Password madness!



Blackvans1234
12-06-2017, 03:22 PM
Anyone else stressed out by the constant required password changes when it comes to email, facebook, etc?

The progression of my password over the years has been something like this:

Password: apple

.......a year later.....
"To increase security, please add a capital letter to your password"
Password: Apple

.......a year later.....
"To increase account security, your password must be longer than 5 characters, please change your password"
Password: Appleapple

.......a year later.....
"To increase account security, your password should have a non letter character such as a number, please change your password"
Password: Appleapple1

......a year later.....
"To increase account security, your password must have a special character, please change your password"
Password: Appleapple1!

Across all my different password-requiring applications, I have a variety of versions of passwords; any time my autofill "forgets" my password, I have to go through the list of password variations. Of course I end up getting it wrong three times, and then I have to decipher the security captcha image...

Will the madness ever end?

vangogh
12-07-2017, 10:05 AM
It's not madness. It's to help protect you (and everyone else who uses the sites) by enforcing tighter security. A password like apple can be cracked in seconds and a password like Appleapple1! might take a few minutes.

I understand having so many different passwords can get confusing. There are password management apps you can use. The apps will generate long secure passwords. You only ever need to remember the one master password that unlocks the app. Two popular ones are 1Password (https://1password.com/) and LastPass (https://www.lastpass.com/). Both charge a monthly fee and I think they work on macOS/iOS and Windows/Android.

Harold Mansfield
12-07-2017, 02:25 PM
I agree it's madness, but necessary. I agree with VG that a password manager is a good idea, although anything with a single point of failure bothers me.
I have been using LastPass recently, but I don't put everything in it.

I keep my critical stuff to myself and use two-factor on some things as well, including multiple U2F security keys.

I recently followed a 30 Day security challenge by Shannon Morse, and day 13 is about password managers.
May be helpful.


https://www.youtube.com/watch?v=OCM-Q0_8xik

Paul
12-07-2017, 10:08 PM
I agree it's madness, but necessary. I agree with VG that a password manager is a good idea, although anything with a single point of failure bothers me.


I can’t see trusting an online password mgr. Although I have no idea of the tech involved it still seems like a single hack gives away all your info.

I did use the same or similar password for all my accounts until PayPal was hacked and they stole a couple thousand, a few hundred dollars at a time (PayPal refunded me immediately). They told me the hackers probably got the password by hacking some other account.

I have too many to remember, which is why I used just one. But now I gave myself a very simple system. I actually have them listed on a document in my Word file. I know, sounds stupid because a hack would reveal all passwords. But what I did was write down the first letter of a word or name, then the numbers and/or symbols. I can remember what word or name each letter means. So on my sheet a password looks like this: L345, but I know the actual password is Larry345. Or N234# means Nancy234#. I figure even if my sheet was hacked they’d have to figure out what the letters meant and then would have to do a lot of guessing to get it right. Basically I just have to remember what the letters represent, which isn’t too difficult. Of course I don't use the same pass more than once anymore. I do similar for user name unless it's my email.

Harold Mansfield
12-07-2017, 10:29 PM
It is incredibly hard to hack a decent password. Doing it cold, without any social engineering or other kinds of information reconnaissance, literally amounts to running huge lists of words and hoping to find a match or matching combination. Add in variables like case, numbers, and special characters, and the fact that you have no idea where to start, and it could take 10 minutes or 10 years.

It also takes incredibly powerful computers.

It is honestly the last resort because there are easier ways to hack someone or a system.

Fulcrum
12-08-2017, 07:45 AM
Last password I made I wrote out 10 random numbers, letters, and symbols verbally. It took me about a month to finally memorize it.

Harold Mansfield
12-08-2017, 02:11 PM
My password process is pretty convoluted on purpose. Besides my personal accounts, there are dozens of client accounts and multiple business accounts.
But I can share a couple of tips that I suggest to clients and business associates. Anyone who needs more details on each just ask.

Separate personal and business accounts completely. Devices, social media, emails and phone numbers.
It should be like two completely different entities. (most people don't listen to this).

Password managers are OK. I personally only use one for certain, non critical accounts.
For critical accounts, such as those that control my devices, financial accounts, computer logins, MS, Google, and other accounts that are important to using my computers, I use 2-factor authentication on ALL of them and use FIDO U2F security keys when it's supported.
https://www.amazon.com/gp/product/B01M1R5LRD/ref=oh_aui_detailpage_o00_s00?ie=UTF8&psc=1


If you are intent on storing a master list of your stuff on your computer, use encryption and password protect the folder.
If you have a NAS there are instructions for each on how to do that.

