Do you use unique passwords for all your sites?
No, you're wrong. This article clearly says you should use the same password across sites, especially as a business!
8) Try to use one password for everything
It's pretty easy to devise a password eight figures long or more that includes one upper case letter, a number and a symbol. Dream one up and try to use it across every business account
With two-factor authentication not a single soul can hack. Unfortunately not all services/portals have it.
I'd suggest password management as well. So far I've been using LastPass and have no complaints. I attach SMS auth to my LastPass account, so it's only accessible if the hacker somehow gets hold of my phone physically.
I strongly suggest people use LastPass,
been using this for years now and it's the best program choice I've ever had.
There's also browser plugins to help you manage your stuff.
I'm a long time user and love their program. Makes it so easy to generate unique and longer passwords. Need a password? Select the length, number of digits, special characters, etc. and it generates and then saves the password. I even pay the extra $12/year so I can use the app on my phone.
Many, many years ago when I first entered all of my passwords into the program and ran the security check, I was actually surprised at how many duplicates there were and how weak some of them were. I knew better, but it's so easy to use the same password, especially for those sites that aren't important, like community sites.
Reminds me of a co-worker who had a Word document that we nicknamed the "Fred Identity Theft Manual". It contained his date of birth, bank number, login and password grouped together for every bank, credit card numbers with expiration date, security code and billing address, you name it.
It was the only item on the desktop of his computer.
Best part: the password for his computer was written in big letters on the whiteboard behind his desk!
It uses two-factor authentication so the password alone won't do them much good.
https://lastpass.com/multifactor-authentication/
A good technique is password phrases. For instance, if my password was: Password3
I could instead alter it for bundlestars or google to be: Password3_Bundlestars or Password3_google
edit: password manager is best though.
True true. I honestly hadn't thought of that. derp.
Still, it will take that much longer to crack your initial password, which will render your other passwords safer. Dictionary attacks usually only scope out the easiest targets.
I use LastPass but I had a problem with their Firefox addon: it made my Firefox terribly slow - after uninstalling it, my Firefox came back to its true speed. So, I just use their website for managing my passwords and use their password generator.
Firefox's Save Logins is also an excellent and minimalist addon and consumes very minimal resources. But remember, don't use it if you share your PC...
I think it's easy for Bundle Stars to resolve the problem - use an IP check like the one implemented by Indie Gala and Humble Bundle. And of course that would sacrifice ease of login if your IP address keeps resetting.
BUMP for exposure. There are some good recommendations for password managers and other computer security thoughts in this thread. 22% of the current pollsters who voted "lazy", please consider at least exploring the use of a password manager because it will only be a matter of time before you learn this the hard way.
EDIT: I saw your edit but will leave this post in case others are looking for some clarification
I started this because of the BundleStars warning -- I highly respect them for their efforts to combat poor security habits of their users. It's not really a BundleStars problem and they didn't have to publicize it in this way, but it does help get people to practice better security habits. I also want people to realize this isn't just a BundleStars issue -- if you are using the same password it will affect all the sites you use the same login at.
I don't know which gaming site(s) were compromised, and I don't think there is any way of knowing. Likely many smaller bundle/store sites and gaming communities or gaming news sites are fairly susceptible to attack vectors and easy database mining, and many probably don't even have the tools or experience to know if their database has been compromised. Whether they are worth the effort to hack is another story, but the more people use unique passwords the less rewarding the effort to hack becomes.
This doesn't necessarily mean the compromised site stored passwords in plaintext. If you root a server rather than just find a SQL injection, you can just add a few lines to login.php or whatever to collect cleartext passwords surreptitiously until the breach is uncovered.
True, but a significant part of the problem still probably stems from storing plaintext passwords which is absolutely inexcusable. Anyone can be a victim of a 0day attack, but storing passwords safely has such a completely effective, standard and widespread solution that anyone not using it really deserves to have their ass thrown in prison for putting others at risk.
</rant>
For sure. I couldn't be happier if more sites started using bcrypt or scrypt for password hashes.
Non-crypto hashes still seem to be the norm though and, salted or not, they are still very weak.
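The difference the two comments above are arguing about (a fast general-purpose hash versus a slow, salted password hash such as bcrypt or scrypt) is easiest to see side by side. This is an added example, not code from the thread or from any site mentioned in it; it uses Python's standard-library `hashlib.scrypt` in place of bcrypt, and the record format and work factors are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factors: constructed example values, raise N as hardware allows
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def weak_hash(password: str) -> str:
    """Unsalted fast hash, the practice the comment above warns against.
    Equal passwords give equal digests and every guess costs one cheap hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Memory-hard scrypt record in the form scrypt$N$r$p$salt_hex$key_hex.
    Storing the parameters lets them be raised later without breaking verification."""
    if salt is None:
        salt = os.urandom(16)  # a fresh random salt for every stored password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N,
                         r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
                         maxmem=64 * 1024 * 1024)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${key.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    scheme, n, r, p, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        raise ValueError("unsupported hash scheme")
    key = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                         n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2,
                         maxmem=64 * 1024 * 1024)
    return hmac.compare_digest(key.hex(), key_hex)


if __name__ == "__main__":
    pw = "correct horse battery staple"
    rec = hash_password(pw)
    print(rec)
    print("same password, weak hashes equal:", weak_hash(pw) == weak_hash(pw))
    print("same password, scrypt records equal:", rec == hash_password(pw))
    print("verify ok:", verify_password(pw, rec), "wrong:", verify_password("x", rec))
```

Two users with the same password get two different scrypt records, so a leaked table no longer reveals shared passwords, and each guess costs the attacker a full scrypt computation instead of one SHA-256.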
For those who don't want to use password management software, acrostic phrases tend to make easy passwords. For example:
This is my 3rd password for google's email - Tim3pfge
But I hate having to take money out of the bank - BIhhtmootb
(bonus points if you're multi-lingual)
I use Keepass myself. Great manager! What it lacks in the convenience of a web browser plugin it makes up by being able to store your encrypted database on your cloud storage of choice (Google Drive, Dropbox, MS OneDrive) so that you can access it on any computer or phone where you can log into that service.
So BundleStars has taken a nice initiative and asked their users to reset their passwords after having been alerted to the fact that some website (not theirs!) with a lot of userbase crossover has likely had their database compromised.
Users that have been using the same login/email and password across multiple sites take note: if any one of the sites has their databases compromised, it is very easy for people with access to that list of login/passwords to then try those logins at related sites and of course, the prize target being financial/banking sites and sites rich with personal information.
A lot of bundlesites look like fly-by-night operations with questionable security practices, and even the biggest companies like Sony, Target, Home Depot, amongst many others have had database breaches in which logins/passwords/personal info has been accessed. No database is 100% safe, so fight this inherent vulnerability with logic and DON'T USE THE SAME PASSWORDS ON YOUR IMPORTANT ACCOUNTS
If you are not already doing so, I highly recommend the use of password management software to make long (20+ characters), random, unique passwords for every single one of your website accounts. If you need to use a password that you can memorize for quick access to some service where use of password management software is either too cumbersome or impractical, then it should be a long, unique password generated by stringing together odd word combinations or somesuch.
Please be vigilant and please be careful with your accounts and computer safety!
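The reuse attack described in the opening post (taking a leaked login list and trying it against other sites) leaves a recognisable trace in the target site's own logs: one source failing against many different accounts in a short time. As an added example that is not part of the thread, here is a small detector over constructed log lines (documentation-range IPs, fictitious users, invented log format); the window and threshold are assumptions to tune per site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample login log: one stuffing source and one ordinary forgetful user.
SAMPLE_LOG = """\
2015-01-10T10:00:00 ip=203.0.113.7 user=zed result=fail
2015-01-10T12:00:01 ip=203.0.113.7 user=alice result=fail
2015-01-10T12:00:02 ip=203.0.113.7 user=bob result=fail
2015-01-10T12:00:02 ip=198.51.100.4 user=carol result=fail
2015-01-10T12:00:04 ip=203.0.113.7 user=dave result=fail
2015-01-10T12:00:05 ip=203.0.113.7 user=erin result=fail
2015-01-10T12:00:11 ip=203.0.113.7 user=frank result=ok
2015-01-10T12:00:12 ip=203.0.113.7 user=grace result=fail
2015-01-10T12:00:20 ip=198.51.100.4 user=carol result=ok
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$")


def parse_log(text):
    """Turn log lines into dicts with a datetime timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
            events.append(ev)
    return events


def flag_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Return {ip: peak number of distinct accounts with failed logins inside any
    `window`}. A real user fails on one or two accounts; a list replay fails on many."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "fail":
            by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                flagged[ip] = max(flagged.get(ip, 0), len(users))
    return flagged


if __name__ == "__main__":
    print(flag_stuffing_sources(parse_log(SAMPLE_LOG)))  # {'203.0.113.7': 5}
```

The isolated failure from the same source two hours earlier falls outside the window and is not counted, while carol's repeated failures on her own account never reach the threshold; the successful login from the flagged source is the one worth investigating.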