Re: Hey, I know your password is

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 02Sep2019 09:53, Patrick Dupre <pdupre@xxxxxxx> wrote:

Today, I got a message, staring:
Hey, I know your password is ........

and asking for money.


Do they cite accurately the service for which the password is used?


The password is one of the password that I use. It is not one giving access
to important accounts, but I am a bit wondering about other account.
I am careful with my accounts and passwords.
How can I prevent sort of password steal?
As mentioned, this is largely in the hands of those who have stored your password. 

There are a few ways for your password to leak:

- the service for which the password is used has had a breach.
No reputable service should be storing your actual password, they should be using some kind of salted hash of your password; the service shouldn't be _able_ to leak you password, they just need to be able to check that whatvere passwordyou supply hashes the same way. 

Note that a lot of mailing list software does keep the raw password.

Also, bad logging might record passwords in a log file.
With a hash, if someone obtains the service's records, they can only get your password by trying passwords against the hash. However, if your password is one you invented then that might be a smaller search space than you think. 

- the password was intercepted between you and the service
With https and ssl this should not be possible. The traffic between you and it should be properly encrypted, and if the service certificate is valid then there should not be a man-in-the-middle. 

- your local machine was attacked

Hopefully not.
The best defense with passwords is to have a different one for every service. There are password management tools which help with this: they will keep your passwords in encrypted form, and also generate strong random passwords for you.
The advantage here is that if one service is comprimised, your other services are not.
Note that your email is critical - it is the common avenue for "forgot password" mechanisms. So someone with access to your email might then do the reset-password process for some service and intercept any validation stuff sent to your email. 

So your email is an often ngelected common weak point.

Anyway:

Get a password management tool.

Cheers,
Cameron Simpson <cs@xxxxxxxxxx>
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [EPEL Devel]     [Fedora Magazine]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Desktop]     [Fedora Fonts]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Fedora Sparc]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux