Hello,
Today, I got a message stating: Hey, I know your password is ........
and asking for money.
The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
Thanks.
===========================================================================
Patrick DUPRÉ | | email: pdupre@gmx.com
Laboratoire interdisciplinaire Carnot de Bourgogne
9 Avenue Alain Savary, BP 47870, 21078 DIJON Cedex FRANCE
Tel: +33 (0)380395988
===========================================================================
Hi,
On Mon, 2 Sep 2019, Patrick Dupre wrote:
> The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
You can't!
The leak is not your fault; it probably comes from one of the several data thefts that companies such as Facebook, Google, LinkedIn, ... have more or less recently suffered. Look at
https://en.wikipedia.org/wiki/List_of_data_breaches
for a more or less complete list.
The only feasible trick you can adopt is to use a different password for every internet service you use, so that if one is compromised all the others are still safe. Changing passwords often could also help.
My 2¢
Walter
--
On 9/2/19 3:53 PM, Patrick Dupre wrote:
> Today, I got a message stating: Hey, I know your password is ........
> and asking for money.
> The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
"You" cannot prevent your password from being stolen from sites which store passwords in an insecure manner. Unfortunately you can't predict which sites use poor procedures.
The best thing you can do is change your passwords often for sites of value and don't reuse passwords. Also, use different passwords for "important" sites than for "unimportant" sites. The "unimportant" sites would include those which don't store your CC# or other personal data.
Whenever possible, and practical, use 2 factor authentication.
FWIW, I've gotten that sort of email. In my case it is a password that I've not used in more than a year.
Am 2019-09-02 10:28, schrieb Walter Cazzola:
> Hi,
> On Mon, 2 Sep 2019, Patrick Dupre wrote:
> > The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
> You can't!
> The leak is not your fault; it probably comes from one of the several data thefts that companies such as Facebook, Google, LinkedIn, ... have more or less recently suffered. Look at
> https://en.wikipedia.org/wiki/List_of_data_breaches for a more or less complete list.
> The only feasible trick you can adopt is to use a different password for every internet service you use, so that if one is compromised all the others are still safe. Changing passwords often could also help.
> My 2¢
> Walter
Besides the other possible ways of credential theft, that is a likely way.
Hint: https://haveibeenpwned.com/
Alexander
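An added example, not part of Alexander's message or of the haveibeenpwned.com service's own code: the site also lets you check a *password* (not just an e-mail address) against its breach corpus, and its range API is built so the password never leaves your machine. The client hashes the password with SHA-1, sends only the first 5 hex digits, gets back every hash suffix in that bucket with an occurrence count, and compares the suffix locally. The server side below is a constructed stand-in that answers in the same "SUFFIX:COUNT" line format so the example runs offline; the passwords and counts in its corpus are invented for this illustration.

```python
# Added example (not from the thread): client-side breach check of a password
# using the k-anonymity scheme of the haveibeenpwned.com "Pwned Passwords"
# range API.  Only the first 5 hex digits of the SHA-1 are sent; the 35-digit
# suffix is compared locally.  The server class is a constructed stand-in and
# the corpus contents are made up.
import hashlib

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real endpoint; not contacted here


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that goes over the wire and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; tolerate CRLF and blanks."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How often the password was seen in the corpus (0 = not found).
    fetch_range(prefix) -> str is the transport; inject an HTTP client for real use."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


class ConstructedBreachServer:
    """Offline stand-in for the range API: holds SHA-1 hashes of 'leaked'
    passwords with counts and answers by 5-char prefix bucket.  It also records
    what it learns from each query, which is the prefix and nothing else."""

    def __init__(self, leaked_counts: dict):
        self.by_hash = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper(): n
                        for p, n in leaked_counts.items()}
        self.queries = []

    def fetch_range(self, prefix: str) -> str:
        if len(prefix) != 5:
            raise ValueError("range queries take exactly 5 hex digits")
        self.queries.append(prefix)
        lines = [f"{h[5:]}:{n}" for h, n in self.by_hash.items() if h.startswith(prefix)]
        return "\r\n".join(lines) + "\r\n"


# Constructed corpus: these passwords and counts are invented for the example.
CONSTRUCTED_CORPUS = {"password": 1000, "123456": 5000, "letmein": 250}


def check_candidates(candidates, server=None) -> dict:
    """Check several candidate passwords against the stand-in server."""
    server = server or ConstructedBreachServer(CONSTRUCTED_CORPUS)
    return {p: breach_count(p, server.fetch_range) for p in candidates}


if __name__ == "__main__":
    srv = ConstructedBreachServer(CONSTRUCTED_CORPUS)
    for pw, n in check_candidates(["password", "Xq7!vR2pLm9#"], srv).items():
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in corpus")
    print("server learned only these prefixes:", srv.queries)
```

For real use, replace `fetch_range` with an HTTP GET of `RANGE_API + prefix`; the local comparison logic stays the same, and the `queries` list shows what the remote side could log at most.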
On Mon, 2019-09-02 at 16:31 +0800, Ed Greshko wrote:
> On 9/2/19 3:53 PM, Patrick Dupre wrote:
> > Today, I got a message stating: Hey, I know your password is ........
> > and asking for money.
> > The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
> "You" cannot prevent your password from being stolen from sites which store passwords in an insecure manner. Unfortunately you can't predict which sites use poor procedures.
> The best thing you can do is change your passwords often for sites of value and don't reuse passwords. Also, use different passwords for "important" sites than for "unimportant" sites. The "unimportant" sites would include those which don't store your CC# or other personal data.
The best way to do that is with a password manager.
> Whenever possible, and practical, use 2 factor authentication.
+1, when available, which is not always. For example Amazon (at least in Europe) doesn't offer this.
poc
On 02Sep2019 09:53, Patrick Dupre pdupre@gmx.com wrote:
> Today, I got a message stating: Hey, I know your password is ........
> and asking for money.
Do they accurately cite the service for which the password is used?
> The password is one of the passwords that I use. It is not one giving access to important accounts, but I am wondering a bit about other accounts. I am careful with my accounts and passwords. How can I prevent this sort of password theft?
As mentioned, this is largely in the hands of those who have stored your password.
There are a few ways for your password to leak:
- the service for which the password is used has had a breach.
No reputable service should be storing your actual password; they should be using some kind of salted hash of your password. The service shouldn't be _able_ to leak your password; they just need to be able to check that whatever password you supply hashes the same way.
Note that a lot of mailing list software does keep the raw password.
Also, bad logging might record passwords in a log file.
With a hash, if someone obtains the service's records, they can only get your password by trying passwords against the hash. However, if your password is one you invented then that might be a smaller search space than you think.
- the password was intercepted between you and the service
With HTTPS and SSL this should not be possible. The traffic between you and it should be properly encrypted, and if the service certificate is valid then there should not be a man-in-the-middle.
- your local machine was attacked
Hopefully not.
The best defense with passwords is to have a different one for every service. There are password management tools which help with this: they will keep your passwords in encrypted form, and also generate strong random passwords for you.
The advantage here is that if one service is compromised, your other services are not.
Note that your email is critical - it is the common avenue for "forgot password" mechanisms. So someone with access to your email might then do the reset-password process for some service and intercept any validation stuff sent to your email.
So your email is an often neglected common weak point.
Anyway:
Get a password management tool.
Cheers, Cameron Simpson cs@cskk.id.au
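An added example, not part of Cameron's message or of any particular library: the storage scheme he describes (a salted, iterated hash, so the service holds something it can check but cannot turn back into the password) next to what an attacker who steals such a record can still do, which is guess offline. The guess list is constructed from a handful of words, years and suffixes to show why an "invented" password sits in a small search space, while a manager-generated one drawn from the OS random source does not. The record format, function names and the sample passwords are this example's own.

```python
# Added example (not from the thread): salted, iterated password hashing on the
# service side, plus the attacker's only move once the record leaks: offline
# guessing.  PBKDF2-HMAC-SHA256 from the standard library is used here; the
# record format and the guess list are constructed for this illustration.
import hashlib
import hmac
import secrets
import string
from typing import Iterable, List, Optional

ITERATIONS = 100_000  # PBKDF2 cost; tune upward for a real deployment


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a storable record 'pbkdf2_sha256$<iters>$<salt hex>$<digest hex>'.
    A fresh random 16-byte salt means two users with the same password get
    different records, so a leaked table cannot be cracked once for everyone."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def crack_record(record: str, guesses: Iterable[str]) -> Optional[str]:
    """The attacker's side: holding a leaked record, the only way to the
    password is to try candidates against it.  Returns the first hit or None."""
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


def constructed_guesses() -> List[str]:
    """A tiny 'human pattern' wordlist: word + year + suffix, two casings."""
    words = ["summer", "password", "welcome"]
    years = ["2018", "2019"]
    suffixes = ["", "!", "1"]
    return [f"{w}{y}{s}" for base in words for w in (base, base.capitalize())
            for y in years for s in suffixes]


def generate_password(length: int = 20) -> str:
    """What a password manager does: draw from the OS CSPRNG, not from memory."""
    alphabet = string.ascii_letters + string.digits + "-_.!?"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def demo() -> dict:
    """Store an invented-looking password and a generated one, 'leak' both
    records, and run the constructed guess list against each."""
    human = "Summer2019!"  # constructed sample of a human-chosen password
    managed = generate_password()
    records = {"human": hash_password(human), "managed": hash_password(managed)}
    guesses = constructed_guesses()
    return {
        "guess_count": len(guesses),
        "human_cracked": crack_record(records["human"], guesses),
        "managed_cracked": crack_record(records["managed"], guesses),
    }


if __name__ == "__main__":
    print(demo())
```

Each guess costs the attacker the full PBKDF2 work, which is why the iteration count matters; but no cost factor rescues a password that sits among a few dozen obvious candidates, which is the point about search space above.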
On 09/02/2019 02:33 AM, Alexander Dalloz wrote:
I took a look using my main email address. I wasn't surprised at all to find that it's in several data breaches containing millions of email addresses. However, unless there's any evidence that anybody's using it, I see no reason to be concerned. Just to check, I submitted a phony address at my own vanity domain, to see if it were actually checking, or just returning positives for everything in an attempt to sell some service, and it came up negative as it should.
Alexander Dalloz wrote:
Joe Zeff:
> I took a look using my main email address. I wasn't surprised at all to find that it's in several data breaches containing millions of email addresses. However, unless there's any evidence that anybody's using it, I see no reason to be concerned.
Generally speaking, that's the way to treat it. Some of those databases say when your data was stolen, and if you've changed your password since then, you're probably okay (until the next breach). If you haven't changed it since then, change it now.
Some time ago Yahoo forced password changes on me, without really saying why (other than a generic for your own security sort of thing), as far as I remember. Looking on one of those databases, I see Yahoo was breached not too long before the forced password change. Since *I* haven't been compromised through my email details in the meantime, I'll assume that my data was either stolen but not yet sold, or not used before the password reset.
My guess would be that hackers would try your email details against other things that they have breaches with (banks, etc), looking for sets of data they can use together.
Take a look at:
https://www.grc.com/sqrl/sqrl.htm