For Windows users, Windows 10 Pro comes with BitLocker.
You can also use VeraCrypt, although it can be a bit "techy".
https://www.veracrypt.fr/en/Home.html

Or you can follow this tried and true method:
https://www.laptopmag.com/articles/password-protect-folder-windows-10

This will also work for USB drives.

If you need help creating strong passwords there are a ton of random password creators online such as:
https://lastpass.com/generatepassword.php

For passwords that you need to remember frequently, use long phrases such as song lyrics and movie quotes that only YOU know are special to you. Don't use common phrases and quotes that everyone uses. If you're a Black Crowes fan (for instance) and everyone knows it, then don't use lyrics from their songs as your phrase. Long passwords are ridiculously hard to crack.

Last point: all the security in the world is only as effective as the weakest link. If the company or account or service that you are using is hacked, you are essentially screwed too. Especially if you use the same email and password across multiple accounts.

You can find out if an email or username that you use has been hacked and posted on the "dark web" with this site:
https://haveibeenpwned.com/

If anything shows up, change that password, or even better delete the account if you no longer use it.

You can hear security tips all day long, but they are worthless if you don't implement them. Yes, it can be time consuming. However, wanting everything to be easy like a Ron Popeil appliance is why so many people are sitting ducks.

If your attitude is "I don't have anything that anyone could possibly want" then you are the weakest link of all your family, friends, business associates and the company you work for. To get to them, (if I was a bad hacker) I'd target you. Just something to think about.

cbscreative
12-09-2017, 04:00 PM
If your attitude is "I don't have anything that anyone could possibly want" then you are the weakest link of all your family, friends, business associates and the company you work for. To get to them, (if I was a bad hacker) I'd target you. Just something to think about.

This is probably one of the leading excuses for bad security. Aside from Harold's point about this attitude putting others at risk, there is a multitude of reasons hackers want to break through. One of these is to commandeer weak computers and make them part of a zombie network. If your computer is attacked in this manner, you could become a channel for spam blasts or worse, criminal activity. Imagine getting a knock on your door from the FBI for something you know nothing about. Yes, that does happen. You may even lose your computer during the investigation.

Sometimes, you need to listen to us "scare mongers" because the "I don't have anything someone wants" attitude is exactly what someone out there is looking to exploit. Being an easy target is dangerous.

Harold Mansfield
12-09-2017, 05:34 PM
This is probably one of the leading excuses for bad security. Aside from Harold's point about this attitude putting others at risk, there is a multitude of reasons hackers want to break through. One of these is to commandeer weak computers and make them part of a zombie network. If your computer is attacked in this manner, you could become a channel for spam blasts or worse, criminal activity. Imagine getting a knock on your door from the FBI for something you know nothing about. Yes, that does happen. You may even lose your computer during the investigation.

Sometimes, you need to listen to us "scare mongers" because the "I don't have anything someone wants" attitude is exactly what someone out there is looking to exploit. Being an easy target is dangerous.

Excellent point.

The most common attack against networks is DDoS, Distributed Denial of Service. In short, this means a hacker summons the power of hundreds, thousands or millions of computers AND/OR devices and makes them all send requests to one target. The server gets overloaded and either locks up so that no one can access it, or shuts down. This can also open a hole in the security to allow an attacker into the network.

Hackers who use this method don't own thousands of computers; they are using yours. Little scripts that lie dormant on your computer, that you don't even know are there, lie in wait to get the signal and send out attacks. Most times you will never know it's happening or that you've even been infected.

The Dyn DNS attack that shut down thousands of websites last year was a series of multiple DDoS attacks that used the hundreds of thousands of Internet of Things devices that had already been infected. Things like wifi cameras, baby monitors, home automation devices, and so on.

It's literally just like the movie Independence Day. The invading aliens first crippled our communications by using our own satellites against us, using them to send their own signal for attack. A DDoS attack is the exact same thing: using our devices against us to execute the attack.

So, maybe you personally don't care about your own privacy, but you still have a responsibility to NOT be a catalyst for others to be attacked. Take your security seriously.

Use common sense security. Don't download free stuff that you know is not supposed to be free. Don't use free music and movie sites...these are some of the most successful ways to continually infect thousands of computers. Don't just buy and connect anything to your network because it's cool. Check its security. Check reviews. Vet the manufacturer. Take old devices offline.

If you are connected to the internet in any way it's not just about you. It's about all of us.

Something else to think about: large businesses are doing something about it and are increasingly hard to hack. Small businesses and individuals are doing nothing, and it's why attacks on people and small businesses are skyrocketing. Easy targets.

If your company network, or computer is breached, what kind of info would a hacker get about you, your business, your associates, your family, or know about your life in general?

