Re: [silk] What do you do when you get to know that you have been pwned?
On Sun, Feb 24, 2019 at 1:16 PM Udhay Shankar N wrote:
>>>> such as a yubikey.
>>
>> Are these available for purchase in India?
>
> e.g. https://www.amazon.in/Yubico-Authentication-USB-Security-Key/dp/B018Y1Q71M

Somewhat related, and good news on the being-pwned front:
https://techcrunch.com/2019/02/25/more-passwordless-logins-are-coming-to-android/

The FIDO Alliance and Google today announced that Android (from version 7.0 up) with the latest version of the Google Play Services is now FIDO2 certified. At first glance, that sounds rather boring, but it will enable developers to write apps that use a phone’s fingerprint scanner or a FIDO security key to authenticate users without making them type in a password. As I’m not aware of too many people who like to type in complicated passwords that their IT department makes them change every few months, that’s a big deal.

Developers will be able to enable password-less logins in their web and native apps. Chrome, Microsoft Edge and Firefox already fully support this feature, as does Apple’s Safari (but only in preview). In addition to the convenience, FIDO2 also promises to offer phishing-resistant security, given that this technology won’t let you authenticate on a malicious site.

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
Re: [silk] What do you do when you get to know that you have been pwned?
On Sun, Feb 24, 2019 at 1:11 PM Aadisht Khanna wrote:
>>>> such as a yubikey.
>>
>> Are these available for purchase in India?

e.g. https://www.amazon.in/Yubico-Authentication-USB-Security-Key/dp/B018Y1Q71M

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
Re: [silk] What do you do when you get to know that you have been pwned?
>>> 3. Enable 2FA EVERYWHERE that supports it. Ideally, with a hardware token
>>> such as a yubikey.

Are these available for purchase in India?
Re: [silk] What do you do when you get to know that you have been pwned?
On Fri, Feb 22, 2019 at 06:54:41AM -0800, Thaths wrote:
> In addition to all of those steps, I also recommend using unique
> passwords in all the sites. It is not going to be possible for you to
> remember that many unique passwords (especially if you choose strong
> passwords). I recommend you choose strong passwords that you memorize
> for one or two of your key accounts (Google, Facebook). And use a
> password manager (I personally use keepass) to generate and store
> strong unique passwords for your other sites.

This, this so much. I have a KeePass2 file with all my passwords. Every time I have to register on a new site, I tell it to generate a new one, which will be something like Q4s.-.-%534[]aTMfd_. I don't even have to forget it. If (or when) the site gets breached, it gives a bit of peace of mind to know that the password can't be used to access any of my other accounts.

Also, I have that password file synced with my phone, and then I use KeePassDroid to access them.

Cheers,

--
José María (Chema) Mateos || https://rinzewind.org/
Re: [silk] What do you do when you get to know that you have been pwned?
On Fri, Feb 22, 2019 at 7:24 AM Ra Jesh wrote:
> Hahaha. Neat!!!

Actually,

(a) If you are doing this "Forgot password" thing too often on a reasonably well-built site, you are setting off all kinds of red flags about being a potentially malicious actor. If they have a bot-or-not reputation score for you, you are burning through that score with each attempt at 'Forgot password'.

(b) Your scheme to have random passwords on these sites is only as secure as the password on the email account you use for recovery.

Thaths

> On Fri, Feb 22, 2019, 20:51 Ashim D'Silva wrote:
>
>> For sites I don’t use too often, I was always tempted to reuse passwords
>> which is a pretty bad practice, so I started just using the forgot password
>> feature more often. So I have a ridiculous entirely random password that I
>> don’t know, and then just say forgot password when I want to log in.
>>
>> It could also be a good way to go about changing all your passwords—and a
>> side effect is it confirms your backup email.
>>
>> Cheerio,
>>
>> Ashim
>> Design & Build
>>
>> The Random Lines
>> www.therandomlines.com

--
Homer: Hey, what does this job pay?
Carl: Nuthin'.
Homer: D'oh!
Carl: Unless you're crooked.
Homer: Woo-hoo!
Re: [silk] What do you do when you get to know that you have been pwned?
The haveibeenpwned.com site is great and I use it every six months or so to check if any logins have been compromised.

(Sorry I keep forgetting the Silk protocol about replying before or after a thread.)

On Fri, Feb 22, 2019 at 3:59 PM Ashim D'Silva wrote:
> Medium made a huge deal about it when they released it as a feature:
> https://blog.medium.com/signing-in-to-medium-by-email-aacc21134fcd
>
> Makes total sense though; passwords are an old solution to a difficult
> problem. Of course it also means that your email better always be in your
> control otherwise that’s the single point of failure.
>
> Cheerio,
>
> Ashim
> Design & Build
>
> The Random Lines
> www.therandomlines.com

--
*Sidin Sunny Vadukut*
Mobile: +44 757 244 1292
Blog: http://www.whatay.com
@sidin
Re: [silk] What do you do when you get to know that you have been pwned?
Medium made a huge deal about it when they released it as a feature:
https://blog.medium.com/signing-in-to-medium-by-email-aacc21134fcd

Makes total sense though; passwords are an old solution to a difficult problem. Of course it also means that your email better always be in your control otherwise that’s the single point of failure.

Cheerio,

Ashim
Design & Build

The Random Lines
www.therandomlines.com

On Fri, 22 Feb 2019 at 17:25, Deepa Mohan wrote:
> I must say that "use 'forgot password'!" is advice I get very often from my
> bank. I think it is an absurd solution that works!
Re: [silk] What do you do when you get to know that you have been pwned?
I must say that "use 'forgot password'!" is advice I get very often from my bank. I think it is an absurd solution that works!

On Fri, Feb 22, 2019 at 8:53 PM Ra Jesh wrote:
> Hahaha. Neat!!!
>
> On Fri, Feb 22, 2019, 20:51 Ashim D'Silva wrote:
>
>> For sites I don’t use too often, I was always tempted to reuse passwords
>> which is a pretty bad practice, so I started just using the forgot password
>> feature more often. So I have a ridiculous entirely random password that I
>> don’t know, and then just say forgot password when I want to log in.
>>
>> It could also be a good way to go about changing all your passwords—and a
>> side effect is it confirms your backup email.
>>
>> Cheerio,
>>
>> Ashim
>> Design & Build
>>
>> The Random Lines
>> www.therandomlines.com
Re: [silk] What do you do when you get to know that you have been pwned?
Hahaha. Neat!!!

On Fri, Feb 22, 2019, 20:51 Ashim D'Silva wrote:
> For sites I don’t use too often, I was always tempted to reuse passwords
> which is a pretty bad practice, so I started just using the forgot password
> feature more often. So I have a ridiculous entirely random password that I
> don’t know, and then just say forgot password when I want to log in.
>
> It could also be a good way to go about changing all your passwords—and a
> side effect is it confirms your backup email.
>
> Cheerio,
>
> Ashim
> Design & Build
>
> The Random Lines
> www.therandomlines.com
Re: [silk] What do you do when you get to know that you have been pwned?
For sites I don’t use too often, I was always tempted to reuse passwords which is a pretty bad practice, so I started just using the forgot password feature more often. So I have a ridiculous entirely random password that I don’t know, and then just say forgot password when I want to log in.

It could also be a good way to go about changing all your passwords—and a side effect is it confirms your backup email.

