Cable Forum

Password managers. (https://www.cableforum.uk/board/showthread.php?t=33705223)

Damien 07-08-2017 09:54

Re: Password managers.
 
Quote:

Originally Posted by Qtx (Post 35910933)
There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.

I think this is the critical point. Nothing is 100% secure, but you shouldn't let perfect be the enemy of good. Most people are not the target of sophisticated attacks, and you're orders of magnitude more likely to have accounts compromised by using a shared password across sites than by having someone hack a password manager and then bother trying to break the encryption on your stored password set. Most password managers encrypt your data with your master password.

Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.

tweetiepooh 07-08-2017 12:03

Re: Password managers.
 
I use LastPass and pay for Premium. I can use the same tool on Windows, Linux and Android. I install, log in and all my passwords are available. Nice and easy. I can also "share" logins but keep the password secure - so I have set up Dropbox for each of the kids, then shared the password securely with them and set up the client on their PCs.

LastPass can autochange the password on some sites, making that task a little easier; you can generate an OTP pad so you can get into your account should you forget your password. For some devices it can store a key on the device so you can use that device to access your account if you forget the password. It supports some 2FA mechanisms. You can also store secure notes. Another good feature is that you can force master password entry for some records.

I don't know what my password is for many sites now; it's a random string of letters, numbers and symbols, as long as the site will allow.

I do NOT keep my bank login in there though. And that also has a card reader and response mechanism to do things once logged in anyway.

Qtx 09-08-2017 16:03

Re: Password managers.
 
Quote:

Originally Posted by Damien (Post 35911180)
Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.

First, if you do keep passwords in notepad, please don't call the file passwords.txt. Lots of malware automatically looks for such filenames.


2 factor was completely bypassed with LastPass due to a bug/implementation error. There are lots of cases of 2FA being bypassed, even with Google services. Then there is the difference between an auth app and an SMS message, as the mobile phone system allows anyone to use the SS7 protocol to intercept the SMS 2 factor messages of any number. I say anyone, but you need a connection to the phone system or a VoIP account somewhere that allows it or has a badly configured system, of which there are a few out there.


As for LastPass, the 2 factor auth issue was fixed in February:


Quote:

LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.
According to Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.
While this sounds like a non-issue, it is not. The main reason 2FA was invented to begin with was to act as a second layer of protection for exactly these cases, where the attacker has managed to guess or get hold of the user's password.
This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.
LastPass used the user's password to derive QR code URLs

According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under a URL that was derived from the user's password.
This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass passwords trove.
In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:
- Attacker lures user to any website vulnerable to an XSS (cross-site scripting) bug
- Because the attacker can derive the QR code URL from the user's existing password, he uses the XSS attack to load and save the QR code image
- Attacker scans QR code with Google Authenticator, which LastPass uses for 2FA operations
- Attacker gets the 2FA code and accesses the user's account

madukes1 pimp frame02250 alezam5 stanleyboo23 <- when a person is forced to use a number in their password. Now a capital letter is often forced... just capitalise the first letter and re-use. This often repeated bad habit is what password managers stop when they create passwords for you, rather than you storing your own thought-up passwords.
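The bypass in the quoted article comes down to one design property: the location of the 2FA seed was a function of something the attacker already held (the master password), and the image was served without a session that had itself passed 2FA. The following is an added example, not LastPass code and not Vigo's proof of concept, that models that property in a toy server and shows why a random, session-gated, single-use QR path closes it. The `/qr/<sha256>.png` derivation, the sample user "alice" and the fixed timestamp are constructed for the demo; only the `totp` routine follows a real specification (RFC 6238, HMAC-SHA1, 30-second step, as used by Google Authenticator).

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict, Optional


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with a 30 s step: what Google Authenticator computes."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class FlawedVault:
    """Toy server with the design the article describes: the enrolment QR image
    (which carries the TOTP seed) lives at a path computed from the password alone."""

    def __init__(self) -> None:
        self.users: Dict[str, tuple] = {}       # username -> (password, seed)
        self.qr_images: Dict[str, bytes] = {}   # path -> seed encoded in the QR image

    @staticmethod
    def qr_path(username: str, password: str) -> str:
        # Hypothetical derivation (not the real scheme); the property is what matters:
        # nothing the attacker lacks goes into the path, so knowing the password fixes the URL.
        digest = hashlib.sha256(f"{username}:{password}".encode()).hexdigest()
        return f"/qr/{digest}.png"

    def enrol(self, username: str, password: str) -> None:
        seed = secrets.token_bytes(20)
        self.users[username] = (password, seed)
        self.qr_images[self.qr_path(username, password)] = seed

    def fetch_qr(self, path: str, session_passed_2fa: bool) -> Optional[bytes]:
        # Served to anyone who asks for the right path (the article: loaded via XSS on any site).
        return self.qr_images.get(path)

    def login(self, username: str, password: str, code: Optional[str], unix_time: int) -> bool:
        stored_password, seed = self.users[username]
        if code is None or not hmac.compare_digest(stored_password, password):
            return False
        return hmac.compare_digest(code, totp(seed, unix_time))


class FixedVault(FlawedVault):
    """Hardened toy: random, single-use path, served only to a session that has already
    passed 2FA, so the password alone cannot reach the seed."""

    def enrol(self, username: str, password: str) -> None:
        seed = secrets.token_bytes(20)
        self.users[username] = (password, seed)
        self.qr_images[f"/qr/{secrets.token_urlsafe(32)}.png"] = seed

    def fetch_qr(self, path: str, session_passed_2fa: bool) -> Optional[bytes]:
        if not session_passed_2fa:
            return None
        return self.qr_images.pop(path, None)   # one download, then the image is gone


def attacker_with_password(vault: FlawedVault, username: str, password: str,
                           unix_time: int) -> Optional[str]:
    """Precondition from Vigo's report: the attacker already holds the master password,
    but has no authenticated session and no 2FA seed."""
    seed = vault.fetch_qr(vault.qr_path(username, password), session_passed_2fa=False)
    return totp(seed, unix_time) if seed is not None else None


def demo(unix_time: int = 1_700_000_000) -> Dict[str, bool]:
    """Did the attacker get in? Constructed sample user; returns {'flawed': True, 'fixed': False}."""
    user, master = "alice", "correct horse battery staple"
    outcome = {}
    for label, cls in (("flawed", FlawedVault), ("fixed", FixedVault)):
        vault = cls()
        vault.enrol(user, master)
        code = attacker_with_password(vault, user, master, unix_time)
        outcome[label] = vault.login(user, master, code, unix_time)
    return outcome


if __name__ == "__main__":
    print(demo())
```

The point of the fixed variant is not the randomness of the path by itself: the seed must only ever be handed to a principal that has already proven the second factor, and the enrolment image should not remain fetchable afterwards. A random path that is still served unauthenticated would merely turn the bypass into a guessing game.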
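On the "word plus a number" habit: as an added example (not from the post), a small checker for that shape next to the kind of generator a password manager uses instead. The dictionary size and the tail alphabet used for the guess estimate are rough assumptions for illustration, not measurements, and the regex only captures the specific habit described in the post (a lower-case word, an optional leading capital, a short digit or symbol tail).

```python
import math
import re
import secrets
import string

# Shape described in the post: dictionary word, maybe capitalised, short numeric/symbol tail.
MANGLED_WORD = re.compile(r"^[A-Z]?[a-z]{3,}[0-9!@#$%&*]{0,6}$")
TAIL = re.compile(r"[0-9!@#$%&*]*$")

# Assumed sizes for the estimate only (not measured): a common-password dictionary and the
# digit/symbol tail alphabet an attacker's mask rule would try.
DICTIONARY_WORDS = 100_000
TAIL_ALPHABET = 18


def looks_mangled(password: str) -> bool:
    """True for passwords shaped like the breach-dump samples quoted in the post."""
    return MANGLED_WORD.fullmatch(password) is not None


def guess_bits(password: str) -> float:
    """Estimated search space in bits for an attacker who knows how people mangle words."""
    if looks_mangled(password):
        tail = TAIL.search(password).group(0)
        capital_bit = 1 if password[0].isupper() else 0
        return math.log2(DICTIONARY_WORDS) + capital_bit + len(tail) * math.log2(TAIL_ALPHABET)
    # Otherwise treat it as uniform draws from the character classes actually present.
    alphabet = 0
    for cls in (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation):
        if any(c in cls for c in password):
            alphabet += len(cls)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def generate(length: int = 20,
             alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """What a password manager does: independent uniform draws from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for sample in ("madukes1", "frame02250", "Stanleyboo23", generate()):
        print(f"{sample!r:28} mangled={looks_mangled(sample)!s:5} ~{guess_bits(sample):.0f} bits")
```

The estimate is deliberately crude; its job is to make the gap visible: a few dozen bits for a word with digits bolted on versus well over a hundred for twenty random characters, which is why the habit the post describes survives complexity rules and a generated password does not need them.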

