Internet account security, passwords, AI 'hackbots' 09:43 - Oct 16 with 4017 views | NthQldITFC | I'm a former web developer and I've always been pretty careful about online security, minimising my exposure and doing (fairly) good practice in password strength and uniqueness, but not good at periodically changing passwords. I was just about to set up a new family account for something this morning with access including people who aren't particularly web/tech/security savvy, and who may have scoffed at using more than one password or anything more complicated than a personally important word with a few numbers added. I will, of course, insist on more than that for the thing I'm setting up. But it occurred to me that I haven't read anything much about AI being used in a fire and forget manner to crack all sorts of user accounts on the web, and how much more important good password security might be now. Of course, any decent application will have a throttling function to stop an automated system firing a large number of attempts at it, but AI must in theory make it easier for all sorts of actors to track a person's profile around the web and build up dictionaries of worthwhile password attempts to be tried on an automated basis without tripping security on some weaker websites. Anyway, a lot of waffle, but just intended as a general 'review your password security' reminder to everyone. I personally use an encrypted password manager with a very strong phrase-based master password which I know well, and strong randomised individual passwords which have to be copy and pasted in (perhaps a slight security risk there though!) Better systems are available, and more knowledgeable minds than mine on here will no doubt advise.
Internet account security, passwords, AI 'hackbots' on 10:08 - Oct 16 with 3702 views | Guthrum | The problem with a password manager system is if you suffer a major crash/loss and it is unavailable, wiped or stops working. Then you are mightily stuffed unless you've written them all down somewhere. Happened to me a year or so ago, couldn't even get into the email account most things were set to use for recovery.
Internet account security, passwords, AI 'hackbots' on 10:19 - Oct 16 with 3653 views | NthQldITFC |
Internet account security, passwords, AI 'hackbots' on 10:08 - Oct 16 by Guthrum | The problem with a password manager system is if you suffer a major crash/loss and it is unavailable, wiped or stops working. Then you are mightily stuffed unless you've written them all down somewhere. Happened to me a year or so ago, couldn't even get into the email account most things were set to use for recovery. |
That's what backups are for! I prefer a local backup which is totally under my control, so I use an SSD drive attached to my laptop which backs up on a daily and weekly basis. The backups are as heavily encrypted as the password manager on the laptop. A remote backup is better if your house burns down of course! What might be a better option for some is a constructed memorable phrase of words which have no logical relationship to each other, but which your mind can associate easily. A bit like "which three words" for geographical locations. Then you could theoretically manage a load of unique and strong passwords in your head. One crucial thing to remember on a basic level is that if you use the same password for every site you have an account on, if one weak site gets hacked, no matter how strong the password is you might be exposing ALL of your other accounts to easy access if your web profile is known or can be guessed. One approach if you absolutely have to use the same password between different sites is to have a tiered approach - so low importance sites might share one password, and things like banking sites have their own password. But my strong advice is DON'T use the same password on different sites.
Internet account security, passwords, AI 'hackbots' on 10:24 - Oct 16 with 3641 views | Vegtablue | Do you remember that time when I spelt out how to navigate the ITFC ticket site like you'd never sat in front of a computer before? 😅 What I'd like to know is if Google password manager is safe to use as I'm in pretty deep with these boys (I keep my banking passwords in the brainbox but Google stores everything else).
Internet account security, passwords, AI 'hackbots' on 10:29 - Oct 16 with 3625 views | DanTheMan |
Internet account security, passwords, AI 'hackbots' on 10:19 - Oct 16 by NthQldITFC | That's what backups are for! I prefer a local backup which is totally under my control, so I use an SSD drive attached to my laptop which backs up on a daily and weekly basis. The backups are as heavily encrypted as the password manager on the the laptop. A remote backup is better if your house burns down of course! What might be a better option for some is a constructed memorable phrase of words which have no logical relationship to each other, but which your mind can associate easily. A bit like "which three words" for geographical locations. Then you could theoretically manage a load of unique and strong passwords in your head. One crucial thing to remember on a basic level is that if you use the same password for every site you have an account on, if one weak site gets hacked, no matter how strong the password is you might be exposing ALL of your other accounts to easy access if your web profile is known or can be guessed. One approach if you absolutely have to use the same password between different sites is to have a tiered approach - so low importance sites might share one password, and things like banking sites have their own password. But my strong advice is DON'T use the same password on different sites. |
A password manager with local or remote backups would be my suggestion. It is difficult for the non-technical though.
Internet account security, passwords, AI 'hackbots' on 10:29 - Oct 16 with 3623 views | hoppy |
Internet account security, passwords, AI 'hackbots' on 10:19 - Oct 16 by NthQldITFC | That's what backups are for! I prefer a local backup which is totally under my control, so I use an SSD drive attached to my laptop which backs up on a daily and weekly basis. The backups are as heavily encrypted as the password manager on the the laptop. A remote backup is better if your house burns down of course! What might be a better option for some is a constructed memorable phrase of words which have no logical relationship to each other, but which your mind can associate easily. A bit like "which three words" for geographical locations. Then you could theoretically manage a load of unique and strong passwords in your head. One crucial thing to remember on a basic level is that if you use the same password for every site you have an account on, if one weak site gets hacked, no matter how strong the password is you might be exposing ALL of your other accounts to easy access if your web profile is known or can be guessed. One approach if you absolutely have to use the same password between different sites is to have a tiered approach - so low importance sites might share one password, and things like banking sites have their own password. But my strong advice is DON'T use the same password on different sites. |
So you're saying it's NOT a good idea just to use the word PASSWORD, PASSWORD1, PASSWORD2, PASSWORD3 etc for all the sites I visit?
Internet account security, passwords, AI 'hackbots' on 10:35 - Oct 16 with 3582 views | Deano69 | Let me add to that: Multi-Factor Authentication (MFA) is an absolute must on anything you can enable it on.
Internet account security, passwords, AI 'hackbots' on 10:37 - Oct 16 with 3579 views | Pinewoodblue |
Internet account security, passwords, AI 'hackbots' on 10:29 - Oct 16 by hoppy | So you're saying it's NOT a good idea just to use the word PASSWORD, PASSWORD1, PASSWORD2, PASSWORD3 etc for all the sites I visit? |
Back in the early 80s the company I worked for upgraded its computer system and for the first time passwords were required. I visited one branch where I knew the manager would need help; he hated any sort of change. Asked if setting up passwords had gone smoothly, his response was "easy, they told you what word to use". Every member of staff, even those who knew better, followed his instructions and they all had "password" as their password.
Internet account security, passwords, AI 'hackbots' on 10:47 - Oct 16 with 3520 views | hoppy |
Internet account security, passwords, AI 'hackbots' on 10:37 - Oct 16 by Pinewoodblue | Back in the early 80’s the company I worked for upgraded computer system and for first time passwords were required. I visited one branch, where I knew the manager would need help, he hated any sort of change. Asked if setting up passwords had gone smoothly, his response was easy they told you what word to use. Every member of staff, even those who knew better, followed his instructions and they all had “password” as their password. |
Internet account security, passwords, AI 'hackbots' on 10:50 - Oct 16 with 3526 views | blueasfook | Interesting point. I see lots of these things on facebook asking for people to name their first pet or favourite band for example, which people willingly participate in. I am sure that info is being scraped up and fed into LLMs to build profiles to help guess people's passwords. For anything important, I use a strong password generator, and keep that password in a password safe to get it when I need it. I would also add never allow your browser to store your password. [Post edited 16 Oct 2024 10:50]
Internet account security, passwords, AI 'hackbots' on 11:04 - Oct 16 with 3377 views | NthQldITFC |
Internet account security, passwords, AI 'hackbots' on 10:50 - Oct 16 by blueasfook | Interesting point. I see lots of these things on facebook asking for people to name their first pet or favourite band for example, which people willingly participate in. I am sure that info is being scraped up and fed into LLMs to build profiles to help guess people's passwords. For anything important, I use a strong password generator, and keep that password in a password safe to get it when I need it. I would also add never allow your browser to store your password. [Post edited 16 Oct 2024 10:50]
|
Absolutely that re. scraping. I do allow my browser to store some passwords, but only for relatively unimportant websites for ease of use, and then the ABSOLUTELY vital thing to remember is that anything important (banking etc. or anything you can't do without losing control of) should NOT be sharing a password. If one account with a shared password is hacked, consider them all hacked because you're probably using the same email address to identify yourself, and it's not hard to guess what other websites to try with a known email address AND password.
Internet account security, passwords, AI 'hackbots' on 11:07 - Oct 16 with 3355 views | blueasfook |
Internet account security, passwords, AI 'hackbots' on 11:04 - Oct 16 by NthQldITFC | Absolutely that re. scraping. I do allow my browser to store some passwords, but only for relatively unimportant websites for ease of use, and then the ABSOLUTELY vital thing to remember is that anything important (banking etc. or anything you can't do without losing control of) should NOT be sharing a password. If one account with a shared password is hacked, consider them all hacked because you're probably using the same email address to identify yourself, and it's not hard to guess what other websites to try with a known email address AND password. |
Would also suggest regularly checking haveIbeenpwned to see if your credentials have been lifted in any known data breaches. If so, change them pronto!
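The check above can also be done for individual passwords without ever sending the password anywhere. This is an added example, not code from the thread: it implements the k-anonymity range lookup that the Pwned Passwords API offers (only the first five hex characters of the password's SHA-1 are sent to https://api.pwnedpasswords.com/range/<prefix>, and the reply lists matching 35-character suffixes with breach counts as `SUFFIX:COUNT` lines). The fetcher is injectable, and the sample response below is constructed so the code runs offline; the count in it is invented.

```python
"""Pwned Passwords k-anonymity check: an added example, not code from the thread.

Only the first five hex characters of the SHA-1 of the password are sent to
https://api.pwnedpasswords.com/range/<prefix>; the service replies with every
matching 35-character suffix and its breach count, one "SUFFIX:COUNT" per line.
The password itself and its full hash never leave the machine.
"""
from __future__ import annotations

import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> tuple[str, str]:
    """5-character prefix that is sent, 35-character suffix that stays local."""
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; padded responses may contain count-0 filler rows."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in known breaches (0 = not seen)."""
    prefix, suffix = split_hash(sha1_hex_upper(password))
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network fetch; 'Add-Padding' asks the API to hide the true result size."""
    import urllib.request

    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "hibp-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the API. SHA-1("password") starts 5BAA6, so a
# range reply for that prefix would include its suffix; the count here is invented.
SAMPLE_RESPONSE_5BAA6 = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:10000000\r\n"
    "0123456789ABCDEF0123456789ABCDEF012:0\r\n"
)


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher: returns the constructed reply for 5BAA6, nothing otherwise."""
    return SAMPLE_RESPONSE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "ink-walrus-ladder-quartz-seven"):
        n = pwned_count(candidate, fetch_range_sample)
        print(f"{candidate!r}: seen {n} times" if n else f"{candidate!r}: not in sample data")
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service; the suffix comparison still happens locally, so the service learns a 5-character prefix shared by many thousands of hashes and nothing more.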
Internet account security, passwords, AI 'hackbots' on 18:16 - Oct 16 with 3017 views | factual_blue |
Internet account security, passwords, AI 'hackbots' on 10:37 - Oct 16 by Pinewoodblue | Back in the early 80’s the company I worked for upgraded computer system and for first time passwords were required. I visited one branch, where I knew the manager would need help, he hated any sort of change. Asked if setting up passwords had gone smoothly, his response was easy they told you what word to use. Every member of staff, even those who knew better, followed his instructions and they all had “password” as their password. |
My former employer made it impossible to use 'password', 'training' and 'magpie' as passwords. There was a very large office complex in Newcastle (at the time second only to The Pentagon in terms of employee numbers), hence the ban on 'magpie'.
Internet account security, passwords, AI 'hackbots' on 19:38 - Oct 16 with 2957 views | stonojnr | Would it be quicker than a brute force attack ? I mean essentially AI is just the computer doing the social engineering vector, when people set passwords to birthdays or pet names etc. AI isn't going to be able to guess a random pattern of letters, numbers and special characters however much it knows about you.
Internet account security, passwords, AI 'hackbots' on 20:05 - Oct 16 with 2921 views | NthQldITFC |
Internet account security, passwords, AI 'hackbots' on 19:38 - Oct 16 by stonojnr | Would it be quicker than a brute force attack ? I mean essentially AI is just the computer doing the social engineering vector, when people set passwords to birthdays or pet names etc. AI isn't going to be able to guess a random pattern of letters, numbers and special characters however much it knows about you. |
I haven't really given it a huge amount of thought, but a typical brute force attack would be carried out in one go, and any decently engineered site would spot it and start blocking IP addresses or locking accounts. There would also be a limit to the logic (if any) applied to generating the candidate credentials. AI could, I presume both run longer period organised attacks with less frequent tries (and security-triggering failures) and also build a profile from other linked PII it finds on the web in order to make better guesses at authentication values. Obviously not everybody uses a random pattern of letters, numbers and special characters, which is exactly why I wrote this post to start with. But I'm no expert. [Post edited 16 Oct 2024 20:06]
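The two attack shapes the post contrasts, a burst against one account versus slow, spread-out guessing, behave very differently against the throttling a "decently engineered site" applies. The following is an added example, not code from the thread or from any real site: a small server-side login guard with three counters (per-account lockout, per-source block, and a "spray" detector that counts distinct accounts a source has failed against inside a time window). All thresholds and the two scenarios are assumptions chosen to illustrate the point.

```python
"""Login throttling versus low-and-slow guessing: an added example, not from the thread.

Three independent counters, all thresholds chosen for illustration:
  * per account: lock after max_account_fails failures in account_window seconds
  * per source:  block after max_source_fails failures in source_window seconds
  * spray:       flag a source that has failed against max_distinct_accounts
                 different accounts inside source_window, however slowly
The first counter alone stops a burst against one account but never fires
against an attacker who tries one guess per account; the third catches that.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class LoginGuard:
    max_account_fails: int = 5
    account_window: float = 900.0
    max_source_fails: int = 50
    source_window: float = 3600.0
    max_distinct_accounts: int = 10
    # both maps hold deques of (timestamp, account) events
    _account_fails: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    _source_fails: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(q: deque, now: float, window: float) -> None:
        """Drop events older than the window; each entry is (timestamp, account)."""
        while q and now - q[0][0] > window:
            q.popleft()

    def check(self, account: str, source: str, now: float) -> str:
        """Decide before verifying the password; returns the reason if refused."""
        aq = self._account_fails[account]
        self._prune(aq, now, self.account_window)
        if len(aq) >= self.max_account_fails:
            return "account_locked"
        sq = self._source_fails[source]
        self._prune(sq, now, self.source_window)
        if len(sq) >= self.max_source_fails:
            return "source_blocked"
        if len({acct for _, acct in sq}) >= self.max_distinct_accounts:
            return "spray_suspected"
        return "allow"

    def record_failure(self, account: str, source: str, now: float) -> None:
        self._account_fails[account].append((now, account))
        self._source_fails[source].append((now, account))

    def record_success(self, account: str) -> None:
        self._account_fails[account].clear()


def first_refusal(attempts: list[tuple[str, str, float]]) -> tuple[int, str]:
    """Replay (account, source, time) attempts that all fail; return the 1-based
    attempt number and reason of the first refusal, or (0, 'allow') if none."""
    guard = LoginGuard()
    for i, (account, source, t) in enumerate(attempts, start=1):
        verdict = guard.check(account, source, t)
        if verdict != "allow":
            return i, verdict
        guard.record_failure(account, source, t)
    return 0, "allow"


# Constructed scenarios (assumed IP address from the documentation range).
def burst_on_one_account(n: int = 20) -> tuple[int, str]:
    """Classic brute force: n guesses at 'alice' from one IP, one per second."""
    return first_refusal([("alice", "203.0.113.7", float(i)) for i in range(n)])


def slow_spray(n_accounts: int = 40, interval: float = 120.0) -> tuple[int, str]:
    """Password spray: one guess per account, `interval` seconds apart, same IP.
    No account ever reaches 5 failures, so per-account lockout stays silent."""
    return first_refusal(
        [(f"user{i}", "203.0.113.7", i * interval) for i in range(n_accounts)]
    )


if __name__ == "__main__":
    print("burst:", burst_on_one_account())   # (6, 'account_locked')
    print("spray:", slow_spray())             # (11, 'spray_suspected')
    print("slower spray:", slow_spray(40, 400.0))  # (0, 'allow'): window too short
```

The last line of the demo is the caveat: stretch the same spray to one guess every 400 seconds and the hour-long window never holds ten distinct accounts, so this detector goes quiet too. Catching that needs longer-horizon analytics (or an attacker-independent control such as MFA), which is the gap the post is worried about.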
Internet account security, passwords, AI 'hackbots' on 23:18 - Oct 16 with 2718 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 10:24 - Oct 16 by Vegtablue | Do you remember that time when I spelt out how to navigate the ITFC ticket site like you'd never sat in front of a computer before? 😅 What I'd like to know is if Google password manager is safe to use as I'm in pretty deep with these boys (I keep my banking passwords in the brainbox but Google stores everything else). |
I’ve worked in cyber security for 25+ years so have some insights here. We ask colleagues to avoid storing passwords in the browser due to the threat of malware compromising your device. In that scenario, passwords stored in the browser could potentially be misused. Malware could also result in a keylogger being installed to capture your passwords at the point of entry. A dedicated password manager is less risky, but not without flaws especially if cloud based. Cracking all your eggs in one basket means dealing with a very messy omelette. One of the best features of a password manager is the quick creation of truly random and complex passwords which you don’t have to remember or type in. A little black book, non-digital, can be safe if you keep it secure - maybe avoid writing site names in full but use some form of code. Someone else has suggested MFA. That is the best protection of all, however you do need to consider what happens if you lose your device (or whatever solution provides your additional authentication factor). Also, SMS based MFA is vulnerable to SIM swapping (a social engineering attack on your mobile phone provider) so consider an Authenticator app instead. Another good suggestion is using a tiered approach. Many services don’t really carry much risk, but your main email, social media and anything financial deserves a unique, strong password and MFA. AI hasn’t made it easier to crack a strong, random password, only a predictable one. Length is strength, so rather than using symbols and numbers you can create a memorable pass phrase by chaining unconnected words. You might be able to construct visual memory triggers to help remember the words, e.g. https://xkcd.com/936/?correct=horse&battery=staple I’ll stop boring you now… [Post edited 16 Oct 2024 23:31]
Internet account security, passwords, AI 'hackbots' on 23:26 - Oct 16 with 2696 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 20:05 - Oct 16 by NthQldITFC | I haven't really given it a huge amount of thought, but a typical brute force attack would be carried out in one go, and any decently engineered site would spot it and start blocking IP addresses or locking accounts. There would also be a limit to the logic (if any) applied to generating the candidate credentials. AI could, I presume both run longer period organised attacks with less frequent tries (and security-triggering failures) and also build a profile from other linked PII it finds on the web in order to make better guesses at authentication values. Obviously not everybody uses a random pattern of letters, numbers and special characters, which is exactly why I wrote this post to start with. But I'm no expert. [Post edited 16 Oct 2024 20:06]
|
Brute forcing can be carried out against a stolen copy of an encrypted database - you are right that any decently engineered primary system would have safeguards to throttle and rate limit entries. With current computing power a 15 character password with no complexity is virtually uncrackable, but for future proofing you may want to go longer or add complexity (quantum computing will be a gamechanger for bruteforcing).
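The "15 characters with no complexity" claim here and the "length is strength, chain unconnected words" advice earlier in the thread both come down to entropy arithmetic, so here it is worked through. This is an added example, not from the thread: it computes bits of entropy for a few password shapes (assuming each is uniformly random, which hand-picked words are not), converts them to expected cracking time at three assumed guess rates, and generates a passphrase with a CSPRNG. The word list and the guess rates are constructed illustrations, not measurements.

```python
"""Length is strength: an added example (not from the thread) that puts numbers
on the claims above. Entropy is log2 of the number of equally likely choices,
so a password drawn uniformly from an alphabet of size A with length L has
L*log2(A) bits, and a passphrase of N words from a list of W has N*log2(W).
Guess rates are illustrative assumptions, not measurements.
"""
from __future__ import annotations

import math
import secrets

# Constructed word list; a real diceware list has 7776 entries.
SAMPLE_WORDS = [
    "horse", "battery", "staple", "walrus", "ladder", "quartz", "ember", "tundra",
    "pickle", "lantern", "velvet", "cobalt", "meadow", "gadget", "harbor", "zephyr",
]
DICEWARE_SIZE = 7776
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed guess rates: throttled online login vs offline cracking of a stolen hash.
RATES = {
    "online, throttled (10/s)": 10.0,
    "offline, slow KDF (1e5/s)": 1e5,
    "offline, fast hash on GPUs (1e11/s)": 1e11,
}


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `choices`."""
    return length * math.log2(choices)


def crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words: list[str], n_words: int, sep: str = "-") -> str:
    """CSPRNG word selection; the strength comes from the list size, not the words."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def strength_table() -> dict[str, float]:
    """Entropy of a few password shapes, all assumed uniformly random."""
    return {
        "8 chars, 95 printable": entropy_bits(95, 8),
        "15 lowercase letters": entropy_bits(26, 15),
        "4 diceware words": entropy_bits(DICEWARE_SIZE, 4),
        "5 diceware words": entropy_bits(DICEWARE_SIZE, 5),
    }


if __name__ == "__main__":
    for shape, bits in strength_table().items():
        print(f"{shape:24s} {bits:5.1f} bits")
        for label, rate in RATES.items():
            print(f"    {label:36s} ~{crack_years(bits, rate):.3g} years")
    print("example passphrase (16-word sample list, weak):",
          generate_passphrase(SAMPLE_WORDS, 5))
```

Run it and the two sides of the thread line up: fifteen random lowercase letters are about 70 bits, which at the fast-hash rate is centuries, while eight "complex" characters are about 53 bits and fall in hours offline even though both look fine against a throttled login form. The caveat the numbers make explicit is that all of this assumes a uniformly random choice; a 15-letter phrase you picked because it means something to you is drawn from a far smaller space, which is exactly the profile-driven guessing the thread is worried about.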
Internet account security, passwords, AI 'hackbots' on 23:36 - Oct 16 with 2661 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 10:50 - Oct 16 by blueasfook | Interesting point. I see lots of these things on facebook asking for people to name their first pet or favourite band for example, which people willingly participate in. I am sure that info is being scraped up and fed into LLMs to build profiles to help guess people's passwords. For anything important, I use a strong password generator, and keep that password in a password safe to get it when I need it. I would also add never allow your browser to store your password. [Post edited 16 Oct 2024 10:50]
|
Perhaps! The main threat here is to the security question that some sites use as additional authentication factor. Many sites ask the same questions, so if one system is hacked then the attacker has your “secret” answer for many sites. You can work around this by creating fake/random answers and store them in your password manager.
Internet account security, passwords, AI 'hackbots' on 11:10 - Oct 17 with 2433 views | Pinewoodblue |
Internet account security, passwords, AI 'hackbots' on 23:36 - Oct 16 by Bbmaj | Perhaps! The main threat here is to the security question that some sites use as additional authentication factor. Many sites ask the same questions, so if one system is hacked then the attacker has your “secret” answer for many sites. You can work around this by creating fake/random answers and store them in your password manager. |
What solution would you recommend when you want to gain access to sites on a home computer and say a mobile or tablet?
Internet account security, passwords, AI 'hackbots' on 11:23 - Oct 17 with 2407 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 11:10 - Oct 17 by Pinewoodblue | What solution would you recommend when you want to gain access to sites on a home computer and say a mobile or tablet? |
You could use a cloud based password manager which integrates with the browser to autofill username and password. You can also look up additional notes for things like “secrets”. They should support both Computer and mobile operating systems, but check the license and device requirements! That would probably provide the optimal user experience, making it very slick and convenient.
Internet account security, passwords, AI 'hackbots' on 11:24 - Oct 17 with 2407 views | NthQldITFC |
Internet account security, passwords, AI 'hackbots' on 11:10 - Oct 17 by Pinewoodblue | What solution would you recommend when you want to gain access to sites on a home computer and say a mobile or tablet? |
BBmaj's answer will undoubtedly be better than mine, but you could consider a cloud-based encrypted password manager (auto-backed up online) for less important sites ONLY, and then either a memorable random phrase (but make sure it's truly random) or a little black book for critical sites. If you don't want to do cloud-based even for your less important sites you could have two local copies (home and mobile) and a docked (physical or wi-fi) automatic synchronisation every time they are close enough to communicate. In either case, add one or more additional forms of authentication (SMS, email, etc.).
Internet account security, passwords, AI 'hackbots' on 11:55 - Oct 17 with 2330 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 11:24 - Oct 17 by NthQldITFC | BBmaj's answer will undoubtedly be better than mine, but you could consider a cloud-based encrypted password manager (auto-backed up online) for less important sites ONLY, and then either a memorable random phrase (but make sure it's truly random) or a little black book for critical sites. If you don't want to do cloud-based even for you less important sites you could have two local copies (home and mobile) and a docked (physical or wi-fi) automatic synchronisation every time they are close enough to communicate. In either case one or more additional forms of authentication. (SMS, email) etc. |
This is great advice. Worth considering that with MFA enabled on your critical sites, the password manager may be sufficiently secure. The site will fingerprint your device and allow you in when you connect from a trusted device. If you login from a new device (or an upgraded one), the MFA will be triggered, hopefully blocking access for any hacker even if they did steal/guess your password. For the techies out there, you should find it easy to make good choices. For others, a fairly simple approach which adds security may be best.
Internet account security, passwords, AI 'hackbots' on 12:27 - Oct 17 with 2268 views | Coastalblue |
Internet account security, passwords, AI 'hackbots' on 10:08 - Oct 16 by Guthrum | The problem with a password manager system is if you suffer a major crash/loss and it is unavailable, wiped or stops working. Then you are mightily stuffed unless you've written them all down somewhere. Happened to me a year or so ago, couldn't even get into the email account most things were set to use for recovery. |
I use LastPass and have for donkey's years, it may well have been superseded by better options now in fairness but that works across all devices, laptop, phone or whatever else you may have. If you do have a crash then you can just go the website and re-download or log in there, in reality I only need one password, that accesses all the others. (probably means in my case it's the weakest of the lot when it should be the strongest, but that's not the fault of the software)
Internet account security, passwords, AI 'hackbots' on 12:39 - Oct 17 with 2240 views | DanTheMan |
Internet account security, passwords, AI 'hackbots' on 12:27 - Oct 17 by Coastalblue | I use LastPass and have for donkey's years, it may well have been superseded by better options now in fairness but that works across all devices, laptop, phone or whatever else you may have. If you do have a crash then you can just go the website and re-download or log in there, in reality I only need one password, that accesses all the others. (probably means in my case it's the weakest of the lot when it should be the strongest, but that's not the fault of the software) |
I'd recommend Bitwarden these days for what it's worth. LastPass has gone down hill a bit.
Internet account security, passwords, AI 'hackbots' on 12:40 - Oct 17 with 2235 views | Ryorry |
Internet account security, passwords, AI 'hackbots' on 11:55 - Oct 17 by Bbmaj | This is great advice. Worth considering that with MFA enabled on your critical sites, the password manager may be sufficiently secure. The site will fingerprint your device and allow you in when you connect from a trusted device. If you login from a new device (or an upgraded one), the MFA will be triggered, hopefully blocking access for any hacker even if they did steal/guess your password. For the techies out there, you should find it easy to make good choices. For others, a fairly simple approach which adds security may be best. |
Thanks for all the advice, much appreciated. How safe do you consider banking apps are using a 5 digit passcode if face recognition fails? [Post edited 17 Oct 2024 12:41]
Internet account security, passwords, AI 'hackbots' on 13:08 - Oct 17 with 2169 views | Bbmaj |
Internet account security, passwords, AI 'hackbots' on 12:40 - Oct 17 by Ryorry | Thanks for all the advice, much appreciated. How safe do you consider banking apps are using a 5 digit passcode if face recognition fails? [Post edited 17 Oct 2024 12:41]
|
It depends… Probably safe enough, as the App should be installed on a device which will be recognised and trusted. If not, additional information/confirmation should be requested and not just a 5 digit PIN. However, if your device is compromised then you may be at some risk. Banks are actually quite good when it comes to security though. There will be close scrutiny of the app security/updates and they build in additional safeguards for approving payments or changing personal details. But that safeguard could be a code sent by SMS to the compromised device! Moral of the story = be cautious when installing new apps on your phone and make sure you apply security updates. I won’t mention VPN apps here, although that could be relevant to some readers. Do your banking in person at a branch if you want to avoid risks (although the app can be very convenient for modern life and also help to quickly identify suspicious activity/payments). The main threat here is social engineering or phishing, where you are “persuaded” to carry out the attacker’s actions (that may be making the payment or installing the malware laden app). It’s simple and remarkably effective. Attacks will focus on low hanging fruit, so easy and cheap will be preferred to highly technical and complex.