Password Managers...

Hollywood · Jan 24, 2022

RD Mercer said:
I have some friends that won’t even use online banking, because they are worried about it.

Even if you have no online exposure, there have still been a lot of companies, public utilities, and even government agencies that were hacked or had ransomware attacks. Your bank could be attacked and even if they are "backed up", it could still cause a disruption. Anything is possible and may or not be likely, but the posts in this thread are very helpful for us to assess our own needs.

One thing brought up was that most people are fairly careful with their financial passwords but sometimes not as careful with others. It is just as important to protect your email password as it could be used to reset many passwords.

TairikuOkami · Jan 24, 2022

Hollywood said:
Your bank could be attacked and even if they are "backed up", it could still cause a disruption.

Not to mention that with an online account, the user can quickly check all info and even receive notifications. Without an account, he is oblivious to what is going on and by the time he checks at the bank or receives a written notification, his account can be empty.

Hollywood · Jan 24, 2022

TairikuOkami said:
Not to mention that with an online account, the user can quickly check all info and even receive notifications. Without an account, he is oblivious to what is going on and by the time he checks at the bank or receives a written notification, his account can be empty.

I agree. Online has more advantages then possible fraud. I am fairly careful with my computer but I hope that if there was a widespread vulnerability I would hear about it and maybe it be patched before I was a victim. ....hopefully :)

Winuser · Jan 24, 2022

RD Mercer said:
I have some friends that won’t even use online/phone app banking, because they are worried about it. I use both, because if there’s a withdrawal over $25, or credit card charges over $25.00 my bank shoots me a text immediately. Whereas if you don’t bank online, you have to depend on your bank to call you, or wait till you get your next statement at the end of the month to see if anyone is hacked your account.

I have my credit cards setup the same way.

TheMystic · Jan 25, 2022

Devlin1888 said:
Im no one and im really not that exciting :) Who wants my crap xD

Most people are like that. Yet they still have contributions to make and corporations, hackers and intelligence love it.

TheMystic · Jan 25, 2022

The-Hive said:
I think it is quite easy to get paranoid about security I got a good enough for me system without going overboard

It is also quite easy to call precautions as paranoia, and taking those isn't going overboard. There are ample examples of how corporations have abused the data they have collected with absolute zero respect for people's privacy.

Corporations care only for their profitability and follow certain practices only to comply with law, and not to respect user privacy. A classic example in recent times is Johnson & Johnson. This company was fully aware of the risks that their products carried, yet they continued selling them despite the fact that the target market primarily comprised babies. What kind of an evil company is that?

This isn't the 1st company in history to do that. There is enough documentation on how tobacco companies did a similar thing (they still do) despite their internal documents clearly pointing towards the health risks their products presented. Not everyone who smokes gets cancer. But would you call someone advising against smoking as paranoid? Or those advising against smoking as going overboard?

TheMystic · Jan 25, 2022

markw51 said:
Which banks force you to change passwords? Here in the UK the banks I use certainly don't force me to change passwords, they don't even suggest I change them after a certain period of time!! I guess a password, ID number, memorable phrase and biometric login is good enough for them...

The banks you use or even the entire banking system in the UK is just a fraction of the global banking industry. So it is neither a representative sample nor a benchmark for others to follow. To think that the methods adopted by these banks can be extrapolated to the whole banking industry is another example of a blind assumption.

TheMystic · Jan 25, 2022

Fortitude said:
What changed your mind?

Keepass 2 is perfectly fine for my needs. I don't want to be paranoid. Otherwise I would question whether my browser is spying on me, whether my ISP is listening in, whether the end to end encryption is what it's said to be, whether a hacker at the other end is reading my password etc. etc.

You would be better placed for your own safety if you do than assuming they are all as safe as they claim to be.

Haydon · Jan 25, 2022

Somehow I doubt that a password manager will help with login security and covid

I use it only for the former :)

pparks1 · Jan 25, 2022

I use a password manager, specifically LastPass. I have the family plan and everybody (wife, son, daughter) is using it. I'm quite comfortable with it as they don't actually store my password, but rather they store a hash of the password that requires my email address an my master password to decrypt it and that happens locally on my machine.

Biggest advantage here for me, is that wife and I can have emergency access to either others valuts, so in the event that something happens to either one of us, we have a fighting chance of dealing with shutting down accounts, bills, credit cards, etc....Just one less thing to have to fight when you have lost a spouse.

We let it generate secure passwords for site, so honestly I don't really know what any of my password are anymore And I try to use MFA in as many places as I possibly can.

Quandary · Jan 25, 2022

@pparks1 That is all good, but LastPass or most other password managers have an online account for you in their system. You supply your userid and master password (the same one used for local access) to get into that site. This is one method of getting into your vault.

Any competent online system will have your password stored in encrypted/hashed format that makes them "virtually" impossible to decrypted. There have been reports of incompetent system, even some large organizations, storing passwords in plain text, but I have never heard of a password manager doing this. I am comfortable with my master password being stored on their system.

pparks1 · Jan 25, 2022

Quandary said:
@pparks1 That is all good, but LastPass or most other password managers have an online account for you in their system. You supply your userid and master password (the same one used for local access) to get into that site. This is one method of getting into your vault.

