topic Re: What should I do in SmorgasBoard

What should I do

Anonymous — Tue, 16 Apr 2019 15:37:31 GMT

I don't know if this is the place for this? Apparently I was just hacked, and I am actually shaking right now. My gmail is attached to everything (maybe that was really dumb?) and I am sitting at work waiting for a call so I am on my phone. I suddenly get 5 alerts, my bank password was changed, my gmail was changed, etc. I think I noticed it before they got anything serious (although my bank password is pretty serious). My password is VERY secure, so I use it for everything. (I actually have no clue how they even got my password, it doesn't make sense) I have sorted my bank, fixed my gmail password, and I am going through and changing every single password right now.

I am not sure what I should do, do you think it is enough to change all my passwords? I am trying not to overreact here, but one of the things logged into was my phone provider, so I feel like I need to change everything. Is it overreacting to change my phone number and throw away my gmail account. (I have had this account and phone number for 10 years) What about my bank account, I have had that for 10 years as well.

*hopefully this isn't inappropriate content, I just needed to spill my thoughts and get advice on what I should do.

Re: What should I do

LakeLife — Tue, 16 Apr 2019 19:19:04 GMT

Wow, that is scary. That's a huge drawback of using a common password among several sites. If I were in your shoes I think one additional thing I would look into is some sort of identity monitoring service from this point forward. I'd change every password conceivable as well. Consider using an application such as LastPass to keep track of your passwords and use a different one for each site. LastPass will even create passwords for you. Not sure if changing your phone number would be helpful or not. Good luck.

Re: What should I do

Anonymous — Tue, 16 Apr 2019 20:16:02 GMT

@LakeLife wrote:
Wow, that is scary. That's a huge drawback of using a common password among several sites. If I were in your shoes I think one additional thing I would look into is some sort of identity monitoring service from this point forward. I'd change every password conceivable as well. Consider using an application such as LastPass to keep track of your passwords and use a different one for each site. LastPass will even create passwords for you. Not sure if changing your phone number would be helpful or not. Good luck.

I need to look into that service more and services that are like it. I have never actually thought about something like that service, and I am surprised it is a thing. I think it is very interesting, I definitely want to look into it, but I can't help but be concerned about your passwords being hacked if the service was hacked. As for my password, my general view on passwords has always been they need to be really strong. I used to use "rainbow123" or "Ilikepigs" but that was 12 years ago when I first was introduced to a computer.I use REALLY advanced passwords, working at centurylink they require very strong passwords. My password was the same across 50+ accounts and I can see now that might have been a mistake, (I believe the total is 57 currently) but I thought it was strong so I could use it on all of them. I had 5 numbers, 2 symbols, spacing, and upper and lower case letters. I thought that was enough. In addition, gmail really let me down, I had 2 step on, but they still got in? Not sure how that works, I thought they had to enter a code.

As for identity monitoring, I think I will sign up for the discover one. They tell me about it every time I log, so I might as well finally get it. I was really stressed this morning when I typed that up, it was so distressing to me, but I am hopeful that they didn't get anything. (fingers crossed) They only had access to my bank and email for 23 minutes before I got the security from gmail, so they didn't have a lot of time in my account do much I don't think.

Re: What should I do

kerplunk — Tue, 16 Apr 2019 21:27:12 GMT

Change all of your passwords. Use this as your password generator, preferrably 16+ characters: https://lastpass.com/password-generator

Do not use the same password for any site.

Change your security questions for your Gmail account to something no one could guess, even if they knew the real answers.

Use KeePassXC (or some other trusted password manager) to store all of your new passwords.

Re: What should I do

Anonymous — Tue, 16 Apr 2019 23:53:53 GMT

Does anyone have any idea why my 2 step verification with google did not work, also what would be the best password manager to use? (If I were to use one not sure if they are good yet) I do see there are a lot of them to choose from.

Re: What should I do

calyx — Wed, 17 Apr 2019 15:09:05 GMT

@Anonymous wrote:
Does anyone have any idea why my 2 step verification with google did not work, also what would be the best password manager to use? (If I were to use one not sure if they are good yet) I do see there are a lot of them to choose from.

I like LastPass, and most of my friends either use LastPass or 1Password.

What's really nice about a password manager is that I just have to keep that one password updated in my Durable Power of Attorney - whoever has to pay my bills if I'm incapacitated just has to log in there to get to everything.

Re: What should I do

Anonymous — Tue, 23 Apr 2019 15:10:04 GMT

Can someone explain this picture to me? I see for the non-mobile sessions it says ID (which is obviously Idaho), and then it has 2 other sessions on mobile that show UT. I am honestly confused on that, because when I am home and I use my computer it shows ID non-mobile, if I am at home on my phone it shows ID mobile. So I don't understand what UT means in the photo, does anyone know?

