Old Accounts Getting Hacked

Devor · Aug 28, 2024

Many of you have seen the threads already, but there's been a rush of posts from old but valid accounts posting spam. Some of them were still stopped by our spam filters, and some we had to delete manually.

Although we call this hacking, most likely they are matching emails and passwords that were leaked from other big site hacks. Many people use the same password for multiple accounts, so when an email and password combo are leaked in one place, scammers know there's a good chance that combination will work in other places.

So while we look into ways to address this issue, we advise everyone to please change your passwords. There are also places online where you can check which passwords have been publicly connected to your email. And finally, this incident highlights why it's always good advice to use a unique password, but it's an absolute must for your email account, followed by your google, facebook, apple, microsoft and bank accounts. Long multiword passwords (dogcatfrogtoad) are more effective, but most of the time they use info from big hack leaks or they trick people into entering their information in the wrong place.

Please report any spam. And stay safe online, folks.

pmmg · Aug 28, 2024

How Secure Is My Password? | Password Strength Checker

Not that everyone has not heard the rules for passwords before, but a tool like the above can show how hard to crack a password really is.

Prince of Spires · Aug 29, 2024

Also, there's this: Password Strength

Thanks for letting us know. I hadn't noticed them yet.

pmmg · Aug 29, 2024

Yes, that was an argument I had at my last company, and was shot down. All those crazy characters really add nothing to the security. Cause most passwrods are 'cracked' because they were leaked, in which case the password is known, or it is brute forced, in which case, the attacking computer just tries every key combination anyway--it does not care what the keys are.

A password like: %$@ewe3 will get cracked in like 3 seconds, where as a password like: MARYhadalittlelamb will take 4 trillion years. (which is all fine and dandy until quantum computing comes on line, and even that will get cracked in like 3 seconds

)

Its better to use password phrases and make them long. Mixing up characters does not hurt, it will thwart a dictionary attack, so stick a number of weird character on the end.

Oddly, the cyber industry, which knows this to be true, still cannot convince the corporate world to adopt it. The reason being, no one wants to be the corporation getting sued for a leak and have to go before congress and say, we were using this newer lessor known password policy. Thats a road to liability for them.

skip.knox · Aug 29, 2024

>most passwrods are 'cracked' because they were leaked,

Yep. And yep also for long passwords. But when I have 50+ passwords to manage, even the long password thing is a challenge. That's where a good pw manager helps. Not only does it generate a long pw, I can set it to remind me to change passwords every 90 days or so. Yes it's a hassle.

pmmg · Aug 29, 2024

There is actually no good reason to change a password every 90 days unless you have reason to believe its been leaked.

Changing password frequently has been shown to lead to higher likelihood of them getting leaked.

From the NIST guidelines:

Frequency of Password Changes

Contrary to popular belief and prior standards, NIST does not suggest frequent password changes (example: every 60 or 90 days); individuals who are asked to change passwords frequently are much more likely to reuse an old password and merely append a number, letter, or special character to the end of it. Professional hackers know this trick and are savvy enough to predict minor changes. Plus, if a previous password has already been compromised, any derivations of that password, even if additional characters are added or modified, are more easily breached in the future.

NIST recommends that businesses enforce password expiration and password resets only when a known compromise has occurred, or every 365 days. The shift to longer password life is intended to encourage users to generate longer passwords that are harder to crack.

Devor · Aug 29, 2024

pmmg said:
Changing password frequently has been shown to lead to higher likelihood of them getting leaked.

I didn't know that. Some places force you to change passwords and it's a pain in the butt that doesn't even help? Geesh.

Although, if Skip's using a password manager, then it should avoid the human-related reasons they're more likely to leak, I should think.

pmmg · Aug 29, 2024

Yep....

The average business or corp will have a policy like:

One strange character
One number or captial letter
min 8 characters
change every 90 days
remember last 8 password.

NIST, who made that standard has reversed course on it, and even the guy who made it up 20 or so years ago has publicly recanted it and said he was wrong.

Their newer standard is long password phrases, and don't change them.

