I need to vent......

[cpaharley2008]

Maybe it is just me, but lately, I have been swamped with password requests on various websites, or mail requests to change such due to "new software". First off, it would seem to me that any new software, regardless of where, should be able to utilize an old password until updated. But it seems the government/nor third party entities do not have this common sense approach and denies access until US mail confirms your identity.
At least I'm glad my signon here on the forum has remained constant, let's hope it remains that way.
rant over......

[hugh]

As someone who works in the software industry, I can say that a big part of the problem is the rapidly evolving threat profiles and attack vectors. What were thought to be state-of-the-art security practices even a few years ago, now look naive at best.


And yes, unfortunately that means that new software often implements things in ways that are incompatible with older systems. With passwords specifically, the actual password is almost never stored anywhere in the system. (That would be an incredibly poor design). That often means that when moving to a new system, there is no way to copy the passwords from the old system in to the new.


So, all these password changes are a pain, but take it as a sign that the companies are (usually) trying to do the right things, in terms of security.

[rbryan4]

There's a very simple fix Jim. Get a decent password manager such as Keeper, LastPass or 1Password. It can take care of generating complex and secure passwords, and it can change them without you having to remember any of them. The only password you have to remember is the master password - which is just to log in to the password manager platform itself. All the site passwords are kept in an encrypted vault. You can view them to see what they are, but there's really no need because the password manager enters them into the appropriate field when needed.

[Fender]

Quote:

Originally Posted by rbryan4

There's a very simple fix Jim. Get a decent password manager such as Keeper, LastPass or 1Password. It can take care of generating complex and secure passwords, and it can change them without you having to remember any of them. The only password you have to remember is the master password - which is just to log in to the password manager platform itself. All the site passwords are kept in an encrypted vault. You can view them to see what they are, but there's really no need because the password manager enters them into the appropriate field when needed.

I've been wondering about this service. Haven't there been issues though with the password manager being hacked?

[cpaharley2008]

Thanks for the update. I'm glad there are some solutions to my frustration out there.....

[emers382]

One thing for certain is NOT to keep your passwords in a spreadsheet on your computer!

My sister and husband were recently visiting family and friends in Montreal when their Honda CRV was stolen. It's very popular car to steal there and police told them it's likely in a container on the way to Africa. Unfortunately they were leaving for home that morning and had taken only overnight stuff into their friends' so lost their big suitcase, shoes, coats, and that computer where the passwords were stored in a spreadsheet. They had to cancel all their bank cards credit cards, etc. It's been a very unnerving experience.

[Mike G]

Any time you need to vent, you have a choice.
.
Maxx fan or hood fan.

[Mike Lewis]

Some browsers, e.g. Firefox, have password generators as well.

[Chasing Trials]

Quote:

Originally Posted by emers382

One thing for certain is NOT to keep your passwords in a spreadsheet on your computer!

My sister and husband were recently visiting family and friends in Montreal when their Honda CRV was stolen. It's very popular car to steal there and police told them it's likely in a container on the way to Africa. Unfortunately they were leaving for home that morning and had taken only overnight stuff into their friends' so lost their big suitcase, shoes, coats, and that computer where the passwords were stored in a spreadsheet. They had to cancel all their bank cards credit cards, etc. It's been a very unnerving experience.

Until someone REALLY goes after these people. I don't trust the internet. Do very little online, no smartphone. I don't create log in accounts, only 2 things linked to my bank account(small local bank, watch things like a hawk, & call me on a LOT, sometimes too much!, but, better safe than sorry). Use amazon once in a blue moon(I usually do research there, but track down the small company, & order direct(as a guest) for 2 reasons(hate amazon). Frozen credit, never filed efile(so never had to worry IRS's hack) My passwords are in my head, or hidden. Only one credit card, lives on me when traveling, money belt, cash in shoes. etc. I don't hand out my cell#(or answer unknown #s), don't give doctors my SS#, some are still asking for it on forms? (it sits there are all "help" to get at down the road). I'm on Medicare now, no need. So many use on "stuff" that can/does get hacked all the time.

[DT6]

I'll second what George is saying - get a good password manager app. I spent some time coordinating some cyber security training the last couple of years I was in the Pentagon and the experts recommended three things:

1. Use a Password Manager
2. Create a separate email account for your on-line banking, and ONLY use that account for your bank and nothing else.
3. Stay away from FaceBook.

After I started working with these guys, it did not take me long to just want to go home and unplug everything and hide under the bed. Maybe a bit dramatic, but the idea is that it is really a lot worse out there in terms of cyber security than we realize.

I personally use LastPass, and it syncs well with all of our devices so when you create a password and account on one device, it gets shared to your other devices.

[Mike Lewis]

My computer security training was in the late 1980s and it involved enterprise-level systems, but some of the principles still apply to us. One thing we were taught was that data logging is good, but sooner or later the logs have to be read by a human.

How this applies to us is that you need to monitor your financial accounts to make sure everything is right. Don't ignore them for weeks on end. This is a rough analogy to data logging but I think it holds.

[Centex]

For the security experts: Curious to know your thoughts on using the "save username / password' capability built into most browsers?

I never used that with the Edge browser on my windows machine, but admit it's tempting on the MacBook/Safari browser I now use where touching the fingerprint reader (or entering the machine password) is required on a per-site basis for that to work.

