Password Security

I thought it would be useful to post a note about passwords and security, given how much of our financial lives are subject to a username and password.

Many of us are familiar with, and use, programs such as keepass, roboform, 1password, truecrypt, etc., which we use to securely store our usernames and passwords.

Some of these programs generate strong passwords as well.

One of the most common "weak links" in the security setup is the ability to reset passwords in the event they are forgotten. Institutions generally allow the password to be reset in one of several ways, and each of them usually involve answering a security question.

Sometimes the security question just pops up in the browser, and sometimes the security question is sent via a link to your e-mail account of record.

Answers to many security questions are easy to guess, especially if someone knows you. "Where did you grow up" "What is the name of your high school", etc. The strongest password in the world is not much of a defense against a "password reset" that requires the thief to "guess" your favorite food is "pizza" or that your mother's maiden name is "McDonald."

I suggest that people populate the security question answer field with another "strong" password generated by the password keeper program of choice. For example, "What is your Mother's maiden name?" gets filled in with "Th36Nx9E8VDiAW".
Another "weak link" is the username. Generally speaking, it is better to have your username also randomly generated, so that people don't easily fall upon your username and start hacking away at the password.

A third weak link to security is our e-mail. Many people use their general e-mail account as their username at their bank. That is dangerous because this provides 1/2 the key to get into the account and our e-mail accounts are usually easy to guess by people who know our names or guess our names. More importantly, our general e-mail accounts are often very easy to hack into because we use our names and because they are publicly available since they are used publicly. And e-mail accounts are generally easy to hack into (some easier than others). Remember, once someone has your e-mail account they can see everybody you bank with and then can try resetting passwords and hacking into your accounts knowing you have relationships with particular banks.

I recommend that financial sites should be linked to a "financial e-mail" account that is used only to open up and communicate with financial institutions who were provided the e-mail address as part of the account activation process (or who have it because you just created it and updated your profile). Never use such an account to communicate with a merchant, family member, etc. This email account should also be something like Th36Nx9E8VDiAW@gmail.com (that is, use your software to generate a "strong" password and use that password as your username). The password for the account should also be a strong password, of course.

This last recommendation has the benefit of separating your "financial life" from your personal life, and also lets you provide in a letter, or will, an e-mail address to be checked for all of your finance-related accounts in the event you happen to die without an updated list of where you bank, invest, etc. Just put the password in the safety deposit box and your executor will be able to check through your e-mail without trolling through your personal e-mail, and they can then contact the banks to perform their duties as executor.

I know that many of us don't use a strong password for our personal e-mail, because we like to be able to remember the password without having to use a program to fill in the long random password. Opening a "financial e-mail" account will let you keep your current weak password and require you to use that password program to "remember" your banking email password when you need to do some banking.

There are many "tricks" to generating a strong password that you can easily remember, which I would recommend for even your general email account whether you use it for banking or not. For example, a telephone number with area code for the house you grew up in (heck, the original area code may have changed over time, making it that much harder to guess), followed by a character such as / or \ or *, and then a string of letters (the first, second or third letter in each word in some phrase you like to use, like "Lord, deliver me from temptation" turns into "ldmft").

So there you have it, some very basic security tips that will go a long way to protect your accounts, and, incidentally, eliminate the "financial clutter" that your personal accounts are plagued with. Just imagine what it would be like to have all of the yodlee/mint e-mails, and bank statement and credit card statement e-mails only going to your "financial e-mail" account. If that seems like a pain, then at least make certain your personal e-mail account is not easily hacked, and is with a provider that does not let you easily reset the password or otherwise allow too many guessing attempts to log on to.
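The post's point about guessable reset answers versus a generated answer can be put in numbers. The following is an added example, not code from the original post or from any of the password managers it names: it generates an answer of the shape shown above ("Th36Nx9E8VDiAW") from the operating system's random source and compares its entropy with that of answers drawn from small guessable pools. The pool sizes are constructed assumptions for illustration, not measured figures.

```python
import math
import secrets
import string

# Symbols a password manager typically draws from for a generated answer or
# username; 62 symbols matches the shape of the post's "Th36Nx9E8VDiAW".
ALPHABET = string.ascii_letters + string.digits

# Constructed, illustrative pool sizes for "real" answers: roughly how many
# plausible guesses someone who knows you (or has a phone book) has to try.
GUESSABLE_POOLS = {
    "favorite food": 500,            # a short list of common dishes
    "mother's maiden name": 10_000,  # a list of common surnames
    "high school": 100,              # schools near where you grew up
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def generate_answer(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Random answer for a security-question (or username) field.

    secrets.choice reads the OS CSPRNG; random.choice is not suitable
    for anything that has to stay secret.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare_answer_strength(generated_length: int = 14) -> dict:
    """Bits of guessing work per answer type, so the numbers can be compared."""
    result = {name: math.log2(pool) for name, pool in GUESSABLE_POOLS.items()}
    result["generated answer"] = entropy_bits(generated_length, len(ALPHABET))
    return result


if __name__ == "__main__":
    print("example answer:", generate_answer())
    for name, bits in compare_answer_strength().items():
        print(f"{name:22s} ~{bits:5.1f} bits")
```

A 14-character answer over 62 symbols is about 83 bits; a maiden name picked from ten thousand surnames is about 13 bits, and "pizza" from a list of a few hundred foods is under 10. The reset flow only ever tests the weakest of these, which is the post's argument.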


Consider using "strong" passwords and "strong" usernames generated by password management software.

Consider using a separate e-mail address (using a strong username and a strong password) for all of your financial needs.

Consider using "strong" answers to security questions.

Check every important site you use, for how they "reset" forgotten passwords to determine if someone other than you will be able to reset the password and have access to the new password.


Password Management Programs:
Roboform
Keepass
1Password (for Mac)
LastPass
Encryption Software:
TrueCrypt

Interesting ideas, but being a person who does actually forget passwords on occasion I appreciate being able to reset them online without having to remember an even more obscure password.

Being someone who travels a lot I've heard about carrying a thumb drive with web browser pre-installed with all relevant passwords saved, has anyone used that method?

Yes, Kanosh. My thumbdrive has firefox on it as well as "roboform". Roboform stores your password for you so you do not have to worry about "forgetting" it, so long as you remember the one "master password" which can be some phone number you have memorized plus some string phrase you can't possibly forget.

I happen to keep those programs in the "encrypted" portion of my thumb drive, so that when I lose the drive, neither the browser nor the roboform program can even be opened up without guessing my truecrypt password.

I suppose I could have firefox "memorize" the passwords since its on an encrypted thumbdrive, but since I have roboform, I use the extra layer of security. That way I do not have to worry about whether "portable firefox" somehow adds something to the computer I am running it on, which would let my saved password be retrieved.

I should say that when I reset my security questions to something I cannot remember, I have no intention of ever using the security question to reset my forgotten password. If worse comes to worst, I just have to talk to a customer service representative to start over, which is what I would prefer to do since a thief is not likely to go through that trouble.

DavidScubadiver said:
The strongest password in the world is not much of a defense against a "password reset" that requires the thief to "guess" your favorite food is "pizza" or that your mother's maiden name is "McDonald."


The new password is then sent to you by e-mail. The thief would first need your email account password to get it (start reading from the beginning).


I suggest that people populate the security question answer field with another "strong" password generated by the password keeper program of choice. For example, "What is your Mother's maiden name?" gets filled in with "Th36Nx9E8VDiAW".

Sure, since it's supposed to be something easier to remember than the password ... Great idea
I'd love to hear you spelling that over the phone, when you need to talk to support

Another "weak link" is the username. Generally speaking, it is better to have your username also randomly generated, so that people don't easily fall upon your username and start hacking away at the password.

Username is not a weak link, because it is useless without a password. If the password is strong enough, the user name can be 'jon', it's perfectly fine.
Also, people cannot "randomly fall upon your username". Well, they can fall upon it, but they can't know about it until they have the password.
Unless, of course, your bank account will tell people something like "you have entered the correct username, but the last 3 characters of the password are wrong" or something like that when you fail to login. But if that's the case, you should change the bank, not the username.


A third weak link to security is our e-mail. Many people use their general e-mail account as their username at their bank. That is dangerous because this provides 1/2 the key to get into the account and our e-mail accounts are usually easy to guess by people who know our names or guess our names.

Once again, username is not a key to get into account, not even half key, it's just ... well ... username.
The key for the account is password. As long as it is strong enough and well protected, there is no need in guarding your username, or making it cryptic.
It is a bad idea to use email address as a username for various accounts, but for an entirely different reason - to avoid getting spammed. There is no security risk in it.


More importantly, our general e-mail accounts are often very easy to hack into because we use our names and because they are publicly available since they are used publicly. And e-mail accounts are generally easy to hack into (some easier than others). Remember, once someone has your e-mail account they can see everybody you bank with and then can try resetting passwords and hacking into your accounts knowing you have relationships with particular banks.


Not really. Hacking into an email account from a reputable provider (like google for example) is not any easier than hacking into your bank account, perhaps harder. Unless, of course, you decide to use 'pizza' as your password, as most people do. Now *that* is the security risk, not letting people know your email address.


I know that many of us don't use a strong password for our personal e-mail, because we like to be able to remember the password without having to use a program to fill in the long random password. Opening a "financial e-mail" account will let you keep your current weak password and require you to use that password program to "remember" your banking email password when you need to do some banking.

Worst advice ever.
Do not ever look for excuses to use a weak password, on any of the accounts, that you consider worthy of being protected by the password at all. It does not have to be extravagantly long, and you don't have to use a program to generate it, but it does need to be long enough (like 8 chars min), and not be based on a dictionary or phone book (even an old one), even if you replace some letters with digits, and symbols. To make it mnemonic, probably, the best way is to pick a fairly long phrase, for example:
'quid quid latin dictum sit altum videtur', then make some replacements and abbreviations - e.g. qqL@t!nD$@5!d3tUr
This is both strong and easy to remember.

Ultimately the weakest link is your computer; it is far more common for an account to be compromised through key loggers and other automated password sniffing tools than it is for someone to guess a password. Most secure sites will lock your account if you have more than 4 or 5 login attempts, so even weak passwords aren't as bad as surfing the web with insecure browsers like IE or Firefox (if a trojan gets in, your tough passwords aren't worth much). Security is a big picture problem and should be looked at from that perspective.

Serious question here: how common is it for a complete stranger to hack into an individual's account by guessing/figuring out both a userid and password? I'm not saying it never happens, but it seems far less likely than any other security breach, simply because the return for effort is so small and uncertain.

DavidScubadiver said: Answers to many security questions are easy to guess, especially if someone knows you...

Studies show that in many incidents of identity theft, the culprit knows the victim - often a roommate, ex-boyfriend, ex-spouse, relative, etc. In the time that it would take to break in to my accounts online, the person could have torn a few checks out of the back of my checkbook or made off with a credit card or two out of my sock drawer or even found my little list of passwords that I keep under my deskpad at work (just kidding about that last one). Point is, those who would know you well enough to hack in to your accounts also probably have close access to other means to steal from you.

I'm a train wreck waiting to happen. I use the same username and password for as many accounts as possible. It is just too much trouble to do otherwise.

People's hotmail accounts are broken into routinely, and used to spam others. I do not know why that happens, or if hotmail has done anything to fix it, but, yes, some e-mail accounts are easier than others to hack into. If you think the return is not that high, open up your gmail account and search for "password" in your e-mails. You might find something quite useful to a thief.

Not all passwords are reset by sending them to e-mail, but even those that are, my point is to consider your e-mail password's strength and the fact that your e-mail account is "public", dimatkatch. My assumption is that the e-mail account will be the FIRST thing to get hacked because of how e-mail is used, followed by a discovery of your financial institutions, followed by an attempt to hack those accounts. That's why I recommend a "financial e-mail" account which is not made public.

Having a strong password is great. Having a strong username and password is twice as great. If you are filling in your passwords with a program, and the password is 18 random characters anyway, what's the point of having a "jon" username? Plus, plenty of institutions limit your password or your user name to 8 characters, so I am more comfortable having randomized usernames and randomized passwords.

And having a "weak" password for non-critical e-mail is not really a bad thing, other than opening yourself up to being used to spam other people. I do not recommend it, but am intelligent enough to realize that there are many many thousands of people who will not use a strong password to access their regular email.

dcwilbur said: DavidScubadiver said: Answers to many security questions are easy to guess, especially if someone knows you...Studies show that in many incidents of identity theft, the culprit knows the victim - often a roommate, ex-boyfriend, ex-spouse, relative, etc. In the time that it would take to break in to my accounts online, the person could have torn a few checks out of the back of my checkbook or made off with a credit card or two out of my sock drawer or even found my little list of passwords that I keep under my deskpad at work (just kidding about that last one). Point is, those who would know you well enough to hack in to your accounts also probably have close access to other means to steal from you.

I'm a train wreck waiting to happen. I use the same username and password for as many accounts as possible. It is just too much trouble to do otherwise.
I am just the opposite. I do not know myself well enough to get into my bank accounts should I lose my password programs. Seriously though, just because someone who robs you is likely to "know" you does not mean that they have keys to the house and can turn your burglar alarm off, whereas anybody you went to school with knows what street you grew up on and what school you went to (common security questions).

DavidScubadiver said: dcwilbur said: DavidScubadiver said: Answers to many security questions are easy to guess, especially if someone knows you...Studies show that in many incidents of identity theft, the culprit knows the victim - often a roommate, ex-boyfriend, ex-spouse, relative, etc. In the time that it would take to break in to my accounts online, the person could have torn a few checks out of the back of my checkbook or made off with a credit card or two out of my sock drawer or even found my little list of passwords that I keep under my deskpad at work (just kidding about that last one). Point is, those who would know you well enough to hack in to your accounts also probably have close access to other means to steal from you.

I'm a train wreck waiting to happen. I use the same username and password for as many accounts as possible. It is just too much trouble to do otherwise.
I am just the opposite. I do not know myself well enough to get into my bank accounts should I lose my password programs. Seriously though, just because someone who robs you is likely to "know" you does not mean that they have keys to the house and can turn your burglar alarm off, whereas anybody you went to school with knows what street you grew up on and what school you went to (common security questions).
So the quick and easy response to that is to use a generic, random answer to those reset questions - enter "pizza" as the answer for all of them, from the town you were born in to your mother's maiden name to your favorite movie. You can use the same response for everything, making it easy for you to remember, yet it's still completely unguessable based on anything anyone might know about you.

I use the same password for every site I can - but it's a completely random chain of letters and numbers, not based on anything memorable. I find it mostly annoying when some sites find it to be non-compliant (ie, they require a special character, or it's too long/too short), or require it to be changed every couple months.

Nothing is ever totally secure. A previous poster brings up a good point that when your password is reset, it is emailed so you need access to the email account also the hacked account (assuming the passwords are different).

No matter how many security checks you put in, eventually the data used to allow a reset of an account has to come down to commonly known data.

The most effective questions would be things like favorite food, favorite color, and maybe anniversary date. Things that are commonly not on a credit report or bank statement.

My security solution is I use keypass to randomize all of my passwords, and use a strong password to protect that database. I would never use a public computer to enter any data so I won't carry my stuff on a usb drive. I have synced versions of the database on my home machines and laptops which are all a part of my home domain and have AV software. I don't use any email service that is public and free. The biggest shortcoming was the IPhone but mykeypass works well and filled that void.

My only complaint is that when I call certain CSR (fidelity is a good example) I need my password and unless I have keypass open, I don't know it.

OP, what's your suggestion for people when they lose their thumbdrive or their hard drive fails and they can't even remember their username because it's a 20-character strong password lookalike?

DavidScubadiver said: People's hotmail accounts are broken into routinely, and used to spam others.

Keep away from hotmail, and any other microsoft product (including IE, and windoze) as much as you can.
That is the best security advice anyone can give you


Not all passwords are reset by sending them to e-mail, but even those that are, my point is to consider your e-mail password's strength and the fact that your e-mail account is "public", dimatkatch.


The point is that my e-mail password's strength is the same as my bank account's. If you can crack one, you can crack the other, no need to reset anything.


Having a strong password is great. Having a strong username and password is twice as great.

It isn't. Not any more than having a password twice as long anyway.

If you are filling in your passwords with a program, and the password is 18 random characters anyway, whats the point of having a "jon" username?
Same point as in using yourbankname.com instead of the ip address - it's more convenient.
I don't use a program to fill in my passwords, btw. That's a lot more risky, than having dimatkach for a username.


Plus, plenty of institutions limit your password or your user name to 8 characters, so I am more comfortable having randomized usernames and randomized passwords.
I would never be comfortable dealing with an institution stupid enough to come up with such limits. That indicates that they have no clue about security, and will be broken into sooner or later. Randomize all you want, you'll never be safe with such an institution. Your best choice is to run.
As someone mentioned above, 99% of online theft happens when provider's database becomes compromised, not by somebody just luckily guessing your security answer. If the security policies of your institution do not make sense (like stupid limitations on usernames, or characters you can use in the password or whatever), it just doesn't matter how strong your password is. The hacker will just get your data straight from their database.

Like I said, the best thing you can do for your online security is not randomizing your usernames, but making sure that the products you use online are at least as secure as your strongest password. The server your browser talks to is actually the weakest link, not your username.

And having a "weak" password for non-critical e-mail is not really a bad thing, other than opening yourself up to being used to spam other people.
So, spamming other people is a good thing then? What if somebody does send you an email with sensitive info?

I do not recommend it, but am intelligent enough to realize that there are many many thousands of people who will not use a strong password to access their regular email.
There is no good reason to use a bad password for your email or for anything else for that matter. If somebody is too stupid to realize that, or too lazy to memorize 8 mnemonic characters, I just don't see how your advice to set up a whole new account with yet another password is going to help.

DavidScubadiver said: People's hotmail accounts are broken into routinely, and used to spam others. I do not know why that happens, or if hotmail has done anything to fix it, but, yes, some e-mail accounts are easier than others to hack into.

Having a strong password is great. Having a strong username and password is twice as great. If you are filling in your passwords with a program, and the password is 18 random characters anyway, whats the point of having a "jon" username? Plus, plenty of institutions limit your password or your user name to 8 characters, so I am more comfortable having randomized usernames and randomized passwords.

And having a "weak" password for non-critical e-mail is not really a bad thing, other than opening yourself up to being used to spam other people. I do not recommend it, but am intelligent enough to realize that there are many many thousands of people who will not use a strong password to access their regular email.


Unless a person is specifically targeting you secure usernames and passwords are nearly worthless (they won't hurt but aren't overly helpful either), a decent key logger is going to get the data one way or the other. Secure password keepers help assuming their encryption hasn't been broken, but if it goes into a web page there is a real risk of it being stolen.

It is far more important to have a secure operating system, network, and browser. Private login information is compromised through database breaches (not much you can do about) and malware installed on the users computer. As far as email accounts sending out spam they were either made specifically to send spam or compromised through some form of key logger or stolen from saved information in the owners favorite browser (I have seen working password stealers for current versions of IE firefox and chrome for less than $100).



I teach folks to use a pass phrase rather than one word or something so Th36Nx9E8VDiAW that they can't remember it, and it's easy to make it more than eight characters that way. Do some character replacements with numbers or special characters and it's easy to remember.
summersday becomes summ3rsD@y
forthofjuly becomes f0rthofJu1y

Is it a perfect method - no. But it's better than using 12345678
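The two recommendations in this thread, the abbreviated-phrase password ("qqL@t!nD$@5!d3tUr") and the character-substitution trick ("summ3rsD@y", "f0rthofJu1y"), pull in different directions, and a server-side password policy check is where the difference shows. This is an added example, not code from anyone in the thread: it reverses common substitutions, tries to split the result entirely into dictionary words, and flags a password that is a dictionary word in disguise while passing the abbreviated-phrase style. The word list and the substitution map are constructed for the demo; a real check would load a full dictionary and leaked-password lists.

```python
# Reverse map for common letter-to-symbol substitutions. "1" is read as "l"
# here; a thorough checker would try every plausible reading (1 -> l or i).
DELEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
          "@": "a", "$": "s", "!": "i", "+": "t"}

# Constructed mini word list for the demo only.
WORDLIST = {"summer", "summers", "day", "forth", "fourth", "of", "july",
            "password", "pizza"}

MIN_LENGTH = 8  # the floor suggested earlier in the thread


def deleet(password: str) -> str:
    """Undo leet-style substitutions and case so the base text can be looked up."""
    return "".join(DELEET.get(ch, ch) for ch in password).lower()


def segment(text: str, wordlist=WORDLIST, max_word: int = 12):
    """Split `text` entirely into word-list words (longest match first), or None.

    Dynamic programming over end positions: best[i] holds a segmentation of
    text[:i] when one exists.
    """
    best = {0: []}
    for end in range(1, len(text) + 1):
        for start in range(max(0, end - max_word), end):
            if start in best and text[start:end] in wordlist:
                best[end] = best[start] + [text[start:end]]
                break
    return best.get(len(text))


def check_password(password: str) -> dict:
    """Policy verdict; `reasons` is empty when the password passes."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if password.isdigit():
        reasons.append("digits only")
    words = segment(deleet(password))
    if words:
        reasons.append("dictionary words with substitutions: " + " + ".join(words))
    return {"password": password, "weak": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("summ3rsD@y", "f0rthofJu1y", "12345678", "qqL@t!nD$@5!d3tUr"):
        verdict = check_password(candidate)
        print(candidate, "WEAK" if verdict["weak"] else "ok", verdict["reasons"])
```

Cracking tools apply exactly this kind of reversal as a rule set, so "summ3rsD@y" costs an attacker only a handful of extra candidates per dictionary word; the abbreviated phrase survives because the word list never recovers it. The check is meant to run where passwords are set, never to be pointed at a login form.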

Dazarath said: OP, what's your suggestion for people when they lose their thumbdrive or their hard drive fails and they can't even remember their username because it's a 20-character strong password lookalike?

I use roboform on my desktop and on my thumb drive, so when I lose my thumb drive, I can still access everything from my desktop. And when I lose my desktop, I can still access everything from my thumb drive. I happen to also use roboform for the web as well, so I can access everything I need from any computer in the world should I have a great need and find myself without my thumbdrive. Of course, there is a risk that my password is compromised by the use of a keylogging program if I have to enter my roboform web password using a keyboard which is why I would only do it in an emergency.

What I am recommending makes perfect sense. Given that many sites don't allow you to use a password over 8 characters long, I think it is smarter to have a username that is also complex. I doubt anybody will hack even an 8 character strong password, but since *I* can't remember such a password, and have to have multiple passwords with different components, and am required to *change* passwords by various institutions, I do not even bother trying to remember anything. One password for roboform which lets me autofill any site, and I let the software generate the passwords and usernames, and security answers. Using roboform on my thumbdrive completely defeats the keyloggers, which is why I prefer to use it when I am not at home. I am not worried about a keylogger on my home p.c.

dcwilbur said: DavidScubadiver said: Answers to many security questions are easy to guess, especially if someone knows you...Studies show that in many incidents of identity theft, the culprit knows the victim - often a roommate, ex-boyfriend, ex-spouse, relative, etc. In the time that it would take to break in to my accounts online, the person could have torn a few checks out of the back of my checkbook or made off with a credit card or two out of my sock drawer or even found my little list of passwords that I keep under my deskpad at work (just kidding about that last one). Point is, those who would know you well enough to hack in to your accounts also probably have close access to other means to steal from you.

I'm a train wreck waiting to happen. I use the same username and password for as many accounts as possible. It is just too much trouble to do otherwise.


I had to stop reading here and respond. YOU ARE SO RIGHT !!!!!!
In my reading so far, beyond all this super secure password stuff, nobody has mentioned the programmers (here and other countries) that depending upon the company can see your password.

I know as I worked in a company with passwords used by customers. Until I finally convinced them over a few years to encrypt them, the passwords were in plain text in the db, accessible by about 30 employees. You have to wonder who wouldn't give them away for $1,000.
How many of those same customers used the same password for their bank, etc. I was like that once, now I like others encrypt with a master password and have different passwords for every site (about 200 or so).

Should an employee go rogue, I will limit damage to their employer site only.


Dazarath said: OP, what's your suggestion for people when they lose their thumbdrive or their hard drive fails and they can't even remember their username because it's a 20-character strong password lookalike?

In a sense you are correct, they need to use 2 thumb drives, like all their data they need to back it up. However you are correct as I don't even bother with a thumb drive, I just don't log into anything when not at home, not even FW !! OMG !!
Employers (about 70% of them) record what you do and see online, and public sites are just begging for man-in-the-middle exploits, and library computers have keyloggers already installed.
It's a dangerous world out there folks.

1. Generate random passwords: very good idea,

2. Generate random userids: potentially good idea,

3. Generating random answers to security questions: maybe a good idea,

4. Generate e-mails that have a random userid: not such a good idea. Although a separate e-mail account might be a good idea. You are far better off protecting the security of the e-mail account with a strong password, security questions, and no backdoor. You seal the backdoor to ensure that the last-resort unlocking of the e-mail account goes to a phone or e-mail that you control.

At some point, you are doing security with obscurity.

If a potential attacker wanted to get your userid, probably the easiest method would be social engineering. Therefore, 2 and 4 are adding no value.

Also, no matter how random the e-mail addy, or the security of the e-mail, a potential attacker can bypass all that by intercepting the wire. So ensure that you use https.

I like having a separate e-mail account. It allows me to have all of my "financial" e-mail in one place without being buried in spam and personal crap.
It also has the benefit of making it impossible for anybody to even spoof my e-mail because there really is nobody who knows my e-mail address since it is only used with my financial institutions. Not saying this is a real risk. It's just an added benefit. Downside is I don't check that e-mail as often as my regular e-mail so I won't see any alerts that are sent to that mailbox until I manually log on to look for them. Of course, that is also a benefit.

I do not worry about keyloggers at work because I don't type in my passwords. Roboform, from my thumb drive, fills in the form directly.

DavidScubadiver said:
I do not worry about keyloggers at work because I don't type in my passwords. Roboform, from my thumb drive, fills in the form directly.


To protect against Key loggers I use and recommend the KeyScrambler plug-in for Firefox and IE. It encrypts everything one types while running hidden on the background. I do use Roboform at home and reach the DB online as needed.

DavidScubadiver said: Downside is I don't check that e-mail as often as my regular e-mail so I won't see any alerts that are sent to that mailbox until I manually log on to look for them. Of course, that is also a benefit.



This is the only thing stopping me from doing it.

I spent a couple hours today going through and redoing all my passwords (using a random generator) and logging them in a central location (using one of the programs mentioned in your original post). I've never had a problem with account security, but I also used to waste a lot of time when I forgot passwords trying to remember security questions and whatever. I've got nearly 50 username/password combinations, some of which were saved in the browser. I took the opportunity to use stronger passwords so hopefully I won't have any future problems related to that.

One other thing to keep in mind is that you should not let your "browser" remember your passwords. While there is no doubt some way to make those passwords secure, it seems as though there are easier ways to "crack" browser encrypted passwords than cracking such programs as roboform or keepass.

Drieendertig, just make sure that central location is secure

Cheapoking, thanks for the plug-in suggestion. Though that one does not work for the mac, I am more concerned about a logger at work or on public computers, so I will have to see if it works for my portable firefox program on my thumb drive. I just added the ad blocker to my firefox browser. Cannot believe I did not have that one earlier.

tester99 said: Test for passwords

funny website.

a@QQ231j90 is 100% secure.
a@QQ231j90qq is 0% secure.

Also, if you do have an email account where important private data is sent, be sure you connect to it via SSL. Be sure your email client connects to the POP account via SSL.

I feel you can use simple common sense when it comes to passwords and logins. People are not going to hack your accounts randomly by guessing your logins and pw's by brute force attacks, unless you use extremely common logins and pw's. Most likely, they will see your paypal address on an eBay page or something of the sort, and go from there. If you use passwords with capitals and numbers, you should be fine. As stated before however, if a real hacker wants your info, he can probably get it...but 99% of the identity theft/hackers/spammers are preying on the stupid/uninformed/gullible people. They are not gonna get anyone from FW hopefully...unless it is LOA then that's fine with me

riznick said: Also, if you do have an email account where important private data is sent, be sure you connect to it via SSL. Be sure your email client connects to the POP account via SSL.

how does one ensure that?

xmatrikx said: Most likely, they will see your paypal address on an eBay page or something of the sort, and go from there.

That is why I recommend a separate e-mail account for your banking. By the way, make certain you are familiar with how one resets your e-mail account password and then determine how easy it is to be hacked. Just click "forgot my password" and follow the prompts. Remember, anybody who has an email address from any site you purchased from, has your full address and zipcode because it was provided by you for shipping (a good reason to have things shipped to the office if they are small

DavidScubadiver said: riznick said: Also, if you do have an email account where important private data is sent, be sure you connect to it via SSL. Be sure your email client connects to the POP account via SSL.

how does one ensure that?

Most public email providers have an https version of the login page, and an SSL or only allow an SSL connection for POP3 access. Without https/SSL your login info is sent in plain text and it is easy to grab.

There is another disadvantage to using something like Th36Nx9E8VDiAW@gmail.com as your email address.

When your FI clumsily sends an email to every customer which includes the email address of every customer, yours becomes easy to identify.

Dugggg, no more easily identified than many of the FWF handles I noticed when that happened!

LOL, touché!

Ah, a good topic. You can find much info on Steve Gibson's site.

Perfect Passwords- a password generating page. "Every one is completely random (maximum entropy) without any pattern, and the cryptographically-strong pseudo random number generator we use guarantees that no similar strings will ever be produced again."

Perfect Paper Passwords, PPP design- "The trouble with a username and password is that they never change. We create them, write them down or memorize them, then use them over and over again. What has been needed is an inexpensive system that provides something which changes every time it is used. GRC's Perfect Paper Passwords system offers a simple, safe and secure, free and well documented solution that is being adopted by a growing number of security-conscious Internet facilities to provide their users with state-of-the-art cryptographic logon security."

This guy published great security podcasts with transcripts available. You can search the transcripts by googling: "passwords site:grc.com" or go to the list--Security Now

Well, sure you can use tokens to log on to etrade and other sites but I certainly do not want to generate and input random numbers for all of my banks. At least not until I know a person that has been hacked. For me there is no inconvenience to using roboform and so I do so. Indeed I got it for free by signing up for some free services years ago. I don't know if they still offer that though.

DavidScubadiver said: I like having a separate e-mail account. It allows me to have all of my "financial" e-mail in one place without being buried in spam and personal crap.
It also has the benefit of making it impossible for anybody to even spoof my e-mail because there really is nobody who knows my e-mail address since it is only used with my financial institutions. Not saying this is a real risk. It's just an added benefit. Downside is I don't check that e-mail as often as my regular e-mail so I won't see any alerts that are sent to that mailbox until I manually log on to look for them. Of course, that is also a benefit.

I do not worry about keyloggers at work because I don't type in my passwords. Roboform, from my thumb drive, fills in the form directly.


Keyloggers can have a feature to save everything that was put in the Clipboard.

Again, yet another level of obscurity which leads you into a false sense of security.

Spamalot, Roboform does not copy your passwords onto the clipboard, does it?

dimatkach said:
Username is not a weak link, because it is useless without a password. If the password is strong enough, the user name can be 'jon', it's perfectly fine.

Suppose your username is dimatkach everywhere. Anyone could very easily do a DoS attack on you, simply by visiting a number of mainstream banks and other sites, and deliberately guess your password wrong ~3-5 times. Your account will be locked. A determined attacker could even block you from the tedious unlocking process by scripting the attack.

I had to go through a very lengthy and tedious password recovery process every time I needed to login to a particular bank. I wondered whether someone was being malicious, or if I happened to have a username that someone else likes to use.

The takeaway is to use a random and different username for every account. And for privacy, it's better to not have all accounts associated to each other by a common UID anyway.
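The lockout denial-of-service described in the post comes from counting wrong guesses per account, so that anyone who knows the username can trip the lock. The added example below (not code from the thread, written from the site operator's side) simulates the two counting policies; the usernames, addresses, thresholds and lockout length are constructed for illustration.

```python
from collections import defaultdict

# Constructed credential store for the demo (real systems store password hashes).
USERS = {"dimatkach": "correct-horse-battery"}
MAX_FAILURES = 3         # assumed threshold, like the "~3-5 times" in the post
LOCKOUT_SECONDS = 900    # assumed lockout length


class LockoutPolicy:
    """Counts wrong guesses under a key chosen by key_fn and locks that key
    after MAX_FAILURES. The choice of key decides who a lock affects."""

    def __init__(self, key_fn):
        self.key_fn = key_fn                 # maps (account, source) -> counter key
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allowed(self, account, source, now):
        return self.locked_until.get(self.key_fn(account, source), 0) <= now

    def record(self, account, source, ok, now):
        key = self.key_fn(account, source)
        if ok:
            self.failures[key] = 0
            return
        self.failures[key] += 1
        if self.failures[key] >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS


# Per-account key: any stranger who knows the username can lock the account.
hard_lock = lambda account, source: account
# Per-(account, source) key: a stranger's failures lock only that stranger's
# source. Caveat: pair this with a slow global throttle, since an attacker
# with many addresses is otherwise unconstrained, and a shared NAT still
# puts the real user behind the same source as a guesser.
per_source = lambda account, source: (account, source)


def login(policy, account, password, source, now):
    """Returns 'ok', 'bad_password' or 'locked'."""
    if not policy.allowed(account, source, now):
        return "locked"
    ok = USERS.get(account) == password
    policy.record(account, source, ok, now)
    return "ok" if ok else "bad_password"


def simulate(policy):
    """A stranger guesses wrong five times, then the real user logs in with the
    right password from a different address. Returns the real user's result."""
    stranger, own_device = "203.0.113.5", "192.0.2.10"   # RFC 5737 test addresses
    for t in range(5):
        login(policy, "dimatkach", "wrong-guess", stranger, now=t)
    return login(policy, "dimatkach", "correct-horse-battery", own_device, now=10)
```

Under `hard_lock` the real user sees "locked" even with the right password, which is the effect the post describes; under `per_source` the stranger's source is locked after three failures while the real user logs in normally.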


