Password Security

I have just had an incident with PayPal where someone got hold of £1000 from my bank and PayPal accounts through my PayPal account; I am currently waiting on PayPal to sort it out.

I had been changing my PayPal password once every three months with a randomly typed 16-character password, other passwords less frequently. Is there any software out there that

1. will go on a USB stick.
2. can automatically change your passwords for you at a user-specified interval, by logging into user-specified accounts for you and filling in a random new password.
3. will autofill your passwords when you want to access a site while the USB stick is in the computer.
 
What you are asking for there would be less secure than what you are doing now.
What if you lose the USB stick?
 
Point taken, it's just that I use quite a lot of passwords, and changing them and keeping a list seems a bit of a pain in the butt when I could have it automated, especially when what seemed like a very secure method of protection still ended up with me potentially losing £1000.
 
To be quite honest, it sounds like you are already following a secure password routine. I think you should be asking how they managed to get into the account. Do you have security questions that are easy to guess? Have you run a thorough scan on your PC to ensure nothing is logging your passwords?
 
They don't guess your password or brute-force PayPal. Such passwords are gained through keyloggers and phishing.
Strong passwords are a good thing, definitely for anything on a local machine. The thing is, online I don't think they're a lot of help unless a site's database is compromised and you have a very basic one that can be looked up in a reverse hash DB or succumbs to an attack quickly. 99.99% of the time it's phishing or keyloggers, though.
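The "reverse hash DB" point above is worth seeing concretely. The following is an added example, not code from this thread: it contrasts the storage scheme that makes table lookup work (a bare, fast, unsalted MD5 digest of a common password) with the scheme a careful site uses (a random per-user salt plus a slow key derivation), so that the same precomputed table tells an attacker nothing even when the password is weak. The password list and the 16-character sample password are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Constructed sample list standing in for the common-password wordlists
# that precomputed "reverse hash" tables are built from.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "iloveyou"]


def unsalted_md5(password: str) -> str:
    """Storage scheme of a weak site: a bare, fast, unsalted MD5 digest."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def build_reverse_table(candidates) -> Dict[str, str]:
    """Precompute digest -> password once; the same table works against
    every breached database that stores unsalted MD5."""
    return {unsalted_md5(p): p for p in candidates}


def lookup(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Reverse a stored digest by table lookup, or None if it is not present."""
    return table.get(stored_digest)


def salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                  iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    """Storage scheme of a careful site: random 16-byte per-user salt plus a
    deliberately slow key derivation (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def verify_pbkdf2(password: str, salt: bytes, iterations: int, digest: bytes) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def salted_table_hit(password: str, table: Dict[str, str]) -> bool:
    """Can a precomputed MD5 table say anything about a salted PBKDF2 record?
    It cannot: the salt makes the stored value unrelated to any precomputed digest."""
    _, _, digest = salted_pbkdf2(password)
    return digest.hex() in table


if __name__ == "__main__":
    table = build_reverse_table(COMMON_PASSWORDS)
    print("unsalted 'letmein' ->", lookup(unsalted_md5("letmein"), table))
    print("unsalted random 16-char ->", lookup(unsalted_md5("Xq7!vL2#pR9m$tW4"), table))
    print("salted 'letmein' found in table? ->", salted_table_hit("letmein", table))
```

Note that the salt does not have to be secret; it only has to be unique per record so that each stored value needs its own work, and the iteration count is what makes that work expensive. Run it twice and the two salted digests of the same password differ, which is exactly why a precomputed table is useless against them.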
 
I was advised that if you "have" to log on to a site connected with money on someone else's computer to use the On-Screen Keyboard

Start/Run/osk

Would that help? Or would that be insecure too?
 
PayPal are refunding; it took me a while to get it out of the person I was talking to, but the same 'send to' account was used for multiple thefts.

I use Spybot and MS Security Essentials, have run a check, and there's no sign of malware.

As of yesterday I am now using KeePass from a USB stick that I only plug in when I need a password.

PayPal says the only way they could have done what they did is by having my user password, and that it was, as suggested, obtained through phishing, keylogging or visiting a questionable site, but I am very conscious of not using the same user account on the computer for banking as I do for visiting potentially 'questionable sites' :D
 
24-hour turnaround: it's back in my account. I only reported it yesterday and was quoted 2 weeks originally. I am impressed with PayPal for now.
 
There seems to be loads of this happening.

A person at work had his PayPal account hacked, and it's one he never uses at all.

He used a very strong password and again checked his computer at home and he was clean.

I wonder if they are getting the passwords elsewhere? Maybe internal?
 
That's the most likely place for it to occur.

I just added another layer of security for my PayPal account, as I do need one.

I have an old bank account that I never closed; it only has £10 in it, so that is the account I have linked to PayPal.

If I need to send money I do a transfer from my main account to the one for PayPal and make the purchase straight away.

If I need to receive money, as soon as I have it I transfer it to the main account.
 
I had an issue with PP account access a few years ago. My main account somehow became compromised. I tried changing passwords several times, double-checked for viruses/malware, and I already didn't log on from public computers. No matter what, somehow someone kept getting access.
Closed that account and made a new one - no problems since. *touch wood*
Still don't know why there were so many problems one after another.

Some keyloggers will take a screen grab when there is a mouse click, so using OSK is more secure but still not 100%. It does at least need a software keylogger, so there's perhaps more chance of AV picking it up.
 
I was advised that if you "have" to log on to a site connected with money on someone else's computer to use the On-Screen Keyboard

Start/Run/osk

Would that help? Or would that be insecure too?

Keyloggers pick it up the same as a regular keyboard.
 
Wow, scary stuff. I've just changed my PayPal password and started using KeePass! Seems quite a good system with Dropbox and the Android app.

Another step I started a few days ago is using Google 2-step authentication on my mobile. I'm always concerned that my email is the weak point: if someone got into that they could probably get into anything, and sometimes it's necessary to sign in on kiosk machines etc.
 
Slightly off topic, but one thing I wish websites like PayPal, banks etc. would give you is the option to say you only want to be able to log in (or at least log in with full access) from one particular IP address. If you use a family member's or friend's computer to log in, then you only get basic access, which is just an overview, or even nothing at all until you either answer additional questions or get a text with a PIN etc. This would mean that hackers in, say, Spain can't log in if they steal your password.

Really shocked they don't have anything like this.
 
IP addresses change, so that isn't really practical. A good solution seems to be smartphone apps which generate one-time passwords for your logon session. Quite easy to do.
 