Joined: Oct 15, 2005 Posts: 123 Location: Somerset, England
Posted: Fri Nov 15, 2013 1:32 pm Post subject: Re: Badly handled?
molerat wrote:
I am appalled with the lax way you have handled this serious breach of your security. Why have you not informed ALL of your subscribers with a personal e-mail? Many will not receive or read the newsletter or go to the main page. Why do you not have a bold banner on all of the forums and the download pages so there is a chance that ALL of your subscribers stand a chance of receiving this information? 1/10 for your handling of this serious situation I am afraid.
Sorry molerat but in the real world that would be impossible. Email servers have severe limits to the numbers from one source (in case you are wondering how spam gets past these limits, spam is transmitted by hundreds and sometimes thousands of different email accounts).
PGPSW did their best under very hard circumstances.
Thanks for letting us know and I hope the matter is resolved quickly.
One area you can improve on is the use of the HTTPS protocol (http://en.wikipedia.org/wiki/HTTP_Secure) for logging in! The link in your newsletter for changing your user password is not secure. I know the HTTPS protocol is not perfect but it's better than nothing.
I believe that's on the cards...
In-transit encryption can only do so much however... it's as (if not more) important to ensure the at-rest security (currently MD5) is secure.
If you don't require insurance, you can obtain an entirely free SSL certificate from StartSSL.com.
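The point about at-rest security above is that an unsalted, fast hash such as MD5 gives every user with the same password the same stored value and costs an attacker almost nothing per guess. The following is an added illustration, not code from the forum or from PocketGPSWorld's own software; it contrasts unsalted MD5 with salted PBKDF2-HMAC-SHA256 from the Python standard library. The iteration count and the storage string format are assumptions chosen for the demonstration, and the sample passwords are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample passwords for the demonstration (not real credentials).
SAMPLE_PASSWORD = "password"
OTHER_PASSWORD = "correct horse"

# Assumption: a work factor that was reasonable for 2013-era hardware.
# New deployments should tune this upward (or use a memory-hard scheme).
PBKDF2_ITERATIONS = 200_000


def md5_at_rest(password: str) -> str:
    """Unsalted MD5, the scheme the thread says the site used.

    The same input always yields the same digest, so two users sharing a
    password are visible as identical rows, and a single fast hash gives
    no work factor against offline guessing once the table leaks.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256.

    Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<key hex>' so the
    verifier can recover the parameters from the stored string itself
    (format is an assumption made for this example).
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per password
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt/iterations and compare in
    constant time. Anything not in the expected format is rejected."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def md5_digests_collide_for_equal_passwords() -> bool:
    """Unsalted: equal passwords produce equal stored values."""
    return md5_at_rest(SAMPLE_PASSWORD) == md5_at_rest(SAMPLE_PASSWORD)


def salted_hashes_differ_for_equal_passwords() -> bool:
    """Salted: equal passwords produce different stored values."""
    return hash_password(SAMPLE_PASSWORD) != hash_password(SAMPLE_PASSWORD)


if __name__ == "__main__":
    print("md5   :", md5_at_rest(SAMPLE_PASSWORD))
    record = hash_password(OTHER_PASSWORD)
    print("pbkdf2:", record)
    print("verify ok:", verify_password(OTHER_PASSWORD, record))
    print("verify wrong:", verify_password("guess", record))
```

The salt is what removes the "same password, same row" property; the iteration count is what makes each guess expensive. Both are missing from a plain MD5 column, which is why the post treats it as the bigger problem than the lack of HTTPS.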
Joined: May 08, 2006 Posts: 252 Location: West Midlands. UK
Posted: Fri Nov 15, 2013 3:01 pm Post subject:
Yes thanks for the notification, I did mean to reply last week but got distracted.
And yes I do believe these things happen quite often with various sites but they do not bother notifying their members as you have done.
(If it ain't broke, I can soon fix it)
As a suggestion - might be worth at least changing the newsletter subject line to make it obvious there is important information within if you have a similar situation again.
I read the newsletter but at busy times, it sits in my inbox for a while before I open it (I opened the newsletter with the information about the breach on Sunday evening).
Joined: 11/07/2002 14:36:40 Posts: 23848 Location: Hampshire, UK
Posted: Sun Nov 17, 2013 6:57 pm Post subject:
stuartb wrote:
As a suggestion - might be worth at least changing the newsletter subject line to make it obvious there is important information within if you have a similar situation again.
I read the newsletter but at busy times, it sits in my inbox for a while before I open it (I opened the newsletter with the information about the breach on Sunday evening).
Thanks
Stuart
The issue that was sent out on the Friday following the breach was entitled as follows:
PocketGPSWorld Newsletter - Important Customer Security Announcement - November 8th 2013
In this week's issue we chose to repeat the announcement but did not change the title.
Darren Griffin
Joined: Aug 31, 2005 Posts: 15311 Location: Bradford, West Yorkshire
Posted: Sun Nov 17, 2013 7:14 pm Post subject:
Can you repeat it in next week's newsletter in case people haven't read the last two newsletters or the website or the forum or the twitter feed or the facebook page?
Joined: Apr 04, 2006 Posts: 10118 Location: Bexhill, South Sussex, UK
Posted: Sun Nov 17, 2013 7:46 pm Post subject:
Shame you don't have phone numbers. You could phone us all individually. That would prevent the server being marked as a spammer.
It should not have been necessary to change anything else if the same password/username was not used on other sites. I had shedloads where I had used my 'utility' password, but not on any that really mattered though.
Joined: Dec 27, 2006 Posts: 998 Location: South Lincs, UK.
Posted: Tue Nov 19, 2013 8:51 am Post subject:
Even though I don't get the time to visit here as often as I would like, I don't do twitter and I don't do facebook, I still became aware of the problem without any significant delay.
Thank you for your honesty and for keeping us informed. Well done!
Paul
Thanks for letting us know and for doing a great job.
I've got no complaints.
Says it for me too
There is always a basic weakness in each and every security system. Only one person designs the key part to a finite timescale and you have millions of people with loads of time trying to defeat it. Ultimately it's an unequal battle as the designer will never have been able to think of every possible attack. All you can do is buy time and use the age-old householder's defence of making your site less tempting than the site next door.
Oh, and interesting article and posts by Paul Moore.
Joined: Feb 27, 2006 Posts: 14902 Location: Keynsham
Posted: Thu Nov 21, 2013 8:48 pm Post subject:
At the risk of sounding exactly what I am (dumb, plonker, you name it), I saw the warning very promptly and have not done anything about it. By fortunate coincidence, I applied my new domain name and password to pgpsw at a time when I had the brilliant idea of using different email addresses for everybody so that I could tell when one (or one group) of my relatives or friends had been hacked and was trying to send me nasties. Trouble was, I never did remember who I had for which of the 17 addresses!! Plus which, one of my relatives decided to inform everybody on her address book of my new email address which was exclusively for her, and all her contacts were covered by 15 different ones! But at least I know I didn't use my pgpsw email address for many other places.
Reading this thread has persuaded me that perhaps I should. So.... it seems that 1password is worth using, so I looked at the link and all I got was that it costs $49 and is wonderful. The cost is nothing if it can save me the hassle of passwords, but how the hell do I use it?
Can somebody please give me a rundown on how to use it - I have iMac, two MacBook Pros, iPhone and iPad (and a crappy old Win laptop) and I'm damned if I have the faintest idea how to sync them all - sometimes they seem to do it, sometimes they don't and I never know how or which (except of course the Win laptop which doesn't do anything except take hours to boot up and run, so I don't). How do I get 1password to work for everything please? If you tell me all I need do is buy the thing and it'll do the business for me, fine. But I have a sneaking feeling I have to buy it, install it on all my devices, then go to every site I belong to and so on and so forth for a long time? Which, given my inbuilt ability to cockup many things, makes me shudder. Incidentally, would this thing work for my online banking - that has my unique ID, a pin number and password - it asks for numbers from my pin for every login and letters from my password too (e.g. pin 3 4 2 1 and password 2 4 6 8).
Dennis
The setup process is daunting... and there's no viable way to simplify it. It is however, well worth the effort.
TL;DR - Think of a strong master password, buy and install 1Password and go round every site you use to change the password to something stronger. Job done.
Basic steps are...
1. Think of a long, strong master password. The longer and stronger, the better. Mine is over 50 chars, but that's extreme and probably not recommended (if you forget it, you're in serious trouble). Wait a few days... try to remember it. Now give it a week... if you can still remember it, you're probably safe. Sounds daft but trust me, picking a secure master password is crucial.
2. Buy 1Password for your devices (note iOS and Windows are purchased separately)
3. Decide on your method of storage. On the device only, a file on a USB stick, DropBox/cloud sync etc
4. Install 1Password and any appropriate additions (Dropbox for example)
5. Install free 1Password browser plugins.
#6 can be done in two ways...
Make a list of every site you use (favourites/bookmarks etc) and visit them all, changing the passwords as you go (recommended). You'll quickly learn which sites take security seriously during this step. If passwords are stored securely, there is never, ever a reason to restrict length or which characters you can use.
or...
As and when you next login to a site, click "Save" when prompted by 1Password. Then, regularly open the 1Password application and view the strength bar of your password. If it's low, go back and change it.
From this point on... the next time you need to login anywhere, just hit CTRL + \ (Windows) or Control/Cloverleaf Key + \ (Mac) and you're done.
Syncing...
With Dropbox, your data is seamlessly and almost instantly uploaded. Depending on the speed of your connection & app configuration, subsequent downloads of those updates to your other devices can take anywhere from 10 seconds to a minute. Desktop applications & associated plugins update automatically. On mobile devices (certainly where Android is concerned, not sure about iPhone) it's a manual process. Go into settings and hit "Sync". It will connect to Dropbox, download a copy of your keychain and update 1Password. If you're 3G, it will be slow to update... taking several minutes. HSDPA/7.2Mbps connections will be similar to that of a normal connection (30 seconds to a minute).
Banking...
I use Halifax. The first screen (username & password) are handled by 1Password. The next page requires random chars from a memorable word, as you described. 1Password doesn't handle these natively, as it can only determine field names... not their respective values. However, I use the secure notes feature to store this information for quick reference. It's subjected to the same encryption as normal usernames/passwords, so it's no more/less secure than the rest of the application.
Last quick point relates to memorable information. Many sites (even supposedly secure ones) ask for mother's maiden name, first pet's name, DOB or similar. Never enter real information here... they are inherently insecure. Instead, generate a random password as you would any other password field... and store it in 1Password.
Consider this...
Your bank asks you for your mother's maiden name and DOB in order to reset your password, should you ever forget your ultra secure password. You then register with a seemingly innocuous-looking forum to chat about the latest GPS update... which also asks for your mother's maiden name and DOB. Hackers look for common denominators in data... and email addresses and answers to personal questions are a goldmine. If you've used the same email address with your bank and the forum (which is likely), they now have anything necessary to gain access to your account. The Halifax refer to it as a "memorable word" rather than anything specific like "first pet's name", so it's marginally safer... but not much.
I'm yet to come across anything which 1Password can't accommodate in some form or another. I'm led to believe the Apple version v4 is a huge leap forward compared to v3 on Windows, so they may well have addressed a lot of what I've mentioned.
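The post above recommends a long master passphrase and random, unrelated answers for "memorable information" fields. The following is an added example, not code from the forum, from 1Password or from any poster: it generates both kinds of secret with Python's `secrets` module (a CSPRNG, which the `random` module is not) and reports how much entropy each carries, so the reader can see why a 50-character master password is extreme and why a random answer beats a real maiden name. The alphabet, answer length and the tiny word list are assumptions constructed for the demonstration; a real passphrase should draw from a list of thousands of words.

```python
import math
import secrets
import string
from typing import List

# Assumption: letters and digits only, because some sites reject punctuation
# in "security question" fields (the post notes such restrictive sites exist).
ANSWER_ALPHABET = string.ascii_letters + string.digits

# Constructed toy word list for the demonstration. Eight words give only
# 3 bits per word; a diceware-style list of 7776 words gives ~12.9 bits.
TOY_WORDS: List[str] = [
    "gps", "map", "road", "turn", "route", "signal", "satellite", "speed",
]


def random_answer(length: int = 20) -> str:
    """A random string to use as the 'mother's maiden name' or similar.

    It has no relation to any real fact, so a leak from one site cannot
    be replayed at another. Store it in the password manager's notes.
    """
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def passphrase(words: List[str], count: int = 6, sep: str = " ") -> str:
    """A master passphrase built from uniformly chosen words.

    Words may repeat; choosing with replacement keeps every selection
    independent, which is what the entropy calculation below assumes.
    """
    return sep.join(secrets.choice(words) for _ in range(count))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def is_valid_answer(answer: str, length: int = 20) -> bool:
    """Check an answer has the expected length and stays inside the alphabet."""
    return len(answer) == length and all(c in ANSWER_ALPHABET for c in answer)


if __name__ == "__main__":
    ans = random_answer()
    print("random answer:", ans,
          f"({entropy_bits(len(ANSWER_ALPHABET), len(ans)):.1f} bits)")
    pp = passphrase(TOY_WORDS)
    print("toy passphrase:", pp,
          f"({entropy_bits(len(TOY_WORDS), 6):.1f} bits, too few: list is tiny)")
```

A 20-character answer from a 62-symbol alphabet carries about 119 bits, far more than any real maiden name or date of birth, and the entropy figure is what matters for a field that only a reset flow will ever read. The same function shows the flip side for passphrases: entropy comes from the size of the word list and the number of words, not from how the words look.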