Cheerio,

Ashim
Design & Build

The Random Lines
www.therandomlines.com

On Fri, 22 Feb 2019 at 16:55, Thaths wrote:
> In addition to all of those steps, I also recommend using unique passwords
> in all the sites. It is not going to be possible for you to remember that
> many unique passwords (especially if you choose strong passwords). I
> recommend you choose strong passwords that you memorize for one or two of
> your key accounts (Google, Facebook). And use a password manager (I
> personally use keepass) to generate and store strong unique passwords for
> your other sites.
>
> Thaths
Re: [silk] What do you do when you get to know that you have been pwned?
On Fri, Feb 22, 2019 at 2:42 AM Udhay Shankar N wrote:
> On Fri, Feb 22, 2019 at 2:04 PM Udhay Shankar N wrote:
>
>> 1. Log out all gmail/facebook/other social sessions (Most providers give
>> you the option to "log out all current sessions")
>> 2. Change all the passwords of pwned email addresses
>> 3. Enable 2FA EVERYWHERE that supports it. Ideally, with a hardware token
>> such as a yubikey.
>
> Additionally, I'd also suggest you log in to your various (potentially)
> compromised accounts, check under security settings to see if the backup
> email address (where password reset notifications are sent) and backup
> phone number have been tampered with.

In addition to all of those steps, I also recommend using unique passwords in all the sites. It is not going to be possible for you to remember that many unique passwords (especially if you choose strong passwords). I recommend you choose strong passwords that you memorize for one or two of your key accounts (Google, Facebook). And use a password manager (I personally use keepass) to generate and store strong unique passwords for your other sites.

Thaths

> --
> ((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))

--
Homer: Hey, what does this job pay?
Carl: Nuthin'.
Homer: D'oh!
Carl: Unless you're crooked.
Homer: Woo-hoo!
Re: [silk] What do you do when you get to know that you have been pwned?
These are good suggestions! Thanks Udhay.

I was wondering if anyone has had this happen before and what steps they took. Have you ever been notified that your email ID and/or other details appear in a dump of data breach info?

On Fri, Feb 22, 2019, 16:11 Udhay Shankar N wrote:
> On Fri, Feb 22, 2019 at 2:04 PM Udhay Shankar N wrote:
>
>> 1. Log out all gmail/facebook/other social sessions (Most providers give
>> you the option to "log out all current sessions")
>> 2. Change all the passwords of pwned email addresses
>> 3. Enable 2FA EVERYWHERE that supports it. Ideally, with a hardware token
>> such as a yubikey.
>
> Additionally, I'd also suggest you log in to your various (potentially)
> compromised accounts, check under security settings to see if the backup
> email address (where password reset notifications are sent) and backup
> phone number have been tampered with.
>
> --
> ((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
Re: [silk] What do you do when you get to know that you have been pwned?
On Fri, Feb 22, 2019 at 2:04 PM Udhay Shankar N wrote:
> 1. Log out all gmail/facebook/other social sessions (Most providers give
> you the option to "log out all current sessions")
> 2. Change all the passwords of pwned email addresses
> 3. Enable 2FA EVERYWHERE that supports it. Ideally, with a hardware token
> such as a yubikey.

Additionally, I'd also suggest you log in to your various (potentially) compromised accounts, check under security settings to see if the backup email address (where password reset notifications are sent) and backup phone number have been tampered with.

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
Re: [silk] What do you do when you get to know that you have been pwned?
On Fri, Feb 22, 2019 at 1:39 PM Ra Jesh wrote:
> Compromised data included email addresses, IP Addresses, passwords, and
> usernames.

1. Log out all gmail/facebook/other social sessions (Most providers give you the option to "log out all current sessions")
2. Change all the passwords of pwned email addresses
3. Enable 2FA EVERYWHERE that supports it. Ideally, with a hardware token such as a yubikey.

Udhay

--
((Udhay Shankar N)) ((udhay @ pobox.com)) ((www.digeratus.com))
[silk] What do you do when you get to know that you have been pwned?
This morning I received a notification from haveibeenpwned dot com informing me that the latest leak from the Under Armour-affiliated MyFitnessPal app has my details included in the data that was breached.

What steps do you recommend people should take if their data has been stolen?

Compromised data included email addresses, IP Addresses, passwords, and usernames.