Microsoft Edge vulnerability could let people hijack your Twitter (or any other) account

Nowak
12 minutes ago, Blade of Grass said:

What's the alternative to using a password manager? How do you suggest making, and remembering, all the unique cryptographically secure passwords for each site that you use?

Type random caps, lower case, numbers, and punctuation until it's long enough, and keep a list of them in an encrypted document

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.


1 hour ago, Ryan_Vickers said:

Type random caps, lower case, numbers, and punctuation until it's long enough, and keep a list of them in an encrypted document

How do you handle scaling to multiple devices? Mobile? Then how do you deal with versioning? 

15" MBP TB

AMD 5800X | Gigabyte Aorus Master | EVGA 2060 KO Ultra | Define 7 || Blade Server: Intel 3570k | GD65 | Corsair C70 | 13TB


2 hours ago, Blade of Grass said:

What's the alternative to using a password manager? How do you suggest making, and remembering, all the unique cryptographically secure passwords for each site that you use?

1 hour ago, Ryan_Vickers said:

Type random caps, lower case, numbers, and punctuation until it's long enough, and keep a list of them in an encrypted document

 

^^ This is exactly what I do. My passwords are made using a password generator, creating ones 10-50 characters long. I keep them in a certificate-encrypted document with a [undisclosed]-character-long password that I can remember. I keep that document under close guard (for the reason that some of those passwords are for things that can land me in trouble if they are compromised); basically it stays on my at all times. I have like 3 double-columned pages of passwords to keep track of, so this helps me a lot.

That is my alternative. :D 

 

24 minutes ago, Blade of Grass said:

How do you handle scaling to multiple devices? Mobile? Then how do you deal with versioning? 

I use a Windows Mobile phone so scaling is not an issue for me. In mobile Word the document will scale the column to page width and run the document long when scrolling so I just find what I want and select, copy and paste. Fairly simple.

COMMUNITY STANDARDS   |   TECH NEWS POSTING GUIDELINES   |   FORUM STAFF

LTT Folding Users Tips, Tricks and FAQ   |   F@H & BOINC Badge Request   |   F@H Contribution    My Rig   |   Project Steamroller

I am a Moderator, but I am fallible. Discuss or debate with me as you will but please do not argue with me as that will get us nowhere.

Character is like a Tree and Reputation like its Shadow. The Shadow is what we think of it; The Tree is the Real thing.  ~ Abraham Lincoln

Reputation is a Lifetime to create but seconds to destroy.

You have enemies? Good. That means you've stood up for something, sometime in your life.  ~ Winston Churchill

Docendo discimus - "to teach is to learn"


43 minutes ago, Blade of Grass said:

How do you handle scaling to multiple devices? Mobile? Then how do you deal with versioning? 

I don't understand the purpose of versioning in this case

Multiple devices (so long as they are PCs) is no issue. Mobile is quite a pain but the key is to not need to log in to too many things xD


 

Quote

I use a Windows Mobile phone so scaling is not an issue for me. In mobile Word the document will scale the column to page width and run the document long when scrolling so I just find what I want and select, copy and paste. Fairly simple.

What do you use to decrypt the document on your windows phone?

 

So you trust the software that you use to encrypt/decrypt the encrypted file, but you don't trust a password manager, which is almost essentially the same, but with a dedicated UI and some sort of CSV/DB backing it instead? 

I'm not sure I get the logic behind this, there's even open-source password managers out there if your issue is in the software being closed source. 

53 minutes ago, Ryan_Vickers said:

I don't understand the purpose of versioning in this case

Multiple devices (so long as they are PCs) is no issue. Mobile is quite a pain but the key is to not need to log in to too many things xD

I guess it's dependent on how you sync/access across devices, versioning could be a complete non-issue depending on your work flow. 

 

Many people (including myself) need to be able to access a number of things on the go—critical things like banking/investing, AWS, etc—not being able to access my accounts is just not an option. There's also just things of convenience like social media which is nice to be able to access. 


3 minutes ago, Blade of Grass said:

I guess it's dependent on how you sync/access across devices, versioning could be a complete non-issue depending on your work flow. 

 

Many people (including myself) need to be able to access a number of things on the go—critical things like banking/investing, AWS, etc—not being able to access my accounts is just not an option. There's also just things of convenience like social media which is nice to be able to access. 

Certain things are too important to trust to anything, password manager or not. Even if my document was stolen and decrypted my bank would not be accessible.  In fact, I would never do banking on a mobile device in general.


1 hour ago, Blade of Grass said:

So you trust the software that you use to encrypt/decrypt the encrypted file, but you don't trust a password manager, which is almost essentially the same, but with a dedicated UI and some sort of CSV backing it instead? 

I'm not sure I get the logic behind this, there's even open-source password managers out there if your issue is in the software being closed source. 

I guess it's dependent on how you sync/access across devices, versioning could be a complete non-issue depending on your work flow. 

