UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #41   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.

  #42   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Dave Liquorice" wrote in message
idual.net...
On Mon, 20 Jul 2020 09:51:07 +0100, Scott wrote:

I generate long, random, password sequences for each Internet account
created. They're a pain to type in, ...


Or use a "formula" to generate passwords unique to each site. Based
say on part of the company name. Load of things you can do to make
the password pretty secure, Upper/lowercase given character
position(s), letter/number substitute, both either as an inposition
substitution or an insert before or after the position. Pre/app-pend
and short string (containing symbols, numbers, upper/lowercase).

Even if you forget what a password is for a site you can work it out
by applying your formula. The only slight gotcha is those sites that
object to symbols in a password.

but I keep a stack of pieces of paper with the new ones printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form.


Bits of paper work... One would also assume that the information is
also obscurated and not a simple plain text "site password" list
and also contains old, invalid, information or even completely bogus
information.

What happens if someone breaks into your house and steals the pieces of
paper? Mine uses military security and allows you to view, cut and paste
the passwords as required.


Assuming the device with your passwords on hasn't also been
nicked or even simply died. Lightning strike, power surge?


Both are trivially avoided by using an iphone with fingerprint
or facial recognition. Even if it gets smashed completely or
say dropped over the side of a boat etc, it's trivial to replace
it and carry on regardless.

Just as likely as a tea leaf taking the bits of paper.
You can't even have a go at trying to workout
what any passwords are.



  #43   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,904
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 15:58:27 +1000, "%%" wrote:



"Scott" wrote in message
.. .
On Mon, 20 Jul 2020 18:48:49 +0100, John Rumm
wrote:

On 20/07/2020 10:28, Scott wrote:
On 20 Jul 2020 09:04:01 GMT, Tim Streater
wrote:

On 20 Jul 2020 at 09:51:07 BST, Scott
wrote:

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form. What happens if someone breaks
into your house and steals the pieces of paper?

Drat yes, I hope the scrote doesn't notice the book on the bookshelf
with the
word "Passwords" embossed on the spine in gold. I expect such a scrote
would
have a little "Lone Ranger" mask, wear a black-and white striped
jersey, and
carry a bag marked "Swag" over his shoulder.

Thanks for our insightful advice. I'll stop locking my front door -
obviously unnecessary as crime is fake news.

I think you may have missed the point Tim was making. i.e. Just because
you have a file of passwords recorded, it does not have to be obvious or
even intelligible to someone else if the details are obfuscated, or
simply hidden in lots of other data.


Sorry, I must have been distracted by all the verbiage about scrotes,
lone rangers and swag.

I prefer to hold the passwords in an encrypted form that can be cut
and pasted when needed


I prefer a proper password manager that keeps the passwords
and other routinely provided stuff like your address and the
username etc in a fully encrypted database and automatically
fills in the form you are looking at and which allows you to
select from a list of sites that you log into routinely so you
can go there just by clicking that link. And which automatically
collects the stuff you fill in with a new site and offers to add it
to the database,

than in a disguised form on bits of paper that
needs to be painstakingly typed in each time.
Everyone makes their own choices of course.


We're thinking along the same lines. You are going a step further,
which is good.
  #44   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,904
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 16:15:58 +1000, "%%" wrote:



"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I worry that if I were mugged in the street it would be very easy for
the mugger to access the phone simply by pressing my finger against
the screen. Is that how it works?
  #45   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 14,085
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 16:24:16 +1000, %% wrote:

What happens if someone breaks into your house and steals the pieces
of paper? Mine uses military security and allows you to view, cut and
paste the passwords as required.


Assuming the device with your passwords on hasn't also been
nicked or even simply died. Lightning strike, power surge?


Both are trivially avoided by using an iphone with fingerprint
or facial recognition. Even if it gets smashed completely or
say dropped over the side of a boat etc, it's trivial to replace
it and carry on regardless.


1) Assuming you like the iPhone environment. I don't.
2) Assuming you trust a 3rd party "cloud" with your data. I don't.
3) Using a phone for 'net access is a PITA compared to a desk top.

--
Cheers
Dave.





  #46   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 14,085
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 08:49:49 +0100, Scott wrote:

I worry that if I were mugged in the street it would be very easy for
the mugger to access the phone simply by pressing my finger against
the screen. Is that how it works?


Finger print sensor but yes that's how it works, they would have to
use one of the fingers the device knows about though. A good guess
would be the 1st or maybe index finger on either hand.

They would then have to make sure the device couldn't go back into
lock mode, unless they took your finger with them...

My Android takes quite a few scan attempts (more than I'd like)
before getting stroppy and wanting another form of authentication.
It'll also ask for that "out of the blue" as well.

--
Cheers
Dave.



  #47   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 16:15:58 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile asshole's latest troll**** unread
  #48   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default O/T: internet security question (leaked details)

On 21/07/2020 07:15, %% wrote:


"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder
if he
also used it for his password manager allowing hackers to scoop up
any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I
have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I do nothing important on my mobile. I don't even bother to lock it.
If someone were to steal it I would change my passwords for email and
linux logins more or less instantly. I think that would solve 97% of
what is stored on it.

It's an innately insecure device. Live with it


--
But what a weak barrier is truth when it stands in the way of an
hypothesis!

Mary Wollstonecraft
  #49   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 15:58:27 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile asshole's latest troll**** unread

--
John addressing the senile Australian pest:
"You are a complete idiot. But you make me larf. LOL"
MID:
  #50   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 16:24:16 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:


FLUSH the trolling senile asshole's latest troll**** unread

--
Bod addressing abnormal senile quarreller Rot:
"Do you practice arguing with yourself in an empty room?"
MID:


  #51   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Scott" wrote in message
news
On Tue, 21 Jul 2020 16:15:58 +1000, "%%" wrote:



"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if
he
also used it for his password manager allowing hackers to scoop up
any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I worry that if I were mugged in the street it would be very easy for
the mugger to access the phone simply by pressing my finger against
the screen. Is that how it works?


That won't work when you register a non obvious finger.

And only one of the latest iphones uses fingerprints anyway,
the others use facial recognition which is much harder to
monster the victim into supplying the normal face print with

  #52   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Dave Liquorice" wrote in message
idual.net...
On Tue, 21 Jul 2020 16:24:16 +1000, %% wrote:

What happens if someone breaks into your house and steals the pieces
of paper? Mine uses military security and allows you to view, cut and
paste the passwords as required.

Assuming the device with your passwords on hasn't also been
nicked or even simply died. Lightning strike, power surge?


Both are trivially avoided by using an iphone with fingerprint
or facial recognition. Even if it gets smashed completely or
say dropped over the side of a boat etc, it's trivial to replace
it and carry on regardless.


1) Assuming you like the iPhone environment. I don't.


It isn't the only smartphone with a reliable fingerprint or
facial recognition system that can't be fooled by a thief.

2) Assuming you trust a 3rd party "cloud" with your data. I don't.


Doesn't have to be a 2rd party backup.

3) Using a phone for 'net access is a PITA compared to a desk top.


It's actually much easier because the fingerprint or facial recognition
is vastly easier to use than a username/password combination.

  #53   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Dave Liquorice" wrote in message
idual.net...
On Tue, 21 Jul 2020 08:49:49 +0100, Scott wrote:

I worry that if I were mugged in the street it would be very easy for
the mugger to access the phone simply by pressing my finger against
the screen. Is that how it works?


Finger print sensor but yes that's how it works, they would have to
use one of the fingers the device knows about though. A good guess
would be the 1st or maybe index finger on either hand.

They would then have to make sure the device couldn't go back into
lock mode, unless they took your finger with them...


And with the best systems, it has to be a live finger.

My Android takes quite a few scan attempts (more than I'd like)
before getting stroppy and wanting another form of authentication.
It'll also ask for that "out of the blue" as well.


Trivial to use a better system which doesn't.

  #54   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"The Natural Philosopher" wrote in message
...
On 21/07/2020 07:15, %% wrote:


"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder
if he
also used it for his password manager allowing hackers to scoop up
any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I
have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I do nothing important on my mobile. I don't even bother to lock it.
If someone were to steal it I would change my passwords for email and
linux logins more or less instantly. I think that would solve 97% of what
is stored on it.

It's an innately insecure device. Live with it


Bull**** it is with the best fingerprint and facial recognition systems.


--
But what a weak barrier is truth when it stands in the way of an
hypothesis!

Mary Wollstonecraft


  #55   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 19:45:53 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile pest's latest troll**** unread

--
JimK addressing senile Rodent Speed:
"I really feel the quality of your trolling has dropped in the last few
months..."
MID:


  #56   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 19:38:22 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:


FLUSH the trolling senile asshole's latest troll**** unread

--
The Natural Philosopher about senile Rodent:
"Rod speed is not a Brexiteer. He is an Australian troll and arsehole."
Message-ID:
  #57   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Tue, 21 Jul 2020 19:48:09 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile asshole's latest troll**** unread

--
FredXX to Rodent Speed:
"You are still an idiot and an embarrassment to your country. No wonder
we shipped the likes of you out of the British Isles. Perhaps stupidity
and criminality is inherited after all?"
Message-ID:
  #58   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default Lonely Obnoxious Cantankerous Auto-contradicting Senile Ozzie Troll Alert!

On Tue, 21 Jul 2020 19:42:27 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile asshole's latest troll**** unread

--
Marland revealing the senile sociopath's pathology:
"You have mentioned Alexa in a couple of threads recently, it is not a real
woman you know even if it is the only thing with a female name that stays
around around while you talk it to it.
Poor sad git who has to resort to Usenet and electronic devices for any
interaction as all real people run a mile to get away from you boring them
to death."
MID:
  #59   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

Pamela wrote:
On 12:25 20 Jul 2020, Chris Green said:

Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has
been mentioned servers with customer data can be just sold to any
tom dick or Serge.

Judging by the OP's habit of reusing the same password, I wonder if
he also used it for his password manager allowing hackers to scoop
up any passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not require signing in subsequently.

So if someone nicks your computer they get access?!


Two factor authentication is in addition to your usual account name and
password. The idea is that some Russian hacker can't access your account
without also having physical access to the PC to generate required
passkeys.

Nowadays banks are doing this or something similar, such as sending a
text.

If someone nicks your computer with the authenticator app then you go to
another computer and access the authenticator with your special password
to remove the stolen device from authenticator account.

Yes, but the original I was replying to says:-

"...remembered as safe and not require signing in subsequently."

which says to me that access from a particular computer (or smartphone
maybe) is automatic, without any sort of authentication.

--
Chris Green
  #60   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

The Natural Philosopher wrote:
On 21/07/2020 07:15, %% wrote:


"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder
if he
also used it for his password manager allowing hackers to scoop up
any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I
have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not
require signing in subsequently.

So if someone nicks your computer they get access?!


That's why I do that stuff on the iphone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I do nothing important on my mobile. I don't even bother to lock it.
If someone were to steal it I would change my passwords for email and
linux logins more or less instantly. I think that would solve 97% of
what is stored on it.

Exactly! :-) Much easier to use to make phone calls (which is what I
use mine for, strangely) if there's no lock at all on it. It's a
pay-as-you-go phone so there's only maximum of £10 or so of credit for
someone to 'steal'.

--
Chris Green


  #61   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.


A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable because otherwise you
have to have a written copy somewhere that someone else can find. A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.

--
Chris Green
  #62   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 21/07/2020 11:28, Chris Green wrote:
John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.


A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable


Alas the days when passwords of adequate complexity being memorable are
long since gone for most users. Yes you can probably deal with a few
that are ok, but for hundreds of unique passwords for all the things
that need a password?

because otherwise you
have to have a written copy somewhere that someone else can find.


For certain values of "written" - yes they could be on paper, but
equally in a password manager or some other form of encrypted storage.

(actually we are quite good at keeping safe small amounts of paper -
like stuff in your wallet)


A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.


However it does get past a few of the issues, since you probably can
remember one really good password that gets you into the manager[1].

If you link that to 2FA then you have less chance of it being
compromised as well as a recovery mechanism.

(and good password managers don't store plaintext passwords online - any
encryption / decryption being done only at point of use)

[1] and if you can't, then you write that down in an obfuscated/hidden
form on paper and put that in your wallet.


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
  #63   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

Jethro_uk wrote:
If someone nicks your computer with the authenticator app then you go
to another computer and access the authenticator with your special
password to remove the stolen device from authenticator account.

Yes, but the original I was replying to says:-

"...remembered as safe and not require signing in subsequently."

which says to me that access from a particular computer (or smartphone
maybe) is automatic, without any sort of authentication.


But that can be revoked, or still subject to re-authentication in certain
circumstances.


Still not very secure IMHO, someone steals your laptop or smartphone
and, until you notice and do something about it, they have access to
whatever is automatically allowed because your laptop/smartphone is
'secure'.

Any sort of system that makes it 'easier' for you to use complex
security will make it less secure. It's swings and roundabouts, a
simple system may not be so secure but one is much less likely to
bypass it routinely.

--
Chris Green
  #64   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

John Rumm wrote:
On 21/07/2020 11:28, Chris Green wrote:
John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.

A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable


Alas the days when passwords of adequate complexity being memorable are
long since gone for most users. Yes you can probably deal with a few
that are ok, but for hundreds of unique passwords for all the things
that need a password?

You (anyway I) don't need hundreds of secure, unique, passwords. I
need lots of insecure passwords but only half a dozen or so really
secure ones. All those web forums and shops (as long as you don't
give them your credit card details) don't need secure passwords, what
do you lose if someone breaks one of them?


because otherwise you
have to have a written copy somewhere that someone else can find.


For certain values of "written" - yes they could be on paper, but
equally in a password manager or some other form of encrypted storage.

Er, but the password manager needs a password/key.


(actually we are quite good at keeping safe small amounts of paper -
like stuff in your wallet)


A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.


However it does get past a few of the issues, since you probably can
remember one really good password that gets you into the manager[1].

.... and when you're out and about and need access to your bank
account, or your money transfer system, or whatever and you don't have
the password manager with you?


If you link that to 2FA then you have less chance of it being
compromised as well as a recovery mechanism.

(and good password managers don't store plaintext passwords online - any
encryption / decryption being done only at point of use)

To my mind good password managers don't store your passwords anywhere
that isn't 'yours'! :-) The one thing I have considered for this
sort of thing is a memory stick with the program and password storage
on it. You could even have a stick with Linux and Windows and Mac
software to decrypt the password so can stick it in a friend's computer
if necessary.

--
Chris Green
  #65   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,970
Default O/T: internet security question (leaked details)

Jethro_uk wrote:
On Tue, 21 Jul 2020 11:28:00 +0100, Chris Green wrote:

John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too
hard, nobody can remember it, if it's too simple people can guess it,
and of course many devices that use a cloud storage system
actually store it,
supposedly encrypted.

A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable because otherwise you
have to have a written copy somewhere that someone else can find.


Unless you have a memorable *algorithm* to generate a password for a
given site? Even if it's just "ROT13 the URL"


That's what I do for relatively insecure/unimportant passwords (not
ROT13, but an 'algorithm' that allows me to derive the password from
the web site name).


--
Chris Green
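
An added illustration (not part of any poster's message) of the memorable "algorithm" idea raised in the thread: a fixed transform such as ROT13 of the site name needs no secret, so it can be recomputed from the site name alone, whereas a derivation keyed by a master passphrase cannot. The site names, passphrase, function names and PBKDF2 parameters are assumptions made for this sketch.

```python
import codecs
import hashlib
import string

# Constructed sample inputs (not taken from the thread).
SITES = ["exampleforum.test", "exampleshop.test"]
MASTER = "constructed master passphrase, not a real one"

ALNUM = string.ascii_letters + string.digits
SYMBOLS = "!#$%&*+-=?@_"

# Transforms that need no secret: anyone who knows the site name can apply them.
PUBLIC_TRANSFORMS = {
    "identity": lambda s: s,
    "reversed": lambda s: s[::-1],
    "rot13": lambda s: codecs.encode(s, "rot13"),
    "uppercase": str.upper,
}


def rot13_password(site: str) -> str:
    """The 'ROT13 the URL' formula: a fixed, unkeyed transform of the site name."""
    return codecs.encode(site, "rot13")


def unkeyed_formula(site: str, password: str):
    """Audit check: name the public transform that maps site -> password, or None.

    If this returns a name, the password contains no secret at all, and one
    leaked password tells the reader how every other one is built.
    """
    for name, transform in PUBLIC_TRANSFORMS.items():
        if transform(site) == password:
            return name
    return None


def derived_password(master: str, site: str, length: int = 20,
                     counter: int = 1, allow_symbols: bool = True) -> str:
    """Derive a per-site password from a master passphrase (assumed scheme).

    PBKDF2-HMAC-SHA256 stretches the passphrase; the site name and a counter
    form the salt, so each site gets an unrelated password and bumping the
    counter rotates it after a breach. allow_symbols=False covers sites that
    object to symbols in a password.
    """
    alphabet = ALNUM + (SYMBOLS if allow_symbols else "")
    salt = f"{site.lower()}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=32)
    # Read the 256-bit key as an integer and peel off digits in base len(alphabet).
    n = int.from_bytes(key, "big")
    chars = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        chars.append(alphabet[idx])
    return "".join(chars)


if __name__ == "__main__":
    for site in SITES:
        weak = rot13_password(site)
        strong = derived_password(MASTER, site)
        print(site)
        print("  rot13 formula :", weak, "| unkeyed:", unkeyed_formula(site, weak))
        print("  keyed derived :", strong, "| unkeyed:", unkeyed_formula(site, strong))
```

The keyed scheme still rests entirely on the master passphrase, which is the same trade-off the posters raise about a password manager's master password.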


  #66   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 21/07/2020 15:02, Chris Green wrote:
John Rumm wrote:
On 21/07/2020 11:28, Chris Green wrote:
John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.

A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable


Alas the days of passwords of adequate complexity being memorable are
long since gone for most users. Yes you can probably deal with a few
that are ok, but for hundreds of unique passwords for all the things
that need a password?

You (anyway I) don't need hundreds of secure, unique, passwords. I
need lots of insecure passwords but only half a dozen or so really
secure ones. All those web forums and shops (as long as you don't
give them your credit card details) don't need secure passwords, what
do you lose if someone breaks one of them?


A working set of credentials that may work on other sites. Lots of bits
of "low grade" information that when taken as a whole may add up to
enough to be used for social engineering attacks on other more valued
sites.


Basically it's not worth trying to second guess the capabilities of the
bad guys, just make everything decently secure (randomly generated 16+
character alphanumeric passwords with symbols) and you have far less to
worry about. If you are going to find a mechanism that works for the
"important" sites, then why not use it for all?

because otherwise you
have to have a written copy somewhere that someone else can find.


For certain values of "written" - yes they could be on paper, but
equally in a password manager or some other form of encrypted storage.

Er, but the password manager needs a password/key.


See below...

(actually we are quite good at keeping safe small amounts of paper -
like stuff in your wallet)


A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.


However it does get past a few of the issues, since you probably can
remember one really good password that gets you into the manager[1].

.... and when you're out and about and need access to your bank
account, or your money transfer system, or whatever and you don't have
the password manager with you?


Look at the paper version in your wallet, or look in the contacts on
your phone...

The person stealing your phone does not know that among the hundreds of
contacts you have, the one for Aunt Maud in Hove actually conceals the
master password for your manager comprised of the first 4 digits of her
phone number, her post code, and the middle 5 characters of the street
name, and the name of the dog you casually mention by name in a note to
yourself.

(and if anal, use a real post code, and matching street address, with a
phone number in the right dialling code area!)

If you link that to 2FA then you have less chance of it being
compromised as well as a recovery mechanism.

(and good password managers don't store plaintext passwords online - any
encryption / decryption being done only at point of use)

To my mind good password managers don't store your passwords anywhere
that isn't 'yours'! :-)


Well in an ideal world that may be true, but the implications of that
are that you are either now responsible for providing secure hosting of
"your" database, or secure remote access to your computer and all that
entails.

Second best is allowing someone with a vested interest in not getting
hacked to look after the encrypted version. (which if done right will be
computationally secure for an adequate period)

The one thing I have considered for this
sort of thing is a memory stick with the program and password storage
on it. You could even have a stick with Linux and Windows and Mac
software to decrypt the password so can stick it in a friend's computer
if necessary.


How do you remember the login password for the account on that
installation of Windows/Linux etc? You are always going to come back to
the same basic problems...




--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #67   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 21/07/2020 14:15, Jethro_uk wrote:
On Tue, 21 Jul 2020 11:28:00 +0100, Chris Green wrote:

John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too
hard, nobody can remember it, if it's too simple people can guess it,
and of course many devices that use a cloud storage system
actually store it, supposedly encrypted.

A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable because otherwise you
have to have a written copy somewhere that someone else can find.


Unless you have a memorable *algorithm* to generate a password for a
given site? Even if it's just "ROT13 the URL"


Might be worth testing your generated passwords against known breaches,
just in case you are not the only one to have thought about it...

Also how confident are you given access to enough real credentials
generated with your algorithm, it can't be deduced?

(i.e. the usual warnings about the fact that most engineers can devise
a crypto algorithm that they themselves could not break, but that does
not mean it's actually any good)

A
password manager doesn't get over this issue because you have to have a
memorable password for the password manager.


See above ...



--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
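An added example, not part of the post above or of anyone's code in the thread: a self-audit of a "ROT13 the site name" formula that covers both points raised there, checking a generated password against breach data and checking whether leaked samples give the formula away. The breach lookup uses the SUFFIX:COUNT response format of the Pwned Passwords range search; the site names, the "!7" suffix, the corpus and all helper names are constructed for illustration.

```python
import codecs
import hashlib

# Simple "memorable formula" candidates: transforms of the site name.
TRANSFORMS = {
    "identity": lambda s: s,
    "reversed": lambda s: s[::-1],
    "rot13": lambda s: codecs.encode(s, "rot_13"),
}


def rot13_formula(site, suffix=""):
    """'ROT13 the URL', plus an optional fixed personal suffix (assumption)."""
    return codecs.encode(site, "rot_13") + suffix


def split_sha1(password):
    """Return (first 5, remaining 35) hex chars of the upper-case SHA-1."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping bad lines."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and len(suffix) == 35 and count.isdigit():
            counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Only the 5-char hash prefix goes to fetch_range; matching is local."""
    prefix, suffix = split_sha1(password)
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def make_offline_fetcher(corpus):
    """Offline stand-in for the range lookup, built from a constructed corpus."""
    buckets = {}
    for password, count in corpus.items():
        prefix, suffix = split_sha1(password)
        buckets.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(buckets.get(prefix, []))


def explain(site, password):
    """Return (transform, prefix, suffix) if a simple rule links the two."""
    for name, transform in TRANSFORMS.items():
        core = transform(site)
        idx = password.find(core)
        if core and idx != -1:
            return name, password[:idx], password[idx + len(core):]
    return None


def rule_is_deducible(leaked_pairs):
    """True if one rule explains every leaked (site, password) pair."""
    rules = {explain(site, password) for site, password in leaked_pairs}
    return len(rules) == 1 and None not in rules


# Constructed sample data, not real breach contents.
CONSTRUCTED_CORPUS = {"password": 9000, "rknzcyrsbehz": 3}
fetch = make_offline_fetcher(CONSTRUCTED_CORPUS)

if __name__ == "__main__":
    # Someone else already had the same idea for this (constructed) site.
    print(breach_count(rot13_formula("exampleforum"), fetch))
    # Two leaked samples are enough to pin down transform and suffix.
    leaked = [(s, rot13_formula(s, "!7")) for s in ("exampleforum", "exampleshop")]
    print(rule_is_deducible(leaked))
    # Randomly generated passwords carry no such link to the site name.
    print(rule_is_deducible([("exampleforum", "q7#Lw2!xPz9&Trd4")]))
```
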
  #68   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:



Stick the email address in here: https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details.


There is no subscription as such unless you wish to purchase API level
access.

Looks like a con to me.


Which just demonstrates that you should not rely on your intuition in
these matters :-)

(go do some research on Troy Hunt)

In any case, if the breach only amounts to my email address (which
is pretty widely circulated anyway) and the specific password for
the compromised site (which has presumably reset the passwords
anyway), I don't see a problem.


If that were all that was available, then there would be a massive
problem... however in reality it is *much* worse!

Have a look through some of the names in here:

https://haveibeenpwned.com/PwnedWebsites


e.g.


Experian

In September 2015, the US based credit bureau and consumer data broker
Experian suffered a data breach that impacted 15 million customers who

[snip]

Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit status information, Dates of birth, Email
addresses, Ethnicities, Family structure, Genders, Home ownership
statuses, Income levels, IP addresses, Names, Phone numbers, Physical
addresses, Purchasing habits



Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to
the Turkish hacker collective "Maxn3y". The data was consequently
publicly exposed and included user names, email addresses, social
security numbers, SMS message, server logs and passwords from a variety
of different internal sources.

Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs,
IP addresses, Names, Passwords, Phone numbers, Physical addresses,
Purchases, SMS messages, Usernames





--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #69   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 20/07/2020 12:59, Scott wrote:
On 20 Jul 2020 12:35:40 +0100 (BST), Theo
wrote:

Scott wrote:
It is not a con. It is not a "subscription".

Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

out of context
That's an ad for 1Password, which is a password manager. Have I Been Pwned
is a separate thing and has a 'notify me' function which will mail you if
your email or domain shows up in other breaches. It's free, and the link is
at the top of the screen.

Okay, it's an attempt to con then, not a con. It is quite clear they
are trying to induce you into clicking 'Start using 1Password.com'.


Perhaps you had better check how ad networks serve content...



--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #70   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 14,085
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 15:02:41 +0100, Chris Green wrote:

.... and when you're out and about and need access to your bank
account, or your money transfer system, or whatever and you don't have
the password manager with you?


Which is where having a "formula" to generate passwords scores. You
don't have to remember any passwords, you can work them out where
ever you are for use on any device.

And yes I have had to do this. Probably the most important was when a
CC got skimmed in Rio.

--
Cheers
Dave.





  #71   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,904
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 17:15:17 +0100, John Rumm
wrote:

On 20/07/2020 12:59, Scott wrote:
On 20 Jul 2020 12:35:40 +0100 (BST), Theo
wrote:

Scott wrote:
It is not a con. It is not a "subscription".

Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

out of context
That's an ad for 1Password, which is a password manager. Have I Been Pwned
is a separate thing and has a 'notify me' function which will mail you if
your email or domain shows up in other breaches. It's free, and the link is
at the top of the screen.

Okay, it's an attempt to con then, not a con. It is quite clear they
are trying to induce you into clicking 'Start using 1Password.com'.


Perhaps you had better check how ad networks serve content...


I don't really see any need. As soon as I see the word 'subscribe' or
anyone asks for money I'm out.
  #72   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,904
Default O/T: internet security question (leaked details)

On Tue, 21 Jul 2020 17:13:44 +0100, John Rumm
wrote:

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:



Stick the email address in here: https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details.


There is no subscription as such unless you wish to purchase API level
access.

Looks like a con to me.


Which just demonstrates that you should not rely on your intuition in
these matters :-)

(go do some research on Troy Hunt)

In any case, if the breach only amounts to my email address (which
is pretty widely circulated anyway) and the specific password for
the compromised site (which has presumably reset the passwords
anyway), I don't see a problem.


If that were all that was available, then there would be a massive
problem... however in reality it is *much* worse!

Have a look through some of the names in here:

https://haveibeenpwned.com/PwnedWebsites


e.g.


Experian

In September 2015, the US based credit bureau and consumer data broker
Experian suffered a data breach that impacted 15 million customers who

[snip]

Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit status information, Dates of birth, Email
addresses, Ethnicities, Family structure, Genders, Home ownership
statuses, Income levels, IP addresses, Names, Phone numbers, Physical
addresses, Purchasing habits



Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to
the Turkish hacker collective "Maxn3y". The data was consequently
publicly exposed and included user names, email addresses, social
security numbers, SMS message, server logs and passwords from a variety
of different internal sources.

Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs,
IP addresses, Names, Passwords, Phone numbers, Physical addresses,
Purchases, SMS messages, Usernames


Would each of these sites not require to make customers aware at the
time? I'm sure Experian did.
  #73   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Chris Green" wrote in message
...
The Natural Philosopher wrote:
On 21/07/2020 07:15, %% wrote:


"Chris Green" wrote in message
...
Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager
of course. However there is no 100 percent secure system if as has
been mentioned servers with customer data can be just sold to any tom
dick or Serge.

Judging by the OP's habit of reusing the same password, I wonder
if he also used it for his password manager allowing hackers to scoop up
any passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I have to return a phone code.

MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not require signing in subsequently.

So if someone nicks your computer they get access?!

That's why I do that stuff on the iPhone with fingerprint or
facial recognition, nicking it doesn't allow anyone to use it.


I do nothing important on my mobile. I don't even bother to lock it.
If someone were to steal it I would change my passwords for email and
linux logins more or less instantly. I think that would solve 97% of
what is stored on it.


Exactly! :-) Much easier to use to make phone calls (which
is what I use mine for, strangely) if there's no lock at all on it.


That's wrong when the unlock is as trivial as putting your finger
on the fingerprint sensor or letting it see your face with instant
recognition of either one. Or getting even more radical and
telling the phone who to call and having it do that.

It's a pay-as-you-go phone so there's only maximum
of £10 or so of credit for someone to 'steal'.


But it makes more sense to do the stuff like net banking
on the phone which has much better and much easier
to use security using the fingerprint or facial recognition.

  #74   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Chris Green" wrote in message
...
John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store
it, supposedly encrypted.


A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable because otherwise you
have to have a written copy somewhere that someone else can find. A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.


But just the one in the case of the password manager and with a well
implemented system which only allows a few tries before locking out
the password entry, it doesn't have to be complicated so it can be
trivial to remember.

  #75   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 21/07/2020 18:46, Scott wrote:
On Tue, 21 Jul 2020 17:15:17 +0100, John Rumm
wrote:

On 20/07/2020 12:59, Scott wrote:
On 20 Jul 2020 12:35:40 +0100 (BST), Theo
wrote:

Scott wrote:
It is not a con. It is not a "subscription".

Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.
out of context
That's an ad for 1Password, which is a password manager. Have I Been Pwned
is a separate thing and has a 'notify me' function which will mail you if
your email or domain shows up in other breaches. It's free, and the link is
at the top of the screen.

Okay, it's an attempt to con then, not a con. It is quite clear they
are trying to induce you into clicking 'Start using 1Password.com'.


Perhaps you had better check how ad networks serve content...


I don't really see any need. As soon as I see the word 'subscribe' or
anyone asks for money I'm out.


Even when it's in an ad that is not selected by the site that hosts it,
for a service not even sold by the site?




--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/


  #76   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Chris Green" wrote in message
...
Jethro_uk wrote:
If someone nicks your computer with the authenticator app then you go
to another computer and access the authenticator with your special
password to remove the stolen device from authenticator account.

Yes, but the original I was replying to says:-

"...remembered as safe and not require signing in subsequently."

which says to me that access from a particular computer (or smartphone
maybe) is automatic, without any sort of authentication.


But that can be revoked, or still subject to re-authentication in certain
circumstances.


Still not very secure IMHO, someone steals your laptop or smartphone
and, until you notice and do something about it, they have access to
whatever is automatically allowed because your laptop/smartphone is
'secure'.


Any sort of system that makes it 'easier' for you to use complex
security will make it less secure.


That's wrong with reliable fingerprint and facial recognition.

Most obviously with payment at the checkout using a smartphone
where both are much easier to use than a pin or password and
are vastly more secure. No one can even watch you enter the
pin or password and steal it that way.

Payment using a smartphone is also vastly more secure
in the sense that even the merchant never gets anything
that can be used again after you have left the store either
and there is no risk of crooked employee or owner adding
a skimming mechanism to grab your card details either.

It's swings and roundabouts, a simple system may not be so
secure but one is much less likely to bypass it routinely.


See above.

  #77   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Chris Green" wrote in message
...
John Rumm wrote:
On 21/07/2020 11:28, Chris Green wrote:
John Rumm wrote:

I mean, another thing to look at is wifi password. Now if it's too
hard, nobody can remember it, if it's too simple people can guess it,
and of course many devices that use a cloud storage system actually
store it, supposedly encrypted.

A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

Surely a decent password *has* to be memorable


Alas the days of passwords of adequate complexity being memorable are
long since gone for most users. Yes you can probably deal with a few
that are ok, but for hundreds of unique passwords for all the things
that need a password?

You (anyway I) don't need hundreds of secure, unique, passwords. I
need lots of insecure passwords but only half a dozen or so really
secure ones. All those web forums and shops (as long as you don't
give them your credit card details) don't need secure passwords, what
do you lose if someone breaks one of them?


because otherwise you
have to have a written copy somewhere that someone else can find.


For certain values of "written" - yes they could be on paper, but
equally in a password manager or some other form of encrypted storage.

Er, but the password manager needs a password/key.


But just the one to remember.

(actually we are quite good at keeping safe small amounts of paper -
like stuff in your wallet)


A
password manager doesn't get over this issue because you have to have
a memorable password for the password manager.


However it does get past a few of the issues, since you probably can
remember one really good password that gets you into the manager[1].

... and when you're out and about and need access to your bank
account, or your money transfer system, or whatever and you don't have
the password manager with you?


It always is because it's on the smartphone used to do the transactions.

If you link that to 2FA then you have less chance of it being
compromised as well as a recovery mechanism.

(and good password managers don't store plaintext passwords online - any
encryption / decryption being done only at point of use)


To my mind good password managers don't store your passwords anywhere
that isn't 'yours'! :-)


Doesn't matter if the encryption is bulletproof.

The one thing I have considered for this
sort of thing is a memory stick with the program and password storage
on it. You could even have a stick with Linux and Windows and Mac
software to decrypt the password so can stick it in a friend's computer
if necessary.


Much more convenient to have bulletproof encryption.

  #78   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default O/T: internet security question (leaked details)

On 21/07/2020 18:48, Scott wrote:
On Tue, 21 Jul 2020 17:13:44 +0100, John Rumm
wrote:

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:



Stick the email address in here: https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details.


There is no subscription as such unless you wish to purchase API level
access.

Looks like a con to me.


Which just demonstrates that you should not rely on your intuition in
these matters :-)

(go do some research on Troy Hunt)

In any case, if the breach only amounts to my email address (which
is pretty widely circulated anyway) and the specific password for
the compromised site (which has presumably reset the passwords
anyway), I don't see a problem.


If that were all that was available, then there would be a massive
problem... however in reality it is *much* worse!

Have a look through some of the names in here:

https://haveibeenpwned.com/PwnedWebsites


e.g.


Experian

In September 2015, the US based credit bureau and consumer data broker
Experian suffered a data breach that impacted 15 million customers who

[snip]

Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit status information, Dates of birth, Email
addresses, Ethnicities, Family structure, Genders, Home ownership
statuses, Income levels, IP addresses, Names, Phone numbers, Physical
addresses, Purchasing habits



Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to
the Turkish hacker collective "Maxn3y". The data was consequently
publicly exposed and included user names, email addresses, social
security numbers, SMS message, server logs and passwords from a variety
of different internal sources.

Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs,
IP addresses, Names, Passwords, Phone numbers, Physical addresses,
Purchases, SMS messages, Usernames


Would each of these sites not require to make customers aware at the
time? I'm sure Experian did.


After much foot dragging, and vastly underestimating the numbers
affected... (ISTR was something like 160+ million in the end including a
significant number in the UK).

Having Experian come along and let you know that they have just handed
copious quantities of sensitive information to potential fraudsters,
does not do much to mitigate the damage. (They did offer a year's free
access to their ID theft monitoring service - presumably reverting to
paid after that - so basically treating their cock-up as a marketing
opportunity!)

It illustrates that many of these breaches leak far more than just "only
amounts to my email address" ... "and the specific password for the
compromised site" as you put it.

Remember also that for many people affected by breaches, the leaked data
would lead to compromise of other unrelated sites due to re-use of
credentials.




--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #79   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Wed, 22 Jul 2020 05:04:52 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:


FLUSH the trolling senile asshole's latest troll**** unread


--
Sqwertz to Rodent Speed:
"This is just a hunch, but I'm betting you're kinda an argumentative
asshole.
MID:
  #80   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 15,560
Default More Heavy Trolling by Senile Nym-Shifting Rodent Speed!

On Wed, 22 Jul 2020 05:07:26 +1000, %%, better known as cantankerous
trolling senile geezer Rodent Speed, wrote:

FLUSH the trolling senile asshole's latest troll**** unread

--
Bill Wright to Rodent Speed:
"That confirms my opinion that you are a despicable little ****."
MID:
All times are GMT +1. The time now is 06:11 AM.
