
How safe is encryption actually?


Comments

  • goodValue
    goodValue Posts: 475 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    Funnily enough, weak passwords are OK on financial sites, e.g. bank logins, as they restrict the number of incorrect attempts before locking you out.
    So for what type of websites would a strong password be appropriate?

    I can imagine there are some non-financial sites that you would put in sensitive information.


  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    Maybe social media?
  • goodValue
    goodValue Posts: 475 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    If websites adopted a 1 second (say) barrier to password re-entry, would this not put an end to brute force hacking?

  • goodValue
    goodValue Posts: 475 Forumite
    Tenth Anniversary 100 Posts Combo Breaker
    Olinda99 said:
    Maybe social media?
    I recently added 2FA to my email after a recommendation on this site.
    From this thread, it appears I will also need a strong password for it.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    goodValue said:
    Funnily enough, weak passwords are OK on financial sites, e.g. bank logins, as they restrict the number of incorrect attempts before locking you out.
    So for what type of websites would a strong password be appropriate?

    I can imagine there are some non-financial sites that you would put in sensitive information.


    Identifying which sites hold what could be sensitive information is the challenge.

    E.g. this site has been mentioned.
    If someone gets full access to your profile they have your email address (which is private from your username).
    Do this for a few non-critical sites (linked by email address, or other common info) and a simple profile of you is created.

    The site may be non-critical, you think, but maybe you send a DM to someone containing non-public info, or a private link, etc.

    Add these together, and someone could work out where you live, where you bank, when you are on holiday, your hobbies, your recent purchases, etc.

    What starts as non-critical can creep.
    Also, weak passwords are more likely to be reused, e.g. "this site doesn't matter, I'll reuse an old favourite."

    Whereas, if you use a password manager (the only realistic way of ensuring all passwords are unique and strong, for those sites that definitely do matter), then all sites can have strong unique passwords.
    Then you don't have to decide which sites matter and which don't.

    A blog on this subject (albeit from a password manager), which, although it looks like it, I didn't read before posting the above!

    https://www.stickypassword.com/blog/is-every-site-and-online-account-worth-a-strong-password-3135



    Is every site and online account worth a strong password?
    ....
    people asking why they even need a strong password on sites that “aren’t important.”

    ....

    The problem when assigning value to anything is that value is subjective. Value is in the eye of the beholder. What’s valuable to me may not be valuable to you. An online account that isn’t valuable to you may be valuable to a hacker – even if the information he or she gleans from the account is incomplete.

    Identity theft is about putting together enough pieces of your ‘life’ to pass oneself off as you.

    So, while we are thinking about the value of a piece of information on a supposedly unimportant website (for example, the books you took out of the library, or maybe an old address, or even what college you went to), the bad guys are thinking about completing the puzzle of our entire identities (where we live, our financial records, medical records, credit info, education, children and family members, and on and on) from all the pieces they collect.


    ...

    your security is like a chain. Even one or a few weak links make for a weak chain. Encouraging people to make a subjective decision like

    [ ] this site deserves a strong password

    [ ] this site doesn’t deserve a strong password

    in the rush of creating a password is not a good idea. It undermines security, and leads to bad decisions and bad practices:

    ....
    When you get down to it, you're either practicing security or you're not. So cut it out with the shortcuts and trying to justify bad passwords on unimportant sites.

  • goodValue said:
    Olinda99 said:
    Maybe social media?
    I recently added 2FA to my email after a recommendation on this site.
    From this thread, it appears I will also need a strong password for it.
    Yes, your email account should be top of your list for a complex password and 2FA - it is the gateway to password resets for all your other accounts. If somebody gains access to your email they can request a forgotten-password link for almost all websites and off they go.

    But as per the other post above, once in the habit of complex passwords with a password manager, it is just as easy to set a complex and unique password for every account.
  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 9 July 2022 at 7:38PM
    goodValue said:
    If websites adopted a 1 second (say) barrier to password re-entry, would this not put an end to brute force hacking?

    They generally do and decent websites will usually ban IP addresses that are repeatedly trying passwords without success.

    Brute force tends to be an offline attack though and it is actually not the most likely way somebody will be hacked. Here's most likely ways:

    1. Phishing that somehow gets you to enter credentials into a spoofed website or download malware that captures your passwords. Worst case is you use that password elsewhere and you have just opened up all your other accounts - 67% of people use the same password on different sites.

    This is where browser-integrated password managers help - they only provide the password for the correct site, so if you are on a spoofed site it will not offer your password.

    Having 2FA and unique passwords for all websites minimises the risk if you fall for a phishing attack.

    2. Social engineering - posing as technical support / employer / friend / family through email / phone / social media etc and coercing details from you. You and your wits are the only defence against this.

    3. Brute force / dictionary attacks - usually done offline. These occur when a website has been hacked and the "hashed" passwords are stolen. A hash is a non-reversible mathematical formula that changes your password into a number. It cannot be used to directly access your account, but if a hacker knows the mathematical hash formula they can carry out a brute force attack offline by trying different passwords until they hit the right hash code. One or sometimes more passwords will result in the correct hash code - once they match the hash they know your password, or a password that results in the correct hash, and can access your account.

    Dictionary attacks make it quicker; most people use common words and names, so they don't have to try every single possible password. Typical vocabulary is just 8,000 words. 25% of people use common ones like Password123. 60% use family / pet names or birthdays.

    Some websites use the same formula to generate the hash, so a list of known passwords with hashes can instantly be matched up without a brute force - so called "rainbow tables". This is why a complex and unique password is important as it is unlikely to appear on that rainbow table.

    My point of view is putting myself in that 10% of users that are the hardest to compromise / crack. I'm not 100% secure but many times more secure than 90% of internet users.
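An added illustration of the hashing point made in the post above (this is example code, not from any poster or from the forum): two users who pick the same weak password get identical unsalted hashes, which a precomputed lookup table matches instantly, whereas a per-user random salt plus a deliberately slow hash (PBKDF2-HMAC-SHA256 here) makes that table useless. The wordlist, user names and passwords are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed wordlist for the demo; stands in for the "typical vocabulary" mentioned above.
SMALL_DICTIONARY = ["password", "letmein", "Password123", "fluffy", "summer2022"]


def unsalted_hash(password):
    """Plain SHA-256 of the password: same input always gives the same output."""
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    """Unsalted hash -> word, built once and reusable against any site using the same formula."""
    return {unsalted_hash(w): w for w in words}


def lookup_unsalted(stored_hash, table):
    """Instant match: a leaked unsalted hash is simply looked up, no guessing needed."""
    return table.get(stored_hash)


def salted_hash(password, salt=None, iterations=100_000):
    """Random 16-byte salt per user plus PBKDF2; production iteration counts are higher."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_hash(password, salt, iterations)
    return hmac.compare_digest(candidate, digest)


def demo():
    table = precomputed_table(SMALL_DICTIONARY)
    # Two constructed users ("alice", "bob") chose the same weak password.
    alice_plain, bob_plain = unsalted_hash("Password123"), unsalted_hash("Password123")
    # Salted storage: each user gets a fresh salt, so the digests differ.
    alice_salt, alice_digest = salted_hash("Password123")
    _, bob_digest = salted_hash("Password123")
    return {
        "same_unsalted": alice_plain == bob_plain,          # True: identical, so one lookup covers both
        "recovered": lookup_unsalted(alice_plain, table),   # "Password123": table hit
        "same_salted": alice_digest == bob_digest,          # False: salts differ
        "in_table": alice_digest.hex() in table,            # False: precomputed table is useless
        "verify_ok": verify_salted("Password123", alice_salt, alice_digest),
        "verify_bad": verify_salted("Password124", alice_salt, alice_digest),
    }
```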
  • Olinda99
    Olinda99 Posts: 2,042 Forumite
    1,000 Posts Third Anniversary Name Dropper
    A lot of it is common sense

    Do I care if hackers get the password to my 'how to rebuild a motorcycle engine' forum? Well, maybe, but it's not the end of the world.

    How about Amazon, eBay? More damage could be done there for sure.

    Email is the pinnacle - access your email account they can reset every password you own.
  • [Deleted User]
    [Deleted User] Posts: 0 Newbie
    Fifth Anniversary 1,000 Posts Name Dropper Photogenic
    edited 9 July 2022 at 7:49PM
    Olinda99 said:

    Do I care if hackers get the password to my 'how to rebuild a motorcycle engine' forum? Well, maybe, but it's not the end of the world.


    You should though, it isn't just about yourself, it is other people you need to consider.

    What if the hacker gets into your rebuildamotorbikeforum.com and discovers you are in private correspondence with people and regularly sell motorbike parts? You are trusted and known to other users. The hacker could then pretend to be you and coerce somebody into sending money to the hacker under the pretence of buying another motorbike part off you.

    Besides, if you have hundreds of minor accounts like that with unique passwords you will never remember them all, so they may as well be complex and stored in a password manager. If they aren't unique then you have a hell of a job on your hands when that password gets out.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    As above, there is no good reason to choose to use weak passwords, anywhere.