Buyer Beware

futo

New member
I've noticed quite a few people claiming to have their accounts hacked and the malicious user is actively scamming the for sale board. I posted on a questionable thread and the thread was immediately deleted. Wanted to make sure the word got out.
 

Outside somewhere

Overland certified public figure brand ambassador
Was it the one where the buyer wanted to buy from someone who was upside down in their vehicle and pay by EFT? Noticed that one went missing.
 

adam88

Explorer
A list of passwords was released to every single user on many forums including this one. I don't think expeditionportal admins did anything about it, so it's very easy to take over anyone's account and post stuff.
 

dwh

Tail-End Charlie
Hackers hack. Sometimes they hack databases and sometimes get people's logins and passwords (along with names, addresses, birthdates, phone numbers, mother's maiden names, etc. ad nauseam).

Since most people are lazy knuckleheads, they use the same passwords - and login names - on every forum, blog, email, YouGoogleTube, TwitFace, bank and pr0n account.

So when the hackers hack some site, they've now got some knucklehead's login/password for every site.

Hackers generally target big sites, so they can get account data for MILLIONS or BILLIONS (with a B) of knuckleheads.

Then they either sell it, or just give it away by posting it for all the other hackers to use.

Which they certainly do.

https://m.theregister.co.uk/2016/12/19/yourii_hackedii_yahooii_accountii_isii_worthii_00003ii/

This site doesn't have to get hacked for some shady character with very little skill to hijack someone's account. Getting that info from somewhere else will work 90% of the time.



I'm a lazy bastard, but NOT when it comes to passwords. Having spent 12 years as a network engineer and IT consultant with clients like AT&T, Consolidated Edison and Kaiser Permanente - and having root/admin passwords to a lot of heavy iron networks and backbone routers - when it comes to passwords I'm a certified card-carrying fanatic. I have clinically diagnosed "Password OCD". :)

I used to have to write my own password generators and manually encrypt/decrypt the files where I stored password lists. But no more. There are quite a few "password manager" apps out there now.

I don't use the password managers that store the encrypted password file "on the cloud". This is because I thoroughly understand cloud systems and I don't trust them as far as I can throw them. Hell, I read about some cloud system getting hacked on what seems like a weekly basis.

https://m.theregister.co.uk/2017/07/18/dow_jones_index_of_customers_not_prices_leaks_from_aws_repo/




The password manager I'm using these days is 'Enpass':

https://www.enpass.io/

It's free for up to 20 login/passwords. More than that and you pay. But it's cheap.

It can automatically generate truly monstrous passwords that will give even NSA code-breaking supercomputers fits. Or, if you want to be a knucklehead, you can just manually enter in a password of your own choosing.

It stores the encrypted database file with the login/pass data locally, not on the cloud. So it works even if you can't connect to some cloud somewhere.

It has the option to backup the encrypted database file to Google Drive, Dropbox, or whatever. That's good, because they have ported the app (translated the programming code) to damned near every platform, so it's easy to sync my phone, Windows box, Linux box and whatever so they all have the same master password list when I open up Enpass on whatever device.

It's super easy to just open up Enpass (master password of your own choosing required), then copy the login/password to the clipboard and paste to the login screen of ExPo, online banking or whatever. That's important, since no one, not even a mutant brainiac like me can remember a monster password. (Well... RainMan could probably do it. I can't.)


Listen to these words of wisdom my friends; they were carved on silicon tablets by the net.gods:

"NEVER USE THE SAME PASSWORD IN TWO DIFFERENT PLACES! IF YOU DO, THE NET.GODS WILL SEND NET.DAEMONS TO PUNISH YOU FOR YOUR SIN!"
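The two things the post above asks a password manager to do, generate passwords nobody can remember and make sure no password is used in two places, are easy to check for yourself. The following is an added example, not Enpass's code and not part of the original post: it draws passwords from the OS CSPRNG (secrets, never the random module), reports how many bits of entropy a given length buys, and audits a vault export for reuse. The vault contents, the site names and the alphabet are constructed assumptions for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# 94 printable ASCII symbols (no space). The alphabet is an assumption;
# narrow it if a site rejects some punctuation, and recheck entropy_bits.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a password drawn uniformly from `alphabet` using the OS CSPRNG.

    secrets.choice is backed by os.urandom; random.choice is a Mersenne
    Twister and is predictable from a few observed outputs.
    """
    if length < 12:
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly random password of `length` over `alphabet`."""
    return length * math.log2(len(set(alphabet)))


def find_reused_passwords(vault):
    """Audit a vault export for reuse.

    `vault` is an iterable of (site, username, password) tuples. Returns a
    dict mapping each reused password to the list of sites that share it;
    an empty dict means every site has its own password.
    """
    sites_by_password = defaultdict(list)
    for site, _username, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


# Constructed sample vault (not real accounts): one password is reused
# between a forum and the e-mail account that can reset every other login.
SAMPLE_VAULT = [
    ("expeditionportal", "knucklehead", "Hunter2!"),
    ("gmail", "knucklehead@example.com", "Hunter2!"),
    ("bank", "knucklehead", generate_password(32)),
]


if __name__ == "__main__":
    print("new password:", generate_password(24), f"({entropy_bits(24):.1f} bits)")
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"REUSED on {', '.join(sites)}: change it everywhere")
```

A 24-character password over this alphabet is about 157 bits, which is well beyond anything brute force reaches; the practical risk in the sample vault is not the strength of "Hunter2!" but that one breach of the forum hands an attacker the mailbox, and the mailbox hands them everything else.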
 

Roaddude

Long time off-grid vanlife adventurist
Hackers hack. Sometimes they hack databases and sometimes get people's logins and passwords (along with names, addresses, birthdates, phone numbers, mother's maiden names, etc. ad nauseum).

...

Wicked good info, much appreciated.

I've been keeping my own coded pwd list, locally, for years with different pwds for every site, with great success. But it's become cumbersome, so I'll give Enpass a try.
 

adam88

Explorer
"NEVER USE THE SAME PASSWORD IN TWO DIFFERENT PLACES! IF YOU DO, THE NET.GODS WILL SEND NET.DAEMONS TO PUNISH YOU FOR YOUR SIN!"

Most importantly, use two step login, especially for email. It makes hacking gmail almost impossible because even if they got your password they would need to 1) Obtain your cell phone, or 2) Know your phone # and somehow hack your phone... highly unlikely unless maybe you're the President.

The problem I have with things like Enpass is I don't understand how they work. What happens if I want to access expeditionportal on a library computer? I won't know the password. So then what do I do, login to enpass at the library? If there's a "master password" that you know and must type in, then you are naturally exposed to keyloggers, aren't you? Does it matter if all your passwords are super encrypted if you still need 1 master password that you must manually type in at different areas? Maybe I just don't understand :)
 
I use Keepass. It's completely free and cross platform.

I'm of two minds on 2FA. It's certainly better than having a single password used across multiple sites. But I'm concerned about the reliance on SMS for the second factor. It has become nearly trivial to intercept and reroute SMS messages to steal those codes. You don't have to be a president-level target anymore. I certainly won't use SMS for authentication to my bank.

There are cases where I think a strong, unique password is better than 2FA with SMS.
 

adam88

Explorer
I use Keepass. It's completely free and cross platform.

I'm of two minds on 2FA. It's certainly better than having a single password used across multiple sites. But I'm concerned about the reliance on SMS for the second factor. It has become nearly trivial to intercept and reroute SMS messages to steal those codes. You don't have to be a president-level target anymore. I certainly won't use SMS for authentication to my bank.

There are cases where I think a strong, unique password is better than 2FA with SMS.

2 step login does not rely on SMS. You can select to have a phone call instead. It can be made to either a landline or cell phone.
 

dwh

Tail-End Charlie
What happens if I want to access expeditionportal on a library computer? I won't know the password. So then what do I do, login to enpass at the library?

You open the Enpass app on your phone, type the master password in on your phone to unlock/open the Enpass app, select the ExPo entry in Enpass, click the little eyeball icon next to the *********** password so you can read it, and then manually type the password into the ExPo login screen on the library computer while reading it off your phone.


If there's a "master password" that you know and must type in, then you are naturally exposed to keyloggers, aren't you?

Only if you've got a keylogger on your phone. Or on your computer if you've installed the app on your computer.

If there is no keylogger on your phone, but there is on the library computer, then they'll get your ExPo password when you type it in. They won't get the password that unlocks Enpass on your phone.


Does it matter if all your passwords are super encrypted if you still need 1 master password that you must manually type in at different areas?

You install the app on your phone. Or computer. Or tablet. The only time you type in your master password is to unlock/open the app on your device so you can access your login/pass list.

Enpass doesn't need the Internet at all except as a place to store an encrypted backup of your login/pass list (which you can also use to make sure the Enpass installed on your phone has the same list as the Enpass installed on your computer).

It's installed and runs locally. Your master unlock password never goes onto the net. You can use a different unlock password for the one you installed on your phone than the one installed on your computer. The master password is local and only used to unlock the locally installed program (app).


(I lost count of how many times I used the word "local" in this post. :) )
 

dwh

Tail-End Charlie
You can use a different unlock password for the one you installed on your phone than the one installed on your computer.

Um...hang on. I can't swear to that. I just realized that I haven't actually tested it. I AM using the same unlock password on all the copies of Enpass I have installed on my various machines.

Told ya...lazy bastard.
 

ripperj

Explorer
Um...hang on. I can't swear to that. I just realized that I haven't actually tested it. I AM using the same unlock password on all the copies of Enpass I have installed on my various machines.

Told ya...lazy bastard.

Enpass123 ???? :)

 
