Domestic/Divorce "Hacking" - Specific things you check . . .

This is a good discussion. I live for these cases and have been able to successfully regain control of social media and webmail accounts. With regard to portmanteau passwords, telling a client to use a phrase they can easily remember seems to work thus far. How do you feel about RoboForm? Dashlane?
 
armed with just a handful of background information, basic social engineering skills and a bit of low cunning.

Which, other than the first one, is not something that a lot of people are armed with. In domestic situations, it's generally not even necessary to "hack" when you're in the same house, have access to the same computer, and everyone's been using password memory in browsers. Most spouses who are suspicious can get more than "low cunning," that's for sure, but it's not that difficult to put up substantial roadblocks with ease.

After someone's password is changed AND 2FA is added where not present, that's pretty much all that can be done. I don't know what else one would suggest other than abandoning all accounts, and no sane person is going to do that.

I still cannot fathom what you would have me do, or suggest to a client to do. And since a huge number of people, when faced with this situation, finally stop using one through four "set passwords" for everything, just the password changes, done correctly, become a really confounding factor. And if someone were to do a password recovery, I haven't seen that without a notification going with it in years. If push were to come to shove, then I'd suggest changing it twice, maybe three times, using some "dummies" for times one and two, settling on the final one for the third, as very often password recovery also requires giving one or two of the most recently used passwords (Google does it this way, for one).
 
How do you feel about RoboForm? Dashlane?

I've already mentioned the use of a password manager, and if someone prefers to have really randomized and not-humanly-memorable passwords generated by same, then I have no problem with that at all.

My experience is that very few people do want passwords they cannot recall with any ease. I know I absolutely don't. It's really a matter of personal preference.

But if someone were to portmanteau something akin to Tech9752Nibble*Sally as their password for Technibble where the fixed elements are things that it is very unlikely for anyone other than the person doing the creating to know, I'm way more than comfortable that this is a password that's every bit as secure as anything generated by a password manager. Length, and lack of ability for some random person on the street or even a close loved one to construct, is far more pivotal to password security than anything else. I just don't see any utility in passwords like *54$#99@++Gi because one pretty much has to depend on a password manager, constantly, in order to use them. There are times when you are away from your own machine, sometimes even your own phone (if your password manager is on both), where you need to hop on to someone else's machine and log in to something. For myself, and my clients, I want that to be possible without the need for the password manager when they are "in a pinch." The password manager is a backup for their memory, but their memory of "their formula" lets them guess their own password, when necessary, usually within a couple of tries.
 
There are times when you are away from your own machine, sometimes even your own phone (if your password manager is on both), where you need to hop on to someone else's machine and log in to something

Agreed, but I would not sign in on someone else's machine anyway. I tend to agree with your concept in general, but I like using one with such complexity at my age. My contemporaries have these cumbersome notebooks with all their passwords on them they carry from place to place and it's cringeworthy.
 
My contemporaries have these cumbersome notebooks with all their passwords on them they carry from place to place and it's cringeworthy.

Presuming you mean literal notebooks, I used to cringe about that a lot more than I do these days. The old adage that physical security is the first and most important kind applies here. When is the last time you lost your wallet, as an example? Those notebooks can be very secure indeed if all they contain is passwords, even if they do get lost. I have a number of senior clients (for the most part) who keep just these kinds of logs, but they virtually never put the login id in them, just the password, and that's even if they have a couple to more than a couple of login ids they use. Finding a password notebook that's lost with a listing of services, not even the URLs for same, and passwords sans any login id information is not catastrophic. And it can't be hacked via any electronic means. But if you keep physical control of it, and don't allow shoulder surfing, it's pretty darned secure.

But, the reason I favor password managers is I want that information to be available to me, when I want it, on both the computer and my smartphone.

I cannot count the number of times, over the decades, when I've logged in to email on machines at friends' homes and even in internet cafes when such existed. I wouldn't hesitate to even log in to my credit card accounts that way, though I haven't in recent years, and for those accounts with 2FA on them I wouldn't worry much at all.

Much of what gets called hacking isn't hacking, it's just another crime of convenience. Having a password like 1234 on anything, and where a login would be easy to guess or already known (e.g., email, anyone who thinks their email address is private, particularly in their extended circle, is delusional) is just asking for someone, at some time, to log in to it that isn't you.

Historically, and currently, the problem is that people don't even take minimal precautions with passwords because they value ease of remembering them over all else. Heck, I'd be thrilled if most people reused a single password everywhere, provided it were something like Canola&Pepper837, that they never told a single soul that password, and that they change it (everywhere) if they're part of a breach.

The issue is really that far too many use truly worst practices that make it just so darned easy for anyone who knows them even slightly well (and even those who don't) to break in with almost zero effort.

If you throw in 2FA, it makes the password less important, but not unimportant.
 
I try to stay out of divorce wars. And that's what can happen if one allows the customer to reel you in. I've had several calls, interestingly enough all Apple owners (LOL), for what I would call "security" work. Things like neighbor spying on network, ex-husband accessing iMac, North Korean intelligence hacking her iPhone (yes that was what it was about), son hacking wireless network because there's cert and other errors in the logs, etc, etc.

Some have been people who overreacted to something they didn't understand. Others I'm firmly convinced that they were clinically paranoid, like the latter two above.

In situations like the OP I tell them they need to change "everything". PIN codes, passwords, security questions and answers. And I try to get as little involved as possible in the process itself. Like call the bank and CC's for assistance in resetting things.

For relatively secure passwords that are easier to remember I tell people to think about a particular song, poem, speech, etc that they really like and pull 2-3 words from it to form a base password. But it must be something that you haven't discussed with anyone about how important that song, poem, speech, etc is. Then you can Portmanteau it, maybe a little L33T as well to customize it for the specific site. Of course never reuse it elsewhere. I've even gone so far as tell them to create new email address(es) for things like billing, subscriptions, etc rather than keep using their personal one.
 
Well, the client didn't turn out to be either clinically paranoid or otherwise unreasonable.

In fact, as the session progressed and he watched what I was doing, including adding 2FA to his Yahoo account, he came out and spontaneously said, "I really think, now, that she probably had my old password." [Mind you, this is pretty much what I said to him at the outset, though my angle was that it was very likely in browser password management and it didn't matter if she "had it" or not, all she needed to do was hop on the computer, fire up the browser, and go. The fact that I could, and did, do exactly this and he was logged in to his email when the browser came up . . .].

The surprising thing was how much he had already done that needed to be done. He actually ditched the modem-router from his ISP that he had been using, purchased a new third-party device, and set up his network again himself (old SSID, but new password). He had set a Windows 10 account password, and it was very long. His new Yahoo password, which he'd also done (two times, he said) was probably 18 characters long. He put a PIN on his tablet himself, too.

I did all sorts of scans and everything came up clean. Also triggered the latest Win10 Feature update since he was still on 20H2.

He's now got a password manager and is in the process of deleting all browser-stored passwords. He's got a revised version of the Portmanteau Method in writing, and I emphasized to him that elements need to be chosen based on things he knows that no one else knows, and most of us can think of a number of those in relation to ourselves.

But there was nothing that indicated that this was a "sloppy user" who never paid attention to anything until "the divorce situation" arose. He did what a very great many users do, and trusted that he didn't need to armor himself against his own spouse. When things get ugly, that changes.

I think he really just wanted someone to check that nothing obvious was wrong and to advise him on how to most quickly and easily armor himself up. That mission is accomplished. There was virtually no "divorce grousing" during the session, either. I heard more about it in one voicemail he left than I did in the just under 2 hours I was with him live.

But I now have a checklist of the things I will always check in the future should this sort of request be made again. And I appreciate the input of one and all, as there were several additions to that checklist that came from that input.
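
The cleanup step described in this thread, deleting all browser-stored passwords, can be verified afterwards. The following is an added example (not code from any poster in the thread) that lists which sites still have a saved login in a Chromium-style `Login Data` SQLite file or a Firefox `logins.json`, without ever reading the password fields. The table and field names are assumptions about those stores' layout, the sample data is constructed, and the browser should be closed first because it locks the database.

```python
import json
import sqlite3
import tempfile
from pathlib import Path


def chromium_saved_logins(login_db: Path) -> list:
    """Sites that still have a saved login in a Chromium 'Login Data' file.

    Assumed layout: table `logins` with `origin_url` and `blacklisted_by_user`.
    Only the origin URL is read; the encrypted password column is never touched.
    """
    # mode=ro keeps the audit from modifying the profile it inspects.
    uri = login_db.resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute(
            "SELECT DISTINCT origin_url FROM logins "
            "WHERE blacklisted_by_user = 0"  # skip 'never save for this site' rows
        ).fetchall()
    finally:
        con.close()
    return sorted(r[0] for r in rows)


def firefox_saved_logins(logins_json: Path) -> list:
    """Sites with a saved login in a Firefox profile's logins.json (assumed layout)."""
    data = json.loads(logins_json.read_text(encoding="utf-8"))
    return sorted({entry["hostname"] for entry in data.get("logins", [])})


def demo() -> dict:
    """Build constructed sample stores in a temp directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        db = Path(tmp) / "Login Data"
        con = sqlite3.connect(db)
        con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT,"
                    " password_value BLOB, blacklisted_by_user INTEGER)")
        con.executemany("INSERT INTO logins VALUES (?, ?, ?, ?)", [
            ("https://mail.example.com/", "user", b"\x00", 0),  # real saved login
            ("https://bank.example.com/", "", b"", 1),          # 'never save' marker
        ])
        con.commit()
        con.close()
        ff = Path(tmp) / "logins.json"
        ff.write_text(json.dumps({"logins": [{"hostname": "https://forum.example.org"}]}))
        return {"chromium": chromium_saved_logins(db),
                "firefox": firefox_saved_logins(ff)}


if __name__ == "__main__":
    print(demo())  # an empty list per browser means nothing is stored any more
```

An empty result for every profile on the machine is the state the checklist is aiming for; any site still listed needs its saved entry removed in the browser's own password settings.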
 
Very nice, it's good to know that everything turned out well. I've been approached on this by a couple past clients in the past. They did want some shady stuff done because they suspected the spouse of cheating. I politely declined.
 
They did want some shady stuff done because they suspected the spouse of cheating. I politely declined.

Had I gotten this vibe, in even the slightest way, I would have done the same.

I can't exactly say why, but from the first contact it seemed clear to me that this guy wanted nothing more than to protect himself. And that's the way things turned out in reality.

Even the request, that I declined, with regard to forensic evidence was about proving "something shady" had happened, not instigating it.
 
And that will be the client's job. He'll be explicitly told to do that, but it's definitely not my job to actually do it.

I appreciate all of the input, even warning me away, but I've already committed, so this may turn out to be a "once burned, twice shy" thing afterward, but I'm not backing out of an appointment I've already made.

Which is what I meant, though I suppose I see how it could be read that I recommended for you specifically to do it.
 