Question of the day (Updated)
Tuesday, Oct 15, 2024 - Posted by Rich Miller
* ABC 7…
Tech experts at the website Hostingadvice.com say a new study shows that 43% of Americans have had their password hacked or compromised.
The reason? Mostly laziness. Experts say that more than 25% of people use the password 1,2,3,4 and almost a third of people don’t change passwords when they are prompted.
Always use strong, original passwords with numbers and characters.
Find a sentence that is special to you and add characters.
* The Question: Have any of your passwords ever been hacked? Tell us about it.
…Adding… Yikes…
- lake county democrat - Tuesday, Oct 15, 24 @ 9:21 am:
Only once - Spotify - and for a couple of months afterwards Spotify kept recommending foreign hip-hop songs to me!
- OneMan - Tuesday, Oct 15, 24 @ 9:22 am:
Netflix, of all things, the way I found out was some strangeness in my viewing history (someone was watching shows in Italian). Easy enough to fix.
- @misterjayem - Tuesday, Oct 15, 24 @ 9:33 am:
“Have any of your passwords ever been hacked?”
The only times when a password of mine has been compromised was when the security of the websites was breached by hackers.
It’s happened many, many times and regardless of the strength of my passwords, there’s nothing that I can do about it.
(That our passwords are compromised in this way makes perfect sense — it’s much more efficient for cyber criminals to invest their efforts in cracking the security of a business’ servers (containing thousands of passwords and other personal data) than it is to try to crack my individual password. Success in the latter case yields a single victim, success in the former yields thousands. tl;dr- hacking is a volume business)
– MrJM
- Huh? - Tuesday, Oct 15, 24 @ 9:41 am:
Not that I am aware of. However, when I received a new PIN for my debit card, it was 1234. Called up the bank to reset the PIN. They thought it was funny.
- Anyone Remember - Tuesday, Oct 15, 24 @ 9:50 am:
MrJM - Same here. When working, the IT people said for 8 character passwords (CMS / DoIT RACF character limit I used in most of my passwords), mine were incredibly safe, but advised me about website hacks.
- ChrisB - Tuesday, Oct 15, 24 @ 9:53 am:
Probably.
But maybe it’s not the end users fault. Maybe its the proliferation of apps that companies, schools, kids activities, etc. require me to sign up for just to order pizza or see what time their game is. Maybe it’s because I have no less than 15 different logins to various single purpose apps, that I can’t possibly design a unique password for each and every one of them.
I’m so tired of being asked to download an app to do anything I used to do without a phone. If large corporations, who have entire teams dedicated to developing and maintaining an app, get hacked, how can I trust the little restaurant down the street to keep my data safe? It’s unsustainable.
/rant off
- Fav human - Tuesday, Oct 15, 24 @ 10:02 am:
I use a password manager.
I also use virtual credit cards for all online purchases, and turn them off
after the purchase.
So I’m reasonably safe.
- Friendly Bob Adams - Tuesday, Oct 15, 24 @ 10:11 am:
MrJM- Completely agree. Someone stole my personal email password by hacking the host company. So it wasn’t a case that my password didn’t meet a standard for complexity. They just stole everybody’s passwords.
- Ron - In Texas - Tuesday, Oct 15, 24 @ 10:16 am:
There are users that dont get the tech threats out there today. Also our password concept is broken. It was actually designed (mostly) by some NIST types 30+ years ago (you know 8 characters, upper, lower, a number, a special chrctr, etc).
Then change every X days.
We do it by sheer momentum. Password managers are great (most people dont use them) and the folks setting policies should really go to things like Pass Phrases, with longer durations “Mycatdoesntlikewheniringthedoorbell” for a year is actually way better than Pass,123 changed every 90 days to Ron,1234, then some other simple thing.
this is why you see so much two-factor auth (you sign in and it sends a text code to your phone) BEcause they KNOW the password system today is weak, but no one will really do anything about it, so they snap in this other stuff.
Sorry, just an IT Guy Ranting.
