Provider Hacking and Your Passwords

in #security, 7 years ago

You have probably heard of the Equifax breach.

I posted an article with instructions on how to protect yourself by placing a credit freeze on your credit file here.

You can read about it here or here.

To me, it's a great example of why we need cryptos and the blockchain. With a blockchain-based system, instead of Equifax holding and storing all your data, all it would hold is your public key along with your credit-related transactions. That's all the hackers could have gotten. The rest would be stored encrypted on the blockchain, and only you, with your private key, could decrypt those details.

Just imagine, a completely trustless system. Sure, some people won't like it, especially those who aren't trustworthy, but it would eliminate a good portion of fraud and identity theft.

I'm sure it'll take a while, but there are projects working in that direction.

Anyway, back to the topic at hand: what the hackers got was not your password, because Equifax collects your information without you ever creating an account. The lenders you do business with share your data with the credit bureaus under the agreements you sign with them, and that's what makes it legally binding.

But the point is, you can cancel all your credit cards and get new ones, but you can't erase the trail of your addresses or your social security number, and a password would not have protected you in this case. In the case of the Home Depot hack, I do believe passwords were retrieved.

But what you CAN do is protect yourself online. Your e-mail account is the most important one, because it receives all kinds of personal information, and because password resets for most of your other accounts go through it: whoever controls your e-mail can take over those accounts too.

Your passwords are, oftentimes, the only thing protecting you from hackers.

And how easy is it to hack a password? It can be very easy.

Here's an article to put things in perspective.

In summary, it says: "Hackers crack 16-character passwords in less than an HOUR."

It talks about the different ways hackers crack passwords, and mentions a computer cluster that can make 350 billion guesses per second against your password.

Now, in the example above, the crackers were working from a stolen database of stored password hashes, so it's a special case: an offline attack, where nothing limits the guessing rate except hardware. If a hacker is just trying to log in to your e-mail from the outside, it's a different attack: every guess has to go to the provider's server, which can throttle the attempts or lock the account after a few failures. When you create an account, a properly run vendor does not store your password itself but a salted hash of it (not an "encrypted" copy; a hash can't be reversed, only guessed against), so neither they nor a hacker can read it directly. But if that hash database leaks, the only thing standing between the attacker and your password is how hard it is to guess, so you had better have a hard-to-crack password.
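To put the 350-billion-guesses-per-second figure in perspective, here is an added example (not code from the original post) that works out the worst-case time to exhaust the password space for the sample passwords used later in this post, first against a raw fast hash and then against a salted, deliberately slow hash of the kind a well-run server should store. The 600,000-iteration PBKDF2 count and the assumption that one slow-hash guess costs "iterations" fast-hash guesses are both modelling assumptions for the demo, not measurements.

```python
"""Added example: offline-cracking arithmetic and salted slow hashing.

Not from the original post. GPU_RATE is the figure quoted in the article
above; PBKDF2_ITERATIONS and the cost model are assumptions for the demo.
"""
import hashlib
import hmac
import os
import string

GPU_RATE = 350e9  # guesses per second quoted above (raw NTLM on a GPU cluster)

# Character classes a password can draw from.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def alphabet_size(password):
    """Size of the class mix the password actually uses; an attacker who
    knows the policy does not bother with characters outside it."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def keyspace(password):
    """Candidates an exhaustive attacker must try in the worst case."""
    return alphabet_size(password) ** len(password)


def seconds_to_exhaust(space, rate=GPU_RATE, cost=1):
    """Worst-case time to try every candidate. `cost` is the number of
    underlying hash operations one guess needs: 1 for a raw fast hash,
    `iterations` for PBKDF2 (a rough model: it ignores that SHA-256 is
    itself slower than NTLM's MD4)."""
    return space * cost / rate


# Assumption for the demo: a commonly recommended count for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000


def store_password(password, salt=None):
    """What a well-run server keeps: a random per-user salt plus a slow hash,
    never the password and never a reversible 'encrypted' copy."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive and compare in constant time (no early-exit on mismatch)."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def report(password):
    space = keyspace(password)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "keyspace": space,
        "raw_hash_seconds": seconds_to_exhaust(space),
        "pbkdf2_seconds": seconds_to_exhaust(space, cost=PBKDF2_ITERATIONS),
    }


if __name__ == "__main__":
    for pw in ("password", "Apr!l221973", "Th3M0nnth0fAapr1l@1426pm"):
        r = report(pw)
        print(f"{pw!r}: {r['length']} chars over {r['alphabet']} symbols -> "
              f"raw hash {r['raw_hash_seconds']:.3g} s, "
              f"PBKDF2 {r['pbkdf2_seconds']:.3g} s worst case")
    salt, digest = store_password("Th3M0nnth0fAapr1l@1426pm")
    print("verify correct:", verify_password("Th3M0nnth0fAapr1l@1426pm", salt, digest))
    print("verify wrong:  ", verify_password("password", salt, digest))
```

The point of the two columns: an 8-letter lower-case password falls in under a second against a raw hash, and the slow hash only stretches that to days; it is length and alphabet size that push the number past the age of the universe. The hash function is the server's job, the length is yours.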

So, your password is VERY important.

There are different ways to determine password strength, and I won't go into the technical details here. But here are some rules of thumb to guide you in creating a strong password you can remember.

  1. Common dictionary words are easy to crack. Instead, you can use foreign words, replace letters with special characters or numbers, or double consonants or vowels: "S0me3thingL1keTh!sF0r1nstance!" or "#Schwartzzhund267@M31nnFr3und". Be aware, though, that the usual swaps (o to 0, e to 3, i to 1, a to @) are built into every cracking tool's rule set, so they add far less strength than they appear to; length and unpredictability matter more.

  2. Shorter passwords are easier to crack. String 3 or 4 words together into a phrase of sorts, so it's easy to remember. So, instead of "password" or "Apr!l221973", do something like "Th3M0nnth0fAapr1l@1426pm".

  3. Don't pick something that could be easily tied to you. If it's known that you speak German, don't pick German words, or at least use a bastardized version of the word(s). Don't pick any recognizable dates, like your birthday, your kids' birthdays, or your spouse's. If you need a date, pick something obscure that can't be linked to you.

  4. Don't use the same password for everything. If hackers crack one of your passwords, they'll try it on every other account they can find out you have (this is called credential stuffing). And if your username is your e-mail, they already have an in. Obviously, it's hard to remember a different password for every single website (which is the safest option, and what a password manager is for), so you could have categories of passwords (which still isn't great, because one leak compromises the entire category), or you can incorporate a word that reminds you of that service and add it to your "standard password." For example, if your base password is "S0me3thingL1keTh!sF0r1nstance!", you can add "M0n3y$" to it for your bank's password = "S0me3thingL1keTh!sF0r1nstance!M0n3y$", whereas for your e-mail it could be something like "T@lkS0me3thingL1keTh!sF0r1nstance!". Bear in mind that anyone who sees one of these leaked in plain text can spot the shared base and guess the rest, so the per-site part is a convenience, not real protection.

  5. Make your financial passwords the hardest to crack.

  6. If you have a safe, you can keep a written record of your passwords in it, along with the private keys for your cryptos (or the seed phrases for your wallets).
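As an added example that is not part of the original post, here is a small checker that applies rules 1 to 4 above the way a cracker's rule set would see the password: it undoes the common letter swaps and doubled letters, looks for words (the word list is a tiny constructed one for the demo; real crackers carry millions of entries in many languages), spots four-digit years, and measures how much two passwords share so you can see what an attacker learns about your bank password from a leaked e-mail password.

```python
"""Added example: see a password the way a rule-based cracker does.

Not from the original post. WORDLIST is a constructed demo list; the leet
table covers only the substitutions used in the post's own examples.
"""
import re
from difflib import SequenceMatcher

# Constructed mini word list for the demo (English plus a little German).
WORDLIST = {
    "something", "like", "this", "for", "instance", "password", "the",
    "month", "april", "hund", "mein", "freund", "money", "talk",
}

# Letter-for-symbol swaps that every cracking rule set already undoes.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Undo leet swaps, lower-case, collapse doubled letters, drop symbols."""
    text = password.translate(LEET).lower()
    text = re.sub(r"([a-z])\1", r"\1", text)
    return re.sub(r"[^a-z]", "", text)


def dictionary_words(password, min_len=3):
    """Greedy longest-first scan for word-list entries in the normalized form."""
    text = normalize(password)
    found, i = [], 0
    while i < len(text):
        match = next((text[i:j] for j in range(len(text), i + min_len - 1, -1)
                      if text[i:j] in WORDLIST), None)
        if match:
            found.append(match)
            i += len(match)
        else:
            i += 1
    return found


def years_in(password):
    """Four-digit years (1900-2099) hiding among the digits: rule 3's dates."""
    digits = re.sub(r"\D", "", password)
    return re.findall(r"(?:19|20)\d{2}", digits)


def shared_base(p1, p2, min_len=8):
    """Longest run two passwords share. If one leaks, the other is a few
    guesses away when both are built on the same base (rule 4's weakness)."""
    m = SequenceMatcher(None, p1, p2, autojunk=False).find_longest_match(
        0, len(p1), 0, len(p2))
    return p1[m.a:m.a + m.size] if m.size >= min_len else ""


def assess(password, min_length=12):
    """Return a list of findings; an empty list means none of these checks fired."""
    findings = []
    if len(password) < min_length:
        findings.append(f"only {len(password)} characters (rule 2)")
    words = dictionary_words(password)
    if words:
        findings.append("dictionary words once substitutions are undone: "
                        + ", ".join(words) + " (rules 1 and 3)")
    years = years_in(password)
    if years:
        findings.append("contains what looks like a year: "
                        + ", ".join(years) + " (rule 3)")
    return findings


if __name__ == "__main__":
    for pw in ("Apr!l221973", "S0me3thingL1keTh!sF0r1nstance!",
               "#Schwartzzhund267@M31nnFr3und", "Th3M0nnth0fAapr1l@1426pm"):
        print(pw, "->", assess(pw) or ["no findings"])
    print("shared base:", shared_base("S0me3thingL1keTh!sF0r1nstance!M0n3y$",
                                      "T@lkS0me3thingL1keTh!sF0r1nstance!"))
```

Note what the checker reports for the post's own examples: once the swaps are undone, "S0me3thingL1keTh!sF0r1nstance!" is just "something like this for instance", and the two rule-4 variants share the whole 30-character base. The long phrase is still far better than "Apr!l221973", but the strength comes from its length and the number of words, not from the digits and symbols.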

Now, a couple of other things you can do are:

  1. If the website lets you pick a username, use that instead of your e-mail. Your e-mail address can be harvested from your web browser's autofill data, and it often gets sold off to marketing lists. If hackers have that, they already have a starting point for getting into your account. If your username is very different from your e-mail, you've put up another barrier.

  2. If the website offers Two-Factor Authentication (2FA), use it! An authenticator app or a hardware key is better than a code sent by SMS, which can be intercepted by someone who takes over your phone number.

  3. Use a browser like Firefox or Iron (I don't like Google Chrome because they have a lot of code to spy on you), but on top of that, install the following add-ons (I'll go into more detail on this in another post):
    a) uBlock Origin
    b) HTTPS Everywhere (since retired; current browsers have a built-in HTTPS-only mode that does the same job)
    c) Privacy Badger

  4. If you're very concerned about privacy (e.g. you're an author researching unsavory stuff for your next book) then you should use the Tor Browser.

  5. Don't click on links in your e-mail. It's easy to make a link appear legitimate while it actually points to a malicious site: hover over it and check the real destination before you click. The add-ons described above can help protect you from known malicious sites, including "official" sites you didn't know could give you spyware, tracking cookies, etc. If you're certain the source is safe, and you're expecting the e-mail, then fine. Just be careful.

  6. Install anti-malware software like Spybot Search & Destroy.

  7. Make sure you have an anti-virus, at least a free one like Avast Home. If you don't mind paying for one, I like NOD32 by ESET.

  8. Don't keep sensitive information on your phone, including your passwords. Phones are easily lost or stolen, and are easy to hack.
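The link trick in point 5 can be checked mechanically. Here is an added example (not from the original post) that pulls every link out of an HTML e-mail body and flags the two classic deceptions: link text that shows one address while the href goes somewhere else, and destinations that are not on the domain the e-mail claims to come from. The sample e-mail body and the domains in it are constructed for the demo.

```python
"""Added example: flag deceptive links in an HTML e-mail.

Not from the original post. SAMPLE_EMAIL_HTML and every domain in it are
constructed for the demo; the "registrable domain" helper is deliberately
naive (last two labels) and is enough for example.com-style names only.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one text/href mismatch, one lookalike domain.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="https://www.example-bank.com/login">log in</a>.</p>
<p>Or verify here:
<a href="http://example-bank.com.verify-account.example.net/login">https://www.example-bank.com/verify</a></p>
<p>Secure portal: <a href="https://example-bank-secure.com/">Example Bank secure portal</a></p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL, tolerating bare 'www.example.com/path' text."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Naive registrable domain: the last two labels."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}", re.I)


def suspicious_links(html, expected_domain):
    """Return [(href, visible_text, [reasons])] for links worth not clicking."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if registrable(target) != expected_domain:
            reasons.append(f"points off-domain to {target}")
        if LOOKS_LIKE_URL.match(text) and host_of(text) != target:
            reasons.append(f"text shows {host_of(text)} but href goes to {target}")
        if any(label.startswith("xn--") for label in target.split(".")):
            reasons.append("internationalized (punycode) hostname, check for lookalike letters")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL_HTML, "example-bank.com"):
        print(f"{text!r} -> {href}")
        for reason in reasons:
            print("   ", reason)
```

The second link is the one the post warns about: the visible text is a perfectly good-looking bank URL, but the href lands on example.net, with the bank's name used as a subdomain to fool a quick glance at the status bar. Hovering shows the same thing the code sees; the code just refuses to be distracted by the text.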

Anyway, this is turning out longer than I wanted. I will be writing other articles to go into more detail about all this, but I do hope you find it useful. You should treat your crypto passwords the same way.

And as always, thank you for sharing your Light with me :)

Sign up on Coinbase here, and we both get $10.
Sign up for Kraken here
Sign up for Gemini here

Earn up to 40% passive income on your cryptos:
Sign up on BitConnect here, to give me credit
Sign up on Control-Finance here, to give me credit
Sign up on USI-Tech here, to give me credit

Or feel free to shower me with cryptos:
Bitcoin: 12Npj8xAAKnf7EJxZStgeecpniE1pbSvcd
Ether: 0x2636538545ebbcea63fd47af1d4fe3e27f5c3936
Dash: XjGWDB7twAHiN9jk3RUmcQRHq6FxvHvYJu
Litecoin: LN4DeZwJDgTbcaXoBXatrGq2JaXVfkMdi5
ZCash: t1fwHkzXfNGCDV19Xq9esWkCRLcCQFcDddN
And Doge, just because it's Doge: D7wuTkhicw2P2vwKx49RXJ9dhVJoXJoKTQ


Whoa, tons of good info! I'm looking for a good password storing software so I don't have to copy and paste my bigger passwords. I've recently heard copying and pasting is bad. But storing my passwords in a program seems sketchy too!

Do you have any thoughts on that?

Also, I'm pretty sure everything from "Sign up for Coinbase" and down is what they're talking about. There's a lot of "to give me credit" and I bet that's what's flagging the bot. Maybe if you take that out they'll stop hounding you.
(Haha, schwartzhund, hounding...)

I keep my passwords in a text file with an obscure name, compressed and encrypted using 7Zip -- that way I just need to remember one embarrassingly large password.
