WARNING

Status
Not open for further replies.


I lost my email address once too but got it back after a few days of talking with AdWords support (it was a Gmail address).

I've not been a big fan of webmail of any kind, although I have not used any extensively. I've liked the idea of keeping it all on my drives and backing up the archives to CD.

I see a lot of people here use Gmail. What is the advantage of Gmail over, say, the mail servers that come with your hosting? I guess if the mail's not here the FBI can't get it off my hard drive, huh?
 
KeePass+Flashdrive is probably as safe as you're going to get.
As for always losing it, get one of the ones that has a keyring on it and stick it with your car keys. How often do you misplace your car keys, after all?

What day is it?
 
Change your passwords for email, PayPal, bank account, etc. ... anything important, on a regular basis. And make the passwords RANDOM!

I just got my Yahoo, Gmail, PayPal and bank account hacked and now I'm officially in debt with no way of verifying anything because my email addresses don't exist.

For my 9-5 job I am a developer/analyst in internet banking and I see this stuff a fair bit. I doubt very much it was a Yahoo hack unless all the pwned accounts tie back to the same Yahoo email, and even then, in those circumstances, it would have to be a targeted attack against you, as in the large scheme of things professional hackers don't go to those sorts of lengths very often (all the systems are automated).

More than likely (and I would bet the farm), your PC got a trojan on it which your AV hasn't detected yet. Also, you don't need to visit warez sites, download porn, etc. to get done; it was only a couple of weeks ago that the businessweek.com website was serving up malware.

I would suggest that for all business-related stuff you use an email that points to a domain you own rather than a Gmail or Yahoo account, and even then always set up a secondary email on those accounts pointing back to your domain email (which you can use as evidence when contacting them).

Also, assume every single password you have is owned (FTP, email, etc.) and change them all.

Next, for everybody touting 'secure password keeper software': it doesn't matter a shit. Most trojans capture keystrokes and form data (in addition to password stores on PCs), so essentially, whilst it might be safe, as soon as you go to use it on an infected PC you are owned.
 
Next, for everybody touting 'secure password keeper software': it doesn't matter a shit. Most trojans capture keystrokes and form data (in addition to password stores on PCs), so essentially, whilst it might be safe, as soon as you go to use it on an infected PC you are owned.

With KeePass you don't keep entering your password though. The malware would have to record your clipboard to catch these, which I realize is not hard to do, but that is an extra measure.
 
With KeePass you don't keep entering your password though. The malware would have to record your clipboard to catch these, which I realize is not hard to do, but that is an extra measure.

This is true, but it only stops the key-logging portion of the trojan. Most trojans remain dormant until you visit a URL which has been configured in the trojan to make it switch on. It then records everything it can.

Therefore, consider this:
1. I have a trojan that is set to start recording when it encounters the following domain (https://login.yahoo.com/)
2. I visit the domain, the trojan starts logging and I copy and paste my password in with KeePass.
3. When I click submit to log in to Yahoo, this is the data that is sent across in the request for access (which is picked up by 98% of trojans these days).

https://login.yahoo.com/config/login?

POST /config/login? HTTP/1.1
Host: login.yahoo.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: https://login.yahoo.com/config/login_verify2?.intl=au&.src=ym
Cookie: B=1vff4qd4cp73p&b=3&s=4m
Content-Type: application/x-www-form-urlencoded
Content-Length: 319

.tries=1&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=au&.bypass=&.partner=&.u=cj0n1ih4d3c9b&.v=0&.challenge=B0u0V0KOLVIbFWYMWm7JLPqmsGuA&.yplus=&.emailCode=&pkg=&stepid=&.ev=&hasMsgr=0&.chkP=Y&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%3D0%26c%3D%26ivt%3D%26sg%3D&login=blackhat&passwd=thishasbeencopyiedandpastedin
Notice the items in bold? This is my username and password, in the clear and logged, game over. What's worse is that when the hacker parses this data to get the credentials they only need to look for the strings 'login=' & 'passwd=' to get my details.

Kinda sad really :(
 
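The parsing step the post above describes, as an added example that is not part of the original thread: a form grabber (or an analyst looking at the same captured traffic) only has to split the raw HTTP request at the blank line, URL-decode the body, and pick out the credential fields. The request embedded below is the one quoted above, trimmed to the headers that matter and used here as constructed sample input; the lists of likely username/password field names are an assumption for the example.

```python
"""
Added example, not from the original thread: parse a captured HTTP POST
request the way a form-grabbing trojan (or a traffic analyst) would, and
pull the login/passwd fields out of the URL-encoded body.
"""
from urllib.parse import parse_qs

# Constructed sample: the captured Yahoo login request quoted in the post
# above, reduced to the request line, a few headers and the form body.
CAPTURED_REQUEST = (
    "POST /config/login? HTTP/1.1\r\n"
    "Host: login.yahoo.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: B=1vff4qd4cp73p&b=3&s=4m\r\n"
    "\r\n"
    ".tries=1&.src=ym&.md5=&.hash=&.js=&.last=&promo=&.intl=au&.bypass="
    "&.partner=&.u=cj0n1ih4d3c9b&.v=0&.challenge=B0u0V0KOLVIbFWYMWm7JLPqmsGuA"
    "&.yplus=&.emailCode=&pkg=&stepid=&.ev=&hasMsgr=0&.chkP=Y"
    "&.done=http%3A%2F%2Fmail.yahoo.com&.pd=ym_ver%3D0%26c%3D%26ivt%3D%26sg%3D"
    "&login=blackhat&passwd=thishasbeencopyiedandpastedin"
)

# Assumed field names that commonly carry credentials (example only).
USER_FIELDS = ("login", "username", "user", "email")
PASS_FIELDS = ("passwd", "password", "pass", "pwd")


def split_request(raw):
    """Split a raw HTTP request into (request_line, headers dict, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def extract_credentials(raw):
    """Return (host, path, username, password) from a captured request, or
    None if it is not a URL-encoded form POST carrying a credential pair."""
    request_line, headers, body = split_request(raw)
    method, path, _ = request_line.split(" ", 2)
    if method != "POST":
        return None
    ctype = headers.get("content-type", "")
    if not ctype.startswith("application/x-www-form-urlencoded"):
        return None
    # keep_blank_values so empty fields such as .md5= and .hash= still appear;
    # parse_qs also undoes the %xx encoding (e.g. .done -> http://mail.yahoo.com)
    fields = parse_qs(body, keep_blank_values=True)
    user = next((fields[k][0] for k in USER_FIELDS if k in fields), None)
    password = next((fields[k][0] for k in PASS_FIELDS if k in fields), None)
    if user is None or password is None:
        return None
    return headers.get("host", ""), path, user, password


if __name__ == "__main__":
    print(extract_credentials(CAPTURED_REQUEST))
```

Nothing in that body distinguishes a typed password from a pasted one, which is the point of the post: once the request leaves the browser, how the field was filled no longer matters.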
I don't see what's wrong with RoboForm. All your passwords are only entered once and stored in an encrypted database. Keyloggers can't get at your RoboForm passwords. And if you share a computer or something, just set a good master password in RoboForm.
 
On sites where you use an email address as a username, DON'T use that email account's password as the password.

Think about all the smaller sites that have an email as a username; you never know who has access to the db.
 
Oh, that really sucks. I started having different variations of my password when my account on a popular webmaster forum was hacked (I am still banned there), but the lesson to be learned is don't use any plugins like Gmail Manager and other notification tools. I also stopped using RoboForm and change passwords every 60 days.

Stop downloading warez (yes, I know that is tough) and limit the logins to important sites to a single computer.
 
Guys... Come on... Do some research :P
https://www.ironkey.com/dataprotection
That is what you need.

Store your shit on there...

As far as a master PW... I have one 101% memorized that is 75 characters, alphanumeric...

Start off with something random... memorize it... then add to it... memorize that... throw in the last 4 of your phone number, memorize that, add on your middle name in digits, memorize... date of birth, memorize, license plate number, memorize...

Add on a bunch of shit you can memorize...

I've had this same pass for 7 years now... I use a variant of it for EVERYTHING (I can pull a segment of it out and use it for a site)

Only ever had 2 security breaches, they were the same person at the same time, and it was a friend that knew my password for those 2 particular sites...

It actually helped me, because I had a nickname I would always call this particular friend that would piss him off, so I integrated that word into a new password and replaced passes with that. :D

Check out the IronKey... It's the shit!!

Read ALL of the details
 
Here is a quote from a small part of the site btw...

"To prevent unauthorized people or crimeware (malicious software such as viruses and Trojans) from gaining access to your encrypted drive, the IronKey prevents password guessing attacks (e.g. brute-force or dictionary attacks). After 10 incorrect password attempts (and ample warnings), the IronKey locks out all further password attempts. It initiates a patent-pending self-destruct sequence that securely and permanently erases your encryption keys and data. You can use IronKey's Secure Backup software to restore your backed-up data to a new IronKey."
 
You can also use a simple rule that only you know to generate a PW for every site/software out of a master PW.

One example:
- Take the site's name length squared and add it to the end of your master PW.
- Add the site's first two letters and $ before the master PW.

So... say your master PW is 42life

On wickedfire it would be

wi$42life100

tadaaaaa

Using that rule, you can even write down your master PW openly without anyone knowing how to get to your real PWs. No need for encrypted DBs or any other shit.

::emp::
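The rule from the post above, implemented as written, as an added example that is not part of the original post. It also shows the check a practitioner would want before relying on such a rule: because the prefix and suffix are computed from the site name alone, anyone who learns the rule and one derived password (say, from a small site's leaked database) can strip them off and recover the master. The `derive_by_hmac` function is an assumed alternative added here, not something the post proposes: keying an HMAC with the master and feeding it the site name gives a per-site password from which neither the master nor any other site's password can be recovered. The 20-character output length is an assumption.

```python
"""
Added example, not from the original post: the site-specific password rule
from the post above implemented as written, a check that it is reversible,
and an assumed HMAC-based variant that is not.
"""
import base64
import hashlib
import hmac


def derive_by_rule(master, site):
    """The posted rule: '<first two letters of site>$' + master + len(site)**2.
    e.g. master '42life' on 'wickedfire' -> 'wi$42life100'"""
    return "%s$%s%d" % (site[:2], master, len(site) ** 2)


def recover_master(derived, site):
    """Inverse of derive_by_rule. Anyone who knows the rule and one derived
    password gets the master back by removing the predictable prefix and
    suffix. Returns None if the password does not fit the rule for this site."""
    prefix = site[:2] + "$"
    suffix = str(len(site) ** 2)
    if len(derived) <= len(prefix) + len(suffix):
        return None
    if not (derived.startswith(prefix) and derived.endswith(suffix)):
        return None
    return derived[len(prefix):len(derived) - len(suffix)]


def derive_by_hmac(master, site, length=20):
    """Assumed alternative (not from the post): HMAC-SHA256 keyed with the
    master over the site name, base64 encoded and truncated to `length`.
    A leaked derived password reveals nothing about the master or other sites."""
    digest = hmac.new(master.encode("utf-8"), site.encode("utf-8"),
                      hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")[:length]


if __name__ == "__main__":
    master = "42life"
    for site in ("wickedfire", "paypal"):
        by_rule = derive_by_rule(master, site)
        print(site, by_rule, "-> master recovered:", recover_master(by_rule, site))
        print(site, derive_by_hmac(master, site), "-> master recovered: (no shortcut)")
```

The HMAC variant still has the weakness the next post points out for any scheme built on one secret: if the master itself is weak, an attacker holding one derived password can guess masters offline and check each candidate against it. The difference is that it takes a guessing attack rather than string slicing.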
 
I've had this same pass for 7 years now... I use a variant of it for EVERYTHING (I can pull a segment of it out and use it for a site)

The same password or even variations is a bad idea. Let's say you liked Jon's site and signed up for a newsletter or something there. And he has your WF password....

Not saying he would steal the $29.92 in your paypal but he could probably get your password.

Trust me, people that use the same password are asking for it. I have found many cached by Google in CSV and XLS files. And often they use the same password. It's often like "jenny82" or something stupid. Then check their Facebook or MySpace and it's the same. Hotmail, same. Boom, done, got them.

I know people hate them, but I use a U3 flash drive for email, files, and passwords. On there I have Thunderbird, FileZilla, Firefox with some developer plugins, and KeePass in an old non-U3 version. I set it with a password and if I lose it the people get absolutely nothing. They don't even know whose it is, or what files I have on there.

Occasionally make a backup or spare U3.

And trigatch, you need to log on to all your registrars now and check what is going on with your domains. Those are like gold and a pain to get back once gone. Change those passwords, of course.
 