TheWarlock

LastPass failed to provide the security to safeguard a user’s passwords “as advertised”.


16 minutes ago, Curufinwe_wins said:

Of course, encrypting your cold storage is better than not encrypting it, but most encryption methods fall in the 'keep your younger brother from snooping' not in the 'keep someone that actually cares/knows what they are doing from spying'.

Not really, AES 512 is currently completely unbreakable. It doesn't matter who targets you, they can't decrypt that without the password.

19 minutes ago, Curufinwe_wins said:

Since I would also argue targeted attacks (which are the only ones that fall in the second bin) are rare enough to not generally concern yourself about, I do actually think it's generally safe enough (for most people at least) to use physically recorded non-encrypted storage.

I disagree, "most people" are likely to end up losing that storage or leave it unattended. People use their passwords at work and in general outside their home, losing it is a real concern. If it's just a text file, losing it means giving away your passwords to whoever finds it. If it's properly encrypted, that's not a problem.


...is there a question here? 🤔

sudo chmod -R 000 /*

What is scaling and how does it work? Asus PB287Q unboxing! Console alternatives :D Watch Netflix with Kodi on Arch Linux Sharing folders over the internet using SSH Beginner's Guide To LTT (by iamdarkyoshi)

Sauron'stm Product Scores:

Spoiler

Just a list of my personal scores for some products, in no particular order, with brief comments. I just got the idea to do them so they aren't many for now :)

Don't take these as complete reviews or final truths - they are just my personal impressions on products I may or may not have used, summed up in a couple of sentences and a rough score. All scores take into account the unit's price and time of release, heavily so, therefore don't expect absolute performance to be reflected here.

 

-Lenovo Thinkpad X220 - [8/10]

Spoiler

A durable and reliable machine that is relatively lightweight, has all the hardware it needs to never feel sluggish and has a great IPS matte screen. Downsides are mostly due to its age, most notably the screen resolution of 1366x768 and usb 2.0 ports.

 

-Apple Macbook (2015) - [Garbage -/10]

Spoiler

From my perspective, this product has no redeeming factors given its price and the competition. It is underpowered, overpriced, impractical due to its single port and is made redundant even by Apple's own iPad pro line.

 

-OnePlus X - [7/10]

Spoiler

A good phone for the price. It does everything I (and most people) need without being sluggish and has no particularly bad flaws. The lack of recent software updates and relatively barebones feature kit (most notably the lack of 5GHz wifi, biometric sensors and backlight for the capacitive buttons) prevent it from being exceptional.

 

-Microsoft Surface Book 2 - [Garbage - -/10]

Spoiler

Overpriced and rushed, offers nothing notable compared to the competition, doesn't come with an adequate charger despite the premium price. Worse than the Macbook for not even offering the small plus sides of having macOS. Buy a Razer Blade if you want high performance in a (relatively) light package.

 

-Intel Core i7 2600/k - [9/10]

Spoiler

Quite possibly Intel's best product launch ever. It had all the bleeding edge features of the time, it came with a very significant performance improvement over its predecessor and it had a soldered heatspreader, allowing for efficient cooling and great overclocking. Even the "locked" version could be overclocked through the multiplier within (quite reasonable) limits.

 

-Apple iPad Pro - [5/10]

Spoiler

A pretty good product, sunk by its price (plus the extra cost of the physical keyboard and the pencil). Buy it if you don't mind the Apple tax and are looking for a very light office machine with an excellent digitizer. Particularly good for rich students. Bad for cheap tinkerers like myself.

 

 

6 hours ago, TheWarlock said:

Came across this article today on forbes.com and was recently thinking about signing up for LastPass to actually keep track of my passwords because I'm looking to get away from just having Google Chrome remember all of my passwords for obvious reasons, is there anyway to really keep track of your passwords securely?

 

What are these obvious reasons not to use the saved passwords on Chrome? It's stored by Google.


if you want to annoy me, then join my teamspeak server ts.benja.cc

6 hours ago, imreloadin said:

It has to pass through the RAM at some point...

The new Ryzen Pro and Epyc CPUs have encryption built into the chip so even things stored in RAM will be encrypted.

 

https://developer.amd.com/sev/



35 minutes ago, Curufinwe_wins said:

But no, I don't personally store passwords this way, I just think cold local storage (a prime example of security through obscurity in the digital space) is a far better method than most people give credit. Particularly with targeted crime being so relatively low.