- Homebody - Tuesday, Oct 15, 24 @ 10:18 am:
Only once, when I was making a gag account on a message board and left it with a default “admin” password because I was distracted when setting it up. So again, laziness, as found by the article.
I use unique passwords for most services now, and just rely on the password saver on my physical computer to keep them safe.
It is funny how technology changes though. 20 years ago, if you left a password written down at your desk you’d be concerned someone could sneak into your office and steal it. These days, keeping your passwords written on a piece of paper in your office may be the safest way to maintain them.
- Mason County - Tuesday, Oct 15, 24 @ 10:55 am:
@ChrisB,
You summed it up perfectly for me!
- Suburban Mom - Tuesday, Oct 15, 24 @ 10:55 am:
Here’s my best advice: Think of a poem or a song or a prayer that you really like (or a joke, or whatever). So I’ll this hymn as an example:
All things bright and beautiful,
all creatures great and small,
all things wise and wonderful:
the Lord God made them all.
I’m going to take the last two lines, and use the first letter of each word, and I’m going to throw in capital letters where I feel like (usually for nouns or stress in the poem or similar):
atWaWtLGmta
Now I’m going to throw in a couple of characters:
atW&WtLGmt4
(4 being A in old leet speak). That’s a hard password to crack but very easy for you to remember because you just recite the verse to yourself as you type each character. Make sure to choose a verse or song or poem or joke that you’ll like to recite to yourself every single day.
- RNUG - Tuesday, Oct 15, 24 @ 11:07 am:
== can’t possibly design a unique password for each and every one of them. ==
== keeping your passwords written on a piece of paper in your office may be the safest way to maintain them. ==
You can, and I do use unique ones for each site / app. Tears ago, when it was just a few passwords, I’d use old girlfriends nams. No longer, too many sites. Today I tend to use phrases, sometimes nonsensical ones.
But it’s a real pain. You have to write them all down in an organized manner. An address book helps keep that organized.
As to having been hacked, the only times I’m aware of have been when the so-called secure corporate web servers were breached. Had that happen with a debit card pin 40 years ago; they cracked a bank server. Just this past month, I’ve received multiple notices from financial and health records companies that my data (and lots of others) was breached. Ironically, I first received notice from a privacy manager that found my SSN on the dark web. Not much you can do personally when the data is being stolen from the corporations. While it’s a pain, what you can do is put two factor authorization on your financial stuff and have text notifications to your smart phone for every transaction. Then you can at least react quickly.
And I will admit at least the financial institutions are trying to combat fraud because it accounts for big losses to them. They do flag suspicious activity. I’ve even had them flag legit transactions as questionable.
You just have to be vigilant.
- Give Us Barabbas - Tuesday, Oct 15, 24 @ 11:24 am:
I generate passphrases by picking a favorite song and using the first letter of each word in the chorus or a verse. I find this way easier to recall than a random string of letters and numbers, yet I can make the passphrase very long.
I am driven crazy however by all the passwords and two factor authentication required to stream football on my TV; it’s more complicated than launching nuclear missiles.
- Leap Day William - Tuesday, Oct 15, 24 @ 11:49 am:
You can and should have unique passwords for each and every account you have. Use a password manager. They’re plug-and-play into most browsers these days. Mine has over 300-some accounts from every website I’ve encountered in the past almost decade.
Run your email address through haveibeenpwned.com to see what compromises are out there you aren’t aware of. Your account being compromised on one site often leads to it being compromised elsewhere when you use the same password. It’s called credential stuffing and happens pretty regularly.
Use two factor authentication on every possible account that supports it, so even if the password ends up compromised they still can’t get in without that code. Do it for everything, not just financial stuff.
My dad recently lost his facebook account (”lost” being used quite liberally here, I happen to think it’s a net gain for him, but anyway…) because of credential stuffing and not having 2FA turned on, despite me repeatedly trying to get him to change his habits.
Assume your SSN is already compromised, because it most definitely is, and do a freeze on your credit reports.
- bhartbanjo - Tuesday, Oct 15, 24 @ 12:31 pm:
I’ve been wondering about the Historical Society.