Don't ignore your security because it's too hard or too time consuming or because you're mad that we have to do all of this now. We've always had to, we just didn't. Now we have to catch up and get smarter.

Paul
12-11-2017, 04:14 PM
Interesting info about comps being used to attack other comps. Something most of us non-tech folks would never know about. For basic security what do you recommend: Norton, PC Matic, or what? I mean for the NON-tech people.

I don't do anything hi-tech but I use the comp extensively basically for documents and presentations and communications. Nothing too secret or valuable to a hacker BUT I do have to keep records that include a lot of personal info for clients and investors including ss#s, address, financial info, bank info, wire transfer info, copies of checks, spouse info even copies of signatures etc.

I do NOT keep that info on a computer (just paper files, boxes full of paper) for fear of a hack. Would love to know of a foolproof way to keep it in PDF form on the computer.

Harold Mansfield
12-11-2017, 05:52 PM
...BUT I do have to keep records that include a lot of personal info for clients and investors including ss#s, address, financial info, bank info, wire transfer info, copies of checks, spouse info even copies of signatures etc.

I do NOT keep that info on a computer (just paper files, boxes full of paper) for fear of a hack. Would love to know of a foolproof way to keep it in PDF form on the computer.

All of those things are very valuable to a thief for a variety of reasons. It's actually a treasure trove of information that someone can do a lot with.

Sadly nothing is foolproof, but that doesn't mean it's hopeless. For me it's about making it too much trouble for the average malicious hacker looking for an easy opportunity, and being able to recover quickly should disaster strike.

The following are my preferences and recommendations and by no means the only way to go.

On a Windows computer Windows Defender is pretty good. They keep it updated and are very quick about security patches.
I'm not a big fan of Norton or any of the others that you mentioned anymore for PCs. Just a personal choice. If I were to use a 3rd party antivirus I would probably go back to Avast.

Additional tools you can use are Malwarebytes, as an additional scan to run every now and then. Keep your browsers updated and use extensions like HTTPS Everywhere (https://www.eff.org/https-everywhere) and a pop-up blocker.

Be careful about clicking on emails, following janky social media links, downloading things, sticking things in your computer (flash drives and such), and use a VPN when on any wifi other than your own, and so on. A lot of this is just keeping software updated and using common sense.

For securing your documents and anything else of importance I recommend a 3-2-1 backup plan.

1. A copy on your password-protected computer. You can use password-protected folders (see previous post) and you can password protect PDFs.
2. A backup copy on a NAS (network attached storage) that you can set encryption on (just about every NAS has encryption). Anything from a multi-disk NAS to a pocket-sized backup drive is better than nothing.
3. A copy offsite or a cloud backup. The free cloud storage that comes with MS Office and Apple products is good for the basics. But you may want to get your own service too if you want more features and to back up everything.

The premise of the 3-2-1 plan is that you won't experience a failure of all 3 at the same time, and if your main computer becomes infected and/or unrecoverable (as with ransomware) you can easily take out, destroy, and replace the hard drive and grab one of your other 2 backups to get back up and running quickly. (keep your Windows key handy so that you can reinstall Windows).

And set regular backups on your computer.

Nothing wrong with paper. While it is hack proof, it is also fragile. Maybe think about getting a fireproof safe.

Owen
12-11-2017, 10:23 PM
I have like the same three passwords lol. When I need to make variations I make variations that I can remember. Never really had the issue of forgetting passwords / pins.

cbscreative
12-12-2017, 10:37 AM
I'm with Harold on not liking software such as Norton. Some virus writers create their bugs specifically for Norton so you can get infected undetected. Harold also mentioned Avast. I agree, that would be a good choice.

Owen
12-12-2017, 03:12 PM
I don't use virus software, period. Windows comes with its own virus software that works just fine. Don't want malware or viruses? Don't go on sketchy websites, open stupid emails, or download things that you don't know enough about. Ez

Fulcrum
12-12-2017, 03:52 PM
Don't want malware or viruses? Don't go on sketchy websites, open stupid emails, or download things that you don't know enough about. Ez

But it's not that easy. How about malicious code buried in advertisements shown on news sites? Even with Adblock Plus, some redirects still squeak through.

Owen
12-12-2017, 04:05 PM
But it's not that easy. How about malicious code buried in advertisements shown on news sites? Even with Adblock Plus, some redirects still squeak through.

What websites are you going on that have ads like that? I don't look at the news on my computer; I mostly do web design, school work, etc. on my MacBook. As for my PC, I mostly download Steam games. Everything else is on my phone. People will fall for the website that locks you out of your computer and says it's Microsoft, because no one knows you can Ctrl-Alt-Delete and close it with Task Manager. It's easy for me to understand computers, probably because I grew up with them, but why is it so difficult for older people to understand them? Why is it so foreign?

Fulcrum
12-12-2017, 04:16 PM
I have a "throw away" yahoo email address. If I leave the Yahoo home page open, or scroll through, there will be well over 100 blocked ads. I have had a virus come in through one of these ads before (hence the Adblock software).

Harold Mansfield
12-12-2017, 04:16 PM
But it's not that easy. How about malicious code buried in advertisements shown on news sites? Even with Adblock Plus, some redirects still squeak through.

I would argue that those aren't trustworthy news sites and you shouldn't be visiting them if that's the level of sketchy behavior they exhibit. Typical ad code is going to have trackers and such, but it shouldn't be anything malicious or the new thing...using your browser to mine for bitcoin without telling you.

Most legitimate news sites aren't going to do that and risk pissing off their readers. Privately owned blogs do that.

Sometimes sites get infected and the owners don't know it, but typically large organizations are on top of it.

Still, if you keep your browser updated, use a VPN on sites you aren't sure of or when not using your own wifi, use HTTPS Everywhere, and keep your browser free of rogue browser helper objects, you really shouldn't have many issues like that. Most bad things are invited in. Meaning you did some action (or neglected to do some action) to let them in. It's rare for something to infect your computer without you doing something to let it in.

Harold Mansfield
12-12-2017, 04:35 PM
I have a "throw away" yahoo email address. If I leave the Yahoo home page open, or scroll through, there will be well over 100 blocked ads. I have had a virus come in through one of these ads before (hence the Adblock software).

Yahoo is THE WORST. Stop trusting them. It's spam central. They've already been hacked multiple times and EVERY user account compromised. Biggest hack in history.

I would throw away and burn anything that has to do with Yahoo with the exception of their Fantasy Sports platform, and even then ONLY use a Yahoo email address for just that and nothing else. I would not use that email address even as a throwaway. It's burned.

By the way, it's owned by Verizon now. So expect a bunch of Verizon marketing to you very soon. Verizon is also a proponent of repealing Net Neutrality and has questionable privacy practices.

In case you can't tell, I'm not a fan of Yahoo.

Owen
12-12-2017, 10:32 PM
I have a "throw away" yahoo email address. If I leave the Yahoo home page open, or scroll through, there will be well over 100 blocked ads. I have had a virus come in through one of these ads before (hence the Adblock software).

No. No more Yahoo. It's going to go away and get turned into @verizon.net emails. Go to Gmail with the rest of us.

Fulcrum
12-13-2017, 07:39 AM
Gmail wasn't any better for spam. Rather than malicious ads I was getting targeted spam.

Paul
12-13-2017, 11:19 AM
I've had yahoo for many years. Would love to leave but so many use my yahoo email name. Would be a pain, like changing a phone #. I've been using PC Matic as security; don't know if it's any good, but so far I haven't had a problem. Not knowing much about that, I just went with the commercials they do, the made-in-America thing.
I do get these little pop-ups at the bottom that say "file execution blocked". I assume that is PC Matic blocking something bad, but I sure don't know.

Harold Mansfield
12-13-2017, 12:35 PM
I've had yahoo for many years. Would love to leave but so many use my yahoo email name. Would be a pain, like changing a phone #. I've been using PC Matic as security; don't know if it's any good, but so far I haven't had a problem. Not knowing much about that, I just went with the commercials they do, the made-in-America thing.
I do get these little pop-ups at the bottom that say "file execution blocked". I assume that is PC Matic blocking something bad, but I sure don't know.

I hear what you're saying and understand. I hear it all the time. "I've had this email address for years, I don't want to change it". That's fine. We're just giving you the lay of the land.

If you use email you're going to get spam. That's just the way it is. Especially free email because with free email you are the product.
I'm not promoting gmail, but I've used it for years and spam goes in the spam folder. I rarely get anything to my inboxes that I haven't asked for or given my email to. It's very easy to train gmail to allow or not allow certain emails and the new updates to the mobile app make it really easy to unsubscribe from emails.

IMO, the best solution for any business is private email. If you want to really get on it, a private email address with a business solution like G Suite, Rackspace, or MS Exchange is the best way to go for safety and professionalism. It's not very hard to forward your yahoo email contacts to your private email and slowly wean your contacts into using it, and use better habits with that email.

I say run your email address (and your backup email address) through https://haveibeenpwned.com/. If it comes back clean, and Yahoo works for you then carry on.

I just ran my Yahoo email address through it and it came back clean. However I ran the backup email address on my Yahoo account through it, and the Yahoo breach came up and that email came back as compromised.


I'm just giving my opinions and admittedly my tin foil hat is a little tight these days. You have to do what works for you.