Friday, September 12, 2014

If you have GMail, check this tool!

A list of 5 million GMail addresses was published, together with *a* hacked password for each. According to Google those passwords must have come from somewhere else, because mostly they weren't GMail passwords. If you used that somewhere else password for GMail too, you have been notified by Google already. If you haven't been notified, you can use this tool to see if your address has been compromised.

Unfortunately it doesn't tell you WHICH of your passwords from somewhere else has been compromised. So it could be one of many gaming sites that have been hacked over the years where you used your GMail address as UserID.

For me that was the opportunity for some drastic action: I made a list of all the games and sites that I have an account on, and changed them ALL. That took hours, but because I used a list of freshly created strong passwords, all my accounts should now be secure. Some of them already had extra protection, e.g. the authenticator from Battle.net and some other 2-step verification systems, but I changed their passwords anyway.

So how do I store all those passwords? Old style, written down in a book hidden in my library. It would need a weird combination of burglar/hacker to get that list. And because it is hand-written with no trace on a computer, the list itself can't be hacked. I prefer that system to Password Manager software. If you have a password manager on your home PC, what do you do if your hard drive crashes and all your passwords are irretrievably lost? Sorry, I trust paper more than I trust software.

17 comments:

  1. Same here.

    I had an experience a few years back where as I recall it might have been a WoW guild site that was compromised and I'd foolishly used the same password for Hotmail, Facebook etc.

    I went out and bought one of those index books and recorded a unique password for every single website I use.

    I went through the same thought processes as you when I opted for the book.

    I just hope my house doesn't burn down.

    ReplyDelete
  2. Oh should add that Chrome does remember most of my passwords.

    Chrome locks all that behind my Google account password (that I remember) and an additional 32 character password that I can also remember.

    Just the other day I also set up secondary security on that account with the codes they send to your mobile etc.

    So if my book did get burnt to ashes I would not be entirely screwed.

    I'd say the odds of that getting hacked are less than the chances of the book being destroyed or stolen but still both are so low that I wouldn't lose sleep over it.

    However thinking about it the MASSIVE security hole is my cellphone. It is logged into Google with access to all my accounts. If that gets stolen I am done for.

    ReplyDelete
  3. I use KeePass. Seems very handy
    http://keepass.info/

    What is KeePass?
    Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your website's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, website, etc. Unimaginable.

    ReplyDelete
  4. Thanks for the explanation. I saw that site but wondered why it listed a password that I haven't used for years and only ever used on random gaming sites with nothing important linked to them. Makes sense now.

    I could change all my real passwords with all the real sites I visit but god knows how many dozens of random sites I've registered with over the years. At least I used throwaway passwords with them all, nothing I'd use on a real site.

    ReplyDelete
  5. I have all passwords in a password manager, backed up in the cloud. Life is too short to be anxious. :D

    ReplyDelete
  6. I don't use password manager software, but I keep my passwords in an encrypted document stored on OneDrive so it's synced to my PC and my laptop and stored in the cloud.

    ReplyDelete
  7. "So how do I store all those passwords? Old style, written down in a book hidden in my library."

    Make sure you keep a copy of that list elsewhere as well - either in a fire-resistant document box, or somewhere off-site.

    I speak from recent experience: house fires do happen. Depending on what the accounts are for, having a list of passwords may or may not make a big difference in how easily you are able to return to "normal".

    ReplyDelete
  8. I just ordered a fire resistance lock box from Amazon. £23. I will put my birth certificate and paper driving licence in there too.

    I'm glad this blog was made as it got me thinking about that!

    ReplyDelete
  9. If someone gets access to a computer you use at home or at work it is still disappointingly easy to get plaintext versions of all the stored passwords in Chrome and probably other browsers too. I know deep down I should never tick that box that says remember passwords for this site but I am too lazy.

    ReplyDelete
  10. Anonymous13/9/14 22:01

    The problem with the book is that it encourages relatively short, easily typable passwords. I like the PW manager churning out some sixty character gobbledy gook that I can cut and paste. Since brute force attacks and overuse of passwords is the most common danger I think that a PW is overall more convenient and more secure for most situations.

    ReplyDelete
  11. I never wrote any password anywhere.
    I make them so none can find them, but that I have a logic on creating them that me and only me will remember. Only issue is to know which one I used on which old site :P

    ReplyDelete
  12. Woody, have you thought about using an iPhone 5S? The fingerprint sensor is reliable enough that you can leave the phone on auto-lock upon turning off. So if someone steals your phone (provided it's not on at that minute, like it's not snatched out of your hands), your data is safe.

    ReplyDelete
  13. "If you have a password manager on your home PC, what do you do if your hard drive crashes and all your passwords are irretrievably lost?"

    We're not in the 90s any longer Tobold. All decent password managers also store the passwords online, on their own servers.

    And the danger is minimal, even if somehow their servers got hacked. The culprits would only get some unintelligible hash codes that cannot be reverse-engineered. And it's hard for a hacker to access my account directly, since these password managers offer 2 and even 3-way auth options.

    And just to provide a similar example for your situation, what do you do if your library, God forbid, burns down?

    ReplyDelete
  14. @changed I have a note 3 at the moment but I've heard the note 4 has a finger print sensor. I plan to get one in October when its released but may not use the sensor.

    In the video I saw it didn't seem to work so well and took multiple attempts to unlock?

    Im lazy and want to be able to unlock my phone as quick as I can now.

    ReplyDelete
  15. Anonymous15/9/14 07:59

    You have traded current gen password issues by adopting a major past-gen issue; the majority of "hacks" were because friends/family used your password.

    For the morbidly inclined, a paper-based list of passwords is great for should you die and your estate need access to your bank account/utility bills/letting your online friends know.

    I think the ideal solution is a locked card-file.

    ReplyDelete
  16. https://isleaked.com/action/check/

    This shows you the first two letters/symbols/numbers of the 'hacked' password.

    My email is on the list with a throwaway password that was never linked to it, and only used for trash forums I didn't trust.
    Seems appropriate.

    ReplyDelete
  17. "If you have a password manager on your home PC, what do you do if your hard drive crashes and all your passwords are irretrievably lost?"

    As others have noted before me, either the software itself or you as the user can store the passwords database in the cloud. This makes the issue of a crashing local drive a non-issue.

    "Sorry, I trust paper more than I trust software."

    Spoken like a true D&D player :)

    ReplyDelete

If you want your comment to not be deleted: Stay on topic, and remain polite while arguing your opinion.