I can assume that my SSN is out there. I was one of the many who had unemployment claims done in my name back about 4 years ago. I have frozen my credit reports ever since.
- twowaystreet - Tuesday, Oct 15, 24 @ 12:37 pm:
I have multiple times. It was all recently, in a month span.
Netflix twice and Disney + another time. I will say, they were really good about alerting me to the logins so I could reset my passwords and block the person.
Also, ChrisB I relate deeply to your exhaustion. I refuse to download any new apps or create accounts these days. Every company big or small has an app to just for the sake of having an app. Just give me a punch card or I’ll forgo the discounts.
I’ve been trying to limit my phone usage to calls/texts these days. Unless I need to check something on the go, I try to force myself to use a computer. I can’t say I’m always successful but I am trying to be more thoughtful about it.
- Candy Dogood - Tuesday, Oct 15, 24 @ 12:54 pm:
===Have any of your passwords ever been hacked? Tell us about it. ===
I have misgivings about using the term hacked in this kind of instance because in most cases my passwords and corresponding email addresses have been compromised by the website or service provider failing to have adequate security protocols and in some cases — any — security protocols. I believe this is largely due to the lack of meaningful consequences for neglect of basic security protocols.
In addition to having credit card information stolen and used for unauthorized purchases, I have also had at streaming account hijacked for a few weeks before I was able to take the time to recover it.
Two factor authentication is an imperative.
===The reason? Mostly laziness.===
I also reject the implication that the fault be placed on the user. My accounts have still been compromised. My information and email addresses have still wound up for sale on the dark web. My credit card and other financial and biometric data is for sale on the dark web and it isn’t because I am lazy.
It is the for profit companies that in many instances have just let a malicious actor do the technological equivalent of walk in the front door and carry out all of their files.
This narrative that it is the end users fault is victim blaming to distract from who is actually responsible for why troves of personal information is available online.
Change the law so that people wind up in prison or companies pay serious fines when they decide to let user information be easily stolen.
It’s a lot easier to compromise someone’s account if they use the same password over, and over, and over again — but maybe to problem is how their password and email got out there the first time, or the 2nd time, or the 3rd time.
Also — no amount of password uniqueness is going to stop a phising attach from working. Only 2 factor authentication will.
- The Dude Abides - Tuesday, Oct 15, 24 @ 2:05 pm:
To the people advocating for MFA using a text message - you are just as short-sighted as the people who repeat passwords.
Bad actors can easily both compromise the password and intercept the verification text.
I too utilize a PW manager for the hundreds of websites and apps I utilize. Been using it for almost a decade, and to this day would not be able to get by without it.
- thechampaignlife - Tuesday, Oct 15, 24 @ 4:32 pm:
A relative had their Facebook account stolen because they shared the MFA code with the scammer and had an old email address assigned to the account. Despite our best efforts to recover the account, we ended up in a loop where the only recovery method that worked was to send an email to either the current scammer account or the old non-working email address. Their post history has changed into some spammy filth, and no amount of others reporting the account was able to shut it down despite a clear difference in posts, photos, and login locations.
I really think the solution to all this data getting breached everywhere is a virtualized data service similar to a virtual credit card number. My utility company does not need my actual SSN 99% of the time. They may need it to sue me if I am late on payments, but otherwise they just need a unique identifier to prove that I am a real person. So, I just need a PayPal-type service where I prove to them who I am and they vouch for me to the various companies who need to know I am a real person.
Same goes for email addresses. Most businesses should not actually possess my email address. I should be able to generate a unique virtual email address for each company who wants to send me information and have it routed to my actual email account. If that virtual email address is compromised in a breach, I can simply replace it with a new one without affecting email coming from any other source or subjecting me to tons of spam.
Same goes for mailing address. Amazon does not need to store my mailing address. They can store a unique identifier which they use to pull my address at checkout so I can confirm the delivery address and they can print the label. So the actual address is only on their server for maybe 15 minutes, I get my product, and they don’t have to worry about a breach affecting millions of customers.
- Demoralized - Tuesday, Oct 15, 24 @ 4:49 pm:
Star Wars is great history. Just sayin’.