 

Many people (including myself) need to be able to access a number of things on the go—critical things like banking/investing, AWS, etc—not being able to access my accounts is just not an option. There's also just things of convenience like social media which is nice to be able to access. 

Not really trust so much as I use what I have.

I was using the phone as an example for the scaling. I don't normally use my mobile to bank unless it is an immediate need.

As for the document, I keep it on an encrypted drive with other files I have/use. I access it when I need it, then I just copy and paste my password to the login. It's not a streamlined process but it works for me because I desire that level of control. Using a password manager takes away some of that control.

58 minutes ago, Ryan_Vickers said:

Certain things are too important to trust to anything, password manager or not. Even if my document was stolen and decrypted my bank would not be accessible.  In fact, I would never do banking on a mobile device in general.

Absolutely agree.

I had my tablet stolen about a year ago, which is where I used to keep the document, because of the fact I kept it the way it was I had time to change everything. I don't imagine the document was ever cracked but I am glad of the precautions I took.


14 hours ago, Ryan_Vickers said:

Certain things are too important to trust to anything, password manager or not. Even if my document was stolen and decrypted my bank would not be accessible.  In fact, I would never do banking on a mobile device in general.

Sometimes that's not a possibility :P sometimes you have an immediate need to access banking (move money, pay someone, pay something) 

13 hours ago, SansVarnic said:

Not really trust so much as I use what I have.

But how is it any different from using a password manager, besides being less convenient? 

Quote

Using a password manager takes away some of that control.

How so?

 


19 hours ago, Ryan_Vickers said:

Type random caps, lower case, numbers, and punctuation until it's long enough, and keep a list of them in an encrypted document

But that's what a password manager (at least Keepass2) is.

It's just that it has a proper GUI and database structure for it, plus additional security features.

 

 

I really don't see why you would use something like a password protected Word document for your passwords when a proper password manager is more secure and convenient.


  • 1 month later...
On 4/29/2017 at 2:11 PM, LAwLz said:

But that's what a password manager (at least Keepass2) is.

It's just that it has a proper GUI and database structure for it, plus additional security features.

 

 

I really don't see why you would use something like a password protected Word document for your passwords when a proper password manager is more secure and convenient.

Convenient? Certainly. But more secure? I don't think so... there have been enough stories of flaws and leaks from password managers for me to steer clear of them.


8 minutes ago, Ryan_Vickers said:

Convenient? Certainly. But more secure? I don't think so... there have been enough stories of flaws and leaks from password managers for me to steer clear of them.

Nothing beats passwords on paper stored inside a deceased 20GB HDD.

"We also blind small animals with cosmetics.
We do not sell cosmetics. We just blind animals."

 

"Please don't mistake us for Equifax. Those fuckers are evil"

 

This PSA brought to you by Equifacks.
PMSL


Just now, Dabombinable said:

Nothing beats passwords on paper stored inside a deceased 20GB HDD.

For security I suppose, true, especially if the platters are smashed xD 


On 26/04/2017 at 7:25 AM, Marshall212 said:

... and that kids is why I use chrome :)

You could probably do this in Chrome; nothing stops a website loading an iframe and then using JavaScript to post a tweet, assuming you were logged in.

I haven't tested this but it seems doable.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


Just now, Ryan_Vickers said:

For security I suppose, true, especially if the platters are smashed xD 

I haven't completed the project yet (lost the locking tool for my grinder), but I intend to have it so that the cover is held in place using magnets from the drive (which are strong AF), and the screws ground down until they don't hold the lid, but still look like they are and have never been removed. Getting them to feel like a HDD when picked up will be the problem though.


37 minutes ago, Dabombinable said:

I haven't completed the project yet (lost the locking tool for my grinder),

You don't need one, wear a pair of gloves and unscrew the disc like you are opening a jar of jam.  I haven't used a grinder tool in decades.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


52 minutes ago, Ryan_Vickers said:

Convenient? Certainly. But more secure? I don't think so... there have been enough stories of flaws and leaks from password managers for me to steer clear of them.

It's more secure because with a password manager you can have very complex passwords and a unique one for each website.

Also, I specifically said Keepass2 because it has not had any vulnerability exploited, and the general structure of it is far more safe than for example Lastpass.


Just now, LAwLz said:

It's more secure because with a password manager you can have very complex passwords and a unique one for each website.

How is doing that unique to a password manager?  I do that now by hand.

Just now, LAwLz said:

Also, I specifically said Keepass2 because it has not had any vulnerability exploited, and the general structure of it is far more safe than for example Lastpass.

Well that's good


45 minutes ago, Ryan_Vickers said:

How is doing that unique to a password manager?  I do that now by hand.

How do you do it by hand? By writing it down on a piece of paper?


Just now, LAwLz said:

How do you do it by hand? By writing it down on a piece of paper?

