Time to re-think your online security?

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
Are you someone who uses weak passwords on websites? If so, it's probably time to review your practice.

In recent months there have been attacks and breaches on the likes of Tesco Bank and Yahoo! In the past sites like Adobe and Dropbox have suffered from breaches. Today the National Lottery announced that hackers had accessed the accounts of around 26,500 of its 9.5 million online players. The email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.

Compromises on some websites can cause real issues if passwords have been reused elsewhere. You can see if you have an account on a site that has suffered from a data breach by using this site:

https://haveibeenpwned.com/

BTW that site is completely legitimate and was created by Troy Hunt, a Microsoft Regional Director and Most Valuable Professional awardee for Developer Security, blogger at troyhunt.com, international speaker on web security and the author of many top-rating security courses for web developers on Pluralsight.


So, what do you do about making things more secure? I'll borrow some words used by XenForo who raised this issue due to some of their customers using weak/reused passwords on their own websites that they run, even though they are admins!


Avoid Password Reuse
These days, many account compromises happen through password reuse. Billions of user records have been compromised on a variety of sites and this data is available to anyone who wants to go looking for it. In many of these cases, it's possible to look up a user by username or email and find their plain text password. To give you an idea of the extent of compromised data, try looking up your email on Have I Been Pwned?. If you reuse a password from a compromised site, your account is not secure. Ideally, you would use a unique password on each site.

Use a Strong Password
Coming up with passwords is hard. If you're choosing your own password, chances are it's not going to be that strong. There are techniques to help you generate stronger passwords, but unfortunately, many memorable passwords are simply not strong enough to hold up to password cracking tools (such as would be used when someone downloads a compromised database). Wikipedia has an extensive page discussing password strength: https://en.wikipedia.org/wiki/Password_strength

The strongest passwords are literally random strings. As these are far from memorable, you will need a tool to store (and generate) these passwords. These are known as password managers. With them, you choose one (very strong) master password and then have it generate unique passwords for every site. This means the site only receives a strong password that is unique to it, solving both the strength and reuse issues.

There are a variety of password managers to choose from. A few include:


Enable Two-Step Verification
Whenever you have the option, you should enable two-step verification (also known as two-factor authentication). Should your password ever be compromised (either through a compromised site or something like a keylogger), two-step verification can help keep an attacker from logging into your account.

If possible, you should do two-step verification through your phone using an app such as Authy (or some other hardware-based method). This would generally require an attacker to physically have your phone/your token to complete the two-step verification. Other methods (such as email verification) provide some benefit but are not as safe as using a separate device for verification.

Enforce Protection of High Value Accounts
Your accounts on different sites may have varying levels of "importance" based on the information they protect. You should be absolutely sure that you are taking as many steps as possible to protect high value accounts. Generally speaking, this would include any email account (as password reset mechanisms mean email accounts are master keys) and financial accounts (banks, PayPal, etc).

More specifically though, as forum owners, this includes accounts of your admins, moderators and other staff. These users may have access to functionality that can compromise other users/the entire site or remove whole swathes of data. If they are compromised, you may need to restore from a backup to fully recover. While forcing others to not reuse passwords is difficult, we strongly recommend that you require your forum staff to enable two-step verification on their accounts. This helps mitigate any accidental password reuse issues.



Password Managers are a great solution (@HaloJ and I use one). Several are paid-for options, like 1Password. Others are free, like LastPass (which now syncs across multiple devices at no cost) and KeePass. It's definitely worth considering one of these solutions if you have many passwords - I didn't realise how many website logins I have until I got a password manager and discovered that it's over 100!!

BTW, here on Senior Gamers we offer Two-Step Verification - if you want to use it, you can find it in your account.

So do consider changing your security practices if you are a password re-user or use weak passwords to ensure that you aren't caught out in any existing or future data breaches.
 

Plaxinator

Wino extraordinaire
Staff member
Senior Citizen
Joined
30 Jun 2012
Messages
3,188
Reaction score
2,361
Points
1,790
How do you know that these password safes won't in turn get hacked and ALL your passwords stolen? I don't like the idea of keeping all my eggs in one basket.
 

ColSonders

A.W.O.L.
Senior Citizen
Joined
26 Jun 2012
Messages
2,394
Reaction score
933
Points
1,524
Plaxinator said:
How do you know that these password safes won't in turn get hacked and ALL your passwords stolen? I don't like the idea of keeping all my eggs in one basket.
Seems like an obvious target.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
Plaxinator said:
How do you know that these password safes won't in turn get hacked and ALL your passwords stolen? I don't like the idea of keeping all my eggs in one basket.
That is a very good question and one that you should rightly ask when considering any password management service that stores your passwords online. I asked the exact same question.

Firstly, not all password managers store passwords online. 1Password has a licensed model where you buy the program/app and you don't have to keep anything online, it's all stored on your device (though there is the option to use a cloud service such as Dropbox or iCloud to allow you to sync passwords across devices). KeePass works in a similar fashion.

So what about when the passwords are stored online through 1Password's subscription service, LastPass or using Dropbox or iCloud? Could all your precious data be stolen? It's probably unlikely with the server security set up by services but unfortunately you can never say that it's impossible to steal it (Dropbox did have a data breach this year though it was account details that were taken, not actual data stored in people's Dropbox accounts). Whilst this might sound like it's an issue, it actually isn't. These services use AES-256 encryption and PBKDF2, which ensure that all of your data is secure. This type of encryption hasn't been cracked and is used by the likes of the NSA to secure their data. There's some more information about AES on Wikipedia and 1Password also wrote a nice article about it a few years ago when they moved to AES-256:

Guess why we're moving to 256-bit AES keys

So, your data stored on the cloud, even if stolen, would be fully encrypted and pretty much impossible to crack.

If there is a weak point in a password manager, it's in the master password that a user uses to unlock it. That is why it's important to pick a strong master password (so something like password123 isn't good ;) ). So, how do you choose a good master password?



Whilst a long password with a mix of letters, numbers & symbols is strong, it's hard to remember. Password phrases using random words are much easier to remember and are strong. 1Password wrote a couple of articles about this:

Toward Better Master Passwords
Do a little dance, make a Master Password

Whilst I won't tell you my master password, I will say that it's over 60 characters long (possibly a little long) - hard to crack but easy for me to remember.

Master passwords aren't stored anywhere online, only you have them, so in the unlikely event of a data theft, thieves aren't going to be able to break the encryption, nor are they going to be able to open your data as they don't have the master password.

In addition, LastPass also offers 2 Factor Authentication (2-step verification) for accessing your account. 1Password works slightly differently - with them you get a randomly generated account key. You need the account key as well as your master password to authorise any device that you use and the account key is also used to encrypt your data even further, making the encryption even stronger. You can read more about it here: About the Account Key - 1Password Support


I hope this clarifies things further regarding password managers. I had these same concerns and more before I started using one. I looked at all of this information and more besides before determining that they were a good thing to use and certainly far better than re-using passwords across multiple sites and using weak passwords.
 

Plaxinator

Wino extraordinaire
Staff member
Senior Citizen
Joined
30 Jun 2012
Messages
3,188
Reaction score
2,361
Points
1,790
Might read up on it further. I'm quite bad at using the same password or variation of the same password for sites that I don't keep any particular personal details on (but vary which email I use). If they get "hacked" it'll be annoying but not life altering. Got completely different ones for things like my bank and Paypal etc though.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
Plaxinator said:
Might read up on it further. I'm quite bad at using the same password or variation of the same password for sites that I don't keep any particular personal details on (but vary which email I use). If they get "hacked" it'll be annoying but not life altering. Got completely different ones for things like my bank and Paypal etc though.
I was the same. I had a weak password that I'd use on a certain set of sites. I had another password that I used on shopping type sites. I had a completely different password for my email. My bank account and credit card both have something different still (and they aren't in my password manager at all as I have them memorised). It was the concern that, if one of these passwords was discovered, suddenly a whole bunch of my online accounts could be accessible.

Also when I read up on password strength, it became apparent that the passwords I used weren't as strong as I thought they were. I typically did what many do: choose a word and replace common letters with numbers (e.g. 3 for e, 0 for o etc.) and add a capital letter or two in there for good measure. Sometimes I'd use a symbol too. Strong, I thought, but they weren't anywhere near what I thought. There's a website that is sponsored by Dashlane (another password manager) that will tell you how strong a password is: How Secure Is My Password?. It says that they don't store any passwords tested but just to be safe, don't put in any actual passwords you currently use. Anyway, I have tested some of the passwords that I used to use. Two of them could be cracked in 2 hours! That's just on a typical home computer cracking set-up; on more powerful computers it would be a heck of a lot quicker. With the very strong passwords I now use via my password manager, many would now take 6 Quinquatrigintillion years to crack. I now have a unique password for every login that I have (which as I said, is over 100).

  • The absolute best solution of course is to have long, strong passwords that you memorise. If you have only 5 or 6 passwords, this is entirely possible but not practical if you have many passwords and don't have a photographic memory.
  • The next best solution is to have long, strong passwords that are written down and stored in a safe location. The problem with this is that you can't really carry these around with you (your purse/wallet or handbag/manbag isn't secure) and neither is your house (burglary is always possible) even if you have a safe to put it in (and even then, it becomes less practical when you want to log into various websites)
  • A reasonable compromise is to use a password manager
  • The worst solution is using weak passwords, some of which are re-used across multiple sites

Gizmodo did an article on this a while back which basically says the same thing:

http://gizmodo.com/am-i-an-idiot-for-still-using-a-password-manager-1711673486

Their advice also is to enable 2-factor authentication (2-step verification). Whilst you may not think it's worth enabling it on Senior Gamers (I have, though I am an admin of course) it's certainly worth enabling for important logins such as email and PayPal.


The main thing is, if you are currently using bad practices, do think about what you are doing and what you can do to change it. It's something that you should address sooner rather than later. Cyber thefts are on the increase as we have seen in recent breaches and if anything they will only get worse in the future on systems that aren't secure - effectively Cyber theft is the modern equivalent of bank/shop robbery. It's a wake-up call to websites that don't have good security in place as well as to users who use weak passwords and re-use passwords across multiple sites.
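A worked version of the strength comparison in the post above (and of the random-word passphrase advice from the earlier post), added here and not taken from the thread, the Dashlane checker or any product: it estimates the guess space in bits for a substituted dictionary word, a random-word passphrase and a manager-generated random string, then converts each into an expected cracking time under two assumed guess rates. Dictionary size, word-list size and guess rates are assumptions for illustration, not figures from the thread.

```go
package main

import (
	"fmt"
	"math"
)

// Assumed attacker guess rates (not figures from the thread): an offline cracker
// against a leaked fast unsalted hash, and the same cracker against a PBKDF2-stretched key.
const (
	fastHashGuessesPerSec = 1e10
	pbkdf2GuessesPerSec   = 1e5
)

// substitutedWordBits models the "word with 3-for-e and 0-for-o, a capital and digits on the
// end" style. A cracker walks a dictionary and applies mangling rules, so the guess space is
// dictionary size x 2^substitutable positions x capitalisation choices x 10^trailing digits.
func substitutedWordBits(dictSize, substitutable, capitalChoices, trailingDigits int) float64 {
	return math.Log2(float64(dictSize)) + float64(substitutable) +
		math.Log2(float64(capitalChoices)) + float64(trailingDigits)*math.Log2(10)
}

// passphraseBits models words drawn uniformly at random from a word list the attacker
// is assumed to know, so only the random choice of words counts.
func passphraseBits(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// randomStringBits models a manager-generated string over an alphabet.
func randomStringBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// expectedCrackSeconds: on average the right guess turns up after half the space.
func expectedCrackSeconds(bits, guessesPerSec float64) float64 {
	return math.Exp2(bits-1) / guessesPerSec
}

func humanDuration(s float64) string {
	const day, year = 86400.0, 86400.0 * 365.25
	switch {
	case s < 60:
		return fmt.Sprintf("%.0f seconds", s)
	case s < 3600:
		return fmt.Sprintf("%.1f minutes", s/60)
	case s < day:
		return fmt.Sprintf("%.1f hours", s/3600)
	case s < year:
		return fmt.Sprintf("%.1f days", s/day)
	}
	return fmt.Sprintf("%.3g years", s/year)
}

func main() {
	cases := []struct {
		name string
		bits float64
	}{
		// 9 capitalisation choices = no capital or one of the 8 letter positions
		{"8-letter dictionary word, 3 swaps, 1 capital, 2 digits", substitutedWordBits(100000, 3, 9, 2)},
		{"4 random words from a 7776-word list", passphraseBits(4, 7776)},
		{"16 random printable ASCII characters", randomStringBits(16, 94)},
	}
	for _, c := range cases {
		fmt.Printf("%-55s %6.1f bits | fast hash: %-12s | PBKDF2: %s\n", c.name, c.bits,
			humanDuration(expectedCrackSeconds(c.bits, fastHashGuessesPerSec)),
			humanDuration(expectedCrackSeconds(c.bits, pbkdf2GuessesPerSec)))
	}
}
```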
 

ColSonders

A.W.O.L.
Senior Citizen
Joined
26 Jun 2012
Messages
2,394
Reaction score
933
Points
1,524
Very informative as ever @Martok

I'm another that is lazy, although my passwords aren't particularly weak I do have a tendency to re-use the same ones.

Maybe it's time I stepped up my game and started making properly strong passwords and having unique passwords for everything.

Realistically you only need to be able to remember a small handful of passwords if you have a password manager so it's a good idea for me to catch up with the times.


But then again....refer back to my "lazy" comment
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
ColSonders said:
I'm another that is lazy, although my passwords aren't particularly weak I do have a tendency to re-use the same ones.
It's worth checking either your passwords, or at least something similar to your passwords, on the password checker link in my last post. As I said I thought my passwords were relatively good but seeing some could be cracked in 2 hours on a standard PC set-up (with the right cracking software) was a surprise.

ColSonders said:
Realistically you only need to be able to remember a small handful of passwords if you have a password manager so it's a good idea for me to catch up with the times.
With a password manager you only need to remember your master password, you don't need to remember any others. I don't know any of my 100+ passwords. I only remember my master password. That's why it's important that the master password is strong but easy for you to remember (using something like the system in my earlier post).

I was lazy too. I didn't do anything about it for a couple of years or so. I thought about it, briefly looked at options, then did nothing. It was only with the more recent security breaches with Dropbox and Yahoo! and the post on XenForo (that I quoted from) about password security that I decided to do something about it.
 

ColSonders

A.W.O.L.
Senior Citizen
Joined
26 Jun 2012
Messages
2,394
Reaction score
933
Points
1,524
You'd need a couple of other passwords that you can actually remember though, as you say, for banking.....I would also require something I can remember on the playstation store too.....and my passwords at work....which are easily crackable as I use a single word with the obvious numerical substitutions, a capital letter and a couple of numbers on the end....not that I care about my work stuff.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
ColSonders said:
You'd need a couple of other passwords that you can actually remember though, as you say, for banking.....I would also require something I can remember on the playstation store too.....and my passwords at work....which are easily crackable as I use a single word with the obvious numerical substitutions, a capital letter and a couple of numbers on the end....not that I care about my work stuff.
True. I do have ones for bank & credit card (which also use 2FA) that I have memorised through using so often. Currently my PS Store one is memorised but I may change it to make it stronger. With the password manager I use, I can generate passwords that are made up of several words. This makes them strong (see the cartoon strip from my earlier post) but also easy to type, so I could look them up in my password manager and then type them into the PS Store on the PS4. For occasions when you can't use your password manager to autofill the login for you (as all of these can do) then these 'password phrases' of words are useful rather than a long password of random letters/numbers/symbols. When you can use the password manager to autofill (which can be done on all devices you can install the program/app on) then the random character password is fine to use.
 

HERMAN_JELMET

Meatbag
Staff member
Senior Citizen
Joined
29 Jun 2012
Messages
2,824
Reaction score
1,856
Points
1,650
I tend to use long random words, sometimes plural, and then 4 digits at the end. I have all of my passwords archived in Google Keep, and a premium AVG antivirus subscription on my phone which comes with anti-theft; I have the ability to password protect every app on my phone if I wish.
I also use logdog on my devices which scans my facebook, twitter Google etc for unrecognised account logins.
After reading @Martok's post I installed LastPass but not really sure how to use it.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
@HERMAN_JELMET your system for passwords is better than some, though depending on the words used and their length (if you're only using 1 word in a password) they can still be cracked. The security of Google Keep is going to very much depend on the strength of your Google account password and of course whether or not someone could get access to your device (phone or even logged-in PC). You do have a measure of security though depending on these factors.

If you have LastPass, then you should install the browser extension on your desktop devices and install the app on your phone. Once you have done this, you will be able to save logins to LastPass for the sites that you use and also use these logins to log into sites from your devices. Once you change passwords on sites (and save the changes in LastPass) which you can do with the random password generator that LastPass provides, you'll still be able to use these logins (with much stronger passwords) to log in to sites on all of your devices. I'd also recommend that you look at enabling 2 factor authentication in LastPass for extra security for your LastPass account.

I did trial LastPass but decided to go with 1Password. I do have a reasonable knowledge of LastPass though from my trial so if you have any questions, do let me know. :)
 

HERMAN_JELMET

Meatbag
Staff member
Senior Citizen
Joined
29 Jun 2012
Messages
2,824
Reaction score
1,856
Points
1,650
I installed LastPass on my phone last night, opened the Facebook app, pulled down the notifications on my phone and used LastPass to save the site, but not sure what it does or if it's right.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
There's a full guide about LastPass here:

User Manual

and here's the section specifically for Android:

Android | User Manual

If you've saved the login details in LastPass (you can check if you open the LastPass app) then the next time you need to log into the app, you can use the pop-up thingy on the phone (that will have identified that you have matching login details) to autofill your login details and log you in. You'll need to unlock first with your master password before you do this, of course.

You'll need to have a bit of a read of the guide, particularly the setting up of LastPass on your devices (as well as the basics of saving and autofilling) but once you have, it's pretty easy to use.
 

HERMAN_JELMET

Meatbag
Staff member
Senior Citizen
Joined
29 Jun 2012
Messages
2,824
Reaction score
1,856
Points
1,650
Well, LastPass is absolutely horrible! The app works okish but the Chrome extension is horrific. The syncing between the 2 took about an hour.
Since I started using it last night I've been locked out of my Google and Asda accounts.
I've now deleted all traces of LastPass from my life and I'll be going back to the way it was before.
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
HERMAN_JELMET said:
Well, LastPass is absolutely horrible! The app works okish but the Chrome extension is horrific. The syncing between the 2 took about an hour.
Really? I didn't have any problems using it when I trialled it.

As I said, I personally preferred 1Password. It looks a lot better than LastPass, it has an actual program on desktop machines as well as the browser extension, and I prefer the app version (which does require you to switch keyboards temporarily to activate it) as I didn't like the LastPass helper always being there. It is a subscription service so there is a cost involved, but it's not a lot and as they say you get what you pay for.
 

HERMAN_JELMET

Meatbag
Staff member
Senior Citizen
Joined
29 Jun 2012
Messages
2,824
Reaction score
1,856
Points
1,650
May have a look at 1Password.
 

HERMAN_JELMET

Meatbag
Staff member
Senior Citizen
Joined
29 Jun 2012
Messages
2,824
Reaction score
1,856
Points
1,650
That's not one of them the Playstation connects to is it?
 

Martok

Board Game Addict
Staff member
Senior Citizen
Joined
12 Mar 2012
Messages
5,179
Reaction score
3,181
Points
2,630
HERMAN_JELMET said:
That's not one of them the Playstation connects to is it?
There is a PS4 app for Dailymotion and I believe you can broadcast to the service. No idea about direct connection with login, probably not seeing as most others like Facebook, Twitter and YouTube all require their own logins.
 