
Site passwords & login changes


ColinD

Recommended Posts

Hacks are generally automated (via malware, phishing, etc.)

Once they're into one of your accounts, the username /password combination is added to a list to try on every site they target.

Each hacker has different goals. To get to your financials, to infect associates with malware, to sell on working account details to others to abuse.

Hence Colin's sound advice above

  • Like 1
Link to comment
Share on other sites

That https link still lets me login with my username? Should it?

 

Do I need to update any links in my favourites - because I don't login in everytime I visit.

Link to comment
Share on other sites

  • Administrators

It's ok with username at the moment, but it will change to email only. Wanted to make people aware before flipping it over and having to reply to lots of emails.

 

Login link is the same, once moved over to forced secure it will redirect, so no action required on bookmarks.

  • Like 1
Link to comment
Share on other sites

I've got so many different user/password combinations it makes my head hurt. But I do have some I ONLY use for forums like this one, just to reduce the risk. And then the user/pw combo is unique in each. Even if the same user re-used elsewhere.

 

What's the view on password storage and automated login utilities such as Norton 360 or RoboForm?  Are they any good, or present a greater risk?

 

Fred

Link to comment
Share on other sites

This has just struck a chord in my mind, Colin. I use the same password for more than one site, some more sensitive (financials etc). I guess this makes me vulnerable: if one site were to be hacked, it would be a good assumption by any hacker to try the same password for the email address for webmail too. I think I need to rethink my strategy on passwords.

I know this has no relevance to this thread, so apologies, but I guess your point has worked on me, I need to change the way I think about the Internet..

 

Might I suggest this post gets removed for the user's safety. Only needs a script kiddy with a Skoda to have a crack at getting this account's credentials now it's been confirmed that financials are the same. It's unlikely but possible with a brute force attack and enough time etc. They could even packet sniff the wifi given that they can probably get his location from a photo of the number plate etc. Suggest you change passwords pronto, Pal.

Link to comment
Share on other sites

What's the view on password storage and automated login utilities such as Norton 360 or RoboForm?  Are they any good, or present a greater risk?

As an IT bod with a bit of a privacy/security kick, I use LastPass. HOWEVER! My email password and cloud storage password aren't in there, for exactly the reasons Colin mentioned - they're my two most important, most personal things. Someone could theoretically get access to LastPass and my Briskoda inbox and hurl abuse at Colin and mods leading to a ban, I don't care. They still can't touch my genuinely private stuff, just be a nuisance on about 150 websites.

Having said that, my ability to remember passwords is better than most. My current password is a large string of random text, the sort of stuff that would give xkcd a heart attack because it's not "correct horse battery staple", but equally I'd love to see anyone brute force it...

Link to comment
Share on other sites

Good advice about not using the same password for different sites, bearing in mind Lakeland had their website hacked recently and have warned customers that their details may have been compromised.

Link to comment
Share on other sites

  • Administrators

Black banner will be re-purposed for *new* things. It may disappear, but generally it will remain for the foreseeable future.

 

Facebook logins should still work. The only real issue is sites which block secure pages... (very few really)

Link to comment
Share on other sites

  • Administrators

Yes, the forum software likes to be one or the other. In theory there should not be any issues, it's the same end point server. So no cross domain issues, unless resources are not loading.

 

But for login, which is what I am most concerned over, https should be ok. I expect I'll begin the transition to SSL only in a few days, and email soon afterwards.

Link to comment
Share on other sites

I've got so many different user/password combinations it makes my head hurt. But I do have some I ONLY use for forums like this one, just to reduce the risk. And then the user/pw combo is unique in each. Even if the same user re-used elsewhere.

 

What's the view on password storage and automated login utilities such as Norton 360 or RoboForm?  Are they any good, or present a greater risk?

 

Fred

 

I used to use the same username and one of a selection of about six passwords, but since all the hacks a couple of years ago I got a password manager and started migrating my passwords to use different ones. A change of job meant that I ended up with a shedload more passwords - in which case a password safe became a necessity. There's actually quite a few good ones available, some with a hardware component too. Things to look for are strong encryption on the data (obviously!), ideally coupled with some kind of self-destruct if someone tries to guess the password.

 

Norton (and the McAfee equivalent) don't get high marks in the reviews I've seen, but Roboform, LastPass and KeyPass all seem to do well. Heck, I know someone who uses a plain text file stored on a TrueCrypt container on a USB key. Seems longwinded to me - but he claims that TrueCrypt can have some really nasty encryption (even two factor) and he only needs to plug in the drive and mount it to be able to use his passwords. At home I'm using something called B-Folders, it's not strictly a password safe (it can store other stuff too), but it works very, very well with the combination of Windows, Linux and Android devices that I've got - with the ability to sync the data between two devices. Killer feature of that though is that you can right-click on the (obfuscated) password and it'll copy it into the paste buffer, so a quick Control-V and the password's in - all without revealing it to any sneaky shoulder surfer. Oh, and it'll also auto-generate (strong) passwords for you if you can't be bothered, e.g. "L+M$W7XLTq"

 

Failing that there's stuff like myIDkey and YubiKey. The former is, or rather was, a Kickstarter project and I'd signed on as a Platinum supporter so I've got two of those on order at a special price.

