OK, thanks.
If I've understood this correctly (unlikely 🙂 ) it's only the MFA for lastpass itself I need to worry about with this incident. So I've been through the process to reactivate the app (generating a new QR code) but I don't think I have to do that for all the other services I use that use MFA. Well I hope not anyway.
Maybe a stupid question, but if the logins (username + password) leaked from LastPass use 2FA e.g. My banking apps, is the risk reduced?
Yes, as long as you didn't have anything relating to the MFAs also stored in LastPass along with the user names and passwords
Immediately switching on MFA for all the apps and websites you use (have stored in LastPass) is probably one of the quickest and easiest ways to reduce any risk. That's the first thing I did after the first breach.
So One Time Passcodes, biometrics (so long as they are applied for all access mechanisms, not just for a single device), authenticator apps. All that stuff.
roverpig
Full Member
OK, thanks.
If I’ve understood this correctly (unlikely 🙂 ) it’s only the MFA for lastpass itself I need to worry about with this incident. So I’ve been through the process to reactivate the app (generating a new QR code) but I don’t think I have to do that for all the other services I use that use MFA. Well I hope not anyway.
I think if you were using the lastpass authenticator app to store them, it'll be all of them (sorry)
edit - and you had "Save accounts to the cloud" enabled
see here
Thanks. No I didn't have "save to cloud" enabled and the only site that used the lastpass app for authentication was lastpass itself, so I think that means I only need to reauthenticate that app. Still seems to be unnecessarily confusing though.
This keeps rumbling along nicely. Serious money in the form of crypto has been going missing. Security researchers believe it is due to the lastpass breach.
https://krebsonsecurity.com/2023/09/experts-fear-crooks-are-cracking-keys-stolen-in-lastpass-breach/
What an utter disaster!
More fool them, would you leave your bank account login on a password manager?
Especially one that had a widely publicised hack however long ago
Awkward, I'm on bitwarden but I have exactly that: bank details written down in the notes section.
There's just so much information to remember, how else do I do it
Personally I think it's safer on a scrap of paper squirrelled away somewhere at home, preferably without the words 'bank details' written on it in big letters.
The chances of being burgled, and then the burglar finding the paperwork, working out it's bank details and working out which bank, are smaller than stuff getting hacked online.
Remember how once upon a time you could remember however many dozen phone numbers?
That.
Password managers are a janky fix with a huge weakness in that if you get the master password you get the keys to the kingdom. If you don't have MFA it's not really secure.
If you don’t have MFA it’s not really secure.
And depending on the MFA and how good a target you appear to be it isn't necessarily secure then either.
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases. Probably. Fingers crossed.
There’s just so much information to remember, how else do I do it
All the inconsequential stuff goes in a manager so login details for here, chain Reaction etc.
Never save card details to websites.
Stuff that could cause serious problems, will be a short list, remember/write down those three or four. eg bank, PayPal, Google/apple Facebook (wouldn't bother me but a lot of people use it or similar for a lot).
squirrelking
Free Member
Remember how once upon a time you could remember however many dozen phone numbers?
That.
Nope it's nothing like that at all.
@Dangeourbrain. Yeah, that's the conclusion I've come to. I'll clean bitwarden up as I write things down on paper
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases.
It's definitely my preferred approach. If for no other reason than if they have compromised your computer you are buggered whether you keep the password file locally or not.
There’s just so much information to remember, how else do I do it
This is why things like biometrics and 2FA are the way forward. I don't have to remember anything to be able to log securely into my bank, just have my phone and be me!!
Honestly don't know why anyone is still using LP at this stage given what's happened 🤷♂️ 😂
Personally I think it’s safer on a scrap of paper squirrelled away somewhere at home, preferably without the words ‘bank details’ written on it in big letters.
The chances of being burgled, and then the burglar finding the paperwork, working out it’s bank details and working out which bank, are smaller than stuff getting hacked online.
We have a firesafe with all bank account stuff in it (and passports etc).
footflaps
We have a firesafe with all bank account stuff in it (and passports etc).
Probably the most sensible solution for storing a crypto seed phrase TBH.
The use case for things like Lastpass is where you need those details readily from wherever in the world you happen to be and on whatever device you are using.
All the inconsequential stuff goes in a manager so login details for here, chain Reaction etc.
Never save card details to websites.
Stuff that could cause serious problems, will be a short list, remember/write down those three or four. eg bank, PayPal, Google/apple Facebook (wouldn’t bother me but a lot of people use it or similar for a lot).
I understand the reasoning, but I think there's a couple of things to consider. Firstly that accounts which you think are inconsequential could provide information to gain access to more sensitive accounts. Secondly is that one of the advantages of password managers is that you can use passwords with high entropy easily. There's no way I'm typing in passwords of the same complexity on a regular basis - which means either a) using less secure passwords, b) checking important accounts less regularly, or most likely c) both.
I'm not saying change what you do, just worth being aware of the downsides.
This is why I try and use PP for everything, I only have to memorise one high entropy password and use 2FA.
