Two factor authentication - have you? Passwords
NavyDiver
30th September 2022, 08:26 AM
Did you know most passwords can be guessed if you know some key birthdays, car rego, nicknames or similar?
I have turned on two factor authentication for everything I can and suggest you think about it as well.
The recent Optus hack was not the only one. Often things we share might give the hint to our passwords.
Random passwords and two factor authentication are not that hard. I generate 50 random passwords and randomly select which one I use.
I do not share passwords between sites.
There are a lot of very good secure apps for generating and storing passwords securely.
Norton one on Play Store
(https://play.google.com/store/apps/details?id=com.symantec.mobile.idsafe&hl=en&version=6.6.2-391&path=pwd-gen)
If your bank doesn't ask them to!
Accountants report spike in hackers lodging false tax returns, superannuation claims (https://www.abc.net.au/news/2022-09-30/accountants-report-hackers-lodging-false-tax-returns-super-claim/101488108)
spudfan
30th September 2022, 08:35 AM
Can't say that passwords bother me too much. When I want money I just go to the Mrs and show my driver's licence as identification. Never had a problem. She did spot once that the driver's licence was close to expiry and she told me if I let it expire she would not accept it for identification. Been vigilant ever since.
NavyDiver
30th September 2022, 09:25 AM
PS: CBA has NetCode. It does ask for one at your first log on and when you make transfers and payments. It doesn't require it for trusted devices you have already used a NetCode for.
Bendigo bank is very helpful and easy as well.
Link (https://www.commbank.com.au/support.digital-banking.explain-netcode-sms.html)
trout1105
30th September 2022, 09:53 AM
I have a memory like a sieve, but it is highly unlikely that I will ever forget my old army service number. That and a few letters seems to be secure "so far"[thumbsupbig]
BMKal
30th September 2022, 11:54 AM
I generally don't have a problem remembering passwords / PIN numbers (provided they are not too over-complicated). My problem is more remembering WHICH password or PIN I have used for each different application / account / program / website etc - and I never use the same password / PIN twice.
I use an app called Dashlane which works across most platforms and in most programs. You can store your own passwords in it, and / or it will generate strong passwords for you to use (separate password for each application / site etc). You only have to remember one master password to access all others when required (or on iPhone and others similarly equipped, you can set it to use facial recognition to allow passwords to be used or accessed). And believe me - NOBODY is ever going to be able to "guess" my master password that gets me access into this app.
If you run all Apple gear as I currently do, there is also a very good password storage system within the Apple operating systems which can be set to work across all your devices if you have them linked to iCloud. It does not have a strong password generator as Dashlane does though - and does not work outside the "Apple" environment, whereas Dashlane seems to work well on all platforms.
Password Manager App for Home, Mobile, Business | Dashlane (https://www.dashlane.com/)
Tombie
30th September 2022, 11:55 AM
Trout - delete that post, you've almost given away half the effort to crack a password by that statement (unless it was a lie [biggrin] )
NavyDiver
30th September 2022, 12:05 PM
I have a memory like a sieve, but it is highly unlikely that I will ever forget my old army service number. That and a few letters seems to be secure "so far"[thumbsupbig]
Did you shout it out every time we got that cash envelope like us Matlows did[bigwhistle] I did use mine for a few years[thumbsupbig]
p38arover
30th September 2022, 12:12 PM
Did you shout it out every time we got that cash envelope like us Matlows did[bigwhistle] I did use mine for a few years[thumbsupbig]
I had to look up that spelling, I've always spelled it "matelot" - but it appears your spelling is an alternative which I've never seen before.
NavyDiver
30th September 2022, 12:29 PM
I had to look up that spelling, I've always spelled it "matelot" - but it appears your spelling is an alternative which I've never seen before.
You're right - it was a cunning test I made for you [biggrin]
Tote
30th September 2022, 12:40 PM
There's a school of thought that the benefits of different complex passwords for every use are more inclined to make you record them in an unsafe manner such as writing them down or using an unprotected file on your computer. The old chestnut of the password stuck to the bottom of the keyboard because someone in security decided that the most secure option is to have a 16 character password comprised of special characters and which must be changed once a month comes to mind. Multi factor authentication is a very good addition but has its shortcomings as well (try logging on to the Qantas web site from the other side of the world when you have left your phone at home and are using a work one).
I use a tiered system where many sites such as parts suppliers have a similar passphrase to log on and I can live with the risk of someone ordering Land Rover parts on my behalf. Most e-commerce sites such as Amazon and eBay that store card details have a different passphrase and I can remember all those; similarly bank accounts have separate passphrases. Other higher importance and less frequently used passwords are managed by an offline password management system on my server which is backed up regularly. I quite like the look of the Dashlane manager and might investigate it further; implementing that gives me protection against losing the offline password manager but comes at the cost of transferring that risk to the company who makes the product.
Passphrases are better than passwords and are easier to remember than a random string of numbers. They give a longer and more complex password that is more resistant to brute force attacks and as long as you don't choose something that is obviously related to your life/history/hobbies is hard to guess. For example I doubt that someone would guess if I were to use "0hWh@taFeeling" as a passphrase although it might not be as effective for a Hilux driver :-)
Regards,
Tote
NavyDiver
30th September 2022, 01:01 PM
There's a school of thought that the benefits of different complex passwords for every use are more inclined to make you record them in an unsafe manner such as writing them down or using an unprotected file on your computer. The old chestnut of the password stuck to the bottom of the keyboard because someone in security decided that the most secure option is to have a 16 character password comprised of special characters and which must be changed once a month comes to mind. Multi factor authentication is a very good addition but has its shortcomings as well (try logging on to the Qantas web site from the other side of the world when you have left your phone at home and are using a work one).
I use a tiered system where many sites such as parts suppliers have a similar passphrase to log on and I can live with the risk of someone ordering Land Rover parts on my behalf. Most e-commerce sites such as Amazon and eBay that store card details have a different passphrase and I can remember all those; similarly bank accounts have separate passphrases. Other higher importance and less frequently used passwords are managed by an offline password management system on my server which is backed up regularly. I quite like the look of the Dashlane manager and might investigate it further; implementing that gives me protection against losing the offline password manager but comes at the cost of transferring that risk to the company who makes the product.
Passphrases are better than passwords and are easier to remember than a random string of numbers. They give a longer and more complex password that is more resistant to brute force attacks and as long as you don't choose something that is obviously related to your life/history/hobbies is hard to guess. For example I doubt that someone would guess if I were to use "0hWh@taFeeling" as a passphrase although it might not be as effective for a Hilux driver :-)
Regards,
Tote
thatSfanstick$#tOTE
PhilipA
30th September 2022, 01:09 PM
I list my passwords, but in an encrypted file in Word. The encryption is by Trend Micro.
I cannot understand why there is this demand for multi factor ID, as if your licence and passport and/or Medicare are gone then you have the problem.
Most of the problem for those of us who have been told by Optus that only our name, address, DOB and email have been hacked is phishing, and we are always alert to this. Our email and password for a book shop in Canada was "pawned" years ago and so we are used to crap emails. I just hope Optus is not speaking with forked tongue or actually knows the true extent of the data hacked.
I cannot see how 2 factor helps in these circumstances.
At present we have one Apple account between 2 iPods and 2 phones and if we introduce 2 factor ID, for sure it goes to the wrong device and needs phone calls to find. I was able to delete it before the time expired.
2 factor ID is usually required for particular websites such as electricity suppliers and myGov. Why, I don't know, as I would be grateful if someone paid my bill. If someone cut off my power I would soon know!
I also do not see why you should change all your passwords on non Optus accounts, as they have not been compromised and any hacker would have the same problem as me when I forget one. I changed my password on my Optus account even though they said don't bother!
I think the most elegant solution I have seen is on one of my bank accounts where the password is a number and the order of the keyboard on the screen changes randomly. Could be overpowered I guess with a very powerful computer.
Regards PhilipA
V8Ian
30th September 2022, 01:11 PM
thatSfanstick$#tOTE
Mods, swear filter dodge! $100.00 fine?[tonguewink]
Tote
30th September 2022, 01:27 PM
I list my passwords, but in an encrypted file in Word. The encryption is by Trend Micro.
I cannot understand why there is this demand for multi factor ID, as if your licence and passport and/or Medicare are gone then you have the problem.
Most of the problem for those of us who have been told by Optus that only our name, address, DOB and email have been hacked is phishing, and we are always alert to this. Our email and password for a book shop in Canada was "pawned" years ago and so we are used to crap emails. I just hope Optus is not speaking with forked tongue or actually knows the true extent of the data hacked.
I cannot see how 2 factor helps in these circumstances.
At present we have one Apple account between 2 iPods and 2 phones and if we introduce 2 factor ID, for sure it goes to the wrong device and needs phone calls to find. I was able to delete it before the time expired.
2 factor ID is usually required for particular websites such as electricity suppliers and myGov. Why, I don't know, as I would be grateful if someone paid my bill. If someone cut off my power I would soon know!
I also do not see why you should change all your passwords on non Optus accounts, as they have not been compromised and any hacker would have the same problem as me when I forget one. I changed my password on my Optus account even though they said don't bother!
I think the most elegant solution I have seen is on one of my bank accounts where the password is a number and the order of the keyboard on the screen changes randomly. Could be overpowered I guess with a very powerful computer.
Regards PhilipA
Multi factor authentication in its purest form is the combination of multiple ways to authenticate yourself; as an example, something you know (password), something you have (card, token) and something you are (fingerprint, iris scan, facial recognition). These multiple factors make it much more difficult to gain access to a secured resource, although we've all seen the movies where the chap's finger is cut off and presented to the fingerprint reader. The risk for electricity suppliers is that electricity bills can be used as a reference for establishing 100 points of ID to get a licence or passport, and it's a bad look for them if people can download documents from their website. Oh, and they care deeply about your privacy /sarcasm off
Agree, if you have differing passwords then there is little need to change them across services, but most security advice is given at the lowest common denominator (the person who uses their pet's name for all their passwords).
Regards,
Tote
PhilipA
30th September 2022, 01:35 PM
Yes agree. It never ceases to amaze me that people who are "phished" don't seem to do the most elementary check of actual sender on the email.
A pretty common one is the Australia Post/ fedex/whatever package is coming.
One of my friends who I thought was reasonably savvy had his hard disk locked.
The worst I have had is credit card details hacked about 3 times. "Falcon" told me that one was intercepted in a Thai telecommunications exchange, and the others were intercepts to websites.
Regards PhilipA
trout1105
30th September 2022, 02:08 PM
Did you shout it out every time we got that cash envelope like us Matlows did[bigwhistle] I did use mine for a few years[thumbsupbig]
Yep, NO number NO pay is a bloody good incentive to remember it[biggrin]
trout1105
30th September 2022, 02:12 PM
Trout - delete that post, you've almost given away half the effort to crack a password by that statement (unless it was a lie [biggrin] )
Mate, you were most likely not even born when I got issued that number, and without knowing the rank, date of enlistment and FULL name it is nigh impossible to find someone's service number.
Drivers licence, passport and medicare numbers are easy pickings, Service numbers are somewhat harder to find[thumbsupbig]
Saitch
30th September 2022, 06:00 PM
I had to look up that spelling, I've always spelled it "matelot" - but it appears your spelling is an alternative which I've never seen before.
Got me too, Ron. I've never seen "Matlow" previously.
p38arover
30th September 2022, 08:09 PM
^^ One never stops learning. [bigsmile]
RANDLOVER
30th September 2022, 10:40 PM
............... and something you are (fingerprint, iris scan, facial recognition) these multiple factors make it much more difficult to gain access to a secured resource, although we've all seen the movies where the chap's finger is cut off and presented to the fingerprint reader...............
My brother works with some very clever computer guys in the tele-comms industry and one of them said not to use biometrics as if you think changing your licence, passport, account number, etc. is difficult, imagine the difficulty changing a bio marker!
NavyDiver
1st October 2022, 07:57 AM
I tried using a photo on my phone's Face ID biometrics - you may need to cut my face or thumb off[biggrin]
Interesting security risk is that the phone backup includes that data of course!
myGov, myGovID and the two factor authentication applications I have on my phone have a device-specific tag/certificate, meaning duplication to a new device does take a lot more than a mirror duplication, happily[thumbsupbig]
I can remotely wipe my phone. Call me Mr Paranoid
V8Ian
1st October 2022, 08:46 PM
^^ One never stops learning. [bigsmile]
Or in this case, two. [bigwhistle]
Saitch
2nd October 2022, 08:47 AM
Or in this case, two. [bigwhistle]
Are you inferring that you were aware of the existence of "Matlow"? [wink11]
RANDLOVER
2nd October 2022, 11:56 PM
I tried using a photo on my phone's Face ID biometrics - you may need to cut my face or thumb off[biggrin]
Interesting security risk is that the phone backup includes that data of course!
myGov, myGovID and the two factor authentication applications I have on my phone have a device-specific tag/certificate, meaning duplication to a new device does take a lot more than a mirror duplication, happily[thumbsupbig]
I can remotely wipe my phone. Call me Mr Paranoid
I think too much responsibility is placed on customers, as there is a scam going around where crims hijack an email and change the bank account number but not the name, and the bank will process payments even though the two don't match! Also I watched a doco about scams in the UK and quite a lot seems to be done with inside help from bank employees, shop employees and postal workers.
DiscoMick
3rd October 2022, 09:48 AM
Had an interesting discussion with a data security expert for the Qld govt while camping on Saturday.
He said the main problem with the Optus hack was not what ID it required, but the fact the verification details were retained rather than being deleted.
He said retaining details meant Optus had a duty of care to keep them safe. He also said the Optus breach was not that difficult, but wouldn't say how it was done.
He also said he tells Qld govt bodies to delete the verification details, and ask for them again if it is necessary to reverify.
So the result is stringent verification plus deleted details.
Apparently one problem is federal terrorism legislation passed in 2017 forces telcos to retain identification details for up to 2 years after an account ends, which can mean up to 6 years.
So Optus, and probably all telcos, are storing that information to comply with federal laws and so become attractive targets for hackers. So maybe Optus is being unfairly blamed for trying to comply with federal laws.
Sounds like the laws need to be changed to cut the retention times and increase deletion.
PhilipA
3rd October 2022, 01:39 PM
On 26/9 Optus emailed me saying that my name, address, DOB and home address were hacked and in bold "No ID document numbers or details have been affected". Last night I get a text saying "Cyberattack update: Confirming only the licence number on your Driver Licence was exposed, not the card number. Your State or Territory government will provide advice on any action that you may need to take via their website". I wonder which is correct. I have entered a chat with Optus but don't anticipate any answer. This is really ****ty. At the time I wondered if they actually knew or may have lied. So I am in limbo. Regards PhilipA
Graeme
3rd October 2022, 03:56 PM
I'm a grain grower who sells grain to grain buyers. Quite some years ago most grain buyers agreed to centralise their grower details with a 3rd party business, although my prime buyer maintains their own details. That 3rd party this year upgraded their online system then requested growers by email to log onto their new system with their existing logon to check their details. However they set the new system to require additional identification proof such as a driver's licence, Medicare or passport number at the initial logon. Well before the Optus incident I declined to hand over any such identification on the basis that they have no right to require such information from me and my providing such information increases the risk of identity theft. I don't know how this will progress, especially in light of the Optus incident, but I don't need to update any personal information at this time; indeed I've not needed to update my details since the 3rd party arrangement commenced. Grain buyers pay direct to the grower, not to the 3rd party.
DiscoMick
3rd October 2022, 06:56 PM
If I was you I would change my licence number, just to be sure.
On 26/9 Optus emailed me saying that my name, address, DOB and home address were hacked and in bold "No ID document numbers or details have been affected". Last night I get a text saying "Cyberattack update: Confirming only the licence number on your Driver Licence was exposed, not the card number. Your State or Territory government will provide advice on any action that you may need to take via their website". I wonder which is correct. I have entered a chat with Optus but don't anticipate any answer. This is really ****ty. At the time I wondered if they actually knew or may have lied. So I am in limbo. Regards PhilipA
PhilipA
3rd October 2022, 08:23 PM
In NSW they will change your card number only and it costs $29, to be refunded by Optus, maybe one day in the far far future. STOP PRESS. I apparently am being given an Equifax account for one year to check whether anyone tries to steal my identity. Of course I went through the motions and applied, only for the Optus special number not to work, so more time on the phone tomorrow. Regards PhilipA
NavyDiver
3rd October 2022, 08:38 PM
In NSW they will change your card number only and it costs $29, to be refunded by Optus, maybe one day in the far far future. STOP PRESS. I apparently am being given an Equifax account for one year to check whether anyone tries to steal my identity. Of course I went through the motions and applied, only for the Optus special number not to work, so more time on the phone tomorrow. Regards PhilipA
VicRoads rego due - when online it offered two 2 factor verification methods. Bravo Zulu VicRoads, I would say.
Optus business phone account for two weeks 4 years ago. The phones, which did not work and cost me $$$$$$$$$, got all my details. :bat::bat::bat::bat:
Such is life [bighmmm]
prelude
3rd October 2022, 10:28 PM
Being one "of those guys" that was on the internet way before 99.9% of the population had even heard of it and Tim had not invented HTML/HTTP yet, I also have a very old email address. After many decades of warding off spam, a couple of years ago my accounts were leaked "somewhere" and since then it got harder and harder for me to keep simple passwords since hackers have tried to hack my Apple ID, Amazon, eBay etc.
Usually these are scripted attempts where a person is not actively doing things, so the recent trend of emails being sent immediately after a change and my non-existent sleeping pattern has helped me to always be one step ahead of those guys by resetting the password immediately, but the attempts kept coming. Not only did that make logging into stuff extremely hard since you fall into the black hole of "we see you are logging in from an unexpected location" etc. etc., but it also made remembering passwords an impossibility. I never trust anything cloud, unless I run it myself, so it took quite some time for me to switch to a password manager.
I since have switched to a password manager, to Bitwarden, which has a community server you can run yourself so only you have access to your data. My life has since become MOSTLY easier, but in certain situations where you need to actually type a password it has become a number of factors harder... The beauty of Bitwarden, imho, is that it has an OTP function built in so that two factor authentication through that has become a breeze. All I need to do is have my password manager unlocked, type CMD-L (on a Mac) to fill in the login form and the application also puts the OTP code on the clipboard, so when the screen jumps to "enter your two factor authorization code" all I have to do is CMD-V (or paste) and hit enter to log in. With two factor auth on most accounts all those hacking attempts have ceased.
More secure, and faster logins. Just too bad that some only work with SMS as two factor auth codes :(
i.e. I rate Bitwarden; two factor can be a hassle but can be mitigated with a password manager.
Cheers,
-P
superquag
3rd October 2022, 10:29 PM
What is the juice on what this bloke has to say about two-factor authentication? Much (most....) goes so high over my head it doesn't ruffle the hair...
- Lots of info on other subjects, such as de-googled and Linux OS phones.
ALL comments welcome!
2FA is a Big Tech Scam! You Must Resist! - YouTube (https://www.youtube.com/watch?v=ChKpf5HjcSY)
EDIT: - Would this be a case for "burner" mobiles - like are available in the USA? A totally anonymous phone with no documented connection to the owner. Yep, am a tad paranoid over tracking etc.
3toes
6th October 2022, 06:01 AM
For a password to provide any protection it must be at least 10 characters long. It does not matter what the characters are. Cracking it is a simple process and the software to do so is readily available on the net for about £5.
The person attempting to crack the password is a business like any other and so there is a time cost/benefit part of the equation for cracking the password.
In simple terms, the more characters the longer it takes to crack the password. It is at about 10 characters that it becomes uneconomic to keep going with the attempt to crack the password.
A 5 character password can be cracked in about 4 minutes. More characters take longer, as the time taken is exponential.
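Tote's earlier point that passphrases beat short passwords against brute force, and 3toes' point that the time to crack grows exponentially with length, both come down to keyspace arithmetic. The following is an added example, not from the thread: it works the numbers for a character password and for a random diceware-style passphrase at an assumed guess rate (the rates, the 7776-word list size and the function names are this example's assumptions), with the caveat that the figures only hold when the characters or words were chosen at random.

```python
"""Keyspace arithmetic behind "more characters take exponentially longer".

Added example, not from the thread. Guess rates below are assumptions:
a GPU rig against a fast unsalted hash manages billions of guesses a second,
while a deliberately slow hash (bcrypt/argon2) drops that to tens of thousands.
"""
import math
import string

# Character classes used to estimate the alphabet an attacker has to cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),   # 26
    "upper": set(string.ascii_uppercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}

# Assumed guesses per second, not figures from the thread.
RATES = {
    "fast hash on GPU": 10 ** 10,
    "slow hash (bcrypt-like)": 10 ** 4,
}


def charset_size(password):
    """Size of the smallest standard alphabet containing every character used."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(length, alphabet):
    """Number of candidates: alphabet ** length, hence exponential in length."""
    return alphabet ** length


def bits(space):
    """Entropy in bits for a uniform choice from `space` candidates."""
    return math.log2(space)


def seconds_to_exhaust(space, guesses_per_second):
    """Worst case for the attacker; on average the password falls at half this."""
    return space / guesses_per_second


def describe(seconds):
    """Human-readable duration."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def password_report(password, guesses_per_second):
    """Estimate for a character password, assuming it was drawn uniformly at
    random from its alphabet. A leet-substituted phrase such as a song title is
    NOT uniform: wordlist plus substitution rules cover it far faster, so this
    is an upper bound on its strength, not a measurement."""
    alphabet = charset_size(password)
    space = keyspace(len(password), alphabet)
    return {"length": len(password), "alphabet": alphabet,
            "bits": round(bits(space), 1),
            "exhaust": describe(seconds_to_exhaust(space, guesses_per_second))}


def passphrase_report(words, guesses_per_second, dictionary_size=7776):
    """Same estimate for `words` words drawn at random from a diceware-style
    list (7776 = 6**5 entries). The attacker is assumed to know the list;
    only the random choice is secret, which is why it still holds up."""
    space = keyspace(words, dictionary_size)
    return {"words": words, "bits": round(bits(space), 1),
            "exhaust": describe(seconds_to_exhaust(space, guesses_per_second))}


if __name__ == "__main__":
    rate = RATES["fast hash on GPU"]
    for length in (5, 8, 10, 14):  # 95 = printable ASCII minus space
        space = keyspace(length, 95)
        print(f"{length:2d} chars of 95: {bits(space):5.1f} bits, "
              f"{describe(seconds_to_exhaust(space, rate))} at {rate:,} guesses/s")
    for words in (4, 5, 6):
        print(f"{words} random diceware words:", passphrase_report(words, rate))
    print("0hWh@taFeeling, if it were random:", password_report("0hWh@taFeeling", rate))
```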
Tote
6th October 2022, 07:11 AM
What is the juice on what this bloke has to say about two-factor authentication? Much (most....) goes so high over my head it doesn't ruffle the hair...
- Lots of info on other subjects, such as de-googled and Linux OS phones.
ALL comments welcome!
2FA is a Big Tech Scam! You Must Resist! - YouTube (https://www.youtube.com/watch?v=ChKpf5HjcSY)
EDIT: - Would this be a case for "burner" mobiles - like are available in the USA? A totally anonymous phone with no documented connection to the owner. Yep, am a tad paranoid over tracking etc.
Burner phones will never happen in Australia; the legislation tying (potential) internet connections to people is too strong. This is not to say that it is effective, just stating that to get a phone without ID tying it to the owner is pretty difficult and probably is only achievable via forged ID documents, so not legal.
Regards,
Tote