Old 01-24-2012, 09:45 AM   #21
Quote:
Originally Posted by Katsmeow View Post
...(snip)...
1. For sites that are non-sensitive (forum log ons, logs on things like the New York Times, etc), for ease of use I do tend to use similar easy to remember passwords (they are easy for me to remember but they aren't things that are easily guessed). I have 2 or 3 of these passwords and I don't use them anywhere that is financially sensitive.
...
I think that even for non-sensitive (non-financial) sites the passwords should be unique. Then if that non-sensitive site is hacked, you can only be affected there.

You can do this by inserting a site specific ID into the "generic" strong password. Example:
1) Say you use the following non-sensitive site password: StGhMn45;;
2) For the New York Times web site your password gets revised to insert the letters "nyt"
3) The new password = StGhnytMn45;;
4) For your Yahoo account the new password would be StGhyahMn45;;
Posted by Lsbcal
Old 01-24-2012, 10:16 AM   #22
Quote:
Originally Posted by Nords View Post
It's surprising how many networks still allow dictionary attacks. You would think that the login module would lock out an IP address after the first 10 attempts.
Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.
Posted by GrayHare
Old 01-24-2012, 10:32 AM   #23
Quote:
Originally Posted by GrayHare View Post
Quote:
Originally Posted by Nords View Post
... You would think that the login module would lock out an IP address after the first 10 attempts.
Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.
That makes sense to me, but I've wondered if this is how the 'bad guys' work?

Seems to me, they are not targeting anyone in particular, they just want to get in anywhere they can. So instead of a netbot hitting my account 1,000,000 times in a row in an attempt to guess my PW, I would think (putting on my 'bad guy' hat), that they would hit 1,000,000 different accounts, and then cycle back through them.

That way, there would not be a lot of activity on any one account, it would look like someone may have just mistyped their logon, and tried to legitimately get into their account. That must happen a zillion times a day.

I'm not fully caffeinated yet, but aren't the odds the same for them? They could even use random passwords if they kept a database of which PW was tried on which account, so they aren't just doing simple ones first. That's not hard at all. Not sure if it is an advantage or not to mix up the PW, but it's easily done.

-ERD50
Posted by ERD50
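The two designs discussed above (GrayHare's per-account timer, Nords's lock-out after ten failures) and the pattern ERD50 describes (one source touching many accounts, a single failure each) can be handled in one login throttle. This is an added example written for this thread, not code from any poster or product; the class name, thresholds and sample addresses are constructed assumptions.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Per-account timer plus per-source counter, with a detector for the
    'many accounts, one try each' pattern that a per-account view misses."""

    def __init__(self, min_gap=2.0, source_limit=10, spray_accounts=20, window=600):
        self.min_gap = min_gap                    # seconds after a failure during which the account rejects everything
        self.source_limit = source_limit          # failures per source (e.g. IP) before it is locked out
        self.spray_accounts = spray_accounts      # distinct accounts failed from one source that count as a spray
        self.window = window                      # seconds of history kept per source
        self.last_fail = {}                       # account -> time of last failed attempt
        self.source_fails = defaultdict(deque)    # source -> timestamps of failures
        self.source_accounts = defaultdict(dict)  # source -> {account: last failure time}

    def _prune(self, source, now):
        q = self.source_fails[source]
        while q and now - q[0] > self.window:
            q.popleft()
        accts = self.source_accounts[source]
        for a in [a for a, t in accts.items() if now - t > self.window]:
            del accts[a]

    def attempt(self, source, account, password_ok, now=None):
        """Return 'allowed', 'denied', 'throttled' or 'locked'.
        A correct password inside the timer window is still rejected (GrayHare's rule)."""
        now = time.time() if now is None else now
        self._prune(source, now)
        if len(self.source_fails[source]) >= self.source_limit:
            return "locked"
        t = self.last_fail.get(account)
        if t is not None and now - t < self.min_gap:
            return "throttled"
        if password_ok:
            return "allowed"
        self.last_fail[account] = now
        self.source_fails[source].append(now)
        self.source_accounts[source][account] = now
        return "denied"

    def is_spraying(self, source):
        """True when one source has failed against many distinct accounts in the window,
        even though each account saw only a single, innocent-looking failure."""
        return len(self.source_accounts[source]) >= self.spray_accounts


if __name__ == "__main__":
    th = LoginThrottle(spray_accounts=5)
    # Constructed traffic: one source, one wrong guess against each of five accounts.
    for i in range(5):
        print(th.attempt("198.51.100.7", f"user{i}", False, now=1000.0 + 3 * i))
    print("spray detected:", th.is_spraying("198.51.100.7"))
```

A per-account counter alone never fires on this traffic; the per-source view is what exposes it, and an attacker spread across many sources needs the same count taken across the whole login fleet.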
Old 01-24-2012, 10:38 AM   #24
This happened to me earlier this month too.

We use myhosting.com to host. Years ago I did consulting, so we created our own domain name; since retiring several years ago we just use it for e-mail. Our individual e-mail passwords and our account password were the same all-digit password (btw, the same that I use for this forum). Myhosting blamed our passwords, and changing that stopped the hack. Humm, I had no idea that the hosting provider may not have done all that it should have to protect our account.
Posted by Brat
Old 01-24-2012, 11:26 AM   #25
On passwords..

I remember two passwords. One for my password keeper and one for my email accounts. All other passwords, I use a random generator by my password keeper to create secure passwords. Also, now even with my user ids, a portion of that is randomly generated for safety.

For me, trying to remember password combinations that are safe is just too taxing on the brain when some require special characters, and some do not, and once you have one in memory, the password may expire.
Posted by easysurfer
Old 01-24-2012, 11:51 AM   #26
Quote:
Originally Posted by easysurfer View Post
On passwords..

I remember two passwords. One for my password keeper and one for my email accounts. All other passwords, I use a random generator by my password keeper to create secure passwords. Also, now even with my user ids, a portion of that is randomly generated for safety.

For me, trying to remember password combinations that are safe is just too taxing on the brain when some require special characters, and some do not, and once you have one in memory, the password may expire.
The thing that has been stopping me from using the password generator is that I don't always want to look at passwords from my home computer. I may log in from my office notebook or from my own notebook when I leave town.

Roboform is nice and I use the one that can be used on one computer. They have a couple of other options. You can get Roboform everywhere which you can use on any computer since the password info is uploaded. DH and I both feel uncomfortable with our passwords being uploaded somewhere although maybe we are being unreasonable.

You can also get Roboform 2Go which lets you put the Roboform data on a USB drive and then you plug that into any computer you use. What I don't like about that (beyond buying a new program) is what if you lose the USB drive? On the other hand, it isn't useful to anyone if they don't have your master password. So...just not sure which way to go on that.
Posted by Katsmeow
Old 01-24-2012, 12:28 PM   #27
Quote:
Originally Posted by Katsmeow View Post
The thing that has been stopping me from using the password generator is that I don't always want to look at passwords from my home computer. I may log in from my office notebook or from my own notebook when I leave town.

Roboform is nice and I use the one that can be used on one computer. They have a couple of other options. You can get Roboform everywhere which you can use on any computer since the password info is uploaded. DH and I both feel uncomfortable with our passwords being uploaded somewhere although maybe we are being unreasonable.

You can also get Roboform 2Go which lets you put the Roboform data on a USB drive and then you plug that into any computer you use. What I don't like about that (beyond buying a new program) is what if you lose the USB drive? On the other hand, it isn't useful to anyone if they don't have your master password. So...just not sure which way to go on that.
I guess either solution is still not ideal. When I travel, I do have to bring my password file (encrypted) on a USB drive, similar to what you describe for Roboform 2Go.
Posted by easysurfer
Old 01-24-2012, 02:19 PM   #28
Quote:
Originally Posted by Nords
... You would think that the login module would lock out an IP address after the first 10 attempts.
Quote:
Agree there should always be some sort of quantity limit. When I've designed password systems, I've generally incorporated a timer such that any password entered within X seconds of a prior failed entry is automatically rejected.
I doubt many, if any, sites are susceptible to direct brute force attacks. They will lock out after a few tries. Dictionary and other brute force attacks are made against encrypted password files in the possession of the attackers. Then the attackers use the decrypted IDs and passwords to log on to the account. The attackers use various methods to compromise the parent server to gain access to the password file.
Posted by donheff
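donheff's point above is that the guessing happens offline against a stolen password file, so the server-side defence is how the file is written: a random per-user salt, so a dictionary cannot be hashed once and checked against every user, and a deliberately slow hash, so each guess costs real work. This is an added example for this thread, not code from any poster or product; the record format, the iteration count and the sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# Work factor: every guess against a stolen record costs this many HMAC-SHA256 rounds.
# Constructed value for the example; raise it as far as login latency allows.
ITERATIONS = 200_000
SALT_BYTES = 16


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Store a password as algorithm$iterations$salt$hash (hex fields) with a fresh random salt.
    Two users with the same password get different records, so a cracked file
    has to be attacked one user at a time rather than all users at once."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and round count; compare in constant time
    so the comparison itself leaks nothing about how many bytes matched."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
        rounds = int(iters)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), rounds)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the record was made with fewer rounds than current policy, so it should be
    rewritten with make_record() at the user's next successful login."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample: the same passphrase stored twice yields two different records.
    a = make_record("correct horse battery staple")
    b = make_record("correct horse battery staple")
    print(a != b, verify("correct horse battery staple", a), verify("wrong guess", b))
```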
Old 01-24-2012, 05:52 PM   #29
Quote:
Originally Posted by easysurfer View Post
I guess either solution is still not ideal. When I travel, I do have to bring my password file (encrypted) on a USB drive, similar to like what you describe for Roboform 2Go.
I've been using Passpack for several years; it's free and can be used just through a web browser. I was initially concerned about the security, but I read up on their encryption strategy and was satisfied it was strong enough. Just for paranoia, I don't store the URLs or actual names of financial institutions. It has a strong random password generator built in as well.

I also put a printout of the access information in our safe deposit box for DH.
Posted by MBAustin
Old 01-24-2012, 09:07 PM   #30
One more piece of software that may be helpful, free from download.com. I have been using KeyScrambler for the last few years. Here's the description of how it works:

"The advanced key-encryption method keeps your keystrokes scrambled and indecipherable while they travel from your keyboard to the destination app."
Posted by Rowdy
Old 01-24-2012, 10:33 PM   #31
I also use KeyScrambler along with software called "SnoopFree Privacy Shield" for an extra measure of security. The first to scramble my keystrokes and the latter to flag any. SnoopFree only works up to XP (not Win 7). I'm not sure about KeyScrambler.
Posted by easysurfer
Old 01-24-2012, 10:33 PM   #32
As usual, XKCD has the answer:
Posted by Nords
Old 01-25-2012, 12:00 PM   #33
Quote:
Originally Posted by Avalon View Post
Might a keylogger show up on a netstat -b run, or am I thinking wrong?
It probably would, yes, if there was a continuous connection. If the upload is at specific times, then you'd have to get lucky to run netstat at the same time as the upload.
Posted by eridanus
Old 01-25-2012, 01:19 PM   #34
Have not used it in several years, but I believe the Zone Alarm firewall could help with this.
Posted by Rustward
Old 01-25-2012, 01:24 PM   #35
Quote:
Originally Posted by eridanus View Post
It probably would, yes, if there was a continuous connection. If the upload is at specific times, then you'd have to get lucky to run netstat at the same time as the upload.
Little Snitch will do this on the Mac - not sure if there is an equivalent for Windows/Linux.

Little Snitch - Wikipedia, the free encyclopedia

Quote:
If an application or process attempts to establish an outgoing internet connection Little Snitch prevents the connection. A dialog is presented which allows one to deny or permit the connection on a one-time or permanent basis. The dialog allows one to restrict the parameters of the connection, restricting it to a specific port, protocol or domain. An integral network monitor allows one to see ongoing traffic in real time with domain names and traffic direction displayed.
-ERD50
Posted by ERD50
Old 01-25-2012, 03:44 PM   #36
Quote:
Originally Posted by ERD50 View Post
Little Snitch will do this on the Mac - not sure if there is an equivalent for Windows/Linux.

Little Snitch - Wikipedia, the free encyclopedia

-ERD50
Yeah, but does any of this prevent a trojan communicating over port 80 (http) or 443 (https)? I think that is how most malware phones home to the mother ship.
Posted by donheff
Old 01-25-2012, 03:47 PM   #37
Quote:
Originally Posted by donheff View Post
Yeah, but does any of this prevent a trojan communicating over port 80 (http) or 443 (https)? I think that is how most malware phones home to the mother ship.
According to ERD50's quote, it does.

Zone Alarm does. By default, no applications are allowed out. You must enable each one. Zone Alarm remembers the settings, and also gives you a "starter set" of known well-behaved applications at install time.
Posted by Rustward
Old 01-25-2012, 03:59 PM   #38
Quote:
Originally Posted by Rustward View Post
According to ERD50's quote, it does.

Zone Alarm does. By default, no applications are allowed out. You must enable each one. Zone Alarm remembers the settings, and also gives you a "starter set" of known well-behaved applications at install time.
I used Zone Alarm many years ago and IIRC you OK outbound connections from your PC on 80 and 443 because you do it all the time. What ZA prevented was communications on other ports, which used to be a problem. But all the bad guys have found nifty tricks to establish two-way communication over port 80. The trojan phones home and picks up its instructions over the permitted/expected return packets at preset high ports. It may be that some of these firewalls can be pretty sophisticated about what apps are going out on port 80 but, if so, the trojan writers would simply mimic Internet Explorer connections. If you are not going to open ports 80 and 443 outbound, why have an Internet connection at all?
Posted by donheff
Old 01-25-2012, 05:46 PM   #39
Quote:
Originally Posted by donheff View Post
I used Zone Alarm many years ago and IIRC you OK outbound connections from your PC on 80 and 443 because you do it all the time. ... but, if so, the trojan writers would simply mimic Internet Explorer connections. If you are not going to open ports 80 and 443 outbound, why have an Internet connection at all?
I don't know enough about how computers use these ports to say. But at least on the Mac, with 'Little Snitch', I wonder how easy it is for some malware to get installed and mimic the installed browser?

Perhaps M Paquette could comment on this, he had some interesting insight on how the Mac OS had some very tough protection against key loggers.

-ERD50
Posted by ERD50
Old 01-25-2012, 07:34 PM   #40
Quote:
Originally Posted by ERD50
I don't know enough about how computers use these ports to say. But at least on the Mac, with 'Little Snitch', I wonder how easy it is for some malware to get installed and mimic the installed browser?

Perhaps M Paquette could comment on this, he had some interesting insight on how the Mac OS had some very tough protection against key loggers.

-ERD50
It's fairly hard to do. The system uses both signed applications, a means of cryptographically verifying that an application is what it says it is and is uncorrupted, and a thing called the Application Firewall in addition to the standard IP firewall.

http://support.apple.com/kb/HT1810

Little Snitch sits atop the built-in firewalls and programs the firewalls per your settings. It uses the firewall triggers to produce its reports.
Posted by M Paquette