Link to comment
Share on other sites

I used to use the same username and one of a selection of about six passwords, but since all the hacks a couple of years ago I got a password manager and started migrating my passwords to use different ones. A change of job meant that I ended up with a shedload more passwords - in which case a password safe became a necessity. There's actually quite a few good ones available, some with a hardware component too. Things to look for are strong encryption on the data (obviously!), ideally coupled with some kind of self-destruct if someone tries to guess the password.

 

Norton (and the McAfee equivalent) don't get high marks in the reviews I've seen, but Roboform, LastPass and KeyPass all seem to do well. Heck, I know someone who uses a plain text file stored on a TrueCrypt container on a USB key. Seems longwinded to me - but he claims that TrueCrypt can have some really nasty encryption (even two factor) and he only needs to plug in the drive and mount it to be able to use his passwords. At home I'm using something called B-Folders, it's not strictly a password safe (it can store other stuff too), but it works very, very well with the combination of Windows, Linux and Android devices that I've got - with the ability to sync the data between two devices. Killer feature of that though is that you can right-click on the (obfuscated) password and it'll copy it into the paste buffer, so a quick Control-V and the password's in - all without revealing it to any sneaky shoulder surfer. Oh, and it'll also auto-generate (strong) passwords for you if you can't be bothered, e.g. "L+M$W7XLTq"

 

Failing that there's stuff like myIDkey and YubiKey. The former is, or rather was, a Kickstarter project and I'd signed on as a Platinum supporter so I've got two of those on order at a special price.

 

Use IP addresses with two letters on the end ;) works well for me

Link to comment
Share on other sites

Use IP addresses with two letters on the end ;) works well for me

 

In fact! Just thought this - do an nslookup on the site, which gives you the password - then use your normal password.

 

..Before people tell me Hotmail etc uses different IP addresses - I mean for sites like this.

Link to comment
Share on other sites

I use Lastpass to store my passwords (except for my master email account) - but I have an additional strategy to ensure my email is safe.

As I own my own domain name I can have an unlimited number of account names (the bit to the left of the @ sign).

 

So the name that I use to collect my mail (the admin / master account) is never used as a sign on for any online shopping / forum etc.

I use a new email account for each place I sign up to. As those accounts do not have admin access to my email account proper, if anyone cracks the password for that account it's of restricted use to them.

My account here is briskoda@ with a strong 12 character randomised password generated by lastpass.

 

My email is set up to forward anything to the left of the @ to my master email address.

This does have the downside of making me more of a target for spam to random addresses at my domain name, but GMail is pretty good at dealing with all of that, and I rarely get any offers of blue pills in my inbox.

If some less scrupulous sites / disgruntled DB Admins decide to sell on my email address, I can easily block that address without affecting my email account for standard communications.

 

My master password for my email is a phrase - something like, "The registration number of my first car was RHR_633_H" - it's not that, by the way!

Throwing in deliberate spelling misatkes will also help.

Whilst it's a handful to type, it's not something I am likely to forget. I am quite likely to mistype it; I just have to slow down a bit and concentrate.

 

I use a similar type phrase for my LastPass password.

Link to comment
Share on other sites

Use IP addresses with two letters on the end ;) works well for me

 

Why are people dying to give away their personal details? You only have to ping a few banks and try a few letters after the IP and you're in. An alphanumeric 2 digit combination at the end of a known static IP address only has a possible 1296 combinations. It wouldn't take a second to brute force that. Using the method you described is pretty safe, but only if you don't tell people on an open forum about it. It's a bit like having the world's most impregnable safe and then shouting on a megaphone where you hide the key.

Link to comment
Share on other sites

 Alpha Numeric 2 Digit combination at the end of a known Static IP address only has a possible 1296 combinations.

 

I agree with your sentiments but not your assumptions.

Using a full ASCII character set (basically anything you can type on a keyboard) would result in 9216 combinations for a 2bit code. Using 3 bits turns that figure into 884,736 combinations.

4 Digits gives 84,934,656.

 

This is why passwords containing a mix of numeric, upper and lower case chars, symbols and a minimum number of chars are becoming more and more of a requirement, forcing people to create ever stronger passwords.

However as you rightly say, brute force password breakers would still not take too long to crack a code of that length in a laboratory situation.

 

Website users are in a slightly better position as most sites prevent more than a certain number of attempts before they drop out to a password recovery mode.

 

Back in the late 90s I used to develop systems in Lotus Notes; their logon screen feature would double the delay after each failed attempt, so very quickly the wait between password attempts became impossibly long and would deter most automated password cracking systems.

Link to comment
Share on other sites

  • Administrators

Back in the late 90's I used to develop systems in Lotus Notes, their logon screen feature would double the delay after each failed attempt, so very quickly the wait between password attempts became impossibly long and would deter most automated password cracking systems.

 

Small world! Don't suppose you know a bloke called Ray Davies? It's not me. I did some work for Ample in lotus notes... 

 

The last octet(s) of IP is an approach I've seen on a large defense contractor install. Just as the last line, it was a very long string everyone had to memorise, then add the last two octets iirc to the end of the box you were on trying to do something special.

 

Like all of those, once you got the first bit as it was a fixed in stone pattern, albeit a long one, the end part was easy.

Link to comment
Share on other sites
