Capitol Fax.com - Your Illinois News Radar » Question of the day (Updated)
Question of the day (Updated)

Tuesday, Oct 15, 2024 - Posted by Rich Miller

* ABC 7

Tech experts at the website Hostingadvice.com say a new study shows that 43% of Americans have had their password hacked or compromised.

The reason? Mostly laziness. Experts say that more than 25% of people use the password 1,2,3,4 and almost a third of people don’t change passwords when they are prompted.

Always use strong, original passwords with numbers and characters.

Find a sentence that is special to you and add characters.

* The Question: Have any of your passwords ever been hacked? Tell us about it.

…Adding… Yikes…


21 Comments
  1. - lake county democrat - Tuesday, Oct 15, 24 @ 9:21 am:

    Only once - Spotify - and for a couple of months afterwards Spotify kept recommending foreign hip-hop songs to me!


  2. - OneMan - Tuesday, Oct 15, 24 @ 9:22 am:

    Netflix, of all things, the way I found out was some strangeness in my viewing history (someone was watching shows in Italian). Easy enough to fix.


  3. - @misterjayem - Tuesday, Oct 15, 24 @ 9:33 am:

    “Have any of your passwords ever been hacked?”

    The only times when a password of mine has been compromised was when the security of the websites was breached by hackers.

    It’s happened many, many times and regardless of the strength of my passwords, there’s nothing that I can do about it.

    (That our passwords are compromised in this way makes perfect sense — it’s much more efficient for cyber criminals to invest their efforts in cracking the security of a business’ servers (containing thousands of passwords and other personal data) than it is to try to crack my individual password. Success in the latter case yields a single victim, success in the former yields thousands. tl;dr- hacking is a volume business)

    – MrJM


  4. - Huh? - Tuesday, Oct 15, 24 @ 9:41 am:

    Not that I am aware of. However, when I received a new PIN for my debit card, it was 1234. Called up the bank to reset the PIN. They thought it was funny.


  5. - Anyone Remember - Tuesday, Oct 15, 24 @ 9:50 am:

    MrJM - Same here. When working, the IT people said for 8 character passwords (CMS / DoIT RACF character limit I used in most of my passwords), mine were incredibly safe, but advised me about website hacks.


  6. - ChrisB - Tuesday, Oct 15, 24 @ 9:53 am:

    Probably.

    But maybe it’s not the end user’s fault. Maybe it’s the proliferation of apps that companies, schools, kids activities, etc. require me to sign up for just to order pizza or see what time their game is. Maybe it’s because I have no less than 15 different logins to various single purpose apps, that I can’t possibly design a unique password for each and every one of them.

    I’m so tired of being asked to download an app to do anything I used to do without a phone. If large corporations, who have entire teams dedicated to developing and maintaining an app, get hacked, how can I trust the little restaurant down the street to keep my data safe? It’s unsustainable.

    /rant off


  7. - Fav human - Tuesday, Oct 15, 24 @ 10:02 am:

    I use a password manager.

    I also use virtual credit cards for all online purchases, and turn them off after the purchase.

    So I’m reasonably safe.


  8. - Friendly Bob Adams - Tuesday, Oct 15, 24 @ 10:11 am:

    MrJM- Completely agree. Someone stole my personal email password by hacking the host company. So it wasn’t a case that my password didn’t meet a standard for complexity. They just stole everybody’s passwords.


  9. - Ron - In Texas - Tuesday, Oct 15, 24 @ 10:16 am:

    There are users that don’t get the tech threats out there today. Also our password concept is broken. It was actually designed (mostly) by some NIST types 30+ years ago (you know 8 characters, upper, lower, a number, a special character, etc).
    Then change every X days.

    We do it by sheer momentum. Password managers are great (most people don’t use them) and the folks setting policies should really go to things like Pass Phrases, with longer durations “Mycatdoesntlikewheniringthedoorbell” for a year is actually way better than Pass,123 changed every 90 days to Ron,1234, then some other simple thing.

    This is why you see so much two-factor auth (you sign in and it sends a text code to your phone). Because they KNOW the password system today is weak, but no one will really do anything about it, so they snap in this other stuff.

    Sorry, just an IT Guy Ranting.


  10. - Homebody - Tuesday, Oct 15, 24 @ 10:18 am:

    Only once, when I was making a gag account on a message board and left it with a default “admin” password because I was distracted when setting it up. So again, laziness, as found by the article.

    I use unique passwords for most services now, and just rely on the password saver on my physical computer to keep them safe.

    It is funny how technology changes though. 20 years ago, if you left a password written down at your desk you’d be concerned someone could sneak into your office and steal it. These days, keeping your passwords written on a piece of paper in your office may be the safest way to maintain them.


  11. - Mason County - Tuesday, Oct 15, 24 @ 10:55 am:

    @ChrisB,

    You summed it up perfectly for me!


  12. - Suburban Mom - Tuesday, Oct 15, 24 @ 10:55 am:

    Here’s my best advice: Think of a poem or a song or a prayer that you really like (or a joke, or whatever). So I’ll use this hymn as an example:

    All things bright and beautiful,
    all creatures great and small,
    all things wise and wonderful:
    the Lord God made them all.

    I’m going to take the last two lines, and use the first letter of each word, and I’m going to throw in capital letters where I feel like (usually for nouns or stress in the poem or similar):

    atWaWtLGmta

    Now I’m going to throw in a couple of characters:
    atW&WtLGmt4

    (4 being A in old leet speak). That’s a hard password to crack but very easy for you to remember because you just recite the verse to yourself as you type each character. Make sure to choose a verse or song or poem or joke that you’ll like to recite to yourself every single day.


  13. - RNUG - Tuesday, Oct 15, 24 @ 11:07 am:

    == can’t possibly design a unique password for each and every one of them. ==

    == keeping your passwords written on a piece of paper in your office may be the safest way to maintain them. ==

    You can, and I do use unique ones for each site / app. Years ago, when it was just a few passwords, I’d use old girlfriends’ names. No longer, too many sites. Today I tend to use phrases, sometimes nonsensical ones.

    But it’s a real pain. You have to write them all down in an organized manner. An address book helps keep that organized.

    As to having been hacked, the only times I’m aware of have been when the so-called secure corporate web servers were breached. Had that happen with a debit card pin 40 years ago; they cracked a bank server. Just this past month, I’ve received multiple notices from financial and health records companies that my data (and lots of others) was breached. Ironically, I first received notice from a privacy manager that found my SSN on the dark web. Not much you can do personally when the data is being stolen from the corporations. While it’s a pain, what you can do is put two factor authorization on your financial stuff and have text notifications to your smart phone for every transaction. Then you can at least react quickly.

    And I will admit at least the financial institutions are trying to combat fraud because it accounts for big losses to them. They do flag suspicious activity. I’ve even had them flag legit transactions as questionable.

    You just have to be vigilant.


  14. - Give Us Barabbas - Tuesday, Oct 15, 24 @ 11:24 am:

    I generate passphrases by picking a favorite song and using the first letter of each word in the chorus or a verse. I find this way easier to recall than a random string of letters and numbers, yet I can make the passphrase very long.

    I am driven crazy however by all the passwords and two factor authentication required to stream football on my TV; it’s more complicated than launching nuclear missiles.


  15. - Leap Day William - Tuesday, Oct 15, 24 @ 11:49 am:

    You can and should have unique passwords for each and every account you have. Use a password manager. They’re plug-and-play into most browsers these days. Mine has over 300-some accounts from every website I’ve encountered in the past almost decade.

    Run your email address through haveibeenpwned.com to see what compromises are out there you aren’t aware of. Your account being compromised on one site often leads to it being compromised elsewhere when you use the same password. It’s called credential stuffing and happens pretty regularly.

    Use two factor authentication on every possible account that supports it, so even if the password ends up compromised they still can’t get in without that code. Do it for everything, not just financial stuff.

    My dad recently lost his facebook account (“lost” being used quite liberally here, I happen to think it’s a net gain for him, but anyway…) because of credential stuffing and not having 2FA turned on, despite me repeatedly trying to get him to change his habits.

    Assume your SSN is already compromised, because it most definitely is, and do a freeze on your credit reports.
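The credential stuffing described in the comment above (one compromised password tried against many other sites and accounts) has a recognizable shape on the defending side: one source address attempting logins for many distinct usernames in a short window, mostly failing, occasionally succeeding. The following is an added example, not code from the original post or from Capitol Fax, showing how that pattern can be flagged in a small auth log. The log lines, IP addresses, usernames and the `ip=... user=... result=...` format are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system). The first source
# address tries seven different usernames in a few seconds and gets one hit;
# the second is one user fumbling their own password, then succeeding.
SAMPLE_LOG = """\
2024-10-15T09:20:01Z ip=203.0.113.7 user=alice result=fail
2024-10-15T09:20:02Z ip=203.0.113.7 user=bob result=fail
2024-10-15T09:20:02Z ip=203.0.113.7 user=carol result=fail
2024-10-15T09:20:03Z ip=203.0.113.7 user=dave result=success
2024-10-15T09:20:04Z ip=203.0.113.7 user=erin result=fail
2024-10-15T09:20:05Z ip=203.0.113.7 user=frank result=fail
2024-10-15T09:20:06Z ip=203.0.113.7 user=grace result=fail
2024-10-15T09:21:00Z ip=198.51.100.4 user=alice result=fail
2024-10-15T09:21:30Z ip=198.51.100.4 user=alice result=fail
2024-10-15T09:22:00Z ip=198.51.100.4 user=alice result=success
"""

# Assumed line format for this example only.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Flag source IPs that tried at least `min_distinct_users` different
    usernames inside any sliding `window`. Returns {ip: summary}, where the
    summary covers the busiest window seen for that IP."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Advance the window start so it spans at most `window` seconds.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {
                    "distinct_users": len(users),
                    "failures": sum(e["result"] == "fail" for e in span),
                    # Accounts the attacker actually got into: reset + 2FA first.
                    "successes": sorted(e["user"] for e in span if e["result"] == "success"),
                }
        if best is not None:
            alerts[ip] = best
    return alerts


if __name__ == "__main__":
    for ip, summary in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

The single-user address is deliberately not flagged: repeated failures on one account are a different detector (brute force or a forgotten password), and mixing the two produces noise. The accounts listed under `successes` are the ones a defender acts on first, since those are exactly the reused passwords the comment describes.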


  16. - bhartbanjo - Tuesday, Oct 15, 24 @ 12:31 pm:

    I’ve been wondering about the Historical Society.

    I can assume that my SSN is out there. I was one of the many who had unemployment claims done in my name back about 4 years ago. I have frozen my credit reports ever since.


  17. - twowaystreet - Tuesday, Oct 15, 24 @ 12:37 pm:

    I have multiple times. It was all recently, in a month span.

    Netflix twice and Disney + another time. I will say, they were really good about alerting me to the logins so I could reset my passwords and block the person.

    Also, ChrisB I relate deeply to your exhaustion. I refuse to download any new apps or create accounts these days. Every company big or small has an app just for the sake of having an app. Just give me a punch card or I’ll forgo the discounts.

    I’ve been trying to limit my phone usage to calls/texts these days. Unless I need to check something on the go, I try to force myself to use a computer. I can’t say I’m always successful but I am trying to be more thoughtful about it.


  18. - Candy Dogood - Tuesday, Oct 15, 24 @ 12:54 pm:

    ===Have any of your passwords ever been hacked? Tell us about it. ===

    I have misgivings about using the term hacked in this kind of instance because in most cases my passwords and corresponding email addresses have been compromised by the website or service provider failing to have adequate security protocols and in some cases — any — security protocols. I believe this is largely due to the lack of meaningful consequences for neglect of basic security protocols.

    In addition to having credit card information stolen and used for unauthorized purchases, I have also had a streaming account hijacked for a few weeks before I was able to take the time to recover it.

    Two factor authentication is an imperative.

    ===The reason? Mostly laziness.===

    I also reject the implication that the fault be placed on the user. My accounts have still been compromised. My information and email addresses have still wound up for sale on the dark web. My credit card and other financial and biometric data is for sale on the dark web and it isn’t because I am lazy.

    It is the for profit companies that in many instances have just let a malicious actor do the technological equivalent of walk in the front door and carry out all of their files.

    This narrative that it is the end user’s fault is victim blaming to distract from who is actually responsible for why troves of personal information are available online.

    Change the law so that people wind up in prison or companies pay serious fines when they decide to let user information be easily stolen.

    It’s a lot easier to compromise someone’s account if they use the same password over, and over, and over again — but maybe the problem is how their password and email got out there the first time, or the 2nd time, or the 3rd time.

    Also — no amount of password uniqueness is going to stop a phishing attack from working. Only 2 factor authentication will.


  19. - The Dude Abides - Tuesday, Oct 15, 24 @ 2:05 pm:

    To the people advocating for MFA using a text message - you are just as short-sighted as the people who repeat passwords.

    Bad actors can easily both compromise the password and intercept the verification text.

    I too utilize a PW manager for the hundreds of websites and apps I utilize. Been using it for almost a decade, and to this day would not be able to get by without it.


  20. - thechampaignlife - Tuesday, Oct 15, 24 @ 4:32 pm:

    A relative had their Facebook account stolen because they shared the MFA code with the scammer and had an old email address assigned to the account. Despite our best efforts to recover the account, we ended up in a loop where the only recovery method that worked was to send an email to either the current scammer account or the old non-working email address. Their post history has changed into some spammy filth, and no amount of others reporting the account was able to shut it down despite a clear difference in posts, photos, and login locations.

    I really think the solution to all this data getting breached everywhere is a virtualized data service similar to a virtual credit card number. My utility company does not need my actual SSN 99% of the time. They may need it to sue me if I am late on payments, but otherwise they just need a unique identifier to prove that I am a real person. So, I just need a PayPal-type service where I prove to them who I am and they vouch for me to the various companies who need to know I am a real person.

    Same goes for email addresses. Most businesses should not actually possess my email address. I should be able to generate a unique virtual email address for each company who wants to send me information and have it routed to my actual email account. If that virtual email address is compromised in a breach, I can simply replace it with a new one without affecting email coming from any other source or subjecting me to tons of spam.

    Same goes for mailing address. Amazon does not need to store my mailing address. They can store a unique identifier which they use to pull my address at checkout so I can confirm the delivery address and they can print the label. So the actual address is only on their server for maybe 15 minutes, I get my product, and they don’t have to worry about a breach affecting millions of customers.
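The per-company virtual email address proposed in the comment above is essentially an alias table in front of one real inbox, and the useful properties are that each alias can be revoked on its own and that an alias turning up in spam identifies which company leaked it. The following is an added example, not code from the original post or from Capitol Fax, sketching that service; the class name, the `alias.example` domain and the sample company names are assumptions made for the example.

```python
import secrets


class AliasService:
    """One real inbox behind many per-company aliases (constructed example).

    Each company is issued its own random alias. Mail to an alias is routed to
    the real address; mail to a revoked or unknown alias is dropped. Because an
    alias is handed to exactly one company, its appearance in a breach dump or
    spam run tells you who leaked it without exposing the real address."""

    def __init__(self, real_address, domain="alias.example"):
        self.real_address = real_address
        self.domain = domain
        self._owner = {}    # alias -> company (includes revoked aliases, for attribution)
        self._active = {}   # company -> currently valid alias

    def issue(self, company):
        """Create a fresh alias for `company`, replacing any earlier one."""
        alias = f"{secrets.token_hex(6)}@{self.domain}"
        self._owner[alias] = company
        self._active[company] = alias
        return alias

    def revoke(self, company):
        """Stop delivering mail sent to the company's current alias."""
        self._active.pop(company, None)

    def rotate(self, company):
        """Replace a compromised alias: the old one stops routing, the rest are untouched."""
        self.revoke(company)
        return self.issue(company)

    def route(self, to_address):
        """Return the real delivery address, or None if the alias is unknown or revoked."""
        company = self._owner.get(to_address)
        if company is None or self._active.get(company) != to_address:
            return None
        return self.real_address

    def leak_source(self, alias):
        """Name the company an alias was issued to, even after it was revoked."""
        return self._owner.get(alias)


def demo():
    svc = AliasService("me@example.org")
    utility = svc.issue("utility-co")
    retailer = svc.issue("retailer")
    before = svc.route(utility)              # delivered
    fresh = svc.rotate("utility-co")         # utility alias appeared in a breach
    after_old = svc.route(utility)           # old alias now dropped
    after_new = svc.route(fresh)             # new alias delivered
    unaffected = svc.route(retailer)         # other company untouched
    return before, after_old, after_new, unaffected, svc.leak_source(utility)


if __name__ == "__main__":
    print(demo())
```

The routing layer is what a real provider would have to run; the point of the example is that revocation and breach attribution fall out of the one-alias-per-company rule, which is what makes the scheme different from simply sharing one address everywhere.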


  21. - Demoralized - Tuesday, Oct 15, 24 @ 4:49 pm:

    Star Wars is great history. Just sayin’.