My assumption has been that the data files on the computer supporting that feature are well-encrypted, but a motivated bad actor could breech that if they get hold of the machine (or maybe even remotely??).

Yeah, data risk management, an ever-moving target it seems, with few if any absolute guarantees.

[Mike Lewis]

Quote:

Originally Posted by Centex

For the security experts: Curious to know your thoughts on using the "save username / password' capability built into most browsers?

This is what I was referring to in Firefox's password generator. It will accept your username and generate a string of bytes for a password, which it stores in an encrypted form. I use it on everyday stuff but I haven't been able to bring myself to use it on sensitive sites like banks. But I could be overly cautious.

Quote:

Yeah, data risk management, an ever-moving target it seems, with few if any absolute guarantees.

This is why accounts need to be monitored by the user.

[MyronL]

Last week I got an email from a "person" claiming to have approved my "purchase" of the latest new Norton software. Said they would be charging me $499.00 and all I had to do was click on a provided hot link. Total bogus of course but the point is your first impulse, after a momentary freak-out, is to try and deny it all to them. Of course, that's all they want you to do, and then they got you.
Only safe solution is to ignore temptation and immediately delete the email.

[rbryan4]

Quote:

Originally Posted by Fender

I've been wondering about this service. Haven't there been issues though with the password manager being hacked?

The master password for your typical password manager is very long and complex. A dictionary attack won't work, nor will a brute force. If you go at it with a random hash generator, it'd likely take many years to hit the correct combination, if at all. And, if you want to set up a password manager correctly, you also would enable multi-factor authentication. Even if the password was somehow hacked, without the multifactor auth from the legitimate user's phone, etc, the login would fail.

Hackers don't usually waste their time with that. They go for the much softer targets. The sad truth is that most people have very bad cybersecurity habits that make bad actors jobs much easier. Or I guess you could say it's a happy truth in my case - since it keeps me gainfully employed.

[UncleTim]

Quote:

Originally Posted by Fender

I've been wondering about this service. Haven't there been issues though with the password manager being hacked?

Yes, everything out on the net can be hacked.

I have been using these programs for well over 30 years. Absolutely essential.

Do not use one that puts your data in the cloud. Keep it only on your desktop. Use programs that use 256 bit encryption at least.

I have 20 years worth of client data on these programs. Not one problem in all those years. It's the safest place to store data on your pc.

[DT6]

Quote:

Originally Posted by Centex

For the security experts: Curious to know your thoughts on using the "save username / password' capability built into most browsers?

I never used that with the Edge browser on my windows machine, but admit it's tempting on the MacBook/Safari browser I now use where touching the fingerprint reader (or entering the machine password) is required on a per-site basis for that to work.

My assumption has been that the data files on the computer supporting that feature are well-encrypted, but a motivated bad actor could breech that if they get hold of the machine (or maybe even remotely??).

Yeah, data risk management, an ever-moving target it seems, with few if any absolute guarantees.

You can use Safari to store your passwords, just like a password manager and it is secure. I use LastPass and I also store passwords on Safari. At least that was the advice I received from the Cyber team at GerogiaTech the last time I spoke with them before I retired 4 years ago.

Also, I have some difficulty with the one comment about keeping your data off the cloud. Just about the time I retired we were working on a Cloud contract for DOD with Amazon or Microsoft. The CIA has been using the Cloud for years to store data.

The only way to stay completely safe is to unplug your computer from the internet. But then you would not be able to participate in great Forums like this one!

[MVA]

I have been reading this thread and decided to comment on a couple of thoughts. First premise is assuming your DOB and SS# are fully obtainable; they are. From that data someone can open accounts, potentially obtain access to your bank, etc. This is true even if you don't use Amazon, online purchases, etc. In addition, using smaller online companies in the hope that you are less of a target is a concern since a small business does not have the resources to have a robust computer security system; my dentist was hacked! My recommendations (YMMV):

- Use password length of 16.
- Assume your personal information is "out there". Lock down your credit with the three bureaus (it is free) and use 2FA. You will not be able to open new credit without unlocking your credit bureau account, but no one else will also.
- Use 2FA everywhere you can on all accounts. When possible, use 2FA with a code generator (like Google Authenticator) not your phone number or email. Phone numbers are easily compromised with a copy of your SIM card and your email can also be compromised.
- Lock down your SS account (for USA members). Setup account with password and use 2FA.
- Use Informed Delivery for USPS (for USA members). It is free and you will know what 1st class mail is expected to be delivered in case it is intercepted.
- Have your financial institutions send you a notification (text, email) anytime the account is accessed.
- No free "fun" apps, no free VPNs, etc., on your phone.
- Don't trust browsers to store passwords. Another treasure trove for theft.

2 cents

[cpaharley2008]

I have already had my identity stolen and have ID theft insurance in place. What a shame we have to pay to protect our privacy.....

[MVA]

Quote:

Originally Posted by cpaharley2008

I have already had my identity stolen and have ID theft insurance in place. What a shame we have to pay to protect our privacy.....

That is terrible. Did you lock down your credit with the three bureaus or did you rely on the ID theft insurance to do so? Many times, these ID theft companies just monitor if credit is opened in your name.