Well, this is true, as long as you store it in a safe location. Otherwise it's just like having an unencrypted text document on your hard drive. The moment your system gets broken into your passwords are out - as soon as someone is breaking into your house, your folder is gone too, as long as it is not stored in a good safe.

 

There's a better option though: you can use OTP with U2F sticks or other 2FA solutions. I have my U2F stick around my neck that's paired with my key manager. Every time I unlock my key manager I need both my password and my stick that is also paired with a fingerprint locked Authenticator app that requires my stick to be held against my phone in order for it to generate a valid key to unlock my passwords. Sure, you can just put a gun to my head or be a bit more sophisticated and hack me to get my password and after that you'll have to knock me out to unlock my phone and get a hold of my U2F stick. You can't social engineer your way into this, keyloggers are useless and you can only target me personally.

 

At that point it is ALWAYS just a matter of determination and time until your security is broken. If someone wants to get to you no matter what he or she will.

1 minute ago, The Benjamins said:

The new Ryzen Pro and Epyc CPUs have encryption built into the chip so even things stored in RAM will be encrypted.

This is not how this works ...

25 minutes ago, Sauron said:

Not really, AES 512 is currently completely unbreakable. It doesn't matter who targets you, they can't decrypt that without the password.

I disagree, "most people" are likely to end up losing that storage or leave it unattended. People use their passwords at work and in general outside their home, losing it is a real concern. If it's just a text file, losing it means giving away your passwords to whoever finds it. If it's properly encrypted, that's not a problem.

Which is where PHYSICAL comes into play. AES 512 is still only as secure as the people/password behind it (as social engineering experiments/hack databases routinely point out)

 

And you don't bring it outside your house. It isn't flipping hard. The point I was making from the beginning was that having just a physical storage of your password, in a nominally secured location (even just in a locked house) is far from the worst you can do, and far better than many digital encryption schemes once you account for how stupid most people are at managing their digital records.

12 minutes ago, bowrilla said:

Well, this is true, as long as you store it in a safe location. Otherwise it's just like having an unencrypted text document on your hard drive. The moment your system gets broken into your passwords are out - as soon as someone is breaking into your house, your folder is gone too, as long as it is not stored in a good safe.

 

There's a better option though: you can use OTP with U2F sticks or other 2FA solutions. I have my U2F stick around my neck that's paired with my key manager. Every time I unlock my key manager I need both my password and my stick that is also paired with a fingerprint locked Authenticator app that requires my stick to be held against my phone in order for it to generate a valid key to unlock my passwords. Sure, you can just put a gun to my head or be a bit more sophisticated and hack me to get my password and after that you'll have to knock me out to unlock my phone and get a hold of my U2F stick. You can't social engineer your way into this, keyloggers are useless and you can only target me personally.

 

At that point it is ALWAYS just a matter of determination and time until your security is broken. If someone wants to get to you no matter what he or she will.

Certainly true. While mainly an illustration point, I did make explicit references that merely storing a piece of paper is particularly susceptible to irl targeted attacks (while being quite strong against non-targeted attacks). And yes, those are better solutions without a doubt.


LINK-> Kurald Galain:  The Night Eternal 

Top 5820k, 980ti SLI Build in the World*

CPU: i7-5820k // GPU: SLI MSI 980ti Gaming 6G // Cooling: Full Custom WC //  Mobo: ASUS X99 Sabertooth // Ram: 32GB Crucial Ballistic Sport // Boot SSD: Samsung 850 EVO 500GB

Mass SSD: Crucial M500 960GB  // PSU: EVGA Supernova 850G2 // Case: Fractal Design Define S Windowed // OS: Windows 10 // Mouse: Razer Naga Chroma // Keyboard: Corsair k70 Cherry MX Reds

Headset: Senn RS185 // Monitor: ASUS PG348Q // Devices: Galaxy S9+ - XPS 13 (9343 UHD+) - Samsung Note Tab 7.0 - Lenovo Y580

 

LINK-> Ainulindale: Music of the Ainur 

Prosumer DYI FreeNAS

CPU: Xeon E3-1231v3  // Cooling: Noctua L9x65 //  Mobo: AsRock E3C224D2I // Ram: 16GB Kingston ECC DDR3-1333

HDDs: 4x HGST Deskstar NAS 3TB  // PSU: EVGA 650GQ // Case: Fractal Design Node 304 // OS: FreeNAS

 

 

 


Not sure what it's going to take before people realize that storing anything important on a cloud service is moronic. Just another example of the majority prioritizing laziness above logic.


