(Keeping this anonymous because I'm worried my security's compromised and don't want to make it worse.) So for about the past six weeks, the log-in process on the Bank of America site has been behaving strangely for me. When I go to the BOA site I see my online userID in the normal way and click on it. That then takes me to the sitekey confirmation page where --weirdly-- my password is now showing up in plaintext on the login page, above the sitekey image. The first time this happened it was displaying my then-current password, which I immediately logged in with and changed. Since then, every time I go to log in I see the old password in plaintext, above the sitekey. When I enter either my then-current or my actually-current password it's rejected and I need to go through the reset process before I can successfully log in. I'm not freaking out, because there's no strange activity in my accounts. But still, it's unnerving. So..... what might be going on here, and what should I do about it? [more inside]
posted by anonymous on Apr 15, 2014
If one wanted to be paranoid about protecting access to critical accounts (bank accounts and the like) what are some steps that you can take short of building your own machine and never using it for any transactions at all other than those to the secure sites?
I have used LastPass and 1Password for years but frankly all of the recent revelations of security breaches and key loggers and the like make me wonder if I should consider other options for critical accounts (wondering out loud: is it not likely that the password app manufacturers were not NSA's first targets?)
Some accounts do not allow two step authentication.
posted by dougiedd on Mar 12, 2014
My "throw-away" password is in the list of those compromised by the Adobe hack. It's a common dictionary word that I use for sites that I really don't care about security on: things that I don't even understand why they should be password protected, "test-driving" sites or products where I don't intend to keep using them, and an old email account that was for a blog that I haven't updated in about four years. (And I don't use the account any more). I'm pretty unconcerned about it being compromised. Is there any reason I should worry? And if I do want to change it, is there any way to find out what all the sites are that I have used it on in the past? [more inside]
posted by lollusc on Nov 22, 2013
Does anyone have a simple method of coming up with excellent new passwords for every website that you can nevertheless easily remember? I'm thinking some combination of a master password combined with the website URL or something like that, but the underlying rule should not be easily guessable by others even if they have a few examples in front of them. Any ideas?
posted by shivohum on May 1, 2013
Instead of the usual "username/password" challenge, some bank websites ask you for a username, and then for some letters from your password -- e.g. 'Type letters 1, 4 and 7 of your password'. I understand that the advantage of this is that you never enter your whole password, thereby making life difficult for keyloggers. But I don't see how it's possible to implement such a system without (effectively) storing the password in plain text on the server, which is surely not a good idea. What is this practice called? Do security experts consider it good practice? Can you point me to a paper that explains how it is implemented securely?
posted by beniamino on Mar 28, 2013
What's a better-security alternative to Spam Arrest for challenge-response email?
I received a password reminder email from Spam Arrest today. It included my full password in cleartext, and when I went to change my password to a long semi-random string of hashed characters I discovered that they silently truncate entries to 20 characters, which would have locked me out if they didn't keep everything in the clear to remind me. Frightening. Is there anyone out there who offers C/R email and knows how to store passwords?
posted by migurski on Sep 8, 2012
Please help me find the password management solution I'm hoping exists: the ability to automatically, dynamically sync a specific folder of passwords between accounts w/o involving Dropbox. [more inside]
posted by pavane on Mar 20, 2012
What simple, secure, portable password and secure data management systems do you use? [more inside]
posted by garlic on May 4, 2011
What damage control measures can I do for selling my PC on eBay which was only partially wiped? Yes, I know how stupid this was. [more inside]
posted by anonymous on Dec 15, 2010
Help me design a secure method of keeping my passwords both safe and available. [more inside]
posted by Tehhund on Sep 23, 2010
Gmail security: Someone keeps trying to recover, or change, the password for my gmail account. I'd previously set my gmail recovery option to send me an SMS, and I'm getting a lot of SMSes saying, "Your Google Account recovery code is: ... If you did not request this code, you can safely ignore this message". I've already changed my secret question to be really obscure, but what else should I do to protect my account? Every couple of weeks, I get bombarded with SMSes because someone is trying to access my account. Can I temporarily disable the recovery option? I'm just worried that someone might guess the answer to my secret question by brute force or some other means.
posted by surenoproblem on Jun 17, 2010
SSHFilter: I'm trying to disable authentication by password for SSH users accessing a server from a remote location. By everything I've read it seems like I've done exactly that, but I can still log in from a remote machine using a password only. Help me get that to stop. [more inside]
posted by scrutiny on Apr 22, 2010
What are the legal implications of subpoenaing or obtaining a warrant for digital papers (such as a Gmail or Google Apps account) and finding a password? Could the prosecutor use the password to obtain more information from another digital source, such as another email account or a Facebook account? [more inside]
posted by Michael Pemulis on Apr 21, 2010
Online Security Filter: Welcome email contained plain text password. Specific examples of why this is bad needed. [more inside]
posted by TauLepton on Nov 23, 2008
How does my online banking fob work? Does it get numbers over-the-air or does it generate them according to some math I don't understand?
Background: to access my bank account on the web, I need to use the little electronic fob CitiBank sent me when I registered for online banking. The device generates a six-digit number every minute or so. But where does that number come from? Is the fob generating or receiving it?
posted by subpixel on Sep 24, 2008
I have noticed that there seems to be a split between some banks/financial institutions who maintain complex security around their on-line account access and others who seem to have actively migrated towards a much simpler approach. Is there any evidence that the "simple" approach is either more or less secure than the "complex" one? [more inside]
posted by rongorongo on Jun 6, 2008
I'm going to be doing some pretty extensive travelling next year, and I want to keep my family and friends up to date on my experiences. However, I want to do this in a way that doesn't inform general randoms about my movements... in other words, do password-protected blogs exist? [more inside]
posted by Planet F on Apr 28, 2008
I believe the mail server associated with my domain name is acting as an open relay. Hosting company claims everything's good. How can I double-check? [more inside]
posted by doctorpiorno on May 15, 2007
Why are many financial institutions moving to a two-step login process, where you enter your username on one page and then your password on the next? For instance, Vanguard. Their rationale is just that it's "more secure", but that's not much of a reason.
posted by smackfu on Aug 20, 2006
I have a desktop that is located in a semi-public place. I have a BIOS password and a Windows password on it. Sometimes I leave it logged out of Windows so that I can leave in the middle of a project without restarting everything again. I was wondering how hard it would be to get my data? Short of stealing the actual hardware, is there a way to get past a BIOS password and access my data without me knowing? (From what I understand, resetting the CMOS would clear the password so I would know if someone got in.) Also, is it possible to get in if I leave it logged out of Windows with a password? How safe is my data?
posted by D Wiz on Jun 5, 2006