Forum Compromise Data Revealed

Discussion in 'privacy problems' started by rrrh1, Mar 8, 2016.

  1. rrrh1

    rrrh1 Registered Member

    Joined:
    Sep 10, 2007
    Posts:
    202
    Got an email from a forum that I had forgotten I was even a member of today.
    They were compromised in November, apparently got the whole database.
    I had not logged in since 2013; changed my password today.
    How do most of the members here keep track of where you have logins for various things?
    I am sure there are places where I haven't been for an even longer time and have probably forgotten the login and/or user name / email.

    How often do you change your password?

    rrrh1
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I use KeePass. You can add expiration date. And add notes. And sort by creation date and whatever. I don't see a way to do last-date-used, however. I use a different password for each site. But I don't change them very often.
     
  3. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have kept various copies of passwords by typing them to WordPad and then either encrypt them with WinRAR or AxCrypt or put a few files in a tiny 5 MB TC container. Do you trust the encryption of KeePass?
     
  4. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    769
    Location:
    "Here on Wilders"
    I use RoboForm on computer (not cloud). I change the master password monthly. All other passwords to accounts I change a quarter of them every 3 months, so by the end of the year all account passwords are changed once and the master password is changed 12 times. Then I start all over again for the next year. :)
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,030
    I haven't researched it enough to have an opinion about that. But this is in a VM, on a LUKS host. So it's not a huge concern. I mostly like it because there's no remote storage.
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,509
    Location:
    Slovakia
    Hardly ever. If you have a good password, there is no need to change it, unless there was a breach or someone tried to log in (you will get notified).
    I use the same username and email all over the internet, even the same password for most webpages for years, it never failed me.
    But FB login is much more practical, you just click and you are logged in, you do not even have to use FB, just register an account.
    Obviously, for important webpages like PayPal and such I use KeePass and TCATO checked for each entry (disabled by default).
    I use AxCrypt as a backup file as well, but KeePass is more effective, since copy/paste is not exactly safe.
     
  7. deBoetie

    deBoetie Registered Member

    Joined:
    Aug 7, 2013
    Posts:
    1,150
    Location:
    UK
    I saw a reasonable technical review a while back which evaluated password managers and their databases:

    www.6nelweb.com/bio/papers/pwvault-ESORICS12-ext.pdf

    KeePass and PasswordSafe (Linux support only beta) did reasonably well. The password managers do attempt a bit more than simple copy/paste from encrypted containers in the sense of a) reducing clipboard exposure, b) hiding passwords to reduce exposure to screen scraping, c) reducing in-memory exposure of keys, and d) for KeePass on Windows, allowing password entry on secure desktop (which inhibits some KSL). None of the encryption utilities seem to support that.

    You can use 2FA on both (e.g. with Yubikey).

    For run-of-the-mill websites, I also use LastPass with 2FA. For banking, I use a clean Linux pendrive distro on USB, with a memorised password (not in any password manager), which is booted from a laptop using the boot selector. So, horses for courses.
     
    Last edited: Mar 21, 2016
  8. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,599
    Let me pass along what I believe is a relevant extension of this discussion. In candor, posts that are made on forums become semi-public. Let's use Wilders as my example since we are here reading along. Assuming that we connect as a unique pseudo-individual there really isn't much risk should an intruder secure access to our profiles/passwords, etc. Don't get me wrong, I don't intend to willingly allow it, just what TRUE harm would it be to me, the real name behind the pseudo? The emails, IPs, and such are dead ends.

    What could be a problem for many active and advanced members is access to their private messages. Many here develop friendships that evolve to way beyond the public scope of the forum website. There is in my case (and I am not alone) content of a highly private nature, which would be something I don't want out! To counteract that threat I find that use of PGP/GPG plugs this potential leak. Therefore I present for your consideration a thought that you start mitigating that risk accordingly, because it works well and does what it's intended to do.
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Thanks guys for all of the input. Much appreciated!
     