|
Patch reliability is unclear. Unless you have an immediate, pressing need to install a specific patch, don't do it. |
Patch Lady here with paranoia of day 11. Have you ever checked to see if your password has been discovered by attackers and is known by them? There
[See the full post at: Patch Lady – 31 days of paranoia – day 11]
Susan Bradley Patch Lady/Prudent patcher
My first thought when visiting that site was, “Do I really want to give my eMail address to someone on the other end of this?”
I didn’t. Knowing wouldn’t have changed my already thoughtful password management strategy.
-Noel
Agree with Neal…thought the same thing when the site came out years ago….save this fellow is quite well known, and trusted by Krebs and others in his arena. The FAQ looks pretty tight, but the founder is Troy Hunt, a Microsoft Regional Director.
You have his word that nothing is retained on his site; but there are all sorts of attacks that could go down with “man in the middle”…
And password managers? What if your only PC goes down, and takes that with it? Backups, of course, but resetting everything including routers, etc can be a real pain in that scenario, if you are lucky enough to have another machine.
No, I use very basic, but effective methods for passwords, which I will only infer here, and give Douglas Adams credit:
Written down in a Sumerian script, in the 3rd sub cellar of three different locations, in the janitor’s closet behind a door marked “Beware The Leopard.”
For coming up with them, or actually writing them down, obscure foreign languages that use script other than Roman are very useful too. How’s your Thai or Javanese?
Code cyphers for further password obfuscation are great too. So many to choose from! 😉
And never, never use the same PWD twice.
Ouija Boards, anyone?
Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
--
"The more kinks you put in the plumbing, the easier it is to stop up the pipes." -Scotty
And password managers? What if your only PC goes down, and takes that with it? Backups, of course, but resetting everything including routers, etc can be a real pain in that scenario, if you are lucky enough to have another machine.
I have lots of ‘another’ machines! I have six of them that are relatively current (dual core or better), and nine in total if we count the not-so-current ones. My password store is synced (manually, SneakerNet) between the most commonly used PCs (my main desktop, my two newer laptops, and my Core 2 Duo laptop that still holds its own despite its age), and is protected by strong encryption and passwords at each endpoint.
If any of these PCs goes down, I fix it with replacement parts (in the case of my desktop PCs and my Core 2 Duo laptop) or remove its SSD (Acer Swift) or micro SD card (Dell Inspiron) and send it in for warranty service, then reinstall everything when it comes back (in the Swift, it’s as easy as popping the SSD back in; on the Dell, I would have to restore the OS to the internal eMMC drive and pop the MicroSD back in). There are no private or sensitive files located on any non-removable storage like internal eMMCs. Linux does not insist on putting user profiles on the boot drive, so it’s quite easy to ensure that the boot device contains no personal data.
I have backups for all of my devices in multiple places. If it’s the drive on any of these ‘puters that has failed, I replace it (under warranty, probably; most of my drives are still warranteed) and restore the backup.
When the Swift and Inspiron are out of warranty, I’d add them to the “fix with replacement parts” category. Good used motherboards are available at good prices on eBay for both. All of my computers can be opened with simple hand tools and are not glued together, so replacing the motherboard is really not very hard.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
@m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
It’s worth checking this out:
https://howsecureismypassword.net/
Cute, though a bit meaningless. How long will it take next year’s model? Next decade’s quantum model? The sliding scale of technological advancement is why 128 bit keys are now laughably weak, even though the predictions back just a few decades ago were that it would take millions of years to crack them.
People should not have to juggle ever increasing, human-meaningless passwords in order to stay in control of their private data. Their tech needs to work harder for them and ONLY them (and NOT for some company who feels THEY should be in control).
-Noel
P.S., please don’t even CONSIDER typing your real passwords into that site.
Just to complete your thought to make it glaringly obvious.
Typing an active password would expose that supersecure, only known to two entities on the entire planet, absurdly long multicharcacterset string to a THIRD entity. It might as well be added to the list of known passwords.
