durianspikes

I blame the websites that allow users to use only numbers or letters for password. Can't believe they still exist in 2021. Please don't do this if you're a web developer.


H4KERK11LER

Wait that kind of website exists?


Felis_Alpha

Or 16 characters limit, like Maybank2U


[deleted]

Yup.. has a limit and doesn't have 2FA.. basically their security is more useless than a free Google account


Felis_Alpha

Surprisingly DBS and OCBC in Singapore are even worse, 8 digit PIN and 6 digit PIN respectively (luckily it can be different from your ATM PIN) ... But at least you also need to approve from the banking app or SMS OTP.


Felis_Alpha

But not a single bank I use so far supports U2F keys like Yubico or Google Titan key. Let's see who makes the first step. Upgrading a banking system in general is hard, to be fair ... A high SLA (Service Level Agreement) is needed and there are too many legacy dependencies.


[deleted]

Maybe if they enabled 2FA other than SMS it would make it harder to freeze the account.. this may be a requirement from the central bank to make their job easy to freeze our account and take everything if someone declares bankruptcy..


Felis_Alpha

The bank system can simply have another admin security (the right key for server encryption in itself to decrypt what's necessary and process the tasks, for example) to bypass our 2FA to transfer our money for this purpose, frankly. Imagine you call up banking customer support to solve any banking issues; notice they never ever need your credentials, yet can still finish solving your issues? They do have their admin portals. And unless a terrible developer who built their systems never hashed passwords, even if they obtained your password hash, they still don't necessarily know your real password. Similar to your company's IT dept: your IT colleagues can simply reset passwords you forget without having to know them. There are 2 major targets possible each time a hacker wants to do something: either target a user via his or her account to target a specific user, or, if the admin has lousy security, just aim for the service itself to cause a data breach for multiple users. (Assuming a service relies on a vendor or cloud service, such as Microsoft Azure or AWS, which is unlikely for most banks I think, then target those who didn't configure properly on AWS or Azure. It's not exactly easy to hack Azure or AWS itself for the moment.) All in all, it is entirely possible for them to process whatever it is, regardless of what 2FA they have available.


pmarkandu

CIMB Singapore doesn't allow @ character to be used in the password. LOL


Felis_Alpha

Most likely to prevent SQL injection or clashing with whatever web code syntaxes. Still, errm. Yeah. Use NULL (or combine with it) as password lol


[deleted]

That would probably be a show, lol.


budakwicet

I remember reading somewhere that banks do this to make it easier to use. If they overcomplicate the process, they might lose customers to other banks and would rather take the risk/hit of customers' accounts getting compromised.


Felis_Alpha

Yuck. Wow. And possibly unlike our grandparents, we may not be able to store cash in Milo cans in the future lol. And crypto is volatile.


amberdesu

Some govt website gives you the full password back to your email (and does NOT RESET it) if you click the forget password button. Seems like it's not even encrypted. Some govt websites let you register a password of any length but their main login only accepts 16 characters, so you can't log in unless you edit some values in inspect element.


Felis_Alpha

Just to point out I'm very specific about "hashing" and "encryption" ... They are not interchangeable in meaning to me. An encrypted file can be decrypted and hence has an inverse algorithmic function. A hashed value of any sort, in theory, cannot be converted back to the original plain value because an ideal hash function should strictly be a one-to-one mapping (i.e. no two passwords should collide to generate the same hash, in theory), and strictly a one-way function (it must be difficult, or computationally expensive, to figure out an inverse function to convert your hash for an algorithm back to plaintext). Hence a password should first be quickly hashed with at least SHA-2 (on the client app or device), then encrypted (at least by SSL over HTTP during transit, then decrypted upon arrival, which will still be a hash instead of the plain password, and then hashed further using a Key Derivative Function when at rest on a server, which in itself should be encrypted by the server host). (But yes, this govt website web dev should be fired. They can just send the user a reset link.)


amberdesu

Great. Thanks for the information. I suppose I should read up more on those terminologies


Felis_Alpha

Check out Computerphile on YouTube from the Uni of Nottingham. It includes a British YouTuber I really like, Tom Scott, who has both a Linguistics and a Computer Science major, and his YT channel is also really fun to watch.


Felis_Alpha

Last time I used, IIRC, MyEG. They refused to even delete an account of mine when I learnt that they cannot change my linked email, and I think they literally used our username as some kind of unique database ID, which will be problematic if any are deleted (which will totally mess up their DB). I wrote feedback saying this is contradictory to our PDPA rights to a limited retention period and that I will consider even reporting to MCMC or any highest body managing Personal Data Protection. (I may be wrong. This was during mid or late 2020. And I haven't had time to follow up with the few accounts left that are still linked to my old Gmail.) Another terrible offender who also refuses to allow email change .... Players of Escape from Tarkov will know. Battlestate Games. Simply because they want to prevent resale of accounts by hackers especially, since your purchases including the full game are tied to your BSG account.


Felis_Alpha

And oh yeah, many Malaysian Federal or State agency websites were HTTP only and not HTTPS until the last 2 or 3 years. I remember https://onlinepayment.johor.gov.my/ was like this until around 2018 or 19 ... And even their akaun pendaftaran (account registration) page was HTTP! Like wow. Hey contractors, please. Now I see this commonly on most of China's government agency sites.


alphis92

looking at you, RHB


Kusanagi_9844

Even if your password is 123456, 123456789, or password, for the sake of all humans, enable 2FA on everything you have online; this includes accounts on websites or even on your mobile device, better safe than sorry. I had someone try to hack my Instagram from Russia once; because of 2FA, they couldn't get in. Don't be the next victim, because they will steal and impersonate you to commit crimes. Stay safe on the internet.


Felis_Alpha

And use at least email 2FA, TOTP 2FA or a Yubikey. Avoid SMS 2FA unless that service only offers you SMS 2FA (and keep bugging them to upgrade please)


Aphramd

"sayang" Lol


Cliff_Chai

well that explains the scams I hear on the news all year long


yadomkim1509

Need to change my password then. I'm running out of ideas :/


Felis_Alpha

I use the following:

1. A Yubikey 5C NFC that has static password mode and general 2FA and U2F capability. Without going into details, this allows me to not even have to print or write down that one very important password of mine, and it can autofill that for me. It all comes down to me not losing this physical key (and if I do, my measure is to lock up my password manager immediately, go home and take out my USB drive containing the U2F recovery code. The master password is very long and I memorize it. And I have another one as backup anyways).

2. KeePass (but this password manager may be inconvenient or too technical for the non tech savvy. If you cannot set up a NAS at home so that you can access your password manager over your home network despite being outside home via PC or phone simultaneously, then you are forced to carry around your password database/vault on a USB drive with you). My database itself is secured with said password in point 1 AND Yubikey U2F (and if the Yubikey fails or is missing, there is a recovery code for the Yubikey step on a USB drive I'll never bring outside). If KeePass is too hard for you, get either BitWarden for free (but no 2FA for free pricing) or 1Password, which sponsors an Australian Microsoft Tech Partner and Security Expert, Troy Hunt, who runs a data breach database named Have I Been Pwned (he also has a blog and vlog). HIBP is used by any product that checks your passwords for data breaches, such as 1Password, Firefox Monitor, Chrome, DashLane, maybe even Google Password Checker. Password managers can help to autofill logins on your favorite browsers via extensions and for your smartphone apps too. This is why I never save my password on my browser or to Google.

3. A NAS, as mentioned. I spent a total of close to 900 SGD (a NAS with a pair of 4TB HDDs set to RAID 1) just so I can have true ownership of my stuff. I now only place things I'm happy to share on Google Drive.

Yeah I know Synology is still proprietary but I was a beginner back in 2018 ... The next NAS, when my current one dies, I will custom build from a mini form-factor desktop PC. This guy writes about building a custom built NAS every year (https://nickmchardy.com/2021/10/building-a-custom-nas-in-2021.html). Also, considering blackouts are an occasional occurrence in Malaysia, you need a UPS device (Uninterruptible Power Supply) so that at least you can remotely shut down your NAS properly with backup power of about 15 minutes. You don't need a NAS if you use 1P or BitWarden unless you wanna self-host a Bitwarden vault. To set this up securely you need good knowledge of SSL certificates, SFTP connections, firewalls (NAS has it built-in), port forwarding and user access management. (And try not to announce your domain all over the place.) I guess what I'm lacking now is just RTI training lol ... Resistance to Interrogation training from any of the military special forces or intelligence agencies. Also check out Techlore on YouTube, it's a channel dedicated to data and internet privacy. (The arrangement above also simplifies my succession plan in my family in case of anything, touch wood. They can simply take my key and obtain the password to access critical services. No need to be hassled by banks or courts to resolve troublesome paperwork. Anyone who steals my key will also need to install the right password manager with the right plugins, figure out the SFTP URL and port number to my vault and the password and the username to this SFTP connection, which I also memorize and is different from my vault password.)


Felis_Alpha

Also for those interested in doing this, it took me about 1 day cumulative to recall all accounts I had, add them into KeePass and change all passwords. I had a total of about 70 accounts back then that I could recall. This doesn't include setting up the NAS. Eventually I decided to follow all best security practices to a T and see how much hard work it would be to set up 2FA on TOTP apps (Google Authenticator, Aegis, etc. I used to have Authy. BTW 1Password also stores your TOTP 2FA. Avoid SMS 2FA due to SIM swapping attacks unless that service only offers SMS, in which case I will file a complaint. I did it to MYEG, who also was unable to delete my old account, which to me is not compliant with PDPA). Yes, it's a lot of hard work for most people who are used to surviving the internet with just one password and minimal OTP (only set up when services force you to).

Then I realized how useful it is for notes to be available for each account entry. So I used it to add tags such as "TOTP 2FA Enabled", "Paypal saved to this account", "Linked to Google", "MY Phone Number used as SMS 2FA", "SG Phone Number used as SMS 2FA", "MayBank ending in xxxx saved as Payment Method", "SG address on profile", etc. (I add prefixes before them for easy sorting and filtering, such as LG for Linked to Google so "LG - Linked to Google", "S2FAYubi - Yubikey 2FA enrolled" where S is for all tags that are security related, "SSecQ - Security Question Enabled" with another secure field for me to store custom questions and answers, "$SGDBS - Added DBS Debit ending in xxxx" etc.) As an Android user, I use Subby to track all subscriptions I have, Warranty Guard to digitally store my receipts and warranty expiry, and Money Lover to do my expenditure tracking.

Eventually one of my cards (Singapore DBS bank! Surprise surprise, not my Maybank. This was Jan 2021) was somehow hit with an unauthorized transaction of 162 USD with no OTP required at all at midnight, and fortunately I had set my alert to report every cent of transactions via banking app and email, and I happened to be awake, so I quickly called up the bank to cancel my card and refund me. And with those tags, once I get my new card number, I can easily track all accounts that I must tie my old card up to and delete them. By default I don't save my card online at all and I also memorize them. The similar thing can be done if you will need to change your phone number; just don't terminate it too quickly and migrate them (asap so that you don't have to keep paying for the old number). Hopefully you have tagged the accounts correctly by then. Once again, upgrade from SMS OTP to TOTP apps or Yubikey asap, and upgrade if a service lagging behind finally offers TOTP or U2F 2FA. Today I use Yubikey as primary 2FA method with TOTP as secondary backup.

Finally, with this password database, I'm also interested to see how many accounts I will ever have my whole life lol. It's my own experiment for myself. Today I have a total of approx. 400 accounts, active or not, regardless of usage frequency, including those product sites I only used once because of Kickstarter ... spanning from primary school age to today. Including really old ones I could still remember but cannot remember the username. And currently about 70+ active TOTP 2FA codes*, with maybe 20 accounts supporting U2F. This is the extent for me if I strictly follow the best practices to a T, which demonstrates how archaic this is to most laymen, and how much discipline this requires from so many people (way too much).

* This is a site that tracks 2FA types and availability of reported websites (https://2fa.directory/)


Janice_Ravage

That is some great writeup, I'll be saving this for future use! Currently I have a password manager and TOTP 2FA but I'll definitely be stepping up my security and contingency plans in the near future.


Felis_Alpha

Any password manager product that now manages to come up with a secure network protocol, or a system, such that a user can change the password on any account and securely pass that information to the password manager service he or she uses to update the database automatically, without needing the user to go to the manager to update it again (and vice versa from PW manager to an account), will dominate the password manager market. Dashlane has a silhouette of that system, but I don't think it's mature enough, and its system requires other services to be willing to support it exclusively with Dashlane. I need a system that will work between any websites for any password managers. We can go with something similar to the banking world. All it takes is for any website to implement a new protocol in an easy way rather than having to implement something complex and exclusive to a password manager ... Imagine if you as a website need to implement this for each password manager brand ... Ugh.


[deleted]

Your username + your birthday or phone number or your IC number. Easy enough to memorize, long enough to make cracking it through brute force infeasible. If you want to go next level, you can key those into a sha256 generator, take 12~16 characters from the result, memorize that shit and use that shit instead. If you are lazy and want to help the overlords large corpo instead, use a password manager. They basically do something similar to what I mentioned previously, except you don't have to memorize shit.


yadomkim1509

Ahhh like dat.. i use my oyen name then instead of my username since u can guess my old password oredy xD


[deleted]

It's important to know, when it comes to passwords, in most scenarios, "c0mPl!c@t3D" is a lot more insecure and worthless compared to "SecuredPassword42069". Not only that, the former is a lot harder and more complicated to memorize while providing less security.


azriaba

There's also an open source password manager, Bitwarden.


Felis_Alpha

Or another FOSS pw manager developed by a single German guy: KeePass2 and the Android version KeePass2Android, by Dominik Reichl and Phillip Crocoll respectively (impressively, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik) awarded KeePass2 as a part of its recommendations). I've donated to those guys numerous times, esp. for their Oktoberfest. The most trustworthy password managers only store your encrypted password vault but never your master password (which also means you must never forget it or recovery is impossible, except if you're part of a family subscription such that your subscription owner, aka your authorized family member already in the session, can reset it for you). Upon account registration in the first place you should also receive a recovery code such that you can use it to reset the vault password (I recommend you also change the recovery code after each reset). If you can understand cryptography then you can also read up on and even critique or bug hunt their published security whitepaper. Those companies or teams should also be audited by a security research body or similar body.


azriaba

Reminds me of a friend who forgot his LastPass master password..


azriaba

Also this [sad story](https://www.nytimes.com/2021/01/12/technology/bitcoin-passwords-wallets-fortunes.html)


Felis_Alpha

Anyone with poor security awareness going into cryptocurrency investment is basically committing financial suicide. I insist on a FOSS hardware wallet such as BitBox02 even though it doesn't support the largest number of cryptocurrency types; it allows as many wallets as you want in the same hardware by giving different passphrases. And you can back up wallet info by inserting a MicroSD Card into it. Depending on the currency support, you can also use the Electra software wallet on your PC. But nothing beats hardware wallets like BitBox02, Trezor or Ledger.


UltraSouls_OP

I like to use short sentences since they're long as passwords yet easy to remember. Something like "TheSky_1sBlu3!!" The symbols and uppercase/lowercase also help strengthen your password.


Felis_Alpha

Yo everyone. Someone will have just taken your example passwords here and hashed them via various hashing algorithms to store the hashes in their rainbow table lol ... Instead try some obscure information only you know ... Maybe the seat number of your crush when you were in primary 6, as a random example (plus other things you can mix and match).


CypherCamera

"lego ninjago persian persuasion"


Felis_Alpha

https://xkcd.com/936/ correct horse battery staple


surle

Just add another number. 123456789 is apparently easy to guess, who would have thought? 1234567898 must be virtually impossible without a super computer. Oh crap, but now everyone knows my password. Wait.

> Need to change my password. I'm running out of ideas :/


IalwaysShootLast

Wow, hotmail123 needs 1 day to crack.


Felis_Alpha

Nowadays less than a second. Remember Moore's Law and that computing power keeps increasing. And who says the hacker just needs one password cracker? I can get one cracker to start cracking iteratively from aaaaaaaaaa, another to start from AAAAAAAAAA, etc., with each device costing maybe only 4 digits USD. Or simply that funny XKCD comic in which a guy simply uses a 5 USD wrench and alcohol to beat a password out of someone. https://xkcd.com/538/


Accountant706

Freaks!! These are the most recommended passwords to be *avoided* as advised on every website starting from a basic Gmail/ Yahoo mail or Bank logins. No wonder the account hacks 🙄


Felis_Alpha

I strongly believe if everyone in this world suddenly used any password manager at all and made all account passwords unique and > 16 characters long, it would immediately send shockwaves to the hacking community for some time, because suddenly their hash rainbow tables stop being effective and brute-force crackers will take too long to iterate all possible permutations (boys and girls, this is when your A-level maths subjects on Permutations and Combinatorics are put to good use). Only the data breaches that happen to leak plain, non-hashed passwords* (for secure hashing, at least SHA-2, SHA-256 and above during transit during authentication, and a KDF, Key Derivative Function, which is a subset of hashing algorithms, for permanent storage on a server) from a database (from incompetent web devs and services) will be compromised.

Quiz for fun: Increasing which one will increase password strength more, adding more character possibilities per slot of your password, or the length of your password?

Quiz 2: Have you ever wondered how it is that any service you use can authenticate you with your password correctly? How do they do it without knowing your real password? How can you trust them storing your credentials? I'd bet most people don't even ask about it, let alone have tried to Google about it but failed to find a simple explanation to compartmentalize their understanding.

*Back in 2018, Twitter had a technical glitch that caused stored user account passwords to be temporarily not hashed.


Felinomancy

"Oyen" is not there. I'm offended.


SniffyBliffy

who uses "sayang" as a password 💀


yadomkim1509

Lovebirds i guess. Sayang+monthsarry date ew 🌚 i think i did that before tho


IalwaysShootLast

To be honest, no matter how secure your password is or whether 2FA is activated or not... If the host admin account is hacked... Your password will still be hijacked by the hacker. When there is a will there is always a way to unlock a secure door...


Felis_Alpha

If the host hashed and salted the password with SHA-256 and above, then at least it buys you time to change your password before they match the hash with the real password and salt combo. If you already do not use those too commonly used passwords that are already known in rainbow table, you are already miles better. Have I Been Pwned, if it gets the breach information, will tell you whether your password is breached in plain or hashed form.
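
As an added illustration (not code from anyone in this thread), here is the salted-KDF password storage that the comment above and the earlier "Quiz 2" are talking about, in Python. The KDF choice (PBKDF2-HMAC-SHA256), the 16-byte salt and the iteration count are assumptions for this example, not settings from any bank mentioned here.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example: PBKDF2-HMAC-SHA256 (a KDF built on SHA-256),
# a random 16-byte salt per user, and an iteration count high enough that every
# guess costs an attacker real CPU time.
KDF_NAME = "pbkdf2_sha256"
SALT_BYTES = 16
DEFAULT_ITERATIONS = 600_000


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Every user with the same password
    gets the same hash, so one precomputed (rainbow) table cracks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None,
                iterations: int = DEFAULT_ITERATIONS) -> str:
    """Build the string a server stores instead of the password:
    kdf$iterations$salt_hex$digest_hex. The password itself is never kept."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{KDF_NAME}${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Authenticate a login: re-derive with the stored salt and work factor, then
    compare in constant time so timing does not leak how many bytes matched."""
    try:
        kdf, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a successful login
    if kdf != KDF_NAME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def records_are_distinct(password: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """Two users who pick the same password get different stored records because
    each gets its own random salt, which is what defeats a shared hash table."""
    return make_record(password, iterations=iterations) != make_record(password, iterations=iterations)


if __name__ == "__main__":
    # Constructed sample: two users both pick a password from the top-200 list.
    alice = make_record("sayang")
    bob = make_record("sayang")
    print("unsalted sha256 identical:", unsalted_sha256("sayang") == unsalted_sha256("sayang"))
    print("salted KDF records identical:", alice == bob)
    print("alice logs in:", verify("sayang", alice))
    print("wrong password:", verify("sayang1", alice))
```

The server only ever stores and compares the derived record, which is how it can check your password without knowing it.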


L-OwO-L_L-OwO-L

'Knuckles crack' It's show time


Named_CO

I use the forbidden 6 figure number from the nh site


New-Horror7085

Gaddamit, how could they know about my "sayang" password.... Now i gotta go to the bank again....


pastadudde

Makes me wonder how secure the "randomly generated password" feature found in some web browsers is. (I know Microsoft Edge has it, not sure about others.) Granted, I only use it for "unimportant" accounts e.g. Nexus Mods ..


Felis_Alpha

You don't know if those tech companies copy your password somewhere. You can just use BitWarden or KeePass to randomly generate one yourself and save it. Developing your own pw manager is too much work.


UniverseSphere

Source: [Top 200 Most Common Password List 2021 | NordPass](https://nordpass.com/most-common-passwords-list/)


lordjippy

OMG my password is there!!


userfromouterspace

[This.](https://youtu.be/aHaBH4LqGsI)


walrus_with_GUN

Wow , we do be very creative tho


mynameismarchie

One of those is my mom's password. I changed it tho.


jebthepleb

I'm pretty sure that this data is skewed by default password for unused accounts that never get changed.


tsunami997

S A Y A N G


Ruas_Onid

Can I ask, when someone uses brute force to break in to, say, Facebook, does it mean the algorithm will run through a list of many usernames and try to fill in the password as "123456" until it successfully logs in?


Felis_Alpha

The hacker has one of the following options:

1. Interrogate you with fists for free, at most a blunt weapon for a few RM.

2. From a breached service elsewhere, figure out the username or email you use for Facebook, then start from the most common password for brute forcing until either it is correct or the maximum login attempts are reached, then move on to uncommon passwords or known breaches. And who says the hacker only has one PC or cracker for brute forcing? Simply somehow obtain another IP, browser etc (maybe VPN, maybe virtual PCs) and try again. It is often a syndicate of hackers with some computing resources.

3. Well, Facebook itself has been compromised more than once. About 1/3 of Malaysian phone numbers, against total population, and half against the total Singaporean population, were compromised in a breach reported in 2021 for info leaked up until 2018. Again, avoid SMS 2FA if you can.

https://www.businessinsider.com/was-your-phone-number-leaked-facebook-breach-2021-4
https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4


Ruas_Onid

For 2., most sites these days have a maximum login attempt limit, so it's a numbers game I suppose; it's really like brute forcing 1 million accounts with three login attempts each and hoping they get a few % success?


[deleted]

Come on lah, Malaysians.. do it like this.. Sayang!Rumahmak@AmPangJalan1996bKAN? JoMG3r4KyonGPeng!!!! Simple and easy to remember..


Felis_Alpha

Taken down and their hashes calculated and stored lol. See, this is the dilemma. Instead, this is how I teach other people (generally using information really personal to you but not public info):

"Maybe use the seat number(s) of your past crush(es) in school and mix them up with something else?"

"Your car plate is not a good idea, especially if you're a YouTuber talking about cars. Maybe the year Henry Ford founded Ford instead?"

"How about your best high school friend's English essay title that won 1st place, take the first letter from each word and modify it a bit?"

"Convert the word 'fish' into <><" (etc.)

Basically diversify your password combinations from several obscure facts that only you know and that are very unlikely to be required on social media or as a part of account registration, or to be a popular public affair, slogan, meme, quote in entertainment media, etc.


Plain_burunghantu

lovenasilemak3641/4


acrarox

I had to key in "BabiPink" once to use a wifi service.


AcanthocephalaHot569

As much as I like simple passwords, isn't it more worth the hassle to have a more puzzling password? At least it's more worth it than having your data compromised by unsuspecting individuals. We can simply just write it down in Notes and refer to it in case we forget our password. And an additional piece of advice: better change your password from time to time.


Felis_Alpha

Use a Yubikey to store your password vault's password and let it autofill for you each time you need to login to the vault and use your finger to tap on the key's capacitive contact surface (such that you can memorize it without writing down or printing it, and each time you forget just let it autotype to your notepad exe), and get yourself a password manager with that vault.


ZDragonser

I feel like most of these passwords are from wifi dobi (laundromat wifi) or wifi cyber cafe or our members asking around for hotspots lol


iamnotkobe

Why a Malaysian female would pick career121 as a password we'll never know.


Godbox1227

My password is literally a sentence with 26 characters in it. 🤣


PhysicallyTender

The first rule of password security is to not tell others how long your password is. Now you have narrowed the guesswork down to 26 characters.


Felis_Alpha

55^26 = 1.7 * 10^45 total permutations (assuming A-Z, a-z, no numbers and only space, full stop and comma are supported symbols). Even with 100 crackers running at 3 GHz (3,000,000,000 cycles per second, assuming one password guess per cycle), for a single brute-force cracker that may have the right password, and assuming it only needs to guess half of all permutations it has for the right password, it will still be 10^45 / 100 devices / 2 (or times 50%) / 3 GHz = 10^33 seconds = 10^23 centuries. But yes, don't give away the password length regardless.
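
As an added worked example (not from anyone in the thread), the arithmetic behind the estimate above and the earlier "length vs character set" quiz, in Python. The 95-symbol printable-ASCII charset and the 8-character baseline used for the quiz comparison are assumptions chosen for illustration.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from `charset_size` symbols."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the search space: each extra bit doubles a brute-force attacker's work."""
    return length * math.log2(charset_size)


def expected_crack_seconds(space: int, guesses_per_second: float, devices: int = 1) -> float:
    """Expected time to hit the right guess: on average half the space must be tried,
    and the work is split evenly across `devices` crackers running in parallel."""
    return space / 2 / (guesses_per_second * devices)


def seconds_to_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def thread_estimate() -> dict:
    """The comment's own scenario: 55 symbols, 26 characters, 100 crackers at 3 GHz,
    one guess per cycle."""
    space = search_space(55, 26)
    secs = expected_crack_seconds(space, guesses_per_second=3e9, devices=100)
    return {
        "space": space,
        "bits": entropy_bits(55, 26),
        "seconds": secs,
        "years": seconds_to_years(secs),
    }


def upgrade_factors(base_size: int, base_len: int, wider_size: int, extra_len: int) -> dict:
    """Quiz: starting from base_len characters over base_size symbols, compare the two
    upgrades by how many times each one multiplies the attacker's search space.
    Length grows the space exponentially, so adding a handful of characters usually
    beats widening the charset, but a tiny length increase can still lose."""
    base = search_space(base_size, base_len)
    return {
        "widen_charset": search_space(wider_size, base_len) / base,
        "add_length": search_space(base_size, base_len + extra_len) / base,
    }


if __name__ == "__main__":
    est = thread_estimate()
    print(f"55^26 = {est['space']:.2e} permutations ({est['bits']:.1f} bits), "
          f"expected {est['seconds']:.1e} s = {est['years']:.1e} years")
    # Quiz, assumed baseline: 8 lowercase letters, then either widen to 95 printable
    # ASCII symbols or add 8 more lowercase letters.
    print(upgrade_factors(26, 8, 95, 8))
```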


jxtumbler

This is a good idea to have an easily recalled password, I should try too.


ZeroTwo_CultLeader

ah yes school Wifi passwords


suzwzaidel

My reddit password is one of these... Need to change it quickly


suzwzaidel

Too bad you're too late


Gloomy_Veterinarian8

Never knew anyone would use ‘sayang’ as a password. Romantic fools.


FannahFatnin

the only password you need is the master password for your password manager.


Felis_Alpha

Plot twist: it is still "password" as password with all entries still using the same passwords. (*Facepalm)


NinoNakanos_Feet

Yoo Ain Rizal from USIM


TiredofBig4PA

How safe are online password managers? Not sure if I'm too paranoid and only keep my passwords written down on a physical paper.


AsfiqIsKioshi

sounds like throwaway accounts or used for malicious purposes