To ask you to take responsibility for your own internet security?

[ElderlyKoreanLady]

Between having seen the list and the responses to Justine's thread, it's quite obvious that some people just don't grasp the very basics.

MN has been subjected to something that could happen to pretty much any site if the hacker is creative enough and I personally think they've handled it admirably. But they can't be responsible for an individual user's level of vulnerability.

Now, I'm not suggesting everyone learn how to set up VPNs and all that, but basic security is a must people.

Do not use the same password for everything.

Change passwords often.

Use complex passwords.

Use an email address that does not require your personal information to obtain.

I have to disagree Teenage, but granted, I should have said 'in my opinion' rather than stating it as fact

TeenageMutant I stand corrected, thanks for that link, it's made me rethink things! I'll change my passwords again apart from my MN one (which I'll change again when I'm sure they're not still phishing).

I know I'm being hideously naive, but if I only use this email address and password for MN and others (like Amazon, banking etc) are linked to other emails and have more complex passwords, what could happen if someone has my details from here?

Genuine question btw! I lack the imagination to know what could happen!

DJ then probably nothing too terrible can happen if the attacker literally just has your mn info and nothing else. But it depends exactly what the attacker did, and we may not yet entirely know that. If the attack involved installing malware on your own devices, then potentially they can see and interfere with anything subsequently done on that device.

Get good security software. And keep it patched! That is the one, single, solitary, most important thing to do that will protect you online. Nothing can give you total, permanent protection, but that's your best start.

And I'm with Teenage re complex passwords, sorry op :)

The advice on passwords is good, but it is important to remember that there are different levels of security needed for different things. Anything linked to your money online, or anything else that important, you need a very robust password.
But for MN, which lets face it, any information about you is what you'e freely shared openly online, doesn't really require high security. They don't hold your credit card details, or your address or much in the way of personal details. If you have a simple enough password for MN that is only for MN, then so what, really? What does it matter that someone has it?

It's the people who use the same email addresses with the same passwords for multiple things that need to rethink, and quickly, because they are vulnerable to these kind of things. If someone gets your email and password from here and its the same one for your paypal, they can access that too, for example.

I won't take it personally Puntastic

Will look into it at some point though. I've been taught as recently as a few weeks ago that a combination of upper and lower case rather than all one or the other greatly increases password security. If this isn't the case and I don't have to piss about trying to remember which letters of my passwords are caps, I'll be very happy!

The thing is, ok, that using different character sets raises the entropy in your password - higher-entropy passwords are more resistant to brute force attacks. Plus, it makes the password feel stronger so you feel better protected, right?

Trouble is, brute force attacks aren't the most significant attack vector by a long shot (as we've seen here, phishing/malware etc is much more prevalent and in those scenarios, password entropy doesn't make any difference whatsoever - if the attacker has nicked your password, he's nicked your password and that's it). And because computing power is getting cheaper and cheaper all the time (according to Moore's Law), creating a password that's invulnerable to brute force is already all but impossible, and only gets harder as time goes on.

So. Focusing on entropy in passwords, to the exclusion of all else eg usability, is the wrong move. Overall, it's better to focus on strategies that protect you better eg installing good security software and keeping it patched, avoiding reuse of passwords between sites especially when they protect information you care about, and creating passwords that are not trivial to guess but not impossible to remember either.

I would be vaguely interested in where you were taught this password advice, though, if you're able to share?

Twas a part of a course I attended - an intro session for a volunteer position I accepted last month.

Your explanation makes sense though. Perhaps that advice is still given in order to provide a bit of protection against less technical criminals?

Yep, possibly attackers do come in all shapes and sizes and levels of expertise - script kiddies through to nation states...

I'm just going to leave this xkcd.com comic here...

Ah that's good thanks Puntastic.

I'm confident my security stuff is all up to date, but I think I will set up new email accounts for social media and stuff with no financial details.