UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#1   Posted to uk.d-i-y
O/T: internet security question (leaked details)

Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.
#2   Posted to uk.d-i-y

wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


I think it's pretty safe to assume some aspect
of this "small company" website is compromised.

Small companies rent everything. They can't even
rent a clue.

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it. Only one site had a security issue -
the company went bankrupt, and we heard later the
servers they had were sold without being sanitized.
(All the account info left the building intact,
destination unknown.)

If you're using the same password for all of them,
well, stop doing that :-) Or, uh... Oh. It already
happened.

Paul
#3   Posted to uk.d-i-y

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here
https://haveibeenpwned.com
#4   Posted to uk.d-i-y

They are always telling us that we should use a password manager of course.
However there is no 100 percent secure system if as has been mentioned
servers with customer data can be just sold to any tom dick or Serge.

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.
The hackers know about exploiting apis these days as people use these off
the shelf like a way to stop having to write new ones, but if they don't
use them properly often a breach is created bigger than the brain of Marvin.
Brian

--
----- --
This newsgroup posting comes to you directly from...
The Sofa of Brian Gaff...

Blind user, so no pictures please
Note this Signature is meaningless.!
"Paul" wrote in message
...
wrote:
Five days ago, I placed an online order with a company that I have used
many times, over the years. It's an online supplier of vitamins and
nutritional supplements. My account with that company has login details
(email address and password) that I used to use for pretty much
everything, until various companies enforced changes, to improve
security.

Two days ago I got an email from Spotify, reporting a login from Germany.
I set up my Spotify account in 2012 and haven't used it since then, so I
was curious. On checking, the login email address and password is the
same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login.
Sure enough, my Amazon account uses the old email address and password
(all registered credit cards recently expired, so no possibility of rogue
purchases).

In the small hours of this morning, I got an email from Netflix, warning
of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow
leaked out into the ether. The question is: how? I can't help but notice
the coincidence of my recent order with the vitamin company and hot on
the heels of that, rogue logins to various services. Does anyone have a
view on the most likely explanation? Could it be a weakness in the
vitamin company's systems/web page, dishonesty of an employee at the
company, or is it more likely to be something at my end (e.g. keystroke
logging malware)? I run McAfee on my laptop and use Google Chrome
browser with Win 7.

Thanks. Ant.


I think it's pretty safe to assume some aspect
of this "small company" website is compromised.

Small companies rent everything. They can't even
rent a clue.

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it. Only one site had a security issue -
the company went bankrupt, and we heard later the
servers they had were sold without being sanitized.
(All the account info left the building intact,
destination unknown.)

If you're using the same password for all of them,
well, stop doing that :-) Or, uh... Oh. It already
happened.

Paul



#5   Posted to uk.d-i-y

Stick the email address in here
https://haveibeenpwned.com

Ah, that shows LinkedIn as an affected site for a data breach associated with the email address in question. I just realised that my LinkedIn account also used the old favourite email/password combo, so the recent activity could all be down to the LinkedIn breach.

https://haveibeenpwned.com says that while the LinkedIn breach was in 2016, it was 4 years later that the data began appearing on the dark web market. Maybe the vitamin supplier transaction was not at fault (still could be, though).

Cheers.

Ant.



#6   Posted to uk.d-i-y

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:

wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


I think it's pretty safe to assume some aspect
of this "small company" website is compromised.

Small companies rent everything. They can't even
rent a clue.

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.


Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form? What happens if someone breaks
into your house and steals the pieces of paper? Mine uses military
security and allows you to view, cut and paste the passwords as
required.
#7   Posted to uk.d-i-y

On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here
https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details. Looks like a con to me.

In any case, if the breach only amounts to my email address (which is
pretty widely circulated anyway) and the specific password for the
compromised site (which has presumably reset the passwords anyway), I
don't see a problem.
#8   Posted to uk.d-i-y

On 20/07/2020 08:17, Richard wrote:

Stick the email address in here
https://haveibeenpwned.com


While that may help to see if your data is already compromised why would
anyone set up an account with them to generate passwords? It seems
against any sensible security to give personal details and then let a
third party generate a password on their web site.

--
mailto : news {at} admac {dot} myzen {dot} co {dot} uk
#9   Posted to uk.d-i-y

On 20/07/2020 09:42, wrote:
Stick the email address in here
https://haveibeenpwned.com

Ah, that shows LinkedIn as an affected site for a data breach associated with the email address in question. I just realised that my LinkedIn account also used the old favourite email/password combo, so the recent activity could all be down to the LinkedIn breach.

https://haveibeenpwned.com says that while the LinkedIn breach was in 2016, it was 4 years later that the data began appearing on the dark web market. Maybe the vitamin supplier transaction was not at fault (still could be, though).

Cheers.

Ant.


Also check that after you get these warning emails that you don't use
the link in the same email to go to the site to change your password.


--
mailto : news {at} admac {dot} myzen {dot} co {dot} uk
#10   Posted to uk.d-i-y

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here
https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details. Looks like a con to me.


It is not a con. It is not a "subscription".


In any case, if the breach only amounts to my email address (which is
pretty widely circulated anyway) and the specific password for the
compromised site (which has presumably reset the passwords anyway), I
don't see a problem.


Good for you.


#11   Posted to uk.d-i-y

On 20/07/2020 09:58, alan_m wrote:
On 20/07/2020 08:17, Richard wrote:

Stick the email address in here
https://haveibeenpwned.com


While that may help to see if your data is already compromised why would
anyone set up an account with them to generate passwords? It seems
against any sensible security to give personal details and then let a
third party generate a password on their web site.


You do not have to set up an account to generate passwords.
The OP asked a question which *could* be answered by using the site.


This is the report for one of my email addresses:

Adobe: In October 2013, 153 million Adobe accounts were breached with
each containing an internal ID, username, email, encrypted password and
a password hint in plain text. The password cryptography was poorly done
and many were quickly resolved back to plain text. The unencrypted hints
also disclosed much about the passwords adding further to the risk that
hundreds of millions of Adobe customers already faced.

Compromised data: Email addresses, Password hints, Passwords, Usernames

Onliner Spambot (spam list): In August 2017, a spambot by the name of
Onliner Spambot was identified by security researcher Benkow moʞuƎq. The
malicious software contained a server-based component located on an IP
address in the Netherlands which exposed a large number of files
containing personal information. In total, there were 711 million unique
email addresses, many of which were also accompanied by corresponding
passwords. A full write-up on what data was found is in the blog post
titled Inside the Massive 711 Million Record Onliner Spambot Dump.

Compromised data: Email addresses, Passwords

River City Media Spam List (spam list): In January 2017, a massive trove
of data from River City Media was found exposed online. The data was
found to contain almost 1.4 billion records including email and IP
addresses, names and physical addresses, all of which was used as part
of an enormous spam operation. Once de-duplicated, there were 393
million unique email addresses within the exposed data.
#12   Posted to uk.d-i-y

On 20 Jul 2020 09:04:01 GMT, Tim Streater
wrote:

On 20 Jul 2020 at 09:51:07 BST, Scott wrote:

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:

wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.

I think it's pretty safe to assume some aspect
of this "small company" website is compromised.

Small companies rent everything. They can't even
rent a clue.

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.


Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form? What happens if someone breaks
into your house and steals the pieces of paper?


Drat yes, I hope the scrote doesn't notice the book on the bookshelf with the
word "Passwords" embossed on the spine in gold. I expect such a scrote would
have a little "Lone Ranger" mask, wear a black-and white striped jersey, and
carry a bag marked "Swag" over his shoulder.


Thanks for your insightful advice. I'll stop locking my front door -
obviously unnecessary as crime is fake news.
#13   Posted to uk.d-i-y

On Mon, 20 Jul 2020 10:12:31 +0100, Richard
wrote:

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here
https://haveibeenpwned.com


Four breaches, only one makes any sense and you have to subscribe to
find out more details. Looks like a con to me.


It is not a con. It is not a "subscription".


Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

In any case, if the breach only amounts to my email address (which is
pretty widely circulated anyway) and the specific password for the
compromised site (which has presumably reset the passwords anyway), I
don't see a problem.


Good for you.


Good for you if you hand out money every time you see the word
'security'.
#14   Posted to uk.d-i-y

In message ,
writes
Clearly, my old, well used email address and password combo has somehow
leaked out into the ether. The question is: how? I can't help but
notice the coincidence of my recent order with the vitamin company and
hot on the heels of that, rogue logins to various services. Does anyone
have a view on the most likely explanation? Could it be a weakness in
the vitamin company's systems/web page, dishonesty of an employee at
the company, or is it more likely to be something at my end (e.g.
keystroke logging malware)? I run McAfee on my laptop and use Google
Chrome browser with Win 7.


I have my own domain, so (like many others), almost every company I
deal with gets its own email address (generally company@mydomain). From
that I can track where spam(*) comes from. In many cases it is sent to
the address that I've given to various small businesses, rarely the
large ones, leading me to the conclusion (possibly wrongly) that some
small businesses (or more likely their outsourced systems) have had some
poor IT security. In only one case has a business been in touch to
admit that they've been compromised, and that was by an activist group
whose name I forget.

(*) spam also covers phishing attempts, and those odd emails from the
person telling me that they've hacked my (non-existent) webcam.

Adrian
--
To Reply :
replace "diy" with "news" and reverse the domain

If you are reading this from a web interface eg DIY Banter,
DIY Forum or Google Groups, please be aware this is NOT a forum, and
you are merely using a web portal to a USENET group. Many people block
posters coming from web portals due to perceived SPAM or inaneness.
For a better method of access, please see:

http://wiki.diyfaq.org.uk/index.php?title=Usenet
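
The per-company address scheme described in the post above (company@mydomain), as an added example that is not part of the original post: it sorts incoming mail by the alias it was delivered to and reports which aliases are receiving mail from senders other than the company they were given to. The domain `mydomain.example`, the alias book and the sample messages are all constructed for illustration.

```python
"""Attribute unsolicited mail to the per-company alias it was sent to."""
from email import message_from_string
from email.utils import getaddresses, parseaddr

MY_DOMAIN = "mydomain.example"  # assumed personal domain (placeholder)

# Assumed alias book: alias local part -> sender domains expected to use it.
ALIASES = {
    "vitaminshop": {"vitaminshop.example"},
    "bookstore": {"bookstore.example"},
}

# Constructed sample messages (headers plus a one-line body).
SAMPLES = [
    # Genuine mail from the company the alias was given to.
    "From: Orders <orders@vitaminshop.example>\n"
    "To: vitaminshop@mydomain.example\n"
    "Subject: Your order has shipped\n\nThanks for your order.\n",
    # Bulk mail: the alias only shows up in Delivered-To, not in To.
    "From: Prize Team <win@cheap-pills.example>\n"
    "To: customers@cheap-pills.example\n"
    "Delivered-To: vitaminshop@mydomain.example\n"
    "Subject: You have won\n\nClick to claim.\n",
    # Company mailing from a subdomain of its own domain.
    "From: news@mail.bookstore.example\n"
    "To: bookstore@mydomain.example\n"
    "Subject: New titles\n\nThis month's list.\n",
    # Address that was never handed out (guessed at a catch-all domain).
    "From: someone@webcam-alert.example\n"
    "To: admin@mydomain.example\n"
    "Subject: I have your webcam\n\nPay up.\n",
]


def recipient_alias(msg):
    """Return the local part of the first recipient at MY_DOMAIN, or None."""
    fields = []
    # Delivery headers come first: bulk mail often hides the real recipient.
    for header in ("Delivered-To", "X-Original-To", "To", "Cc"):
        fields.extend(msg.get_all(header, []))
    for _name, addr in getaddresses(fields):
        local, _, domain = addr.lower().rpartition("@")
        if domain == MY_DOMAIN and local:
            return local
    return None


def _domain_matches(sender_domain, allowed):
    """True if sender_domain is an allowed domain or a subdomain of one."""
    return any(
        sender_domain == d or sender_domain.endswith("." + d) for d in allowed
    )


def classify(raw_message):
    """Return (alias, sender_domain, verdict) for one raw message.

    The From header is not authenticated, so "expected" means only that the
    claimed sender matches the alias; it does not prove the mail is genuine.
    """
    msg = message_from_string(raw_message)
    alias = recipient_alias(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    sender_domain = sender.rpartition("@")[2]
    if alias is None:
        return (None, sender_domain, "not-ours")
    allowed = ALIASES.get(alias)
    if allowed is None:
        return (alias, sender_domain, "unknown-alias")
    if _domain_matches(sender_domain, allowed):
        return (alias, sender_domain, "expected")
    return (alias, sender_domain, "leaked-alias")


def leak_report(raw_messages):
    """Map each leaked alias to the sorted foreign domains mailing it."""
    report = {}
    for raw in raw_messages:
        alias, domain, verdict = classify(raw)
        if verdict == "leaked-alias":
            report.setdefault(alias, set()).add(domain)
    return {alias: sorted(domains) for alias, domains in report.items()}


if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify(raw))
    print(leak_report(SAMPLES))
```

An alias that appears in the report can be retired and replaced with a fresh one for that company, which also stops the mail sent to the old address.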
#15   Posted to uk.d-i-y

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.


Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


#16   Posted to uk.d-i-y

On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.


Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

However after I run a file cleaner which removes stuff like cookies and site
storage, I have to go through the whole Amazon login.

I have found only Google might get sniffy about users logging in from
different devices --- even ones attached to the same wifi.
#17   Posted to uk.d-i-y

On Mon, 20 Jul 2020 12:16:43 +0100, Pamela
wrote:

On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

However after I run a file cleaner which removes stuff like cookies and site
storage, I have to go through the whole Amazon login.


CCleaner gives you the option of selecting the cookies you want to
keep.
#18   Posted to uk.d-i-y

Pamela wrote:
On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick or
Serge.


Judging by the OP's habit of reusing the same password, I wonder if he also
used it for his password manager allowing hackers to scoop up any passwords
which are different.

It's crazy to re-use a password for a site like Amazon where the financial
loss could become substantial.


Yes, I use a simple 'algorithm' to generate passwords for "don't care"
web sites that require a password. This is mostly for places that I
buy on-line but *don't* save any credit card details or club and
forum sites. I really don't care that much if someone breaks into my
account, all they could do is impersonate me on the forum (so what?)
and see what I have bought from some supplier or other.

Where I have credit card details or other similarly sensitive
information I use much stronger passwords, though as far as possible I
don't allow sites to save credit card details.

--
Chris Green
#19

Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe and not
require signing in subsequently.

So if someone nicks your computer they get access?!

--
Chris Green
#20

Scott wrote:
It is not a con. It is not a "subscription".


Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.


That's an ad for 1Password, which is a password manager. Have I Been Pwned
is a separate thing and has a 'notify me' function which will mail you if
your email or domain shows up in other breaches. It's free, and the link is
at the top of the screen.

Theo


#21

On Mon, 20 Jul 2020 09:51:07 +0100, Scott wrote:

I generate long, random, password sequences for each Internet account
created. They're a pain to type in, ...


Or use a "formula" to generate passwords unique to each site. Based
say on part of the company name. Load of things you can do to make
the password pretty secure, Upper/lowercase given character
position(s), letter/number substitute, both either as an inposition
substitution or an insert before or after the position. Pre/app-pend
and short string (containing symbols, numbers, upper/lowercase).

Even if you forget what a password is for a site you can work it out
by applying your formula. The only slight gotcha is those sites that
object to symbols in a password.

but I keep a stack of pieces of paper with the new ones printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form.


Bits of paper work... One would also assume that the information is
also obscurated and not a simple plain text "site password" list
and also contains old, invalid, information or even completely bogus
information.

What happens if someone breaks into your house and steals the pieces of
paper? Mine uses military security and allows you to view, cut and paste
the passwords as required.


Assuming the device with your passwords on hasn't also been nicked or
even simply died. Lightning strike, power surge? Just as likely as a
tea leaf taking the bits of paper. You can't even have a go at
trying to work out what any passwords are.

--
Cheers
Dave.



#22

On Mon, 20 Jul 2020 12:43:02 +0100 (BST), "Dave Liquorice"
wrote:

On Mon, 20 Jul 2020 09:51:07 +0100, Scott wrote:

I generate long, random, password sequences for each Internet account
created. They're a pain to type in, ...


Or use a "formula" to generate passwords unique to each site. Based
say on part of the company name. Load of things you can do to make
the password pretty secure, Upper/lowercase given character
position(s), letter/number substitute, both either as an inposition
substitution or an insert before or after the position. Pre/app-pend
and short string (containing symbols, numbers, upper/lowercase).

Even if you forget what a password is for a site you can work it out
by applying your formula. The only slight gotcha is those sites that
object to symbols in a password.

but I keep a stack of pieces of paper with the new ones printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form.


Bits of paper work... One would also assume that the information is
also obscurated and not a simple plain text "site password" list
and also contains old, invalid, information or even completely bogus
information.

What happens if someone breaks into your house and steals the pieces of
paper? Mine uses military security and allows you to view, cut and paste
the passwords as required.


Assuming the device with your passwords on hasn't also been nicked or
even simply died. Lightning strike, power surge? Just as likely as a
tea leaf taking the bits of paper. You can't even have a go at
trying to work out what any passwords are.


Ever heard of backups?
#23

On 20 Jul 2020 12:35:40 +0100 (BST), Theo
wrote:

Scott wrote:
It is not a con. It is not a "subscription".


Sorry, I read Step 3 ouot of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

out of context
That's an ad for 1Password, which is a password manager. Have I Been Pwned
is a separate thing and has a 'notify me' function which will mail you if
your email or domain shows up in other breaches. It's free, and the link is
at the top of the screen.

Okay, it's an attempt to con then, not a con. It is quite clear they
are trying to induce you into clicking 'Start using 1Password.com'.
#24

On 20/07/2020 05:59, Paul wrote:
wrote:
Five days ago, I placed an online order with a company that I have
used many times, over the years. It's an online supplier of vitamins
and nutritional supplements. My account with that company has login
details (email address and password) that I used to use for pretty
much everything, until various companies enforced changes, to improve
security.

Two days ago I got an email from Spotify, reporting a login from
Germany. I set up my Spotify account in 2012 and haven't used it since
then, so I was curious. On checking, the login email address and
password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious
login. Sure enough, my Amazon account uses the old email address and
password (all registered credit cards recently expired, so no
possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix,
warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has
somehow leaked out into the ether. The question is: how? I can't help
but notice the coincidence of my recent order with the vitamin company
and hot on the heels of that, rogue logins to various services. Does
anyone have a view on the most likely explanation? Could it be a
weakness in the vitamin company's systems/web page, dishonesty of an
employee at the company, or is it more likely to be something at my
end (e.g. keystroke logging malware)? I run McAfee on my laptop and
use Google Chrome browser with Win 7.

Thanks. Ant.


Personally I don't trust McAfee as far as I can throw it but YMMV.
Their main claim to fame seems to be large corporate discounts.

I think it's pretty safe to assume some aspect
of this "small company" website is compromised.


Although a keylogger on your home PC cannot be ruled out.
Malwarebytes is a pretty reliable zapper for such things.

We also don't know the integrity of the password used.

If it was Pa55w0rd or qwerty or in any dictionary then all bets are off.

Small companies rent everything. They can't even
rent a clue.

I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it. Only one site had a security issue -
the company went bankrupt, and we heard later the
servers they had were sold without being sanitized.
(All the account info left the building intact,
destination unknown.)

If you're using the same password for all of them,
well, stop doing that :-) Or, uh... Oh. It already
happened.


It is never a good idea to use the same password login on multiple
sites. Sites vary massively in their ability to keep things securely.

At a minimum even on toy sites that insist you have a password include
two random words and the year you first opened it in between. A random
capitalisation (not the first letters) makes it a bit more secure and an
unusual character also helps. Beware when they "upgrade" software I have
had my choice of unusual password character declared illegal once.

Noddy sites get fairly weak passwords. Banks get high entropy rule based
passwords that even someone who has seen it written down will not be
able to remember unless they know the generating rule.

--
Regards,
Martin Brown
#25

On 20/07/2020 10:35, Scott wrote:
On Mon, 20 Jul 2020 10:12:31 +0100, Richard
wrote:

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here:
https://haveibeenpwned.com

Four breaches, only one makes any sense and you have to subscribe to
find out more details. Looks like a con to me.


It is not a con. It is not a "subscription".


Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

In any case, if the breach only amounts to my email address (which is
pretty widely circulated anyway) and the specific password for the
compromised site (which has presumably reset the passwords anyway), I
don't see a problem.


Good for you.


Good for you if you hand out money every time you see the word
'security'.


I don't, and I'm not paranoid.



#26

On Mon, 20 Jul 2020 12:55:24 +0100, Scott wrote:

Ever heard of backups?


Not much use without a working device to transfer the backup to for
use.

--
Cheers
Dave.



#27

On Mon, 20 Jul 2020 14:07:09 +0100 (BST), "Dave Liquorice"
wrote:

On Mon, 20 Jul 2020 12:55:24 +0100, Scott wrote:


Assuming the device with your passwords on hasn't also been nicked or
even simply died. Lightning strike, power surge? Just as likely as a
tea leaf taking the bits of paper. You can't even have a go at
trying to work out what any passwords are.


Ever heard of backups?


Not much use without a working device to transfer the backup to for
use.


Very true, whereas bits of paper with passwords would be enormously
useful to anyone without a working computer.
#28

In article ,
Scott wrote:
On Mon, 20 Jul 2020 14:07:09 +0100 (BST), "Dave Liquorice"
wrote:


On Mon, 20 Jul 2020 12:55:24 +0100, Scott wrote:


Assuming the device with your passwords on hasn't also been nicked or
even simply died. Lightning strike, power surge? Just as likely as a
tea leaf taking the bits of paper. You can't even have a go at
trying to work out what any passwords are.


Ever heard of backups?


Not much use without a working device to transfer the backup to for
use.


Very true, whereas bits of paper with passwords would be enormously
useful to anyone without a working computer.


and, you can write down the time on a piece of paper.

--
from KT24 in Surrey, England
"I'd rather die of exhaustion than die of boredom" Thomas Carlyle
#29

On 20/07/2020 12:00, Smolley wrote:
On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.


Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.

Interesting, since Mac addresses are not promulgated beyond the local
Network, and are easily spoofed.

And cannot be obtained without the user downloading and installing some
obvious software

https://stackoverflow.com/questions/...with-a-browser



--
"A point of view can be a dangerous luxury when substituted for insight
and understanding".

Marshall McLuhan

#30

On Mon, 20 Jul 2020 13:44:59 +0100, Richard
wrote:

On 20/07/2020 10:35, Scott wrote:
On Mon, 20 Jul 2020 10:12:31 +0100, Richard
wrote:

On 20/07/2020 09:58, Scott wrote:
On Mon, 20 Jul 2020 08:17:42 +0100, Richard
wrote:

On 20/07/2020 05:24, wrote:
Five days ago, I placed an online order with a company that I have used many times, over the years. It's an online supplier of vitamins and nutritional supplements. My account with that company has login details (email address and password) that I used to use for pretty much everything, until various companies enforced changes, to improve security.

Two days ago I got an email from Spotify, reporting a login from Germany. I set up my Spotify account in 2012 and haven't used it since then, so I was curious. On checking, the login email address and password is the same old combo as for the vitamin co.

Yesterday I got an email from Amazon, warning of a new, suspicious login. Sure enough, my Amazon account uses the old email address and password (all registered credit cards recently expired, so no possibility of rogue purchases).

In the small hours of this morning, I got an email from Netflix, warning of a login in the USA. Same deal with email address and password.

Clearly, my old, well used email address and password combo has somehow leaked out into the ether. The question is: how? I can't help but notice the coincidence of my recent order with the vitamin company and hot on the heels of that, rogue logins to various services. Does anyone have a view on the most likely explanation? Could it be a weakness in the vitamin company's systems/web page, dishonesty of an employee at the company, or is it more likely to be something at my end (e.g. keystroke logging malware)? I run McAfee on my laptop and use Google Chrome browser with Win 7.

Thanks. Ant.


Stick the email address in here:
https://haveibeenpwned.com

Four breaches, only one makes any sense and you have to subscribe to
find out more details. Looks like a con to me.

It is not a con. It is not a "subscription".


Sorry, I read Step 3 out of context when it said 'Subscribe to
notifications for any other breaches. Then just change that unique
password'. It's a 30 day free trial then a subscription.

In any case, if the breach only amounts to my email address (which is
pretty widely circulated anyway) and the specific password for the
compromised site (which has presumably reset the passwords anyway), I
don't see a problem.

Good for you.


Good for you if you hand out money every time you see the word
'security'.


I don't, and I'm not paranoid.


Good for you.


#31

On 20/07/2020 05:24, wrote:

Five days ago, I placed an online order with a company that I have
used many times, over the years. It's an online supplier of vitamins
and nutritional supplements. My account with that company has login
details (email address and password) that I used to use for pretty
much everything, until various companies enforced changes, to improve
security.


So as a matter of urgency you need to go and update passwords on *all*
of the sites you are registered with, and make sure that the same
credentials are never re-used.

Since when once a site is compromised, automated testing tools will
enable the crooks to check those credentials against 100s of thousands
of other web sites. So it's a safe bet that all or most of your accounts
associated with those credentials are now compromised.

[snip]

Clearly, my old, well used email address and password combo has
somehow leaked out into the ether. The question is: how?


Lots of possibilities. If you go enter the relevant email address here:

https://haveibeenpwned.com/

it will tell you which public database of hacked credentials it came
from and may give some indication of the source.

You can also test individual passwords here:

https://haveibeenpwned.com/Passwords

I can't help
but notice the coincidence of my recent order with the vitamin
company and hot on the heels of that, rogue logins to various
services. Does anyone have a view on the most likely explanation?
Could it be a weakness in the vitamin company's systems/web page,


Could be - it might be the site itself, or often it's a weakness in a
third party service that the company (and many others) use.

The Ticketmaster hack being a good example:

https://www.wired.co.uk/article/tick...-monzo-inbenta

dishonesty of an employee at the company,


Also possible - or a sub contracting company, data processor, or even
individual.

or is it more likely to be
something at my end (e.g. keystroke logging malware)?


Also possible but probably less likely - if that were the case you would
expect any interaction with a site that uses those credentials to have
triggered the unexpected logins.

However, I would suggest a sweep with the malwarebytes.org scanner.


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
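Added example, not part of the post above or of the Have I Been Pwned project's own code: how a password can be tested against the Pwned Passwords range API so that only the first five characters of its SHA-1 hash leave the machine. The function names and the sample response (with made-up counts) are constructed for illustration; the network call is only made if `fetch_range` is actually used.

```python
"""Check a password against the Pwned Passwords range API without sending it.

Only the first five hex characters of the SHA-1 digest are transmitted; the
match against the returned suffixes is done locally.
"""
from __future__ import annotations

import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
SAMPLE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:42\r\n"  # suffix of SHA-1("password")
    + "0" * 34 + "A:0\r\n"                          # padding-style entry, count 0
    + "not-a-valid-line\r\n"                        # malformed, must be skipped
)


def sha1_split(password: str) -> tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the upper-case SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines, skipping blank or malformed ones."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if not sep or len(suffix) != 35 or not count.isdigit():
            continue
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Network call: request every known suffix that shares this prefix."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # Add-Padding asks the service to pad the response with count-0 entries
        # so its size does not reveal which prefix was requested.
        headers={"User-Agent": "pwned-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_split(password)
    # Padding entries carry a count of 0, so they read the same as "not found".
    return parse_range_response(fetch(prefix)).get(suffix, 0)


if __name__ == "__main__":
    # Offline demonstration against the constructed sample response.
    for candidate in ("password", "a-different-passphrase"):
        hits = breach_count(candidate, fetch=lambda _prefix: SAMPLE_BODY)
        print(f"{candidate!r}: seen {hits} times in the sample")
```

Any count above zero means the password is already in circulation and should be retired everywhere it was used.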
#32

On 20/07/2020 08:21, Brian Gaff (Sofa) wrote:

They are always telling us that we should use a password manager of course.
However there is no 100 percent secure system if as has been mentioned
servers with customer data can be just sold to any tom dick or Serge.


Nothing is 100% secure, but there is plenty you can do to limit the
damage when something goes wrong.

I mean, another thing to look at is wifi password. Now if it's too hard,
nobody can remember it, if it's too simple people can guess it, and of
course many devices that use a cloud storage system actually store it,
supposedly encrypted.


A decent password ought not be "memorable". If you need it, go look at
the written record of it (the plate on the back of the router if you
like), or use the WPS button for creating new connections.

The hackers know about exploiting apis these days as people use these off
the shelf like a way to stop having to write new ones, but if they don't
use them properly often a breach is created bigger than the brain of Marvin.





--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
#33

On 20/07/2020 12:00, Smolley wrote:
On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.


Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


Your IP address, various cookies and other "fingerprinting" they can do
on your browsers... unlikely to be a mac address directly unless you
have your PC plugged directly into their LAN!



--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
#34

On 20/07/2020 10:04, Tim Streater wrote:

Drat yes, I hope the scrote doesn't notice the book on the bookshelf
with the word "Passwords" embossed on the spine in gold. I expect
such a scrote would have a little "Lone Ranger" mask, wear a
black-and white striped jersey, and carry a bag marked "Swag" over
his shoulder.


He probably won't be able to get a stock of new masks now :-)


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
#35

On 20/07/2020 10:28, Scott wrote:
On 20 Jul 2020 09:04:01 GMT, Tim Streater
wrote:

On 20 Jul 2020 at 09:51:07 BST, Scott wrote:

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:


I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form. What happens if someone breaks
into your house and steals the pieces of paper?


Drat yes, I hope the scrote doesn't notice the book on the bookshelf with the
word "Passwords" embossed on the spine in gold. I expect such a scrote would
have a little "Lone Ranger" mask, wear a black-and white striped jersey, and
carry a bag marked "Swag" over his shoulder.


Thanks for your insightful advice. I'll stop locking my front door -
obviously unnecessary as crime is fake news.


I think you may have missed the point Tim was making. i.e. Just because
you have a file of passwords recorded, it does not have to be obvious or
even intelligible to someone else if the details are obfuscated, or
simply hidden in lots of other data.


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/


#36

On Mon, 20 Jul 2020 18:44:13 +0100, John Rumm
wrote:

On 20/07/2020 12:00, Smolley wrote:
On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has been
mentioned servers with customer data can be just sold to any tom dick
or Serge.

Judging by the OP's habit of reusing the same password, I wonder if he
also used it for his password manager allowing hackers to scoop up any
passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.


Amazon uses my mac address as verification, when I use another computer I
have to return a phone code.


You IP address, various cookies and other "fingerprinting" they can do
on your browsers... unlikely to be a mac address directly unless you
have your PC plugged directly into their LAN!


Maybe Smolley has an Apple Mac and is referring to its address.
#37

On Mon, 20 Jul 2020 18:48:49 +0100, John Rumm
wrote:

On 20/07/2020 10:28, Scott wrote:
On 20 Jul 2020 09:04:01 GMT, Tim Streater
wrote:

On 20 Jul 2020 at 09:51:07 BST, Scott wrote:

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:


I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form. What happens if someone breaks
into your house and steals the pieces of paper?

Drat yes, I hope the scrote doesn't notice the book on the bookshelf with the
word "Passwords" embossed on the spine in gold. I expect such a scrote would
have a little "Lone Ranger" mask, wear a black-and white striped jersey, and
carry a bag marked "Swag" over his shoulder.


Thanks for your insightful advice. I'll stop locking my front door -
obviously unnecessary as crime is fake news.


I think you may have missed the point Tim was making. i.e. Just because
you have a file of passwords recorded, it does not have to be obvious or
even intelligible to someone else if the details are obfuscated, or
simply hidden in lots of other data.


Sorry, I must have been distracted by all the verbiage about scrotes,
lone rangers and swag.

I prefer to hold the passwords in an encrypted form that can be cut
and pasted when needed than in a disguised form on bits of paper that
needs to be painstakingly typed in each time. Everyone makes their
own choices of course.
#38

On Sun, 19 Jul 2020 21:24:35 -0700, anonymousrapscallion wrote:

Five days ago, I placed an online order with a company that I have used
many times, over the years. It's an online supplier of vitamins and
nutritional supplements. My account with that company has login details
(email address and password) that I used to use for pretty much
everything, until various companies enforced changes, to improve
security.


Those general details could span a number of health companies.

The one I use seems to retain expired credit card details, and I have
several times requested that they be removed. No luck so far, but they
have a new website so they will probably just hide them.



--
My posts are my copyright and if @diy_forums or Home Owners' Hub
wish to copy them they can pay me £1 a message.
Use the BIG mirror service in the UK: http://www.mirrorservice.org
*lightning surge protection* - a w_tom conductor
#39

On 12:25 20 Jul 2020, Chris Green said:

Pamela wrote:
On 12:00 20 Jul 2020, Smolley said:

On Mon, 20 Jul 2020 11:04:58 +0100, Pamela wrote:

On 08:21 20 Jul 2020, Brian Gaff (Sofa) said:

They are always telling us that we should use a password manager of
course. However there is no 100 percent secure system if as has
been mentioned servers with customer data can be just sold to any
tom dick or Serge.

Judging by the OP's habit of reusing the same password, I wonder if
he also used it for his password manager allowing hackers to scoop
up any passwords which are different.

It's crazy to re-use a password for a site like Amazon where the
financial loss could become substantial.

Amazon uses my mac address as verification, when I use another
computer I have to return a phone code.


MAC address or cookie?

I use two factor authentication (using the Authy app) for Amazon, who
provides an option for a particular computer to be remembered as safe
and not require signing in subsequently.

So if someone nicks your computer they get access?!


Two factor authentication is in addition to your usual account name and
password. The idea is that some Russian hacker can't access your account
without also having physical access to the PC to generate required
passkeys.

Nowadays banks are doing this or something similar, such as sending a
text.

If someone nicks your computer with the authenticator app then you go to
another computer and access the authenticator with your special password
to remove the stolen device from authenticator account.

I prefer this to getting texts with a passkey.
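
The second factor described in the post above, as an added example that is not part of the original thread: a time-based one-time code (RFC 6238 TOTP, the scheme authenticator apps commonly implement) is checked after the password, so a leaked, reused password on its own is rejected. The account record, password, secret and iteration count are constructed sample values.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per code, the usual authenticator-app interval

def totp(secret_b32: str, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1 for the Unix time `at`."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    # Iteration count is an illustrative choice for this example.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def login(account: dict, password: str, code: str, now: float) -> str:
    """Return 'ok', 'bad-password' or 'bad-code'."""
    supplied = hash_password(password, account["salt"])
    if not hmac.compare_digest(supplied, account["pw_hash"]):
        return "bad-password"
    # Accept the current step and one either side to tolerate clock drift.
    for drift in (-1, 0, 1):
        expected = totp(account["totp_secret"], now + drift * STEP)
        if hmac.compare_digest(expected.encode(), code.encode()):
            return "ok"
    return "bad-code"

# Constructed sample account: the key is the RFC 6238 test key.
SECRET = base64.b32encode(b"12345678901234567890").decode()
PASSWORD = "old-reused-password"
SALT = b"constructed-salt"
ACCOUNT = {"salt": SALT, "pw_hash": hash_password(PASSWORD, SALT),
           "totp_secret": SECRET}

if __name__ == "__main__":
    now = 1234567890
    # Owner: knows the password and holds the device with the secret.
    print("owner:", login(ACCOUNT, PASSWORD, totp(SECRET, now), now))
    # Credential stuffing: the leaked password is correct, the code is a guess.
    print("leaked password only:", login(ACCOUNT, PASSWORD, "123456", now))
```
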
  #40   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 566
Default O/T: internet security question (leaked details)



"Scott" wrote in message
...
On Mon, 20 Jul 2020 18:48:49 +0100, John Rumm
wrote:

On 20/07/2020 10:28, Scott wrote:
On 20 Jul 2020 09:04:01 GMT, Tim Streater
wrote:

On 20 Jul 2020 at 09:51:07 BST, Scott
wrote:

On Mon, 20 Jul 2020 00:59:43 -0400, Paul
wrote:


I generate long, random, password sequences for each
Internet account created. They're a pain to type in, but I
keep a stack of pieces of paper with the new ones
printed on it.

Why would you need pieces of paper? Can you not use a program that
saves passwords in an encrypted form. What happens if someone breaks
into your house and steals the pieces of paper?

Drat yes, I hope the scrote doesn't notice the book on the bookshelf
with the
word "Passwords" embossed on the spine in gold. I expect such a scrote
would
have a little "Lone Ranger" mask, wear a black-and white striped
jersey, and
carry a bag marked "Swag" over his shoulder.

Thanks for our insightful advice. I'll stop locking my front door -
obviously unnecessary as crime is fake news.


I think you may have missed the point Tim was making. i.e. Just because
you have a file of passwords recorded, it does not have to be obvious or
even intelligible to someone else if the details are obfuscated, or
simply hidden in lots of other data.


Sorry, I must have been distracted by all the verbiage about scrotes,
lone rangers and swag.

I prefer to hold the passwords in an encrypted form that can be cut
and pasted when needed


I prefer a proper password manager that keeps the passwords
and other routinely provided stuff like your address and the
username etc in a fully encrypted database and automatically
fills in the form you are looking at and which allows you to
select from a list of sites that you log into routinely so you
can go there just by clicking that link. And which automatically
collects the stuff you fill in with a new site and offers to add it
to the database,

than in a disguised form on bits of paper that
needs to be painstakingly typed in each time.
Everyone makes their own choices of course.