Any competent online system will have your password stored in encrypted/hashed format that makes them "virtually" impossible to decrypted. There have been reports of incompetent system, even some large organizations, storing passwords in plain text, but I have never heard of a password manager doing this. I am comfortable with my master password being stored on their system.

Of course, lastpass has an account for me on their system. Let's say my username is bob@bobross.com. And my password is happylittlebushes^gr3@t. When I setup an account with lastpass.com, I enter in the email that I want to use, and I enter in that password above as my master password. Locally on my computer, the email address, along with the master password are used to generate an authentication hash which is what gets sent to LastPass. So, in my example, my authentication hash might be ( rew8-qr-13refw0a78-32i09r-0fdsa jsakhpiqfhk;jgt42eh98fdsIOd;hf3213#9289redsFui92u4395riadsckdlfjasdfpsdF).

So, a nefarious hacker breaks into the systems at LastPass and they find an account for bob@bobross.com. Bingo, now let's grab his master password and we will know all of his painting secrets. Well, last pass doesn't store his password, the only thing you are going to find is the following hash , rew8-qr-13refw0a78-32i09r-0fdsa jsakhpiqfhk;jgt42eh98fdsIOd;hf3213#9289redsFui92u4395riadsckdlfjasdfpsdF. That hash isn't going to work at the logon prompt.

The only thing that LastPass is storing is encrypted data. They don't have the encryption keys used to encrypt or decrypt your data. Those are only used locally on your computer.

The bigger threat would be somebody hacking into your laptop and installing a key logger or taking over your webcam to record the keystrokes of your email address and your master password. These are the people who may gain access to your vault.

If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

trevo · Jan 25, 2022

LastPass have had a few security incidents over the years...

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

TheMystic · Jan 25, 2022

pparks1 said:
The only thing that LastPass is storing is encrypted data. They don't have the encryption keys used to encrypt or decrypt your data. Those are only used locally on your computer.

If everything is done locally, can you explain how the same master password works on multiple devices?

pparks1 said:
The bigger threat would be somebody hacking into your laptop and installing a key logger or taking over your webcam to record the keystrokes of your email address and your master password. These are the people who may gain access to your vault.

How can the webcam capture keystrokes? During normal use of any laptop, the keyboard is never within the field of view of that camera.

pparks1 said:
If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

That doesn't mean much. It could just be a policy decision.

pparks1 · Jan 25, 2022

TheMystic said:
If everything is done locally, can you explain how the same master password works on multiple devices?

How can the webcam capture keystrokes? During normal use of any laptop, the keyboard is never within the field of view of that camera.

That doesn't mean much. It could just be a policy decision.

Sure, when you visit the website, you are given the page and the method used for hashing your username and your master password is defined. You enter both pieces of information, it runs it through the hashing algorithm and the current answer will be derived. That hash is then sent via SSL to last pass who then verifies your hash against what they have stored for you. If the authentication hashes match, they assume you are who you say you are and they present you the data they have (encrypted) and when it gets to your local machine, with your decryption keys you are able to see it, use it and modify it. When done, it's re-encrypted and then sent back to Last Pass in an ecnrypted state.

Webcam was just a crazy example what people should worry more about. Most webcams won't show the keyboard. But a stand alone webcam on top of a monitor pointed at a strange angle, could.

It's not a policy decision. They could set your password to whatever they wanted. But YOU would have to get lucky enough to pick a username and a master password that hashed corrected to be the exact value they entered for it to work. Good luck.

Quandary · Jan 25, 2022

trevo said:
LastPass have had a few security incidents over the years...

LastPass users warned their master passwords are compromised

Many LastPass users report that their master passwords have been compromised after receiving email warnings that someone tried to use them to log into their accounts from unknown locations.

www.bleepingcomputer.com

That is what was reported, but do you have an explanation on how (not just speculation)? It is not clear from the posting where the point of failure was.

Quandary · Jan 25, 2022

pparks1 said:
Of course, lastpass has an account for me on their system. <snip>

That is exactly what I was saying, just a shorted version. :)

trevo · Jan 25, 2022

Quandary said:
That is what was reported, but do you have an explanation on how (not just speculation)? It is not clear from the posting where the point of failure was.

No I don't, I'm no expert...my point in posting was so that any LastPass users who were unaware of the several security incidents could investigate for themselves.
As I posted earlier, Keepass offline is my password solution.

Winuser · Jan 25, 2022

pparks1 said:
If you want to test the system, have somebody change your lastpass master password to something you don't know. Then call LastPass and beg and plead with them to change your password on your site so that you can get your data back. If you find somebody who can do it, let us know.

I would think that they would tell you that you have to go online and click on the I forgot my password and enter the info asked for. They also might be able to give you a temporary password by asking for your username, email address and if provided, answers to your security questions. I had to go through something like that when my cellular phone account got hacked.

TheMystic · Jan 26, 2022

Winuser said:
I would think that they would tell you that you have to go online and click on the I forgot my password and enter the info asked for. They also might be able to give you a temporary password by asking for your username, email address and if provided, answers to your security questions. I had to go through something like that when my cellular phone account got hacked.

According to what he says and what Lastpass website claims, there is no way to recover the vault if you forget the master password. It doesn't work like how your email works.