Bitcoin Forum

Other => Beginners & Help => Topic started by: AwkwardSituation on October 09, 2012, 03:53:54 PM



Title: Do not use same username and pw ANYWHERE
Post by: AwkwardSituation on October 09, 2012, 03:53:54 PM
Seriously.  The number one way to get owned is to use the same username and password, email and password, etc., on sites like here, and your mining pool, or email and Facebook.  It negates the purpose of having a username and password if they are all the same.  We can't trust that the websites, and their databases and the traffic going between them are secure, so why not add a little fun to would-be hackers trying to get your bitcoins by using a bunch of different passwords.  We are often locked into using the same username often times because it is our email address, but the password we can control.

You can use a computer NOT connected to the internet to run a program like KeePass to store all your different usernames and passwords; there are a lot of free password management programs.  Smartphones have them too and if you don't install untrusted applications on your phone you can be "fairly" sure your smartphone is secure, though that's not guaranteed by any means either.

DO encrypt your bitcoin wallet and back it up.  Use a silly passphrase, not a password to secure it. 

That's all, god damn I'm tired of saying this.  Key loggers fucking suck.


Title: Re: Do not use same username and pw ANYWHERE
Post by: Belami on October 09, 2012, 03:56:31 PM
Did you have a bad experience with this?


Title: Re: Do not use same username and pw ANYWHERE
Post by: pekv2 on October 09, 2012, 03:57:21 PM
lol.

I had a thread written up and was stickied, but members kept trolling it, I ended up clearing the OP and locking it. Let's see how many more threads like this one here pop up. You can thank the mods for not cleaning up the OT posts and trolls.


Title: Re: Do not use same username and pw ANYWHERE
Post by: RaTTuS on October 09, 2012, 04:07:55 PM
Just get yourself a LastPass [free] account and use it.


Title: Re: Do not use same username and pw ANYWHERE
Post by: nobbynobbynoob on October 09, 2012, 04:12:56 PM
Keyloggers are indeed pure evil, but good password management won't immunize one from those anyway, only multi-factor authentication (Yubikey, SMS verification, etc.) can do that.


Title: Re: Do not use same username and pw ANYWHERE
Post by: AwkwardSituation on October 09, 2012, 04:21:42 PM
Yeah two factor authentication would be nice to have everywhere, I use it for my Gmail account myself.  No I have never had a bad experience with this, but I have helped hundreds of people who have.

LastPass, KeePass, yeah good stuff.  Use it people.  Damn these forums get a TON of action, there probably aren't enough moderators man.....This is probably one of the busier forums I have seen.


Title: Re: Do not use same username and pw ANYWHERE
Post by: Handle on October 09, 2012, 06:49:58 PM
This is very important! Some years back I found some databases of forums via Google because the backup folders were not protected at all! One was from a forum with several thousand members. Sometimes it needs no uber-skilled crook to hack a site and steal their database, even admins of large sites can be lazy and / or careless so the best thing is always to expect the worst and choose a strong password you use only for that specific site. Tools for this (KeePass and so on) have already been mentioned here.


Title: Re: Do not use same username and pw ANYWHERE
Post by: ryann on October 09, 2012, 06:56:00 PM
The only way to stop a keylogger is by using key encryption software.


Title: Re: Do not use same username and pw ANYWHERE
Post by: WorldOfBitcoin on October 09, 2012, 07:02:17 PM
> The only way to stop a keylogger is by using key encryption software.

Or use on screen keyboard for important passwords


Title: Re: Do not use same username and pw ANYWHERE
Post by: ryann on October 09, 2012, 07:15:33 PM
> > The only way to stop a keylogger is by using key encryption software.
>
> Or use on screen keyboard for important passwords

On screen keyboards can still be seen by a trojan. If they are recording your screen they will see which buttons you pushed.


Title: Re: Do not use same username and pw ANYWHERE
Post by: Kontakt on October 09, 2012, 07:26:06 PM
It would be interesting to design a hardware solution to this; some sort of keyboard that transmits encrypted data that could be decoded by a plugin in the web browser that would print the cleartext in the fields selected.


Title: Re: Do not use same username and pw ANYWHERE
Post by: RodeoX on October 09, 2012, 07:31:07 PM
With the right hardware you can keylog just by reading the tiny amount of electromagnetic energy that bleeds off each time you strike a key.  Even if you're not connected to a network.


Title: Re: Do not use same username and pw ANYWHERE
Post by: Kontakt on October 09, 2012, 07:33:48 PM
With the right hardware you can keylog by looking over the person's shoulder with a satellite.


Title: Re: Do not use same username and pw ANYWHERE
Post by: nobbynobbynoob on October 09, 2012, 08:24:46 PM
> With the right hardware you can keylog just by reading the tiny amount of electromagnetic energy that bleeds off each time you strike a key.  Even if you're not connected to a network.

Electromagnetic shielding is available for the truly paranoid! (Probably only via the black market in some countries?)


Title: Re: Do not use same username and pw ANYWHERE
Post by: Foxtra on October 09, 2012, 08:31:21 PM
I didn't know LastPass, I just tried. It's amazing thx a lot.
EDIT : By the way, get one month free premium account for free signing here : https://lastpass.com/f?728556


Title: Re: Do not use same username and pw ANYWHERE
Post by: pre4ead on October 09, 2012, 09:14:10 PM
Are there potential vulnerabilities with LastPass? (eg if someone accesses your LastPass, they have all of your passwords). Is there a risk here?


Title: Re: Do not use same username and pw ANYWHERE
Post by: lakingsfan12 on October 09, 2012, 09:20:25 PM
> Are there potential vulnerabilities with LastPass? (eg if someone accesses your LastPass, they have all of your passwords). Is there a risk here?

At some point you have to trust someone.  It is scary to think that your passwords are all stored there - make sure your account password into LastPass is very complex.  According to their site, they use an encryption method that uses your password to encrypt your passwords in their DB so even if they were hacked, your passwords are "safe."

I have been using LastPass for at least 3 years now and have been very happy with it.  The only problem I find is when I am away from my computer and want to log into a financial site or something - I have no idea of my password and have to do a little jumping around to their site to find it - but it's worth it.


Title: Re: Do not use same username and pw ANYWHERE
Post by: MaxSan on October 09, 2012, 09:24:50 PM
lol LastPass

pretty sure was a LastPass account that got hacked which caused a fuckload of coins to be stolen from bitcoinica.

Stupid idea, nice way to make it easy for people to rob you, only have to log a single password and they gain all access.. magic.


Title: Re: Do not use same username and pw ANYWHERE
Post by: cedivad on October 09, 2012, 09:37:56 PM
> With the right hardware you can keylog just by reading the tiny amount of electromagnetic energy that bleeds off each time you strike a key.  Even if you're not connected to a network.

Try it and then tell me.
I know about the physics under the wood, but it's still fantascientific.


Title: Re: Do not use same username and pw ANYWHERE
Post by: dirtycat on October 09, 2012, 10:00:33 PM
So you're saying I shouldn't use the same username / pass at all sites I register with?


Title: Re: Do not use same username and pw ANYWHERE
Post by: defxor on October 09, 2012, 10:36:14 PM
> At some point you have to trust someone.  It is scary to think that your passwords are all stored there - make sure your account password into LastPass is very complex.  According to their site, they use an encryption method that uses your password to encrypt your passwords in their DB so even if they were hacked, your passwords are "safe."

Only your encrypted passwords are stored at LastPass. Since they don't have your key (the passwords are decrypted locally when you access them) it's impossible for someone to get your passwords from LastPass even if they hack their servers. They still need to somehow get your password from you.

> pretty sure was a LastPass account that got hacked which caused a fuckload of coins to be stolen from bitcoinica.

The password to the account was the same as a string visible in the leaked source code. That's extremely bad password management - of course your LastPass master password should be extremely secure and unique.

I'd also recommend using two factor authentication towards your LastPass account. Google Authenticator on an Android mobile is an easy and painless solution.

tl;dr: Use unique strong passwords everywhere. Never re-use passwords. LastPass helps you accomplish just that.