I Was Hacked.

Rroff · 14 Oct 2021 at 18:56

dLockers said:
This is why complex passwords are totally and utterly flawed anyway.

Even in this day and age there are sites where the backend doesn't use a particularly strong password system i.e. limited length hash where multiple passwords will match. Bit less usual these days but I know some still do.

I find 2FA a pain in the rear, every site seems to have a slightly different implementation and while the security from other people is much higher so is the chance of locking yourself out of your account forever.

Russinating said:
Please tell me that doesn't mean it's written down on a scrap bit of paper in your wallet or desk drawer.

With 2FA systems you often have to store back up codes somewhere as well... (well you don't strictly have to but it is a good idea to have a copy of them).

mrk · 14 Oct 2021 at 19:05

Might I add that everyone sign up to https://haveibeenpwned.com - You will get an email any time your details are contained in any breach on any platform where the data reaches the outside world.

tyler_jrb · 14 Oct 2021 at 19:07

Russinating said:
What do you mean it's handwritten??

Please tell me that doesn't mean it's written down on a scrap bit of paper in your wallet or desk drawer.

Its locked away safely and means literally nothing to anyone but me

.

mrk · 14 Oct 2021 at 19:10

Also a recommendation for storing passwords/backup codes and other personal details. I keep them in a password protected OneNote file. This is synced to my MS account (coud be on Google Drive/DropBOx etc too or whatever else you use) so I can get to it on my phone if needed or if my computer dies etc. If someone gets into your files then they cannot access the data in the file as it's encrypted. You could use a spreadsheet etc too but I find OneNote far nicer to format everything in a consistent way and makes pasting in scanned documents like passport copies etc easier too. My entire paper filing system is digital for pretty much everything all within one OneNote.

The_Arbiter · 14 Oct 2021 at 19:16

Good to hear no one lost money.

As we're on the subject of security, what's actually feasible with regards to PC physical security? PC gets stolen, that's your drives gone. Is the WIndows' login password actually secure?

mrk · 14 Oct 2021 at 19:21

The_Arbiter said:
Good to hear no one lost money.

As we're on the subject of security, what's actually feasible with regards to PC physical security? PC gets stolen, that's your drives gone. Is the WIndows' login password actually secure?

Windows login secures your account from being logged into and used as if it was you using it, but it doesn't stop someone connecting the drives to another PC and copying the data off it. This is where you can enable BitLocker to encrypt your drives at a drive partition level rather than the more time consuming and resource costly file level. Right click any drive (inc USB drives) in This PC and turn on Bitlocker. If some parts of your system don't meet min reqs then it will advise you on those and you can go from there.

A BitLocker encrypted drive is a paperweight to a thief. Just keep your recovery key safe as you will need it if your PC ever dies and you need to get back into your drives on another system.

mickyflinn · 14 Oct 2021 at 19:37

Zefan said:
Actually, nothing. The actions I took were with concern to profiteering

I recieved an email saying my email had changed but this was after the fact, would it be better an email linking to confirm the changes to account ? Extra layer of peotection.

Semple · 14 Oct 2021 at 20:33

mrk said:
Also a recommendation for storing passwords/backup codes and other personal details. I keep them in a password protected OneNote file. This is synced to my MS account (coud be on Google Drive/DropBOx etc too or whatever else you use) so I can get to it on my phone if needed or if my computer dies etc. If someone gets into your files then they cannot access the data in the file as it's encrypted. You could use a spreadsheet etc too but I find OneNote far nicer to format everything in a consistent way and makes pasting in scanned documents like passport copies etc easier too. My entire paper filing system is digital for pretty much everything all within one OneNote.

That's a lot of faff though. The big luxury with password managers is the auto fill.

mrk · 14 Oct 2021 at 20:37

Semple said:
That's a lot of faff though. The big luxury with password managers is the auto fill.

You can't store other details in a password manage though, just your passwords for accounts. Granted it is a few extra steps but you only need to set it up once, then anytime after it's just accessing like any other account/device/file. At least I know that all my details for anything meaningful whether digital or physical is stored in one place.

Autofill is great though yeah, but as mentioned it's just for passwords to log into apps and websites. I use Firefox on all devices so autofill is able to complete logon for apps on my pone, websites etc etc really easily.

Lmg80 · 14 Oct 2021 at 20:41

.Lethal said:
Ban em!

Why?

