Woody Leonhard's no-bull news, tips and help for Windows, Office and more… Please disable your ad blocker – our (polite!) ads help keep AskWoody going!
Home icon Home icon Home icon Email icon RSS icon
  • Patch Lady – 31 days of paranoia – day 11

    Posted on Susan Bradley Comment on the AskWoody Lounge

    Home Forums AskWoody blog Patch Lady – 31 days of paranoia – day 11

    This topic contains 28 replies, has 13 voices, and was last updated by  rc primak 1 month, 4 weeks ago.

    • Author
      Posts
    • #224002 Reply

      Susan Bradley
      AskWoody MVP

      Patch Lady here with paranoia of day 11.  Have you ever checked to see if your password has been discovered by attackers and is known by them?  There
      [See the full post at: Patch Lady – 31 days of paranoia – day 11]

      Susan Bradley Patch Lady

      4 users thanked author for this post.
    • #224004 Reply

      anonymous

      “Help, help, my account is listed on haveibeenpwned!”, said no-one, too embarrassed to speak up.

      I wonder just how many people tell others when they appear on that site.

      It must be quite the conundrum to announce that your account was up there (and a call to get hammered by people’s questions if you use KeePass or not).

      Just a reminder and not a hammering: please use a password manager that automatically generates passwords and saves them encrypted on your drive.

      If you used it and you’re on havibeenpwned, your password you lost wouldn’t’ve mattered! It would have leaked something that looks like NI)EWh032gvh2t804*)#GTFew and nobody would have even thought twice.

    • #224007 Reply

      Noel Carboni
      AskWoody MVP

      My first thought when visiting that site was, “Do I really want to give my eMail address to someone on the other end of this?”

      I didn’t. Knowing wouldn’t have changed my already thoughtful password management strategy.

      -Noel

      2 users thanked author for this post.
    • #224008 Reply

      anonymous

      I agree with Noel Carboni. I’m loathe to give my email adress to anyone, company or website.

    • #224024 Reply

      Nibbled To Death By Ducks
      AskWoody Lounger

      Agree with Neal…thought the same thing when the site came out years ago….save this fellow is quite well known, and trusted by Krebs and others in his arena. The FAQ looks pretty tight, but the founder is Troy Hunt, a Microsoft Regional Director.

      You have his word that nothing is retained on his site; but there are all sorts of attacks that could go down with “man in the middle”…

      And password managers? What if your only PC goes down, and takes that with it?  Backups, of course, but resetting everything including routers, etc can be a real pain in that scenario, if you are lucky enough to have another machine.

      No, I use very basic, but effective methods for passwords, which I will only infer here, and give Douglas Adams credit:

      Written down in a Sumerian script, in the 3rd sub cellar of three different locations, in the janitor’s closet behind a door marked “Beware The Leopard.”

      For coming up with them, or actually writing them down, obscure foreign languages that use script other than Roman are very useful too. How’s your Thai or Javanese?

      Code cyphers for further password obfuscation are great too. So many to choose from! 😉

      And never, never use the same PWD twice.

      Ouija Boards, anyone?

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", Group "A/B [negative] :)", Multiple Air-Gapped backup drives in different locations, "Notify but do not download or install without asking."

      --

      "The more kinks you put in the plumbing, the easier it is to stop up the pipes!" -Scotty

      2 users thanked author for this post.
      • #224041 Reply

        Ascaris
        AskWoody MVP

        And password managers? What if your only PC goes down, and takes that with it? Backups, of course, but resetting everything including routers, etc can be a real pain in that scenario, if you are lucky enough to have another machine.

        I have lots of ‘another’ machines!  I have six of them that are relatively current (dual core or better), and nine in total if we count the not-so-current ones.  My password store is synced (manually, SneakerNet) between the most commonly used PCs (my main desktop, my two newer laptops, and my Core 2 Duo laptop that still holds its own despite its age), and is protected by strong encryption and passwords at each endpoint.

