MS Warning

Thanks, I’ll try it, and the dumping of the email address and adopting another. Will that do the trick?

It might - but without a thorough knowledge of your situation it’s impossible to say. I hope you can find a local expert - the very best of luck to you!
Brian

Thanks. :smiley:

David, I’ve been using protonmail (Proton Mail: Get a private, secure, and encrypted email account | Proton) for a while now. It’s based in Switzerland and claims to be very secure. I like it so much I have a paid account, but the free one is great and might be what you’re looking for. The only difficulty might be two-factor authentication.

FYI I did a small risk assessment on what David reported (with assumptions). On your point about impersonation / knowledge compromise I realised in my analysis it is perfectly possible the attacker will now know David posts on SF and therefore will have access to all the personal info posted - including this thread.

Therefore I’ve sent him my analysis by PM. It’ll be up to him whether he wants to share it sometime, hopefully for the benefit of others, or hopefully just report back ‘alls well’.

Or possibly I can just do a general advice in a thread one day.


Excellent, @larkswood12 .

I’m being a little persistent as something very similar happened to my father-in-law about a year ago, culminating in the scammers getting access to various accounts. We were on the case pretty quickly, the police got involved and he eventually got the money back. But it’s very much better to prevent the problem in the first place.

Always useful, even for those of us who are reasonably cautious!

Before I read your message @larkswood12 I should say that I have been in touch with my techie mate who is going to come up here tomorrow to see what can be done. In the meantime he has said that I must change my email password. So I have done that and at the same time changed my email address because anything that comes to the old address will be diverted to the new one.

@_Brian was your Father-in-Law’s money in an account on the computer and was that how they managed to steal it? I’ll check my accounts just to be sure but I think with no record of them on the computer it should be OK.

I’ll go and check your message now @larkswood12

No… They used data they had captured from and about him to access the accounts directly.

OK then, even more reason for me to check this evening. :worried:

I saw this on Twitter earlier…



Good news is no interference in bank accounts. Changed email with one, but had problems doing so with the other, and neither makes it easy to change passwords.

Well of course, otherwise I would have already changed it for you!

What I mean is neither offer the clear path to legitimately change the passwords. Nowhere could I see the path to do so despite the common urging to regularly do such a thing. So I have left messages, no replies so far. Could it be that there is no need once a person has avoided the same or similar ones in differing situations?

Still waiting for Eddie to come, but in the meantime, I have been able to get Netflix back, by re-signing in with my gmail address after I managed to change it in the marathon chat yesterday.
So with the click of a button I have re-started my membership. Not sure if it was the hacker or a Netflix foul up that caused the problem. Perhaps a bit of both.

With a new Orange email address and a new Orange password, I will see what Eddie has to say about the, still only 3, dossiers which have been affected by the hacker.

I might suggest to him that I disconnect the 2 external hard drives whenever I don’t need access to them. Problem is that I do use them often, I can come here or on the other forum without them, and do email stuff, but if I want to check or refer to anything, they would have to go back in. I might wear out the connections over time. :worried:

The (UK) National Cyber Security Centre argue that setting a strong password (i.e. one unlikely to be ‘cracked’) which is not changed regularly can be better than setting a weak password which is changed regularly. So as long as the password is a good strong one (letters including capitals, numbers, and digits) then it should be OK not to regularly change it - only change when necessary, such as after a suspected security incident.

In any case just about all banks do not rely on a single password alone to carry out a new transaction such as setting up an account. Additional authentication credentials are usually requested, e.g. a memorable word.

Edit - NCSC also suggest using three words as a password e.g. carrot camel wood, it’s length then making it fairly unbreakable.

NCSC also advocate use of a password manager - a program which will set the passwords for you for each site - you then use only one (strong) password to access the password manager. Perhaps your computer friend can advise?

Or, you can also have your browser store the password - that is probably OK for most browsers nowadays.

Good! From the sound of it, I don’t think the MS account compromise has anything to do with your attacker. Netflix have recently stopped password sharing between devices so maybe it was something to do with that?

Good! Then your email account was not compromised - hopefully your friend can cast light on the ‘3 dossier’ phenomenon.

Remember your attacker still knows your original ‘old’ email address, so if you use the original address as an ID to sign in to some service, then the attacker still has one out of two pieces of info. (Hopefully they won’t be able to guess the other piece i.e. password).

I don’t see the need as your machine is not compromised. Though of course they are not much use as a backup if they’re next to the machine itself - both likely to burn in the fire! (or be nicked). Are your external drives encrypted / passworded?

Sounds like you have only had the MS account compromised so all seems OK.

Stay aware and prosper!


As for choosing a password, @larkswood12 confirms what I’ve read: bigger is better, because the threat is less from people guessing it than from machines cycling through the possible characters and cracking it.

I know people who use Bible verses, but a better solution is - for example - the first 3 or 4 words from your favourite book, poem, song — or the first word in each of the first 3 or 4 pages/chapters/verses. As long as you get 26-20 characters, I believe that would be enough.

Ahh… password entropy :nerd_face:

Obligatory xkcd cartoon:

Here’s an interesting read if you’re into this kind of stuff… zxcvbn: realistic password strength estimation - Dropbox

Edited to add: And here’s an online checker using the tool mentioned above (although I’m not keen on putting my actual password into a website to check it, so perhaps switch it for something equal but different)… Password Tester | Test Your Password Strength | Bitwarden


@Porridge @Gareth

Good stuff. Let’s not forget dictionary attacks!

Question - What’s the problem with this password?

Pa$$w0rd

It obeys all the rules - capital, number, letter, special character. :slight_smile:

But we wouldn’t use it.

From SANS -

Given enough hardware and enough time, any password can be cracked by brute force. But there are simpler and very successful ways to learn passwords without such expense. Password crackers employ what are known as dictionary-style attacks. Since encryption methods are known, cracking utilities simply compare the encrypted form of a password against the encrypted forms of dictionary words (in many languages), proper names, and permutations of both. Therefore a password whose root in any way resembles a known word is highly susceptible to a dictionary attack.

A good password therefore cannot have a word or proper name as its root. A strong password policy should direct users to generate passwords from something more random, like a phrase or the title of a book or song. By concatenating a longer string (taking the first letter of each word, or substituting a special character for a word, removing all the vowels, etc.), users can generate sufficiently long strings which combine alphanumeric and special characters in a way which dictionary attacks will have great difficulty cracking. And if the string is easy to remember, then the password should be as well.

Also, let’s not forget Have I Been Pwned!

People - you can check your email (if you trust the site of course).

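An added example to go with the two posts above (the zxcvbn / password-entropy post and the SANS dictionary-attack post). This is not code from any poster, nor from SANS, NCSC, Dropbox or Bitwarden; it is a small Python script that shows why Pa$$w0rd falls to a dictionary attack with mangling rules even though it satisfies every composition rule, and how that compares with the search space of randomly chosen words. The word list, leet table and suffix list are constructed for illustration (real cracking tools ship millions of words and hundreds of rules), and plain SHA-256 stands in for the stored password hash; real systems use a salted slow hash such as bcrypt, scrypt or Argon2.

```python
import hashlib
import itertools
import math

# Constructed stand-ins for a real cracking dictionary and rule set.
# Real tools (hashcat, John the Ripper) use lists of millions of words
# and hundreds of mangling rules; the principle is the same.
WORDS = ["password", "letmein", "welcome", "dragon", "monkey", "carrot", "camel", "wood"]
LEET = {"a": ["a", "@", "4"], "e": ["e", "3"], "i": ["i", "1", "!"],
        "o": ["o", "0"], "s": ["s", "$", "5"], "t": ["t", "7"]}
SUFFIXES = ["", "1", "123", "!", "2023"]


def sha256_hex(s: str) -> str:
    """Plain SHA-256 stands in for the stored password hash in this demo.
    Real systems use a salted, slow hash (bcrypt, scrypt, Argon2); that
    raises the cost of each guess but does not rescue a password that is
    found within the first few hundred candidates."""
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def mangle(word: str):
    """Yield candidates derived from one dictionary word: case variants,
    leet-style substitutions, and common suffixes (deterministic order)."""
    bases = []
    for base in (word, word.capitalize(), word.upper()):
        if base not in bases:
            bases.append(base)
    for base in bases:
        # Each lower-case position may be the original letter or a leet
        # substitute; upper-case letters are left alone.
        options = [LEET.get(ch, [ch]) if ch.islower() else [ch] for ch in base]
        for combo in itertools.product(*options):
            stem = "".join(combo)
            for suffix in SUFFIXES:
                yield stem + suffix


def crack(target_hash: str, words=WORDS):
    """Dictionary attack: hash every mangled candidate and compare it with
    the stored hash. Returns (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in words:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def bits_random_chars(length: int, alphabet_size: int) -> float:
    """Entropy (bits) of `length` characters chosen uniformly at random
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def bits_random_words(count: int, wordlist_size: int) -> float:
    """Entropy (bits) of `count` words chosen uniformly at random from a
    list of `wordlist_size` words; the attacker is assumed to know the list."""
    return count * math.log2(wordlist_size)


if __name__ == "__main__":
    found, guesses = crack(sha256_hex("Pa$$w0rd"))
    print(f"Pa$$w0rd recovered as {found!r} after {guesses} guesses "
          f"(about {math.log2(guesses):.1f} bits of effective strength)")

    found, guesses = crack(sha256_hex("carrot camel wood"))
    print(f"three-word passphrase: {found!r} after {guesses} single-word guesses")

    print(f"8 random printable ASCII characters: {bits_random_chars(8, 95):.1f} bits")
    print(f"3 random words from a 7776-word list: {bits_random_words(3, 7776):.1f} bits")
    print(f"4 random words from a 7776-word list: {bits_random_words(4, 7776):.1f} bits")
```

Pa$$w0rd is recovered after a few hundred guesses, roughly 8 bits of effective strength, because its root is still the dictionary word "password"; the composition rules changed nothing an attacker's rule set does not already try. The three-word passphrase is not produced by single-word mangling, but a combinator attack that joins list words would reach it, which is why what actually matters is the number of words and the size of the list they are drawn from (the attacker is assumed to know the scheme): four words drawn at random from a 7776-word list come out close to eight fully random printable characters. The words should be chosen at random rather than taken from a quotation, since quotations can be enumerated just like dictionary words.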

There’s an example we use in France

HqcUaf1bv

Work out where it comes from, it’s not hard. :slightly_smiling_face: