
vzzbuckz 61 posts

My friend who does cyber security says that the best password is 3 random words and don’t bother with fancy characters. Also, never use public wifi!

The ‘3 random word’ model is advocated because the level of entropy is high (longer passwords are harder to brute force) but people find it very difficult to come up with random words. A tool called ‘Diceware’ is available that generates three random words for you. You still need a password manager though as you have to have a different ‘3 random word’ combination for each site you visit.

Agree with public wi-fi but if you do need to use it, you should use a paid-for VPN like Express VPN or Nord VPN. The reason for this is that airports are notorious places where hackers put up fake wi-fi sites. People join these sites but think the connection to their favourite websites is encrypted so they are ok. The problem is that the fake wi-fi also has a fake DNS server, so http://www.ba.com is not really sending you to ba.com. Most sites generate a hidden session key when you connect, so you don’t have to log in every time, and when you are connected to that dodgy wi-fi site, the owner will sniff that session key and then use it in what’s called a replay attack; this will allow them to log into your ba.com account without a username and password. (You connect to dodgy wi-fi, you connect to ba.com, the hacker’s DNS intercepts this, steals the session key your browser generates, forwards you to ba.com as though nothing has happened. They then connect to ba.com with your stolen session key and change your email address etc.).

So the general lesson is: use a paid-for VPN if on public wi-fi and use a password manager.
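
An added example, not part of the post above or of any site's own code: a session cookie set without the Secure attribute is sent on plain http:// requests, which is where a hostile wi-fi network can read it. This Python check audits response headers for that; the header values are constructed samples and the cookie-name heuristic is an assumption.

```python
from http.cookies import SimpleCookie

# Constructed response headers for two hypothetical sites (not captured traffic).
WEAK = [
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "lang=en; Path=/"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "lang=en; Path=/"),
]

# Assumed heuristic for spotting session cookies by name.
SESSION_HINTS = ("sess", "sid", "auth", "token")


def audit(headers):
    """Return sorted findings about HSTS and session-cookie attributes."""
    findings = []
    header_names = {key.lower() for key, _ in headers}
    if "strict-transport-security" not in header_names:
        findings.append("no HSTS: a first request can still go over http://")
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not any(hint in name.lower() for hint in SESSION_HINTS):
                continue  # preference cookies etc. are not session secrets
            if not morsel["secure"]:
                findings.append(f"{name}: missing Secure (sent over plain http)")
            if not morsel["httponly"]:
                findings.append(f"{name}: missing HttpOnly (readable by script)")
            if not morsel["samesite"]:
                findings.append(f"{name}: missing SameSite")
    return sorted(findings)


if __name__ == "__main__":
    for label, headers in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(headers) or "no findings")
```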
