Password Security
by Gamecox
8 months ago

Hey Guys,
I have a hypothetical question about password security. Please bear with me because I’m not nearly as smart about this stuff as you.
Like many of you, I have set up a user account on about 50 different web sites all ranging from A-Z, you name it. With very little exception I use the same ID and PW on all these sites. It wasn’t until recently that I noticed that about 5-10 of them transmit the logon page unencrypted because the site doesn’t deal with sensitive information.
So here is the question. Is it possible for a hacker to “follow you around from site to site” until you log on to one of those sites that doesn’t encrypt the login page, get your ID and PW, then start trying to use them at sites like E-Trade, etc. until they eventually find your money?
I hope not, but if so how would you handle this situation?

Thanks

by ThornyD
8 months ago

It would be rare for a hacker to focus on one individual and follow them around. It would be more likely your ID and PW would end up in a list of hacked accounts after one of the sites that you use them on was compromised. A hacker could use that list of ID/PWs to gain access to any other sites, which may include sites that you’ve used your ID/PW combo on. In this case, encryption won’t matter one bit. By using the same ID/PW on multiple sites, you’re essentially leaving copies of your “key” all over the place, some encrypted, some not.
That’s why unique IDs and secure passwords are a must.

by WeWatch
8 months ago

They wouldn’t follow you manually, but they might programmatically.

Let me explain.

If your PC is infected, they will steal your login credentials – all the logins and passwords they can find – and try them on the various sites like TD Ameritrade, etc. This is why people recommend using different credentials for every site you log in to.

It happens all the time.

Thomas J. Raef
“We Watch Your Website – so you don’t have to!”
http://www.wewatchyourwebsite.com
traef@wewatchyourwebsite.com

by maxim
8 months ago

Thomas is right. However, the use of encryption by a website isn’t likely to have much effect on whether the malware will be able to capture your credentials.

HTTPS is key when you’re using Wi-Fi (especially unencrypted Wi-Fi in a cafe or other public place) or when you have some reason to believe that your employer is monitoring your Internet traffic. In these cases, encryption will ensure that no one is sniffing around.

There are some tools out there for managing multiple passwords and securing the information with a single master password. I’ve also heard that some people use schemes to incorporate something about the website into a common password. So, for example, if your password is “rosebud,” you might use “rosebudbad” for badwarebusters.org and “rosebudgoo” for Google. This wouldn’t protect you against a hacker examining your passwords manually, but it would help against the kind of automated attack that Thomas described.
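The exact reuse ThornyD warns about and the shared-stem scheme maxim describes can both be checked offline against your own password list. The following is an added example written for this thread, not code from any poster; the vault entries are constructed, and the minimum stem length of 6 characters is an assumed threshold.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault of (site, user, password) entries; none are real.
# The strong bank password is a made-up random string.
SAMPLE_VAULT = [
    ("etrade.example", "gamecox", "rosebud"),
    ("forum.example", "gamecox", "rosebud"),
    ("news.example", "gamecox", "rosebud"),
    ("badwarebusters.org", "gamecox", "rosebudbad"),
    ("google.com", "gamecox", "rosebudgoo"),
    ("bank.example", "gamecox", "kZ8#vQ2!pL9wTx4m"),
]

def fingerprint(password):
    # Group by a short hash so the report never echoes a secret in clear text.
    return hashlib.sha256(password.encode()).hexdigest()[:12]

def exact_reuse(vault):
    # Map each password fingerprint to the sites that share it;
    # keep only fingerprints used on more than one site.
    groups = defaultdict(list)
    for site, _user, password in vault:
        groups[fingerprint(password)].append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}

def common_prefix_len(a, b):
    # Length of the leading run of identical characters in a and b.
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def stem_reuse(vault, min_stem=6):
    # Pairs of *different* passwords that share a long common prefix
    # ("rosebudbad" / "rosebudgoo"): exposing one reveals the stem of the other.
    pairs = []
    for i in range(len(vault)):
        for j in range(i + 1, len(vault)):
            pw_a, pw_b = vault[i][2], vault[j][2]
            if pw_a != pw_b and common_prefix_len(pw_a, pw_b) >= min_stem:
                pairs.append((vault[i][0], vault[j][0]))
    return pairs

def audit(vault):
    # Combined report: sites sharing an identical password, and site pairs
    # whose passwords differ only past a shared stem.
    return {"reused": exact_reuse(vault), "stems": stem_reuse(vault)}
```

Running `audit(SAMPLE_VAULT)` flags the three sites sharing "rosebud" as exact reuse and every "rosebud*" pair as stem reuse, while the randomly generated bank password appears in neither list.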