How did someone break into my account?

Well, worrying about the weather App is the least of my worries today! I have been having problems signing into Comcast/Xfinity—it doesn’t like my password! Then I noticed today that my emails stopped at 5:09 am. I called tech support and was lucky in the person who helped me. He figured out that someone had added their forwarding address and was receiving my emails!!! Stupidly, I deleted that email address before I copied it. We tweaked my email Settings and hopefully it won’t happen again. Wish I knew how that person got in. And now I’ll have to wonder what I missed in the purloined emails!

1 Like

Recommend you plug your email address into https://haveibeenpwned.com/ to see if your email address and password were compromised in a mass hacking incident. There is also a page that lets you check to see if that Password has been similarly compromised.

Or you may have been “phished” for that information at some point. To guard against that, never click on a link you receive supposedly from your ISP, email provider, social media site or financial institution asking you to validate any type of privacy information (such as your login credentials).

Hopefully you have changed your email password as part of “tweaked [my] email Settings”. That’s all you can do for now.

2 Likes

Al, last week wasn’t my week! The same day that someone forwarded my Comcast email to their email address, that night someone forwarded my phone calls! I kept checking Comcast settings for Mail and Voice forwarding. Anna saw the “new” phone number. I did copy that before I deleted. I have changed my Comcast email at least 3 times in the last week. It seems to be OK. At least now I know where to look in Settings.

The Comcast fiasco was on Tuesday, Nov. 23rd. That night I got an email from PayPal about an “added Phone number”. I went to PayPal and the first thing I noticed was a name change—Zane instead of Jane. Then I noticed the page was different—a business page and not a personal one. I went into Settings and saw the intruder’s number. I copied it before I deleted. And I noticed 2 new banks had been added. PayPal did NOT notify me of any of this—my email hadn’t been changed nor a new one added.

I have been on the phone to PayPal daily to get everything changed back. That fraud person tried to transfer all of my PayPal to their bank… Then tried to withdraw $3,000 from my bank—twice! It was denied. (I called my bank and it had charged me $70 for 2 insufficient funds! I got the money back!) It has been 7 days and I still can’t access my PayPal balance. Each time I call, it is not resolved.

I’d encourage you to audit your passwords at important accounts—banks, credit cards, Apple, Amazon, Google, Facebook, etc. If they aren’t unique and aren’t strong, use a password manager (Apple’s Passwords, 1Password, LastPass) to change each of those passwords to something that’s strong and unique.

That may be an overabundance of caution, but the Comcast and PayPal hacks suggest that you’re being targeted, and the attackers may have gotten enough information from when they were in your Comcast account to compromise other accounts.

2 Likes

Adam, I do use 1Password and iCloud Keychain. I make up my own passwords. I don’t trust that I will always have access to 1Password and use theirs. Should I trust the access?

I subscribe to a lot of authors and my son thinks that one of them inadvertently was the culprit when I entered a contest. I have changed my password to Comcast and PayPal a few times since last week. I have also enabled 2 factor authorization on them and Amazon.

Now my problem with PayPal is that it won’t let me have access to my money! I have closed the bank account that was on PayPal and want to use my PayPal balance. I can receive money but can’t pay even $5 to a friend on my Contact list. Numerous phone calls have not fixed the problem. Their Help and Resolution Center doesn’t fix it. Does anyone know how to fix the “limitation for my privacy and security”?

Do you know of another App that acts like PayPal? I am in a huge bazaar this weekend and need another way to accept payment—I don’t use Square or anything like it. Any thought about Venmo?

A while back, ArsTechnica had a series of articles on breaking passwords, and one message that came through loud and clear was that a lot of passwords you might create and think are secure aren’t so secure, because password-cracking software incorporates many of the ways humans think to generate passwords. You’re better off letting 1Password or your Mac create random passwords for you.

How would entering a contest compromise your account user name and password?

I’ve always been wary of PayPal. Whenever it comes down to you losing money or PayPal losing money, the company will choose to have you take the loss. For that reason, the general advice is to never keep a PayPal balance, transferring any received funds to your bank immediately, and to always pay using a credit card so you can do a chargeback if PayPal won’t help you in cases of fraud.

Often, trying to talk to PayPal is an exercise in frustration as some of its policies don’t seem well thought out. For example, someone opened an account using my friend’s young daughter’s email address, but the company refuses to do anything about it for “security reasons” because the PayPal account is not hers. Others have complained about similar problems, and the only way anything got done was by publicly shaming the company on Twitter. So you might try that.

I’ve started going to some local farmers markets recently, and it seems like a lot of the vendors there used Venmo.

2 Likes

Conrad, my son thinks that a fake contest page downloaded something that would either copy my key strokes or find my password. I think I know which author because when I clicked on the page, there wasn’t a contest. Too late by that time!

I didn’t know PayPal had a Twitter page! Thanks!

Venmo is owned by PayPal. My understanding is that it got popular with small vendors because it was easier to receive transfers without paying fees. But if you have misgivings about the PayPal corporation, Venmo is the same folks.

Dave

2 Likes

Absolutely. As @chirano said, it’s almost impossible for people to generate strong passwords. If you can remember it and type it easily and quickly, it’s probably not strong enough. :wink:

I’d encourage you to set up Square. It’s a good system, and their readers work well.

1 Like

Not as strong as it could be…maybe…but strong enough for just about any practical purposes…a rememberable password is good enough. I disagree that people are incapable of generating strong passwords…one just needs to be smart about it.

I think we can all agree that Diceware generates pretty decent word based passwords…and once you get over about 17 or 18 characters all the brute force, previous password leaks, rainbow tables, and just about everything but brute force simply isn’t enough because of the possible number of passwords. The bad guy has no idea what the actual length is…and as long as you use upper case, lower case, symbols, and numbers…then length is just about all that matters.

Over at grc.com…Steve Gibson has a page that calculates how large is my haystack to figure out the number of possible passwords that need consideration in a brute force attack…and how long it will take in various scenarios.

For example…here are two 22 character passwords…and both of them will not be found by anything but a brute force attack…even though the words in the first one are individually in the dictionary…they have to be all in the cracker dictionary database or the rainbow table as a whole with all the other characters before it will fail.

Sister%Mazda%Oyster482

gDt_i!yNKvxs6f-ZnqnpaG

Yes…password bad guys are tricky and know a lot of tricks…but taking a gander at https://www.grc.com/haystack.htm and sticking those two passwords in to see how many possible guesses there are…

The first one gives a 95 character search space depth and 3.27x10^43 possible passwords…and will be cracked in 1.04 hundred million trillion centuries at 100 trillion guesses per second in the massive cracking array scenario (well, actually only half of that statistically, since the successful guess will be somewhere between the first and last possible guess).

The second one gives the exact same number of total guesses and cracking time…because once you get to brute force, the criterion that really matters is length; specials, numbers and upper case add to the entropy in the password but not as much as length.

In an even more massive cracking array scenario that can process a trillion trillion guesses per second…that same 22 character password would still take in excess of a million centuries…which is plenty long enough.

Steve goes on in his explanation that it’s not a password strength indicator…but a how hard brute force cracking would be indicator. And it really doesn’t matter how the bad guy searches the possible password universe…there might be some difference between starting with the password a, then b through z, then 1 through 9 and the various symbols before going on to aa and so on…and starting with an assumption that the person used at least 8 characters so starting with aaaaaaaa and incrementing up…but at a trillion trillion centuries to crack…it really doesn’t matter. Even if he started with the knowledge that it was 22 characters that would remove only half of the search space and reduce the trillion trillion centuries to 500 billion trillion centuries.

The secret to good passwords…is length…that’s what matters. And a long password you can remember is precisely as good as an equally long but completely random one…at least for any decent length and how long it needs to resist cracking.

It’s a whole lot easier to remember…and type…3 words…than it is to remember and type completely random gibberish, and even with a password manager one still needs to remember and type the master password.

Far too many folks still insist that passwords need to be completely random and that makes them perfect…despite brute force taking no longer than something one can remember…and they forget that better is the enemy of good enough.

I’ve tried in the past putting both memorable but long passwords as well as an equally long completely random password into the various password strength pages on the internet…and the conclusion is still that completely random provides no additional actual protection.

3 words are pretty easy to remember…obviously don’t use your wife’s and kids’ names, your dog’s name, your anniversary or birthday, but some words that mean something to you along with always using the same symbol and the same number combination…again not picking a number that an internet search would reveal…well, it just works.

Even the government…and Defense Department…are starting to get the idea that mandatory password changes are meaningless unless one knows the password was compromised, and are going to long and complex requirements that don’t require periodic changing. They were already going that way in 2011 when I retired, and reports from friends still in the biz indicate the DoD has continued down the make it long and forget about it path.

1 Like

The limitation of his analysis is that it’s based on the assumption that the passwords are random and don’t contain any information. When the typical user attempts to generate a password, that’s usually not the case. Making educated guesses based on human tendencies can greatly reduce the size of the search space, turning a seemingly strong password into a mediocre one.

Can a well-informed user generate a strong but memorable password? Yes, but most people aren’t knowledgeable. In fact, it’s been my experience that people are pretty lazy. If it’s a choice between a poor but easy-to-type password and a good but long password, they’ll opt for the former even when they know better. That’s why I’ve encouraged my friends and family for years to use a password manager to make it more convenient to use good, strong passwords.

OK…there’s probably some validity to your point. However, that doesn’t mean that the password contains any information that the bad guy can use to narrow the search space. Even if it’s known that a person uses 3 words with 2 symbols and some unknown number of characters either after, before, or mixed in the middle…there’s nothing in that knowledge that allows any narrowing of the search space beyond knowing that the entire password probably has a minimum length of 3 times whatever minimum word length is used, 2 for the symbols, and something for the numbers.

If one assumes 4 character words and 4 numbers…that gives a length of 12 + 2 + 4 or 16…so the limited search space is only half of the full search space for 16 characters. 16 characters in a 95 character alphabet results in a search space of 4 x 10^35 and 1.28 trillion centuries in the massive cracking array scenario at 100 trillion guesses per second. Since the bad guy only needs to search half of the search space then that’s only 2 x 10^35 and hence 600 billion centuries…but that’s assuming the actual password is only 16; since that’s the minimum length it does reduce the search space and time.

But it’s still 600 billion centuries…and my point was that better is the enemy of good enough, and even only 600 billion centuries is way, way more than enough. Yes…it isn’t as good as a longer password…but it’s exactly as good as a 16 character completely random password.

As long as you don’t use 3 words that are easily guessable as being your words after an internet search…kids, wife, dogs, etc…and as long as the number, the number of digits, and which symbol (or symbols…it really doesn’t matter if you use the same symbol between each word or a different one) are not guessable either…then your password is still plenty strong enough and is typeable without much worry about fat fingering it…because even with a password manager there’s still the master password and the login password or code for the computer/device to type in…and even with today’s biometric authentication one still needs to occasionally manually put in a password.

As I said…better is the enemy of good enough…and while everything you said is technically correct…it doesn’t really matter as long as you use a long password, all 4 of the password food groups, and don’t use words or numbers that can be easily guessed to be yours by the bad guy. The password generated as I described it…yes, it’s perhaps a bit harder to figure out a new one than a completely random…but who cares. If it’s not crackable in anything less than even 100 centuries…then it is more than good enough.

I used 3 words in this example and that’s really fine as the math shows…but even knowing that I use 3 word passwords along with some random symbols and numbers that only I know…and even if I use the same symbols and numbers for every password…and even if the bad guy knew that I always use the word symbol word symbol word digit digit digit digit sequence (which I don’t)…brute force cracking tools work by sequentially trying every single possible password. If one makes the search space large enough…and if the cracker is smart enough to run the dictionary and rainbow tables crackers first…it just doesn’t matter. Once you get to a “big number of characters”…that big number is really all that matters.

This is very similar to the folks in the math world that calculate the value of Pi out to trillions of decimal places…yeah, it’s technically better than 3.14159…but it doesn’t matter. NASA uses only 15 digits in their calculations for orbital or otherwise trajectory calculations…because any more than 15 doesn’t matter. They’ve shown that if you take a circle with a diameter the size of the known universe and calculate the circumference of the corresponding circle…yes, by using only 15 digits of Pi the circumference is off…but by the diameter of a hydrogen atom…hence who cares.

Yes…you need to be careful about how you choose your words and what numbers you use and what symbols…but in the example above…even if I told you there were 2 dollar signs, 4 digits, and 3 uppercase letters…but didn’t tell you the length of the password then the time to crack is still a very long time. A password with only 3 words of 4 characters is trivially broken…but once I tell you the additional info of 2, 4, and 3 the problem for you the cracker becomes almost immeasurably harder and extends the cracking time well beyond anything even unreasonably expected.

And it really doesn’t matter that computers always get faster…as I said before even a trillion trillion guesses per second doesn’t reduce the time required to crack in any meaningful way. Password entropy shows this. The 3 words of 4 characters, 3 upper case, 4 digits and 2 symbols gives 117 bits. Nuclear launch codes use encryption keys of something in the 170 bits range for telling submarines or missile silos to launch nuclear weapons (at least they did when I left the submarine force in the late 80s so it wouldn’t surprise me if today’s crypto gear used longer keys). 5 or 6 character words get up to 138 and 157 bits. True…171 is more than any of those…but we’re not talking about a high value target like decryption of nuclear weapon launch codes and unless your name is Assange or Snowden nobody’s gonna be willing to spend even a century of computer time trying to crack your password.

Yes…people are lazy and yes…everybody should use a password manager and not reuse passwords. Despite many preachings and lectures to my spouse with a Master’s degree in business and a Bachelor’s degree in Medical Laboratory Technology…I still haven’t convinced her that using the same password over and over again is a bad idea. I did convince her to use adequate passwords for email, financial stuff and important things…but she has many at various web sites that are less than secure in my view. Her view is that she doesn’t care if somebody figures out her password to a web site that has no credit card data stored on it. But even with a password manager…one still needs to remember the master password, one’s login password to the computer, and the password for the admin account on the computer so she can install things when necessary…and for those good enough is…well, good enough…and those passwords do meet my restrictive definition of good enough. And…yes…they are as secure as completely random passwords because I follow the common sense rules for the words, numbers, and special characters.

All of my examples above are just that, examples…there’s no hint in there about what I actually do because that would be against the “don’t tell anybody your rules” rule. The biggest rule is…make sure they’re random, unrelated words and don’t forget to make sure the 4 food groups in password derivation are all included.

1 Like
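As an added example that is not from anyone in this thread, the script below redoes the haystack arithmetic used in the two long posts above (95-character alphabet, every length up to N counted, 100 trillion guesses per second) and sets it beside the scheme-aware count the reply argues for, where the attacker is assumed to know the Word%Word%Word### shape and only the words, separator and digits are unknown; the 100,000-word list and 33-symbol separator set are constructed assumptions, not figures from the thread.

```python
import math

# Assumptions (not from the thread): printable-ASCII alphabet of 95 characters,
# the haystack page's convention of counting every string of length 1..N, and a
# "massive cracking array" of 1e14 guesses per second.
ALPHABET_SIZE = 95
MASSIVE_ARRAY_GUESSES_PER_SEC = 100 * 10**12
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600
DAYS_PER_CENTURY = 100 * 365.25


def haystack_size(length: int, alphabet: int = ALPHABET_SIZE) -> int:
    """Brute-force candidates for a password of unknown length 1..length."""
    return sum(alphabet ** n for n in range(1, length + 1))


def bits(candidates: float) -> float:
    """Size of a search space expressed as entropy-equivalent bits."""
    return math.log2(candidates)


def centuries_to_exhaust(candidates: float, guesses_per_sec: float) -> float:
    """Centuries to try every candidate; halve it for the expected case."""
    return candidates / guesses_per_sec / SECONDS_PER_CENTURY


def pattern_candidates(words_in_list: int, n_words: int, n_separators: int,
                       separator_alphabet: int, n_digits: int) -> int:
    """Search space when the attacker knows the construction rule.

    Defensive (Kerckhoffs) assumption: the scheme is public, so only the
    word picks, the separator symbol(s) and the digits contribute choices.
    """
    return ((words_in_list ** n_words)
            * (separator_alphabet ** n_separators)
            * (10 ** n_digits))


def compare(password: str, words_in_list: int = 100_000) -> dict:
    """Brute-force estimate vs. scheme-aware estimate for a 3-word password."""
    brute = haystack_size(len(password))
    # Constructed assumption: one symbol reused between words, 3 trailing digits
    scheme = pattern_candidates(words_in_list, n_words=3, n_separators=1,
                                separator_alphabet=33, n_digits=3)
    brute_c = centuries_to_exhaust(brute, MASSIVE_ARRAY_GUESSES_PER_SEC)
    scheme_c = centuries_to_exhaust(scheme, MASSIVE_ARRAY_GUESSES_PER_SEC)
    return {
        "brute_force_bits": bits(brute),
        "brute_force_centuries": brute_c,
        "scheme_aware_bits": bits(scheme),
        "scheme_aware_days": scheme_c * DAYS_PER_CENTURY,
    }


if __name__ == "__main__":
    # The thread's own 22-character word-based example
    for name, value in compare("Sister%Mazda%Oyster482").items():
        print(f"{name:>22}: {value:.3g}")
```

The brute-force row reproduces the 3.27x10^43 / 1.04 hundred million trillion centuries figure quoted from the haystack page; the scheme-aware row shows why a defender rates the same string by its construction rather than its length.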

Neil and Conrad, uhh… could you simplify what you said in fewer words? I read your posts, but don’t quite get it.


I have posted my PayPal problem to their Facebook and Twitter accounts and have received unhelpful replies. They tell me that I am not blocked nor limited, but I can’t send money to anyone. I wanted to send a screenshot of the reply, but I don’t see a way to do that. (I don’t see a camera or photo icon.) Apparently, PayPal has an algorithm or something like it to prevent suspicious or bad accounts from sending money. But customer service claims my money is available. I was told by 1 agent to wait 72 hours before signing in so PayPal can reset the “algorithm or privacy or other” on my account. Another agent told me to wait 48 hours. So tomorrow (Friday) it will be 72 hours. I hope it’s fixed. Meanwhile…

On the Facebook post, a gentleman offered to help me solve the problem, but I would have to download Hangout “to use the procedures to find someone who works on PayPal” to help me. Is anyone familiar with Hangout or WhatsApp? What do these apps do? Is there a danger to using them to get my info? Your comments would be appreciated!

This sounds like a scam. I wouldn’t grant any random stranger access to my computer. Especially not for accessing my finances.

I think if you do this, he will steal even more of your identity.

Hangout is a Google group-chat app. WhatsApp is another chat app. There is absolutely no reason why you would have to install them in order to get help. But you can use them to grant others remote access to your computer. I suspect that that’s where this “gentleman” wants to go.

2 Likes

Neil and I went off on a tangent. You can ignore the posts.

My advice is to trust 1Password (or the password manager of your choice) to generate and keep track of your passwords.

There will still be a few passwords you do need to commit to memory. For example, I have memorized the passwords to my main Apple ID and to my 1Password vault. With just those two passwords, I can set up a new computer from scratch and regain access to everything else. Because those two passwords are so critical, they need to be strong ones.

If you want to know what’s involved in making up a good, strong password, you can try to read what Neil and I wrote above, but it’s really not necessary practically speaking. When I want a password I want to be able to memorize, I just repeatedly generate passwords in 1Password until one pops up that for whatever reason I find relatively easy to remember.

2 Likes