What does windows 10 and ET have in common?

 

They are both constantly trying to phone home.

19 minutes ago, Curufinwe_wins said:

Which is where PHYSICAL comes into play. AES 512 is still only as secure as the people/password behind it (as social engineering experiments/hack databases routinely point out)

Which is why we encrypt our passwords with it and we remember the master password by heart.

20 minutes ago, Curufinwe_wins said:

And you don't bring it outside your house. It isn't flipping hard.

Again, people need their passwords when they aren't home. Since the only reason to avoid that would be using a plain text file, the solution is to not use a plain text file. Problem completely solved without limiting where you can carry your password database. It isn't flippin' hard.

22 minutes ago, Curufinwe_wins said:

The point I was making from the beginning was that having just a physical storage of your password, in a nominally secured location (even just in a locked house) is far from the worst you can do, and far better than many digital encryption schemes once you account for how stupid most people are at managing their digital records.

User error is just as bad for a piece of paper as it would be for an encrypted db. At least an encrypted db shields you from some of those mistakes. A piece of paper with plain text on it is 0 security, anything you can add to its security makes it better.



38 minutes ago, bowrilla said:

as soon as someone is breaking into your house, your folder is gone too, as long as it is not stored in a good safe.

If someone breaks into my house, they are going to take my TV, computer, tablets, laptops; I doubt they are going to go after a journal or even a random hard drive in a drawer. Also, at that point passwords no longer matter...

24 minutes ago, Sauron said:

Which is why we encrypt our passwords with it and we remember the master password by heart.

Again, people need their passwords when they aren't home. Since the only reason to avoid that would be using a plain text file, the solution is to not use a plain text file. Problem completely solved without limiting where you can carry your password database. It isn't flippin' hard.

User error is just as bad for a piece of paper as it would be for an encrypted db. At least an encrypted db shields you from some of those mistakes. A piece of paper with plain text on it is 0 security, anything you can add to its security makes it better.

See below. No, actually people don't NEED most passwords (the type they don't have memorized anyways) while they are away from home. NEED refers to the inability to function without it. Not, 'this is a mild to moderate inconvenience to me as a person, and reduces my functionality until I get them back'.

 

No, because encrypted files on devices that have connectivity with the rest of the world have many more abusable points of failure than simply having the physical item in one location isolated. Ask literally any company which is more secure, cold offline data storage or hot encrypted storage. The answer is cold offline storage. That's one of the biggest if not THE biggest reasons why tape systems are still in use.

 

The only point of failure in that situation is if a person, looking for the notebook (most burglaries wouldn't even bother looking at a notebook), breaks into your house. At that point, they already have all your personal information (probably before even breaking in) and have done sufficient amounts of study that your user/master passwords would probably be decipherable through social engineering regardless.

 

20 minutes ago, Arika S said:

If someone breaks into my house, they are going to take my TV, computer, tablets, laptops; I doubt they are going to go after a journal or even a random hard drive in a drawer. Also, at that point passwords no longer matter...

Unless of course you are in an exceptionally rare/odd situation where your specific data is the ONLY thing they want, in which case (as mentioned by myself and others above), yes physically writing down passwords is bad. But as you say, and as I have said numerous times here, most people simply aren't interesting/important enough for that to be a serious consideration.

 

 

AGAIN Obviously, with all other factors equal, encryption is better than nothing, but in this case all other factors aren't equal. A piece of paper in a safe (or less obviously in a different obscure and locked location) that also uses a cipher is better than a plain text piece of paper next to your desk.



2 minutes ago, Curufinwe_wins said:

See below. No, actually people don't NEED most passwords (the type they don't have memorized anyways) while they are away from home. NEED refers to the inability to function without it. Not, 'this is a mild to moderate inconvenience to me as a person, and reduces my functionality until I get them back'.

I'm out of my house most of my day, if I ever need to look at a password it's not at home. I don't understand why it's so hard for you to accept that, and why it matters since it is a solved problem if you just use a password manager.

4 minutes ago, Curufinwe_wins said:

No, because encrypted files on devices that have connectivity with the rest of the world have many more abusable points of failure than simply having the physical item in one location isolated.

No. They. Don't. You type your passwords in on your computer, if someone is so completely in control of your computer to get a memory dump without you noticing they can also keylog you, even if you read the password off a piece of paper. If they only have access to your drive's data, an encrypted password database is effectively random noise as far as they're concerned. It doesn't matter if they have it. It only matters if they also have your master password, which requires complete access to your computer in the first place.

