Don't Get Hacked: Practice Better Password Management, Please

kq76 · 02-01-2023, 09:07 AM

Occassionally we see long-term legit user accounts start posting spam out of nowhere and I have to imagine it's due to poor password practice. We then have to ban these accounts. You might say, just email them to reset their password. Well, that might work, but oftentimes the spammer will replace all the user's data with spam links so we have no way to contact the user. And even if the email is still legit, we can't wait for them to maybe respond and let the spammer spam more.

Anyway, if you don't want your account to be at risk of being hacked, please make sure you are practicing good password management. There are plenty of sites out there listing what you should do and not do, but here's a list off the top of my head:

don't use too easy of a password, like password or 12345678
don't use the same password for different sites
the longer the better, consider passphrases (I find that 13 characters often gets me the green strength bar)
don't just use alphanumerics, use special characters too
use multifactor authentication (MFA) where possible (I imagine a lot of people choose not to use it as it can be a pain, but one day it might save you a huge headache)
use phone app authenticators, like Google Authenticator
if something is really important, change at least part of that password every once in awhile (sometimes a site will force you to change a password every 90 days, but once a year or two is better than never)
use a password manager, like BitWarden or an alternative, to keep randomly generated passwords for sites that wouldn't be a huge headache even if they did get hacked
and for those most important of passwords, it's probably best to only keep them in your head, with a hints file somewhere, if necessary, that would only make sense to you

EDIT: Actually, maybe don't use MFA / 2FA, read this.

eriqjaffe · 02-01-2023, 11:13 AM

This is all very, very good information.

Quote:

Originally Posted by kq76

use a password manager, like lastpass.com or an alternative

I would advise against LastPass, as they've had a number of data leaks and breaches over the years.

https://www.cnet.com/tech/services-a...eir-passwords/

Personally, I'm a fan of BitWarden which is also free. For the more technically inclined there is KeePass, which is more secure since it doesn't store your data in the cloud, but the tradeoff is that the cloud-based services are a heck of a lot more convenient.

If you opt for a cloud-based password manager I would also strongly suggest enabling MFA (multi-factor authentication) on it. And, honesty, I'd enable MFA everywhere that supports it.

kq76 · 02-01-2023, 11:30 AM

Thanks, eriq! You're right, I should switch. Thanks for recommending BitWarden. I saw some headlines awhile ago about LP and figured I should look into others, but didn't for whatever reason. I'll try BitWarden now.

Déjà Bru · 02-01-2023, 12:22 PM

Here's the deal with those online password managers: They are accessible to hackers who are just as good at what they do as the security programmers.

So my preference is for Password Safe, for this reason: I control the data file. The program makes an encrypted file of all of your passwords so that you only have to remember one master password. Mine is 18 characters and I could type it out in my sleep.

But the crucial difference is, unless some professional hacks into my laptop, finds this file, and solves an 18-character password, there is little chance of chicanery. Being a small fry, I doubt anyone will take the time and effort in my case.

"Whoa, buster. That's fine for your laptop. What about your phone?"

Well, it so happens that another kind soul, and again for free, has designed an app for Password Safe. The only trick is, when I update my passwords file on my laptop, I must remember to copy the file to my Google Drive. Then I download it from my drive to my phone, overwriting the old file. Of course, the file on Google Drive is immediately and permanently trashed.

I do NOT allow browsers to remember by login data. That's asking for trouble. Yes, it's a minor hassle to need to open Password Safe and copy over the data (it does have a nifty, customizeable auto-type feature, though) but I would rather do that than cleaning up after a data breach. Over the long run, you think BitWarden is going to be any better than LastPass in that regard?

I come across discussions like this in various places. I am surprised that Password Safe gets so little mention. Why is that? Because of the extra little work that is involved. Sad, really.

Name: th-1347467168.jpg
Views: 1323
Size: 11.6 KB

Name: th-1347467168.jpg
Views: 1323
Size: 11.6 KB

kq76 · 02-01-2023, 12:51 PM

Quote:

Originally Posted by Déjà Bru

Over the long run, you think BitWarden is going to be any better than LastPass in that regard?

