Welcome to the Second Life Forums Archive


My account was hacked -horribly

Bagushii Kohime
Even your sig is about me
Join date: 6 May 2007
Posts: 44
12-09-2009 15:57
Well, which one is harder to hack: your note with all your passwords written on it, or the password vault program's encrypted database with all your passwords in it? If you need to recheck several of your passwords daily because they are impossibly complicated, I doubt you bother to hide the note away as carefully every time. And of course all auto-filling functions null both of the above methods.
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
12-09-2009 16:29
Actually I do sometimes leave my note on my desk............but not when someone is visiting. And when someone is visiting I know they are here........unlike someone sneaking in the backend of my network nosing around in my computer. As I said..............how are most (by a long shot) computers hacked? By someone looking over your shoulder? I think not.

That was my point........my method is as secure as any. Especially since my note taking is so haphazard, only I could know which site goes with which password.............hehe, sometimes I don't even know. Any security expert will tell you off computer storage of sensitive information is much more secure than on computer storage. Same rules for backing up data apply here. If it's on your computer it's likely some determined hacker will find it, copy it, use it. If it ain't there, they have to find my house, find my note, decipher my note, then pray they can get in my head to figure out what goes with what. :)
Brenda Connolly
Un United Avatar
Join date: 10 Jan 2007
Posts: 25,000
12-09-2009 16:36
From: LittleMe Jewell
Actually, it is Brenda's panties I've been stealing.
:D

I don't even bother locking them up anymore.
_____________________
Don't you ever try to look behind my eyes. You don't want to know what they have seen.

http://brenda-connolly.blogspot.com
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
12-09-2009 19:55
From: Peggy Paperdoll
Any security expert will tell you off computer storage of sensitive information is much more secure than on computer storage. Same rules for backing up data apply here.
Name one. I venture that no competent security expert would make any such sweeping statement. Backup data is a completely different subject, and the key is "off site", not "off computer".

From: someone
If it's on your computer it's likely some determined hacker will find it, copy it, use it. If it ain't there, they have to find my house, find my note, decipher my note, then pray they can get in my head to figure out what goes with what. :)
Programs like Password Corral (which I use and like) are good enough for personal and business use. I work at a company that's a big target for industrial espionage (60,000 employees, makes networking equipment) and takes security very seriously -- enough to make quite a nuisance of it, for stuff that's not related to national security. They provide Password Corral (which is no doubt equivalent in protection to the others mentioned above) for us to store our passwords, knowing that our computers will often be on unsecured networks.

Of course, it's still only as good as the master password.

Peggy, your system is probably good enough for your purposes, but I doubt it's what security experts recommend. Our company specifically mandates that passwords not be written down on paper. It may be my mistake, but I assume they've followed the research in this recommendation.

Even if you had 100 different accounts with different username/passwords, that would be a trivial problem for a hacker to sort out. It's far easier than numerically hacking your passwords. Far, far, far easier, by orders and orders of magnitude, assuming they don't need to figure all of them out. They'd only need a couple good ones to do serious damage.
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
12-09-2009 20:25
From: Lear Cale
Peggy, your system is probably good enough for your purposes, but I doubt it's what security experts recommend. Our company specifically mandates that passwords not be written down on paper. It may be my mistake, but I assume they've followed the research in this recommendation.


I don't give a rat's ass if you work for the DOD, Homeland Security, NSA, CIA, FBI..............I was talking about my computer sitting in my house on my street in my home town. My network consists of two (you know one finger on each hand?) computers. I deal with my security on my computer on my network. So, I'm impressed with your 60,000 users...........you got a job to do. You have 60,000 individuals who use your company's computers on your company's network.........you are tasked with securing them. You do not know every individual user of the computers on your network, consequently you cannot trust even one to observe what you and your company have for security. You're trying to tell me that your network security is comparable to a home network? Or more like I should treat my home network the same way you treat your company's network? I do not have a problem keeping my passwords secure........neither does the other person on this network. We both are fairly internet savvy.........we both know the dangers. We both keep our passwords secure.........as safe from hacking as we possibly can. A "password safe" will not be any more secure than the method both of us use...........our passwords are not centralized in one encrypted file box on our computers or network ("on site" if you insist). Tell me how any hacker can access my passwords on this computer if those passwords are not stored on this computer. If I get hacked and they find my password for SL........then they would find it if I had it stored "on site" too because they would have found it by a mistake I might make by checking the "remember me" box. A password safe would not protect me for that.

God, I just love the show offs here. Who the hell was talking about a commercial large corporation network? Not me. I simply outlined a way to create a hard to crack password and cautioned that it may be hard to remember for the first few times you use it.......I said write it down. Then get jumped by some smart ass telling me to basically automate it with some password creation/storage software. That is overkill...........and for my purpose (and most other people using SL) it's more a pain in the ass than a help. Nothing to gain.......one possible pitfall my method does not have. That being one location, one password to crack. Now I get a scolding from another smart ass about how much they know and how much we peons don't.

Thanks for the lecture........it was not appreciated. You know the old saying? Everyone loves a little ass. No one likes an asshole.
Osprey Therian
I want capslocklock
Join date: 6 Jul 2004
Posts: 5,049
12-09-2009 22:51
I don't think Lear was out of line in giving his thoughts, and I enjoy reading any posts that give honest opinions and ideas - yours, Lear's, and all the rest. It's natural that different people have different experiences to draw from, and I feel I benefit from reading a wide variety of posts. Let's not fight - you all bring valuable ideas to the table.
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
12-09-2009 22:54
From: Osprey Therian
I don't think Lear was out of line in giving his thoughts, and I enjoy reading any posts that give honest opinions and ideas - yours, Lear's, and all the rest. It's natural that different people have different experiences to draw from, and I feel I benefit from reading a wide variety of posts. Let's not fight - you all bring valuable ideas to the table.


Thanks Osprey.............I let my bad day get the best of me.

Sorry, Lear. I'm not usually so short tempered.
Rafe Phoenix
AKA Rafe Zessinthal
Join date: 15 Nov 2004
Posts: 490
12-09-2009 23:32
It's much easier for me to remember one complicated password that I make up myself and change on a regular basis than it would be for me to keep track of the sticky with 20 or 30 passwords that I change on a regular basis. That's the only reason I use a password generator that has one master password. It works for me.



ETA~I execute the program from a thumbdrive, the passwords do not stay on my computer. Wasn't that the original intention of thumbdrives to begin with? Sure someone can steal both of those thumbdrives and crack them or even just copy one of them without my knowledge. I'm sure that any determined hacker can get anyone's information if they target that individual. In general I think that most criminals (cyber and otherwise) go after the easier targets.
_____________________
Updated 12/16/09 Taunter Singing "The Rose" A Capella
http://www.youtube.com/watch?v=iYHYNM5H_QA
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
12-10-2009 06:30
From: Peggy Paperdoll
Thanks Osprey.............I let my bad day get the best of me.

Sorry, Lear. I'm not usually so short tempered.
No worries. Sorry I rattled your cage. I need to remember to tone it down myself.
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
12-10-2009 06:36
I read this tip in an investment magazine. (Sorta like a virgin reading Playboy.)

Pick 3 passwords that you use for all your accounts. Make them all good ones. This way, it's not hard to find the right one if you forget, and if one password gets compromised, at least you haven't lost everything.

The biggest difficulty with that is the rules for passwords keep changing, so I ended up with more than 3.

In any case, if you figure out my cat's name, I'll have to shoot you. ;-)
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
12-10-2009 06:41
From: Rafe Phoenix
In general I think that most criminals (cyber and otherwise) go after the easier targets.
The first rule of security is that it needs to be commensurate with the threat. Having too much is safe, but involves considerable expense and inconvenience. (Here, I'm talking about secure communications in general, not merely passwords. It boggles the mind how much effort goes into establishing the inverted pyramid of trust, to coin a phrase, and at the very bottom there's always some person trusting another person.)

The more value you're protecting, the more (effort and money) you have to spend to keep it secure, because the more your enemies are willing and able to spend to thwart you.

On that scale, most SL passwords are small spuds, and a post-it note might be all that's necessary. But for your own sake, choose a decent password.
Dawnee Swansong
A Simple Wench
Join date: 17 Jun 2009
Posts: 109
12-10-2009 09:28
From: Lear Cale


In any case, if you figure out my cat's name, I'll have to shoot you. ;-)


(Makes mental note: Lear Cale Tiddles)
Argent Stonecutter
Emergency Mustelid
Join date: 20 Sep 2005
Posts: 20,263
12-10-2009 10:20
Not Bigglesworth?
_____________________
Argent Stonecutter - http://globalcausalityviolation.blogspot.com/

"And now I'm going to show you something really cool."

Skyhook Station - http://xrl.us/skyhook23
Coonspiracy Store - http://xrl.us/coonstore
Rafe Phoenix
AKA Rafe Zessinthal
Join date: 15 Nov 2004
Posts: 490
12-10-2009 10:43
From: Lear Cale
The first rule of security is that it needs to be commensurate with the threat. Having too much is safe, but involves considerable expense and inconvenience. (Here, I'm talking about secure communications in general, not merely passwords. It boggles the mind how much effort goes into establishing the inverted pyramid of trust, to coin a phrase, and at the very bottom there's always some person trusting another person.)

The more value you're protecting, the more (effort and money) you have to spend to keep it secure, because the more your enemies are willing and able to spend to thwart you.

On that scale, most SL passwords are small spuds, and a post-it note might be all that's necessary. But for your own sake, choose a decent password.


True, we put a ton of personal information out there in all kinds of different ways. Your SL password might not mean much but how about someone like my father?

When my Dad died in I had to get onto his computer but it was password protected. It took me 45 minutes to guess his password but I did it lol well I finally guessed that it was the 'serial number' hand written on the water heater under his kitchen sink. Mostly because I knew him and his thinking patterns and ideas about 'secure passwords.' It turned out that his admin password was also for his AOL, BofA, gmail, paypal,... on and on. You crack one you crack them all.

It kind of ties in with an earlier post about a magazine recommending a minimum of 3 passwords.

I wonder how many people reading this thread are thinking of changing some passwords.
_____________________
Updated 12/16/09 Taunter Singing "The Rose" A Capella
http://www.youtube.com/watch?v=iYHYNM5H_QA
Oryx Tempel
Registered User
Join date: 8 Nov 2006
Posts: 7,663
12-10-2009 10:54
From: Rafe Phoenix


I wonder how many people reading this thread are thinking of changing some passwords.

Actually I just got to thinking that I'm probably past my 6-month mark. This thread is a good reminder. :)
Lear Cale
wordy bugger
Join date: 22 Aug 2007
Posts: 3,569
12-10-2009 11:58
From: Dawnee Swansong
(Makes mental note: Lear Cale Tiddles)
POW!
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
12-10-2009 14:06
Not to add any fuel to this good password, bad password topic. The computer I'm on right now is Windows based (Vista). Actually I should say the OS I'm using is Vista. My computer has two hard drives. One (the primary drive) is Vista. The other drive is my Linux OS. The only time my Linux ever sees the internet is for updates and when I do any financial business such as online banking, checking account balances, etc. When I use Linux for any other purpose (like GIMP) I disconnect it from the network..........I don't even check my email with that OS. All other activities (especially internet stuff) I use Vista......and there are no account numbers or personal information that would lead to any financial information about me on this drive. The closest any account information comes to being exposed to the internet is SL........my PayPal account which is set to only pay LL when billed. Any other requests will be held until I authorize them (and I only do that while using Linux).

I'm not paranoid about ID theft or someone having access to my money.......but I am careful. I do keep a constant watch for suspicious activities. And I do devise difficult to break passwords which are changed regularly. Yeah, sometimes it's a pain in the ass but not nearly so hard as it could be if I left all my money for the taking or my hard worked for credit rating. A determined hacker will defeat any security given enough time.....that I'm very much aware of. I doubt I would be a good target since I'm broke as a pauper but what little I do have I can't afford to have someone take it. So I take a little time and make a little effort to protect myself.
Dekka Raymaker
thinking very hard
Join date: 4 Feb 2007
Posts: 3,898
12-10-2009 15:37
Let's just get some perspective here, last week someone stole £8000 from my real life bank account, it happens, I discovered it within 6 hours, it was a transaction that was halted I'll get my money back! I'm pissed though!

When I worked for a large company, it was disclosed that 75% of theft about £14,000,000 was by staff members, it makes you wonder how much is stolen by bank employees???
Jenshae Werefox
T-ease
Join date: 3 Mar 2009
Posts: 376
12-10-2009 15:48
A nice little password format is:

smallword#CAPITALS[symbol]

Example:

flew5LIGHTYEARS*
Dekka Raymaker
thinking very hard
Join date: 4 Feb 2007
Posts: 3,898
12-10-2009 15:50
From: Jenshae Werefox
A nice little password format is:

smallword#CAPITALS[symbol]

Example:

flew5LIGHTYEARS*

hey that's my password! did you steal my £8000?
Jenshae Werefox
T-ease
Join date: 3 Mar 2009
Posts: 376
12-10-2009 15:58
It was a random example ;)

... but I wouldn't mind 8000 GBP.
Paladin Pinion
The other one of 10
Join date: 3 Aug 2007
Posts: 191
12-10-2009 16:12
Here's what I do. I have a macro program and I use it to store a sequence of random numbers, letters, and symbols. I also choose a single word that remains constant for all my passwords. When I need to create a new password, I choose a part of the web site name or service that I know I can pick out easily later. Then I combine them:

word + macro + site name segment

So if I'm on Google, I might choose "goo" as the site name portion. Let's say my constant word is "dagwood". I type "dagwood", hit my macro key which outputs something like "3%5kl498,/&#", and then type "GOO". My password for Google is now "dagwood3%5kl498,/&#GOO". I only have to remember my constant word, which doesn't change, and be able to pick out the portion of the site name when I next go there. I don't write these down.

When I want to change passwords, I change my constant word. Sometimes I change the macro too but not as often.

One reason I did it this way is because key loggers can't read the output from my macro. They may be able to capture "dagwood" and "GOO" but they can't figure out the symbols in between. This depends on your macro program not using simulated typing keystrokes, but rather using immediate text entry, which mine does. A key logger will only see my macro character, not the text it outputs.

And by the way, the order I gave above isn't the real one I use. :)
_____________________
Mote Particle Script Generator - easier and faster than any HUD
Also: Paladin's Sunbeam. Up at dawn, gone by dusk, day and night sounds, fully configurable
See more at: www.paladinpinion.com
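
The word + macro + site segment scheme from the post above, next to a keyed derivation (PBKDF2-HMAC-SHA256, a technique swapped in here that nobody in the thread uses), to measure how much of every other password a single plaintext leak reveals. This is an added example, not code from any poster. The second site segment "pay", the master secret and all function names are assumptions constructed for illustration.

```python
import base64
import hashlib
import os.path


def concat_password(word, macro, site_segment):
    """Scheme as described in the post: constant word + macro output + site segment."""
    return word + macro + site_segment.upper()


def derived_password(master_secret, site, length=20, iterations=200_000):
    """Alternative, not from the thread: derive each site's password with PBKDF2,
    using the site name as the salt, so outputs for different sites are unrelated."""
    raw = hashlib.pbkdf2_hmac(
        "sha256", master_secret.encode(), site.lower().encode(), iterations
    )
    # Base85 gives a printable mix of letters, digits and symbols.
    return base64.b85encode(raw).decode()[:length]


def shared_prefix_len(a, b):
    """Number of leading characters two passwords have in common."""
    return len(os.path.commonprefix([a, b]))


def exposure(passwords):
    """Assume the first password leaked in plaintext; return, for each of the
    others, the fraction of its characters that the leak already discloses."""
    leaked, *others = passwords
    return [shared_prefix_len(leaked, p) / len(p) for p in others]


if __name__ == "__main__":
    # Values from the post ("dagwood", the macro string, "goo") plus one
    # constructed second site segment ("pay").
    word, macro = "dagwood", "3%5kl498,/&#"
    concat = [concat_password(word, macro, s) for s in ("goo", "pay")]
    print("concatenation:", concat, exposure(concat))

    # Constructed master secret; the site names are only labels used as salt.
    master = "constructed master passphrase"
    derived = [derived_password(master, s) for s in ("google", "paypal")]
    print("derived:      ", derived, exposure(derived))
```

With the concatenation scheme, 19 of the 22 characters are identical across sites, so the per-site part is only the short site segment; the derived passwords share no meaningful prefix, but everything then depends on the master secret.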
Peggy Paperdoll
A Brat
Join date: 15 Apr 2006
Posts: 4,383
12-10-2009 16:21
Anyone checking my account looking for riches is going to be so disappointed......hell they may even feel sorry for me and leave me a bit :)