stolen passwords

Passwords for:

1. message boards
2. banks
3. affiliate programs
4. registered softwares
5. message boards
6. e-mails
7. instant messengers
8. social networkings
9. web hostings

Hi superquestions,

The most rapid thing to do is change all the passwords ....

Miguel

I asked the question wrongly. I am worried about having any of my passwords stolen, not all of them at the same time. By the way, how am I going to change passwords without being able to log-in?

Change your passwords first.... then clean your machine of any trojans, viruses, spyware, etc. (Depending on how bad it is, just do a total system refresh)

Hi superquestions,

it's relative ... but in all the case you can do a reset pasword or in write an e-mail to site admins or similar ....

And .... about social enginearing ....

A - Don´t reveal your access codes
B - Strong Passwords

Miguel

Superquestions,

Most of this comes down to prevention:
1) Never write down passwords on paper or in files that are not encrypted. Don't trust MS encryption. There are plenty password vaults out there that will encrypt using AES 128bit encryption (minimum). If you have one place where you store your passwords you only have to remember one password, and in all likeliness the quality of your passwords will go up too :)
2) Make sure your passwords are 8 or more characters, use digits and extended characters. Pass phrases are even better. Never use words that can be found easily in dictionaries.
3) Change your passwords regularly. Couple of advantages, one you minimize the risk of exposure, two, you find out whether your account was compromised :)

When your passwords are compromised:
1) Check your system for any spyware/keyloggers/rootkits (look for any of this on Google)
2) Change your passwords immediately

It is very unlikely that all your passwords will be compromised. If you do your due care and install a firewall (Zonealarm, Agnitum Outpost), anti-spyware (spybot S&D, Webroot, AdAware), anti-virus (AVG), you don't have to fear a lot. There are millions out there that are easier targets, so they will go after them first. It is very unlikely that a thief is out on one PC only and your data. There are better targets out there. So chill and protect yourself as best as you can.

--dutch

"1) Never write down passwords on paper or in files that are not encrypted."

What cryptography software do you recommend me to use?

Try this password safe, also feel free to write down passwords, just keep them protected from others. http://www.schneier.com/passsafe.html
http://www.schneier.com/blog/archives/2005/06/write_down_your.html http://www.schneier.com/blog/archives/2005/06/password_safe.html

The trouble with telling someon that "you should use varying cases, special characters, numbers, and no password should be under X amount of chars..." is that often there are limits to what your passwords can be. I've used plenty of sites that are very reputable, however the limit my password to only alpha numeric characters and limit the maximum length the password can be. VNC is an application for instance that limits the password to 8 chars. M$'s LM limits the passwords to 14 chars, anything over that make the password hash "null" AAD3B435B51404EEAAD3B435B51404E <--- null password which is actually two 7 char halves. NTLM limits passwords to 127 chars, more than enough.

Now you have to learn how your passwords can be stolen, and try to mitigate against it. Email like SMTP is plain-text, your username and passwords are sent very very plain-text and it is possible for someone to sniff them, depending on where your accessing email from, the likelihood of someone doing so goes up or down. On a Corporate lan it's easier for someone in the office to sniff your pass than it would be for someone using the same ISP as you, unless they work at the ISP. IM is another plain-text prtocol (90% of them are, AIM, MSN, YIM...) while the passwords aren't plaintext, the username and the conversations are. GoogleTalk is encrypted, TLS.

Sniffing is one way, phishing is another, key logging is another, then you also have the risk you can do nothing about, a compromise of the service itself, your passwords are probably safe, however your data isn't.
I'd  pick up a book or two, and read about best practices: http://xinn.org/win_bestpractices.html
Bruce Schneier is one of the foremost recognized security minds of our time, and his books and articles are very very good: http://www.schneier.com/books.html (secrets and lies, as well as Beyond fear for this toipic)
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html phishers are getting far more clever...
-rich

Here are two decent products:

PGP - http://www.pgp.com (you have to search kinda hard for the freeware... currently the trial version). Free or retail your pick.

GNU Privacy Guard - http://www.gnupg.org/

Richrumble: glad I could feed the conversation here :)
There is sure much more to what I said. But I don't think this thread will be long enough to go into detail to all the intrincacies of passwords and the security thereof.

