stolen passwords

What should I do if my passwords are stolen by a cracker or a group of crackers?

MiguelSilvestreCommented:
Hi superquestions,

What passwords are you talking about?

In most cases the first step is to change the passwords.

Miguel
superquestionsAuthor Commented:
Passwords for:

1. message boards
2. banks
3. affiliate programs
4. registered softwares
5. message boards
6. e-mails
7. instant messengers
8. social networkings
9. web hostings
MiguelSilvestreCommented:
Hi superquestions,

The most rapid thing to do is change all the passwords ....

Miguel
superquestionsAuthor Commented:
I asked the question wrongly. I am worried about having any of my passwords stolen, not all of them at the same time. By the way, how am I going to change passwords without being able to log in?
masnrockCommented:
Change your passwords first.... then clean your machine of any trojans, viruses, spyware, etc. (Depending on how bad it is, just do a total system refresh)
MiguelSilvestreCommented:
Hi superquestions,

It's relative ... but in any case you can do a password reset or write an e-mail to the site admins or similar ....

And .... about social engineering ....

A - Don't reveal your access codes
B - Strong Passwords

Miguel
dutch7773Commented:
Superquestions,

Most of this comes down to prevention:
1) Never write down passwords on paper or in files that are not encrypted. Don't trust MS encryption. There are plenty of password vaults out there that will encrypt using 128-bit AES encryption (minimum). If you have one place where you store your passwords you only have to remember one password, and in all likelihood the quality of your passwords will go up too :)
2) Make sure your passwords are 8 or more characters; use digits and extended characters. Pass phrases are even better. Never use words that can be found easily in dictionaries.
3) Change your passwords regularly. A couple of advantages: one, you minimize the risk of exposure; two, you find out whether your account was compromised :)

When your passwords are compromised:
1) Check your system for any spyware/keyloggers/rootkits (look for any of this on Google)
2) Change your passwords immediately

It is very unlikely that all your passwords will be compromised. If you take due care and install a firewall (ZoneAlarm, Agnitum Outpost), anti-spyware (Spybot S&D, Webroot, Ad-Aware), anti-virus (AVG), you don't have to fear a lot. There are millions out there that are easier targets, so they will go after them first. It is very unlikely that a thief is out for one PC only and your data. There are better targets out there. So chill and protect yourself as best as you can.

--dutch
superquestionsAuthor Commented:
"1) Never write down passwords on paper or in files that are not encrypted."

What cryptography software do you recommend me to use?
Rich RumbleSecurity SamuraiCommented:
Try this password safe, also feel free to write down passwords, just keep them protected from others. http://www.schneier.com/passsafe.html
http://www.schneier.com/blog/archives/2005/06/write_down_your.html http://www.schneier.com/blog/archives/2005/06/password_safe.html

The trouble with telling someone that "you should use varying cases, special characters, numbers, and no password should be under X amount of chars..." is that often there are limits to what your passwords can be. I've used plenty of sites that are very reputable; however, they limit my password to only alphanumeric characters and limit the maximum length the password can be. VNC is an application, for instance, that limits the password to 8 chars. M$'s LM limits the passwords to 14 chars; anything over that makes the password hash "null" AAD3B435B51404EEAAD3B435B51404E <--- null password, which is actually two 7-char halves. NTLM limits passwords to 127 chars, more than enough.

Now you have to learn how your passwords can be stolen, and try to mitigate against it. Email like SMTP is plain-text; your username and passwords are sent very, very plain-text and it is possible for someone to sniff them. Depending on where you're accessing email from, the likelihood of someone doing so goes up or down. On a corporate LAN it's easier for someone in the office to sniff your pass than it would be for someone using the same ISP as you, unless they work at the ISP. IM is another plain-text protocol (90% of them are: AIM, MSN, YIM...); while the passwords aren't plaintext, the username and the conversations are. GoogleTalk is encrypted, TLS.

Sniffing is one way, phishing is another, key logging is another, then you also have the risk you can do nothing about, a compromise of the service itself, your passwords are probably safe, however your data isn't.
I'd pick up a book or two, and read about best practices: http://xinn.org/win_bestpractices.html
Bruce Schneier is one of the foremost recognized security minds of our time, and his books and articles are very, very good: http://www.schneier.com/books.html (Secrets and Lies, as well as Beyond Fear for this topic)
http://www.schneier.com/blog/archives/2005/03/the_failure_of.html phishers are getting far more clever...
-rich
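To make Rich's point about plain-text SMTP concrete, here is an added example (not code from anyone in this thread) that audits a captured SMTP session transcript and flags credentials that were sent before STARTTLS was negotiated. The transcript is constructed for the example; the account name and password in it are made up, and the code decodes only the account name, to show that the base64 wrapper on AUTH PLAIN/LOGIN is encoding, not encryption.

```python
import base64

# Constructed SMTP transcript (not a real capture). "C:" = client line,
# "S:" = server line. The client authenticates without ever issuing
# STARTTLS, so the credential blob crosses the wire unprotected.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP
C: EHLO laptop
S: 250-mail.example.test
S: 250-STARTTLS
S: 250 AUTH PLAIN LOGIN
C: AUTH PLAIN AGFsaWNlAGh1bnRlcjI=
S: 235 2.7.0 Authentication successful
C: MAIL FROM:<alice@example.test>
S: 250 OK
"""


def audit_smtp_session(transcript):
    """Return one finding per AUTH command issued before STARTTLS.

    A finding records the transcript line of the AUTH command, the SASL
    mechanism, and the account name recovered from the base64 payload.
    Client lines after STARTTLS are skipped: on the wire they would be
    inside TLS and not readable by a sniffer.
    """
    findings = []
    tls_active = False
    pending = None  # (mechanism, line) while waiting for the client's next reply
    for idx, raw in enumerate(transcript.splitlines(), start=1):
        if not raw.startswith("C: "):
            continue
        cmd = raw[3:].strip()
        upper = cmd.upper()
        if upper == "STARTTLS":
            tls_active = True
        if tls_active:
            continue
        if pending is not None:
            mech, line = pending
            pending = None
            blob = base64.b64decode(cmd)
            # PLAIN payload is authzid NUL authcid NUL password; LOGIN's
            # first client reply is just the base64 username.
            user = blob.split(b"\x00")[1] if mech == "PLAIN" else blob
            findings.append({"line": line, "mechanism": mech,
                             "user": user.decode(), "password_exposed": True})
        elif upper.startswith("AUTH PLAIN "):
            blob = base64.b64decode(cmd.split(None, 2)[2])
            findings.append({"line": idx, "mechanism": "PLAIN",
                             "user": blob.split(b"\x00")[1].decode(),
                             "password_exposed": True})
        elif upper in ("AUTH PLAIN", "AUTH LOGIN"):
            pending = (upper.split()[1], idx)
    return findings
```

The same function run over a session where `C: STARTTLS` precedes the AUTH command returns no findings, which is the configuration a mail client should be checked for.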
masnrockCommented:
Here are two decent products:

PGP - http://www.pgp.com (you have to search kinda hard for the freeware... currently the trial version). Free or retail your pick.

GNU Privacy Guard - http://www.gnupg.org/
dutch7773Commented:
Richrumble: glad I could feed the conversation here :)
There is sure much more to what I said. But I don't think this thread will be long enough to go into detail on all the intricacies of passwords and the security thereof.

I like your addition on the length of passwords and above all the addition of the clear-text transport mechanisms we still have and can't seem to get rid of in this day and age.

Superquestions: I personally use FlexWallet from WebIS, but that's because I use my PDA to store my passwords so I have them with me all the time. This program works well for me because it has a desktop interface as well, so I don't have to enter everything on the PDA.

PGP is a great product and if you download the 30-day trial version from www.pgp.com I believe it will go to the 'freeware' version which has less functionality than the professional or home edition.

It all comes down to how much you want to spend to protect your stuff. There is a balance. Just make an assessment of what the protected assets are worth to you and protect them with appropriate measures. What is appropriate? I don't know; it all depends on what the value is to you, how much it would take to replace if possible at all, what is the likelihood that your assets are compromised, what are the threats, and so on. Many parameters that will all add up to the level of protection you want to buy.

Heck, I might even start telling people to write down their passwords. This shows for me that I am so fixated on solutions and phrases/best practices that everyone has been yelling for so long. I need to get out of that box! thanks guys!

--dutch
harbor235Commented:
Change your password(s) !

harbor235 ;}
Rich RumbleSecurity SamuraiCommented:
Best practices are still paramount, and you must also understand your exposure. If you are not sure if your service, like Email, or banking site, is encrypted or not, write to their support, ask questions, do research as you are. Best practices with regard to passwords still hold true: if you can, vary the case, use phrases and misspellings, numbers and characters. Choosing a random pass and having it written down really isn't much more secure than a well chosen, memorable passphrase; replace alpha chars with numeric and/or symbols...
t1n*T!N=oneHUNDRED  (ten times ten equals 100)
five^&*(ten!!  (type five, hold shift and press the numbers 6,7,8,9, let go of shift, type ten, hold shift, press numbers 11; your password is 5 6 7 8 9 10 11: five, six, seven, eight, nine, ten, eleven)

EYEqui+l8rDOOD  (I quit, later dude)

Other best practices are: change your passwords often; a good rule of thumb is every 90 days, and there are lots of ways to remind yourself.

Again you have to know your exposure risks. WiFi at Starbucks or Kinko's isn't encrypted with more than WEP, and WEP is very, very weak and easily cracked in minutes. Your own personal WiFi access point at home, perhaps, should have a MAC address filter, WPA (ver2 if possible) and/or use RADIUS authentication.

To quote Mr. Schneier (I know I'm all upon his jock...) Security isn't a Program, it is a Process.

Operating your PC as an administrator for day-to-day activities is against best practices, as you could be hit by a 0-day virus, or unknown flaw/exploit, a phishing scam, IM virus etc... and when a program executes while you're logged in as admin, it also gets that privilege. So the keylogger that installed via an ActiveX control when you visited such and such .com had no problem installing: you were running IE as an admin, for casual surfing. Or you played a new CD that had a root-kit on it, and you were an admin when listening to some music... http://xinn.org/Sony-DRM.html  http://www.xinn.org/annoyance_spy-ware.html
IE is improving, but it needs to drop ActiveX and/or create a second version that has backward compatibility or something: http://www.schneier.com/blog/archives/2006/02/the_new_interne.html
http://www.schneier.com/blog/archives/2006/02/identity_theft_2.html (it's very hard to keep up with those that are out to defraud you... a new scenario pops up every day; mitigation, like best practices, helps, but again nothing is 100%)
-rich
dutch7773Commented:
Good stuff Rich. I don't mind the Schneier stuff as long as it makes sense :)

Oh yeah, .....don't use the passwords Rich mentioned, since those are public now :-p

H4ppy V4l3n+!n35 d00d5

Some more links for weekend reading fun...
http://www.sans.org/resources/policies/Password_Policy.pdf
http://www.securitydocs.com/library/1130
http://www.securitydocs.com/library/1005
superquestionsAuthor Commented:
Do you know of any software that adds Encrypt and Decrypt to the context menu that you get when you right-click file(s) or folder(s) and that is strong?
superquestionsAuthor Commented:
Back to the beginning...

What if my passwords are stolen by a thief and changed by the thief?
Rich RumbleSecurity SamuraiCommented:
PGP, TrueCrypt are the best and easiest to use. If you move to another PC or use another PC, your software will need to be installed on it as well... Steganos has a "self-encrypting and decrypting" feature that's very nice. You can send the file to someone and all they need is the password to unlock it; it automatically seals itself back up, however they will not be able to add or make changes to it. http://www.steganos.com/?product=safe8&language=en (for a few extra $$ you might as well get the entire suite, they are very good and solid tools)

#2, contact your bank, ISP, Email provider, the FBI, and/or local government fraud centers. Contact webmasters, hostmasters, postmasters of the sites you think your passwords are compromised and/or stolen from. You will need to prove who you are to them, and that's the tough part, and even then, it's iffy they can or will help you much more. You're basically forced to start over new with someone else... sad but true. Keep encrypted backups in a safe place, as well as making sure you back up regularly. If you have something of value that should be backed up, do it right then and there.
-rich

giltjrCommented:
If you don't have proof that you are who you say you are then you are $cr3w3d. :)

If you have proof, then contact the admins of the systems that have been compromised and hope they believe you.

Some systems will e-mail you whenever something in your profile has been changed. If you received one of these e-mails it should have an address to reply to, to say "hey I did not do this", and the system admin will then take action, normally locking out the account.

Is this just a generic question, or did you have your passwords stolen?
dutch7773Commented:
If you want to prove to others who you are you might want to consider Web of Trust from www.Thawte.com 

To get a trusted email certificate you have to show up in person at one or two of their notaries and show some ID. How much this is accepted at ISPs, webhosts etc. I don't know. You can always fax your photo ID to them.

To go back to your initial question: "how am I going to change passwords without being able to log-in"
Most sites will have a "forgot password" link where you either will be challenged with your 'secret' question or you will get a temporary password emailed. So you will be able to logon and change your password afterwards.

Main thing, and I think you have enough ammo now, is to make sure your passwords are safe!

Interesting conversation, and I think some of this is surely interesting enough for my filing :) thanks everyone for some really good contributions. And all of that for a 40-point question :) You see, security is alive and some people get really excited about it, including me :D

--dutch