  1. #21
    Zombie Slayer
    Join Date
    Sep 2009
    Location
    Pueblo
    Posts
    7,017

    Default Drugs...

    Or using your account to ship drugs.


    https://abcnews.go.com/blogs/headlin...-of-pot-inside
    Per Ardua ad Astra

  2. #22
    Machine Gunner bellavite1's Avatar
    Join Date
    Jul 2009
    Location
    Wheatridge
    Posts
    1,979

    Default

    Quote Originally Posted by def90 View Post
    Here's how accounts get hacked, they either know you and you have a password based on your wife's or your dog's name and they get into your account, or they hack a website and get the info needed to match up an email or username and a password that corresponds in which they then have to use that email and password combination at every bank and credit card company login until they find one that works, or they run a piece of software that runs random user names and passwords through a login interface on an online banking or whatever site until they come up with a match.

    How do you combat this... You can break up your online use into various categories such as your logins for online gun forums, vs online shopping sites, vs personal banking. At one time a professor wrote a paper on online security which came up with the whole must be 12 characters long, contain a letter number and special character and so on. This paper was based on combating the idiots that would use the name of their cat or dog and did not address the random password generator software in which if you have a phrase such as CoLoRado18!$ is no different than using reddogjumpup. The special characters and so on make no difference, basically the longer the password the more combinations of numbers letters and special characters the software has to run to break the password, the longer the password the more time the hacker is wasting trying to figure it out. I think that I read that basically if you have a password over 15 characters long it wouldn't be worth the time for the random generators to mess around with.

    For me I use 4 different passwords that are easy to remember phrases for myself that contain enough characters that a random generator would take too long to make it worth figuring out. My online forum and other BS sites use one password, my online shopping sites use another, my business logins use a third and my banking sites use a fourth.

    Every year or two I change them. Have yet to have an issue.

    The wrench in the whole thing is still the websites that are still living by the false idea that adding caps, numbers or a special character increases your security and require these things.
    Now, this just may work!
    Thank you!
    NIL DIFFICILE VOLENTI

  3. #23
    Sits like a bitch
    Join Date
    May 2009
    Location
    Unincorporated Douglas County
    Posts
    3,534

    Default

    Don't reuse passwords
    Enable MFA
    Use a password manager

    Brute force attacks are not the big threat. 1. Phishing, 2. Breach data, 3. Password guessing/social engineering

    Don't reuse passwords
    Enable MFA
    Use a password manager
    If your post count is higher than your round count, you are a troll.

  4. #24
    Nerdy Mod
    Join Date
    Jan 2012
    Location
    Colorado Springs
    Posts
    2,412

    Default

    Quote Originally Posted by bellavite1 View Post
    How do people keep track of the gazillion passwords required to live a "normal" life???
    Password manager like 1Password. There are others but I decided 1Password was the sweet spot for me.

    You can also get a "family" subscription if you want to share some passwords with others and keep others to yourself.

    Got 1Password about two years ago and haven't looked back.

    https://1password.com/

    O2
    YOU are the first responder. Police, fire and medical are SECOND responders.
    When seconds count, the police are mere minutes away...
    Gun registration is gun confiscation in slow motion.

    My feedback: https://www.ar-15.co/threads/53226-O2HeN2

  5. #25
    Nerdy Mod
    Join Date
    Jan 2012
    Location
    Colorado Springs
    Posts
    2,412

    Default

    Quote Originally Posted by whitewalrus View Post
    But I have always wondered how much it would suck when that account gets hacked.
    If some password manager site got hacked they wouldn't get your passwords*. In a nutshell this is how they all work:

    When you subscribe to a service, they generate a key and you supply a password. They don't store the password, so rule number 1 is that if you lose your password manager password, there is NO WAY to recover it. Keep this in mind.

    The service never sees your passwords. Your unencrypted passwords exist only on your local system. When you save a new username/password, it's added to your local file of username/passwords, that file is encrypted and sent to the service and stored there in an encrypted state.

    You need both the key they generated for you at signup AND your password to decrypt the file. So you need to manually install the gawd-awful (in a good way) key on each system you wish to use the password manager on.

    So someone needs BOTH your key and password to get to your info. So getting just one - key or password, is useless.

    Takeaways:
    • The service itself can't decrypt your info, so the service being hacked is useless*
    • The encryption method is very strong. Services differ in strength, but even the "worst" is very good
    • You need two pieces of info to decrypt your info, and it's very difficult for someone to get both
    • IMHO it's God's gift to modern password security, right up there with two factor authentication


    O2

    * Of course anything can happen if the hacker is able to modify source code, which is what the SolarWinds hack was based upon.
    Last edited by O2HeN2; 07-26-2021 at 09:28.
    YOU are the first responder. Police, fire and medical are SECOND responders.
    When seconds count, the police are mere minutes away...
    Gun registration is gun confiscation in slow motion.

    My feedback: https://www.ar-15.co/threads/53226-O2HeN2
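
Added example (not part of the original post, and not any password manager's actual code): a simplified Python sketch of the two-secret scheme described in post #25, where the vault key depends on both a master password and a device-held secret key. The function names, the PBKDF2 work factor, the HMAC/XOR mixing step and the `unlock_check` tag that stands in for decrypting the vault are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Mix a memorised password with a random, device-held secret key."""
    # Slow hash: stretches the low-entropy, human-chosen password.
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    # Keyed hash of the 256-bit secret key, bound to the same salt.
    mixed = hmac.new(secret_key, b"vault-key" + salt, hashlib.sha256).digest()
    # XOR the halves: the result cannot be computed without both inputs.
    return bytes(a ^ b for a, b in zip(stretched, mixed))

def unlock_check(vault_key: bytes) -> bytes:
    """Tag standing in for 'authenticated decryption of the vault succeeded'."""
    return hmac.new(vault_key, b"unlock-check", hashlib.sha256).digest()

def sign_up(master_password: str):
    """Return (secret key kept on the user's devices, record held by the service)."""
    secret_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    return secret_key, {"salt": salt, "check": unlock_check(key)}

def can_unlock(master_password: str, secret_key: bytes, record: dict) -> bool:
    key = derive_vault_key(master_password, secret_key, record["salt"])
    return hmac.compare_digest(unlock_check(key), record["check"])

def guesses_that_unlock(record: dict, wordlist, secret_key: bytes):
    """Passwords from the wordlist that open the vault with the given secret key."""
    return [pw for pw in wordlist if can_unlock(pw, secret_key, record)]

# Constructed sample data: the real master password is in the wordlist.
WORDLIST = ["reddogjumpup", "CoLoRado18!$", "correct horse battery staple"]

if __name__ == "__main__":
    device_key, server_record = sign_up("reddogjumpup")
    print("owner:", can_unlock("reddogjumpup", device_key, server_record))
    # Service-side record leaked, but the secret key never left the device.
    print("record only:", guesses_that_unlock(server_record, WORDLIST, bytes(32)))
    # Device key without the right master password is equally useless.
    print("key, wrong password:", can_unlock("hunter2", device_key, server_record))
```

The service-side record holds only the salt and the check value, so even a wordlist containing the correct master password unlocks nothing without the device-held key.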

  6. #26
    Sits like a bitch
    Join Date
    May 2009
    Location
    Unincorporated Douglas County
    Posts
    3,534

    Default

    What this guy said ^^^^
    If your post count is higher than your round count, you are a troll.

  7. #27
    Varmiteer DireWolf's Avatar
    Join Date
    Nov 2012
    Location
    DENVER CO
    Posts
    713

    Default

    Quote Originally Posted by O2HeN2 View Post
    If some password manager site got hacked they wouldn't get your passwords*. In a nutshell this is how they all work:

    When you subscribe to a service, they generate a key and you supply a password. They don't store the password, so rule number 1 is that if you lose your password manager password, there is NO WAY to recover it. Keep this in mind.

    The service never sees your passwords. Your unencrypted passwords exist only on your local system. When you save a new username/password, it's added to your local file of username/passwords, that file is encrypted and sent to the service and stored there in an encrypted state.

    You need both the key they generated for you at signup AND your password to decrypt the file. So you need to manually install the gawd-awful (in a good way) key on each system you wish to use the password manager on.

    So someone needs BOTH your key and password to get to your info. So getting just one - key or password, is useless.

    Takeaways:
    • The service itself can't decrypt your info, so the service being hacked is useless*
    • The encryption method is very strong. Services differ in strength, but even the "worst" is very good
    • You need two pieces of info to decrypt your info, and it's very difficult for someone to get both
    • IMHO it's God's gift to modern password security, right up there with two factor authentication


    O2

    * Of course anything can happen if the hacker is able to modify source code, which is what the SolarWinds hack was based upon.
    ^From a layman's perspective, this is an accurate description for many of the common services/methods (but not all).

    That said, for those with a significantly lower risk-tolerance - it needs to be mentioned that most of those considerations make a number of assumptions which in many instances may be suspect due to improper implementation... Crypto is hard for most folks to really grasp at a fundamental level, which often results in mistakes being made.

    In other words, one could throw in all the bells-and-whistles (e.g. latest crypto algorithms, enormous key-space/length, massive-entropy RNG/IV, decoupled DEK/KEK, HSMs, etc.), and still have a simple/stupid mistake undermine the whole thing.

    Have seen similar situations multiple times, some of which boggle the mind....
    Last edited by DireWolf; 07-26-2021 at 14:06.