Maybe, maybe not. The way I look at it is password managers are another level of security and if you're using one you're probably doing at least better than you would if you didn't use one or better as you can easily have them remember long complex passwords that you couldn't and wouldn't want to bother remembering. Is it full proof? No, of course not, but I think using them is a lot better than using passwords that can be easily brute-forced.

I don't use them for everything however. For example, my banking passwords I only use long passphrases that are only in my head. I have a hints file somewhere to remind me what they are in case I forget, but only I would be able to make sense of the hints. And on top of it I change part of them every once in awhile. I think those are pretty full proof, but with how many things we need passwords for now (I probably have well over 100 in lastpass) there's no way I would want to do that for everything.

And while your solution sounds great for you, I don't think it would work for everyone. It does sound like it's a bit more work than most people are willing to put in, but if you are willing to put in that extra effort then great. It's like how I use a program VeraCrypt to encrypt some files on my computer. It's great, but I think it's something many wouldn't want to bother with.

My opening post was more meant for those people who aren't past using really simple passwords and using the same password for most of the sites they visit. The user I banned this morning posted in a thread 2 years ago that his steam account got hacked. And maybe he was employing some good password practices, but I'd say it's more likely that he wasn't.

Cod · 02-02-2023, 11:39 AM

Quote:

Originally Posted by Déjà Bru

Over the long run, you think BitWarden is going to be any better than LastPass in that regard?

I think BitWarden is much better because you can host your own instance locally without any connection to the outside world. Even if you wanted access, you could setup Mac filtering along with other safety mechanisms to avoid potential issues.

Another option is KeePass, which you can keep on a USB stick and store until you need to use again.

Pelican · 02-02-2023, 04:06 PM

The key here should not be on ranking the best password managers; but recognizing the risks. For many years, I used the same or similar passwords, carrying them around in my head. Then there were enough for me to have to write them down. But that list only helped at home. When away, I could be locked out. And the passwords were still way too simple. After I migrated to Apple products, I eventually discovered Keychain. This is a simple way to store the passwords I choose, accesible on all my devices, with a reasonable degree of security. Now I can use the suggested seventeen-character passwords, and never have to worry about remembering or inputting them. Of course, this amps up the importance of my Apple password - the one I have to remember. But now I can set my phone for facial ID, and my ipad for fingerprint (which works less well). No, I don’t worry over thieves forcing me to access my phone, or cutting off my thumbs. It’s the hidden hackers I’m trying to beat.

The Game · 02-03-2023, 11:19 AM

"like password or 12345678"
mine is 1234567890 its harder and people dont think to put 0 after 9.

pauwoo · 02-04-2023, 01:48 PM

Quote:

Originally Posted by The Game

"like password or 12345678"
mine is 1234567890 its harder and people dont think to put 0 after 9.

Yes! Best reply ever.

Patsy Tebeau · 10-12-2023, 11:00 AM

Who has enough free time to care enough to hack someone's ootp forum account lol

Cod · 01-06-2024, 11:51 AM

Quote:

Originally Posted by gustav

My problem is that I often forget my passwords

Use a password manager. Then you only have to remember one password.

The Game · 01-07-2024, 04:02 AM

Quote:

Originally Posted by Cod

Use a password manager. Then you only have to remember one password.

My sister is my password manger. Her ideas for passwords are great. of course i have to put them all on paper and my phone in case i get logged out. the passwords i create all revolve around players in my leagues. You would have to really follow my dynasty threads and know the backstory of the players i use passwords of.Only account i have ever had hacked was FB 10+ years ago and it was a simple PW.

cake00 · 02-09-2024, 06:49 AM

Quote:

Originally Posted by Déjà Bru

...