Re: What should I do

Anonymous — Tue, 23 Apr 2019 15:13:15 GMT

@calyx wrote:
@Anonymous wrote:
Does anyone have any idea why my 2 step verification with google did not work, also what would be the best password manager to use? (If I were to use one not sure if they are good yet) I do see there are a lot of them to choose from.
I like LastPass, and most of my friends either use LastPass or 1Password.

What's really nice about a password manager is that I just have to keep that one password updated in my Durable Power of Attorney - whoever has to pay my bills if I'm incapacitated just has to log in there to get to everything.

I have been researching password managers, and maybe I am just paranoid, but they seem very unsafe. I want to use one because it's not smart to use the same password for everything, but I don't know if that is any safer?

Re: What should I do

kerplunk — Tue, 23 Apr 2019 17:45:25 GMT

@Anonymous wrote:
Can someone explain this picture to me? I see for the non-mobile sessions it says ID (which is obviously Idaho), and then it has 2 other sessions on mobile that show UT. I am honestly confused on that, because when I am home and I use my computer it shows ID non-mobile, if I am at home on my phone it shows ID mobile. So I don't understand what UT means in the photo, does anyone know?

UT means Utah. The address that you didn't cross out is an IPv6 address. It is very uncommon, but it is the future of Internet addresses. Today, we use IPv4.

I looked up the IPv6 address via ARIN and it says it belongs to Sprint in Cheyenne, WY. It is rumored that Spring Mobile is using IPv6 addresses for some of their users. Possibly, that's what it's from. If you use Sprint for your mobile phone, then it's probably you and there's nothing to worry about.

As far as it saying Utah, well, IP geolocation isn't always accurate.

Re: What should I do

Anonymous — Tue, 23 Apr 2019 17:48:35 GMT

@kerplunk wrote:
@Anonymous wrote:
Can someone explain this picture to me? I see for the non-mobile sessions it says ID (which is obviously Idaho), and then it has 2 other sessions on mobile that show UT. I am honestly confused on that, because when I am home and I use my computer it shows ID non-mobile, if I am at home on my phone it shows ID mobile. So I don't understand what UT means in the photo, does anyone know?
UT means Utah. The address that you didn't cross out is an IPv6 address. It is very uncommon. In layman's terms, only people who are very skilled in computer networking would use have access to an IPv6 address. Even more scary, to me, is that the IPv6 address begins with "2600" which may or may not be a coincidence, but 2600 is commonly associated with hacking.

https://en.wikipedia.org/wiki/2600

Change your Gmail password and security questions. At this point, I think you need an IT professional to assist you as your PC may be compromised in some way.

Edit: I looked up the IPv6 address via ARIN and it says it belongs to Sprint Cheyenne POP. It is rumored that Spring Mobile is using IPv6 addresses. Possibly, that's what it's from. If you use Sprint for your mobile phone, then it's probably you and there's nothing to worry about.

I don't think I use sprint, I use metropcs which is tmobile I believe. So do I not need to worry about it then? I am only concerned about it because the location and those weird numbers are the exact ones from when my email was hacked. I don't know at this point, I am really considering getting rid of this email and changing phone numbers.

Re: What should I do

calyx — Tue, 23 Apr 2019 18:11:42 GMT

@Anonymous wrote:
@calyx wrote:
@Anonymous wrote:
Does anyone have any idea why my 2 step verification with google did not work, also what would be the best password manager to use? (If I were to use one not sure if they are good yet) I do see there are a lot of them to choose from.
I like LastPass, and most of my friends either use LastPass or 1Password.

What's really nice about a password manager is that I just have to keep that one password updated in my Durable Power of Attorney - whoever has to pay my bills if I'm incapacitated just has to log in there to get to everything.
I have been researching password managers, and maybe I am just paranoid, but they seem very unsafe. I want to use one because it's not smart to use the same password for everything, but I don't know if that is any safer?

Honestly, I suppose it would be 'safer' to keep a list of passwords in a journal locked in a safe at home and manually enter everything. But I think that you can look at password managers and decide if you think it's worth the risk. I am sufficiently happy with LastPass's security itself to use it. I also periodically change my LastPass password itself (actually, every 90 days, when my workplace prompts me to change my work PW).

One thing that I've heard suggested is to use something you can easily remember, like using the first letters of a memorable sentence, and then alter that password as needed.
Like - "I like pickled avocados and rocky mountain oysters" (seriously, I just made that up, please don't think badly of me, haha) - ILPAARMO - so for your Gmail account, you might use ILPAARMOGmail1! and then for amazon ILPAARMOAmazon1! etc (or whatever, I threw the 1! in there for those that need a numeric and special character). Different, but long enough.

Re: What should I do

Anonymous — Sun, 05 May 2019 13:48:11 GMT

I have been thinking about a password manager for 3 weeks now I think, and my password was compromised AGAIN 6 days ago during that time. Which to be fair was my fault, I am not going to pretend like I made my password different, all I did was add 3 numbers to my compromised password. (which I thought would be sufficient) I have come to the conclusion I am way to mistrusting, and I can not use a password manager. I was playing around on word the day my account got hacked the 1st time, and I took my hands and simply mashed them on the keyboard. In the end it was 22 characters in length. It is extremely complex, and I have spent the last 3 weeks studying this password trying to memorize it. I finally memorized it this morning, I have this password ingrained in my memory.

