TheWarlock

LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.

29 minutes ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

I'm sorry, but having a physical, unencrypted piece of paper with your passwords on it is the single worst and least secure way of remembering them. Using a proper, local password storage solution with adequate cryptography is both secure and convenient. The issue detailed in the article is most definitely not the same as having your passwords in a plain text file and the issue is nonexistent if you close the password manager when you're done with it - it never crossed my mind to leave it running in the background, and even then at the very least an attacker would require my user password and physical or remote access to my PC to abuse this vulnerability.


sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux F.A.Q Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

Link to post
Share on other sites
15 minutes ago, Rohith_Kumar_Sp said:

Make sure you have backups. I had my drive fail on me with my entire PWDs lost; I somehow managed to recover it after trying the drive again after a week and letting the drive detect for about an hour, and copied that file the first chance I got. After that incident I created a LastPass account.

Oh yeah, I have backups... ;)

 


Tech News Posting Guidelines - READ BEFORE POSTING | Community Standards | Forum Staff

LTT Folding Users Tips, Tricks and FAQ | F@H Contribution | My Rig | Project Steamroller

 

Spoiler

 †  

 

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "the best way to learn is to teach" ~ Benjamin Jantz

 

I am a StarCitizen are you? My ships: Aegis Eclipse, Aegis Sabre, Aegis Gladius, Aopoa Nox, KI P52 Merlin, KI P72 Archimedes and the RSI Constellation Aquila.

 

My Phones are a Nokia Lumia 925 with WM10 and a Microsoft Lumia 950 XL with WM10 running the Fast Ring insider updates. Broke :(

Samsung Note 9 and a Samsung S9+

 

About Myself:   https://linustechtips.com/main/profile/229093-sansvarnic/?tab=field_core_pfield_46

 

 CHRISTIAN MEMBER 

 

 

Link to post
Share on other sites

Is there a more, techy, explanation of this flaw?

 

Rather than 'the master password occasionally sits in memory'

 

Link to post
Share on other sites
28 minutes ago, solonovamax said:

yes, but the cpu does also need to access programs on my hard disk. These are read off the disk. I don't think it would be that hard to do something like that (on the other hand, I can't entirely say for sure, as I don't fully know how they work and/or are coded)

It goes CPU > Registers (Like cache) > RAM > Drive. The processor fetches data from this hierarchy if I remember correctly. 

Link to post
Share on other sites
45 minutes ago, imreloadin said:

Considering this has to do with having the application open in the background so your master password is stored actively in your RAM all you have to do is not use anything with a browser extension and just close out of the application when you're done. I use KeePass and it's not that hard to do, just launch it when I need to enter a password, copy/paste it into the website, and close out of KeePass. Seriously though this is just basic computer usage information, if I type something in it's obviously stored in the RAM of your computer while that application is open.

It's not even the LastPass browser extension that's affected, it's the separate "LastPass for Applications" that you download and install on your PC, and is only available to premium users.

 

This:

ae840000fd.png


[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: Intel i7-7700K 5GHz | Gigabyte Z170N | EVGA 1080 ACX 3.0 SC | 16GB Trident Z 3200MHz | 256GB 840 EVO | 960GB Corsair Force LE | EVGA P2 650W | Custom Loop

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server: Intel Pentium G3258 | MSI Z87 G45 | 16GB G.Skill Sniper | 2x1TB Western Digital HDDs

Link to post
Share on other sites
1 hour ago, SansVarnic said:

All my passwords are on a secured word document kept in a thumbdrive.

 

 

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I don't care what kind of promise of security they offer.

Call me "old school", but I have mine on tape along with other confidential documents. Then that is kept on my person or in a safe.

Link to post
Share on other sites

At least the cited paper doesn't blow this story up to a misleading point like the Forbes article or the OP.

 

Fact 1: everything your computer does goes through RAM. EVERYTHING! There's no way around it. No matter what you type into it, it will at some point be stored in RAM. 

 

Fact 2: if someone has access to your unlocked system or gains physical access to your computer's internals, you're doomed and your security is done for good.

 

Fact 3: using encryption doesn't mean you can take a dump at common sense. Accessing the memory addresses of another program requires a lot (!) of privileges, in fact this basically requires root/admin privileges and in some cases that's not even enough (talking about kernel-level access). If there's malware installed on your system that was able to run with root/admin privileges, then you screwed yourself over hard - shotgun level hard and afterwards pulling the trigger.

 

The original paper states that attempts were made to sanitize memory entries after use. Some residues somehow stayed behind even after being freed. The question now is: how did this happen? This could have many reasons, but to exploit these leaks an attacker needs to already have access to your system. At that point you're already done.

 

You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever.

 

This isn't as big as Forbes is trying to make it look like.

Link to post
Share on other sites

This is mostly a hard Fake News/Clickbait. If you have READ access to the memory, you can easily just keylog someone's computer.  This is interesting for the NSA/CIA/Pick your 3 letter agency, but there'll be some minor upgrades to a few programs to address a weakness. The fact KeePass showed up in their discussions means losing your passwords is the least of your problems.

Link to post
Share on other sites
4 minutes ago, bowrilla said:

You can bet that the developers will look into this and fix the issues by maybe switching frameworks, using different libraries or whatever.

It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways.


Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

Link to post
Share on other sites
1 minute ago, WereCatf said:

It's not really possible to fix it: all the passwords in the database are encrypted, so the manager needs to have the key to decrypt them with. Either the manager would have to keep asking for the key every single fricking time you want to access any of the usernames/passwords in the database, or it just has to remain like it is. Can't have it both ways.

The issue is memory leaks that persist even after the program was terminated. There were attempts to prevent this but some leaks persist. This can be fixed. When your database is unlocked it is unlocked. Most password managers lock themselves after a certain period of time of inactivity.

Link to post
Share on other sites

The claim that it's no more secure than a plain text file is very much false. All that was found in the research was that your passwords can sometimes exist in your computer's RAM, which would require administrator privileges for an attacker to extract. That is a valid attack case against a password manager, but that is not remotely the same as having a plaintext file that exists on the file system.

 

The gold standard that the researchers are proposing is that a password is only loaded into memory when needed for autofilling, and it is immediately overwritten with bogus data once the fill is complete. According to the article, LastPass, and several of the other password managers, do attempt to do this, but miss some cases.

1 hour ago, SansVarnic said:

All my passwords are on a secured word document kept in a thumbdrive.

 

 

Anytime you give up sensitive information to another party you increase your risk of losing control of your stuff.

I don't care what kind of promise of security they offer.

While not insecure, that is less secure against this particular attack than the password managers surveyed in this study, because all of your passwords will be present in memory for the duration that Word is open. I don't know about how Word handles it, but I suspect that the memory isn't scrubbed at all either, and it almost certainly uses fewer than 100,000 iterations of PBKDF2 to convert the password to an encryption key (100,000 iterations is a lot, but that is what LastPass and 1Password use).

Moreover, to use your passwords, you will use the clipboard, and any process can read the clipboard and get your password.

 

The point of my post is that while this is an issue that should be addressed, password managers are still significantly better than the alternatives, and many of those alternatives, such as using an encrypted word document, still offer a good level of security.

A password manager is still several orders of magnitude better than using the same password or set of passwords everywhere.


I don't work for Floatplane Media, so any Floatplane comments that I make are my own and may be incorrect or in conflict with the official view.

 

For Floatplane support, please use the wizard linked in this topic

Link to post
Share on other sites
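The scrub-after-use pattern described in the post above (load the secret only when needed, overwrite it once the fill is done), as an added Python example that is not part of the thread or of any password manager's code. The names `wipe`, `unlocked_key` and `demo`, the sample master password, the fixed salt and the site name are all constructed for illustration, and an HMAC token stands in for decrypting one vault entry.

```python
import hashlib
import hmac
from contextlib import contextmanager

ITERATIONS = 100_000  # PBKDF2 iteration count quoted in the post above


def wipe(buf: bytearray) -> None:
    """Overwrite a mutable buffer in place so the secret no longer sits in it."""
    for i in range(len(buf)):
        buf[i] = 0


@contextmanager
def unlocked_key(master: bytearray, salt: bytes):
    """Derive the vault key, lend it out for one operation, then scrub it."""
    derived = hashlib.pbkdf2_hmac("sha256", master, salt, ITERATIONS)
    key = bytearray(derived)
    # 'derived' is immutable bytes: it can only be dropped, not overwritten.
    # Copies like this are how a manager that scrubs can still miss a case.
    del derived
    try:
        yield key
    finally:
        wipe(key)  # runs even if the fill operation raised


def demo() -> dict:
    # Constructed inputs. A real vault would use a random per-user salt.
    salt = bytes(16)
    master = bytearray(b"correct horse")

    # A careless code path (hypothetical): turning the password into a str,
    # for example for a UI widget or a log line. The copy cannot be scrubbed.
    careless_copy = master.decode()

    with unlocked_key(master, salt) as key:
        held = key  # same object, kept only to inspect it after the block
        # Stand-in for "decrypt one entry and autofill it". Note that the
        # hmac object keeps its own key-derived state internally as well.
        token = hmac.new(key, b"example.org", "sha256").hexdigest()

    wipe(master)  # lock: the master password buffer is overwritten too

    return {
        "key_scrubbed": not any(held),
        "master_scrubbed": not any(master),
        "str_copy_survives": careless_copy == "correct horse",
        "token": token,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The buffers the code controls end up zeroed, while the immutable `str` copy still holds the password until the runtime reuses that memory, which is the kind of residue the research looked for.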

I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with than that they might get my Last Pass master password!

 

I rate this a 0.5/10 security threat. 

Link to post
Share on other sites
4 hours ago, Sauron said:

I'm sorry, but having a physical, unencrypted piece of paper with your passwords on it is the single worst and least secure way of remembering them. Using a proper, local password storage solution with adequate cryptography is both secure and convenient. The issue detailed in the article is most definitely not the same as having your passwords in a plain text file and the issue is nonexistent if you close the password manager when you're done with it - it never crossed my mind to leave it running in the background, and even then at the very least an attacker would require my user password and physical or remote access to my PC to abuse this vulnerability.

Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days).

 

In fact, the requirements for physical access to your computer and physical access to the password locker in both cases are then nearly identical.

25 minutes ago, Chett_Manly said:

I'm a Last Pass user, not worried at all about this. If someone is managing to pull data from my computer's RAM, I got bigger problems to deal with than that they might get my Last Pass master password!

 

I rate this a 0.5/10 security threat. 

In and of itself it isn't a big issue, but recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system RAM, even without administrative privileges, make it one. With that said, just this publicity forcing the companies to address the loophole is a good thing and benefits everyone. Just like most discovered vulnerabilities these days haven't been seen in the wild before they are identified as weaknesses (and hopefully patched as well before that point).


LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Galaxy S9+ - XPS 13 (9343 UHD+) - Samsung Note Tab 7.0 - Lenovo Y580

 

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 

Link to post
Share on other sites
3 minutes ago, Curufinwe_wins said:

Uhh hyperbole a little bit. Physical unencrypted piece of paper that is offline and within a location that is, at least in theory, secured, is dramatically less bad or less secure than a number of other methods you could use. Including these programs in their current implementation (at least from non-targeted attacks, which make up the hyper majority of data theft these days).

Right, I suppose posting them on facebook is worse. The piece of paper won't be in a safe though, it will be in your pocket if you want to remember your passwords outside of your house.

 

No, these programs aren't nearly as bad as that. In fact, I'd argue that they're perfectly safe, and this vulnerability is completely negated if you close the password manager when you're done with it. An easy fix is to just remove the background service function. A targeted attack is necessary to exploit it though; you need physical or remote access to the computer with your user account.

7 minutes ago, Curufinwe_wins said:

recent vulnerabilities with manipulating speculation (and further seeming to indicate that almost all methods of speculative execution are vulnerable to attack in some way or another) to access other parts of system ram, even without administrative privileges makes it one.

Speculative execution vulnerabilities make everything a vulnerability, if you get pwned by Spectre they could just as well keylog all your passwords (or dump your clipboard if you use that).



Link to post
Share on other sites

Easy fix: don't be a dumb-ass and install/open anything without thinking, and use noscript and adblock* on your browser.... 9_9

 

(* "But that is like stealing and yada yada yada...." I don't care, if ad companies won't return to reality with their practices [no flashing, moving, loud, etc ads] and fix their sh!t security ASAP they deserve to be blocked.)

Link to post
Share on other sites
5 hours ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

Lmao, do you put this paper in a safe? This is actually the worst possible way to record passwords.


Magical Pineapples

Link to post
Share on other sites
25 minutes ago, Sauron said:

Right, I suppose posting them on facebook is worse. The piece of paper won't be in a safe though, it will be in your pocket if you want to remember your passwords outside of your house.

 

No, these programs aren't nearly as bad as that. In fact, I'd argue that they're perfectly safe, and this vulnerability is completely negated if you close the password manager when you're done with it. An easy fix is to just remove the background service function. A targeted attack is necessary to exploit it though; you need physical or remote access to the computer with your user account.

Speculative execution vulnerabilities make everything a vulnerability, if you get pwned by Spectre they could just as well keylog all your passwords (or dump your clipboard if you use that).

I'm not suggesting you move the paper out of your house, ever. Because why would you? I'm thinking about the senior citizens that keep passwords in a notebook in their house that never moves from the house, which generally speaking is better for them than these programs are (for many security reasons).

 

This vulnerability may be negated by closing the program (and forcing the ram to actually be dumped not just cached), but the same type of people who generally find themselves infiltrated by those broad spectrum non-targeted exploits (as in trying to get YOUR information, instead of trying to get the information of EVERYONE who uses the program) in the first place, are the same type of people who don't have the common sense to close shit when they are done with it. I mean lol, if people actually closed their browsers when they were done with it, banks (and the like) wouldn't bother instituting time out periods on websites with critical information etc.

 

An example of a targeted attack, by that thought process is someone breaking into YOUR home after studying your comings and goings etc. Or digitally doing the equivalent. Those attacks, particularly within digital space are still quite rare, because most people simply aren't that important or interesting.



Link to post
Share on other sites
2 minutes ago, Curufinwe_wins said:

I'm not suggesting you move the paper out of your house, ever. Because why would you?

I log in to things when I'm out, don't you?



Link to post
Share on other sites

So, if your PC is already not secure by having crap on it that scans your memory, you're potentially exposing your passwords. Cool.

 

KeePass has a ton of security features that, quite frankly, should be enabled by default.

Like erasing clipboard after x seconds, master password on secure desktop and closing itself automatically after x seconds/minutes of idling.

Anyone who cares about safety has those enabled (plus many other options...).

So honestly, as a KeePass user, I'm not worried.

Your passwords are only as secure as you make them to be. 

 

Also, this has been known for a long time for KeePass.
https://keepass.info/help/base/security.html#secmemprot


CPU: Intel Core i7 875k / GPU: Radeon HD7970 GHz 3GB  / RAM: Crucial Ballistix Sport 8GBx2 DDR3-1600
MOBO: ASUS P7P55D-e LX / SSD: Intel 520 120GB / Case: Cooler Master HAF912 / PSU: Corsair TX850w / OS: Windows 10 Pro

Link to post
Share on other sites
3 minutes ago, Sauron said:

I log in to things when I'm out, don't you?

If I can't remember a password for something when I'm out and about... I simply do without. Honestly.

 

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.



Link to post
Share on other sites
1 minute ago, Curufinwe_wins said:

If I can't remember a password for something when I'm out and about... I simply do without. Honestly.

Good for you, I for one need it sometimes.

2 minutes ago, Curufinwe_wins said:

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.

What about cold local storage, but the file is also encrypted? That's what KeePass is. At worst, using this vulnerability they would know your master password for KP, and at that point it's as good as a text file - but that's pretty unlikely.



Link to post
Share on other sites
8 minutes ago, Sauron said:

Good for you, I for one need it sometimes.

What about cold local storage, but the file is also encrypted? That's what KeePass is. At worst, using this vulnerability they would know your master password for KP, and at that point it's as good as a text file - but that's pretty unlikely.

Of course, encrypting your cold storage is better than not encrypting it, but most encryption methods fall in the 'keep your younger brother from snooping' not in the 'keep someone that actually cares/knows what they are doing from spying'. 

 

Since I would also argue targeted attacks (which are the only ones that fall in the second bin) are rare enough to not generally concern yourself about, I do actually think it's generally safe enough (for most people at least) to use physically recorded non-encrypted storage.

 

Also KeePass isn't really cold storage, unless you have a separate non-connected device that holds the repository. In which case, bravo.



Link to post
Share on other sites
