
LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.

TheWarlock
6 hours ago, imreloadin said:

It has to pass through the RAM at some point...

The new Ryzen Pro and Epyc CPUs have encryption built into the chip so even things stored in RAM will be encrypted.

 

https://developer.amd.com/sev/

if you want to annoy me, then join my teamspeak server ts.benja.cc


35 minutes ago, Curufinwe_wins said:

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.

Well, this is true, as long as you store it in a safe location. Otherwise it's just like having an unencrypted text document on your hard drive. The moment your system gets broken into, your passwords are out; as soon as someone breaks into your house, your folder is gone as well, as long as it is not stored in a good safe.

 

There's a better option though: you can use OTP with U2F sticks or other 2FA solutions. I have my U2F stick around my neck that's paired with my key manager. Every time I unlock my key manager I need both my password and my stick that is also paired with a fingerprint-locked Authenticator app that requires my stick to be held against my phone in order for it to generate a valid key to unlock my passwords. Sure, you can just put a gun to my head or be a bit more sophisticated and hack me to get my password and after that you'll have to knock me out to unlock my phone and get a hold of my U2F stick. You can't social engineer your way into this, keyloggers are useless and you can only target me personally.

 

At that point it is ALWAYS just a matter of determination and time until your security is broken. If someone wants to get to you no matter what he or she will.

Use the quote function when answering! Mark people directly if you want an answer from them!


1 minute ago, The Benjamins said:

The new Ryzen Pro and Epyc CPUs have encryption built into the chip so even things stored in RAM will be encrypted.

This is not how this works ...


11 minutes ago, bowrilla said:

This is not how this works ...

what works?

 

just stating that new CPUs have the ability to encrypt RAM, so no other process can scan the RAM.

 

https://developer.amd.com/sev/


25 minutes ago, Sauron said:

Not really, AES 512 is currently completely unbreakable. It doesn't matter who targets you, they can't decrypt that without the password.

I disagree, "most people" are likely to end up losing that storage or leave it unattended. People use their passwords at work and in general outside their home, losing it is a real concern. If it's just a text file, losing it means giving away your passwords to whomever finds it. If it's properly encrypted, that's not a problem.

Which is where PHYSICAL comes into play. AES 512 is still only as secure as the people/password behind it (as social engineering experiments/hack databases routinely point out).

 

And you don't bring it outside your house. It isn't flipping hard. The point I was making from the beginning was that having just a physical storage of your password, in a nominally secured location (even just in a locked house) is far from the worst you can do, and far better than many digital encryption schemes once you account for how stupid most people are at managing their digital records.

12 minutes ago, bowrilla said:

Well, this is true, as long as you store it in a safe location. Otherwise it's just like having an unencrypted text document on your hard drive. The moment your system gets broken into, your passwords are out; as soon as someone breaks into your house, your folder is gone as well, as long as it is not stored in a good safe.

 

There's a better option though: you can use OTP with U2F sticks or other 2FA solutions. I have my U2F stick around my neck that's paired with my key manager. Every time I unlock my key manager I need both my password and my stick that is also paired with a fingerprint-locked Authenticator app that requires my stick to be held against my phone in order for it to generate a valid key to unlock my passwords. Sure, you can just put a gun to my head or be a bit more sophisticated and hack me to get my password and after that you'll have to knock me out to unlock my phone and get a hold of my U2F stick. You can't social engineer your way into this, keyloggers are useless and you can only target me personally.

 

At that point it is ALWAYS just a matter of determination and time until your security is broken. If someone wants to get to you no matter what he or she will.

Certainly true. While mainly an illustration point, I did make explicit references that merely storing a piece of paper is particularly susceptible to IRL targeted attacks (while being quite strong against non-targeted attacks). And yes, those are better solutions without a doubt.

LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Note 10+ - Surface Book 2 15"

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 


Not sure what it's going to take before people realize that storing anything important on a cloud service is moronic. Just another example of the majority prioritizing laziness above logic.

What do Windows 10 and ET have in common?

 

They are both constantly trying to phone home.


19 minutes ago, Curufinwe_wins said:

Which is where PHYSICAL comes into play. AES 512 is still only as secure as the people/password behind it (as social engineering experiments/hack databases routinely point out).

Which is why we encrypt our passwords with it and we remember the master password by heart.

20 minutes ago, Curufinwe_wins said:

And you don't bring it outside your house. It isn't flipping hard.

Again, people need their passwords when they aren't home. Since the only reason to avoid that would be using a plain text file, the solution is to not use a plain text file. Problem completely solved without limiting where you can carry your password database. It isn't flippin' hard.

22 minutes ago, Curufinwe_wins said:

The point I was making from the beginning was that having just a physical storage of your password, in a nominally secured location (even just in a locked house) is far from the worst you can do, and far better than many digital encryption schemes once you account for how stupid most people are at managing their digital records.

User error is just as bad for a piece of paper as it would be for an encrypted db. At least an encrypted db shields you from some of those mistakes. A piece of paper with plain text on it is 0 security, anything you can add to its security makes it better.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


38 minutes ago, bowrilla said:

as soon as someone is breaking into your house, your folder is gone either as long as it is not stored in a good safe.

if someone breaks into my house, they are going to take my TV, computer, tablets, laptops; I doubt they are going to go after a journal or even a random hard drive in a drawer. also at that point passwords no longer matter...

🌲🌲🌲

 

 

 

◒ ◒ 


24 minutes ago, Sauron said:

Which is why we encrypt our passwords with it and we remember the master password by heart.

Again, people need their passwords when they aren't home. Since the only reason to avoid that would be using a plain text file, the solution is to not use a plain text file. Problem completely solved without limiting where you can carry your password database. It isn't flippin' hard.

User error is just as bad for a piece of paper as it would be for an encrypted db. At least an encrypted db shields you from some of those mistakes. A piece of paper with plain text on it is 0 security, anything you can add to its security makes it better.

See below.  No, actually people don't NEED most passwords (the type they don't have memorized anyways) while they are away from home. NEED refers to the inability to function without it. Not, 'this is a mild to moderate inconvenience to me as a person, and reduces my functionality until I get them back'.

 

No, because encrypted files on devices that have connectivity with the rest of the world have many more abusable points of failure than simply having the physical item in one location isolated. Ask literally any company which is more secure, cold offline data storage or hot encrypted storage. The answer is cold offline storage. That's one of the biggest if not THE biggest reasons why tape systems are still in use.

 

The only point of failure in that situation is if a person, looking for the notebook (most burglaries wouldn't even bother looking at a notebook), breaks into your house. At that point, they already have all your personal information (probably before even breaking in) and have done sufficient amounts of study that your user/master passwords would probably be decipherable through social engineering regardless.

 

20 minutes ago, Arika S said:

if someone breaks into my house, they are going to take my TV, computer, tablets, laptops; I doubt they are going to go after a journal or even a random hard drive in a drawer. also at that point passwords no longer matter...

Unless of course you are in an exceptionally rare/odd situation where your specific data is the ONLY thing they want, in which case (as mentioned by myself and others above), yes, physically writing down passwords is bad. But as you say, and as I have said numerous times here, most people simply aren't interesting/important enough for that to be a serious consideration.

 

 

AGAIN, obviously, with all other factors equal, encryption is better than nothing, but in this case all other factors aren't equal. A piece of paper in a safe (or less obviously in a different obscure and locked location) that also uses a cipher is better than a plain text piece of paper next to your desk.


2 minutes ago, Curufinwe_wins said:

See below.  No, actually people don't NEED most passwords (the type they don't have memorized anyways) while they are away from home. NEED refers to the inability to function without it. Not, 'this is a mild to moderate inconvenience to me as a person, and reduces my functionality until I get them back'.

I'm out of my house most of my day, if I ever need to look at a password it's not at home. I don't understand why it's so hard for you to accept that, and why it matters since it is a solved problem if you just use a password manager.

4 minutes ago, Curufinwe_wins said:

No, because encrypted files on devices that have connectivity with the rest of the world have many more abusable points of failure than simply having the physical item in one location isolated.

No. They. Don't. You type your passwords in on your computer, if someone is so completely in control of your computer to get a memory dump without you noticing they can also keylog you, even if you read the password off a piece of paper. If they only have access to your drive's data, an encrypted password database is effectively random noise as far as they're concerned. It doesn't matter if they have it. It only matters if they also have your master password, which requires complete access to your computer in the first place.

10 minutes ago, Curufinwe_wins said:

The only point of failure in that situation is if a person, looking for the notebook (most burglaries wouldn't even bother looking at a notebook), breaks into your house. At that point, they already have all your personal information (probably before even breaking in) and have done sufficient amounts of study that your user/master passwords would probably be decipherable through social engineering regardless.

No less than gaining full access to your computer would have taken them.


8 hours ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

Security through obscurity is better. Just store everything in a plaintext file that's named nudes or something... wait we don't want people to click on it... um in that case homework will do xD


It seems like RAM is the gateway to a lot of these exploits. Spectre and Meltdown used a RAM exploit, and this one can leave passwords accessible within RAM. It seems like a very niche exploit but interesting nonetheless.


1 hour ago, The Benjamins said:

what works?

 

just stating that new CPUs have the ability to encrypt RAM, so no other process can scan the RAM.

 

https://developer.amd.com/sev/

While this is all interesting, there are still two things to note:

 

1) that generated key needs to be stored somewhere. It surely could reside solely in a CPU register, but registers can be accessed from Ring 0 or beyond. If you can access other programs' (protected) memory addresses, you're certainly Ring 0 because everything with lower privileges can't access memory directly but has to use OS functions to access its own memory addresses. If you're Ring 0 you have access to (almost) all memory addresses and CPU registers. If the key is there somewhere it's vulnerable. Once you're Ring 0 in theory you can also compromise even higher privileged levels up to UEFI level with the right attack vectors. At that point you can basically only destroy your drive and mainboard – they can potentially never be trusted again. This malware has already been proven.

 

AMD states in their white paper that the AMD Secure Processor is a 32-bit ARM Cortex-A5 on the SoC. It has already been proven that a "co-processor" that "shouldn't be accessible" from the outside can be compromised. If I remember correctly that has been shown and presented at the Black Hat conference in 2018 or 2017 (not quite sure though about the date). The white paper also states that the security subsystem uses a NIST SP 800-90 compliant random number generator but not precisely which standard iteration. Earlier revisions had severe flaws in their concepts that could be exploited, as presented in 2014 by Matthew Green. SME encryption needs to be utilized by the OS by setting the 47th address bit to 1 in the page table. It is possible that as soon as you have Ring 0 access you can just manipulate the system into setting all addresses' 47th bit to 0.

 

2) Even if we assume that the key is securely protected and cannot be accessed (and ignoring the possibility to manipulate the kernel), I still do wonder if SME would provide ANY security at all once you gain Ring 0 access, since the OS is always capable of reading and writing memory. If SME never disclosed unencrypted data, a computer would only produce gibberish. At some point data needs to be in the clear. That means once at Ring 0 you can still read data from memory addresses of any program. That means SME will only provide protection against cold boot attacks and other attacks on the physical level but not from the running system itself.


This is no big surprise; of course the Vault is stored in memory, how else is it going to be accessed?

When you key in your Master Password, that decrypts the application data, but the Vault in memory is still encrypted.

 

I understand what the Article is saying, if you had access to the Master Password and the encrypted data in the RAM you "could" decrypt the Vault.

 

That would require physical access to the machine and the Master Password.

Accessing the machine remotely with Trojan tools is the only alternative.

 

It is still more secure than saving all your passwords into a text file or using Google Chrome to store your passwords.

 

CPU | AMD Ryzen 7 7700X | GPU | ASUS TUF RTX3080 | PSU | Corsair RM850i | RAM | 2x16GB X5 6000MHz CL32 | MOTHERBOARD | Asus TUF Gaming X670E-PLUS WIFI | STORAGE | 2x Samsung Evo 970 256GB NVME | COOLING | Hard Line Custom Loop O11XL Dynamic + EK Distro + EK Velocity | MONITOR | Samsung G9 Neo


https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/

 

ZDNet reached out to the companies that were tested and they all gave responses. LastPass claims to have fixed the issue while the other companies all had various explanations that amount to someone having admin-level access to your system is likely able to bypass a lot of security measures. ISE also says that their tests aren't meant to criticize the password managers.

 

For better or worse, password managers are still one of the best ways to handle multiple, truly unique, passwords.


this post was brought to you by KeePass, cause leaving your keys with someone else who isn't you is just plain retarded

Edit: nevermind, not the type of breach i was expecting

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

 

<>EVs are bad, they kill the planet and remove freedoms too some/<>


my friend CONSTANTLY said i should use lastpass for managing my passwords...

i said no since it's an extremely bad idea to give your password to someone regardless of how it's going to be handled...

i don't even use the chrome password saver (nor the default google one on android), i just remember them, like how everyone should.

i know that it's not a solution for everyone but it's the best way to keep it safe. hell i took memory training courses so i could remember short phrases (basically passwords)

didn't help with my current memory problem (having the world's worst memory) but it's better than forgetting my password and being locked out of my account

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


21 minutes ago, Salv8 (sam) said:

my friend CONSTANTLY said i should use lastpass for managing my passwords...

i said no since it's an extremely bad idea to give your password to someone regardless of how it's going to be handled...

i don't even use the chrome password saver (nor the default google one on android), i just remember them, like how everyone should.

i know that it's not a solution for everyone but it's the best way to keep it safe. hell i took memory training courses so i could remember short phrases (basically passwords)

didn't help with my current memory problem (having the world's worst memory) but it's better than forgetting my password and being locked out of my account

No, everyone should not "just remember" passwords. It is quite literally impossible for the human brain to remember multiple long strings of random numbers and letters. If a password is not random it is not secure. Having non-randomized passwords is a very bad security practice. Anyone that thinks their "unique" non-randomized password scheme is secure would be in for a rude awakening if anyone really wanted to target their accounts.


15 hours ago, WereCatf said:

At least with Keepass there's a very simple solution: simply exit Keepass when you don't actively need it. POOF -- problem gone.

Simply locking KeePass will do the same (or close to); the derived key is discarded. This is why KeePass can take multiple seconds to unlock depending on your configuration, it needs to perform the entire KDF again.

Quote

When locking the workspace, KeePass closes the database file and only remembers its path.

This provides maximum security: unlocking the workspace is as hard as opening the database file the normal way.

 

15 hours ago, aezakmi said:

Avoid using internet connected password managers.

Use the right tool for the task.

Password managers are designed to securely store passwords while something like an encrypted document would have this as an afterthought. Any solution you derive will not be as rigorously checked as a decent password manager and probably leaves some form of unencrypted data somewhere in the form of temporary files, clipboard data or non-zeroed memory.
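The lock-then-rerun-the-KDF behaviour described in this reply, and its closing point about non-zeroed memory, as an added Python model that is not KeePass's own code: scrypt stands in for whatever KDF the database is configured with, the HMAC check value is an assumed stand-in for the database header's password check, and locking overwrites the derived key buffer before the reference is dropped. Python cannot guarantee that no other copy of the key survives (the bytes object the KDF returns is left to the garbage collector), which is exactly the kind of leftover the reply warns about in home-grown solutions.

```python
import hashlib
import hmac
import os

# Assumed, constructed parameters: scrypt stands in for the configured KDF and
# the work factor is kept small so the example runs in well under a second.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32


def derive_key(master_password: str, salt: bytes) -> bytearray:
    """The slow, memory-hard step; locking forces it to be repeated on unlock."""
    key = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    # Copy into a mutable buffer so it can be overwritten when locking. The
    # immutable `key` bytes object cannot be wiped from Python; it is left to
    # the garbage collector, which is the limitation of doing this in a high-
    # level language rather than in a purpose-built password manager.
    return bytearray(key)


def verifier_for(key: bytes) -> bytes:
    """Assumed check value kept in the database header so a wrong master password is rejected."""
    return hmac.new(bytes(key), b"vault-verifier", hashlib.sha256).digest()


def wipe(buf: bytearray) -> None:
    """Overwrite key material in place before the reference is dropped."""
    for i in range(len(buf)):
        buf[i] = 0


class Vault:
    """Locked state holds only the file path and the public header fields; the
    derived key exists only while unlocked."""

    def __init__(self, path: str, salt: bytes, verifier: bytes) -> None:
        self.path = path            # all that is remembered while locked
        self.salt = salt            # public KDF salt from the database header
        self.verifier = verifier    # public check value from the database header
        self._key = None            # derived key: present only while unlocked
        self.kdf_runs = 0           # counts how often the expensive KDF ran

    def unlock(self, master_password: str) -> bool:
        key = derive_key(master_password, self.salt)   # full KDF every time
        self.kdf_runs += 1
        if not hmac.compare_digest(verifier_for(key), self.verifier):
            wipe(key)               # wrong password: do not keep the bad key around
            return False
        self._key = key
        return True

    def lock(self) -> None:
        if self._key is not None:
            wipe(self._key)         # zero first, then forget
            self._key = None

    def is_unlocked(self) -> bool:
        return self._key is not None


def new_vault(path: str, master_password: str) -> Vault:
    """Build the header (salt + verifier) for a fresh master password; starts locked."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    verifier = verifier_for(key)
    wipe(key)
    return Vault(path, salt, verifier)


if __name__ == "__main__":
    v = new_vault("constructed-example.kdbx", "correct horse battery")
    print("unlock:", v.unlock("correct horse battery"), "kdf runs:", v.kdf_runs)
    v.lock()
    print("unlock after lock:", v.unlock("correct horse battery"), "kdf runs:", v.kdf_runs)
```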


3 minutes ago, Derangel said:

No, everyone should not "just remember" passwords. It is quite literally impossible for the human brain to remember multiple long strings of random numbers and letters. If a password is not random it is not secure. Having non-randomized passwords is a very bad security practice. Anyone that thinks their "unique" non-randomized password scheme is secure would be in for a rude awakening if anyone really wanted to target their accounts.

i used to have a password that no joke was this:

hellothisismypassworditsextramlyhardtocracksinceitsaphrasewithoutspacesorcommas

putting that into https://howsecureismypassword.net/ says it would take 5 TRIGINTILLION YEARS to crack it

all i had to do was remember the phrase and i was set, in fact people do this every day without realizing it, quote your fav line from a tv show or movie without looking it up online.

mine is "SHUT UP WESLEY!" from star trek next gen.

in fact, many including LTT (https://www.youtube.com/watch?v=t8SQo3R7qeU) recommend doing this since it's easier to remember than random numbers and letters.

i knew one dude used to have the password supersayiangodsupersayiangoku because for him it was easy to remember since he liked dragon ball

in fact your password will more likely get cracked if it is just a jumble of randomly chosen letters and numbers since it's an algorithm that can be examined to figure out what the password is, this way it's easier to remember and harder to crack.

in fact here are some excellent facts

https://www.lifehacker.com.au/2012/08/your-clever-password-tricks-arent-protecting-you-from-todays-hackers/

https://www.csoonline.com/article/3228106/password-security/want-stronger-passwords-understand-these-4-common-password-security-myths.html

https://www.wired.com/2014/08/passwords-microsoft/

while it's impossible for the human brain to remember multiple long strings of random numbers and letters that make up passwords, it isn't hard to remember

mydaughersnameiskellyandiloveherwithallmyheart since it hits close to home with parents.


26 minutes ago, Salv8 (sam) said:

i used to have a password that no joke was this:

hellothisismypassworditsextramlyhardtocracksinceitsaphrasewithoutspacesorcommas

Ever heard of dictionary based attack? It's extremely easy with English, I probably could get away with it because we have so many words that it's impossible to make a dictionary that contains every single Hungarian word....


23 minutes ago, Salv8 (sam) said:

i used to have a password that no joke was this:

hellothisismypassworditsextramlyhardtocracksinceitsaphrasewithoutspacesorcommas

putting that into https://howsecureismypassword.net/ says it would take 5 TRIGINTILLION YEARS to crack it

all i had to do was remember the phrase and i was set, in fact people do this every day without realizing it, quote your fav line from a tv show or movie without looking it up online.

mine is "SHUT UP WESLEY!" from star trek next gen.

in fact, many including LTT (https://www.youtube.com/watch?v=t8SQo3R7qeU) recommend doing this since it's easier to remember than random numbers and letters.

i knew one dude used to have the password supersayiangodsupersayiangoku because for him it was easy to remember since he liked dragon ball

in fact your password will more likely get cracked if it is just a jumble of randomly chosen letters and numbers since it's an algorithm that can be examined to figure out what the password is, this way it's easier to remember and harder to crack.

in fact here are some excellent facts

https://www.lifehacker.com.au/2012/08/your-clever-password-tricks-arent-protecting-you-from-todays-hackers/

https://www.csoonline.com/article/3228106/password-security/want-stronger-passwords-understand-these-4-common-password-security-myths.html

https://www.wired.com/2014/08/passwords-microsoft/

while it's impossible for the human brain to remember multiple long strings of random numbers and letters that make up passwords, it isn't hard to remember

mydaughersnameiskellyandiloveherwithallmyheart since it hits close to home with parents.

That will protect you from random "drive-by" level hacks, but if someone is directly targeting you anything you can easily memorize is a security hole. Social engineering and examining previous passwords exposed from various security breaches will be used to figure out your password scheme. With how often websites are hacked these days personal password schemes are a lot easier for people to figure out if they really want to target someone.
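The two cracking models this exchange is arguing about, as an added Python estimate that is not from any poster: the per-character model behind a "time to crack" site versus the word-level model behind a dictionary attack, run on the passphrases quoted in the posts. The 20-entry word list, the 20,000-word dictionary size and the guess rate are assumptions; the word model also treats the words as chosen independently, so for a grammatical sentence it still overstates strength.

```python
import math

# Constructed mini word list standing in for an attacker's dictionary; the size a
# real list would have is accounted for separately by DICT_SIZE (assumed).
WORDS = {"hello", "this", "is", "my", "password", "its", "extremely", "hard", "to",
         "crack", "since", "a", "phrase", "without", "spaces", "or", "commas",
         "shut", "up", "wesley"}
DICT_SIZE = 20_000          # assumed size of the attacker's word list
CHARSET = 26                # lowercase letters only, matching the posted passphrases
GUESSES_PER_SECOND = 1e11   # assumed offline rate against an unsalted fast hash
MAX_WORD_LEN = 20

# Passphrases quoted in the posts above (the first keeps its original misspelling)
# plus a corrected spelling of the first, to show how a plain dictionary split behaves.
POSTED_PHRASE = "hellothisismypassworditsextramlyhardtocracksinceitsaphrasewithoutspacesorcommas"
CORRECTED_PHRASE = "hellothisismypassworditsextremelyhardtocracksinceitsaphrasewithoutspacesorcommas"
MOVIE_QUOTE = "shutupwesley"


def segment(s: str, words=WORDS):
    """Split a spaceless string into dictionary words, preferring the fewest words.
    Returns None when no split exists, e.g. a misspelling that is not in the list."""
    best = [None] * (len(s) + 1)   # best[i] = fewest-word split of s[:i]
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - MAX_WORD_LEN), i):
            if best[j] is not None and s[j:i] in words:
                cand = best[j] + [s[j:i]]
                if best[i] is None or len(cand) < len(best[i]):
                    best[i] = cand
    return best[len(s)]


def brute_force_bits(s: str) -> float:
    """What a per-character 'time to crack' estimator assumes: every letter is free."""
    return len(s) * math.log2(CHARSET)


def dictionary_bits(s: str):
    """Word-level model: the attacker combines whole words from a dictionary.
    None means the string did not split into dictionary words at all."""
    parts = segment(s)
    return None if parts is None else len(parts) * math.log2(DICT_SIZE)


def years_to_crack(bits: float) -> float:
    """Expected worst-case search time at the assumed guess rate."""
    return 2 ** bits / GUESSES_PER_SECOND / (365 * 24 * 3600)


def compare(s: str) -> dict:
    """Both models side by side as (bits, years); None where the word model does not apply."""
    result = {}
    for name, bits in (("brute_force", brute_force_bits(s)), ("dictionary", dictionary_bits(s))):
        result[name] = (bits, None if bits is None else years_to_crack(bits))
    return result


if __name__ == "__main__":
    for phrase in (MOVIE_QUOTE, POSTED_PHRASE, CORRECTED_PHRASE):
        print(phrase[:24] + "...", segment(phrase), compare(phrase))
```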


I might have to evolve my password security

 

And by that, I mean taking them off any form of tech and onto good old-fashioned pen and paper.

The Workhorse (AMD-powered custom desktop)

CPU: AMD Ryzen 7 3700X | GPU: MSI X Trio GeForce RTX 2070S | RAM: XPG Spectrix D60G 32GB DDR4-3200 | Storage: 512GB XPG SX8200P + 2TB 7200RPM Seagate Barracuda Compute | OS: Microsoft Windows 10 Pro

 

The Portable Workstation (Apple MacBook Pro 16" 2021)

SoC: Apple M1 Max (8+2 core CPU w/ 32-core GPU) | RAM: 32GB unified LPDDR5 | Storage: 1TB PCIe Gen4 SSD | OS: macOS Monterey

 

The Communicator (Apple iPhone 13 Pro)

SoC: Apple A15 Bionic | RAM: 6GB LPDDR4X | Storage: 128GB internal w/ NVMe controller | Display: 6.1" 2532x1170 "Super Retina XDR" OLED with VRR at up to 120Hz | OS: iOS 15.1