Do you think this 22 character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (like my bank, google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts however, I feel like no one is ever going to be able guess a password with 22 unique characters, Maybe I wrong though?

Re: What should I do

iced — Mon, 06 May 2019 15:36:23 GMT

@Anonymous wrote:

Do you think this 22 character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (like my bank, google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts however, I feel like no one is ever going to be able guess a password with 22 unique characters, Maybe I wrong though?

No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with a OTP (one-time pin). This can be either via a text message to your mobile device, or a soft-token such as RSA/VIP. Most financial applications support this.

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter a OTP from a token.

Re: What should I do

Anonymous — Mon, 06 May 2019 15:58:36 GMT

@iced wrote:
@Anonymous wrote:

Do you think this 22 character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (like my bank, google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts however, I feel like no one is ever going to be able guess a password with 22 unique characters, Maybe I wrong though?
No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

Am I reading that wrong, if that is the case then it doesn't matter what my password is, I am screwed either way?

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with a OTP (one-time pin). This can be either via a text message to your mobile device, or a soft-token such as RSA/VIP. Most financial applications support this.

Is this 2 step verification or something else? If it is 2 step then I already have that. Google completely failed 2 step verifcation twice now. Wells fargo seems to be the only one with 2 step that works for me (I don't use it on many things, just google and now my bank)

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter a OTP from a token.

I don't know, I might use a password manager, I still need to think about it I guess. In reality, the only 2 things I truly care about are secure now, I recently turned on 2 step for my bank and amazon. (I have to enter a code everysingle time I log in) I would LOVE for my gmail to be secure as well, however google doensn't want that for me obviously, otherwise I would not only be promptly alerted someone has hacked me but 2 step would also work.

Side note, I think the main problem I have with password managers is the ones recommended in this thread have been compromised in the past according to google when I look them up. If they are supposed to be so secure, why are they having that problem? Also is there anything I can do to actually make my gmail secure?

Re: What should I do

iced — Mon, 06 May 2019 16:24:38 GMT

@Anonymous wrote:
@iced wrote:
@Anonymous wrote:

Do you think this 22 character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (like my bank, google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts however, I feel like no one is ever going to be able guess a password with 22 unique characters, Maybe I wrong though?
No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

Am I reading that wrong, if that is the case then it doesn't matter what my password is, I am screwed either way?

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with a OTP (one-time pin). This can be either via a text message to your mobile device, or a soft-token such as RSA/VIP. Most financial applications support this.

Is this 2 step verification or something else? If it is 2 step then I already have that. Google completely failed 2 step verifcation twice now. Wells fargo seems to be the only one with 2 step that works for me (I don't use it on many things, just google and now my bank)

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter a OTP from a token.
I don't know, I might use a password manager, I still need to think about it I guess. In reality, the only 2 things I truly care about are secure now, I recently turned on 2 step for my bank and amazon. (I have to enter a code everysingle time I log in) I would LOVE for my gmail to be secure as well, however google doensn't want that for me obviously, otherwise I would not only be promptly alerted someone has hacked me but 2 step would also work.

Side note, I think the main problem I have with password managers is the ones recommended in this thread have been compromised in the past according to google when I look them up. If they are supposed to be so secure, why are they having that problem? Also is there anything I can do to actually make my gmail secure?

You are not reading that wrong. Some systems store passwords in a reversible hash (bad) that can be broken/reversed. Some systems store the password in the clear on a DB (really bad) so breaking into the DB leaks all the passwords. Sometimes, it's even something more obscure, like a cookie holding a password for automatic login or the password being stored in volatile memory and malware on your host is reading the memory and extracting the password. Keyloggers can get passwords out of people who enter them manually rather than copy/paste. There's a lot of ways to get at data.

Two-step verification is arguably a form of MFA, provided it's doing something like texting you an access code. Simply asking you for two passwords or asking two questions isn't true MFA. Without going into the weeds on it, there's three general factors of access:

1. Something you know (passwords)

2. Something you have (tokens/phone PINs)

3. Something you are (biometrics/TouchID)

Whether you should use it or not is a matter of personal risk assessment.

As for GMail, they do have MFA options. Check out https://myaccount.google.com/security after you've logged in to see what you can do.

Lastly, before it gets lost in all this - just because there are ways to get around even the most complex password doesn't mean one shouldn't strive for that. Keep your passwords complex. Change them often (several times a year at a minimum for sensitive/financial accounts). Don't re-use passwords across sensitive accounts, but even as a security person I'll give a pass to those who want to use one password for all their forums. If you want to break into my MF account so you can log in and post on FT, be my guest, but don't expect that to get into my email, bank accounts, or credit cards.