Your approach with Password Safe seems solid, especially with the emphasis on control and minimizing the attack surface. While online password managers have their conveniences, the trade-off with potential vulnerabilities is a real concern. Your method of managing the encrypted file locally and being mindful of syncing it to your phone via Google Drive provides a good balance of security and convenience. It's a bit more manual, but the added control might be worth the effort, especially for those who prioritize security over seamless integration. It's interesting how some effective solutions get less attention, possibly due to the extra steps involved, even though they offer a robust approach to password management.

oothomas · 02-21-2024, 12:25 AM

I'm also a long-time fan of Bitwarden, until I start to experience some bugs. I am now using the free version of Proton Pass, and I am pretty happy with it.

kq76 · 07-18-2024, 10:42 AM

Recently I became aware of sim swap scams (it didn't happen to me, it just appeared in my youtube feed) and how they make MFA or 2FA not as safe as we once thought. Anyway, if you don't know about them, I highly recommend you look into them. I watched multiple videos on the topic and the best by far was, surprisingly, this one by a librarian.

Syd Thrift · 07-18-2024, 01:08 PM

It’s still a significant extra step. Like no, it doesn’t make an account unhackable -nothing does that - but most security centers not so much around making an organization impervious to hacking attempts so much as it does around it being so laborious to try that all but the most dedicated hackers are dissuaded (which of course is a constantly escalating issue itself, since if one dedicated hacker writes a script that overcomes a hurdle quickly, that is no longer much of a hurdle anymore).

kq76 · 07-18-2024, 01:16 PM

Quote:

Originally Posted by Syd Thrift

It’s still a significant extra step. Like no, it doesn’t make an account unhackable -nothing does that - but most security centers not so much around making an organization impervious to hacking attempts so much as it does around it being so laborious to try that all but the most dedicated hackers are dissuaded (which of course is a constantly escalating issue itself, since if one dedicated hacker writes a script that overcomes a hurdle quickly, that is no longer much of a hurdle anymore).

Are you talking about MFA / 2FA wrt sim swap scams or the better password management topic in general? Because for me, I honestly thought MFA was maybe the pinnacle of security, but now it sure sounds like if they're successfully able to swap your sim card and you rely on MFA, then you're screwed. Am I mistaken? I get it, to be safe you should follow the steps on the placard she holds up at 9:31, but I still find it scary and makes me think I should disable MFA at least for my banking.

I'd love to get eriq's take on this too, and anyone else who's more knowledgeable than myself on this.

I also added the point about phone app authenticators to the OP. I knew about them before, but I didn't think to add the point and with some of the videos I recently watched it sounds like they're the pinnacle, not MFA.

kq76 · 07-18-2024, 01:22 PM

I should also point out that just this morning a regular user who was hacked a while ago got their account back. We unbanned it and deleted the posts that were made by the hacker. I don't want to out them in case they might be embarrassed by it. But yeah, if anyone doesn't think this happens, it definitely does.

Syd Thrift · 07-19-2024, 07:02 PM

Quote:

Originally Posted by kq76

Are you talking about MFA / 2FA wrt sim swap scams or the better password management topic in general? Because for me, I honestly thought MFA was maybe the pinnacle of security, but now it sure sounds like if they're successfully able to swap your sim card and you rely on MFA, then you're screwed. Am I mistaken? I get it, to be safe you should follow the steps on the placard she holds up at 9:31, but I still find it scary and makes me think I should disable MFA at least for my banking.

I'd love to get eriq's take on this too, and anyone else who's more knowledgeable than myself on this.

I also added the point about phone app authenticators to the OP. I knew about them before, but I didn't think to add the point and with some of the videos I recently watched it sounds like they're the pinnacle, not MFA.

I’m talking about sim swap scams. Yes, they mean MFA is not inviolable but it’s still a major step for a potential hacker to take and for the vast majority of users and companies that’s enough for them to not bother. If you’re Visa or the US gold reserve, sure, you need more. I’ve worked at multiple places who used a dongle and I think those are also hard (although I’m sure not impossible) to spoof or bypass.

kq76 · 07-19-2024, 08:26 PM

Well, the thing about sim swap scams that scares me more than most is you don't even have to do anything stupid or fall for anything, the scammer simply needs to convince the phone company that they're you and that you got a new phone, theirs. Now yeah, they still need to be able to answer some private info questions, but how hard is that really? I remember at least one time I was on the phone with my bank trying to prove I was me and I couldn't remember the answers to their questions, but they lead me to the answer. Afterwards I thought to myself, "well, I'm glad I got this resolved, but they probably shouldn't have okayed me". I'd think that a phone company employee might be even less strict than a bank one. Hopefully they're all being trained well enough on this.

