SUBSIM Radio Room Forums



Old 04-05-21, 05:03 PM   #16
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,495
Downloads: 85
Uploads: 0



Quote:
Originally Posted by Rockstar
I do, but I don't use words found in any dictionary. Just random use of no less than a combination of 12 (more the better) letters, special characters and numbers with a 2FA or two step verification. If your credit/debit cards get compromised it's usually because people just aren't paying attention or save them in an online retailer provided wallet. Rather than attack individuals, hackers will hack through a retailer's security to get your and a lot of others' information. I also shop online but never save credit card numbers as retailers try to convince us 'for your convenience'.


Should add too, my bank allows me to freeze and unfreeze my card between use. I also set up alerts and receive a text every time a card is used for a purchase by me or anyone, very convenient. That and I only browse using HTTPS-only mode helps too.

Well, the gist of this thread has suddenly become relevant to me. I subscribe to a service the USPS offers where they email me a scan of any mail they process for my address; I usually use this to decide if I'll bother to go and retrieve my mail from the mailbox or leave it for a bit, sort of 'if it's junk mail, it can wait'; last Friday, the scan showed a piece of junk mail and a letter from the insurer who administers my Medicare/Medi-Cal health insurance coverage; I thought it was just another of the monthly summaries of what was expended by the plan on my behalf, something which does not normally require me to respond in any way, so I left it there in the box; Saturday, the scan showed no new mail, so I also left the box untouched; yesterday night, Sunday, on the way home, I took the mail from my mailbox, but did not open it; today, I opened what I expected to be the usual monthly summary from the insurance company and found out I was being notified there had been a breach of patient records and that my data was part of the breach; the insurance company stated the breach had been a hack of a third-party service they contracted with to provide interface between the various entities involved in my coverage; so far, it seems the extent of the data is minimal and will not necessarily affect me financially; the insurer also stated they had terminated the third-party service (Duh!!) and offered me one year of cyber-security coverage for free for continued monitoring of any of my other accounts; like not a few of the others on this forum, I also have had a dim view of putting out too much info on websites and also have kept any financial dealings down to a very bare minimum (I don't even have credit cards), so I really doubt I am currently at much risk, but the incident does underscore just how tenuous the security of our data really is and how, even though one might have a degree of confidence in the security efforts of the entities we primarily deal with, we really have little to no knowledge of, or control over, the third-party contractor with whom they do business or with whom they contract and allow to access our data...







<O>
Old 04-06-21, 07:46 AM   #17
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



When OPM got hacked I got a free year of cyber security too. Of course that year ended a long time ago and now I'm paying for it. Since then I've had two credit cards compromised. But thanks to instant bank notifications and the ability to freeze the cards until I need them, the thieves got nothing. However, I think they must have gotten them by breaking into a major retail data bank rather than my computer.

Passwords are important. The people who hacked your information may not have gotten any passwords to break into and immediately see any of your sensitive data. But they may have seen your name and the length of your password. How far they can go depends on the length and complexity of that password.

Back in the day an 8 character password was considered strong and very effective. Not today though. Today's desktop computers with a good hack program can take an 8 character password with upper and lower case letters and crack it by brute force in less than 9 minutes. Add numbers and special characters to it and it only takes them 2.5 hours to hack.

And DO NOT ever ever use dictionary words in a password no matter how long you make them. Hack programs have and search through every imaginable word and variance: Moon*Rocks or M0-0nRock$*, it doesn't matter. Those kinds of passwords will be brute forced instantly.

Today it is mandatory your password is no less than 12 RANDOM characters. Simply using 12 random upper and lower case letters increases the time to brute force to 123 years (390 quintillion probabilities). Add special characters and numbers to it and you increase the time to hack to over 8,500 years (26 sextillion probabilities).


Tighten up those passwords!


I use five 12 to 16 random character passwords comprised of upper, lower case letters, numbers and special characters. I never save them on my PC and I couldn't remember them if I tried, I have to write them down. So as an additional security measure should anyone find the list, I run them together in one long string. Only thing I have to commit to memory is where the breaks are that separate them and what they go to.
__________________
Guardian of the honey and nuts


Let's assume I'm right, it'll save time.

Last edited by Rockstar; 04-06-21 at 11:34 AM.
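
The timing figures in post #17 follow from keyspace arithmetic, shown here as an added example that is not part of the original post. The guessing rate of 10^11 per second and the 74-character mixed alphabet are assumptions chosen because they reproduce the post's numbers; the word-list sizes in the last function are constructed.

```python
import math

# Assumptions (not given in the post), chosen because they reproduce its figures:
GUESSES_PER_SECOND = 1e11   # offline guessing rate
LETTERS = 52                # a-z plus A-Z
FULL = 74                   # letters, 10 digits and an assumed 12 special characters
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Number of distinct random passwords of this length."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def exhaust_seconds(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Time to try every candidate; the average hit comes at half of this."""
    return keyspace(alphabet_size, length) / rate


def mangled_word_candidates(words=20_000, per_word_variants=24, separators=34):
    """Candidates of the form word+separator+word, as in Moon*Rocks.

    All three sizes are constructed: a 20,000-word list, 24 case and
    character-substitution variants per word, 33 separators or none.
    """
    return (words * per_word_variants) ** 2 * separators


def report():
    """Rows of (label, entropy in bits, seconds to exhaust the search space)."""
    rows = []
    for label, size, length in [
        ("8 letters", LETTERS, 8),
        ("8 mixed", FULL, 8),
        ("12 letters", LETTERS, 12),
        ("12 mixed", FULL, 12),
    ]:
        rows.append((label, round(entropy_bits(size, length), 1),
                     exhaust_seconds(size, length)))
    mangled = mangled_word_candidates()
    rows.append(("two mangled words", round(math.log2(mangled), 1),
                 mangled / GUESSES_PER_SECOND))
    return rows


if __name__ == "__main__":
    for label, bits, secs in report():
        print(f"{label:18} {bits:5} bits  {secs:9.3g} s  {secs / SECONDS_PER_YEAR:9.3g} years")
```

Each extra random character multiplies the work by the alphabet size, while a password built from words only multiplies it by the size of the word list and rule set.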
Old 04-06-21, 09:41 AM   #18
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



I forgot, just a few days ago I submitted a SPAM report. That's another thing you need to watch out for and be careful with: a type of hack called Social Engineering. They can be found in emails, message boards or blogs. The hacker posts what looked like everyday spam, a small well written paragraph that made what he was selling look interesting, useful, increasing your curiosity. Made ya want to click on that link to see what it was.


DON'T EVER FALL FOR IT. It could be more than just a spammer trying to sell you something. That link could actually be malicious and lead to a security breach without you ever knowing about it until it's too late.


Instead let the cursor hover over the link to see the entire url first before you click on it. Better yet just ignore it.

Last edited by Rockstar; 04-06-21 at 11:40 AM.
Old 04-06-21, 10:26 AM   #19
Skybird
Soaring
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,456
Downloads: 9
Uploads: 0



Maintain two systems, and never ever mix their content. One simple one with non-Windows and only meant for banking or trusted shopping, very sensible emailing with addresses you never share with just anybody, the other system for surfing, gaming, working, whatever.

I have done so for years.

And never ever have email addresses, emailing, shopping, paying, banking installed on your cellphone. NEVER. Nothing personal on your smartphone. NOTHING except your google account data.

Needless to say: keep your google account empty and tidy, do not use their services requesting you to have GPS and tracking on, personal profiling on, personal data sharing on, cloud computing on, all that beeping, blinking sweet candy-kind of glamour child's play-stuff.

Think of all that as refined white sugar or glucose syrup. It's sweet, it makes many things taste better, it's offered everywhere, all the time, in everything, the temptation is omnipresent. But your health is better off without it. Even more, your health will NEVER EVER benefit from it in any way if you consume it.
__________________
If you feel nuts, consult an expert.
Old 04-06-21, 11:28 AM   #20
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



Think about all the links people post on subsim to confirm our bias. Any one of us could instead post a malicious url. Thankfully most of us have enough problems just trying to figure out how to turn our computers on, let alone hacking one.


But start practicing good security habits, keeping things in mind like Skybird suggests: strong passwords, isolated, neat, and tidy systems, VPNs, 2FA. Know what a malicious address might look like and learn to float the cursor over the link to see the complete url before clicking on it.

I'm pretty sure the 5 Eyes Alliance has the means to see everything anyway. But I use protonmail end to end encryption, Norton anti-virus and VPN to give me an even greater illusion of security against everyone else.

Last edited by Rockstar; 04-06-21 at 11:46 AM.
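
The "hover before you click" check from posts #18 and #20 can be automated for HTML mail or forum posts, shown here as an added example that is not part of the original thread. The sample post and every host name in it are constructed, and the three flags are a starting set, not a complete test.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample post; hosts use reserved example names and a documentation IP.
SAMPLE_POST = """
<p>Thread: <a href="https://forum.example/t/42">https://forum.example/t/42</a></p>
<p>Verify at <a href="http://198.51.100.7/t?id=1">https://www.bank.example/secure</a></p>
<p><a href="https://xn--bnk-qla.example/">Great deal, click here</a></p>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a href=...> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def hostname(url):
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:          # malformed URL, e.g. unbalanced IPv6 brackets
        return ""

def is_ip_literal(host):
    try:
        return bool(ipaddress.ip_address(host))
    except ValueError:
        return False

def review_link(href, text):
    """Return the reasons the real destination deserves a second look."""
    host, flags = hostname(href), []
    if is_ip_literal(host):
        flags.append("ip-address-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode-host")      # internationalised name, may imitate another
    if text.lower().startswith(("http://", "https://")) and hostname(text) != host:
        flags.append("text-shows-different-host")
    return flags

def review_html(html):
    collector = LinkCollector()
    collector.feed(html)
    return {href: review_link(href, text) for href, text in collector.links}
```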
Old 04-12-21, 11:11 PM   #21
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



Anyone heard of or use CylancePROTECT? From what I understand it could be described as a proactive antivirus program, where it detects and prevents virus/malware BEFORE it gets installed on your hardware. Whereas the ones like I use and most others use react to the installation of malware.


Guess it's been around for a few years already but I just ran across it when I saw it was partly funded by In-Q-Tel, which happens to be connected to some high up government mucky mucks and the CIA.

Last edited by Rockstar; 04-12-21 at 11:21 PM.
Old 04-16-21, 11:47 AM   #22
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,495
Downloads: 85
Uploads: 0



A couple of years ago, in the SubSim PC Hardware/Software forum, I posted a link to a free service offered by Firefox for finding out if your particular email address has been compromised in a data breach; you don't have to be a Firefox user to use the service; you simply input your email address(es) and the service scans for any mention of that address in any known data breach(es); I thought reposting the link might be of some use in regards to this topic...


Firefox Monitor:

https://monitor.firefox.com/


This is the link to the underlying service used by Firefox for its Monitor; if you wish, you can go directly to this link and search your address(es); this link does give a bit more detail on the breaches, if any, associated with your email address...


Have I Been Pwned?

https://haveibeenpwned.com/




<O>
Old 04-16-21, 01:33 PM   #23
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



Kewl link, I ran both my emails, proton was good. I do have a gmail account that isn't linked to anything important. About a year ago Google warned BILLIONS of their accounts had been breached. Of course the pwned link showed my gmail account was among them. Doubt they could brute force. I changed strong passwords several times since.


In Google account management you can also see all of your linked devices. If you don't recognize a device on that list, sign it out and delete it and immediately change your password.
Old 04-16-21, 04:26 PM   #24
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,495
Downloads: 85
Uploads: 0



The reason I included the Pwned link was because that link actually gives a bit more detail about any breaches a person may have suffered, including the source of the breach, and the nature/extent of the breach; I had one account that showed up as breached, but it was an account I used as a "scratch" account, one that I would give to sites or correspondents I was unsure of or suspicious of; the account was used mainly for one-offs and as a receptacle for junk emails and the profile used a false name, no phone number (it was required when I first opened the account), no contact info or other personally identifying info; I also made it a practice of deleting any mail I was through with, emptying the trash, and never forwarding out of or into that account from any of my other accounts; so, if some baddie wanted to mine that account for possible leads, all he'd really find is mostly a scant few junk emails that didn't stay around for very long...


[Edit]: I ran my main gmail account through Pwned, and it came back with no breach; I guess I must not have been one of the unfortunate billions who got hit...




<O>
Old 04-16-21, 06:17 PM   #25
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



I tracked down my breach. By the looks of the language on the website used to sell the stolen data they were Russian.


I read the other day the FBI was accessing private computers to remove Hafnium malware. Of course the conspiracy theories and government intrusion accusations take off. But I figure if the FBI has to go in and remove this malware, I'm thinking it must be pretty nasty that even Norton or McAfee isn't able to remove it.

Last edited by Rockstar; 04-16-21 at 06:34 PM.
Old 04-17-21, 12:58 PM   #26
Moonlight
Admiral
 
Join Date: Dec 2010
Location: Fookhall Copse
Posts: 2,124
Downloads: 184
Uploads: 0



That sounds a bit far-fetched to me, how do the FBI know which PC is infected with this malware? And if this tool can remove it why haven't they given it to some of their so-called "trusted partners"?
Old 04-17-21, 01:13 PM   #27
vienna
Navy Seal
 
Join Date: Jun 2005
Location: Anywhere but the here & now...
Posts: 7,495
Downloads: 85
Uploads: 0



Actually, the FBI effort is not aimed at individual PCs, but at selected servers and has been given a go-ahead by a Federal Judge in Texas:


FBI launches operation to remove malware from computers in US --

https://thehill.com/policy/cybersecu...e-on-computers


So, y'all can rest easy: the FBI ain't hacking your PCs and there is little chance they're gonna see your collection of nekkid torpedo pix...




<O>
Old 04-17-21, 04:33 PM   #28
Moonlight
Admiral
 
Join Date: Dec 2010
Location: Fookhall Copse
Posts: 2,124
Downloads: 184
Uploads: 0



Finally, something that is believable.
Old 04-17-21, 06:14 PM   #29
Rockstar
Rear Admiral
 
Join Date: Nov 2002
Location: Zendia Bar & Grill
Posts: 11,811
Downloads: 10
Uploads: 0



Quote:
Originally Posted by vienna
Actually, the FBI effort is not aimed at individual PCs, but at selected servers and has been given a go-ahead by a Federal Judge in Texas:


FBI launches operation to remove malware from computers in US --

https://thehill.com/policy/cybersecu...e-on-computers


So, y'all can rest easy: the FBI ain't hacking your PCs and there is little chance they're gonna see your collection of nekkid torpedo pix...




<O>

No, the FBI isn't hacking your computers, they can, but they're not, really. A web shell gives hackers remote access to PCs which allows them to run arbitrary commands from their secret lair. I'm not exactly sure how it works but the malware got through hacked Microsoft Exchange Servers. The FBI got a warrant which allowed them to run a security program through the server to users' infected computers unbeknownst to the owners. They are attempting to notify the owners of those systems that Kilroy was here.




edit: For Windows, check Control Panel, System and Security, Allow Remote Access. Make sure allow remote access is NOT selected. Might help, if anything, you're now aware of it.

Last edited by Rockstar; 04-17-21 at 06:39 PM.
Old 04-18-21, 07:49 AM   #30
Moonlight
Admiral
 
Join Date: Dec 2010
Location: Fookhall Copse
Posts: 2,124
Downloads: 184
Uploads: 0



^Some of these settings posted above have been moved to the Settings app on my PC; to find that info, go to Settings\Update & Security\For developers and scroll down to the Remote Desktop section.
On the (Change settings to allow remote connections to this computer) click on the blue Show settings tab. On the system properties tab that appears you might decide you don't need any assistance at all so you'll need to uncheck (Allow Remote Assistance connections to this computer), and also check the (Don't allow Remote connections to this computer) one as well and click apply, for the brain dead forum members the last step (click apply) is extremely important.

All times are GMT -5.