Data leak

Beekeeping & Apiculture Forum

OXFORDBEE

Field Bee
***
Joined
Nov 10, 2008
Messages
761
Reaction score
45
Location
Oxfordshire
Hive Type
Commercial
Number of Hives
More than 1, numbers seem to go up and down.
My iPhone has just reported that there has been a data leak from the beekeeping forum and my account is compromised.

Has there been a data leak?
 
My iPhone has just reported that there has been a data leak from the beekeeping forum and my account is compromised.

Has there been a data leak?
Did it definitely say there's been a data leak from beekeeping forum and your account is compromised?
It's becoming increasingly common for web browsers and other devices/services/sites to tell you if your password has been found in a previous breach elsewhere. Simply a case of "the password you're trying to use has been seen in a list of leaked passwords" Try putting your password in here: Have I Been Pwned: Pwned Passwords (it's totally safe) and it'll tell you if it's in any of the breaches recorded in their database.
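The Pwned Passwords check mentioned above is safe to use because the site never receives your password: only the first five hex characters of its SHA-1 hash are sent, and the match is done locally. This added example (mine, not the forum's or Have I Been Pwned's code) shows that k-anonymity range lookup against a constructed offline reply; the live `fetch_range` call is included but not needed to run it.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

def sha1_prefix_suffix(password: str) -> tuple:
    """SHA-1 the password and split the upper-case hex digest into the 5-char
    prefix that is sent to the service and the 35-char suffix that never
    leaves your machine (the k-anonymity scheme the Pwned Passwords API uses)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """The range endpoint returns one 'SUFFIX:COUNT' line per leaked hash that
    shares the prefix (padding entries with a count of 0 may also appear)."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix: str) -> str:
    """Live lookup; only the 5 hex characters of the prefix are transmitted."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "pwned-passwords-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)

# Constructed offline stand-in for the service's reply to prefix 5BAA6 (SHA-1 of
# "password" begins 5BAA61E4...). The counts below are made up for this example.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
    "00D4F6E8FA6EECAD2A3AA415EEC418D38EC:0\n"
)

def offline_fetch(prefix: str) -> str:
    # Constructed fetcher: every prefix returns the sample body above.
    return SAMPLE_RANGE_BODY

if __name__ == "__main__":
    for pw in ("password", "Bees-Are-Great-2024"):
        print(pw, "->", breach_count(pw, fetch=offline_fetch), "hit(s) in sample data")
```

Swap `offline_fetch` for the default `fetch_range` to query the real service; a non-zero count means the password has appeared in a breach somewhere and should be retired, not that this forum was breached.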
 
My iPhone has just reported that there has been a data leak from the beekeeping forum and my account is compromised.

Has there been a data leak?

When you say "My iPhone has just reported", do you mean you have received a text message? Or was it a pop up from the iPhone itself?
 
When you say "My iPhone has just reported", do you mean you have received a text message? Or was it a pop up from the iPhone itself?

If I go into passwords in my iPhone and select beekeepingforum..co.uk I get a security recommendation with the text "This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately."
 
If I go into passwords in my iPhone and select beekeepingforum..co.uk I get a security recommendation with the text "This password has appeared in a data leak, which puts this account at high risk of compromise. You should change your password immediately."

That's completely different. It is telling you that you have used the same email and password combination somewhere else (e.g. on another site completely), and THAT site has been hacked. So, yes, you should change this password, and not use the same password on different sites if possible, but this message is not saying that the Beekeeping Forum has had a data leak.
 
That's completely different. It is telling you that you have used the same email and password combination somewhere else (e.g. on another site completely), and THAT site has been hacked. So, yes, you should change this password, and not use the same password on different sites if possible, but this message is not saying that the Beekeeping Forum has had a data leak.

Not even that necessarily - somebody has used that password somewhere else, and it's been leaked. Not necessarily you and not necessarily in conjunction with your email address. Still a good idea to change your password here and anywhere else you've used it (nowhere else right? Password re-use is bad!)
 
That's completely different. It is telling you that you have used the same email and password combination somewhere else (e.g. on another site completely), and THAT site has been hacked. So, yes, you should change this password, and not use the same password on different sites if possible, but this message is not saying that the Beekeeping Forum has had a data leak.

Ah, thanks for that, it would make sense, but to the best of my recollection I've only used the lower case password with this forum and an upper case variant with the BBKA forum.

There were alerts which mentioned the beekeeping forum but I didn't take a screen dump so at this point I can't prove it.

Thanks for the reply.
 
I converted to Dashlane about two years ago and have got everything important onto random 12-16 digit passwords.

I have to admit that this website had slipped the net, and was still on a very insecure password, until this thread happened! Now my password is xkTBNf&34!Q and I think you can agree no-one is going to guess that!

Oh, hold on ......
Seriously though ... If you don't use something like Dashlane or another random password generator ... passwords used should not be a recognisable word, should contain upper and lower case letters, a special character and at least one number. The more random and obscure you make it - the safer it is.

I was contacted by a debt collection agency working for a finance company last year looking for a payment from me ... someone had gained access to all my personal details - including a former bank account (fortunately long since closed). They had taken out finance for insurance for a car online with a major insurance company and had used all my details and the bank account (they had created a new email address in my name) but, of course, the account was defunct and no payments could be taken. They had obviously found a way in to some website where these details had all been stored insecurely, but it was very much a wake-up call for me.

Password integrity is really important if your details are compromised, as it's only a short step from one innocuous website to access to your bank account if it has a similar (or worse, the same!) password.
 
I totally agree. I use a password generator/safe for all my accounts (I have 150+!). I have no idea what any of them is, I always use the password safe and change important ones periodically.
 
Seriously though ... If you don't use something like Dashlane or another random password generator ... passwords used should not be a recognisable word, should contain upper and lower case letters, a special character and at least one number. The more random and obscure you make it - the safer it is.

I was contacted by a debt collection agency working for a finance company last year looking for a payment from me ... someone had gained access to all my personal details - including a former bank account (fortunately long since closed). They had taken out finance for insurance for a car online with a major insurance company and had used all my details and the bank account (they had created a new email address in my name) but, of course, the account was defunct and no payments could be taken. They had obviously found a way in to some website where these details had all been stored insecurely, but it was very much a wake-up call for me.

Password integrity is really important if your details are compromised, as it's only a short step from one innocuous website to access to your bank account if it has a similar (or worse, the same!) password.

I believe the general advice on this has changed. The random letters and numbers are not necessarily that secure as you'd think. My company email was hacked in Feb and it caused us loads of work and hassle. You have to remember that the hackers need to start with a known email address, even one as simple as Info@.... then a computer program throws millions of automatically generated passwords at it and a bit like cracking the Enigma code they can get in.

From the advice we received, each user picks 3 words known to them, so mine could be SiameseBeesTesla, which would be equally as strong and more secure than using an encryption service... which could be hacked. The most important thing you can do to prevent hacking is use a form of Multi Factor Authentication, whereby logging on to an email account or service sends a code to your mobile number that you then have to type in. This is 100% secure.
 
I believe the general advice on this has changed. The random letters and numbers are not necessarily that secure as you'd think. My company email was hacked in Feb and it caused us loads of work and hassle. You have to remember that the hackers need to start with a known email address, even one as simple as Info@.... then a computer program throws millions of automatically generated passwords at it and a bit like cracking the Enigma code they can get in.

From the advice we received, each user picks 3 words known to them, so mine could be SiameseBeesTesla, which would be equally as strong and more secure than using an encryption service... which could be hacked. The most important thing you can do to prevent hacking is use a form of Multi Factor Authentication, whereby logging on to an email account or service sends a code to your mobile number that you then have to type in. This is 100% secure.

You are right about MFA of course.

But I am unclear why SiameseBeesTesla would be harder to crack than Xkgf45!lsd23AS ? I think it would be much easier, as it uses actual words which are in common usage, plus no numbers, symbols etc. The danger is also that you use the same three words on more than one account (after all, if you don't, why not just use random strings of characters?), and if you do that then a hack on one account spreads to your other accounts.
 
From the advice we received, each user picks 3 words known to them, so mine could be SiameseBeesTesla, which would be equally as strong and more secure than using an encryption service.
They also now advise that the three words be separated by a hyphen. Home Office cipher bods have now directed us to use this new system, bloody great, especially as my current method was totally random and (for me) easy to write down a reminder which would have had no connection to the password.
 
ANY system which allows multiple logons with incorrect passwords in an attempt to gain access is very badly designed. Most have three tries and the account is locked.
 
You are right about MFA of course.

But I am unclear why SiameseBeesTesla would be harder to crack than Xkgf45!lsd23AS ? I think it would be much easier, as it uses actual words which are in common usage, plus no numbers, symbols etc. The danger is also that you use the same three words on more than one account (after all, if you don't, why not just use random strings of characters?), and if you do that then a hack on one account spreads to your other accounts.

Absolutely no idea, just relaying what pretty much every IT company told me, plus the one we contracted with to sort the mess out.
 
But I am unclear why SiameseBeesTesla would be harder to crack than Xkgf45!lsd23AS ? I think it would be much easier, as it uses actual words
Maybe the reason it's harder to crack is because it is a random selection of three 'real' words not just a random group of letters and symbols.
If GCHQ are happy with it, who am I to argue?
 
But I am unclear why SiameseBeesTesla would be harder to crack than Xkgf45!lsd23AS ? I think it would be much easier, as it uses actual words which are in common usage, plus no numbers, symbols etc. The danger is also that you use the same three words on more than one account (after all, if you don't, why not just use random strings of characters?), and if you do that then a hack on one account spreads to your other accounts.

Estimated time to brute force a password:
uppercase and lowercase letters only, 16 characters, 2bn years
numbers, uppercase and lowercase letters, symbols, 14 characters, 200m years.
(source: hivesystems.io)

So SiameseBeesTesla is "stronger" to brute force attack by virtue of the longer length. That is in fact the main reason that "3 words" password construction is widely recommended now - it encourages much longer passwords than the typically still 8 enforced numbers, upper, lower, and special mix (est. 8 hours to brute force) which are still memorable (so not written down, less likely to be reused) and are partly robust to dictionary attacks due to the n-cubed permutations of any 3 dictionary words.

The other points with regard to repeat use etc., and other forms of attack beyond brute force (e.g. social engineering) are not addressed by the above though.
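The post above argues that SiameseBeesTesla is strong mainly because of its length, with only partial protection against dictionary attacks. This added example (mine, not the poster's or hivesystems.io's) puts numbers on that: it scores one password under three attacker models, as uniform random letters, as uniform random printable characters, and as three words drawn from a word list. The guessing rate of 1e12/s and the 100,000-word dictionary are assumptions; the year figures quoted in the post rest on hivesystems' own hardware assumptions and will differ.

```python
import math
import re

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits when every position is drawn uniformly from the alphabet."""
    return length * math.log2(alphabet_size)

def words_in(password: str) -> list:
    """Split a CamelCase three-word password into its words (constructed heuristic)."""
    return re.findall(r"[A-Z][a-z]*", password)

def dictionary_bits(password: str, dictionary_size: int) -> float:
    """Entropy if the attacker knows the construction: each word is one uniform
    pick from a word list of dictionary_size entries (the post's n-cubed idea)."""
    return len(words_in(password)) * math.log2(dictionary_size)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at the given guessing rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)

def compare(password: str, dictionary_size: int = 100_000,
            guesses_per_second: float = 1e12) -> dict:
    """Bits and brute-force years for one password under three attacker models.
    Assumed rate and dictionary size are constructed for this example."""
    n = len(password)
    models = {
        "letters_only_%d" % n: keyspace_bits(52, n),
        "mixed94_%d" % n: keyspace_bits(94, n),
        "%d_dictionary_words" % len(words_in(password)):
            dictionary_bits(password, dictionary_size),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits, guesses_per_second))
            for name, bits in models.items()}

if __name__ == "__main__":
    # The 16-letter view gives ~91 bits; the 3-words-from-100k-list view ~50 bits.
    for name, (bits, years) in compare("SiameseBeesTesla").items():
        print(f"{name:22s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
```

The gap between the first and last rows is the whole disagreement in this thread: the word-based password only keeps its length advantage against an attacker who does not know it was built from dictionary words.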
 
Estimated time to brute force a password:
uppercase and lowercase letters only, 16 characters, 2bn years
numbers, uppercase and lowercase letters, symbols, 14 characters, 200m years.
(source: hivesystems.io)

So SiameseBeesTesla is "stronger" to brute force attack by virtue of the longer length. That is in fact the main reason that "3 words" password construction is widely recommended now - it encourages much longer passwords than the typically still 8 enforced numbers, upper, lower, and special mix (est. 8 hours to brute force) which are still memorable (so not written down, less likely to be reused) and are partly robust to dictionary attacks due to the n-cubed permutations of any 3 dictionary words.

The other points with regard to repeat use etc., and other forms of attack beyond brute force (e.g. social engineering) are not addressed by the above though.

Fair enough, length is more important than randomness, I can buy that.

But their table suggests that for equivalent lengths (say 12 characters), random streams of characters are astronomically better (34k years) than just letters (300 years)

And my password generator allows me to create whatever length of passwords I like, so I'll just set it to 16. Job done.

The HiveSystems table shows that as long as you use 14 characters or more, and don't just use numbers, your password is effectively uncrackable by brute force. This only applies though, if your passwords are completely different on each site you visit, and this is much harder to achieve with words than it is with a password generator. For example, if you use "SiameseBeesTesla" on one site, I bet you use "BeesSiameseTesla" on another, or "SiameseBeesTesla99" etc. This means that when one site is hacked your other sites become vulnerable, however long the passwords are.

And (as you mention) that's before we even get into someone guessing that Bees would be part of your password, based on your social media profile, and Tesla because you have a Tesla, etc etc

I'll stick with the generator, but I suspect we are all OK on this score really, given that we all have plainly given it some thought.
 
You are right about MFA of course.

But I am unclear why SiameseBeesTesla would be harder to crack than Xkgf45!lsd23AS ? I think it would be much easier, as it uses actual words which are in common usage, plus no numbers, symbols etc. The danger is also that you use the same three words on more than one account (after all, if you don't, why not just use random strings of characters?), and if you do that then a hack on one account spreads to your other accounts.

I believe the number of characters in the password (as well as a few odd characters for fun) increases the length of time it takes to crack a password such that it becomes effectively "uncrackable". Pass phrases such as "Th3Big4atCatS@~0n1heM@t" (with character substitutions for thebigfatcatsatonthemat) would be good. Common words can be used in dictionary attacks. The most important thing is being able to remember the password so one can use it! SiameseBeesTesla is easy to remember for me; Xkgf45!lsd23AS would have me reaching for a piece of paper. MFA works fine as long as one can find the phone, which is somewhat erratic in my current lifestyle.