LinuxQuestions.org
Old 03-13-2018, 10:23 AM   #1
newbiesforever
Senior Member
 
Registered: Apr 2006
Posts: 2,083

should I bother changing passwords on every website?


Ever since that last massive security breach at Yahoo, besides no longer using Yahoo for e-mail, I have abandoned an unwise and not-very-secure password habit practiced since my youth: I used to cycle between the same few words, if sometimes with numbers or a changed case. Not that I seriously believe using more secure passwords and/or changing passwords would prevent my accounts from getting hacked. I just know I should nevertheless be doing it. (I've got a pretty inexhaustible source for generating passwords: titles and proper nouns from books.)

But should I bother doing it for accounts on sites where I don't make any financial transactions and don't discuss personal information? This site, for instance. Why would hackers want to steal information from my LQ account; and if they did anyway, should I particularly care? If I'm being naive, go ahead and tell me.

Last edited by newbiesforever; 03-13-2018 at 10:30 AM.
 
Old 03-13-2018, 11:04 AM   #2
fatmac
Senior Member
 
Registered: Sep 2011
Location: Upper Hale, Surrey/Hants Border, UK
Distribution: AntiX
Posts: 2,321

They would be looking for your email address, as that is what spammers use to send out their crap to people.
It can make life difficult for you as the official owner of that address, & can get you banned from other sites.
Wise to at least have different passwords on each & every site that you use.
 
Old 03-13-2018, 11:10 AM   #3
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,694

  • Use a separate password for every site.
  • Enable 2 Factor authentication wherever possible.
  • Never give truthful answers to standard security questions (if you use social media then it's kinda easy to find your date / place of birth and probably your mother's maiden name). Also never use these "Enter your first pet's name and your mother's maiden name and we'll e-mail you a meme with your porn star name!" forms.
  • Enable any warning / security alert / login alert tracking where possible and have it send to your phone by text message rather than e-mail.
 
Old 03-13-2018, 11:35 AM   #4
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 8,183

Yes. You have personal information (such as your real name) on the "fun" sites. And the first thing a hacker will do after guessing your password for a "fun" site is to try logging in to zillions of other sites with the same username and password.

Use a password manager.
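As an added example (not code from any poster in this thread), a small Python audit that applies dugan's point to a personal password list: it flags sites whose passwords are merely variants of the same base word, which is exactly the "same few words, with numbers or a changed case" habit the original poster describes. The site names and passwords below are constructed, not real credentials.

```python
import re
from collections import defaultdict

# Constructed sample list of (site, password); none of these are real credentials.
SAMPLE_CREDS = [
    ("bank.example", "Tr1umph!2018"),
    ("forum.example", "triumph"),
    ("shop.example", "Triumph99"),
    ("mail.example", "Wyvern-7"),
    ("news.example", "wyvern"),
    ("lq.example", "ivanhoe"),
]

# Common digit/symbol substitutions people use to "vary" a word.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def base_form(password):
    """Reduce a password to the dictionary word it was built from:
    lowercase it, drop leading/trailing digits and punctuation, undo the
    leet substitutions above, then keep letters only."""
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    s = s.translate(LEET)
    return re.sub(r"[^a-z]", "", s)


def audit_reuse(creds):
    """Group sites by the base word of their password and return only the
    groups shared by more than one site: {base_word: [site, ...]}.
    A breach of any one site in a group exposes the others to the
    'try the same login everywhere' attack dugan describes."""
    groups = defaultdict(list)
    for site, password in creds:
        # Passwords with no letters at all are grouped by their exact value.
        key = base_form(password) or password.lower()
        groups[key].append(site)
    return {word: sites for word, sites in groups.items() if len(sites) > 1}


if __name__ == "__main__":
    for word, sites in audit_reuse(SAMPLE_CREDS).items():
        print(f"variants of '{word}' reused on: {', '.join(sites)}")
```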
 
Old 03-13-2018, 12:06 PM   #5
enorbet
Senior Member
 
Registered: Jun 2003
Location: Virginia
Distribution: Slackware = Main OpSys for decades while testing others to keep up
Posts: 1,840

Well maybe one day we will have a way to employ retina scans on websites and you won't have to bother but until then.....
 
Old 03-14-2018, 09:34 AM   #6
newbiesforever
Senior Member
 
Registered: Apr 2006
Posts: 2,083

Original Poster
Quote:
Originally Posted by TenTenths View Post
  • Never give truthful answers to standard security questions (if you use social media then it's kinda easy to find your
Good idea...
 
Old 03-14-2018, 09:42 AM   #7
newbiesforever
Senior Member
 
Registered: Apr 2006
Posts: 2,083

Original Poster
Quote:
Originally Posted by dugan View Post
Yes. You have personal information (such as your real name) on the "fun" sites. And the first thing a hacker will do after guessing your password for a "fun" site is to try logging in to zillions of other sites with the same username and password.

Use a password manager.
Is there a security reason I shouldn't manually keep a file of my passwords, if it works for me? I know perfectly well what a password manager is, and used to use one; but it was made a nuisance by a university e-mail system that went through more than one password check. After routine password changes, the password manager didn't understand that the change applied to both checks, leading to constant password mistakes. I got annoyed enough that I abandoned the password manager, and have ever since been consulting my manually maintained password file.

Last edited by newbiesforever; 03-14-2018 at 09:43 AM.
 
Old 03-14-2018, 09:47 AM   #8
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 9,078
Blog Entries: 4

Both OS/X and KDE/Gnome provide some kind of a "secure note" facility and that's what I use. Not just for passwords but for all sorts of things.

Being a lazy sot, I generally use the same password on web-sites but of course it isn't the same as any login password that I use. All of those are "all different," and they're nonsense words. (trypt0phane ... that would have been a good one.) Nevertheless, I do keep secure notes about them.

(But you can't use my login-passwords anyway, unless you've got my one-of-a-kind OpenVPN certificate, which is encrypted with a passphrase and which will have been revoked long before you get a chance to use your stolen prize. In fact, you can't even find my servers' secret doors: to any scanner, "there's nothing there at all." As I discuss in my blog here.) Not a single one of my servers exposes anything, including ssh, directly to the world-at-large. I don't worry about "unauthorized access attempts" because I never get any.

If you need to deploy a web-site where you can't use OpenVPN to secure the administrative portal, mod_ssl (or its "nginx" equivalent) is your best friend, because "it cuts both ways" if you want it to. It can secure a web-site such that only the bearer of a properly-signed TLS certificate can access it or some designated portion of it. (Not quite as sophisticated because I don't recall that it supports revocation, but I could well be wrong on that.) Access is not available merely due to knowledge of a secret (password), but requires that you bear a credential.

Last edited by sundialsvcs; 03-14-2018 at 09:54 AM.
 
Old 03-14-2018, 11:51 AM   #9
dugan
LQ Guru
 
Registered: Nov 2003
Location: Canada
Distribution: Slackware
Posts: 8,183

Quote:
Originally Posted by newbiesforever View Post
Is there a security reason I shouldn't manually keep a file of my passwords, if it works for me?
The possibility of having anyone else ever use or service the same PC, or having anyone else in the room when you have that file open, would both be "security reasons".

At least replace the "file" with KeePass or KeePassX.

Last edited by dugan; 03-14-2018 at 02:16 PM.
 
Old 03-28-2018, 04:19 AM   #10
fred2014
Member
 
Registered: Mar 2015
Posts: 47

Never allow utility companies to demand passwords over the telephone. There is no reason for them to do this: they called you, but you don't know who is really on the other end. That's a real bad habit to get into allowing.
And don't be fooled by the "just the first and third letter" scam. Scammers will come back months later to get the rest, and I guarantee you didn't change it (and probably use the same one elsewhere).
There is no security on a phone line at all.
 
Old 03-28-2018, 04:22 AM   #11
TenTenths
Senior Member
 
Registered: Aug 2011
Location: Dublin
Distribution: Centos 5 / 6 / 7
Posts: 2,694

Quote:
Originally Posted by fred2014 View Post
Never allow utility companies to demand passwords over the telephone. There is no reason for them to do this: they called you, but you don't know who is really on the other end.
Ask for the person's name AND the item / case / ticket reference and then call back on a "known good" number.
 
Old 03-28-2018, 04:24 AM   #12
fred2014
Member
 
Registered: Mar 2015
Posts: 47

Think about which web sites you use the same passwords on: are they really long-term, genuine-looking sites or just clones or simple sites designed to gather passwords? (SSL doesn't protect you.)

SSL certificates are themselves untrustworthy.
Think who issues them.
Now think who might want to put encrypted stuff on servers the server admin can't read.
And now think what is to stop them (line above) doing this apparently legitimately.
 
Old 03-28-2018, 01:59 PM   #13
Trihexagonal
Member
 
Registered: Jul 2017
Location: Land of 1000 Nights
Distribution: FreeBSD, OpenBSD and Solaris
Posts: 165

I use a different long complex password for every site and encrypt the files, but I never use a password manager or have my browser remember passwords.

Your mother's maiden name is something you should closely guard IMO.
 
Old 03-28-2018, 08:09 PM   #14
frankbell
LQ Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Debian, Mageia, and whatever VMs I happen to be playing with
Posts: 13,581
Blog Entries: 20

I use KeePassX for a password vault. It runs on Windows, Mac, and Linux, and the database is portable.

I find it far superior to password vaults that are tied to particular desktop environments, like those keyring thingees, or dependent on the innerwebs.
 
Old 03-29-2018, 04:42 AM   #15
fred2014
Member
 
Registered: Mar 2015
Posts: 47

Quote:
Originally Posted by TenTenths View Post
Ask for the person's name AND the item / case / ticket reference and then call back on a "known good" number.

No. Never use passwords on the telephone.

The person's name means nothing at all. A "case/ticket" number means nothing to you. It is not your responsibility to pay for and call them back.

If they want to verify THEY have called the right number, they should ask for something off your WRITTEN bill or statement that changes every time you get one. This is for THEM, not you. You should ask THEM for information only they should have, not the other way around.

If they don't provide written bills or statements, you shouldn't be doing business with them anyway.

The biggest threat to your privacy and security isn't the criminals; it's government legislation that has forced you to spread vast quantities of personal information across the planet to whoever demands it.

Wake up.
Demand they stop asking for more than is required to get the job done and that it never be used for any other purpose whatsoever. Selling it on should be a criminal offence.
 