The_Arbiter · 14 Oct 2021 at 21:13

mrk said:
Windows login secures your account from being logged into and used as if it was you using it, but it doesn't stop someone connecting the drives to another PC and copying the data off it. This is where you can enable BitLocker to encrypt your drives at a drive partition level rather than the more time consuming and resource costly file level. Right click any drive (inc USB drives) in This PC and turn on Bitlocker. If some parts of your system don't meet min reqs then it will advise you on those and you can go from there.

A BitLocker encrypted drive is a paperweight to a thief. Just keep your recovery key safe as you will need it if your PC ever dies and you need to get back into your drives on another system.

Thanks! I'll get onto Bitlocker, and a quick look it sounds decent. I previously looked into encryption but never came across this as i was looking at encrypting drives on the hardware side, and quickly found out that wasn't really feasible for me.

Rainmaker · 14 Oct 2021 at 21:18

mrk said:
You can't store other details in a password manage though, just your passwords for accounts.

Wut? Bitwarden stores: my passwords, bank accounts, credit and debit cards (all with auto fill), 2FA/OTP codes, and the 'secure note' section can be filled with anything you like. I have my Bitlocker and luks passwords/codes in there, my recovery codes (saved in each domain's own record with the user/pass and OTP), encryption seed phrases for my e2e instant messengers, recovery seeds for my crypto wallets, software serials/keys, online banking PINs and login codes... You name it. If your password manager doesn't do all that and more, upgrade.

DXP55 · 14 Oct 2021 at 21:44

I use a password manager but for some reason I never used it on OCUK - so after reading the other thread it's now got a18 digit password.

Semple · 14 Oct 2021 at 22:36

mrk said:
You can't store other details in a password manage though, just your passwords for accounts.

You can store some things on there. I think a lot of services do offer some cloud storage. Granted you're not going to get loads on there - I use a bitlocker VHD for digitised everything.

Semple · 14 Oct 2021 at 22:40

Rainmaker said:
Wut? Bitwarden stores: my passwords, bank accounts, credit and debit cards (all with auto fill), 2FA/OTP codes, and the 'secure note' section can be filled with anything you like. I have my Bitlocker and luks passwords/codes in there, my recovery codes (saved in each domain's own record with the user/pass and OTP), encryption seed phrases for my e2e instant messengers, recovery seeds for my crypto wallets, software serials/keys, online banking PINs and login codes... You name it. If your password manager doesn't do all that and more, upgrade.

so basically if you lose that or its hacked, then you're ******

mrk · 14 Oct 2021 at 22:42

Rainmaker said:
Wut? Bitwarden stores: my passwords, bank accounts, credit and debit cards (all with auto fill), 2FA/OTP codes, and the 'secure note' section can be filled with anything you like. I have my Bitlocker and luks passwords/codes in there, my recovery codes (saved in each domain's own record with the user/pass and OTP), encryption seed phrases for my e2e instant messengers, recovery seeds for my crypto wallets, software serials/keys, online banking PINs and login codes... You name it. If your password manager doesn't do all that and more, upgrade.

Ah did not know of that app, only really hear people talk about Authy and the like! I choose specifically not to put total faith in one third party solution though. For example I know that Mozilla won't ever go under, well they could but it's highly unlikely. The same reason I know the MS Authenticator app will always be around and Firefox will always have a synchronised password/autofill system.

Quartz · 14 Oct 2021 at 23:38

I use Authy for 2fa and LastPass for passwords. I do need a way of having recovery codes available when I’m travelling. Suggestions? Having them on my iPad or phone isn’t a good idea.

Rainmaker · 15 Oct 2021 at 00:18

Semple said:
so basically if you lose that or its hacked, then you're ******

Haha. I'm not a moron, so I have backups of the database in three places (on-prem and off-prem); and good luck cracking AES256 with a 4096 bit key (seeded by a 30 character aA1& space password) further layered at-rest inside GPG crypt. I'll even give you a clue - it starts with '3'.

Deleted member 77746 · 15 Oct 2021 at 00:34

Semple said:
so basically if you lose that or its hacked, then you're ******

The same as stealing a book with hand notes of passwords, phone numbers, card information e.t.c to all online accounts.

Blackjack Davy · 15 Oct 2021 at 00:42

tyler_jrb said:
Its locked away safely and means literally nothing to anyone but me .

Until hackers find a way to reach through the internet out of your computer monitor to rifle through your paperwork I think people will be ok lol