Welcome to Cable Forum
Password managers.
Old 07-08-2017, 10:54   #16
Damien
Remoaner
Cable Forum Team
Re: Password managers.

Quote:
Originally Posted by Qtx View Post
There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.
I think this is the critical point. Nothing is 100% secure but you shouldn't let perfect be the enemy of good. Most people are not the target of sophisticated attacks and you're orders of magnitude more likely to have accounts compromised by using a shared password across sites than having someone hack a password manager then bother trying to break the encryption on your stored password set. Most password managers encrypt your data with your master password.

Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.
Old 07-08-2017, 13:03   #17
tweetiepooh
Virgin Media Employee
Re: Password managers.

I use LastPass and pay for Premium. I can use the same tool on Windows, Linux, Android. I install, login and all my passwords are available. Nice and easy. I can also "share" logins but keep the password secure - so I have set up Dropbox for each of the kids, then shared the password securely with them and set up the client on their PCs.

LastPass can autochange the password on some sites, making that task a little easier, and you can generate an OTP pad so you can get into your account should you forget your password. For some devices it can store a key on the device so you can use that device to access your account if you forget the password. It supports some 2FA mechanisms. You can also store secure notes. Another good feature is you can force master password entry for some records.

I don't know what my password is for many sites now, it's a random string of letters, numbers, symbols as long as the site will allow.

I do NOT keep my bank login in there though. And that also has a card reader and response mechanism to do things once logged in anyway.
__________________
I work for VMO2 but reply here in my own right. Any help or advice is made on a best-effort basis. No comments construe any obligation on VMO2 or its employees.
Old 09-08-2017, 17:03   #18
Qtx
CF's Worst Nightmare
Re: Password managers.

Quote:
Originally Posted by Damien View Post
Most of these 'hackers' are script kiddies buying data breaches in bulk and automating e-mail/password combinations against a multitude of sites. They deal in volume with each credential worth less than a penny. They don't have the time or will to concentrate on any specific person. Having a unique password and enabling 2 factor will prevent 99% of the risk.

Even keeping them on a notepad in the home is good.
First, if you do keep passwords in notepad, please don't call the file passwords.txt. Lots of malware automatically looks for such filenames.

2 factor was completely bypassed with LastPass due to a bug/implementation error. There are lots of cases of 2FA being bypassed even with Google services. Then there is the difference between an auth app and an SMS message as the mobile phone system allows anyone to use the SS7 protocol to intercept the SMS 2 factor messages of any number. I say anyone but you need a connection to the phone system or a VOIP account somewhere that allows it or has a badly configured system, of which there are a few out there.

As for LastPass, the 2 factor auth issue was fixed in February:

Quote:
LastPass has patched a severe vulnerability in their password manager that allowed attackers to bypass the company's two-factor authentication (2FA) system.
According to Martin Vigo, founder of Triskel Security and the security researcher who discovered this flaw, the vulnerability can only be exploited when an attacker has already compromised the user's LastPass master password.
While this sounds like a non-issue, it is not. The main purpose why 2FA was invented to begin with was to act as a second layer of protection just for these cases, where the attacker has managed to guess or get hold of the user's password.
This means Vigo's attack could have been used to nullify LastPass 2FA altogether, stripping away this second layer of protection.
LastPass used user password to derive QR code URLs

According to Vigo's technical write-up, the entire issue at the heart of this vulnerability was the fact that LastPass was storing the 2FA secret seed [in the form of a QR code] under a URL that was derived from the user's password.
This meant that the attacker only had to compute and retrieve this QR code, stored under a local URL, and he would have been able to determine the 2FA secondary code and access the user's LastPass passwords trove.
In a bug report filed with LastPass, Vigo detailed a successful attack he performed locally:
- Attacker lures user on any website vulnerable to an XSS (cross-site scripting) bug
- Because the attacker can derive the QR code URL from the user's existing password, he uses the XSS attack to load and save the QR code image
- Attacker scans QR code with Google Authenticator, which LastPass uses for 2FA operations
- Attacker gets the 2FA code and accesses the user's account
madukes1 pimp frame02250 alezam5 stanleyboo23 < when a person is forced to use a number in their password. Now a capital letter is often forced... just capitalise the first letter and re-use. This often repeated bad habit is what password managers stop when they create passwords for you, rather than you storing your own thought up passwords.

Last edited by Qtx; 09-08-2017 at 17:21.
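The point of the quoted write-up is that a second factor only counts as a second factor if its seed cannot be reached with the first. The following is an added Python example, not code from the forum, LastPass or Vigo: it implements the TOTP that Google Authenticator uses (RFC 4226/6238, HMAC-SHA1, 30 s, 6 digits) and contrasts a toy seed store whose location is derived from the password (modelled here as SHA-256 of the password, an assumption since the page gives no derivation details) with one keyed by a random server-side id. The password, seed and store are constructed sample values.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30) -> str:
    """RFC 6238 TOTP with Google Authenticator defaults: counter = unix time // 30 s."""
    now = int(time.time()) if at is None else int(at)
    return hotp(secret, now // step)


# Constructed toy vault: one user, one 2FA seed. Nothing here is a real credential.
PASSWORD = "correct horse battery staple"
SEED = b"constructed-demo-seed-20"


def password_derived_path(password: str) -> str:
    # The flaw from the write-up, modelled as SHA-256 of the password (an assumption;
    # the page does not give LastPass's real derivation): the seed's location is a pure
    # function of the password, so whoever holds the password can locate the seed too.
    return hashlib.sha256(password.encode()).hexdigest()


FLAWED_STORE = {password_derived_path(PASSWORD): SEED}
FIXED_STORE = {secrets.token_hex(16): SEED}   # random id, held server-side, unrelated to the password


def seed_reachable_with_password(store: dict, password: str) -> bool:
    """Does the password alone reveal where the seed lives (and so allow minting valid codes)?"""
    return password_derived_path(password) in store


def verify_login(password: str, code: str, stored_password: str, seed: bytes, at=None) -> bool:
    """Both factors must pass; this only means something if the seed is independent of the password."""
    ok_pw = hmac.compare_digest(password.encode(), stored_password.encode())
    ok_code = hmac.compare_digest(code.encode(), totp(seed, at).encode())
    return ok_pw and ok_code
```

With the flawed store a compromised master password is enough to find the seed and compute the current code, which is exactly the "nullify 2FA altogether" outcome the article describes; with the random id the password gives no foothold on the seed.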