should I bother changing passwords on every website?
Ever since that last massive security breach at Yahoo, besides no longer using Yahoo for e-mail, I have abandoned an unwise and not-very-secure password habit practiced since my youth: I used to cycle between the same few words, if sometimes with numbers or a changed case. Not that I seriously believe using more secure passwords and/or changing passwords would prevent my accounts from getting hacked. I just know I should nevertheless be doing it. (I've got a pretty inexhaustible source for generating passwords: titles and proper nouns from books.)
But should I bother doing it for accounts on sites where I don't make any financial transactions and don't discuss personal information? This site, for instance. Why would hackers want to steal information from my LQ account; and if they did anyway, should I particularly care? If I'm being naive, go ahead and tell me.
Last edited by newbiesforever; 03-13-2018 at 10:30 AM.
They would be looking for your email address, as that is what spammers use to send out their crap to people.
It can make life difficult for you as the official owner of that address, & can get you banned from others sites.
Wise to at least have different passwords on each & every site that you use.
Never give truthful answers to standard security questions (if you use social media then it's kinda easy to find your date / place of birth and probably your mother's maiden name). Also never use these "Enter your first pet's name and your mother's maiden name and we'll e-mail you a meme with your porn star name!" forms.
Enable any warning / security alert / login alert tracking where possible and have it send to your phone by text message rather than e-mail.
Yes. You have personal information (such as your real name) on the "fun" sites. And the first thing a hacker will do after guessing your password for a "fun" site is to try logging in to zillions of other sites with the same username and password.
Use a password manager.
Is there a security reason I shouldn't manually keep a file of my passwords, if it works for me? I know perfectly well what a password manager is, and used to use one; but it was made a nuisance by a university e-mail system that went through more than one password check. After routine password changes, the password manager didn't understand that the change applied to both checks, leading to constant password mistakes. I got annoyed enough that I abandoned the password manager, and have ever since been consulting my manually maintained password file.
Last edited by newbiesforever; 03-14-2018 at 09:43 AM.
Both OS/X and KDE/Gnome provide some kind of a "secure note" facility and that's what I use. Not just for passwords but for all sorts of things.
Being a lazy sot, I generally use the same password on web-sites but of course it isn't the same as any login password that I use. All of those are "all different," and they're nonsense words. (trypt0phane ... that would have been a good one.) Nevertheless, I do keep secure notes about them.
(But you can't use my login-passwords anyway, unless you've got my one-of-a-kind OpenVPN certificate, which is encrypted with a passphrase and which will have been revoked long before you get a chance to use your stolen prize. In fact, you can't even find my servers' secret doors: to any scanner, "there's nothing there at all." As I discuss in my blog here.) Not a single one of my servers exposes anything, including ssh, directly to the world-at-large. I don't worry about "unauthorized access attempts" because I never get any.
If you need to deploy a web-site where you can't use OpenVPN to secure the administrative portal, mod_ssl (or its "nginx" equivalent) is your best friend, because "it cuts both ways" if you want it to. It can secure a web-site such that only the bearer of a properly-signed TLS certificate can access it or some designated portion of it. (Not quite as sophisticated because I don't recall that it supports revocation, but I could well be wrong on that.) Access is not available merely due to knowledge of a secret (password), but requires that you bear a credential.
Last edited by sundialsvcs; 03-14-2018 at 09:54 AM.
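As an added illustration of the mod_ssl setup described in the post above (this is not sundialsvcs's own configuration, and the file paths, host name and CA name are placeholders): an Apache httpd 2.4 virtual host that serves the public site normally but admits requests under /admin only from clients presenting a certificate issued by a private CA. It also wires in CRL-based revocation, which mod_ssl does support through SSLCARevocationFile and SSLCARevocationCheck.

```apache
# Added example, not from the original post. Paths and names are assumptions.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile      /etc/ssl/private/www.example.com.crt
    SSLCertificateKeyFile   /etc/ssl/private/www.example.com.key

    # Public part of the site: a server certificate is enough here.
    SSLVerifyClient none

    # Trust anchor for CLIENT certificates. Point this only at the private CA
    # that issues admin certificates, never at the system CA bundle; otherwise
    # a certificate from any public CA would satisfy "SSLVerifyClient require".
    SSLCACertificateFile    /etc/ssl/private/admin-ca.crt

    # Revocation: mod_ssl rejects any presented certificate whose serial is
    # listed in this CRL. "chain" checks every certificate in the chain, so a
    # CRL must exist for each issuing CA; "leaf" would check only the client
    # certificate itself. Regenerate and reload this file after each revocation.
    SSLCARevocationFile     /etc/ssl/private/admin-ca.crl
    SSLCARevocationCheck    chain

    <Location "/admin">
        # Only a valid, unrevoked client certificate gets past this point.
        SSLVerifyClient require
        # One intermediate at most between the client cert and the trust anchor.
        SSLVerifyDepth  1
        # Pin the issuer as well, so that if SSLCACertificateFile ever grows
        # to include a second CA, its certificates still do not open /admin.
        <RequireAll>
            Require expr %{SSL_CLIENT_VERIFY} == "SUCCESS"
            Require expr %{SSL_CLIENT_I_DN_CN} == "Admin CA"
        </RequireAll>
    </Location>
</VirtualHost>
```

Two caveats worth knowing before relying on this. Per-directory SSLVerifyClient works by renegotiating the TLS session (TLS 1.2 and earlier) or by post-handshake client authentication (TLS 1.3), and not every client implements the latter; putting the admin portal on its own host name with SSLVerifyClient require at the server level avoids that dependency entirely. Second, a CRL only protects you if it is actually regenerated and the server reloaded after each revocation; a stale CRL file quietly accepts the revoked certificate. The nginx equivalents are ssl_verify_client, ssl_client_certificate and ssl_crl.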
Is there a security reason I shouldn't manually keep a file of my passwords, if it works for me?
The possibility of having anyone else ever use or service the same PC, or having anyone else in the room when you have that file open, would both be "security reasons".
At least replace the "file" with KeePass or KeePassX.
Never allow utility companies to demand passwords over the telephone.
There is no reason for them to do this - they called you but you don't know who is really on the other end.
That's a real bad habit to get into allowing.
And don't be fooled by the "just the first and third letter" scam.
Scammers will come back months later to get the rest and I guarantee you didn't change it (and probably use the same one elsewhere).
There is no security on a phone line at all.
Never allow utility companies to demand passwords over the telephone.
There is no reason for them to do this - they called you but you don't know who is really on the other end.
Ask for the person's name AND the item / case / ticket reference and then call back on a "known good" number.
Think about which web sites you use the same passwords on - are they really long-term genuine-looking sites or just clones or simple sites designed to gather passwords?
(SSL doesn't protect you.)
SSL certificates are themselves untrustworthy.
Think who issues them
Now think who might want to put encrypted stuff on servers the server admin cant read
And now think what is to stop them (line above) doing this apparently legitimately
I use a different long complex password for every site and encrypt the files, but I never use a password manager or have my browser remember passwords.
Your mother's maiden name is something you should closely guard IMO.
I use KeepassX for a password vault. It runs on Windows, Mac, and Linux, and the database is portable.
I find it far superior to password vaults that are tied to particular desktop environments, like those keyring thingees, or dependent of the innerwebs.
Ask for the person's name AND the item / case / ticket reference and then call back on a "known good" number.
No. Never use passwords on the telephone.
The person's name means nothing at all. A "case/ticket" number means nothing to you.
It is not your responsibility to pay for and call them back.
If they want to verify THEY have called the right number they should ask for something off your WRITTEN bill or statement that changes every time you get one. This is for THEM, not you. You should ask THEM for information only they should have, not the other way around.
If they don't provide written bills or statements you shouldn't be doing business with them anyway.
The biggest threat to your privacy and security isn't the criminals - it's government legislation that has forced you to spread vast quantities of personal information across the planet to whoever demands it.
Wake up.
Demand they stop asking for more than is required to get the job done and that it never be used for any other purpose whatsoever. Selling it on should be a criminal offence.