02-01-2023, 09:07 AM	#1
kq76 Global Moderator Join Date: Nov 2002 Posts: 11,695	Don't Get Hacked: Practice Better Password Management, Please Occassionally we see long-term legit user accounts start posting spam out of nowhere and I have to imagine it's due to poor password practice. We then have to ban these accounts. You might say, just email them to reset their password. Well, that might work, but oftentimes the spammer will replace all the user's data with spam links so we have no way to contact the user. And even if the email is still legit, we can't wait for them to maybe respond and let the spammer spam more. Anyway, if you don't want your account to be at risk of being hacked, please make sure you are practicing good password management. There are plenty of sites out there listing what you should do and not do, but here's a list off the top of my head: don't use too easy of a password, like password or 12345678 don't use the same password for different sites the longer the better, consider passphrases (I find that 13 characters often gets me the green strength bar) don't just use alphanumerics, use special characters too use multifactor authentication (MFA) where possible (I imagine a lot of people choose not to use it as it can be a pain, but one day it might save you a huge headache) use phone app authenticators, like Google Authenticator if something is really important, change at least part of that password every once in awhile (sometimes a site will force you to change a password every 90 days, but once a year or two is better than never) use a password manager, like BitWarden or an alternative, to keep randomly generated passwords for sites that wouldn't be a huge headache even if they did get hacked and for those most important of passwords, it's probably best to only keep them in your head, with a hints file somewhere, if necessary, that would only make sense to you EDIT: Actually, maybe don't use MFA / 2FA, read this. __________________ My OOTP Wishlist \| My FAQ List OOTP Wiki \| Your Recommended Team Nicknames, By City (A Crowdsourced Project) Last edited by kq76; 07-18-2024 at 12:05 PM. Reason: replaced LastPass with BitWarden and added note about keeping some only in your head

02-01-2023, 11:30 AM	#3
kq76 Global Moderator Join Date: Nov 2002 Posts: 11,695	Thanks, eriq! You're right, I should switch. Thanks for recommending BitWarden. I saw some headlines awhile ago about LP and figured I should look into others, but didn't for whatever reason. I'll try BitWarden now. __________________ My OOTP Wishlist \| My FAQ List OOTP Wiki \| Your Recommended Team Nicknames, By City (A Crowdsourced Project)

02-01-2023, 12:22 PM	#4
Déjà Bru Hall Of Famer Join Date: Apr 2009 Location: Long Island Posts: 11,283	Here's the deal with those online password managers: They are accessible to hackers who are just as good at what they do as the security programmers. So my preference is for Password Safe, for this reason: I control the data file. The program makes an encrypted file of all of your passwords so that you only have to remember one master password. Mine is 18 characters and I could type it out in my sleep. But the crucial difference is, unless some professional hacks into my laptop, finds this file, and solves an 18-character password, there is little chance of chicanery. Being a small fry, I doubt anyone will take the time and effort in my case. "Whoa, buster. That's fine for your laptop. What about your phone?" Well, it so happens that another kind soul, and again for free, has designed an app for Password Safe. The only trick is, when I update my passwords file on my laptop, I must remember to copy the file to my Google Drive. Then I download it from my drive to my phone, overwriting the old file. Of course, the file on Google Drive is immediately and permanently trashed. I do NOT allow browsers to remember by login data. That's asking for trouble. Yes, it's a minor hassle to need to open Password Safe and copy over the data (it does have a nifty, customizeable auto-type feature, though) but I would rather do that than cleaning up after a data breach. Over the long run, you think BitWarden is going to be any better than LastPass in that regard? I come across discussions like this in various places. I am surprised that Password Safe gets so little mention. Why is that? Because of the extra little work that is involved. Sad, really. __________________ - Bru

