If you're getting emails from me,


they are false. DO NOT OPEN THEM!!!!! Some puke who lives in his mom's basement has apparently hacked my email account. Unless the subject line of an email from me contains the word H E Y, WITH the spaces, ignore it. my email addy is Cathy _ t _ 99 at yahoo . com

My apologies to anyone who contracts any bad things from one of these false emails.

Catherine Linda Michel

Comments

You're not the only one... I

You're not the only one... I got mails from several hacked tg-fiction acquaintances. I guess people used the same password for their e-mail account they also used for a tg-site that used said account and was hacked.

Good point

It is a good reminder that the login process for BC does not seem to be secure as it does not seem to be https. For the non-techies, it means it does not seem to be using encrypted communications to handle password and userid processing (please correct me if I am wrong as it may be possible to have a local part of the web page be set to use https, like my bank seems to do.) Consequently it would be very easy to intercept, especially over public WiFi connections.

Kim

Quite frankly, http vs https

Quite frankly, http vs https isn't really much of a difference. I've only ever seen one true 'man in the middle' attack, _ever_, and that's since 1990.

Here is, to me, the best way for you to secure your accounts.

1) Pick three passwords. If you can avoid it, don't bother trying to create a mish-mash password like G5%78rq3#. You'll never remember it unless you write it down. Also, don't use _common_ information about yourself or your family. 'bobtomjim10221976' (your three children and your wedding date). Beyond that, have fun. 'horsepicklebatterycheck' is a better password than the G5%78rq3# I typed previously. It has to do with degrees of entropy. Despite having no capitals, no number, and no funky characters, it's still 23 characters long. If you made everything past tense, you'd end up longer than the entire alphabet. Anyway, those three passwords should be for your casual sites, your important sites, and your financial sites. The reason for three is that if you forget which one you used for a site, you won't run out of attempts before you get it. (Also, some banks are stupid about passwords, and won't let you use a long basic one, but require a short scrambled one)

2) Make a spreadsheet of the web sites you visit, and your logins for each. Most people are signed up for more mailing lists, forums, and sites than they realise. Print this spreadsheet out every time you sign up for a new site, and put it somewhere where you can get to it. Notice that you don't have any passwords on this. This is your personal reference, but should also be associated with your estate/will planning, so that people can close things out if/when you pass on, or are incapacitated. (Look at what happened with Bob Arnold's stuff, and he was mostly prepared) (put a basic password on the spreadsheet if you're really paranoid, but don't get fancy. That's a password you can write on a post-it note on the back of your desk. Just don't say what it's for) (Also, you can use this for servers you log into that aren't web sites)

3) Write down the passwords, and put them in a safe deposit box, or your household safe, or even just in an envelope with your legal documents in a filing cabinet.

4) Come up with a new set of passwords no less than once per year, but no more than once every three months (Unless you can prove your account was hacked by password guessing). With the spreadsheet, you should be able to change all of your passwords within a couple of hours. (Put the new passwords in with the old, in case you miss one - and put the new ones in _before_ you start to change them)

What does this mean? Well, you'll have about two days of scrambling to put it all together, but once you are done, you'll know what you're signed up for in case you end up in legal trouble, hacked, or otherwise need it. You'll be able to change all of your passwords safely and regularly, and in case of the worst, people can be notified and logins deleted/changed/shut down. The spreadsheet, even if you include what email addresses you used to sign up for each, is mostly worthless without the passwords. The passwords are worthless without the spreadsheet(s), and you've just made the major step of being prepared for the worst.

BW


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Good Advice


My wrinkle on this is to pick a title, saying or quotation, the more obscure the better but one you can remember. Funny or incongruous makes it easier to remember.

AndYoureUglyButInTheMorningIShallBeSober

SukothaiWasA17thCenturySiameseKingdom

InsideOfADogItsTooDarkTooRead

Hugs,
Erin

= Give everyone the benefit of the doubt because certainty is a fragile thing that can be shattered by one overlooked fact.

Another solution without huge complex long phrases...

Come up with a fairly simple but memorable short phrase or name or something between 8-12 letters long. Now come up with your own scrambling filter. Then come up with a second one. Put your password through the first filter, then the second filter, you now have two passwords. Put the first one through the second filter, you have a third, put the second one through the first filter, and you have a fourth password.

You can keep filtering it any number of times to come up with more and more passwords, but in the end, it all comes to just remembering a single ACTUAL password and which filters you put it through.

Even if you use a couple of commonly known scramble filters, it'd still be nigh impossible for anyone to crack it through guesswork. And if you make up your own...

I use one filter that I made up myself that only I know and it's not written down anywhere but only in my head, and 1337 speak as my filters. The passwords that are only put through 1337 are my "I don't really care too much if this is cracked" passwords, my passwords put only through my private scramble filter are for slightly tougher uses, but it only swaps letters with letters, so I pass THAT through 1337 in order to produce passwords with numbers and special characters for those stupid sites that insist on that.

Abigail Drew.

issues with quotations.

1) Deliberately lose one of the words. My wireless password is a Shakespeare quote, but is missing the first word.

2) Don't capitalize _every_ word, unless you really have a love affair with your shift key. Also, don't capitalize everything unless you love your Caps Lock key. It's too easy to lose track of what's shifted and what's not.

3) Unlike another poster, I strongly recommend against using any sort of 'filters'. That just gives you pain, especially since you'll be changing passwords regularly. Again, a 23 character password is far better than an 8-12 character password, no matter HOW scrambled you make it. Any password cracker/guesser program will have to run through all 26 letters (upper and lower case), 10 numbers, and the various non-alphanumeric characters to come up with your password. 23 is just longer than 12, unless you've invented a new form of mathematics.

If you use a quote, please don't use something trite.

"callmeIshmael"
"itwasadarkandstormynight" (however, 'itwasadarkandstormyknight' would be okay).

Feel free to use spoonerisms as well. "thetaleofrindercellaandhertwosistyuglers"

The key is to be able to remember your passwords, rather than constantly be checking.

oooh.. Warning! Some sites _do_ truncate passwords. You normally wouldn't even notice, but you might want to check. What that means is that if your password is 32 characters long, and they only provide a 16 character field for the password, they'll automatically chop you off at 16 characters.

(16 still being better than an 8 character, fluent drunkenese password)


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.

Brute forcing 8 to 12 characters...

You have any idea how much computational time that takes? Most password crackers just toss together random word combinations with maybe some 1337 or other strange additions. A scrambled password is ONLY going to be cracked by a brute-force method... and that takes A LOT of computation cycles to crack.

At least for me, remembering my ciphers is easy. Remembering one key word or phrase and remembering my ciphers and remembering which cipher I use where is a lot easier for me, than remembering a bunch of long passphrases. Or even just one long passphrase.

I think it's because I'm such a strong kinesthetic. My random memorization sucks. Anything I can connect with an activity though... Ace.

Abigail Drew.

Using the mandylionlabs.com

Using the mandylionlabs.com 'brute force estimator', an 8 character password with 2 uppercase, 3 lowercase, 2 numbers, and a random character would take about 1.11 hours. Purely random password would be 6,200+ hours.

It doesn't take a lot of memorization. A line from a song, four items on your desk that you can look at, even the last six cars you owned...


I'll get a life when it's proven and substantiated to be better than what I'm currently experiencing.
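The arithmetic behind the entropy and brute-force claims in BW's posts above (23 lowercase letters vs. a 9-character scrambled string, the 16-character truncation warning, and the 'brute force estimator' figures), as an added example that is not code from the thread or from mandylionlabs. It computes the character-level search space a brute-forcer faces and, alongside it, the word-level search space a dictionary attacker faces when a passphrase is built from common words; the 94-symbol charset, the 20,000-word dictionary and the guess rate are assumed values.

```python
import math
from typing import Optional

LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = 32  # printable ASCII punctuation; assumed size for the estimate

# Constructed samples: the two passwords compared in the thread.
SCRAMBLED = "G5%78rq3#"
PASSPHRASE = "horsepicklebatterycheck"  # four common words, 23 letters


def charset_size(pw: str) -> int:
    """Size of the alphabet a character-level brute force must cover,
    judged by which character classes actually appear in the password."""
    size = 0
    if any(c.islower() for c in pw):
        size += LOWER
    if any(c.isupper() for c in pw):
        size += UPPER
    if any(c.isdigit() for c in pw):
        size += DIGITS
    if any(not c.isalnum() for c in pw):
        size += SYMBOLS
    return size


def brute_force_bits(pw: str, max_len: Optional[int] = None) -> float:
    """log2 of the keyspace for a character-by-character brute force.
    max_len models a site that silently truncates the stored password."""
    if max_len is not None:
        pw = pw[:max_len]
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(word_count: int, dictionary_size: int = 20_000) -> float:
    """log2 of the keyspace if the attacker guesses whole dictionary words
    rather than single characters (the model that fits a passphrase made
    of common words). dictionary_size is an assumed value."""
    return word_count * math.log2(dictionary_size)


def hours_to_exhaust(bits: float, guesses_per_sec: float = 1e9) -> float:
    """Worst-case hours to try every key at an assumed guess rate."""
    return 2 ** bits / guesses_per_sec / 3600


if __name__ == "__main__":
    for pw in (SCRAMBLED, PASSPHRASE):
        print(f"{pw!r}: {brute_force_bits(pw):.1f} bits (char-level)")
    print(f"{PASSPHRASE!r} cut to 16: {brute_force_bits(PASSPHRASE, 16):.1f} bits")
    print(f"4 words from 20k dictionary: {wordlist_bits(4):.1f} bits")
    print(f"hours at 1e9/s for 4 words: {hours_to_exhaust(wordlist_bits(4)):.0f}")
```

The character-level figures favour the long passphrase by a wide margin, while the word-level figure shows that a phrase of four common words lands close to the 9-character scrambled string once the attacker guesses words instead of characters; which model applies depends on how the phrase was chosen.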

My double filtered ciphers...

Produce passwords that qualify as "purely random" by all estimators I've ever tried out on them. And I'm paranoid enough that I also try them out on ciphered passwords I don't actually intend on ever using, and preserve the ones I actually use for my own completely secret use.

A line from a song could work, but IMO, any lines from any songs that I actually do have memorized would only take a few guesses for anyone to guess, since I have so few memorized. Items on my desk are constantly in complete flux. I've never owned a single car, and even if items on my desk weren't in constant flux, I'd never remember what was on it anyways, and even if I had owned cars, I'd never remember what cars I'd owned. These things do not get connected to activities by my mind, and therefore they get tossed aside as so much fluff.

My ciphers on the other hand. There was a long drawn out process that produced those. Easy peasy. And a short phrase 8 to 12 characters that could literally be ANYTHING because my ciphers render it "random"? Who can't handle that?

In the end I guess it depends on your brain type what you are most comfortable trying to remember. Me. Short short short passwords and complex ciphers are much much simpler to remember than any long 18+ character phrase. Especially with any intentional misspellings mixed in. I'd be confused as hell trying to remember something TRULY random instead of something that is merely interpreted as random to any brain but mine. I know I'm weird. I freely admit to being probably the weirdest person on Earth. SO?

Abigail Drew.

Spoofing


I've got a number of those emails from different people in the TG community and they seem to be spoofed addresses. That means, they are NOT coming from the actual email addresses that they purport to be coming from but seem to be faking the addresses in some way.

Still, that means that some evil phishing bastitch has got hold of a list of TG community email addresses.

I will also be looking into making sure that BC sign-ins are as secure as we can make them.

Hugs,
Erin

= Give everyone the benefit of the doubt because certainty is a fragile thing that can be shattered by one overlooked fact.

emails aren't my problem

Someone sent me a grilled cheese sandwich through the post. It looked like it might've been good at one point, but it had green mold on it and though I was sure I put it on the kitchen counter, I found it on the arm of my couch flipping through the channels of my TV.

Katie Leone (Katie-Leone.com)

Writing is what you do when you put pen to paper, being an author is what you do when you bring words to life

Someone hacked my yahoo email twice


My Yahoo email has been hacked twice. It's pretty easy for me to tell when it happens because my drab email is in the address book. When my drab email shows up with an email from my femme email, I know I've been hacked. I just go in and change the password.

On another note, my wife's MSN account has been hacked three times, again it's easy to tell, because she never sends mail from that account. She only uses it when she needs to supply an email address to a web site. It helps keep spam out of her regular email. ;o)

Hugs
Patricia

Happiness is being all dressed up and HAVING some place to go.
Semper in femineo gerunt

Maybe it's the full moon? Or Halloween? Yeah, BC's been slow

Seems much better today though.

As to email spoofers and the like. If I am not sure who an email is from, I delete it.

If it is an obvious spam, I send it to the spam file at AOL so that address gets blocked.

Some antivirus, anti spamware programs can open an email in a protected *space* in your PC. Emails with attachments really send up red flags with me and I am very careful with those.

So that might work for those emails you are not sure of.

OR as I did with someone I know here who seemed to send me a spam, I emailed their known address.

Got a reply back that yes their address had been hacked somehow and the suspicious email was not the.

Nasty business, spammers.

All that trash hogs bandwidth, messes up your computer and all and that is not counting stolen card numbers and other identity theft or other theft.

The bandwidth and lost productivity alone costs us millions each year or so I have read.

If I see any here I try to always let Admin know so Erin and her elves can toast their slimy butts!

I love the smell of burning spam in the morning. It smells like victory.

-- GRIN --

John in Wauwatosa

P. S. All this vigilance costs Erin and co time AND money.

Tight wallet me actually donated to BC this year. So if you can, open your wallets too. Let the moths out and send a few bucks Erin's way. As Jack Benny said in the old UPAF -- United Performing Arts Fund -- public service ads in Milwaukee, "Don't just applaud. Send money."

John in Wauwatosa

If you're getting emails from me,

Why not simply only use this site for messages, or use a code phrase as well as a separate account dedicated to mail for this site

Stanman
May Your Light Forever Shine

Email subject line addition (mb)

On the rare occasions that I send an email to my home email address from my work one I try to remember to add my initials to the subject line as an indication to my SO that the email really came from me.

It's a simple way to "personalize" emails that can indicate that they aren't spam.

Michelle B