
Have you been hacked?


Comments

  • 400ixl
    400ixl Posts: 4,482 Forumite
    1,000 Posts Third Anniversary Name Dropper
    robatwork said:
    400ixl said:
    Ideally you will use a unique email address for every site and a unique complex password for each site as well.

    You would need a password manager to achieve this as the normal human could not remember the passwords without writing them down.

    Passwords would be complex such as ^wXFm#G8*eYtpUJa2hus and 4S&e%kEa$R$tTW!xH^7h

    Try remembering 50+ of those and which website they belong to. 
    Sigh - you really don't need a 20 character password. If you're using a password manager then a crazy length doesn't matter so much, but there may be the odd occasion you need to type this into a phone (or shout to your partner across the room) and a 12 character (random) password with symbols is more than enough if you're not holding the nuclear football.


    15 years ago 8 characters was deemed enough, now it is absolute minimum with 12-14 being enough. It won't be that much longer that compute power will mean 12 is the minimum.

    Sigh as much as you like, but 20 is a decent number to future proof yourself. You can use less if you want and sometimes I will if it is a password to share with no value to be lost such as streaming services.

    Using a password manager makes it no different if you use 12, 20 or 40 character passwords as it creates them for you and enters them for you as well. Personally I share very very few passwords with anyone else so it makes no difference. If I do need to exchange them with family members it is all done within a secure vault anyway, so they never have to type them in.
  • phillw
    phillw Posts: 5,665 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    RG2015 said:
    So up to date anti virus software and not ever clicking on an email link will keep all of my personal data on my hard drive and in the cloud safe. 
    You should assume that anything you store in the cloud can be read by someone. It might not be readable by everyone and finding your files would be like a needle in a haystack. But it's possible.
  • phillw
    phillw Posts: 5,665 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    400ixl said:
    robatwork said:
    400ixl said:
    Ideally you will use a unique email address for every site and a unique complex password for each site as well.

    You would need a password manager to achieve this as the normal human could not remember the passwords without writing them down.

    Passwords would be complex such as ^wXFm#G8*eYtpUJa2hus and 4S&e%kEa$R$tTW!xH^7h

    Try remembering 50+ of those and which website they belong to. 
    Sigh - you really don't need a 20 character password. If you're using a password manager then a crazy length doesn't matter so much, but there may be the odd occasion you need to type this into a phone (or shout to your partner across the room) and a 12 character (random) password with symbols is more than enough if you're not holding the nuclear football.


    15 years ago 8 characters was deemed enough, now it is absolute minimum with 12-14 being enough. It won't be that much longer that compute power will mean 12 is the minimum.

    Sigh as much as you like, but 20 is a decent number to future proof yourself. You can use less if you want and sometimes I will if it is a password to share with no value to be lost such as streaming services.

    Using a password manager makes it no different if you use 12, 20 or 40 character passwords as it creates them for you and enters them for you as well. Personally I share very very few passwords with anyone else so it makes no difference. If I do need to exchange them with family members it is all done within a secure vault anyway, so they never have to type them in.
    If the site has decent security then long passwords aren't necessary. If they are allowing people to bruteforce passwords then you have bigger issues. Long passwords are more important for local data that they would have physical access to, as that can be brute forced.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    phillw said:
    400ixl said:
    robatwork said:
    400ixl said:
    Ideally you will use a unique email address for every site and a unique complex password for each site as well.

    You would need a password manager to achieve this as the normal human could not remember the passwords without writing them down.

    Passwords would be complex such as ^wXFm#G8*eYtpUJa2hus and 4S&e%kEa$R$tTW!xH^7h

    Try remembering 50+ of those and which website they belong to. 
    Sigh - you really don't need a 20 character password. If you're using a password manager then a crazy length doesn't matter so much, but there may be the odd occasion you need to type this into a phone (or shout to your partner across the room) and a 12 character (random) password with symbols is more than enough if you're not holding the nuclear football.


    15 years ago 8 characters was deemed enough, now it is absolute minimum with 12-14 being enough. It won't be that much longer that compute power will mean 12 is the minimum.

    Sigh as much as you like, but 20 is a decent number to future proof yourself. You can use less if you want and sometimes I will if it is a password to share with no value to be lost such as streaming services.

    Using a password manager makes it no different if you use 12, 20 or 40 character passwords as it creates them for you and enters them for you as well. Personally I share very very few passwords with anyone else so it makes no difference. If I do need to exchange them with family members it is all done within a secure vault anyway, so they never have to type them in.
    If the site has decent security then long passwords aren't necessary. If they are allowing people to bruteforce passwords then you have bigger issues. Long passwords are more important for local data that they would have physical access to, as that can be brute forced
    Unfortunately mere users can't tell how secure a site is behind the scenes, so using long passwords everywhere mitigates the risk.
  • RG2015
    RG2015 Posts: 6,054 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    Aside from the (possibly major) inconvenience, as long as I take reasonable security precautions, I assume the banks would reimburse me if I suffered any financial loss due to fraud.
  • km1500
    km1500 Posts: 2,790 Forumite
    1,000 Posts Second Anniversary Name Dropper
    maybe, maybe not.
  • Sea_Shell
    Sea_Shell Posts: 10,028 Forumite
    Tenth Anniversary 1,000 Posts Photogenic Name Dropper
    Is the risk more of an "institutional" hack, on a wide scale, rather than being targeted as an individual?

    So somewhere you have an account with, gets hacked, and they gain access to THEIR "copy" of your data.

    Especially when it comes to passwords, rather than phishing emails etc etc.
    How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)
  • phillw
    phillw Posts: 5,665 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 26 February 2023 at 1:44PM
    k_man said:
    Unfortunately mere users can't tell how secure a site is behind the scenes, so using long passwords everywhere mitigates the risk.
    If the site isn't secure, then the length of the password is irrelevant. It's like putting a ten digit combination lock on a tent.

    Any site that would allow the user to brute force their password & not just lock you out after 3 or 4 wrong attempts, is going to have so many issues that you should avoid using it entirely.

  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    phillw said:
    k_man said:
    Unfortunately mere users can't tell how secure a site is behind the scenes, so using long passwords everywhere mitigates the risk.
    If the site isn't secure, then the length of the password is irrelevant. It's like putting a ten digit combination lock on a tent.

    Any site that would allow the user to brute force their password & not just lock you out after 3 or 4 wrong attempts, is going to have so many issues that you should avoid using it entirely.

    As no one keeps a big list of which sites are secure and which aren't, all we can do as users is do our best.
    Usually we don't know the sites aren't secure until after a breach.

    The length of the password isn't irrelevant, as the longer the password, the longer a brute force attempt takes. So the longer password mitigates (or reduces), but doesn't remove the risk.

    Most brute force attacks are against compromised data from the back end of the system, not via the front door.

    E.g. the recent LastPass breach (which could have occurred at any other cloud based provider) means user data is vulnerable to offline brute force, as with any password encrypted dataset.

    The longer the password the longer the brute force will take.
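
The online versus offline brute-force distinction raised in the posts above, as an added worked example that is not part of any poster's message. It compares random 8, 12 and 20 character passwords under a front-door attack throttled by lockout and an offline attack on leaked data; both guess rates and the 15-minute lockout window are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Alphabet: letters, digits and punctuation (94 printable ASCII symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates (illustrative, not measurements):
#   online:  3 attempts, then a 15-minute lockout
#   offline: 1e10 guesses/second against a fast, unsalted hash
ONLINE_RATE = 3 / (15 * 60)
OFFLINE_RATE = 1e10


def generate(length: int) -> str:
    """Random password drawn uniformly from ALPHABET using the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_crack(length: int, guesses_per_second: float) -> float:
    """Expected years to find the password: half the keyspace on average."""
    keyspace = len(ALPHABET) ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def compare(lengths=(8, 12, 20)):
    """Rows of (length, bits, years online, years offline)."""
    return [
        (n, round(entropy_bits(n), 1),
         years_to_crack(n, ONLINE_RATE), years_to_crack(n, OFFLINE_RATE))
        for n in lengths
    ]


if __name__ == "__main__":
    print("sample 20-char password:", generate(20))
    for n, bits, online, offline in compare():
        print(f"{n:>2} chars  {bits:>6} bits  online {online:.1e} y  offline {offline:.1e} y")
```

Under these assumed rates the lockout makes even 8 random characters impractical to guess through the login page, while the same 8 characters fall in days once the attacker holds the data offline; a slow, salted password hash on the server side would lower the offline rate by several orders of magnitude.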
  • RG2015
    RG2015 Posts: 6,054 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    Re brute force attacks.

    I don’t understand why any website would not lock access after 3 failed password attempts.

    Resetting passwords is quite easy if you do forget.