
=][= Recent fake emails - notice =][=



For those who may not be aware, there is a round of emails going about making threats and demanding bitcoins (we even have a topic on it). In most cases you can dismiss these threats, as such things are not that uncommon online. For some it's more of an issue, as they're more explicit, with passwords and such.

This is almost certainly a result of this big data breach, which dropped this month. Before anyone asks, there is the possibility that the B&C may have been part of that before I sorted the mongo bits. Some checks I have performed suggest not; there's no way of knowing for sure, but that's how it goes.

So, first of all, don't panic. That's why they come with threats: to try and make you react poorly and make bad decisions. You can check to see if your email has been part of a compromise with this handy link. If your email appears, again, don't panic. With the number of online service providers and such we must sign up for in modern life, it's probably going to happen at some point, so the older your email address is, the greater this chance becomes.

If your email appears (or if it doesn't) you can check compromised passwords here; if your password appears, change it immediately for the site you use it on. It is just one site, right? If not, give yourself a slap, because you're making yourself vulnerable, making the lives of these scammers much easier and, worst of all, making the job harder for people like me.

Never use the same password across multiple accounts unless you don't care about them.

Passwords should always be unique; if that's a pain to manage (and it probably is, unless you're an online hermit) then a password manager is the tool you need. With unique passwords, if one should ever be compromised it's just a matter of recovering that particular account, so even if you do appear in such a leak it's a simple matter to resolve it with the affected site, and all your other accounts are safe. Your email account itself should have a strong password and a backup email account associated with it so you can recover it should the worst happen.

Ordinarily this isn't the sort of thing we cover, but with some discussion on it and the nature of the recent leak we've made this exception. Bad password use and reuse is one of the major problems with online security, and why these cretins are after them. If you need to change your B&C password you can do so from your settings by selecting "Email & Password":


Online security isn't that difficult, so long as you're willing to put up with a few minor inconveniences. For those who will read this and then do nothing (because I know many will), you've only yourself to blame!

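The "check compromised passwords" step in the post above works without ever sending your password anywhere. As an added example (not code from the post or the site), the script below shows the k-anonymity lookup that the Have I Been Pwned "Pwned Passwords" range API uses: hash the password with SHA-1, send only the first five hex characters, and match the remaining 35 characters locally against the list the server returns. The endpoint URL is the real one; the response body embedded here is a constructed sample so the script runs offline.

```python
"""Pwned Passwords range check using k-anonymity.

Added example, not code from the forum post. RANGE_API is the real Have I
Been Pwned "Pwned Passwords" range endpoint. SAMPLE_RESPONSES is a
CONSTRUCTED stand-in for what it returns, so the script runs offline.
Only the first five hex characters of the SHA-1 hash ever leave the
machine; the password and the full hash stay local.
"""
import hashlib
import urllib.request

RANGE_API = "https://api.pwnedpasswords.com/range/"

# Constructed sample for prefix 5BAA6 (a real response has hundreds of
# lines). The first suffix is the genuine SHA-1 suffix of the string
# "password"; the counts are made up. With the "Add-Padding" header the
# real service also returns filler lines with a count of 0.
SAMPLE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "1D2E7BB9E5F0A23B8E2F0C6A1F7D3B9C2E1:2\n"
        "0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:0\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Return (first 5 hex chars, remaining 35 hex chars) of SHA-1(password)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} map."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_fetch(prefix: str) -> str:
    """Stand-in for the network call; serves the constructed sample."""
    return SAMPLE_RESPONSES.get(prefix, "")


def live_fetch(prefix: str) -> str:
    """Real lookup (not used by default so the example runs offline)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=offline_fetch) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = pwned_count(pw)
        print(f"{pw!r}: seen {n} times" if n else f"{pw!r}: not in the sample data")
```

Swap `fetch=live_fetch` into `pwned_count` to query the real service; the only thing that changes on the wire is which five-character prefix is requested.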

I want to repeat how useful password tools like KeePass etc. are.

It lets you create random passwords and saves them (complete with a link to the website you use it on, the username, etc.). That way you can have a complicated and unique password for each of your accounts. KeePass itself can and should be made secure by a separate password. That way you only have to remember one password (the one for KeePass) to get access to all your other passwords. The best part of it is that KeePass is an offline tool, so the data is stored locally only (unless you put it on a Dropbox or similar ... don't!), so as long as you have your device secure your passwords are secure.


My email is in the database, but then again, it's an email address I use to register everywhere where I do my online shopping so it was bound to happen since not too many online companies have top-notch security design.

> I want to repeat how useful password tools like KeePass etc. are.
>
> It lets you create random passwords and saves them (complete with a link to the website you use it on, the username, etc.). That way you can have a complicated and unique password for each of your accounts. KeePass itself can and should be made secure by a separate password. That way you only have to remember one password (the one for KeePass) to get access to all your other passwords. The best part of it is that KeePass is an offline tool, so the data is stored locally only (unless you put it on a Dropbox or similar ... don't!), so as long as you have your device secure your passwords are secure.

Or you can create a random password manually yourself and write it down, it's not that difficult. This way you will eliminate the threat of your master password software being hacked, or that it would send your information to the NSA on a regular basis as a hidden design feature.

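Whether a password manager or a piece of paper holds them, the posts above agree on the requirement: every account gets its own random password. As an added example (not code from any poster), the script below generates passwords and diceware-style passphrases with a cryptographically secure generator and reports how many bits of entropy each choice actually buys, which is what decides how long a leaked hash resists offline guessing. The `WORDLIST` is a tiny constructed stand-in; a real diceware list has 7776 words.

```python
"""Random passwords and passphrases with their entropy.

Added example, not code from the forum thread. Uses `secrets` (a CSPRNG),
never `random`, which is predictable. WORDLIST is a CONSTRUCTED eight-word
stand-in so the file is self-contained; a real diceware list has 7776
words and that is the size used in the entropy figures printed below.
"""
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 85 characters

# Constructed stand-in; far too small for real use (3 bits per word).
WORDLIST = ["anchor", "basalt", "cobalt", "drift", "ember", "falcon", "granite", "harbor"]
DICEWARE_SIZE = 7776


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password; each position is an independent CSPRNG pick."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase: independent uniform picks from the word list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time for an attacker to try every possibility at the given guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Guess rate for a fast hash (e.g. unsalted SHA-1 on a GPU rig) versus a
    # deliberately slow vault KDF; both figures are illustrative assumptions.
    for label, rate in (("fast hash", 1e11), ("slow KDF", 1e5)):
        for desc, bits in (
            ("20-char random password", entropy_bits(20, len(ALPHABET))),
            ("6-word diceware passphrase", entropy_bits(6, DICEWARE_SIZE)),
            ("8-char lowercase password", entropy_bits(8, 26)),
        ):
            print(f"{desc:28s} {bits:6.1f} bits  {label}: {years_to_exhaust(bits, rate):.3g} years")
    print("example password:  ", generate_password())
    print("example passphrase:", generate_passphrase(), "(toy word list; weak)")
```

The 8-character lowercase row is the one that matters for the thread: at about 37.6 bits it falls in seconds against a fast hash, which is why a reused password from one breach opens every other account that shares it.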

Note that the site won't send you a confirmation email when you have completed your password change (see here). However, the site is accepting password changes, so you will be able to sign out and immediately sign in using the new password without a confirmation email, administrator approval, etc.


> Or you can create a random password manually yourself and write it down, it's not that difficult. This way you will eliminate the threat of your master password software being hacked, or that it would send your information to the NSA on a regular basis as a hidden design feature.

If this works for you and is convenient enough, that's cool, and keep doing it. It won't particularly protect you from the three-letter agencies though. They just pull the information directly from the source organisation, off the wire if it's not encrypted, or directly off the device you're using to put the password in if they're interested in you personally.

 

I do use LastPass. The db is stored encrypted, and they never get the master pw to decrypt it; it's always decrypted on your local device, with slow decryption making it infeasible to brute force anything but the shortest master password even should a bad guy get the master db (and LastPass are extremely paranoid about potential breaches). Each new site (and all my old ones) gets a unique long password, and if/when that site gets breached, it gets a new one. I use multiple computers during the day, so using only an offline db would be too impractical, and password sync between browsers is significantly less secure.

 

I've had my email address long enough that it's in 15 leaks on 'have i been pwned', though several of those are in the 'combo' leaks. None of them were any particular concern, as I was able to change the relevant password within hours of being notified, and even if they got into one service because it was laggardly in notifying of the breach, it wouldn't have got them into anything else.

 

More important than that though, I use 2-factor authentication on every single site that matters: my email, and anything with sensitive personal or financial data in it. Strong unique passwords are important, but they only get you so far. 2-factor makes a massive difference in protecting what I care about.

 

It doesn't protect me from three-letter agencies (Snowden showed us how MUCH data they vacuum up, and by how many means), but it means it's strong enough that I don't resort to using a single password repeatedly for convenience, and it protects me from anyone but the most dedicated/well-resourced attacker.

 

Hackers are after your bitcoin; they're after your verified card/bank details. And your email account, to send spam, to get people to cough up the previous. Protect the former with the strongest tools you can, and ignore the spam, and you're about as safe as it's practical to be.


Archived

This topic is now archived and is closed to further replies.
