
I've recently had some success and traffic increase with an online business I own, and due to that someone has hacked my domain email and Twitter accounts. My bank password is the same and I just changed everything to some really random, difficult 16-character password (looks like a bitcoin address honestly). But the problem is I cannot remember this password...

I'm afraid to store it on my Dropbox because if my PC is compromised they can gain access. Is the only way to store it on a flash drive or sticky note and put that in my wallet or something? Or take a photo on my phone? The chances of my phone being stolen are slim to none. Seems very cumbersome to have to look at my phone every time I log in to my bank and enter some 16-character password.

And also, how do large corporations and VIP (billionaires, celebrities, heads of state) individuals secure their passwords?

Thanks

Goose

  • Use a password manager. Please don't ask "what if they gain access to that too?" :D Because everything has its own positives and negatives, you just have to choose the right one with fewer vulnerabilities that matches your requirements. (And consider changing your bank password if it was in any way related to your hacked accounts) – Ebenezar John Paul Mar 28 '14 at 05:54
  • Understand there is always compromise. Convenience or security in this case. – deed02392 Mar 28 '14 at 09:05
  • Wealthy people use the same bad practices normal humans use... don't assume they are a good example – Rory Alsop Mar 28 '14 at 12:42
  • `And also, how do large corporations and VIP (billionaires, celebrities, heads of state) individuals secure their passwords?` They... don't. Worked for a guy once, owned a decent sized company (and a bunch of smaller ones), with a personal worth of mid-nine figures, and his password for ***everything*** was `bob`. Three guesses what his first name was. Assuming that the rich and powerful actually do security right is a very dangerous assumption. Focus instead on how to do it right, and ignore the mind-numbingly foolish practices of the rich and famous. – HopelessN00b Mar 28 '14 at 15:35

4 Answers

6

Do not use the same password on multiple sites. That's number one. Second, don't use simple passwords for any site where you care about your account.

To do this, you need a paper list or a password manager (e.g. KeePass, LastPass, etc). A manager is almost always the way to go.

mgkrebbs

  • Exactly. Your password manager is protected by a secure passphrase that you only use locally. Other passwords are random strings. – dr jimbob Mar 28 '14 at 15:18
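As an added illustration of the two rules in this answer and the comment below it (random strings per site, nothing shared with or derived from the password of an account that was already hacked), here is a small Python audit; it is example code, not the answerer's, and the account names and passwords in it are constructed.

```python
import math
import re
import secrets
import string

# Alphabet a manager typically draws from: 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random password from the OS CSPRNG, the way a password manager makes one."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def _stem(password: str) -> str:
    """Normalise so trivially related variants collide: lower-case, strip
    leading/trailing digits and punctuation (Goose2014! -> goose)."""
    return re.sub(r"^[\d\W_]+|[\d\W_]+$", "", password.lower())


def find_reuse(accounts: dict[str, str]) -> list[tuple[str, str, str]]:
    """Flag account pairs whose passwords are identical or visibly related.
    Related = same stem, or one stem (>= 6 chars) contained in the other."""
    findings = []
    names = sorted(accounts)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            pa, pb = accounts[a], accounts[b]
            if pa == pb:
                findings.append((a, b, "identical"))
                continue
            sa, sb = _stem(pa), _stem(pb)
            if sa and sa == sb:
                findings.append((a, b, "same stem"))
            elif min(len(sa), len(sb)) >= 6 and (sa in sb or sb in sa):
                findings.append((a, b, "one contains the other"))
    return findings


# Constructed sample: the situation in the question before the change.
BEFORE = {"domain email": "Goose2014!", "twitter": "goose2014", "bank": "Goose2014!"}
# After: one independent random string per account, as a manager would store.
AFTER = {name: generate_password() for name in BEFORE}

if __name__ == "__main__":
    print(f"16 chars over {len(ALPHABET)} symbols = {entropy_bits(16):.1f} bits")
    print("before:", find_reuse(BEFORE))
    print("after: ", find_reuse(AFTER))
```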
2

Your information is only as secure as the server it lies on and the client machine and network are.

It's always good practice to have different passwords for different websites.

Reason behind it: Let's say you have the same password for everything. Let's pretend "Facebook" got compromised with some vulnerability and they got your password; they would be able to get ALL your other accounts.

Dropbox isn't a good form of security to keep your password secured. If I were on your network I could set up a packet sniffer and next time it syncs (when you make an edit to that file) I could get your passwords. I'd recommend you use a small TrueCrypt container with KeePass in it, if you really need to store your passwords on Dropbox.

My recommendations:

  • Use a different password for everything.
  • Use two-step/three-step authentication wherever possible (most large companies do have this functionality but it is not enabled by default). Use this especially for your emails (Hotmail supports this), as email is generally the channel used for resetting passwords and verifying your identity.
  • Do NOT use a public machine or network for accessing sensitive information, as it can be easily sniffed via a network sniffer like Cain.
  • Do NOT let untrusted people on your network.
  • If you do need wireless, isolate it from your network to prevent packet sniffing.
  • If you can't remember your password(s) for your account(s) then use KeePass. I have KeePass in a TrueCrypt container with keyfiles.
  • Ensure your AV/FW are up-to-date to prevent malware such as keyloggers/remote sniffers/form grabbers etc.
Paul

  • Whaaa...? I'm so confused. The entire point of HTTPS is that if you're on the network you can't sniff the traffic. And why TrueCrypt a KeePass database that is already encrypted with a password?! – user541686 Dec 09 '16 at 09:16
  • Yes, it's true that HTTPS reduces the chance of the traffic between you and the server being sniffed, however not all websites support HTTPS. Well, it's an extra security measure. If there is ever a flaw within either TrueCrypt or KeePass, at least the attacker would have to compromise both pieces of software to get to my list of passwords. So, it's not just a single point of failure. – Paul Dec 09 '16 at 09:50
1

... I don't think there's a perfect one-size-fits-all solution. Different solutions are best in different cases.

I think password safes are a good balance of difficult passwords/not losing them, though obviously this makes the security of your password safe critical; it may even be worth having several password safes, perhaps for different classes of 'thing' or for different security levels.

If a password safe's encryption is sufficiently trustworthy, using Dropbox to cascade it between your devices might actually still only have a moderately acceptable level of risk... many people do that to sync password safes between computers/phones.

Frankly, post-it notes inside a locked drawer are not the worst thing in the world if your premises are relatively secure.

Corporations / VIPs frankly probably often trust assistants etc. with their stuff, and they had better be good at it.

pacifist
1

Large corporations have an information security team and they are responsible for the different security policies and practices (password policies, key management, pentesting...).

There are also a lot of recognized publications with good practices in security management they tend to follow (like ISO27001/ISO27002...).

About VIP people, I don't think they are concerned enough about their information security, but I believe they will just have a consultancy or similar that will guide them to follow safe practices.

About you, you can do the very same: hire an Information Security Consultant for a few hours to help you with your security issues, or learn the stuff yourself.

kiBytes