
Have you been hacked?


Comments

  • No I have never been hacked but the conversation about password managers etc is interesting and I may look into that. I use 2FA, face ID or touch ID and keep passwords in a protected document printed and in our safe. I like keeping things simple so the thought of numerous random characters for passwords sounds a nightmare. What happens if you use different devices? I don't tend to keep stuff in the cloud and I never open unknown links. Infuriates my friends and family who insist on sending me "funnies" by WhatsApp, email etc and I never open them.
    I’m a Forum Ambassador and I support the Forum Team on the Debt free Wannabe, Budgeting and Banking and Savings and Investment boards. If you need any help on these boards, do let me know. Please note that Ambassadors are not moderators. Any posts you spot in breach of the Forum Rules should be reported via the report button, or by emailing forumteam@moneysavingexpert.com. All views are my own and not the official line of MoneySavingExpert.

    The 365 Day 1p Challenge 2025 #1 £667.95/£301.35
    Save £12k in 2025 #1 £12000/£8000
  • Sea_Shell
    Sea_Shell Posts: 10,028 Forumite
    Tenth Anniversary 1,000 Posts Photogenic Name Dropper
    Don't worry, the AI bots will be gathering lots of useful information from this thread...filed away for future (mis)use. 😉
    How's it going, AKA, Nutwatch? - 12 month spends to date = 2.60% of current retirement "pot" (as at end May 2025)
  • phillw
    phillw Posts: 5,665 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 26 February 2023 at 3:54PM
    k_man said:
    The longer the password the longer the brute force will take.
    If they can do a brute force on your password, then they are already in to the site. If the site stores passwords in clear text (or the hackers are able to modify it so that it does) then the length is irrelevant.

    It's arguably more important you don't use the same combination of email and password on multiple sites (certainly use different ones for different levels of security). I use different emails for different things to ensure that.

  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    phillw said:
    k_man said:
    The longer the password the longer the brute force will take.
    If they can do a brute force on your password, then they are already in to the site. If the site stores passwords in clear text (or the hackers are able to modify it so that it does) then the length is irrelevant.

    It's arguably more important you don't use the same combination of email and password on multiple sites (certainly use different ones for different levels of security). I use different emails for different things to ensure that.

    Virtually all sites use some form of hashing for storing passwords (ideally salted too, to prevent precomputed hash tables being used).

    The use of longer (and non obvious/found in breach list) password just moves yours further down the list, and gives you time to do something in the meantime (assuming you are aware).

    I am not suggesting longer/stronger passwords remove the risk, just reduce it a little.

    Agree completely with your last point, most compromising of accounts is done via credential stuffing using previously leaked data.
    If users use commonly used passwords, or reuse very strong ones, they are effectively (well not quite) as secure as the least secure site they use.

    Using a unique password means any known breach should only require action for that site.

  • phillw
    phillw Posts: 5,665 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    edited 26 February 2023 at 5:18PM
    k_man said:
    Using a unique password means any known breach should only require action for that site.

    And if you're using unique passwords for each site, then you don't need to worry about brute forcing as they are already in. So you can avoid overly long passwords.
  • masonic
    masonic Posts: 27,292 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 26 February 2023 at 7:46PM
    RG2015 said:
    Re brute force attacks.

    I don’t understand why any website would not lock access after 3 failed password attempts.

    Resetting passwords is quite easy if you do forget.
    The issue isn't hackers trying to log in to the online site, it is if they manage to steal the password database.
    The actual passwords themselves should never be stored in a database, but the key derived from the user's password can be brute force attacked offline. In this scenario, it is the low-hanging fruit they will go for first, i.e. simple passwords. The aim is therefore to put yours beyond their focus.
    This is why re-using passwords is a really bad idea, as they can be obtained from a site with weak security you might not care much about, then used on a higher impact site.
    This information about general websites is of less relevance for banking, where better security standards are mandatory, including 2FA. Also, should a loss result from a bank losing control of login information, they have an FSCS-backed liability to you.
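The salted hashing and derived-key storage discussed in the posts above, as an added example that is not from any poster in this thread: it contrasts an unsalted fast hash with a salted, slow derivation (PBKDF2 from Python's standard library) and estimates how password length changes the time to exhaust every possibility. The function names, the iteration count and the guessing rate are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000        # assumed work factor, not taken from the thread
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast, unsalted hash
SECONDS_PER_YEAR = 365 * 24 * 3600


def unsalted_digest(password):
    """Weak storage: one fast hash, no salt. Same password gives same digest,
    so a precomputed table or one cracked entry covers every user who chose it."""
    return hashlib.sha256(password.encode()).digest()


def hash_password(password, salt=None):
    """Salted, deliberately slow derivation. Store (salt, key), never the password."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify_password(password, salt, key):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, key)


def exhaust_years(length, alphabet=62, rate=GUESSES_PER_SECOND):
    """Years to try every random password of this length at the assumed rate."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed sample: two accounts that chose the same password.
    pw = "correct horse battery"
    print("unsalted digests equal:", unsalted_digest(pw) == unsalted_digest(pw))
    (s1, k1), (s2, k2) = hash_password(pw), hash_password(pw)
    print("salted keys equal:     ", k1 == k2)
    print("login check passes:    ", verify_password(pw, s1, k1))
    for n in (8, 12, 16):
        print(f"{n} random chars: {exhaust_years(n):.3g} years to exhaust")
```

The estimate only applies to randomly generated passwords; a password that appears in a breach list falls to a dictionary long before the full keyspace is searched, whatever its length.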
  • masonic
    masonic Posts: 27,292 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    No I have never been hacked but the conversation about password managers etc is interesting and I may look into that. I use 2FA, face ID or touch ID and keep passwords in a protected document printed and in our safe. I like keeping things simple so the thought of numerous random characters for passwords sounds a nightmare. What happens if you use different devices? I don't tend to keep stuff in the cloud and I never open unknown links. Infuriates my friends and family who insist on sending me "funnies" by WhatsApp, email etc and I never open them.
    To use an offline password manager, it is just necessary to periodically send an updated password database to the relevant devices. You can do this over your own home local wifi network to avoid using cloud services. Not quite as convenient as using one of those online password managers, but there's always a trade-off between security and convenience.
  • RG2015
    RG2015 Posts: 6,055 Forumite
    Ninth Anniversary 1,000 Posts Name Dropper Photogenic
    It would appear that there is a massive gap in my knowledge of these things.
  • k_man
    k_man Posts: 1,636 Forumite
    1,000 Posts Second Anniversary Name Dropper
    phillw said:
    k_man said:
    Using a unique password means any known breach should only require action for that site.

    And if you're using unique passwords for each site, then you don't need to worry about brute forcing as they are already in. So you can avoid overly long passwords.
    They may only be into the credentials database, and then brute forcing (offline) to get logins to access backend systems.

    Most compromises are done via multiple steps often over days, weeks or even months.

    Longer passwords mean the account is less likely to be one of the first ones compromised.

    The longer password buys time while the breach is found and action taken.
  • MEM62
    MEM62 Posts: 5,322 Forumite
    Part of the Furniture 1,000 Posts Photogenic Name Dropper
    RG2015 said:
    Thanks.

    So up to date anti virus software and not ever clicking on an email link will keep all of my personal data on my hard drive and in the cloud safe. 
    Antivirus will never trump common sense as an effective tool for keeping data safe.  