LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-11-2013, 06:08 AM   #1
GinaC
LQ Newbie
 
Registered: Jun 2013
Posts: 1

Rep: Reputation: Disabled
Compromised?


Hi

The Webmaster on my company website is trying to tell me (and my bosses) that I have compromised the site by using the same email password on the company site as I do on others - ie my bank etc . I know I should have different ones but I can't remember them all!
Is it right that I have compromised the company website? How did the website know it was the same password? And, wouldn't it compromise MY accounts more than the company one as we all know that hackers know we use the same password and therefore would use it to scam banks etc to find me?
I do appreciate any answers.

Gina
 
Old 06-11-2013, 08:05 AM   #2
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
1. Do use different passwords for important sites, inc work.(!)
You may want to investigate a password safe like keepassx; just use a really good master passwd to get in.

2. Ask how webmaster knows; it doesn't make sense unless he/she knows more than they should about your passwds.
Maybe you mentioned it???
 
1 members found this post helpful.
Old 06-11-2013, 08:14 AM   #3
thedaver
Member
 
Registered: Jan 2010
Posts: 65

Rep: Reputation: 21
Your employer is generally entitled to obtain passwords (through direct or indirect means) for their systems. It is foolish for you to utilize passwords between your personal and professional accounts - even if never hacked, the employer can/will know a password that can personally affect you.

"I know I should have different ones but I can't remember them all!"

You admit that you are too lazy to make the effort to protect yourself. Accept the consequences of that lack of effort.
 
Old 06-11-2013, 09:29 AM   #4
rtmistler
Moderator
 
Registered: Mar 2011
Location: Sutton, MA. USA
Distribution: MINT Debian, Angstrom, SUSE, Ubuntu
Posts: 5,991
Blog Entries: 12

Rep: Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047Reputation: 2047
@GinaC, One strategy is to pick a few different passwords which satisfy the common rules of
  • 8 characters minimum
  • At least one capital letter
  • At least one number
and then rearrange how which letter you replace with a number or which letter you capitalize, or rotate the word around as you change passwords.

Example only!

Chosen word: woodwork
As passwords: w8odWork, w11dWORK,
Rotating: 8odWorkw, 11dWORKw, odWordw8, 1dWORKw1

And then choose more than one key word to use for passwords, say 3 or so of them so that you can have "work" and "personal" password options, but generally remember them. Or at least be able to get them eventually.
 
Old 06-11-2013, 10:08 AM   #5
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 844

Rep: Reputation: 166Reputation: 166
It's best to have really strong passwords and never use them for more than one account or site. And the only way to do that, IMO, is to use truly random passwords and a password manager to keep track of them.

A password manager like Keepassx that chrism01 mentioned can generate random passwords for you. Its password generation tool allows you to specify custom parameters to match it to the password policy of any particular site (e.g., maximum number of characters, the set of allowed characters and required characters). You won't be able to memorize the generated passwords, most likely, but you really don't need to. You only need to remember your master password for Keepassx. There are other similar password managers too, like Lastpass.

If you can't remember your passwords (best case, your single password manager master password), there's nothing wrong with writing them down and keeping them in a safe place until you do remember them, like in your wallet or your purse. Treat them like you would your credit cards, driver's license, and important personal and financial data.

These articles are worth reading, especially if you think that simple passwords you make up, or passwords based on patterns and common words, are adequate to protect your passwords from cracking.


Anatomy of a hack: How crackers ransack passwords like “qeadzcwrsfxv1331”


The secret to online safety: Lies, random characters, and a password manager

Last edited by Z038; 06-11-2013 at 10:10 AM.
 
1 members found this post helpful.
Old 06-11-2013, 11:22 AM   #6
mddnix
Member
 
Registered: Mar 2013
Distribution: Redhat, Ubuntu
Posts: 525

Rep: Reputation: 141Reputation: 141
@GinaC

I think your webmaster is right. you have compromised the security of the company website. Why would webmaster be concerned about the safety your bank account? He is appointed to take care of the company website, not your personal accounts. You are the one using same password that is used for website. What if your bank account password is compromised, and the hacker also damages the company website, what you gonna argue with the company - that you are the one at loss here?

You know, being in IT field, sooner or later you HAVE to figure out a password strategy for maintaining multiple passwords for different website/accounts. The sooner you do that, the better off you will be.

Pain of remembering multiple passwords is something everybody comes across, so there are some best strategies. one is suggested by 'rtmistler'. just google “password management strategy”. You will get tons of answers.

I suggest you keep every passwords different.

Cheers!!!

Last edited by mddnix; 06-11-2013 at 11:35 AM.
 
Old 06-11-2013, 05:37 PM   #7
annonyxxxx
Member
 
Registered: May 2013
Posts: 31

Rep: Reputation: 9
@ GinaC

I'll suggest changing passwords ASAP including your bank account.

