
Beware of EBAY and PAYPAL!


mac11irl


....and pray, please do tell just HOW exactly you are supposed to remember that without actually writing it down?

and what exactly is the problem with writing down a password on a bit of paper? Unless your bit of paper's connected to the internet, it's unhackable to the nth :)


I'm now retired, but when working, we used our current account for cash/debit card in known safe locations, and we operated a savings account. I worked at odd hours and in odd locations, and if I wanted cash, I'd use telephone banking to transfer say £10 to the savings account, then withdraw that from the savings account, leaving only pence in the savings account. Reason: I never felt comfortable using an ATM in strange places, so if my savings card was cloned there'd be zilch in it, for any more than a few minutes, for anyone to get at, and sums like £10 wouldn't make anyone rich. These days we work in reverse. All income is fed to the savings account, where it's drawn out at trusted locations. If I use PayPal or a debit card, I transfer from the savings account to the current account as needed, so little cash is available for any length of time in the current account, and as the debit card is Visa, I'll also get a request to Verify by Visa using digits from a nine-character alphanumeric password, with few chances of mistake before the password is cancelled. I've done it once and it's a pain (but security efficient) to reset the password. All trusted websites have bank security scan software enabled to protect information on those sites.

With eBay and PayPal, I use separate email accounts with different passwords for both. Passwords are stored on a flash drive, with a backup on a HDD which sits out of the PC, and either is only connected when offline.


and what exactly is the problem with writing down a password on a bit of paper? Unless your bit of paper's connected to the internet, it's unhackable to the nth :)

Precisely.

In a multi-user environment such as an office where the piece of paper can easily be compromised (and no, sellotaping it to the underside of a locked desk drawer does not constitute secure storage) it's obviously not acceptable, but at home?

Who is going to access it - if you are concerned about SWMBO or you kids finding it out I suggest you have far greater issues in your life than remembering passwords.

Oh, and don't write it on a bit of paper and keep it in your wallet with your PIN codes.


The only problem I've had with PayPal is they kept locking the account whilst I was doing research into a tablet from either HK or USA and because I was checking which would provide me with the best price/deal (It was HK), it thought I was a fraudster so locked the account and it did this not once, but twice.

 

That was to say the least irritating as it meant having to phone them twice to get my account reactivated, but in a way I was quite glad that the computers thought I was up to no good & locked it, because I now know that the account's being monitored.


In general a longer password is better than a shorter one. A reasonable way is to use password manager software. You have to be diligent in backing up your hard drives though! As you no longer know the passwords it would be just a tad inconvenient if your PC died and you lost the lot.


In general a longer password is better than a shorter one. A reasonable way is to use password manager software. You have to be diligent in backing up your hard drives though! As you no longer know the passwords it would be just a tad inconvenient if your PC died and you lost the lot.

 

Ensure your primary email address is secured to the hilt - that way it's only a time inconvenience to reset all your passwords by sending reset codes to your email address.  Needless to say you should back up anyway.

 

It's stupid - and getting worse.. At work I asked if I could use a password safe for all the passwords as email, paper, notepad.exe wasn't classed as secure (even though I needed my login credentials to get to 66% of them).  This was denied as anyone seeing me type my keysafe password, would have access to all the passwords.

 

As a result, the only way I can remember them is to set all my passwords to the same one - which is even more insecure but follows protocols - Bloody stupid if you ask me..  With a password change enforced every month, EVERYONE (and I do mean everyone) just adds a number to the end of it.  So if it's known now - it will be known in 3 months time..

 

But - this is enforced policy so we have to deal with it - I somehow have to remember about 30 completely random usernames and passwords.

 

 

On a personal note.. Passwords can be memorable - You need to find a long enough key and use this for all your passwords..

 

To that key you add something unique to that to application..

 

e.g.

 

Unique key = QW£RTY$

 

Website = Briskoda

 

Use the first 3 every other character from the site (b i k) and prepend this to the key = gives you bikQW£RTY$

 

Now take some random characters from your username and stick them on the end (Hotrod using the same every other letter would give you H t o)

 

Appending these onto the end gives you bikQW£RTY$Hto, which is 13 characters in length (more than the 8 which is considered secure). It's pretty random, and consists of uppercase, lowercase and symbols.

 

So your Gmail account (assuming your email address is [email protected]) would be galQW£RTY$fe.

 

If you have differing levels of key - I have about 5 from Internet banking (Level 1) down to websites I don't care if someone hacks (Level 5).  Level 1 are about 20+ characters in length down to about 8 for low level passwords.

 

If you want to be really secure - you can check out how long it will take to break a password at https://howsecureismypassword.net/

 

My banking password will take 7 Septillion years to crack.

 

Crap - better change my password now  :giggle:

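The derivation rule described in that post, implemented as an added example (not the poster's code) so the steps can be checked against the worked values. The lower-casing of the site letters and the cased username letters are inferred from the examples given; the key, site and username values are the post's own.

```python
"""Added example: the site/username/key password derivation rule from the post above."""


def every_other(text: str, count: int) -> str:
    """Take every other character from the start of text, keeping the first `count`."""
    return text[::2][:count]


def derive_password(site: str, username: str, key: str, count: int = 3) -> str:
    """Prepend the site fragment (lower-cased, as in 'bik' and 'gal') and append the
    username fragment (case kept, as in 'Hto') to the shared key."""
    prefix = every_other(site, count).lower()
    suffix = every_other(username, count)
    return prefix + key + suffix


def derive_for_sites(sites, username: str, key: str) -> dict:
    """Derive one password per site, all from the same key and username."""
    return {site: derive_password(site, username, key) for site in sites}


def describe(password: str) -> dict:
    """Length and character classes, the properties the post counts as strength."""
    return {
        "length": len(password),
        "upper": any(c.isupper() for c in password),
        "lower": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }


if __name__ == "__main__":
    # Values from the post: key QW£RTY$, site Briskoda, username Hotrod
    for site, pw in derive_for_sites(["Briskoda", "Gmail"], "Hotrod", "QW£RTY$").items():
        print(site, pw, describe(pw))
```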

1 month later...

Hello fellows, not an Octavia problem, but.....

 

Just to spread the word, I spent an hour on the phone to my bank, and PayPal earlier,

after noticing my online banking had a very high value of pending transactions.

Turns out my card details and/or PayPal account was hacked, and some turd bought 2 laptops with my money online and delivered in London.

 

PayPal are sorting it and refunding the money, but I learned after that chat about the "Heartbleed" attack on server systems.

Through an article on it I found this link to test for vulnerability:

 

http://filippo.io/Heartbleed/#www.paypal.com

 

As you can see from my test content PayPal is vulnerable, and apparently eBay may not be fully sorted yet either....

 

So, after burning my cards and reporting them stolen, once I'm refunded, I think PayPal shall be going bye bye...

 

Worth using this to check out any other sites you use, and check your PayPal accounts.

The laptops were bought on Monday and yesterday, but weren't on my PayPal transaction history,

though the company could find them on their system.

Thanks for the heads up, **** thing to happen to anyone.


The good thing is PayPal and your bank do know someone has compromised your account and are willing to reimburse you. This is the same for all online banking or no one would ever trade over the internet. Buying over the phone using a bank/credit card is just as insecure, as you are divulging your card number & 3-digit secure numbers.


We advise people to write down their passwords.

 

With a few caveats.

 

  1. Don't write down the whole thing, miss out a known character
  2. Put it in your wallet not on the desk
  3. Don't write the username or function with the password

 

It's not practical to remember the quantity of passwords and pass codes needed now.

To get into my credit card online account I need to have 3 separate codes.

 

2 Factor is the way to go in the future but that costs money so the banks and merchants don't want to do it.

Edited by Aspman

Well, it took a good bit longer than they said it would, but PayPal did eventually refund both purchases into my bank account,

and I got my new cards from the bank.

Something I wasn't really aware of though, is that one shouldn't use debit cards for online purchases,

that credit cards are better, as the credit card is fully insured by the card issuer.

so if it is compromised, or your goods fail to be delivered, or even your wedding venue burns down,

the credit card company will refund you through their insurance.

Not the case with debit cards....


Any password can be cracked using brute force. This method basically tries all names and commonly used words first (which is why it's best not to use these)

and then it tries to go alphanumerically through the entire range of possible outcomes. Clearly, using this approach, the number of characters incrementally impacts the duration it takes for a BF method keygen to guess the password. This is why for years the American military prevented Intel from releasing the fastest processors for public consumption; it was believed that this would inhibit the ability of rogue states to crack military passwords and encryption.

However, with the advent of quantum computing, which works at a sub-atomic level, super-cooled so it can run at incomprehensible speeds compared to conventional processors, all passwords are now irrelevant. You could get a 32-character password, which most people can't remember, cracked in less than 48 hours theoretically, so what's the point? In the future we will need some sort of cypher algorithm that looks at a person's DNA data and encrypts it, so you might have to provide a spit sample to log into your computer (watch this space). It's not as far-fetched as you may think. In fact I might patent the idea. Although technically I typed it on a public forum so I now hold the rights to its intellectual property lol.


I've posted this before but thought it might fit in here:

Creating a password.

Cabbage

Sorry the password must be more than 8 characters.

boiled cabbage

Sorry the password must contain one numerical character.

1 boiled cabbage

Sorry the password cannot have blank spaces.

50bloodyboiledcabbage

Sorry the password must contain at least one upper case character.

50BLOODYboiledcabbages

 

NowIAmGettingReally****edOff50BloodyBoiledCabbagesStuckWhereYouWon'tLikeItIfYouDontGimmeAccessNow

Sorry that password is already in use.

 

Or: you will need to change your password every 30 days and you cannot use any past passwords.


Any password can be cracked using brute force. This method basically tries all names and commonly used words first (which is why it's best not to use these)

and then it tries to go alphanumerically through the entire range of possible outcomes. Clearly, using this approach, the number of characters incrementally impacts the duration it takes for a BF method keygen to guess the password. This is why for years the American military prevented Intel from releasing the fastest processors for public consumption; it was believed that this would inhibit the ability of rogue states to crack military passwords and encryption.

However, with the advent of quantum computing, which works at a sub-atomic level, super-cooled so it can run at incomprehensible speeds compared to conventional processors, all passwords are now irrelevant. You could get a 32-character password, which most people can't remember, cracked in less than 48 hours theoretically, so what's the point? In the future we will need some sort of cypher algorithm that looks at a person's DNA data and encrypts it, so you might have to provide a spit sample to log into your computer (watch this space). It's not as far-fetched as you may think. In fact I might patent the idea. Although technically I typed it on a public forum so I now hold the rights to its intellectual property lol.

You can't endlessly try different passwords to access an account; there must be a limit to the number of attempts.


It would/should flag alerts if a lot of attempts are made on one or multiple accounts from the same location or at a similar time.

Most of the time though, pro hackers have accounts with major sites, so they get a password dump and crack the encryption until their own details show correctly, which then gives the whole list.

Most will then sell this on rather than use themselves.


There's a surprise.

 

Public official announcement about security flaws/breach, followed by loads of e-mails (with convenient embedded return clickies to phoney web sites), claiming to be from eBay and PayPal, informing/inspiring me on anything from "Your account has been limited" to please "Re-set your password".

 

Best responded to with one of the following:-

 

"From site maintenance: There's a water leak in the toilet block of People's Liberation Army, building No 1, Shenzhen. Please immediately turn off all electricity . . . til further notice".

 

"Urgent: Investment opportunity in Eastern European donkeys"

 

 

Nick

Edited by Clunkclick

Always suspected Fleabay was a bit risky on the security front, so had used a PW there that was totally different to those I use in other more critical places. Out of interest, my BriSkoda PW is similarly unique to that login. Not that I don't trust you guys, just that experience says forums are ripe places to attract hackers. (I used to belong to a Renault Scenic forum that got seriously swamped by spammers and had to close down as a result.)

 

More interestingly, using Fleabay over the w/e, they had a temporary login requirement to change your PW and a banner page headline, exhorting the same. Isn't that a bit "closing the stable door after the horse has bolted" though?  Wouldn't hackers be trying to use your Fleabay PW on other sites by now?  Suppose it might stop them logging into Fleabay as you? 

 

Hope PayPal is a bit more difficult for them? Or is that equally risky?

 

The one that worries me is Google - as they force you to have one PW for all accounts and areas of logins. Gmail, Google itself, etc.

 

Anyone in here have experience of RoboForm as a PW remembering and generating overlay?

 

Cheers    

Edited by FlintstoneR1

You can't endlessly try different passwords to access an account; there must be a limit to the number of attempts.

 

No, usually if the site is coded properly you can't bang on the door endlessly. So you do something more sophisticated to intercept the passwords, or you hack the company through email and gain access to the whole database.

 

If you've got that even if it is encrypted (and they're often not) you can take your leisure at breaking it.

 

There is a technique using something called rainbow tables, which compares pre-encrypted passwords against the database. The same password will always encrypt to the same hash (using the same method), so rather than trying to do the difficult job of guessing which password you have, instead, in advance, you create every password up to a length (say up to 10 characters), encrypt them, then just do a simple comparison of the unknowns against your list of knowns. Each match will give you the real password.

 

Offload this onto a really fast graphics card (yup, they're reprogrammable for other tasks now and are much faster than your general purpose CPU) or even rent computing power in the cloud.

 

A CPU can do ALL 8 character passwords in 195 years, a GPU can do it in 3.4 days (2011 figures).

 

The guys that cracked the Playstation network rented processing power from Amazon's EC2 cloud to do it.

 

Never assume the hackers are spotty faced yoofs. The ones defacing websites and doing hacktivism probably are but the guys going for cold hard cash are sophisticated, intelligent professionals.

Edited by Aspman
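The precomputed-table comparison Aspman describes, as an added example (not the poster's code): a constructed wordlist is hashed once into a lookup table, matched against constructed unsalted hashes, and then against the same passwords stored with a per-record salt, where the same table no longer matches. SHA-256 stands in for the site's hash function, and the brute-force timing helper uses the 8-character/keyspace idea from the post with an assumed guess rate.

```python
"""Added example: precomputed hash lookup against unsalted and salted stores."""
import hashlib
import os


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed wordlist standing in for "every password up to N characters"
WORDLIST = ["password", "cabbage", "letmein", "Hotrod1", "briskoda", "qwerty"]


def build_lookup(words) -> dict:
    """The precomputed table: hash -> plaintext, built once and reused for every dump."""
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(leaked_hashes, lookup: dict) -> dict:
    """Plain comparison: any leaked hash present in the table is recovered at once."""
    return {h: lookup[h] for h in leaked_hashes if h in lookup}


def store_salted(password: str, salt: bytes = None) -> tuple:
    """Defender side: a random per-record salt is hashed with the password, so the
    same password yields a different hash in every record. A real system should use a
    slow KDF (bcrypt, scrypt, Argon2) rather than bare SHA-256; SHA-256 keeps this
    example dependency-free."""
    salt = salt if salt is not None else os.urandom(16)
    return salt.hex(), sha256_hex(salt + password.encode())


def crack_salted(leaked_records, lookup: dict) -> dict:
    """The same precomputed table against salted records: nothing matches, because
    the table would have to be rebuilt per salt."""
    return {h: lookup[h] for _, h in leaked_records if h in lookup}


def keyspace_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Time to enumerate every password of the given length at a given guess rate."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    table = build_lookup(WORDLIST)
    leaked = [sha256_hex(b"cabbage"), sha256_hex(b"not-in-wordlist")]
    print("unsalted dump:", crack_unsalted(leaked, table))
    print("salted dump:  ", crack_salted([store_salted("cabbage")], table))
    # 8 printable-ASCII characters at an assumed 1e9 guesses/second
    print("8-char keyspace, seconds:", keyspace_seconds(8, 95, 1e9))
```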

Any password can be cracked using brute force. This method basically tries all names and commonly used words first (which is why it's best not to use these)

and then it tries to go alphanumerically through the entire range of possible outcomes. Clearly, using this approach, the number of characters incrementally impacts the duration it takes for a BF method keygen to guess the password. This is why for years the American military prevented Intel from releasing the fastest processors for public consumption; it was believed that this would inhibit the ability of rogue states to crack military passwords and encryption.

However, with the advent of quantum computing, which works at a sub-atomic level, super-cooled so it can run at incomprehensible speeds compared to conventional processors, all passwords are now irrelevant. You could get a 32-character password, which most people can't remember, cracked in less than 48 hours theoretically, so what's the point? In the future we will need some sort of cypher algorithm that looks at a person's DNA data and encrypts it, so you might have to provide a spit sample to log into your computer (watch this space). It's not as far-fetched as you may think. In fact I might patent the idea. Although technically I typed it on a public forum so I now hold the rights to its intellectual property lol.

I'll let you know if the quantum computer actually works for that use case in a few weeks.
