 users thanked author for this post.
      • #322840 Reply

        rc primak
        AskWoody_MVP

        Password strength can be checked online. Password managers also do this service. Some sites will  show you how strong your password is as you create it.

        -- rc primak

      • #322900 Reply

        willygirl
        AskWoody Plus

        My stepdad used auto fill for all sites and to top it off the password for everything was his birthday. I bought a hard bound note book changing all sign in info plus PWs. Put the pen next to the book and told him that was his bible and to cherish it. He’s gone now sadly, and I miss teasing him.

        Win7 SP1 Home 64-bit; Office 2010; GrpA, when all is said, done and fixed, Mac OSX to help me sleep at night.

      • #322911 Reply

        Bluetrix
        AskWoody Plus

        Well I’m somewhat bemused and untrusting of ANY online password checker.

        Yeah, what he said. I think recommending *new and/or improved* security add-ons are actually doing a disservice to users. Many will believe everything they are told or read. After all, it was on the internet so it has to be true, yes? I venture that most readers of this and other sites like it have a clue as to what can be believed from the get go, and what to raise an eyebrow to.

        What I find especially onerous about this PW checker is the false sense of security it may foster on unwitting users. Those users are, imho lazy, they rely on such inane fluff to protect them, when with just a tiny bit of understanding on what to do and what not to do it’s much safer to DIY. But they won’t go that far, rather they will let an  add-on dupe them into even more complacent computer use behavior. Online complacency can never be a good thing, it’s one reason sites such as AskWoody exist.

        This PW add-on may very well provide a sense of security, whether it’s a false sense or not, however it’s my belief that anytime a person surrenders private security information to a third party they put themselves at more risk, not less.

        3 users thanked author for this post.
    • #322841 Reply

      rc primak
      AskWoody_MVP

      What is missing from this discussion is that there are better alternatives to passwords.

      A hardware key like YubiKey is now being pushed by Google, Microsoft and other major tech players. Combined with biometrics of some sort and two-factor verification, this is better than a password system. Unless you lose the key or fail to report it stolen, you don’t need to remember anything else, not even a Master Password. And you can’t leave your eyeballs at home or somewhere by accident.

      -- rc primak

      1 user thanked author for this post.
      • #322977 Reply

        anonymous

        Why have none of the spyware paranoid people come up with the idea that a Yubikey may be a spy device. After all, each key has something that uniquely identifies it and you give your name and address when you buy it <eye roll>.

        2 users thanked author for this post.
        • #323058 Reply

          Bluetrix
          AskWoody Plus

          Why have none of the spyware paranoid people come up with the idea that a Yubikey may be a spy device. After all, each key has something that uniquely identifies it and you give your name and address when you buy it

          Perhaps because Yubikey isn’t as ubiquitous as a popular browser add-on offering. One has to actively seek Yubikey out. That seeking out activity is a conscious thought, something that many users fail to avail themselves of.

        • #327570 Reply

          rc primak
          AskWoody_MVP

          I used the YubiKey brand. I should have referenced the generic type. A USB key device can be made by other manufacturers, or even created by a company or an ambitious individual. So you don’t have to trust that this brand is not a spyware device. You can if you really want a project, create your own from scratch, then register its signed PGP Key yourself. Or get a tech-savvy friend to do this for you — if you trust that friend.

          -- rc primak

          1 user thanked author for this post.
    • #322927 Reply

      bbearren
      AskWoody MVP

      I don’t use Google (not directly, anyway) and I don’t use Chrome.  My passwords are in a password protected Excel spreadsheet, and no, the spreadsheet filename is not “passwords”.  My financial institution uses two-factor authentication if a logon is attempted from a PC that is not registered in their database.  When I restore a drive image, I have to go through the two-factor steps to re-register my PC.

      My OneDrive account is protected with two-factor authentication, as well.  Not much else is critical for me.  There isn’t much in the way of useful identity theft resources available on the sites I visit with any regularity.

      Create a fresh drive image before making system changes, in case you need to start over!
      "The problem is not the problem. The problem is your attitude about the problem. Savvy?"—Captain Jack Sparrow
      "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns

      "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      1 user thanked author for this post.
    • #322948 Reply

      dph853
      AskWoody Lounger

      Most passwords should be treated like toilet paper – used once and then flushed away.

      Super important accounts that can cause much grief if they get taken over by the bad guys such as banks, cell provider, online shopping sites etc should be protected by a password that is changed every few times you login or at least every couple of weeks. After you have been made poor or discover that replacement credit cards/purchases have been mailed to an unintended address is too late.

