Van's Air Force

I got hacked - Please learn from my mistake!

bertschb
My account was hacked yesterday. I learned about it by getting a PM from somebody asking how to pay for an item that I was selling. I've never listed anything for sale on VAF. I immediately made a post on the thread that had the scam listing warning folks that my account was hacked and this was a scam but the guy that hacked my account deleted my posts. I tried to change my password but by then he had already changed it so I was no longer able to post. I sent a message to the mods during this time telling them what happened but didn't hear back. Probably because I was actually no longer logged in.

I ended up sending an email to Doug (forum owner) and he called me this morning to verify I am who I say I am. Doug was super nice and apologized for the hassle but it was my fault. My account has now been restored.

This is what I learned:
Don't use a simple password for ANY accounts!


I've always used very secure passwords for my financial accounts but didn't bother for things like forums. I belong to more than 100 forums and use a six or eight digit password for them. I don't have a criminal mind so I thought a simpler password was sufficient for forums when all we do is share our thoughts. I had no idea somebody would take my identity and try to sell things under my userid.

Like many of you, it's a MAJOR hassle keeping track of hundreds of passwords so I tried to keep it simple for "low risk" accounts like forums, etc. Not any more. I will spend the rest of the day today changing passwords across all my accounts. I've told my wife many times over the years that I hope I live long enough to see the day when passwords are no longer needed. Hey, I can dream...

My apologies to the folks who replied to "my" posts yesterday for items that the hacker tried to sell using my account. I tried hard to stop the sale but was not able to. Learn from my ignorance. Use a complex password even for simple accounts that appear to pose no risk to you.
 
Thanks for sharing. Like you, I didn't see the need for a complex pw here at VAF, but now I can see it was far more hassle to clean up after a hack than to just use a strong pw now.
 
Use a password manager. Online or local (to your device)...your choice. The password files are encrypted. Also, most come with a random password generator (because people aren't good at thinking of random passwords, even though we think we are).

After that, use a different password for EVERYTHING.....every web site, every financial link....everything! And make each password as long and complex (upper case, lower case, symbols, numbers...etc) as the web site will allow.

After that, you only have to remember one password to get into the password manager. It too needs to be reasonably complex, but still something you can remember.
 
Brian, this is very common, sadly. The other posters are right - use a password manager or your password save feature in your web browser or if you use a Mac, keychain.

Identity theft can start small and grow - and the bad guys have time and are patient. Please be sure to use a new password for every site, and make it at least a little bit complex - not just a dictionary word. If one site is compromised, you want to ensure that the bad guys can't get to all your accounts.

The bad guys are trying to hack us to feed their children, so are very motivated. As I've written many times, do not underestimate them, or you will lose your money. I've seen it, and it can be tragic.
 
I switched to the password manager Keeper a few years ago (provided for free by my work) and it has changed my family’s life around passwords.

I was amazed at how simple I was making it for crooks to take advantage of our family.

We now use super complex passwords that I don’t even know what they are but Keeper does. Now we never reuse passwords for multiple accounts.
 
1) don't trust Windows, Internet Explorer, etc. to "remember" your passwords. Gee, why? Well I've never heard about Windows getting hacked, right? [ha ha sarcasm]

2) When I worked in tech, the guys in tech recommended KeePass (keepass.info) to me as a local password manager. So it isn't keeping your passwords on the Internet (hack target), and you can keep your encrypted password file on a USB stick... which means

a) you can pull the usb stick when not in use. Hacking the USB stick that isn't connected to a computer will be a real challenge

b) you can take it with you. Recently I was on vacation. I might need some password. I copied my file to another USB stick and brought that with me.
 
Just to clarify...

I'm a retired IT worker. I understand the importance of strong passwords. I use them on my financial accounts and change them frequently. Never had a problem.

Where I failed was not recognizing that "simple" non-financial accounts like a forum could be used maliciously. I was trying to keep passwords for these types of accounts (I have hundreds of them) simpler.

BTW, some password managers have also been hacked which is why I don't use one.
 
bertschb, just curious if the PM you got was to purchase a Garmin 396, because I saw a reply from bertschb that said "I have PMd you" but never received anything, but had already seen the possible scam under that name in a post before. Anyway, I changed my passwords also. Sorry you were hacked but not surprised in this day. Watch out for two pictures of a G 396 that may be posted for sale by the scammer under my name. Gee, what people will do for $250.
 
bertschb, just curious if the PM you got was to purchase a Garmin 396,

Sorry, I don't recall. I know he posted at least 2 items for sale.

This whole episode started when I got an email from VAF saying my mailbox was nearly full. That alone got my attention quickly because I knew it wasn't close to being full.

When I opened my Inbox, I saw several messages to and from "me" regarding items being sold and folks trying to make arrangements for payments. I panicked and moved as fast as I could to warn these people it was a scam. I made several posts in the classified threads the hacker started letting people know it was a scam. But, by then he had my login credentials and deleted my warning posts.

I then tried contacting the mods but by then I was no longer logged in.
 
When sites are hacked files of usernames and passwords are sold on the dark webs. Other hackers then take those usernames and passwords and then try and access other websites etc. There are plenty of tools available to automate these activities.

I, like many, would use the same password for forum sites but it turns out it is a risk if a single site gets hacked. I noticed vansairforce.net until relatively recently did not use https which means passwords were easier to intercept.

I now use the built in password mgr on Safari to automatically generate unique 16-20 char passwords, or turn on multi-factor authentication (MFA) for financial websites. MFA is where you get a text code sent to you as part of the login process. Safari also flags when you have common passwords or passwords from hacked accounts. I'm sure the other password mgrs do the same.

Unfortunately there are a lot of gangs out there trying to scam you or get access to your financial accounts. So even a password to a forum site can be valuable info.
 
FWIW, A long time ago I learned this method for creating passwords. Create and memorize a unique to you statement. An example is "I am a pilot" but write it as I@maP1lot. Then add an additional 3 letters for each log in. VAF can be "I@maP1lotVAF", Dynon can be "I@maP1lotDYN", Garmin can be "I@maP1lotGAR", etc. Another variation is to do this backwards. VAF can be VAFI@maP1lot, Dynon can be DYN1I@maP1lot, Garmin can be GARI@maP1lot, etc. This way you just need to remember the 3 unique characters and you have strong different passwords for each login.

The stronger you make the unique statement, the stronger your passwords will be. But don't make it so strong you forget how to type it. ;)
 
Probably more important than using complex passwords is not sharing them on other sites, because once one gets hacked and the password list shared, they try those username/password combinations everywhere under the sun. Have a strict policy of one password for each site, and stick to it!
 
FWIW, A long time ago I learned this method for creating passwords. Create and memorize a unique to you statement. An example is "I am a pilot" but write it as I@maP1lot. Then add an additional 3 letters for each log in. VAF can be "I@maP1lotVAF", Dynon can be "I@maP1lotDYN", Garmin can be "I@maP1lotGAR", etc. Another variation is to do this backwards. VAF can be VAFI@maP1lot, Dynon can be DYN1I@maP1lot, Garmin can be GARI@maP1lot, etc. This way you just need to remember the 3 unique characters and you have strong different passwords for each login.

The stronger you make the unique statement, the stronger your passwords will be. But don't make it so strong you forget how to type it. ;)

I've used something similar to this, but it has a vulnerability. If your base password is compromised, then you've also had all of them compromised since the website is what makes the password unique for that site. If you do use this method, use a nonsense phrase or complex set of characters to make your base password.

I'm a fan of 3 disconnected words to build password bases. Use a website like randomwordgenerator.com. For example, I just got soul cell tidy. Nobody will ever be able to guess this and it is easy to remember.
 
So I just changed my password on this site. Interesting that I wasn't even notified by email that I was changing my password. Other sites do this. This would be a good thing for this forum to do. It would not give the scammers much time to make up their fake postings.
 
I've used something similar to this, but it has a vulnerability. If your base password is compromised, then you've also had all of them compromised since the website is what makes the password unique for that site. If you do use this method, use a nonsense phrase or complex set of characters to make your base password.

I'm a fan of 3 disconnected words to build password bases. Use a website like randomwordgenerator.com. For example, I just got soul cell tidy. Nobody will ever be able to guess this and it is easy to remember.

Six of each or 1/2 a dozen. The concept is the same, a unique to you base password with different extensions for each website. The password for one website is not the same for other websites.
 
Six of each or 1/2 a dozen. The concept is the same, a unique to you base password with different extensions for each website. The password for one website is not the same for other websites.

If the extension for the website is obvious, it doesn't add any security. If I know you use iLuvPLanesVAF here, good chance I can make iLuvPLanesACS work on another obvious site. It just means that the base needs to be strong and if it does get compromised, the rest of them are as good as compromised.
 
If the extension for the website is obvious, it doesn't add any security. If I know you use iLuvPLanesVAF here, good chance I can make iLuvPLanesACS work on another obvious site. It just means that the base needs to be strong and if it does get compromised, the rest of them are as good as compromised.

IF is a big word. If my grandmother had handlebars she would be a motorcycle.

There are over 4.5 million different combinations for just those 3 last characters. And that assumes you figured out the unique phrase which has trillions and trillions of possible combinations. Hence my emphasis to your post "the base needs to be strong". Remember, NOTHING is 100% infallible. The only way to be infallible on the INTERNET is to not use it for anything. Weigh the benefits against the risks, then make your decision. ;)
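The exchange above about base-plus-suffix passwords can be put in numbers. This is an added example, not code from the thread or any poster: it measures how many bits a 3-character site suffix adds under two attacker models (base unknown vs. base already leaked from one site) and implements the kind of shared-base check a password manager uses to flag reused passwords. The alphabet sizes and the word-list size are assumptions.

```python
import math
from typing import Optional

# Assumed alphabet sizes for the suffix and a Diceware-sized word list.
LOWER = 26
ALNUM = 62
PRINTABLE = 95
WORDLIST = 7776


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(search_space_size: int) -> float:
    """Bits an attacker must search through: log2 of the keyspace."""
    return math.log2(search_space_size)


def suffix_scheme_bits(base_bits: float, suffix_alphabet: int,
                       suffix_len: int, base_known: bool) -> float:
    """Strength of a base+suffix password.

    If the base has leaked from another site, only the suffix is left
    to guess; otherwise the attacker must find both parts.
    """
    suffix_bits = entropy_bits(search_space(suffix_alphabet, suffix_len))
    return suffix_bits if base_known else base_bits + suffix_bits


def longest_common_substring(a: str, b: str) -> str:
    """Standard dynamic-programming longest common substring."""
    best_end, best_len = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_base(p1: str, p2: str, min_len: int = 8) -> Optional[str]:
    """Return the shared base if two passwords reuse one, else None."""
    common = longest_common_substring(p1, p2)
    return common if len(common) >= min_len else None


if __name__ == "__main__":
    # Generous upper bound: treat the 9-char base as fully random printable text.
    base = entropy_bits(search_space(PRINTABLE, 9))
    for alpha, name in ((LOWER, "letters"), (ALNUM, "alphanumerics"), (PRINTABLE, "printable")):
        print(f"3-char {name} suffix, base unknown: {suffix_scheme_bits(base, alpha, 3, False):.1f} bits")
        print(f"3-char {name} suffix, base leaked:  {suffix_scheme_bits(base, alpha, 3, True):.1f} bits")
    print(f"3 random words from {WORDLIST}: {entropy_bits(search_space(WORDLIST, 3)):.1f} bits")
    print(shared_base("I@maP1lotVAF", "I@maP1lotDYN"))   # I@maP1lot
    print(shared_base("soul cell tidy", "xk2!Qp9zLm4#"))  # None
```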
 
I was just hacked. Exactly the same. Some low-life stole my user name and immediately started to “sell stuff”. I’ve been locked out for about 4 days. Just had Doug reset me.

Bummer.
 
It happened to me right here on VAF and I know better.

We think that with sites like VAF we can get away with simple passwords .. until it happens to you ..

Also, regarding password managers, LastPass was hacked last year and they got a large portion of the hashes ... so password managers aren't necessarily the ultimate solution to put your trust in. For those really critical passwords, you just have to memorize them.

Passwordless authentication is coming and in some cases already here, we've already started implementing it at my company for our customers. Microsoft and Google have started.

Won't be too much longer to where we won't have to keep up with a lot of passwords ... just a matter of everybody getting their trust level where it needs to be with Passwordless authentication.

Edit: "Passwordless" in the most simple terms is multi-factor without a password being one of the factors. For example, Authenticator app would be 1 factor. SMS would be another. Email with code another, etc.
 
Preventing hacking

It happened to me right here on VAF and I know better.

We think that with sites like VAF we can get away with simple passwords .. until it happens to you .. Also, regarding password managers, LastPass was hacked last year and they got a large portion of the hashes ... so password managers aren't necessarily the ultimate solution to put your trust in. For those really critical passwords, you just have to memorize them. Passwordless authentication is coming and in some cases already here, we've already started implementing it at my company for our customers. Microsoft and Google have started. Won't be too much longer to where we won't have to keep up with a lot of passwords ... just a matter of everybody getting their trust level where it needs to be with Passwordless authentication.
Edit: "Passwordless" in the most simple terms is multi-factor without a password being one of the factors. For example, Authenticator app would be 1 factor. SMS would be another. Email with code another, etc.

I just found out about and purchased YubiKey which is a physical piece like a zip drive that you put in your computer and locally authenticate that this is YOU. When I get the time to install it, I will report back as to how it works and how effective it is! Anyone else have experience with this?
 
I just found out about and purchased YubiKey which is a physical piece like a zip drive that you put in your computer and locally authenticate that this is YOU. When I get the time to install it, I will report back as to how it works and how effective it is! Anyone else have experience with this?

You didn't mention what you're going to use it for (a password manager?) but the Yubi key in general is widely accepted as a solid solution.

Of course, like anything with hardware, it's only as good as the software that uses it, so only trust it as far as you would trust giving your ATM pin to the people who wrote the software that you're using it with.

Also, thanks for the throwback mentioning ZIP drives. This is about the only crowd that's going to know what those are anymore :D (edit: maybe you meant USB Thumb Drive?)
 
Also, thanks for the throwback mentioning ZIP drives. This is about the only crowd that's going to know what those are anymore :D

Those were good drives - I remember them well, used a lot of them in a former life.

What happens with the Yubi (or similar) if you lose the dongle/device? How do you verify your authenticity without it?
 
Those were good drives - I remember them well, used a lot of them in a former life.

What happens with the Yubi (or similar) if you lose the dongle/device? How do you verify your authenticity without it?

Well, in the most secure scenario you would be SOL. But depending on the software you use there's probably a complicated verification process to "get back in" just like if you've lost access to an email account that you used for something and have since abandoned or no longer have access to.

The Yubi by itself doesn't do anything, it's just a piece of hardware very similar to the chips in your bank cards that plugs into a USB port. You have to use it in conjunction with software that supports it. For example, a password manager. And at that point you STILL have to trust the people behind the password manager have done the right things.
 
Those were good drives - I remember them well, used a lot of them in a former life.

What happens with the Yubi (or similar) if you lose the dongle/device? How do you verify your authenticity without it?

Those WERE good drives! I still have some I use!

Buy two and have the second one as a backup.....;)
 
Also, thanks for the throwback mentioning ZIP drives. This is about the only crowd that's going to know what those are anymore :D (edit: maybe you meant USB Thumb Drive?)

I think he did mean thumb drive....

But I do remember Zip Drives! Loved them!
 
The Yubi by itself doesn't do anything, it's just a piece of hardware very similar to the chips in your bank cards that plugs into a USB port. You have to use it in conjunction with software that supports it. For example, a password manager. And at that point you STILL have to trust the people behind the password manager have done the right things.

So physical loss of either the dongle, or the laptop containing the software, pretty much puts you dead in the water. Nope, not for me. I don't need to be THAT tin-foil hat kind of secure.
 
For reference:

Pretty sure this would require a site that will allow unlimited authentication attempts as well as a blazing fast connection between the client and the server. Neither of which is likely to be true these days.
 
Pretty sure this would require a site that will allow unlimited authentication attempts as well as a blazing fast connection between the client and the server. Neither of which is likely to be true these days.

What happens is that often due to bugs and unpatched vulnerabilities a bad actor is able to get a list of usernames and encrypted passwords, and then they just do an offline decrypt. They don't simulate multiple logins.

There have been 1000s of cases where a huge database of usernames and encrypted passwords has become available to hackers, and they can decrypt some of them. They then try these same usernames (email addresses, usually) on all the big websites. When you have millions of accounts, even a very small success rate will give you lots of accounts you can use to further expand your criminal activity.

If you use a weak password on your websites, it's very possible that you have not been hacked just because the bad guys have so many other targets. Kind of like leaving your house unlocked - mostly you'll be fine, since there are many more unlocked houses than bad guys - but if you get unlucky, the bad guys will get your stuff.
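The "try the same usernames everywhere" pattern described above is credential stuffing, and a site operator can spot it in its own login logs: one source touching many different accounts, each only once or twice, with mostly failures and a rare success. This is an added example, not code from the thread; the log format and the log lines are constructed for it, and the thresholds are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed login events in the form "timestamp ip username result".
# 198.51.100.7 walks a leaked username list; 203.0.113.5 is one user
# mistyping their own password; 192.0.2.9 is a normal login.
LOG_LINES = """\
2024-03-01T10:00:01 198.51.100.7 alice FAIL
2024-03-01T10:00:02 198.51.100.7 bob FAIL
2024-03-01T10:00:02 198.51.100.7 carol FAIL
2024-03-01T10:00:03 198.51.100.7 dave OK
2024-03-01T10:00:03 198.51.100.7 erin FAIL
2024-03-01T10:00:04 198.51.100.7 frank FAIL
2024-03-01T10:00:05 198.51.100.7 grace FAIL
2024-03-01T10:00:05 198.51.100.7 heidi FAIL
2024-03-01T10:01:10 203.0.113.5 alice FAIL
2024-03-01T10:01:15 203.0.113.5 alice FAIL
2024-03-01T10:01:20 203.0.113.5 alice OK
2024-03-01T10:02:00 192.0.2.9 bob OK
"""


def parse(lines: str) -> Dict[str, List[Tuple[str, str, bool]]]:
    """Group events by source IP as (timestamp, username, succeeded)."""
    events = defaultdict(list)
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events[ip].append((ts, user, result == "OK"))
    return events


def stuffing_suspects(lines: str, min_users: int = 5,
                      max_success_rate: float = 0.2,
                      max_attempts_per_user: float = 2.0) -> List[dict]:
    """Flag sources that spray many distinct accounts with mostly failures.

    Single-account brute force (many tries, one user) is a different
    signal and is deliberately not flagged here.
    """
    suspects = []
    for ip, evs in parse(lines).items():
        users = {u for _, u, _ in evs}
        successes = sum(1 for _, _, ok in evs if ok)
        success_rate = successes / len(evs)
        attempts_per_user = len(evs) / len(users)
        if (len(users) >= min_users and success_rate <= max_success_rate
                and attempts_per_user <= max_attempts_per_user):
            suspects.append({
                "ip": ip,
                "accounts_tried": len(users),
                "successes": successes,
                # Accounts that accepted the stuffed password need a reset.
                "compromised": sorted(u for _, u, ok in evs if ok),
            })
    return suspects


if __name__ == "__main__":
    for s in stuffing_suspects(LOG_LINES):
        print(s)
```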
 
If you use a weak password on your websites, it's very possible that you have not been hacked just because the bad guys have so many other targets. Kind of like leaving your house unlocked - mostly you'll be fine, since there are many more unlocked houses than bad guys - but if you get unlucky, the bad guys will get your stuff.

Exactly why I don't use weak passwords (make them at least 20 char long if the site allows it, include numbers, special characters, upper and lower case), don't reuse passwords on multiple accounts, do use 2 factor when available and do use a well known and trusted password manager. I really have no idea what my passwords are for 99% of my accounts. That's the PW manager's job.

The only time this really stinks is when you have to enter a long complex PW into something like a Roku or Smart TV.
 
That was the point of the table. If you don't use a PW manager, then think "passPHRASE", not "passWORD". The key is more characters. "ILoveMyRV7!!!" is 13 characters and safe based on the 15K years it will take to incrementally generate a hash, and it's pretty easy to remember.
 
That was the point of the table. If you don't use a PW manager, then think "passPHRASE", not "passWORD". The key is more characters. "ILoveMyRV7!!!" is 13 characters and safe based on the 15K years it will take to incrementally generate a hash, and it's pretty easy to remember.

Now that you have published it, this has become a very bad password.

In fact, now that I have written it, you should not use "aRJT9nnMsxeZcLB3gZyHLYKA" as your password. Sorry about that for those of you that were using this one! :D
 