Cute, though a bit meaningless. How long will it take next year’s model?
My reference to complacency was the ability to check your current configuration, which may show it will currently take xx minutes – at which point you need to upgrade your passwords NOW. It gives a better indication of what isn’t a good concept for your passwords than mere confidence in your ability to create one 🙂
If I was concerned about my email addresses being compromised, the last thing I’d do is enter them all on a site expressly designed to collect email addresses, no matter who was running the site and how trustworthy they may be – the sites any email addresses were compromised on in the first place are likely to have been run by equally eminent and trustworthy companies/people.
I did check haveibeenpwned — an old email came up from Linkedin. All my current emails came up clean. I am very paranoid but somehow felt comfortable giving my email address to haveibeen pwned because email addresses are “out there” anyway (e.g. one person sending a joke without bcc is enough to make my head spin). I have five email addresses for different purposes (bank alerts, shopping, personal email, throw away, etc.) Since they are all gmail accounts I can easily delete them and start fresh. Even my personal email address has so few people in the address book that I can notify folks that I have changed my email address . Yes, this is embarrassing to do but I have done it twice already for security reasons.
As for my passwords, I don’t trust password managers and only use one desktop at home so I have a little book with all my passwords written in it (I only have the five passwords for the email accounts, the IMac password, and just a few others – probably only ten in all. They are random and long with some caps some numbers some symbols, etc. and I change them from time to time. (When I got my IMac a few months ago I had a computer man come to install it and he had never seen anyone go through typing the kind of passwords that I had — between my getting used to the feel of the magic keyboard and the length and complexity of my passwords — let’s just say he was here for quite awhile and he has not forgotten me!)
I would not send my password into a website to find out if it was pawned.
I have a Yubico key that I use for the gmail accounts and use two factor authentification wherever it is available.
Ttthat’s All Folks!
I thought the same as you guys regarding giving away an email address, but out of curiosity…
I tried it with a few email addresses of people I know and one old of mine which I knew were already in spamming databases. It came up with interesting results. Mostly, they were found stolen in places where there was data breaches like an antivirus forum, Myspace (not mine) or other similar places where you had to register to post a question that I used once or twice.
To me, this is just a good reminder to never use the same password on different sites, even if you think those web sites are not really important to you. The information that could be gathered from different sites could sometimes be used against you on other more important services.
Thanks AlexEiffel. I saw other sites that also advised against changing passwords. My situation is a little different — I’m a home user of one desktop and from time to time voluntarily change a password and put a lot of thought into it. It makes me feel better — ignorance is bliss! 🙂
I have been using HaveIBeenPwned for around two years. HaveIBeenPwned is a completely legitimate web site which was created by Troy Hunt who is a Microsoft Regional Director. Here is a fairly interesting 2015 Forbes article about how a Forbes staff writer and Troy verified that 000Webhost had been hacked:
https://www.forbes.com/sites/thomasbrewster/2015/10/28/000webhost-database-leak/#5fcf1af96098
If I knew an active password of mine had been stolen, I don’t think I’d be posting to a public forum like this one about it. Just having been pwned can make you a target for further attacks. The fewer people who know about your misfortune, the safer you are. Just change the password, close the account if it’s unused or unimportant, and don’t go around sharing your experience, especially not details not yet known to everyone. The fewer breadcrumbs you leave, the less the risk someone else will pick up on the clues and pwn you again. The one thing you cannot change is a biological fact about yourself, known as biometrics. Once that is cloned or impersonated, you are truly pwned. This fact is one reason I don’t like the idea of using our actual DNA as a biometric.
It totally depends on what steps you have taken. For example and most importantly, and as told to me years ago by an FBI agent, never use your real name online.
There is interesting stuff in the news about DNA and about how it is now likely possible (50% or greater) that you can be identified — not by your own submitted DNA — but by DNA which was submitted for testing by family members. Yeah, it takes a lot of online digging, yet this is what recently published research paper showed. Ain’t that peachy? The upshot is that your relatives could unknowingly be undermining your online anonymity.
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