      A good password manager makes doing this a snap. A couple of clicks and you are done. Good passwords aren’t something you can remember and would be a tribulation to type each time. Click, click, click, new password and you never even need to know what the password is. Making it easy to generate a random 25 character password and recall it later might actually convince some to change their passwords just for the sheer joy of doing so.

      Changing your passwords often is much better security than worrying if a password has been compromised or for how long that stolen password will still work. The tools are there to use, you just have to change the way you have always done passwords and choose to use the tools to their potential.

      2 users thanked author for this post.
    • #323142 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      I keep those kinds of information I like to keep private in a text document, encrypted and with the name of something totally unrelated to personal info, and make current hard copies in case something gets deleted by mistake when I am using it. When I need a password, I go and open the text document and copy the always long and complex password to its clipboard and then paste it in the appropriate field of the login box of a site I need to use at that moment. It can be a bit of a hassle, compared to, e.g., using a password manager. But I feel better protected this way. I don’t think this is 100% safe, because a site I am logging in might be compromised by infecting spyware. But in life I don’t believe that there is anything 100% safe, so everything is something of a gamble.

      Used to do that as well, until we had a fire, had to move, and the main workstation that the encrypted file was on was water damaged. (Yes, I had backups, but the incident gave me the spooks…what if the backups were corrupted? Then I moved to multiple backups in different locations.) Now I do both encrypted on-drive AND written down in an obscure ancient language in a notebook that rests in a very secure area.

      But I trust Google about as far as I can throw a grand piano. (Sorry. Too much time spent pulling Android’s snooper-teeth on my phone.)

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      2 users thanked author for this post.
      • #323159 Reply

        OscarCP
        AskWoody Plus

        NTDBD, On your DIY alternative to third-party applications to secure one’s passwords:

        One might still have a problem in case of nuclear attack, but otherwise I cannot agree more with you. Certainly a fire is one of my worries, along with flooding, e.g. when air-conditioning moisture accumulated in the convector pipes connecting several apartments in successive floors where I live, starts cascading into living rooms and bedrooms, after building up its volume in those pipes for weeks and weeks, thanks to something clogging up the pipes. Great fun with a mop and bucket ensues.

        I’m not sure about the need for an obscure language. Maybe Pig Latin could be put into service instead? Not many of the Twitter generation have fully mastered it, I imagine.

        Anyhow, one way to keep a hard copy safe is in a bank vault, such as the one where I keep already my most important documents. But the frequent need to update it due to frequent changes in passwords (as also recommended here, and a definitely good practice) makes keeping something in a bank vault a bit of a hassle. For example, it does reduce the time one has available to have a life.

         

    • #323148 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      A good rule is never to click on a link in an email. If you think that the email might be genuine, or even believe that it is, it is always safer to log in to the linked site by using your normal bookmark or googling it as appropriate.

      Absolutely.  If you must click on that link, some email programs like Thunderbird let you see what the link REALLY points to if you just hover your mouse/pointer/whatever over it.

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Don't check for updates-Full Manual Mode."
      --
      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      2 users thanked author for this post.
    • #323590 Reply

      anonymous

      For any unfortunate soul who uses this or any other password checking service, then finds their favorite password listed, the first piece of advice is to change your password. Does it require this extra step? If you feel the urge to install a password checker extension, or use an online service, just change your password. No one else need be involved. Job done.

      • #323595 Reply

        b
        AskWoody Plus

        For how many different sites and how often?

        The Password Checker extension checks for a breached username/password combination every time you log into a site through Chrome. Would you be prepared to change your password every time you use one?

        Cannon fodder Chump Daft glutton Idiot Sucker More intrepid Crazy/ignorant Toxic drinker "Saluted blockhead" (Group ASAP)

        • This reply was modified 1 week ago by
           b.
        2 users thanked author for this post.
    • #326046 Reply

      SteveTree
      AskWoody Lounger

      People may choose to use or not use the extension, depending on personal circumstances, needs and wants but they should balance up their wish for privacy against their need for security.

      To put it bluntly, it does not concern me if your choice is different to my choice. However, you should make an educated choice.  Here is one example why you might consider the extension a security advantage.

      For those who think haveibeenpwned will warn you about all detected account hacks, think again. The extension and haveibeenpwned work differently. Subject to a hack being detected, if you log onto a website using an email address, haveibeenpwned can warn you. If you log on with a username it cannot warn you.

      While warnings can be helpful, you need to be open to discovering breaches via other methods. I discovered the 92,000,000 account MyHeritage hack via RSS feeds. However, hacks are happening all the time. Only big ones get the headlines.

       

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 32 Home portable