        If any of these PCs goes down, I fix it with replacement parts (in the case of my desktop PCs and my Core 2 Duo laptop) or remove its SSD (Acer Swift) or micro SD card (Dell Inspiron) and send it in for warranty service, then reinstall everything when it comes back (in the Swift, it’s as easy as popping the SSD back in; on the Dell, I would have to restore the OS to the internal eMMC drive and pop the MicroSD back in).  There are no private or sensitive files located on any non-removable storage like internal eMMCs.  Linux does not insist on putting user profiles on the boot drive, so it’s quite easy to ensure that the boot device contains no personal data.

        I have backups for all of my devices in multiple places.  If it’s the drive on any of these ‘puters that has failed, I replace it (under warranty, probably; most of my drives are still warranteed) and restore the backup.

        When the Swift and Inspiron are out of warranty, I’d add them to the “fix with replacement parts” category.  Good used motherboards are available at good prices on eBay for both.  All of my computers can be opened with simple hand tools and are not glued together, so replacing the motherboard is really not very hard.

        Group L (Linux): KDE Neon User Edition 5.14.4 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

        1 user thanked author for this post.
    • #224026 Reply

      anonymous

      haveibeenpwned has listed my email as being compromised in relation to yahoo, ever since that famous yahoo breach. Thing is, I have never done anything yahoo related beyond mentioning it here. Maybe yahoo handled posting on a website I made a comment on at some point, but no matter what I do I can’t get yahoo to send me an email to reset the password. IIRC, yahoo deleted everyone’s passwords after (they announced) the breach, so it’s pretty much a moot point.

      I’m not worried about it, all my passwords are long strings of gibberish, all different for each site.

      • #224212 Reply

        anonymous

        I may be misunderstanding you. If you have no other reasons for concern in your cyber life then I would simply chalk this up to coincidence and not think much about it.

        But if there are other things you notice and cannot quite get a handle on why these things are happening, then you need to consider that someone else has made an account with what you consider your username. This can also be innocent enough. In real life my combination of given name and surname are shared by at least nine other people in the US, several are nearly the same age. Even if you have been creative with a username, other creative types may arrive there independently.

        Yahoo is not convinced that you are the owner of the account. So they are refusing to give private information to a stranger. This is good policy, even though it is inconvenient for you.

        • #224284 Reply

          anonymous

          My bad, it was one of my gmail accounts listed as breached by yahoo, yet yahoo won’t send me a new password when I try to log in with that gmail, which they shouldn’t. It’s a bit of runaround, and pointless as I don’t know where to use the login if there was a password. It was a few years ago, it was a junk gmail account, whatever.

          I haven’t checked in years, but as of now haveibeenpwned.com only lists that same email address as having been compromised on DISQUS as of almost exactly one year ago, no mention of the previous yahoo breach. Regardless, I still don’t care, it’s a throw away email with a (different) throw away password used only for forum posts. I wasn’t phished on that account AFAIK, it was just another social media site mass breach; I wasn’t financially or emotionally invested so I stopped using DISQUS, but the irony of that site name hasn’t been lost on me. Next stop, reddit?

          Most important, never respond to emails saying things like “did you just try to login to your account from *whatever* location? Please login with your full account details and password here [*insert innocuous-looking link*]”.

    • #224036 Reply

      Kirsty
      AskWoody MVP

      @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
      It’s worth checking this out:
      https://howsecureismypassword.net/

      howsecureismypassword

      2 users thanked author for this post.
      • #224147 Reply

        Noel Carboni
        AskWoody MVP

        Cute, though a bit meaningless. How long will it take next year’s model? Next decade’s quantum model? The sliding scale of technological advancement is why 128 bit keys are now laughably weak, even though the predictions back just a few decades ago were that it would take millions of years to crack them.

        People should not have to juggle ever increasing, human-meaningless passwords in order to stay in control of their private data. Their tech needs to work harder for them and ONLY them (and NOT for some company who feels THEY should be in control).

        -Noel

        P.S., please don’t even CONSIDER typing your real passwords into that site.

        4 users thanked author for this post.
        • #224178 Reply

          anonymous

          Just to complete your thought to make it glaringly obvious.

