Old 02-01-2023, 09:07 AM   #1
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Don't Get Hacked: Practice Better Password Management, Please

Occasionally we see long-term legit user accounts start posting spam out of nowhere and I have to imagine it's due to poor password practice. We then have to ban these accounts. You might say, just email them to reset their password. Well, that might work, but oftentimes the spammer will replace all the user's data with spam links so we have no way to contact the user. And even if the email is still legit, we can't wait for them to maybe respond and let the spammer spam more.

Anyway, if you don't want your account to be at risk of being hacked, please make sure you are practicing good password management. There are plenty of sites out there listing what you should do and not do, but here's a list off the top of my head:
  • don't use too easy of a password, like password or 12345678
  • don't use the same password for different sites
  • the longer the better, consider passphrases (I find that 13 characters often gets me the green strength bar)
  • don't just use alphanumerics, use special characters too
  • use multifactor authentication (MFA) where possible (I imagine a lot of people choose not to use it as it can be a pain, but one day it might save you a huge headache)
  • use phone app authenticators, like Google Authenticator
  • if something is really important, change at least part of that password every once in a while (sometimes a site will force you to change a password every 90 days, but once a year or two is better than never)
  • use a password manager, like BitWarden or an alternative, to keep randomly generated passwords for sites that wouldn't be a huge headache even if they did get hacked
  • and for those most important of passwords, it's probably best to only keep them in your head, with a hints file somewhere, if necessary, that would only make sense to you

EDIT: Actually, maybe don't use MFA / 2FA, read this.

Last edited by kq76; 07-18-2024 at 12:05 PM. Reason: replaced LastPass with BitWarden and added note about keeping some only in your head
kq76 is offline   Reply With Quote
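The points in the list above (length, character classes, randomly generated passwords from a manager, passphrases) and the "1234567890" example that comes up later in the thread can be checked mechanically. The following is an added example, not code from the forum or from any password manager; the common-password list, the sequence table and the 16-word list are small constructed samples, and a real check would use a breach corpus and a word list such as the EFF long list.

```python
"""Password hygiene checks and generators (added example, not the forum's code).

COMMON_PASSWORDS, SEQUENCES and SAMPLE_WORDS are small constructed samples;
a real check uses a breach corpus with millions of entries and a passphrase
generator uses a list such as the EFF long word list (7776 words).
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALL_CLASSES = LOWER + UPPER + DIGITS + SYMBOLS

# Constructed sample of leaked/common passwords (compared lower-cased).
COMMON_PASSWORDS = {"password", "12345678", "123456", "qwerty", "letmein",
                    "baseball", "iloveyou", "abc123"}

# Counting runs and keyboard rows. A password that is a substring of one of
# these (or of its reverse) is a sequence, not a random string, however long.
SEQUENCES = ("01234567890123456789", LOWER * 2, "qwertyuiop", "asdfghjkl", "zxcvbnm")

# Constructed 16-word sample: only 4 bits per word, which is why a real
# word list needs thousands of entries.
SAMPLE_WORDS = ["apple", "bridge", "carbon", "desert", "ember", "falcon", "granite",
                "harbor", "island", "jungle", "kettle", "lantern", "meadow",
                "nickel", "orbit", "pepper"]


def charset_size(pw):
    """Size of the class mix the password draws from (26, 36, 62, 94, ...)."""
    size = 0
    if any(c in LOWER for c in pw):
        size += len(LOWER)
    if any(c in UPPER for c in pw):
        size += len(UPPER)
    if any(c in DIGITS for c in pw):
        size += len(DIGITS)
    if any(c in SYMBOLS for c in pw):
        size += len(SYMBOLS)
    if any(c not in ALL_CLASSES for c in pw):  # space, non-ASCII: count as one extra symbol
        size += 1
    return size


def entropy_bits(pw):
    """Upper bound on strength: only valid if every character was picked at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def is_sequence(pw):
    """True for counting runs and keyboard rows such as 1234567890 or qwertyuiop."""
    s = pw.lower()
    return len(s) >= 4 and any(s in seq or s[::-1] in seq for seq in SEQUENCES)


def weaknesses(pw, min_bits=60):
    """Reasons a password is weak; an empty list means none of these checks fired."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if is_sequence(pw):
        problems.append("keyboard or counting sequence")
    if pw and len(set(pw)) == 1:
        problems.append("single repeated character")
    bits = entropy_bits(pw)
    if bits < min_bits:
        problems.append("only %.0f bits of entropy (< %d)" % (bits, min_bits))
    return problems


def generate_password(length=16):
    """Random password drawn from all four classes, guaranteed to contain each of them."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(ALL_CLASSES) for _ in range(length))
        if charset_size(pw) == len(ALL_CLASSES):
            return pw


def generate_passphrase(n_words=5, words=SAMPLE_WORDS):
    """Diceware-style passphrase; its strength comes from the list size (see passphrase_bits)."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words, wordlist_size):
    """Entropy of a random passphrase: 6 words from a 7776-word list is about 78 bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate in ("password", "1234567890", "Passw0rd!", generate_password(13)):
        print("%-24s %5.1f bits  %s" % (candidate, entropy_bits(candidate),
                                       weaknesses(candidate) or "ok"))
    print(generate_passphrase(5),
          "(%.0f bits with this sample list)" % passphrase_bits(5, len(SAMPLE_WORDS)))
```

The entropy figure is an upper bound that only holds for randomly generated strings; for a passphrase built from dictionary words, use `passphrase_bits` with the real list size instead of counting characters, because an attacker guesses words, not letters.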
Old 02-01-2023, 11:13 AM   #2
eriqjaffe
Hall Of Famer
 
Join Date: May 2003
Location: Under The Christmas Fish
Posts: 7,629
This is all very, very good information.

Quote:
Originally Posted by kq76 View Post
use a password manager, like lastpass.com or an alternative
I would advise against LastPass, as they've had a number of data leaks and breaches over the years.

https://www.cnet.com/tech/services-a...eir-passwords/

Personally, I'm a fan of BitWarden which is also free. For the more technically inclined there is KeePass, which is more secure since it doesn't store your data in the cloud, but the tradeoff is that the cloud-based services are a heck of a lot more convenient.

If you opt for a cloud-based password manager I would also strongly suggest enabling MFA (multi-factor authentication) on it. And, honestly, I'd enable MFA everywhere that supports it.
Last edited by eriqjaffe; 02-01-2023 at 11:14 AM.
eriqjaffe is offline   Reply With Quote
Old 02-01-2023, 11:30 AM   #3
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Thanks, eriq! You're right, I should switch. Thanks for recommending BitWarden. I saw some headlines a while ago about LP and figured I should look into others, but didn't for whatever reason. I'll try BitWarden now.
kq76 is offline   Reply With Quote
Old 02-01-2023, 12:22 PM   #4
Déjà Bru
Hall Of Famer
 
Join Date: Apr 2009
Location: Long Island
Posts: 11,283
Here's the deal with those online password managers: They are accessible to hackers who are just as good at what they do as the security programmers.

So my preference is for Password Safe, for this reason: I control the data file. The program makes an encrypted file of all of your passwords so that you only have to remember one master password. Mine is 18 characters and I could type it out in my sleep.

But the crucial difference is, unless some professional hacks into my laptop, finds this file, and solves an 18-character password, there is little chance of chicanery. Being a small fry, I doubt anyone will take the time and effort in my case.

"Whoa, buster. That's fine for your laptop. What about your phone?"

Well, it so happens that another kind soul, and again for free, has designed an app for Password Safe. The only trick is, when I update my passwords file on my laptop, I must remember to copy the file to my Google Drive. Then I download it from my drive to my phone, overwriting the old file. Of course, the file on Google Drive is immediately and permanently trashed.

I do NOT allow browsers to remember my login data. That's asking for trouble. Yes, it's a minor hassle to need to open Password Safe and copy over the data (it does have a nifty, customizable auto-type feature, though) but I would rather do that than clean up after a data breach. Over the long run, you think BitWarden is going to be any better than LastPass in that regard?

I come across discussions like this in various places. I am surprised that Password Safe gets so little mention. Why is that? Because of the extra little work that is involved. Sad, really.


Name:  th-1347467168.jpg
Views: 1323
Size:  11.6 KB
__________________

- Bru


Déjà Bru is offline   Reply With Quote
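The local-file model described in the post above (and the KeePass remark earlier in the thread) rests on two things: the master password is stretched with a slow key-derivation function, and the file is authenticated so tampering is detected. The block below is an added example of that design, not Password Safe's or KeePass's actual file format (the `XVLT1` magic and the layout are hypothetical). Because the Python standard library has no AES, the stream cipher here is HMAC-SHA256 in counter mode, a standard PRF construction that stands in for the AES mode a real vault would use.

```python
"""Local password vault: scrypt master-key derivation + encrypt-then-MAC.

Added example, not Password Safe's or KeePass's format. Standard library only:
the stdlib has no AES, so the keystream is HMAC-SHA256 in counter mode (a PRF
construction that is sound with a fresh nonce, but not what real vaults use).
File layout (hypothetical): MAGIC | salt(16) | nonce(16) | ciphertext | tag(32).
"""
import hashlib
import hmac
import os
import struct
import time

MAGIC = b"XVLT1"  # hypothetical magic for this example's format
SALT_LEN, NONCE_LEN, TAG_LEN = 16, 16, 32
# scrypt cost: N=2**14, r=8 needs 16 MiB and tens of milliseconds per call, so an
# attacker holding a stolen file pays that for every candidate master password.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                        maxmem=64 * 1024 * 1024, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 counter mode: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(master_password, plaintext):
    """Encrypt-then-MAC the vault contents with fresh random salt and nonce."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(master_password, blob):
    """Verify the tag in constant time before decrypting; wrong password and tampering look alike."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, blob[:hdr_len] + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or file tampered with")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def time_one_guess():
    """Seconds one scrypt derivation takes on this machine (one attacker guess)."""
    t0 = time.perf_counter()
    derive_keys("timing-probe", b"\x00" * SALT_LEN)
    return time.perf_counter() - t0


def guess_cost_years(password_len, charset_size, seconds_per_guess):
    """Expected years to brute-force the master password offline (half the keyspace)."""
    guesses = charset_size ** password_len / 2
    return guesses * seconds_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    blob = seal_vault("correct horse", b"example.com: hunter2\n")  # constructed sample entry
    print(open_vault("correct horse", blob))
    per_guess = time_one_guess()
    print("%.3f s per guess; 18 random chars from 94: %.1e years" %
          (per_guess, guess_cost_years(18, 94, per_guess)))
```

The cost estimate only holds for a master password that is actually random over the 94-character set; a dictionary-derived or pattern-based master password collapses the keyspace, which is the attacker's real hope once they hold the file.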
Old 02-01-2023, 12:51 PM   #5
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Quote:
Originally Posted by Déjà Bru View Post
Over the long run, you think BitWarden is going to be any better than LastPass in that regard?
Maybe, maybe not. The way I look at it is password managers are another level of security and if you're using one you're probably doing at least better than you would if you didn't use one or better as you can easily have them remember long complex passwords that you couldn't and wouldn't want to bother remembering. Is it foolproof? No, of course not, but I think using them is a lot better than using passwords that can be easily brute-forced.

I don't use them for everything however. For example, my banking passwords I only use long passphrases that are only in my head. I have a hints file somewhere to remind me what they are in case I forget, but only I would be able to make sense of the hints. And on top of it I change part of them every once in a while. I think those are pretty foolproof, but with how many things we need passwords for now (I probably have well over 100 in LastPass) there's no way I would want to do that for everything.

And while your solution sounds great for you, I don't think it would work for everyone. It does sound like it's a bit more work than most people are willing to put in, but if you are willing to put in that extra effort then great. It's like how I use a program VeraCrypt to encrypt some files on my computer. It's great, but I think it's something many wouldn't want to bother with.

My opening post was more meant for those people who aren't past using really simple passwords and using the same password for most of the sites they visit. The user I banned this morning posted in a thread 2 years ago that his steam account got hacked. And maybe he was employing some good password practices, but I'd say it's more likely that he wasn't.
kq76 is offline   Reply With Quote
Old 02-02-2023, 11:39 AM   #6
Cod
All Star Starter
 
Join Date: Nov 2009
Location: Fort Worth, TX
Posts: 1,088
Quote:
Originally Posted by Déjà Bru View Post
Over the long run, you think BitWarden is going to be any better than LastPass in that regard?
I think BitWarden is much better because you can host your own instance locally without any connection to the outside world. Even if you wanted access, you could set up MAC filtering along with other safety mechanisms to avoid potential issues.

Another option is KeePass, which you can keep on a USB stick and store until you need to use again.
Cod is offline   Reply With Quote
Old 02-02-2023, 04:06 PM   #7
Pelican
Hall Of Famer
 
Join Date: Mar 2021
Location: Wilmington, Delaware
Posts: 2,886
The key here should not be on ranking the best password managers; but recognizing the risks. For many years, I used the same or similar passwords, carrying them around in my head. Then there were enough for me to have to write them down. But that list only helped at home. When away, I could be locked out. And the passwords were still way too simple. After I migrated to Apple products, I eventually discovered Keychain. This is a simple way to store the passwords I choose, accessible on all my devices, with a reasonable degree of security. Now I can use the suggested seventeen-character passwords, and never have to worry about remembering or inputting them. Of course, this amps up the importance of my Apple password - the one I have to remember. But now I can set my phone for facial ID, and my iPad for fingerprint (which works less well). No, I don't worry over thieves forcing me to access my phone, or cutting off my thumbs. It's the hidden hackers I'm trying to beat.
__________________
Pelican
OOTP 2020-?
”Hard to believe, Harry.”
Pelican is offline   Reply With Quote
Old 02-03-2023, 11:19 AM   #8
The Game
Hall Of Famer
 
Join Date: Feb 2012
Location: Inside The Game
Posts: 30,937
"like password or 12345678"
Mine is 1234567890; it's harder and people don't think to put 0 after 9.
__________________
Go today don't wait for tomorrow
It isn't promised, all the time you get borrowed
Don't live your life for other people
Don't bottle your emotions till they crack and fill a couple just sorrows
Take your mind and refocus go get a paper write your goals out
Throw your middle fingers to all your haters


"Stay Strong"


The Game is offline   Reply With Quote
Old 02-04-2023, 01:48 PM   #9
pauwoo
Hall Of Famer
 
Join Date: Oct 2014
Location: Seattle
Posts: 2,255
Quote:
Originally Posted by The Game View Post
"like password or 12345678"
Mine is 1234567890; it's harder and people don't think to put 0 after 9.
Yes! Best reply ever.
__________________
Be excellent to each other.

the Portland Pioneers | the Los Angeles Leopards
pauwoo is offline   Reply With Quote
Old 10-12-2023, 11:00 AM   #10
Patsy Tebeau
All Star Starter
 
Join Date: Aug 2023
Location: Wilkes-Barre, PA
Posts: 1,031
Who has enough free time to care enough to hack someone's ootp forum account lol
__________________

They say follow your heart
Follow it through
But how can you
When you're split in two?
Patsy Tebeau is online now   Reply With Quote
Old 01-06-2024, 11:51 AM   #11
Cod
All Star Starter
 
Join Date: Nov 2009
Location: Fort Worth, TX
Posts: 1,088
Quote:
Originally Posted by gustav View Post
My problem is that I often forget my passwords
Use a password manager. Then you only have to remember one password.
Cod is offline   Reply With Quote
Old 01-07-2024, 04:02 AM   #12
The Game
Hall Of Famer
 
Join Date: Feb 2012
Location: Inside The Game
Posts: 30,937
Quote:
Originally Posted by Cod View Post
Use a password manager. Then you only have to remember one password.
My sister is my password manager. Her ideas for passwords are great. Of course I have to put them all on paper and my phone in case I get logged out. The passwords I create all revolve around players in my leagues. You would have to really follow my dynasty threads and know the backstory of the players I use passwords of. The only account I have ever had hacked was FB 10+ years ago and it was a simple PW.
The Game is offline   Reply With Quote
Old 02-09-2024, 06:49 AM   #13
cake00
Bat Boy
 
Join Date: Jan 2024
Location: london
Posts: 5
Quote:
Originally Posted by Déjà Bru View Post
...
Your approach with Password Safe seems solid, especially with the emphasis on control and minimizing the attack surface. While online password managers have their conveniences, the trade-off with potential vulnerabilities is a real concern. Your method of managing the encrypted file locally and being mindful of syncing it to your phone via Google Drive provides a good balance of security and convenience. It's a bit more manual, but the added control might be worth the effort, especially for those who prioritize security over seamless integration. It's interesting how some effective solutions get less attention, possibly due to the extra steps involved, even though they offer a robust approach to password management.

Last edited by kq76; 02-21-2024 at 01:04 AM. Reason: removed quote
cake00 is offline   Reply With Quote
Old 02-21-2024, 12:25 AM   #14
oothomas
Bat Boy
 
Join Date: Feb 2024
Posts: 10
I'm also a long-time fan of Bitwarden, until I start to experience some bugs. I am now using the free version of Proton Pass, and I am pretty happy with it.
oothomas is offline   Reply With Quote
Old 07-18-2024, 10:42 AM   #15
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Recently I became aware of sim swap scams (it didn't happen to me, it just appeared in my youtube feed) and how they make MFA or 2FA not as safe as we once thought. Anyway, if you don't know about them, I highly recommend you look into them. I watched multiple videos on the topic and the best by far was, surprisingly, this one by a librarian.
kq76 is offline   Reply With Quote
Old 07-18-2024, 01:08 PM   #16
Syd Thrift
Hall Of Famer
 
Join Date: May 2004
Posts: 10,607
It’s still a significant extra step. Like no, it doesn’t make an account unhackable -nothing does that - but most security centers not so much around making an organization impervious to hacking attempts so much as it does around it being so laborious to try that all but the most dedicated hackers are dissuaded (which of course is a constantly escalating issue itself, since if one dedicated hacker writes a script that overcomes a hurdle quickly, that is no longer much of a hurdle anymore).
__________________
Quote:
Originally Posted by Markus Heinsohn
You bastard....
The Great American Baseball Thrift Book - Like reading the Sporting News from back in the day, only with fake players. REAL LIFE DRAMA THOUGH maybe not
Syd Thrift is offline   Reply With Quote
Old 07-18-2024, 01:16 PM   #17
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Quote:
Originally Posted by Syd Thrift View Post
It’s still a significant extra step. Like no, it doesn’t make an account unhackable -nothing does that - but most security centers not so much around making an organization impervious to hacking attempts so much as it does around it being so laborious to try that all but the most dedicated hackers are dissuaded (which of course is a constantly escalating issue itself, since if one dedicated hacker writes a script that overcomes a hurdle quickly, that is no longer much of a hurdle anymore).
Are you talking about MFA / 2FA wrt sim swap scams or the better password management topic in general? Because for me, I honestly thought MFA was maybe the pinnacle of security, but now it sure sounds like if they're successfully able to swap your sim card and you rely on MFA, then you're screwed. Am I mistaken? I get it, to be safe you should follow the steps on the placard she holds up at 9:31, but I still find it scary and makes me think I should disable MFA at least for my banking.

I'd love to get eriq's take on this too, and anyone else who's more knowledgeable than myself on this.

I also added the point about phone app authenticators to the OP. I knew about them before, but I didn't think to add the point and with some of the videos I recently watched it sounds like they're the pinnacle, not MFA.
kq76 is offline   Reply With Quote
Old 07-18-2024, 01:22 PM   #18
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
I should also point out that just this morning a regular user who was hacked a while ago got their account back. We unbanned it and deleted the posts that were made by the hacker. I don't want to out them in case they might be embarrassed by it. But yeah, if anyone doesn't think this happens, it definitely does.
kq76 is offline   Reply With Quote
Old 07-19-2024, 07:02 PM   #19
Syd Thrift
Hall Of Famer
 
Join Date: May 2004
Posts: 10,607
Quote:
Originally Posted by kq76 View Post
Are you talking about MFA / 2FA wrt sim swap scams or the better password management topic in general? Because for me, I honestly thought MFA was maybe the pinnacle of security, but now it sure sounds like if they're successfully able to swap your sim card and you rely on MFA, then you're screwed. Am I mistaken? I get it, to be safe you should follow the steps on the placard she holds up at 9:31, but I still find it scary and makes me think I should disable MFA at least for my banking.

I'd love to get eriq's take on this too, and anyone else who's more knowledgeable than myself on this.

I also added the point about phone app authenticators to the OP. I knew about them before, but I didn't think to add the point and with some of the videos I recently watched it sounds like they're the pinnacle, not MFA.
I’m talking about sim swap scams. Yes, they mean MFA is not inviolable but it’s still a major step for a potential hacker to take and for the vast majority of users and companies that’s enough for them to not bother. If you’re Visa or the US gold reserve, sure, you need more. I’ve worked at multiple places who used a dongle and I think those are also hard (although I’m sure not impossible) to spoof or bypass.
Syd Thrift is offline   Reply With Quote
Old 07-19-2024, 08:26 PM   #20
kq76
Global Moderator
 
Join Date: Nov 2002
Posts: 11,695
Well, the thing about sim swap scams that scares me more than most is you don't even have to do anything stupid or fall for anything, the scammer simply needs to convince the phone company that they're you and that you got a new phone, theirs. Now yeah, they still need to be able to answer some private info questions, but how hard is that really? I remember at least one time I was on the phone with my bank trying to prove I was me and I couldn't remember the answers to their questions, but they led me to the answer. Afterwards I thought to myself, "well, I'm glad I got this resolved, but they probably shouldn't have okayed me". I'd think that a phone company employee might be even less strict than a bank one. Hopefully they're all being trained well enough on this.
kq76 is offline   Reply With Quote
Major League and Minor League Baseball trademarks and copyrights are used with permission of Major League Baseball. Visit MLB.com and MiLB.com.

Officially Licensed Product – MLB Players, Inc.

Out of the Park Baseball is a registered trademark of Out of the Park Developments GmbH & Co. KG

Google Play is a trademark of Google Inc.

Apple, iPhone, iPod touch and iPad are trademarks of Apple Inc., registered in the U.S. and other countries.

COPYRIGHT © 2023 OUT OF THE PARK DEVELOPMENTS. ALL RIGHTS RESERVED.

 

Powered by vBulletin® Version 3.8.10
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
Copyright © 2024 Out of the Park Developments