Course....now the standard is 2 factor for anything important. IF MS could implement 2 factor for any account unused in the last year, that would stop all the spammers.

I cited NIST at my last company, and they shot me down. They said....

One strange character
One number or captial letter
min 8 characters
change every 90 days
remember last 8 password.

Annoys the crap out of everyone, and weakens and not strengthens protection. This type of policy leads to ppl keeping little sticky notes under their keyboards, or passwords like qwer1234.

pmmg · Aug 29, 2024

The issue with password managers, and its not a terrible concern, is that everything is stored in one place. They crack the manager, they crack everything. Plus its also counter to convenience.

That's the terrible thing with security. Its always a fight between convenience and security. Its always a fight between people complaining cause the process sucks, and things getting leaked.

And...there is no such thing as security really. There is only making it harder. The only way to have security is not be online at all.

skip.knox · Aug 29, 2024

Well, that recommendation acknowledges that changing passwords is a good idea; it merely suggests a less-frequent schedule (12 months versus 3 months). Moreover, the underlying argument is that users tend to re-use passwords. That's a reasonable observation for a large or random group of users, but it doesn't necessarily hold for an individual user, who might consciously avoid re-use of passwords. Those same pw management programs can enforce or remind you of re-used passwords. Finally, some organizations enforce non-reuse, though the algorithms can be gamed.

I don't entirely disagree with the quoted advice; I only raise contingent points to say there's some nuance to advice.

skip.knox · Aug 29, 2024

>everything is stored in one place
It's not the cracking that makes me nervous, it's me. I lose that one device or otherwise have trouble (e.g., botching the master pw), and now I've created a real headache for myself. It hasn't ever happened, but I can be fiendishly clever at being inept.

Here's another angle on pw management. I sign up at sites, then sooner or later decide I'm not interested. I just stop using the site, but my account is still there and the login information is still in my pw manager. I'm aware of this just now because I'm making myself do some clean up. It feels like a waste of hours, but I have way more passwords than I'm using and that feels foolish.

Still working on finding a fantasy writing angle to this thread. <grin>

pmmg · Aug 29, 2024

I've got a ton of logons on sites I dont visit anymore as well. I wish I could go kill them all, but...that would mean spending a day of a few days going and cleaning them all up. It is a pain.

Mostly, I look at them and decide...meh...if that got hacked, I dont care.

I hate to say, but I do think a day is coming soon when AI takes over the password problem, and we wont have to fuss with it anymore. One day, we will have an encryption chip implanted in our brain and it will just be our key to everything. --till it gets compromised

I have a password manager and stopped using it. It was just easier to reset my password when I forgot then to figure out how to get back into the password manager.

Prince of Spires · Aug 30, 2024

I actually find using a password manager a lot more convenient than not using one. I only have to remember 1 single password, and I can sign-in everywhere without reusing a password. Passwords can be as long or short as they need to be, and if some site has some weird extra password rule, then complying with it is easy.

I don't even need to remember if I have an account somewhere or not. The password manager does that for me. If I end up on a log-in screen, it simply fills in any details for me it has and logs me in. I would recommend it to anyone.

Old Accounts Getting Hacked

Devor

Fiery Keeper of the Hat

pmmg

Myth Weaver

Prince of Spires

Istar

pmmg

Myth Weaver

skip.knox

toujours gai, archie

pmmg

Myth Weaver

Frequency of Password Changes

Devor

Fiery Keeper of the Hat

pmmg

Myth Weaver

pmmg

Myth Weaver

skip.knox

toujours gai, archie

skip.knox

toujours gai, archie

pmmg

Myth Weaver

Prince of Spires

Istar

Old Accounts Getting Hacked

Fiery Keeper of the Hat

Myth Weaver

Istar

Myth Weaver

toujours gai, archie

Myth Weaver

Frequency of Password Changes​

Fiery Keeper of the Hat

Myth Weaver

Myth Weaver

toujours gai, archie

toujours gai, archie

Myth Weaver

Istar

Frequency of Password Changes