
Sorry if this isn't the right place for this..

I recently joined an online gambling website and clicked on live assist. To verify my identity they asked for my username and password. I did not give it to them. I am not really worried about it being a phishing attempt, but my main concern is that he can see my password in plain text. Is this normal procedure/okay/safe? I use a variation of the same password for every website that would be pretty easy to figure out if one tried, because I thought no human would ever see them and everything is supposed to be stored encrypted.

I did some research before joining and the website has a good reputation but this just gets my (admittedly ignorant) spidey-sense flashing. This website now has a grand of my $ and is linked to my bank account and has me a bit worried.

Thanks for any wisdom you can share.

Randy
  • Your username and password for what? – Vilius Povilaika Sep 12 '19 at 18:47
  • Better switch to a password manager. Then you can copy and paste your password, which means your passwords can be arbitrarily long and unique. Don't assume that your password is always properly protected. Many services out there still use md5 or worse to hash passwords. Password reuse is dangerous and commonly exploited. This at least mitigates the threat you describe – BlueWizard Sep 12 '19 at 20:11

1 Answer


You have two big issues here. Let's get the easy one out of the way:

No, they should not ask for your username and password

Since you said you contacted them through their on-website live support, one of two things was happening:

  1. Their website got hacked and you narrowly avoided giving your login credentials (and therefore money) to a hacker
  2. They have poorly developed support infrastructure and poorly trained support employees. If you had given away your credentials, something bad may have happened, although you might have been perfectly fine.

Personally I'd probably go with #2 - if a hacker had taken over their website they would have had much more effective ways of collecting your credentials than waiting for you to open the chat and ask for your username/password.

Unfortunately many businesses don't understand the dangers of asking their users for their credentials. There are two main risks in doing this:

  1. Employees are a major source of trouble themselves, and so there is no guarantee that an employee won't steal from a customer if they are given username/password while doing their job, and see an account full of money on the other end.
  2. Regardless, it trains their customers that giving away username/password is okay, making them more vulnerable to future phishing attempts.

So: This is not safe. This is not reasonable. It is however somewhat normal (although it shouldn't be). I would at least complain to their support and try to explain why this is such a bad idea, although don't expect them to take you seriously. I would probably try to find a new place to take my money. On to issue #2:

Using an easy-to-guess rule for password generation is not a great idea

You said:

I use a variation of the same password for every website that would be pretty easy to figure out if one tried, because I thought no human would ever see them and everything is supposed to be stored encrypted.

This is a very bad assumption. Unfortunately passwords get leaked from websites all the time, and oftentimes in forms that allow hackers to figure out what the password is (presuming it isn't just in plain text, which still happens). As a result you should assume that your password will be seen by people, and therefore pick a password that is completely unique to each account. The best way to do that is with password managers. Obviously many people don't want to put forth the effort to use one, but at the very least if you have an important account (which this would be if it is protecting >$1,000 of your money), it should really have its own strong, unique password.

Conor Mancone
  • Thank you so much for the reply. I thought about a manager, but was wary of putting so much control into one place. Can't the manager just get hacked and then they have access to everything? – Randy Sep 12 '19 at 19:23
  • @Randy that is a very different and much more complicated question. You can start here: https://security.stackexchange.com/questions/279/are-online-password-managers-secure In general, I don't have a problem suggesting them as an overall solution. Most of them work by encrypting the password file with your password (which they do not store at all), which means that, if done right, even the people who run the password manager can't access your passwords. – Conor Mancone Sep 12 '19 at 19:28
  • @Randy: you do not need to use an _online_ password manager. There are password managers that store (encrypted) the list of passwords on your computer _and only there_. Someone compromising your computer and stealing your encrypted database as well as its password is much harder than either (a) compromising your computer and getting _any_ of your passwords or (b) compromising _any_ of the sites where you use that and getting the password you used there. In any case, for the most security against online compromises, you could use a physical notebook to store your passwords. – Ángel Sep 12 '19 at 20:05
  • For example: `KeePass` (100 % offline, has audits). Or alternatively: `pass` (CLI software, 100 % offline, based on GPG) – BlueWizard Sep 12 '19 at 20:14
  • The whole discussion stinks a bit. Yes, the admin panel can get hacked and the intruder will be allowed to use peer-to-peer functions to connect with users, but it can just be an example of an unusual ("bad") verifying practice. – tungsten Sep 12 '19 at 21:08
  • @tungsten the fact that this might have just been a bad business practice was the main focus of my discussion, I would say. I suggested a hacker but also said that wasn't the most likely explanation (a hacker would have better ways of getting a password than taking over a chat portal). If you feel like I didn't express that clearly then let me know and I'll see what I can do! – Conor Mancone Sep 12 '19 at 21:13
  • @Conor Mancone I meant the confusion whether the OP meant by "manager" a person or a password manager. – tungsten Sep 12 '19 at 21:18
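The answer says a website should store passwords so that no human, support agent included, can read them, and the comments warn that many sites still use unsalted md5, which lets a leak reveal the original password and any reuse of it. The following is an added, constructed example (not code from the question, the answer, or any real site) showing the storage scheme the answer implies: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from Python's standard library), so the stored record contains nothing a support agent could read and identical passwords on two accounts do not produce identical records. The iteration count and record format are assumptions for illustration; a production service would use a vetted library such as argon2 or bcrypt with current cost settings.

```python
import hashlib
import hmac
import secrets
from typing import List, Optional

# Assumed cost setting for this illustration; tune for your hardware.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt_hex>$<digest_hex>'.

    The plaintext password never appears in the record, so a database leak or a
    curious employee only sees the salt and a slow-to-reverse digest.
    """
    if salt is None:
        salt = secrets.token_bytes(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time.

    This is how a login (or a support identity check) should work: the service
    checks a candidate password against the record without ever storing or
    displaying the password itself.
    """
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def unsalted_md5(password: str) -> str:
    """The weak scheme the comments warn about: fast hash, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def reuse_visible(records: List[str]) -> bool:
    """True if any two stored records are identical.

    With unsalted md5, two users (or one user on two sites) sharing a password
    produce the same digest, so a leaked table reveals the reuse at a glance.
    With per-user salts every record differs even for the same password.
    """
    return len(set(records)) != len(records)


if __name__ == "__main__":
    # Constructed sample accounts; the shared password is deliberate to show the contrast.
    weak_table = [unsalted_md5("correct horse"), unsalted_md5("correct horse")]
    strong_table = [hash_password("correct horse"), hash_password("correct horse")]
    print("unsalted md5 reveals reuse:", reuse_visible(weak_table))      # True
    print("salted PBKDF2 reveals reuse:", reuse_visible(strong_table))   # False
    print("login check:", verify_password("correct horse", strong_table[0]))  # True
```

Run it as a script to see the contrast; `verify_password` is the only operation a login or support workflow needs, and it never requires anyone to see the password in plain text.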