          Typing an active password would expose that supersecure, only known to two entities on the entire planet, absurdly long multicharcacterset string to a THIRD entity. It might as well be added to the list of known passwords.

          2 users thanked author for this post.
        • #224249 Reply

          Kirsty
          AskWoody MVP

          Cute, though a bit meaningless. How long will it take next year’s model?

          My reference to complacency was the ability to check your current configuration, which may show it will currently take xx minutes – at which point you need to upgrade your passwords NOW. It gives a better indication of what isn’t a good concept for your passwords than mere confidence in your ability to create one 🙂

    • #224037 Reply

      Ascaris
      AskWoody MVP

      Recently Brian Krebs has had several stories about how phishing emails have been sent with old passwords being used in the email to frighten you into thinking the attackers had some information about you.

      The joke’s on them, then, as I’ve never seen 99% of my passwords!

      Group L (Linux): KDE Neon User Edition 5.14.4 (based on Ubuntu 18.04) + Windows 7 in Virtualbox VM

    • #224043 Reply

      Seff
      AskWoody Lounger

      If I was concerned about my email addresses being compromised, the last thing I’d do is enter them all on a site expressly designed to collect email addresses, no matter who was running the site and how trustworthy they may be – the sites any email addresses were compromised on in the first place are likely to have been run by equally eminent and trustworthy companies/people.

      1 user thanked author for this post.
    • #224098 Reply

      Peacelady
      AskWoody Lounger

      I did check haveibeenpwned — an old email came up from Linkedin.  All my current emails came up clean.  I am very paranoid but somehow felt comfortable giving my email address to haveibeen pwned because email addresses are “out there” anyway (e.g. one person sending a joke without bcc is enough to make my head spin).  I have five email addresses for different purposes (bank alerts, shopping, personal email, throw away, etc.)  Since they are all gmail accounts I can easily delete them and start fresh.  Even my personal email address has so few people in the address book that I can notify folks that I have changed my email address .  Yes, this is embarrassing to do but I have done it twice already for security reasons.

      As for my passwords, I don’t trust password managers and only use one desktop at home so I have a little book with all my passwords written in it (I only have the five passwords for the email accounts, the IMac password, and just a few others – probably only ten in all.  They are random and long with some caps some numbers some symbols, etc. and I change them from time to time.  (When I got my IMac a few months ago I had a computer man come to install it and he had never seen anyone go through typing the kind of passwords that I had — between my getting used to the feel of the magic keyboard and the length and complexity of my passwords — let’s just say he was here for quite awhile and he has not forgotten me!)

      I would not send my password into a website to find out if it was pawned.

      I have a Yubico key that I use for the gmail accounts and use two factor authentification wherever it is available.

      Ttthat’s All Folks!

      1 user thanked author for this post.
      • #224108 Reply

        AlexEiffel
        AskWoody MVP

        I always had similar intuitions. One thing I changed over the years though is to favor length over complexity for passwords. You need to make sure the web site doesn’t accept a long password but stores only a shorter version. Some will salt the password (add something) to the encrypted password file so it is harder to brute force hack it if it gets stolen. Of course 2FA is so much better when available and when used with a key or app (not an SMS).

        The diceware method is one way to generate long secure passwords.

        I use a method where I combine many words and change them a bit into not real words, plus add a few random numbers or special characters, not letters replacement like 3 for e. I will purposefully create words by combining two half bad spelled words to remember them easily or use foreign language mixed with English. Add a sentence turned into a word in the mix somewhere (see Schneier method below). This creates easy to remember and to type (important!) passwords, but very difficult to crack, much more than something like $%aue”eiDDop*(2!.