I keep a list of my passwords on an encrypted usb stick. All you need to remember is one password.

Having strong passwords and a system to manage them is important ESPECIALLY if you're in the IT industry. Employers pay good money and put their trust on your knowledge.

Last edited by annonyxxxx; 06-11-2013 at 05:45 PM.
 
Old 06-11-2013, 06:40 PM   #8
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,477

Rep: Reputation: Disabled
Quote:
Originally Posted by GinaC View Post
Is it right that I have compromised the company website? How did the website know it was the same password? And, wouldn't it compromise MY accounts more than the company one as we all know that hackers know we use the same password and therefore would use it to scam banks etc to find me?
Think of it this way: Whenever you create an account on a web site, you're giving them your username and password. Which is no big deal if that particular username/password combination is only used on that particular website, but otherwise... well, this XKCD comic explains it well.
Quote:
Originally Posted by GinaC View Post
I know I should have different ones but I can't remember them all!
No, you can't, and I disagree with those suggesting that you're lazy for pointing out a very obvious problem of conflicting goals:
  • We should all use different passwords for every service we use,
  • we should use strong non-guessable passwords and change them regularly,
  • we should never re-use old passwords,
  • we should never write them down anywhere,
  • and we should never forget them.
If the number of accounts is less than 10, then sure, it might be doable. But that's just not the case for most people; 20+ different accounts are the norm rather than the exception.

But a solution exists: Use long sentences or nonsensical (preferably funny) combinations of regular words (XKCD to the rescue again), and you've created an unguessable, easy-to-remember password you'll never have to change.

PS: You definitely should ask your webmaster how he was able to figure out your password. He may have used a dictionary attack, or a brute force attack if your password was really short. In that case he should also have told you to use a stronger password.

Or he may actually be storing passwords in plain text, in which case he should be given a severe reprimand.
 
Old 06-11-2013, 09:08 PM   #9
yancek
LQ Guru
 
Registered: Apr 2008
Distribution: PCLinux, Slackware
Posts: 7,397

Rep: Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417Reputation: 1417
Quote:
How did the website know it was the same password?
Did you tell them you used the same password on your company website as you use elsewhere? If so, just deal with it. If not, I would wonder how they got that info. Keeping different passwords on an encrypted flash drive sound like a good idea, only need to remember one.
 
Old 06-12-2013, 12:40 AM   #10
Z038
Member
 
Registered: Jan 2006
Distribution: Slackware
Posts: 844

Rep: Reputation: 166Reputation: 166
Employers in the US can legally install keyloggers on company-owned PCs used by employees, and otherwise monitor their activities. If Gina didn't tell someone that she uses the same password everywhere, I would suspect a keylogger.
 
Old 06-12-2013, 04:26 AM   #11
salasi
Senior Member
 
Registered: Jul 2007
Location: Directly above centre of the earth, UK
Distribution: SuSE, plus some hopping
Posts: 4,064

Rep: Reputation: 894Reputation: 894Reputation: 894Reputation: 894Reputation: 894Reputation: 894Reputation: 894
There has been some really good input in this thread. In particular, the recommendation to use a password manager is particularly good (and convenient).

Many browsers have some kind of password manager built in, which is a plausible route, if the problem is the number of websites for which you have to remember passwords.

I'm currently experimenting with/transitioning to Keepass. After reading one of those Ars Technical articles that Z038 mentioned, I came to the conclusion than something better than bolting together fragments of words, some particularly random commands and some memorable numbers was required, because while the passwords may have been tolerably strong when seen on their own, if one leaked out, that would degrade the security of others, because there are some common themes that a person could see.

One disadvantage of the 'password manager built in to the browser' approach is that some sites on the 'net that you log in to change the URL of the log in page, and that 'breaks' the log in ability, and there is then nothing that you can do to associate the old log in with the new page address. This is inconvenient, unless you have another record of the password (which kind of defeats the point, unless you are very careful) and then, the more manual approach with a separate password manager may be more convenient.
 
Old 06-12-2013, 09:55 PM   #12
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,417

Rep: Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397Reputation: 2397
Also, with eg keepass/keepassX, you can (should be able to) copy/move the (encrypted) db between systems. It also runs on Linux & MSWin (possibly others).
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Compromised? Jukas Linux - Security 6 12-06-2006 08:16 PM
Compromised ? ./2[1].6.12 DaveQB Linux - Security 4 10-10-2006 07:47 PM
Compromised??? redice Linux - Security 5 02-25-2006 02:14 PM
Compromised? I can't tell. Chuck23 Linux - Security 11 02-15-2005 08:33 AM
Am I compromised? dripter Linux - Security 5 01-27-2004 01:31 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 03:57 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration