
[Closed] Changing online passwords following EMMA Breach

Posts: 13287
Free Member
Topic starter
 

I got an email telling me that EMMA had their systems hacked so the mattress I ordered meant my name, address, password and credit card were on the black market. I thought I would have a quick clean up and purge of accounts and change the passwords on those I still use.

Sodding loads of them and none have a "DELETE MY DETAILS" button.

Any clever way to get these to remove my accounts from their systems or is it just an email to every info@...com on the list?

 
Posted : 25/03/2022 8:09 am
Posts: 0
Full Member
 

If they have got your full CC and address details already then changing a million passwords won't help.

Cancel that CC and get it reissued would be my first port of call...

 
Posted : 25/03/2022 8:19 am
Posts: 10255
Free Member
 

As above, changing your password isn't enough, you need to cancel the card. If you are a password re-user then you need to go and reset the password everywhere that used the same password 🙁

For deleting your details it is largely a manual process of emailing support if there isn't a button available. It's painful given how easy it is to sign up.

And if you haven't done so already get yourself a password manager so all your passwords can be different. It just reduces the risk because sites are getting hacked all the time.

 
Posted : 25/03/2022 8:28 am
Posts: 13287
Free Member
Topic starter
 

CC being cancelled and reissued already. Just thought I would purge my accounts as a precaution

 
Posted : 25/03/2022 8:32 am
 ji
Posts: 1408
Free Member
 

It's usually quicker to deliberately enter the wrong password 3, 5, 10 times until the account gets locked.

 
Posted : 25/03/2022 1:10 pm
Posts: 0
Full Member
 

Thing is - if they already have your name, address and CC what could they gain by logging into a long dead account?

I quite often get warnings from my browsers etc that this password and that password could well have been compromised. So the hacker can log into a reptile forum and pretend to be me - so what. Would take me too much effort to track them all down and change them.

Much more important is to go through any accounts you do actually use and change those but then I change my passwords regularly so the ones that flag as compromised are very old passwords that would no longer be valid for any current account.

In other words - focus your time and effort protecting accounts that do matter and not ones that do not.

 
Posted : 25/03/2022 1:25 pm
Posts: 1070
Full Member
 

+1 on the password manager. As well as storing your passwords and autofilling sites for you, they will also generate secure passwords and let you know if any of the ones you have stored are duplicated or weak.

Of course if the password manager ever gets hacked.....

 
Posted : 25/03/2022 1:53 pm
Posts: 13594
Free Member
 

Websites don't normally store the CVC number and with the new SCA (Strong Customer Authentication) which has just become mandatory, a CC number on its own won't be that much use as the provider should refuse any online purchases without 2-factor authentication.

https://www.theguardian.com/money/2022/mar/14/uk-shoppers-face-more-identity-checks-when-buying-online

 
Posted : 25/03/2022 2:04 pm
Posts: 0
Full Member
 

Are there unified password managers these days? Tried one a few years ago but found that they fell over because if I wanted to log on from anywhere other than my home PC I was a bit stuffed.

At work for eg I'm not allowed to install any software or plugins and haven't found a password manager that has a web interface to overcome this.

I instead use the 'layered' password approach. Stuff that doesn't really matter - fora and the like have a common password that gets changed from time to time.

Social media has another which is changed more frequently etc and financial stuff has individual passwords etc.

Coupled with general IT security measures it has been robust enough over the years.

 
Posted : 26/03/2022 9:53 am
Posts: 3544
Full Member
 

Are there unified password managers these days? Tried one a few years ago but found that they fell over because if I wanted to log on from anywhere other than my home PC I was a bit stuffed.

At work for eg I’m not allowed to install any software or plugins and haven’t found a password manager that has a web interface to overcome this.

Chrome / Edge has a built-in password manager. As long as you can log in to the browser it will sync across different devices.

 
Posted : 26/03/2022 10:01 am
Posts: 22849
Free Member
 

Websites don’t normally store the CVC number and with the new SCA (Strong Customer Authentication) which has just become mandatory, a CC number on its own won’t be that much use as the provider should refuse any online purchases without 2-factor authentication.

The growing problem with 2-factor authentication is it's actually pretty easy to call a mobile provider and get your phone number transferred to another SIM. The sheer number of mobile customers who can't remember their security info and just kick off at call centre employees instead means providers will fairly readily give in to requests to port number away without providing those details. So if the data that has been breached includes a mobile phone number and enough of the other details you'd need to provide (well - address really) it's not too hard to get hold of your phone number as well.

 
Posted : 26/03/2022 10:17 am
Posts: 0
Full Member
 

Chrome / Edge has a built-in password manager. As long as you can log in to the browser it will sync across different devices.

Ah OK. I'm out on that basis then. It has to work for me on any device, anywhere and not all devices run the same browser and nor would I want to log into say my MS account on some machines.

It sounds like a good option for some people though.

I'll stick to my plan - the passwords I use can be considered secure in their construct anyway so I'm reasonably confident I'm good.

 
Posted : 26/03/2022 10:29 am
Posts: 2020
Free Member
 

Bitwarden https://bitwarden.com/

is device agnostic and free.

I've got the browser add-on on Chrome and Edge, and the app on my phone which pre-fills sites and apps for me.

You can also log in to the password vault on any device if you don't/can't install a browser extension.

 
Posted : 26/03/2022 10:34 am
Posts: 0
Full Member
 

You can also log in to the password vault on any device if you don’t/can’t install a browser extension.

Genuine discussion point. Is this more or less secure than having layered passwords (as I call it)?

If the hackers get into your vault are you stuffed? And assume you can't use the password generator for the vault otherwise you'd be stuck in some infinite loop trying to log in from a computer that you can't install add-ons on so your vault password is possibly less secure than all the passwords held in it?

 
Posted : 26/03/2022 10:46 am
Posts: 3946
Free Member
 

Lastpass user here. For the vault/plugin I need to login with my master password. This is a strong password. I also have 2FA enabled so need a one time code from Google Authenticator. Thirdly if it's an unrecognised or new device I get an initial rejection and an email is sent to me asking to confirm that it is really me.

So for someone to break in they need the following:

- My master password
- My phone (which is secured via a fingerprint)
- Access to my email

 
Posted : 26/03/2022 11:07 am
Posts: 7790
Full Member
 

KeePass works for me on Windows and Android. Needs a bit more setup to make seamless (add plugin for Google Drive backup on Windows) but other than that works great.

 
Posted : 26/03/2022 1:44 pm
Posts: 8449
Full Member
 

Saw this password-time-to-hack table doing the rounds:

 
Posted : 26/03/2022 9:30 pm
Posts: 0
Free Member
 

Does Chrome have a password manager? I didn't think so. It remembers your passwords, but isn't a password manager as far as I understand.

I moved from LastPass to Bitwarden and wouldn't look back. Recommend it for everyone.

I have 500 passwords in my vault, every password is different. I can install browser extensions to autofill passwords into websites. Or access the Bitwarden website to access my passwords if required. Works across all computers and phone and can be secured via fingerprint, password and PIN. Also 2FA.

Bitwarden also does 2FA for all your sites and passwords/2FA codes can be simply copied into a webpage by keyboard shortcuts.

Bitwarden has a password checker for your master password that you use to access your vault. Last time I checked it'd take 9 years for it to be compromised by brute force attack.

https://bitwarden.com/password-strength/

 
Posted : 27/03/2022 10:08 am
Posts: 8449
Full Member
 

Here's another password checker

https://www.uic.edu/apps/strong-password/

It hides your password and has more feedback.

For passwords I need to remember, I like to use a passphrase generator and then throw in some numbers and symbols to spice things up. Makes it possible to remember very secure 30 character passwords.

 
Posted : 27/03/2022 12:06 pm