Old 09-08-2017, 17:03   #18
Qtx
CF's Worst Nightmare
 
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Re: Password managers.

Quote:
Originally Posted by Damien
Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.

First, if you do keep passwords in notepad, please don't call the file passwords.txt. Lots of malware automatically looks for such filenames.


2 factor was completely bypassed with LastPass due to a bug/implementation error. There are lots of cases of 2FA being bypassed even with Google services. Then there is the difference between an auth app and an SMS message as the mobile phone system allows anyone to use the SS7 protocol to intercept the SMS 2 factor messages of any number. I say anyone but you need a connection to the phone system or a VOIP account somewhere that allows it or has a badly configured system, of which there are a few out there.


As for LastPass, the 2 factor auth issue was fixed in February:


Quote:
LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.
According to Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.
While this sounds like a non-issue, it is not. The main purpose why 2FA was invented to begin with was to act as a second layer of protection just for these cases, where the attacker has managed to guess or get hold of the user's password.
This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.
LastPass used the user's password to derive QR code URLs

According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under an URL that was derived from the user's password.
This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass passwords trove.
In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:
- Attacker lures user on any website vulnerable to an XSS (cross-site scripting) bug
- Because the attacker can derive the QR code URL from the user's existing password, he uses the XSS attack to load and save the QR code image
- Attacker scans QR code with Google Authenticator, which LastPass uses for 2FA operations
- Attacker gets the 2FA code and accesses the user's account

madukes1 pimp frame02250 alezam5 stanleyboo23 <- when a person is forced to use a number in their password. Now a capital letter is often forced... just capitalise the first letter and re-use. This often repeated bad habit is what password managers stop when they create passwords for you, rather than you storing your own thought up passwords.

Last edited by Qtx; 09-08-2017 at 17:21.
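An added example (not part of Qtx's post, nor LastPass's or Vigo's code) of the habit described in the last paragraph, written as a password-policy audit: it flags passwords that are a plain word with a digit run appended and/or the first letter capitalised, and contrasts them with a manager-style password drawn from the OS CSPRNG. The sample list is constructed in the style of the passwords quoted above.

```python
import re
import secrets
import string

# Constructed sample in the style of the breach-list passwords quoted in the post.
SAMPLE_PASSWORDS = ["madukes1", "pimp", "frame02250", "alezam5",
                    "stanleyboo23", "Stanleyboo23"]

# A dictionary-style word with a run of digits bolted onto the end.
WORD_PLUS_DIGITS = re.compile(r"^(?P<base>[A-Za-z]+?)(?P<digits>\d+)$")


def policy_mutation(password: str) -> dict:
    """Describe whether a password looks like a plain word that was changed only
    as far as a 'must contain a digit / must contain a capital' policy forced:
    digits appended at the end, first letter capitalised."""
    m = WORD_PLUS_DIGITS.match(password)
    base, digits = (m.group("base"), m.group("digits")) if m else (password, "")
    capitalised = len(base) > 1 and base[0].isupper() and base[1:].islower()
    return {
        "base": base.lower(),
        "digit_suffix": digits,
        "capitalised_first": capitalised,
        "looks_policy_driven": bool(digits) or capitalised,
    }


def audit(passwords: list[str]) -> int:
    """Count how many passwords in a list follow the forced-mutation habit."""
    return sum(policy_mutation(p)["looks_policy_driven"] for p in passwords)


def manager_style_password(length: int = 20) -> str:
    """Generate a password the way a manager does: uniform random choice from a
    mixed alphabet using the OS CSPRNG, so there is no base word to mutate and
    no pattern to reuse across sites."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every character class is present, so the result also
        # satisfies the usual composition policies without a human-style tweak.
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


if __name__ == "__main__":
    for p in SAMPLE_PASSWORDS:
        print(p, policy_mutation(p))
    print(audit(SAMPLE_PASSWORDS), "of", len(SAMPLE_PASSWORDS), "look policy-driven")
    print("manager-style:", manager_style_password())
```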