06-09-2016, 10:17 PM   #81
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by ejman View Post
So, there is another electronic "door" to the account other than the logon I have to use that limits me to 3 tries before shutting down so the limitation doesn't apply and they get to try millions of combinations?
Another electronic door does not exist if there is excellent institutional security. We can only hope for the best and employ best practices ourselves.

I guess all bets are off if there is a cyber war. Individual accounts are pretty well protected as long as there are only a few attacks. But should it get massive ... who knows. Now I'm moving into the paranoid realm.
06-09-2016, 10:21 PM   #82
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 18,264
Quote:
Originally Posted by davef View Post
...
Password Updates - I do not agree that password updates are a myth. Hacking is an algorithm which means that longer and non-patterned passwords take more time to break. And changing them forces a hacker to start all over. Putting time and difficulty on your side is a good idea. ...
I'm not following this. The hacker does not know if I changed it or not. They are trying one after another. I don't see how changing my PW in the middle of their attempt changes the odds at all.

Let's say they are half way through their attempt, they have not hit my PW yet, and I change it. Maybe I changed it to one they already tried - OK, but what are the odds (it probably means I changed it from a complex one to a simpler one)? If they didn't already get it (they would stop anyhow), that means my current PW is either not something they ever will try, or they just didn't hit it yet. So if I change my PW now, odds are it's another one they won't try, or just another one in their algorithm, and they will eventually hit the new one.

I just don't see how changing a PW (assuming equivalent strengths) does anything for me.

-ERD50
06-09-2016, 10:40 PM   #83
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by ERD50 View Post
...

I just don't see how changing a PW (assuming equivalent strengths) does anything for me.

-ERD50
For myself, I agree that having a strong PW is good enough. No need to constantly change it. That would be for the individuals like us who just have bank accounts to protect.

For someone involved in the kind of activities that could be useful to monitor (stealing information but leaving no trace), it is easy to see that frequent PW changes would close the door on the nefarious activity. I'm thinking of limiting corporate espionage, political espionage, etc. But in such an environment they might use biometric methods in addition to PW's? Anyone from the CIA here to tell us?
06-10-2016, 12:14 AM   #84
Thinks s/he gets paid by the post
Join Date: Jul 2014
Location: Chicago
Posts: 4,717
Quote:
Originally Posted by ERD50 View Post
I'm not following this. The hacker does not know if I changed it or not. They are trying one after another. I don't see how changing my PW in the middle of their attempt changes the odds at all.

Let's say they are half way through their attempt, they have not hit my PW yet, and I change it. Maybe I changed it to one they already tried - OK, but what are the odds (it probably means I changed it from a complex one to a simpler one)? If they didn't already get it (they would stop anyhow), that means my current PW is either not something they ever will try, or they just didn't hit it yet. So if I change my PW now, odds are it's another one they won't try, or just another one in their algorithm, and they will eventually hit the new one.

I just don't see how changing a PW (assuming equivalent strengths) does anything for me.

-ERD50
A lot of hacks involve stealing the entire database, all they need is one admin password login and they have millions of users' information.
Now either they want to use it themselves or they sell the database or portions of it on the dark net.
So assuming the database is encrypted (some are not).
The buyer then can run programs against the encrypted passwords to break them.
Once broken they have your login, password, etc...

If you changed your password every 30 days, they would probably never be able to get access to your account as they would always have an old password.
Real life is nobody is going to do this, so it's important to change the password once you hear of a hack (even if the company says the database was not touched).
06-10-2016, 12:21 AM   #85
Thinks s/he gets paid by the post
Join Date: Jul 2014
Location: Chicago
Posts: 4,717
The worst thing is some sites do not encrypt your data, even the passwords.
It would be small sites not banks.

Once I forgot my password and clicked on the "forgot password" link.
The site sent me my password in the email, which means it's not encrypted in any secure way.
Either it was stored as plain text, or they could decrypt it with a key, and you can be sure they use the same key for all accounts, so it was useless as a security effort.
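
Added example, not part of any post in this thread: a minimal Python sketch of password storage under which a site cannot email a password back, the situation post #85 describes. Each user gets a random salt and a slow one-way PBKDF2 hash, and "forgot password" issues a single-use reset token instead. The class name, iteration count and sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 200_000  # assumed work factor for this example; tune for real hardware


def hash_password(password, salt=None):
    """Salted, deliberately slow one-way hash; the password cannot be recovered from it."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


class HashedStore:  # hypothetical account store, not any real site's code
    def __init__(self):
        self.users = {}         # name -> (salt, digest); no plaintext, no site-wide key
        self.reset_tokens = {}  # sha256(token) -> name, so a leaked table holds no usable token

    def register(self, name, password):
        self.users[name] = hash_password(password)

    def login(self, name, password):
        if name not in self.users:
            return False
        salt, digest = self.users[name]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def forgot_password(self, name):
        """The old password is unknown to the site, so mail a one-time reset token instead."""
        if name not in self.users:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[hashlib.sha256(token.encode()).hexdigest()] = name
        return token  # a real deployment would also give the token a short expiry

    def reset(self, token, new_password):
        name = self.reset_tokens.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if name is None:
            return False  # unknown or already-used token
        self.register(name, new_password)
        return True


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "constructed-pass-1")  # constructed sample data
    store.register("bob", "constructed-pass-1")
    print(store.users["alice"][1] != store.users["bob"][1])  # same password, different records
```
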
06-10-2016, 07:19 AM   #86
Thinks s/he gets paid by the post
Join Date: Jul 2007
Posts: 1,452
Quote:
Originally Posted by ERD50 View Post

I just don't see how changing a PW (assuming equivalent strengths) does anything for me.

-ERD50
Hackers have been known to break into a web site database then offer up the list of user names and passwords for sale. I just found out from a monitoring agency that I'm signed up with that my user account (email address) and password showed up on one such list. Who knows if my other user account names are showing up on such lists, they aren't being tracked. Makes me think that having strong unique passwords and changing frequently is worthwhile.
06-10-2016, 10:09 AM   #87
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: May 2005
Location: Lawn chair in Texas
Posts: 12,964
Quote:
Originally Posted by Alan View Post
So, if I start doing lots of weird normal things here then my account has probably been hacked.

My version...
__________________
Have Funds, Will Retire

...not doing anything of true substance...
06-10-2016, 12:00 PM   #88
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 7,885
This thread is very interesting and informative. Seems like the consensus is that an 8 character length password is no longer adequate. Which begs the question, how many characters (in today's world) is considered safe? 10? 12? at least 16? I know the longer the more secure, but if I was to input a randomized password in a smartphone, for example, I'd much rather only enter what is adequately safe and not go to typo hell with a really long password.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
06-10-2016, 12:24 PM   #89
Thinks s/he gets paid by the post
Join Date: Jul 2012
Location: Texas
Posts: 1,132
Quote:
Originally Posted by easysurfer View Post
This thread is very interesting and informative. Seems like the consensus is that an 8 character length password is no longer adequate. Which begs the question, how many characters (in today's world) is considered safe? 10? 12? at least 16? I know the longer the more secure, but if I was to input a randomized password in a smartphone, for example, I'd much rather only enter what is adequately safe and not go to typo hell with a really long password.
I use the maximum length and complexity (symbols, etc) allowed by each site for both user IDs and passwords. I also use Password Safe which has an Android version which I use on my smartphone. So the only password I ever type out (PC or phone) is the global password for the Password Safe application. Inspired by this thread, I increased the global password from 6 characters (with no symbols) to 19. I wanted the max that I could remember and easily type, but still use a complex mix of letters, numbers, and symbols.

As suggested earlier in the thread, there are lots of websites where you can test the strength of your password. I would suggest entering something "similar" to your proposed password rather than the actual. According to the tests I did, 19 is probably overkill. But I'm OK with that.
__________________
Retired at 52 in July 2013. On to better things...
AA: 55% stock, 15% real estate, 27% bonds, 3% cash
WR: 2.0% SI: 2 pensions, some rental income, SS later
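
Added example, not part of any post in this thread: for a randomly generated password, the length question in posts #88 and #89 can be worked out locally in Python rather than on a strength-testing website. The 80-bit target and the guess rate of 10 billion per second are assumptions chosen for illustration, and the arithmetic does not apply to human-chosen passwords, which are far more predictable.

```python
import math
import secrets
import string

# Character pools a site might allow (sizes: 10, 26, 62, 94)
ALPHABETS = {
    "digits": string.digits,
    "lowercase": string.ascii_lowercase,
    "letters+digits": string.ascii_letters + string.digits,
    "printable": string.ascii_letters + string.digits + string.punctuation,
}


def entropy_bits(length, pool_size):
    """Bits of entropy when every character is drawn uniformly at random."""
    return length * math.log2(pool_size)


def min_length(pool_size, target_bits):
    """Shortest random password from this pool that reaches the target strength."""
    return math.ceil(target_bits / math.log2(pool_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try every candidate at a given (assumed) offline guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def length_table(target_bits):
    return {name: min_length(len(chars), target_bits) for name, chars in ALPHABETS.items()}


def generate(alphabet, target_bits):
    """Random password of the minimum length, using the OS cryptographic RNG."""
    n = min_length(len(alphabet), target_bits)
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    TARGET_BITS = 80    # assumed target strength
    GUESS_RATE = 1e10   # assumed guesses per second against a stolen, fast-hashed database
    print(length_table(TARGET_BITS))
    print(round(entropy_bits(8, 94), 1), "bits for 8 random printable characters")
    print(years_to_exhaust(entropy_bits(8, 94), GUESS_RATE), "years to exhaust")
    print(generate(ALPHABETS["printable"], TARGET_BITS))
```
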
06-10-2016, 12:59 PM   #90
Thinks s/he gets paid by the post
Join Date: Jul 2014
Location: Chicago
Posts: 4,717
When a site allows 32 characters, I use all 32.
Naturally I use a password manager so even if it was 200 characters it's no effort for me.
06-10-2016, 01:51 PM   #91
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Jun 2008
Posts: 7,885
Quote:
Originally Posted by Cobra9777 View Post
I use the maximum length and complexity (symbols, etc) allowed by each site for both user IDs and passwords. I also use Password Safe which has an Android version which I use on my smartphone. So the only password I ever type out (PC or phone) is the global password for the Password Safe application. Inspired by this thread, I increased the global password from 6 characters (with no symbols) to 19. I wanted the max that I could remember and easily type, but still use a complex mix of letters, numbers, and symbols.

As suggested earlier in the thread, there are lots of websites where you can test the strength of your password. I would suggest entering something "similar" to your proposed password rather than the actual. According to the tests I did, 19 is probably overkill. But I'm OK with that.
There's no phone app version of the password manager I used on my computer. So, I just keep a few passwords (like for Facebook) on a different password manager on my phone. Some websites look too tiny for me anyhow when viewing by the phone.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
06-10-2016, 02:24 PM   #92
Moderator
Join Date: Jan 2008
Location: Rocky Inlets
Posts: 24,424
I use LastPass and am happy with it. In addition to synching across multiple devices, it is a convenient way to let a trusted family member access my accounts should I become impaired (that is, more impaired).
06-10-2016, 03:03 PM   #93
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Join Date: Sep 2005
Location: Northern IL
Posts: 18,264
Quote:
Originally Posted by Sunset View Post
A lot of hacks involve stealing the entire database, all they need is one admin password login and they have millions of users' information.
Now either they want to use it themselves or they sell the database or portions of it on the dark net.
So assuming the database is encrypted (some are not).
The buyer then can run programs against the encrypted passwords to break them.
Once broken they have your login, password, etc...

If you changed your password every 30 days, they would probably never be able to get access to your account as they would always have an old password.
Real life is nobody is going to do this, so it's important to change the password once you hear of a hack (even if the company says the database was not touched).
OK, but if that's the scenario, then changing even every 30 days won't help, will it? At the point they crack it, they would have an average of 15 days before you changed it on them. Something tells me that once they crack it, someone gets to work on it, they don't let it 'age'.

Now changing after you've been notified of a hack - I agree with that.

So I'm still thinking that "change your password 'often'" is just a feel-good action, with little actual benefit.

-ERD50
06-10-2016, 10:07 PM   #94
Thinks s/he gets paid by the post
Join Date: Jun 2004
Location: E. Wash
Posts: 1,057
Can anyone tell me what level of security is being used when I allow a browser to save my log-in info? Both Firefox and Edge offer every time I need to log-in. For any meaningful website, I have not been willing to allow log-in to be saved in fear of being easily recovered by unauthorized access.
Thanks
Nwsteve
06-11-2016, 06:35 AM   #95
Thinks s/he gets paid by the post
Join Date: May 2014
Location: Utrecht
Posts: 2,211
As far as I know the browser locally encrypts your credentials in a password file.

So it's safe as long as your PC is safe. If your computer gets infected with malware, all bets are off.

I wouldn't use it for important logins.
All times are GMT -6.