10 minutes ago, Curufinwe_wins said:

The only point of failure in that situation is if a person, looking for the notebook (most burglaries wouldn't even bother looking at a notebook), breaks into your house. At that point, they already have all your personal information (probably before even breaking in) and have done sufficient amounts of study that your user/master passwords would probably be decipherable through social engineering regardless.

No less than gaining full access to your computer would have taken them.



8 hours ago, kuddlesworth9419 said:

It's called paper and pencil. It's the most secure way of documenting your passwords as far as I care. If you are storing your passwords on your PC you are doing something wrong.

Security through obscurity is better. Just store everything in a plaintext file that's named nudes or something... wait we don't want people to click on it... um in that case homework will do xD


It seems like RAM is the gateway to a lot of these exploits. Spectre and Meltdown used a RAM exploit, this can store password accessible within RAM. It seems like a very niche exploit but interesting nonetheless.

1 hour ago, The Benjamins said:

what works?

 

just stating that new CPUs have the ability to encrypt ram, so no other process can scan the ram.

 

https://developer.amd.com/sev/

While this is all interesting, there are still two things to note:

 

1) that generated key needs to be stored somewhere. It surely could reside solely in a CPU register but registers can be accessed from Ring 0 or beyond. If you can access other programs' (protected) memory addresses, you're certainly Ring 0 because everything with lower privileges can't access memory directly but has to use OS functions to access its own memory addresses. If you're Ring 0 you have access to (almost) all memory addresses and CPU registers. If the key is there somewhere it's vulnerable. Once you're Ring 0 in theory you can also compromise even higher privileged levels up to UEFI level with the right attack vectors. At that point you can basically only destroy your drive and mainboard – they can potentially never be trusted again. This malware has already been proven.

 

AMD states in their white paper that the AMD Secure Processor is a 32-bit ARM Cortex A5 on the SoC. It has already been proven that a "Co Processor" that "shouldn't be accessible" from the outside can be compromised. If I remember correctly that has been shown and presented at Black Hat conference in 2018 or 2017 (not quite sure though about the date). The white paper also states that the security subsystem uses a NIST SP 800-90 compliant random generator but not precisely which standard iteration. Earlier revisions had severe flaws in their concepts that could be exploited as presented in 2014 by Matthew Green. SME encryption needs to be utilized by the OS by setting the 47th address bit to 1 in the page table. It is possible that as soon as you have Ring 0 access you can just manipulate the system for setting all addresses' 47th bit to 0.

 

2) Even if we assume that the key is securely protected and cannot be accessed (and ignoring the possibility to manipulate the kernel), I still do wonder if SME would provide ANY security at all once you gain Ring 0 access since the OS is always capable of reading and writing memory. If SME will never disclose unencrypted data, a computer would only produce gibberish. At some point data needs to be in the clear. That means once at Ring 0 you can still read data from memory addresses of any program. That means SME will only provide protection against cold boot attacks and other attacks on the physical level but not from the running system itself.


This is no big surprise, of course the Vault is stored in Memory how else is it going to be accessed?

When you key in your Master Password that decrypts the Application data, But the Vault in Memory is still encrypted.

 

I understand what the Article is saying, if you had access to the Master Password and the encrypted data in the RAM you "could" decrypt the Vault.

 

That would require physical access to the machine and the Master Password.

Accessing the machine remotely with Trojan tools is the only alternative.

 

It is still more secure than saving all your passwords into a text file or using Google Chrome to store your passwords.

 


CPU | Intel i7-8086K Overclocked 5.4Ghz @ 1.44v | GPU | EVGA 1080 FTW2 Overclocked 2190Mhz | PSU | Corsair RM850i | RAM | 4x8GB Corsair Vengeance 3200MHz |MOTHERBOARD | Asus ROG Maximus X Formula | STORAGE | 2x Samsung EvO 256GB NVME  | COOLING | Hard Line Custom Loop D5 Pump Monsta 480mm Radiator  | MONITOR | Acer Predator X34 | OS | Windows 10


https://www.zdnet.com/article/critical-vulnerabilities-uncovered-in-popular-password-managers/

 

ZDNet reached out to the companies that were tested and they all gave responses. LastPass claims to have fixed the issue while the other companies all had various explanations that amount to someone having admin-level access to your system is likely able to bypass a lot of security measures. ISE also says that their tests aren't meant to criticize the password managers.