I like your addition on the length of passwords and above all the addition of the clear-text transport mechanisms we still have and can't seem to get rid of in this day and age.

Superquestions: I personally use Flexwallet from WebIS, but that's because I use my PDA to store my passwords so I have them with me all the time. This program workst good for me because it has a Desktop interface as well so I don't have to enter everything on the PDA.

PGP is a great product and if you download the 30-day trial version from www.pgp.com I believe it will go to the 'freeware' version which has less functionality than the professional or home edition.

It all comes down to how much you want to spend to protect your stuff. There is a balance. Just make an assessment to what the protected assets are worth to you and protect them with appropriate measures. What is appropriate? I don't know, it all depends on what the value is to you, how much it would take to replace if possible at all,  what is the likeness that your assets are compromised, what are the threats, and so on. Many parameters that will all add up to the level of protection you want to buy.

Heck, I might even start telling people to write down their passwords. This shows for me that I am so fixated on solutions and phrases/best practices that everyone has been yelling for so long. I need to get out of that box! thanks guys!

--dutch

Change your password(s) !

harbor235 ;}

Best parctices are still paramount, and you must also understand your exposure. If you are not sure if your service, like Email, or banking site, is encrypted or not, write to their support, ask questions, do research as you are. Best practices with reguard to passwords still hold true, if you can, vary the case, use phrases and misspellings, numbers and characters. Choosing a random pass and having it written down really isn't much more secure than a well chosen rememberable passphrase, replace alpha chars with numeric and or symbols...
t1n*T!N=oneHUNDRED  (ten times ten equals 100)
five^&*(ten!!  (type five, hold shift and press the numbers 6,7,8,9 let go of shift, type ten, hold shift press numbers 11, your password is 5 6 7 8 9 10 11 five, six, seven, eight, nine, ten, eleven

EYEqui+l8rDOOD  (I quit, later dude)

Other best practices are, change your passwords often, a good rule of thumb is every 90 days, there are lot's of ways to remind yourself.

Again you have to know your exposure risks, WIFI at starbucks or kinko's isn't encrypted with more than WEP, WEP is very very weak and easily cracked in minutes. Your own personal WIFI access point at home perhaps, should have a MAC address filter, WPA (ver2 if possible) and or use radius authentication.

To quote Mr. Schneier (I know I'm all upon his jock...) Security isn't a Program, it is a Process.

Operating your PC as an administrator for day-2-day activities is against best practices, as you could be hit by a 0-day virus, or unknow flaw/expolit, a phishing scam, IM virus etc... and when a program executes, and your logged in as admin, it also gets that privilege. So the keylogger that installed via an ActiveX control when you visited such and such .com, had no problem installing, you were running IE as an admin, for casual surfing. Or you played a new CD that had a root-kit on it, and you were an admin when listening to some music... http://xinn.org/Sony-DRM.html  http://www.xinn.org/annoyance_spy-ware.html  
IE is improving, but it needs to drop ActiveX and or create a second version that has backward compatibilty or something: http://www.schneier.com/blog/archives/2006/02/the_new_interne.html
http://www.schneier.com/blog/archives/2006/02/identity_theft_2.html (it's very hard to keep up with those that are out to defarud you... a new seceniro pop's up every day, mitigation, like best practices helps, but again nothing is 100%)
-rich
-rich

Good stuff Rich. I don't mind the Schneier stuff as long as it makes sense :)

Oh yeah, .....don't use the passwords Rich mentioned, since those are public now :-p

H4ppy V4l3n+!n35 d00d5

Some more links for weekend reading fun...
http://www.sans.org/resources/policies/Password_Policy.pdf
http://www.securitydocs.com/library/1130
http://www.securitydocs.com/library/1005

Do you know of any software that adds Encrypt and Decrypt to the context menu that you get when you right-click file(s) or folder(s) and that is strong?

Back to the beginning...

What if my passwords are stolen by a thief and changed by the thief?

If you don't have proof that you are who you say you are then you are $cr3w3d. :)

If you have proof, then contact the admins of the system that have been compromised and hope they beleive you.

Some systems will e-mail you when ever something in your profile has been changed.  If you received one of these e-mails it should have a address to reply to to say "hey I did not do this" and the system admin will then take action, normally locking out the account.

Is this just a generic question, or did you have your passwords stolen?