superquestions
stolen passwords

What should I do if my passwords are stolen by a cracker or a group of crackers?
MiguelSilvestre

Hi superquestions,

What passwords are you talking about?

In most cases the first step is to change the passwords.

Miguel

ASKER

Passwords for:

1. message boards
2. banks
3. affiliate programs
4. registered software
5. message boards
6. e-mails
7. instant messengers
8. social networking
9. web hosting
Hi superquestions,

The most rapid thing to do is change all the passwords ....

Miguel
I asked the question wrongly. I am worried about having any of my passwords stolen, not all of them at the same time. By the way, how am I going to change passwords without being able to log in?
masnrock
Change your passwords first.... then clean your machine of any trojans, viruses, spyware, etc. (Depending on how bad it is, just do a total system refresh)
Hi superquestions,

It's relative ... but in any case you can do a password reset or write an e-mail to the site admins or similar ....

And .... about social engineering ....

A - Don't reveal your access codes
B - Strong Passwords

Miguel
Superquestions,

Most of this comes down to prevention:
1) Never write down passwords on paper or in files that are not encrypted. Don't trust MS encryption. There are plenty of password vaults out there that will encrypt using AES 128-bit encryption (minimum). If you have one place where you store your passwords you only have to remember one password, and in all likelihood the quality of your passwords will go up too :)
2) Make sure your passwords are 8 or more characters, and use digits and extended characters. Pass phrases are even better. Never use words that can be found easily in dictionaries.
3) Change your passwords regularly. A couple of advantages: one, you minimize the risk of exposure; two, you find out whether your account was compromised :)

When your passwords are compromised:
1) Check your system for any spyware/keyloggers/rootkits (look for any of this on Google)
2) Change your passwords immediately

It is very unlikely that all your passwords will be compromised. If you do your due care and install a firewall (Zonealarm, Agnitum Outpost), anti-spyware (spybot S&D, Webroot, AdAware), anti-virus (AVG), you don't have to fear a lot. There are millions out there that are easier targets, so they will go after them first. It is very unlikely that a thief is out on one PC only and your data. There are better targets out there. So chill and protect yourself as best as you can.

--dutch
"1) Never write down passwords on paper or in files that are not encrypted."

What cryptography software do you recommend me to use?
Try this password safe, also feel free to write down passwords, just keep them protected from others. http://www.schneier.com/passsafe.html
http://www.schneier.com/blog/archives/2005/06/write_down_your.html http://www.schneier.com/blog/archives/2005/06/password_safe.html

The trouble with telling someone that "you should use varying cases, special characters, numbers, and no password should be under X amount of chars..." is that often there are limits to what your passwords can be. I've used plenty of sites that are very reputable, however they limit my password to only alphanumeric characters and limit the maximum length the password can be. VNC is an application for instance that limits the password to 8 chars. M$'s LM limits the passwords to 14 chars, anything over that makes the password hash "null" AAD3B435B51404EEAAD3B435B51404E <--- null password which is actually two 7 char halves. NTLM limits passwords to 127 chars, more than enough.

Now you have to learn how your passwords can be stolen, and try to mitigate against it. Email like SMTP is plain-text, your username and passwords are sent very very plain-text and it is possible for someone to sniff them; depending on where you're accessing email from, the likelihood of someone doing so goes up or down. On a corporate LAN it's easier for someone in the office to sniff your pass than it would be for someone using the same ISP as you, unless they work at the ISP. IM is another plain-text protocol (90% of them are, AIM, MSN, YIM...); while the passwords aren't plaintext, the username and the conversations are. GoogleTalk is encrypted, TLS.

Sniffing is one way, phishing is another, key logging is another, then you also have the risk you can do nothing about, a compromise of the service itself, your passwords are probably safe, however your data isn't.
I'd pick up a book or two, and read about best practices: http://xinn.org/win_bestpractices.html
Bruce Schneier is one of the foremost recognized security minds of our time, and his books and articles are very very good: http://www.schneier.com/books.html (Secrets and Lies, as well as Beyond Fear for this topic)
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html phishers are getting far more clever...
-rich
Here are two decent products:

PGP - http://www.pgp.com (you have to search kinda hard for the freeware... currently the trial version). Free or retail your pick.

GNU Privacy Guard - http://www.gnupg.org/
Richrumble: glad I could feed the conversation here :)
There is surely much more to what I said. But I don't think this thread will be long enough to go into detail on all the intricacies of passwords and the security thereof.

I like your addition on the length of passwords and above all the addition of the clear-text transport mechanisms we still have and can't seem to get rid of in this day and age.

Superquestions: I personally use Flexwallet from WebIS, but that's because I use my PDA to store my passwords so I have them with me all the time. This program works well for me because it has a Desktop interface as well so I don't have to enter everything on the PDA.

PGP is a great product and if you download the 30-day trial version from www.pgp.com I believe it will go to the 'freeware' version which has less functionality than the professional or home edition.

It all comes down to how much you want to spend to protect your stuff. There is a balance. Just make an assessment of what the protected assets are worth to you and protect them with appropriate measures. What is appropriate? I don't know, it all depends on what the value is to you, how much it would take to replace if possible at all, what is the likelihood that your assets are compromised, what are the threats, and so on. Many parameters that will all add up to the level of protection you want to buy.

Heck, I might even start telling people to write down their passwords. This shows for me that I am so fixated on solutions and phrases/best practices that everyone has been yelling for so long. I need to get out of that box! thanks guys!

--dutch
Change your password(s) !

harbor235 ;}
Best practices are still paramount, and you must also understand your exposure. If you are not sure if your service, like Email, or banking site, is encrypted or not, write to their support, ask questions, do research as you are. Best practices with regard to passwords still hold true, if you can, vary the case, use phrases and misspellings, numbers and characters. Choosing a random pass and having it written down really isn't much more secure than a well chosen memorable passphrase, replace alpha chars with numeric and or symbols...
t1n*T!N=oneHUNDRED  (ten times ten equals 100)
five^&*(ten!!  (type five, hold shift and press the numbers 6,7,8,9, let go of shift, type ten, hold shift and press the numbers 1,1; your password is 5 6 7 8 9 10 11: five, six, seven, eight, nine, ten, eleven)

EYEqui+l8rDOOD  (I quit, later dude)

Other best practices are: change your passwords often, a good rule of thumb is every 90 days, there are lots of ways to remind yourself.

Again you have to know your exposure risks, WiFi at Starbucks or Kinko's isn't encrypted with more than WEP, WEP is very very weak and easily cracked in minutes. Your own personal WiFi access point at home perhaps, should have a MAC address filter, WPA (ver2 if possible) and/or use RADIUS authentication.

To quote Mr. Schneier (I know I'm all upon his jock...) Security isn't a Program, it is a Process.

Operating your PC as an administrator for day-2-day activities is against best practices, as you could be hit by a 0-day virus, or unknown flaw/exploit, a phishing scam, IM virus etc... and when a program executes, and you're logged in as admin, it also gets that privilege. So the keylogger that installed via an ActiveX control when you visited such and such .com, had no problem installing, you were running IE as an admin, for casual surfing. Or you played a new CD that had a root-kit on it, and you were an admin when listening to some music... http://xinn.org/Sony-DRM.html  http://www.xinn.org/annoyance_spy-ware.html
IE is improving, but it needs to drop ActiveX and/or create a second version that has backward compatibility or something: http://www.schneier.com/blog/archives/2006/02/the_new_interne.html
http://www.schneier.com/blog/archives/2006/02/identity_theft_2.html (it's very hard to keep up with those that are out to defraud you... a new scenario pops up every day, mitigation, like best practices, helps, but again nothing is 100%)
-rich
Good stuff Rich. I don't mind the Schneier stuff as long as it makes sense :)

Oh yeah, .....don't use the passwords Rich mentioned, since those are public now :-p

H4ppy V4l3n+!n35 d00d5

Some more links for weekend reading fun...
http://www.sans.org/resources/policies/Password_Policy.pdf
http://www.securitydocs.com/library/1130
http://www.securitydocs.com/library/1005
Do you know of any software that adds Encrypt and Decrypt to the context menu that you get when you right-click file(s) or folder(s) and that is strong?
Back to the beginning...

What if my passwords are stolen by a thief and changed by the thief?
ASKER CERTIFIED SOLUTION
Rich Rumble
If you don't have proof that you are who you say you are then you are $cr3w3d. :)

If you have proof, then contact the admins of the system that has been compromised and hope they believe you.

Some systems will e-mail you whenever something in your profile has been changed. If you received one of these e-mails it should have an address to reply to, to say "hey I did not do this", and the system admin will then take action, normally locking out the account.

Is this just a generic question, or did you have your passwords stolen?
If you want to prove to others who you are you might want to consider Web of Trust from www.Thawte.com 

To get a trusted email certificate you have to show up in person at one or two of their notaries and show some ID. To what extent this is accepted at ISPs, webhosts etc I don't know. You can always fax your photo ID to them.

To go back to your initial question: "how am I going to change passwords without being able to log-in"
Most sites will have a "forgot password" link where you either will be challenged with your 'secret' question or you will get a temporary password emailed. So you will be able to logon and change your password afterwards.

Main thing, and I think you have enough ammo now, is to make sure your passwords are safe!

Interesting conversation and I think some of this is surely interesting enough for my filing :) thanks everyone for some really good contributions. And all of that for a 40-point question :) You see, security is alive and some people get really excited about it including me :D

--dutch
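The "forgot password" flow dutch describes above (a temporary secret e-mailed to the address on file, then a password change) is sketched below as an added example; it is not code from the thread or from any site discussed. The store, the 15-minute lifetime and the helper names are assumptions; the point is that the site keeps only a hash of the token, compares it in constant time, lets it expire, and revokes it after one use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory store (assumption): user -> {"token_hash", "expires"}.
# A real site would keep this in its database next to the account record.
RESET_TOKENS = {}
TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of an e-mailed reset token


def issue_reset_token(user, now=None):
    """Create a one-time reset token to e-mail to the user's address on file.

    Only a SHA-256 hash of the token is stored, so a leaked table of
    pending resets cannot be used to take over accounts.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    RESET_TOKENS[user] = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token  # goes into the e-mail body; never stored in the clear


def redeem_reset_token(user, token, new_password_hash, accounts, now=None):
    """Validate the presented token, set the new password, revoke the token.

    Returns True on success, False if the token is unknown, expired or wrong.
    """
    now = time.time() if now is None else now
    rec = RESET_TOKENS.get(user)
    if rec is None or now > rec["expires"]:
        RESET_TOKENS.pop(user, None)  # drop stale entries
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    # Constant-time comparison so timing does not leak how much matched
    if not hmac.compare_digest(presented, rec["token_hash"]):
        return False
    accounts[user] = new_password_hash  # caller supplies an already-hashed password
    RESET_TOKENS.pop(user, None)  # single use: a reused link must fail
    return True
```

After a successful reset a site would also terminate the account's existing sessions, so a thief who already changed the password is logged out as well.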