SIGforum
Warning: Watch Your Email Account(s)
April 06, 2020, 06:41 PM
PowerSurge: Thank you, ensigmatic. I just changed mine.
———————————————
The fool hath said in his heart, There is no God. Psalm 14:1
April 06, 2020, 06:47 PM
Lord Vaalic: Some sites want 8 characters max, others 6 to 9, some want special characters and a number, others don't.
Too many to remember them all and my company won't let you use a password manager. So my super secret method is a piece of paper with all my passwords on it.
Don't weep for the stupid, or you will be crying all day
April 06, 2020, 07:01 PM
cjevans: ^^^^ so long as that piece of paper is folded.
And inserted into a book of some dubious history and storyline.
lol.
"We are all born ignorant, but one must work hard to remain stupid." ~ Benjamin Franklin.
"If anyone in this country doesn't minimise their tax, they want their head read, because as a government, you are not spending it that well, that we should be donating extra..." ~ Kerry Packer
SIGForum: the island of reality in an ocean of diarrhoea.
April 06, 2020, 07:06 PM
Lord Vaalic:
quote:
Originally posted by cjevans:
^^^^ so long as that piece of paper is folded.
And inserted into a book of some dubious history and storyline.
lol.
It's written in reverse Klingon with infra red ink and in a secret vault....
Or maybe just sitting on my desk
April 06, 2020, 07:07 PM
dsiets:
quote:
Originally posted by PowerSurge:
Thank you ensigmatic. I just changed mine.
+1
A good reminder as I now take care of a few of my mother's online accounts and they needed some PW updates.
April 06, 2020, 07:12 PM
ensigmatic:
quote:
Originally posted by 12131:
Yeah, I was wondering if average Q like me would know at all. Well, that kind of sucks, because you want to be preventive, not wait until the dam is already breached. Thanks.
You're welcome, but not to worry. Seriously.

Your best defense, again, is having a strong password. Look at it this way:
I know this is going on. Heck, I can watch it in real time if I want. And I'm doing nothing other than monitoring it (*). I don't need to do anything, because my passwords are strong.
Changing an otherwise strong password when you know you're under attack boots nothing. To what would you change it? You have no idea what the attacker's using for a guessing algorithm. You could well change it to something he's just about to try.
quote:
Originally posted by cjevans:
What ensig is saying - if you haven't changed your password of late, now is the time to do so.
Not exactly. What I'm saying is if your password is weak, now is the time to change it to a strong one.
I've had "strong" passwords that were as little as eight characters long, used on services exposed to the Internet for nigh on twenty years, never get cracked. That's in part because brute-forcing passwords by network-connection-after-tediously-slow-network-connection is exceedingly inefficient. (Yes, there's the xkcd example, above. That's an extreme, not impossible, but extreme example.)
(N.B.: I would never consider using such a short password in this day and age.)
quote:
Originally posted by cjevans:
Now is a really a great time to review ...
It is. Ensure your passwords are strong and make sure you're not sharing them on any two or more sites.
(*) Ok, I lied. The one on the Irish network annoyed me so I dumped the entire netblock of 1024 IP addresses into router blocks.

"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
April 06, 2020, 07:46 PM
cjevans: ^^^ all good with the above, thanks ensig!
Apologies, I shouldn't let this thread drift in this direction ... moving the entire Irish IP address allocation is a good step, next a VPN?
April 06, 2020, 09:38 PM
Jim1970: Hello!
Fascinating topic! Another question - sorry I hope it’s ok.
Does using a paid mail service - like proton mail - offer any added security?
Thank you for sharing your knowledge!
Jim
That which doesn't kill you only makes you stronger
April 06, 2020, 11:34 PM
ensigmatic:
quote:
Originally posted by Jim1970:
Hello!
Fascinating topic! Another question - sorry I hope it’s ok.
Does using a paid mail service - like proton mail - offer any added security?
I'm sorry, but I don't know anything about Proton Mail in particular.
In the context of my warning and recommendations: This is pretty much on you, the end-user.
Sure, if Proton Mail's staff is keeping an eye on this kind of thing, and I've no reason to believe they're not, they might take measures to mitigate against the attacks if they deem it necessary.
As I noted: As attacks go: So far this is very low-level stuff. I don't feel it cause for alarm. I only mentioned it because I saw an increase.
quote:
Originally posted by Jim1970:
Thank you for sharing your knowledge!
You're welcome.
Also to the others of you who've extended me thanks: You're likewise welcome.
April 07, 2020, 08:51 AM
V-Tail:
quote:
Originally posted by Lord Vaalic:
my super secret method is a piece of paper with all my passwords on it.
Post-It note, stuck on the side of your monitor.
My hovercraft is full of eels.
April 07, 2020, 04:27 PM
Fenris: I use "password" as my password for all my accounts. It's so simple no one would ever guess it.
God Bless and Protect our Beloved President, Donald John Trump.
April 07, 2020, 05:05 PM
Largefarva:
quote:
Originally posted by Fenris:
I use "password" as my password for all my accounts. It's so simple no one would ever guess it.
Dude, you gotta capitalize the P. Everyone knows that...
April 10, 2020, 10:36 AM
83v45magna: Thanks for posting this thread. I originally read it and planned to select a 'KeyRing' program and start using it. I had done most of the reading I was going to do and settled on LastPass. I just hadn't done it yet.
Last night before going to bed, I checked email and, in the spam folder is one titled:
Your Name: your password
Except it was my name and a password I used extensively 15-20 years ago (yes, multiple sites) and is still present on some forums I don't visit anymore. I didn't open it. But I just installed LastPass and will be adding entries as fast as possible.
Any other actions you would take or advise?
I returned, and saw under the sun, that the race is not to the swift, nor the battle to the strong, neither yet bread to the wise, nor yet riches to men of understanding, nor yet favour to men of skill; but time and chance happeneth to them all. -Ecclesiastes 9:11
...But the king shall rejoice in God; every one that sweareth by Him shall glory, but the mouth of them that speak lies shall be stopped. - Psalm 63:11 [excerpted]
April 10, 2020, 10:49 AM
ensigmatic:
quote:
Originally posted by 83v45magna:
Any other actions you would take or advise?
Yes: Begin using "tagged" (aka: "plussed") email addresses where you can, if your email service provider supports them.
This is where you give on-line vendors and forums such as SF an email address such as "jdoe+something@example.com", where:
"jdoe" is the regular username portion of your email address
"something" is a string unique to that site
"example.com" is your email provider's domain
What modern, Internet-standard email systems do, when receiving email directed to such addresses is strip the "+something" and deliver to the remainder. Thus email sent to "jdoe+something@example.com" will be delivered to "jdoe@example.com".
Doing this has several advantages:
- Bad actors have to guess not only your password, but what you used for an email address
- If an email address is compromised at one site, it's not compromised at all of them
- When you're sent email purporting to be sent from a vendor or site, if it wasn't sent to the tagged address you used there, odds are high it's a spoof
- If you start receiving spam or scam email to that tagged address you know either the site to which you gave it sold or gave away your information, or they were compromised and their database stolen.
- You can whitelist and automatically file email based on the tagged address to which it's sent
N.B.: Some email service providers may not properly support delivery to tagged addresses. Gmail and Apple mail do. The common email server software used by Unix/Linux systems does. Last time I checked, Microsoft did not. Further: Many (broken) on-line order and fulfillment systems will not allow the use of a "+" in an email address.
If in doubt you can test it by having somebody send an email to you using a made up tagged email address.
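The tag handling ensigmatic describes, worked through as an added example (not code from the thread or from any mail provider). It assumes the provider's rules as stated above ("+" separates user from tag, and "+tag" is dropped on delivery) and uses a constructed table of which tag was handed to which site; the site names and tags are made up.

```python
import re
from email.utils import parseaddr

# Assumed provider rule: "+" separates the user part from the tag, and the
# "+tag" is stripped before delivery (as the thread describes).
ADDR_RE = re.compile(r"^([^+@\s]+)(?:\+([^@\s]+))?@([^@\s]+)$")

# Constructed record of which tag was handed to which site.
SITE_TAGS = {"sigforum": "sf", "examplevendor": "ev"}
TAG_SITES = {tag: site for site, tag in SITE_TAGS.items()}

def split_tagged(address):
    """Split 'jdoe+something@example.com' into (user, tag, domain).
    Accepts display-name forms like 'John <jdoe+x@example.com>'; tag is None if absent."""
    _, addr = parseaddr(address)
    m = ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a usable address: {address!r}")
    user, tag, domain = m.groups()
    return user.lower(), tag, domain.lower()

def delivery_address(address):
    """Where a plus-aware server actually delivers: the '+tag' is stripped."""
    user, _tag, domain = split_tagged(address)
    return f"{user}@{domain}"

def classify_inbound(to_header, claimed_site):
    """The thread's spoof heuristic: mail claiming to come from a site should
    arrive at the tag that site was given, and nowhere else."""
    _user, tag, _domain = split_tagged(to_header)
    if tag is None:
        return "untagged"        # sent to the bare address, not via that site's tag
    if tag == SITE_TAGS.get(claimed_site):
        return "matches-site"    # consistent with a genuine mailing from that site
    if tag in TAG_SITES:
        return "tag-mismatch"    # addressed to the tag given to a *different* site
    return "unknown-tag"         # a tag we never handed out

def folder_for(to_header):
    """Auto-filing rule from the thread: route by the tag the mail was sent to,
    which also names the site if that tag starts receiving spam."""
    _user, tag, _domain = split_tagged(to_header)
    return TAG_SITES.get(tag, "inbox") if tag else "inbox"
```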
April 10, 2020, 11:07 AM
83v45magna: Thanks for the quick reply, Ensigmatic.
THAT. Tagged addresses are what I was looking for. I remember reading it in another thread maybe. Thanks for all your help.
I am going through and revisiting (as I am with all sites) any sites that might still use that password and change it/place it in the vault or just delete my accounts from them.
The email I accessed through Gmail but it very likely was POP forwarded from one of two hotmail accounts. Not sure how to see without opening it. I already changed all my different email account passwords to 25 digit random ones generated by the LastPass PW generator. They were the first into my KeyRing.
Ultimately I will delete it, but is there any info I should try to glean from the spam message beforehand?
April 10, 2020, 11:47 AM
ensigmatic:
quote:
Originally posted by 83v45magna:
Thanks for the quick reply, Ensigmatic.
The email I accessed through Gmail but it very likely was POP forwarded from one of two hotmail accounts. Not sure how to see without opening it. ...
Ultimately I will delete it, but is there anything info I should try to glean from the spam message beforehand?
Depends upon what you're using for an email client application. Many of them allow you to see "full email headers" with either a menu option or a hotkey (often Ctrl-H while displaying the email in question.)
What you're looking for are the "Received:" headers, with the last one first, first one last. One-or-more will be added for each server through which the email passed.
Other than that: There's no way to tell.
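Reading the "Received:" chain as ensigmatic describes it, and as henryaz does later in the thread when he checks where a "Netflix" mail really came from, as an added example that is not code from the thread. The raw message is constructed for the demo; every host and address in it is a documentation/test value, not a real sender.

```python
import email
import re
from email.utils import parseaddr

# Constructed message: headers are stored newest-first, so the hop that
# handed the mail to the first server is the LAST Received: line here.
RAW_MESSAGE = b"""\
Received: from mx.example.net (mx.example.net [192.0.2.10])
\tby inbox.example.com with ESMTPS id abc123
\tfor <jdoe+sf@example.com>; Fri, 10 Apr 2020 09:00:03 -0400
Received: from relay.example.org (relay.example.org [198.51.100.7])
\tby mx.example.net with ESMTP id def456; Fri, 10 Apr 2020 09:00:01 -0400
Received: from [203.0.113.5] (unknown [203.0.113.5])
\tby relay.example.org with SMTP; Fri, 10 Apr 2020 08:59:58 -0400
From: "Support" <support@vendor.example>
To: jdoe+sf@example.com
Subject: Your Name: your password

(body omitted)
"""

FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Received: hops in transit order (origin first). Each server prepends
    its own header, so the stored order is reversed to follow the path."""
    msg = email.message_from_bytes(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(value.split())  # unfold continuation lines
        m_from, m_by, m_ip = FROM_RE.match(text), BY_RE.search(text), IP_RE.search(text)
        hops.append({"from": m_from.group(1) if m_from else None,  # host as the peer named itself
                     "ip": m_ip.group(1) if m_ip else None,        # address the receiver saw
                     "by": m_by.group(1) if m_by else None})       # server that added the header
    return hops

def origin_hop(raw):
    """First hop: the machine that handed the mail to a real server. Only hops
    added by servers you trust are reliable; earlier ones can be forged."""
    chain = received_chain(raw)
    return chain[0] if chain else None

def header_from_domain(raw):
    """Domain in the visible From: header, to compare against the origin hop."""
    _, addr = parseaddr(email.message_from_bytes(raw).get("From", ""))
    return addr.rpartition("@")[2].lower() or None
```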
April 10, 2020, 12:33 PM
83v45magna: Yeah it looks like you can't without opening the email when using the Gmail webpage. I don't use Outlook or anything else.
April 10, 2020, 09:38 PM
ensigmatic: Can't help you with that. I never use web mail. Clunky interface and the browser leaves one open to browser bug vulnerabilities via email.
April 11, 2020, 09:00 AM
henryaz: I always use 31 character alpha/numeric/special character passwords, where permitted, because my password manager makes it easy (1Password).
Using Postbox (on a Mac), which is a Thunderbird knockoff, or even TB itself, it is just a keystroke combo to view the actual source content of an email (all headers plus content in the original text form it was transmitted in). Any email I am suspicious of, and which is not obviously spam, I view source to see just where it originated. I get ones occasionally "from" Netflix, Apple, and others that look on the surface to be legitimate, at least from the visible From: and Subject:. Seeing that it comes from a server in .jp, no thanks and I never even open it. I wish other clients made it so easy to view source. On Apple Mail, you actually have to open the email before you can view source, for example.
When in doubt, mumble