02-02-2023, 04:06 PM	#7
Pelican Hall Of Famer Join Date: Mar 2021 Location: Wilmington, Delaware Posts: 2,886	The key here should not be on ranking the best password managers; but recognizing the risks. For many years, I used the same or similar passwords, carrying them around in my head. Then there were enough for me to have to write them down. But that list only helped at home. When away, I could be locked out. And the passwords were still way too simple. After I migrated to Apple products, I eventually discovered Keychain. This is a simple way to store the passwords I choose, accesible on all my devices, with a reasonable degree of security. Now I can use the suggested seventeen-character passwords, and never have to worry about remembering or inputting them. Of course, this amps up the importance of my Apple password - the one I have to remember. But now I can set my phone for facial ID, and my ipad for fingerprint (which works less well). No, I don’t worry over thieves forcing me to access my phone, or cutting off my thumbs. It’s the hidden hackers I’m trying to beat. __________________ Pelican OOTP 2020-? ”Hard to believe, Harry.”

02-03-2023, 11:19 AM	#8
The Game Hall Of Famer Join Date: Feb 2012 Location: Inside The Game Posts: 30,937	"like password or 12345678" mine is 1234567890 its harder and people dont think to put 0 after 9. __________________ Go today don't wait for tomorrow It isn't promised, all the time you get borrowed Don't live your life for other people Don't bottle your emotions till they crack and fill a couple just sorrows Take your mind and refocus go get a paper write your goals out Throw your middle fingers to all your haters "Stay Strong"

10-12-2023, 11:00 AM	#10
Patsy Tebeau All Star Starter Join Date: Aug 2023 Location: Wilkes-Barre, PA Posts: 1,031	Who has enough free time to care enough to hack someone's ootp forum account lol __________________ They say follow your heart Follow it through But how can you When you're split in two?

02-21-2024, 12:25 AM	#14
oothomas Bat Boy Join Date: Feb 2024 Posts: 10	I'm also a long-time fan of Bitwarden, until I start to experience some bugs. I am now using the free version of Proton Pass, and I am pretty happy with it.

07-18-2024, 10:42 AM	#15
kq76 Global Moderator Join Date: Nov 2002 Posts: 11,695	Recently I became aware of sim swap scams (it didn't happen to me, it just appeared in my youtube feed) and how they make MFA or 2FA not as safe as we once thought. Anyway, if you don't know about them, I highly recommend you look into them. I watched multiple videos on the topic and the best by far was, surprisingly, this one by a librarian. __________________ My OOTP Wishlist \| My FAQ List OOTP Wiki \| Your Recommended Team Nicknames, By City (A Crowdsourced Project)

07-18-2024, 01:22 PM	#18
kq76 Global Moderator Join Date: Nov 2002 Posts: 11,695	I should also point out that just this morning a regular user who was hacked a while ago got their account back. We unbanned it and deleted the posts that were made by the hacker. I don't want to out them in case they might be embarrassed by it. But yeah, if anyone doesn't think this happens, it definitely does. __________________ My OOTP Wishlist \| My FAQ List OOTP Wiki \| Your Recommended Team Nicknames, By City (A Crowdsourced Project)

07-19-2024, 08:26 PM	#20
kq76 Global Moderator Join Date: Nov 2002 Posts: 11,695	Well, the thing about sim swap scams that scares me more than most is you don't even have to do anything stupid or fall for anything, the scammer simply needs to convince the phone company that they're you and that you got a new phone, theirs. Now yeah, they still need to be able to answer some private info questions, but how hard is that really? I remember at least one time I was on the phone with my bank trying to prove I was me and I couldn't remember the answers to their questions, but they lead me to the answer. Afterwards I thought to myself, "well, I'm glad I got this resolved, but they probably shouldn't have okayed me". I'd think that a phone company employee might be even less strict than a bank one. Hopefully they're all being trained well enough on this. __________________ My OOTP Wishlist \| My FAQ List OOTP Wiki \| Your Recommended Team Nicknames, By City (A Crowdsourced Project)