Hi,

On Mon, 2 Sep 2019, Patrick Dupre wrote:

The password is one of the password that I use. It is not one giving access to important accounts, but I am a bit wondering about other account. I am careful with my accounts and passwords. How can I prevent sort of password steal?

You can't!

The leak is not your fault but it, probably, comes from one of the several data theft companies―as Facebook, Google, Linkedin, ...―more or less recently suffered. Look at

https://en.wikipedia.org/wiki/List_of_data_breaches

for a list more or less complete.

The only feasible trick you can adopt is to use a different password for every internet service you use so that if one is compromised all the other are still safe. Also change password often could help.

My 2¢

Walter

--

Am 2019-09-02 10:28, schrieb Walter Cazzola:

Hi,

On Mon, 2 Sep 2019, Patrick Dupre wrote:

...

The password is one of the password that I use. It is not one giving access to important accounts, but I am a bit wondering about other account. I am careful with my accounts and passwords. How can I prevent sort of password steal?

You can't!

The leak is not your fault but it, probably, comes from one of the several data theft companies―as Facebook, Google, Linkedin, ...―more or less recently suffered. Look at

         https://en.wikipedia.org/wiki/List_of_data_breaches

for a list more or less complete.

The only feasible trick you can adopt is to use a different password for every internet service you use so that if one is compromised all the other are still safe. Also change password often could help.

My 2¢

Walter

Beside the other possible ways of credential theft that is a likely way.

Hint: https://haveibeenpwned.com/

Alexander

On 02Sep2019 09:53, Patrick Dupre pdupre@gmx.com wrote:

Today, I got a message, staring: Hey, I know your password is ........

and asking for money.

Do they cite accurately the service for which the password is used?

The password is one of the password that I use. It is not one giving access to important accounts, but I am a bit wondering about other account. I am careful with my accounts and passwords. How can I prevent sort of password steal?

As mentioned, this is largely in the hands of those who have stored your password.

There are a few ways for your password to leak:

- the service for which the password is used has had a breach.

No reputable service should be storing your actual password, they should be using some kind of salted hash of your password; the service shouldn't be _able_ to leak you password, they just need to be able to check that whatvere passwordyou supply hashes the same way.

Note that a lot of mailing list software does keep the raw password.

Also, bad logging might record passwords in a log file.

With a hash, if someone obtains the service's records, they can only get your password by trying passwords against the hash. However, if your password is one you invented then that might be a smaller search space than you think.

- the password was intercepted between you and the service

With https and ssl this should not be possible. The traffic between you and it should be properly encrypted, and if the service certificate is valid then there should not be a man-in-the-middle.

- your local machine was attacked

Hopefully not.

The best defense with passwords is to have a different one for every service. There are password management tools which help with this: they will keep your passwords in encrypted form, and also generate strong random passwords for you.

The advantage here is that if one service is comprimised, your other services are not.

Note that your email is critical - it is the common avenue for "forgot password" mechanisms. So someone with access to your email might then do the reset-password process for some service and intercept any validation stuff sent to your email.

So your email is an often ngelected common weak point.

Anyway:

Get a password management tool.

Cheers, Cameron Simpson cs@cskk.id.au

Alexander Dalloz wrote:

...

Hint: https://haveibeenpwned.com/

Joe Zeff:

I took a look using my main email address. I wasn't surprised at all to find that it's in several data breaches containing millions of email addresses. However, unless there's any evidence that anybody's using it, I see no reason to be concerned.

Generally speaking, that's the way to treat it. Some of those databases say when your data was stolen, and if you've changed your password since then, you're probably okay (until the next breach). If you haven't changed it since then, change it now.

Some time ago Yahoo forced password changes on me, without really saying why (other than a generic for your own security sort of thing), as far as I remember. Looking on one of those databases, I see Yahoo was breached not too long before the forced password change. Since *I* haven't been compromised through my email details in the meantime, I'll assume that my data was either stolen but not yet sold, or not used before the password reset.

My guess would be that hackers would try your email details against other things that they have breaches with (banks, etc), looking for sets of data they can use together.