        Below 12 characters, complexity doesn’t matter that much, it is still too easy to crack. As length grows, the difficulty of brute force hacking grows much more as long as there is no pattern that could be used easily in an automated fashion to try to guess it. 16 characters seems a good start.

        https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

        https://www.networkworld.com/article/3199607/linux/dealing-with-nists-about-face-on-password-complexity.html

        Outdated but still an interesting read although crackers have adapted to it:

        https://www.infoworld.com/article/2664379/security/password-cracking-challenge-update–second-password-revealed.html

        • This reply was modified 2 months ago by  AlexEiffel.
        1 user thanked author for this post.
    • #224099 Reply

      AlexEiffel
      AskWoody MVP

      I thought the same as you guys regarding giving away an email address, but out of curiosity…

      I tried it with a few email addresses of people I know and one old of mine which I knew were already in spamming databases. It came up with interesting results. Mostly, they were found stolen in places where there was data breaches like an antivirus forum, Myspace (not mine) or other similar places where you had to register to post a question that I used once or twice.

      To me, this is just a good reminder to never use the same password on different sites, even if you think those web sites are not really important to you. The information that could be gathered from different sites could sometimes be used against you on other more important services.

      2 users thanked author for this post.
      • #224119 Reply

        Peacelady
        AskWoody Lounger

        @alexeiffel
        This perplexes me that Schneier says:

        “Don’t bother updating your password regularly. Sites that require 90-day — or whatever — password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.”

        • #224225 Reply

          AlexEiffel
          AskWoody MVP

          It is what a lot of people said for a long time and that the NIST now approves.

          Expiring passwords are a huge annoyance and they create more issues than they solve. Maybe the only advantage of them is if a password is known and the attacker hasn’t already installed a backdoor or done damage, changing it might help lock him out.

          But the disadvantages are much more important. People are annoyed and asked to change passwords at inconvenient times, so they take the task less seriously. They don’t think about a good password every three months, so they will pick something bad or try to reuse something they already have (some programs check for variations of previous passwords but a lot are not very good at this and a cracking tool would easily guess the new password using the old one). That, not counting that a lot of password security checking tools are quite bad and allow passwords that are easily cracked using modern techniques. Users will also have to take a note of the password to not forget it because of some unnecessary requirements, so it ends up on a post-it in their office desk.

          Yes, some people might manage password changes well, but from experience I can tell you the majority of people are quite awful at picking passwords and asking them to regularly change them just adds to the security risk.

          1 user thanked author for this post.
          • #224245 Reply

            Peacelady
            AskWoody Lounger

            Thanks AlexEiffel. I saw other sites that also advised against changing passwords. My situation is a little different — I’m a home user of one desktop and from time to time voluntarily change a password and put a lot of thought into it. It makes me feel better — ignorance is bliss! 🙂

            1 user thanked author for this post.
            • #224388 Reply

              AlexEiffel
              AskWoody MVP

              In your specific case, I would tend to think it is a good idea to change your password regularly if you do it with such care. You might get lucky and change the password before it is misused in case of a breach. My trust in the ability of many online services to not get breached is quite low. 2FA is a real advantage there.

              Understanding the rule might end up giving you a good reason to break it. I broke the old rule for specific cases with my users until NIST changed their mind, you break the new rule and I think it makes sense.

              Today, I just got forced to add 3 non customizable security questions to access one service that seemed to realize they might have security issues and decided to do something that could actually lower security in my book instead of attaining their goal. Asking questions about personal things that are easy to guess and that might be reused on other website is not a very sound practice. Adding 2FA would have been a much better idea. So I invent weird responses when faced with such unprofessional handling of security and I make sure I have nothing of value in that service.

              1 user thanked author for this post.
    • #224148 Reply

      GoneToPlaid
      AskWoody Lounger

      I have been using HaveIBeenPwned for around two years. HaveIBeenPwned is a completely legitimate web site which was created by Troy Hunt who is a Microsoft Regional Director. Here is a fairly interesting 2015 Forbes article about how a Forbes staff writer and Troy verified that 000Webhost had been hacked:

      https://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/#5fcf1af96098

       

      2 users thanked author for this post.
      • #224185 Reply

        anonymous

        I’m not actually concerned about Troy Hunt’s integrity, his credentials are sparkling. My concern is the ne’er do wells that observe traffic coming to the honey pot. It may be true that no secure information can be seen in the transmission. But the fact that IP address such and such belonging to who and whom was suddenly interested in reviewing a hacked list may be useful information. Even the police notice who’s car is parked outside the local watering hole three or four times a week.