I make up a very long password with random lower case, upper case, numbers, and symbols and store it in an encrypted file


36 minutes ago, Ryan_Vickers said:

I make up a very long password with random lower case, upper case, numbers, and symbols and store it in an encrypted file

Congratulations, you're doing basically what Keepass2 does, except it uses a proper database structure and a wide variety of security features such as:

  • DPAPI (passwords are encrypted and read protected in-memory in Windows)
  • Possibly better crypto than whichever programs you use (both in terms of the crypto used, as well as for example anti-bruteforce protection)
  • Automatic locking of the database after a period of inactivity, or when you lock your user account, or other such things.
  • Automatically clear the clipboard after a certain amount of time.
  • Passwords are not shown in clear text by default, so if someone is looking over your shoulder, or if someone sees your screen in some other way they will not see your password.
  • The master password window can be (if enabled in the options) created in a new, secure and sandboxed, desktop process (the same way the UAC prompt is created).
  • and many more things.

What's important to remember is that Keepass is just a local database and a program to interpret it. It's not like LastPass where you save all your passwords in the cloud and then use a login to their site to fetch the database, which then gets parsed by some plugin that interacts with the website you're on.

 

Keepass is basically what you're already doing, with an encrypted file on your desktop and (probably) clear text passwords saved in that, but on steroids and a nice user interface.

It's a great program and I highly recommend you check it out. I think you will like it.

 

Download link.

Download the "Professional Edition". They made some very big changes when they moved from 1.X to 2.X, so they split it into two separate versions. 2.X aka Professional Edition is the new version which has a lot of benefits over 1.X, but they are not compatible with each other.


21 minutes ago, LAwLz said:

Congratulations, you're doing basically what Keepass2 does, except it uses a proper database structure and a wide variety of security features such as:

  • DPAPI (passwords are encrypted and read protected in-memory in Windows)
  • Possibly better crypto than whichever programs you use (both in terms of the crypto used, as well as for example anti-bruteforce protection)
  • Automatic locking of the database after a period of inactivity, or when you lock your user account, or other such things.
  • Automatically clear the clipboard after a certain amount of time.
  • Passwords are not shown in clear text by default, so if someone is looking over your shoulder, or if someone sees your screen in some other way they will not see your password.
  • The master password window can be (if enabled in the options) created in a new, secure and sandboxed, desktop process (the same way the UAC prompt is created).
  • and many more things.

What's important to remember is that Keepass is just a local database and a program to interpret it. It's not like LastPass where you save all your passwords in the cloud and then use a login to their site to fetch the database, which then gets parsed by some plugin that interacts with the website you're on.

 

Keepass is basically what you're already doing, with an encrypted file on your desktop and (probably) clear text passwords saved in that, but on steroids and a nice user interface.

It's a great program and I highly recommend you check it out. I think you will like it.

 

Download link.

Download the "Professional Edition". They made some very big changes when they moved from 1.X to 2.X, so they split it into two separate versions. 2.X aka Professional Edition is the new version which has a lot of benefits over 1.X, but they are not compatible with each other.

That sounds like a good system, but I would specifically say "Keepass2" then when you're talking about how good "password managers" are, since some, if not many, of them are not.


I use 2 factor on pretty much everything of value.  You can have my passwords, they only get you halfway there.

Workstation:  13700k @ 5.5Ghz || Gigabyte Z790 Ultra || MSI Gaming Trio 4090 Shunt || TeamGroup DDR5-7800 @ 7000 || Corsair AX1500i@240V || whole-house loop.

LANRig/GuestGamingBox: 9900nonK || Gigabyte Z390 Master || ASUS TUF 3090 650W shunt || Corsair SF600 || CPU+GPU watercooled 280 rad pull only || whole-house loop.

Server Router (Untangle): 13600k @ Stock || ASRock Z690 ITX || All 10Gbe || 2x8GB 3200 || PicoPSU 150W 24pin + AX1200i on CPU|| whole-house loop

Server Compute/Storage: 10850K @ 5.1Ghz || Gigabyte Z490 Ultra || EVGA FTW3 3090 1000W || LSI 9280i-24 port || 4TB Samsung 860 Evo, 5x10TB Seagate Enterprise Raid 6, 4x8TB Seagate Archive Backup ||  whole-house loop.

Laptop: HP Elitebook 840 G8 (Intel 1185G7) + 3080Ti Thunderbolt Dock, Razer Blade Stealth 13" 2017 (Intel 8550U)


1 minute ago, AnonymousGuy said:

I use 2 factor on pretty much everything of value.  You can have my passwords, they only get you halfway there.

That's like saying there's no need to design things to be safe because you wear a hardhat and gloves.  It's all about layers


3 hours ago, LAwLz said:

It's more secure because with a password manager you can have very complex passwords and a unique one for each website.

Also, I specifically said Keepass2 because it has not had any vulnerability exploited, and the general structure of it is far more safe than for example Lastpass.

I'd switch to Enpass, but I have yet to get it working in Vivaldi. Although, that was a while ago.