 

For better or worse, password managers are still one of the best ways to handle multiple, truly unique, passwords.


this post was brought to you by KeePass, cause leaving your keys with someone else who isn't you is just plain retarded

Edit: never mind, not the type of breach i was expecting


One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000


my friend CONSTANTLY said i should use lastpass for managing my passwords...

i said no since it's an extremely bad idea to give your password to someone regardless of how it's going to be handled...

i don't even use the chrome password saver (nor the default google one on android), i just remember them, like how everyone should.

i know that it's not a solution for everyone but it's the best way to keep it safe. hell i took memory training courses so i could remember short phrases (basically passwords)

didn't help with my current memory problem (having the world's worst memory) but it's better than forgetting my password and being locked out of my account


*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/yJ2cQV

5U The Waifu (my new in-progress server): https://linustechtips.com/main/topic/1130931-5u-the-waifu-my-new-server/

 

21 minutes ago, Salv8 (sam) said:

my friend CONSTANTLY said i should use lastpass for managing my passwords...

i said no since it's an extremely bad idea to give your password to someone regardless of how it's going to be handled...

i don't even use the chrome password saver (nor the default google one on android), i just remember them, like how everyone should.

i know that it's not a solution for everyone but it's the best way to keep it safe. hell i took memory training courses so i could remember short phrases (basically passwords)

didn't help with my current memory problem (having the world's worst memory) but it's better than forgetting my password and being locked out of my account

No, everyone should not "just remember" passwords. It is quite literally impossible for the human brain to remember multiple long strings of random numbers and letters. If a password is not random, it is not secure. Having non-randomized passwords is a very bad security practice. Anyone that thinks their "unique" non-randomized password scheme is secure would be in for a rude awakening if anyone really wanted to target their accounts.

15 hours ago, WereCatf said:

At least with Keepass there's a very simple solution: simply exit Keepass when you don't actively need it. POOF -- problem gone.

Simply locking KeePass will do the same (or close to it): the derived key is discarded. This is why KeePass can take multiple seconds to unlock depending on your configuration; it needs to perform the entire KDF again.

Quote

When locking the workspace, KeePass closes the database file and only remembers its path.

This provides maximum security: unlocking the workspace is as hard as opening the database file the normal way.

 

15 hours ago, aezakmi said:

Avoid using internet connected password managers.

Use the right tool for the task.

Password managers are designed to securely store passwords while something like an encrypted document would have this as an afterthought. Any solution you derive will not be as rigorously checked as a decent password manager and probably leaves some form of unencrypted data somewhere in the form of temporary files, clipboard data or non-zeroed memory.

3 minutes ago, Derangel said:

No, everyone should not "just remember" passwords. It is quite literally impossible for the human brain to remember multiple long strings of random numbers and letters. If a password is not random, it is not secure. Having non-randomized passwords is a very bad security practice. Anyone that thinks their "unique" non-randomized password scheme is secure would be in for a rude awakening if anyone really wanted to target their accounts.

i used to have a password that no joke was this:

hellothisismypassworditsextramlyhardtocracksinceitsaphrasewithoutspacesorcommas

putting that into https://howsecureismypassword.net/ says it would take 5 TRIGINTILLION YEARS to crack it

all i had to do was remember the phrase and i was set, in fact people do this every day without realizing it, quote your fav line from a tv show or movie without looking it up online.

mine is "SHUT UP WESLEY!" from star trek next gen.

in fact, many including LTT (https://www.youtube.com/watch?v=t8SQo3R7qeU) recommend doing this since it's easier to remember than random numbers and letters.

i knew one dude who used to have the password supersayiangodsupersayiangoku because for him it was easy to remember since he liked dragon ball

in fact your password will more likely get cracked if it is just a jumble of randomly chosen letters and numbers since it's an algorithm that can be examined to figure out what the password is, this way it's easier to remember and harder to crack.

in fact here are some excellent facts

https://www.lifehacker.com.au/2012/08/your-clever-password-tricks-arent-protecting-you-from-todays-hackers/

https://www.csoonline.com/article/3228106/password-security/want-stronger-passwords-understand-these-4-common-password-security-myths.html

https://www.wired.com/2014/08/passwords-microsoft/

while it's impossible for the human brain to remember multiple long strings of random numbers and letters that make up passwords, it isn't hard to remember

mydaughersnameiskellyandiloveherwithallmyheart since it hits close to home with parents.



 