        Yes, VPN. Yes, I got skills. Yes to whatever makes you immune. Why take the additional risk?

    • #224211 Reply

      ax kramer
      AskWoody Lounger

      My experience suggests that scam emails are much less a threat than even one year ago. Now I get very few, and not even much email advertising. The “bad guys” have mostly shifted to the telephone for their “offerings”. Typically I get five or six a day, with health-related scams being the most common. The rest are mostly financial offers and political. That last category is increasing in frequency as anyone would expect.

    • #224224 Reply

      anonymous

      I warned my ~50 users about these new phishing emails with your real compromised username and password in them back in July.  Exactly 22 minutes after I sent the warning to my users I received the “Sextortion” scam email Susan linked to in my personal gmail with a 15-20 year old username and password as the subject.  Within a week I had seen multiple of these scams in my corporate SPAM filter and had multiple users report that they had received these scam emails at home.

    • #224268 Reply

      kiwigenie
      AskWoody Lounger

      I’ve gotten 4 notices so far.

      Have I been pwned?

      1 Mar 2017, one of 995,274 people pwned in the Bolt data breach
      7 Oct 2015 one of 30,741,620 people pwned in the Special K Data Feed Spam List data breach
      14 Apr 2015 one of 32,939,105 people pwned in the SC Daily Phone Spam List data breach
      1 Jul 2012 one of 68,648,009 people pwned in the Dropbox data breach

    • #224326 Reply

      rc primak
      AskWoody MVP

      If I knew an active password of mine had been stolen, I don’t think I’d be posting to a public forum like this one about it. Just having been pwned can make you a target for further attacks. The fewer people who know about your misfortune, the safer you are. Just change the password, close the account if it’s unused or unimportant, and don’t go around sharing your experience, especially not details not yet known to everyone. The fewer breadcrumbs you leave, the less the risk someone else will pick up on the clues and pwn you again.

      The one thing you cannot change is a biological fact about yourself, known as biometrics. Once that is cloned or impersonated, you are truly pwned. This fact is one reason I don’t like the idea of using our actual DNA as a biometric.

      -- rc primak

    • #224347 Reply

      GoneToPlaid
      AskWoody Lounger

      If I knew an active password of mine had been stolen, I don’t think I’d be posting to a public forum like this one about it. Just having been pwned can make you a target for further attacks. The fewer people who know about your misfortune, the safer you are. Just change the password, close the account if it’s unused or unimportant, and don’t go around sharing your experience, especially not details not yet known to everyone. The fewer breadcrumbs you leave, the less the risk someone else will pick up on the clues and pwn you again. The one thing you cannot change is a biological fact about yourself, known as biometrics. Once that is cloned or impersonated, you are truly pwned. This fact is one reason I don’t like the idea of using our actual DNA as a biometric.

      It totally depends on what steps you have taken. For example and most importantly, and as told to me years ago by an FBI agent, never use your real name online.

      There is interesting stuff in the news about DNA and about how it is now likely possible (50% or greater) that you can be identified — not by your own submitted DNA — but by DNA which was submitted for testing by family members. Yeah, it takes a lot of online digging, yet this is what recently published research paper showed. Ain’t that peachy? The upshot is that your relatives could unknowingly be undermining your online anonymity.

      3 users thanked author for this post.
      • #225330 Reply

        rc primak
        AskWoody MVP

        it is now likely possible (50% or greater) that you can be identified — not by your own submitted DNA — but by DNA which was submitted for testing by family members.

        Very true. In fact, two murders have recently been solved by police in this way.

        Yet another reason to avoid using public DNA databases for trivial tasks like genealogy research. Unless your life depends on it, keep your health data to yourself.

        -- rc primak

    Please follow the -Lounge Rules- no personal attacks, no swearing, and politics/religion are relegated to the Rants forum.

    Reply To: Patch Lady – 31 days of paranoia – day 11

    You can use BBCodes to format your content.
    Your account can't use Advanced BBCodes, they will be stripped before saving.

    Your information:


    Comments are closed.