Then I let the browser choose random passwords for all the other sites (but it doesn't know PP). If you get my browser password cache, you can't actually spend any money...
There’s no way I’m typing in passwords of the same complexity on a regular basis
How are you accessing whatever manager you use? I assume that's not behind a your email address and date of birth...
How are you accessing whatever manager you use? I assume that’s not behind a your email address and date of birth…
typing in passwords *plural* of the same complexity.
typing in passwords *plural* of the same complexity.
OK, I see the distinction but I'm not sure I see the point. Typing in 1 16 character password twenty times a day isn't significantly worse than 4 five times each is it?
Or is it the recall you're taking issue with? That I can understand becomes commensurately more difficult, but even then a lot of that is repetition and familiarity.
If only it was 4, I can think of over a dozen just for financial things, and there's loads more which are, if anything, more important to keep secure.
If that story is factual - why are the hackers only going after crypto (which I'll never believe is actually real money)? And not normal bank accounts? of which there is no doubt more info stored in LastPass than crypto keys.
It's much harder to trace crypto currency back to an individual and there are fewer controls on transfers. I'd imagine emptying bank accounts on a large scale gets picked up as unusual activity very quickly.
Still using LastPass but I never store bank details there and everything that could be 2fa'd is. I've also changed all the important passwords since the breach. The people who lost crypto appear to have not moved their crypto between wallets once it was clear there had been a breach.
Also much easier to move crypto into, for instance, a sanctioned Russian bank account.
If that story is factual – why are the hackers only going after crypto (which I’ll never believe is actually real money)?
For crypto seed keys it's more fiddly to change the password than it would be for a bank account.
Plus I don't think there are any bank accounts now without 2fa.
I'm surprised anyone thought giving all their passwords to a company to be kept online was a good idea in the first place.
dyna-ti
Full Member
I'm surprised anyone thought giving all their passwords to a company to be kept online was a good idea in the first place.
It is a good idea, which is why Google, Apple, Microsoft and many other companies provide this service.
Otherwise it is next to impossible to use unique secure passwords for each site and service across all of your different devices.
The problem in this case was not the idea, but that the company providing the services had poor security policies in place.
It is a good idea, which is why Google, Apple, Microsoft and many other companies provide this service.
That doesn't make it a good idea. It just makes it one people like to use to try and lock people into their services.
The problem in this case was not the idea, but that the company providing the services had poor security policies in place.
The problem is when you provide this service you are creating a motherlode which all the top notch hackers will go after. They just need to get lucky once.
Storm-0558 being a good example of a compromised machine and then being able to get something from the logs.
Or GCHQ hacking the Belgium telephone system. Allegedly.
dissonance
That doesn't make it a good idea. It just makes it one people like to use to try and lock people into their services.
That's one way of looking at it I guess.
I humbly suggest it's the opposite; it's a good feature, people want it and will dump things that don't support it.
Also not sure how it would be used to lock people in, since the password lists can be exported and imported to different services.
@dissonance true, 2fa isn't perfect but it does make things more secure if you use it properly.
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases. Probably. Fingers crossed.
There's a good argument for that and as long as its properly secured then why not?
Nope it’s nothing like that at all.
@multi21 huh. Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
squirrelking
@multi21 huh. Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
Your example was remembering 12 phone numbers, those each being 4-6 digit numbers.
Whereas even just looking at banking I have at least sites to try and remember. Some are email logins, some are a customer number, some are the account number, on some the memorable number is 5 digits, on others it's 6 but mustn't be the same as the memorable date, some have a digital secure key and others similarly named but must-be-different keys too.
And the other problem is I'm only using a lot of them once a month or every few months to check nothing's awry.
It is very very different to remembering your mates phone number that you call every week.
In fact I have over 500 different passwords in my vault.
Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
My browser is currently remembering 174 passwords for me....
Mine is remembering 526 (well 525 now as one shouldn't have been there), none of which are "useful". Sure, you could piece together quite a lot about me from those sites but mostly it's stuff it would be quicker and easier to pick up from the electoral register and scrape from various social media etc.
In honesty of those 500+ sites I would probably be comfortable with setting them all to "password", except for some reason my login for ratemypotato.com needs to be 16 characters minimum and contain at least one kanji, two Arabic words and a proto-cuneiform numeral, backed up by recovery questions more sensitive than any data I'm ever going to submit to the site.
None of those sites should have anything I'd consider to be a problem if they got compromised.
On top of that I've 3 banking logins, 2 pension ones, Dr's surgery, 3 Google logins, ebay, amazon PayPal and two airlines all of which are either written somewhere and/or I know. Partly it helps that I'm good at remembering junk so the random user name and password for my bank account sticks despite rarely using them these days.
I humbly suggest it’s the opposite; it’s a good feature, people want it and will dump things that don’t support it.
That doesn't make it a good feature security wise*.
It makes it a convenient feature and as anyone who deals with security will say it's always a balancing act between security and convenience.
Anything which involves centralised security is always going to attract the attackers and depending on how good the goods look you will get top notch criminals. Another good recent example is MoveIt. Supposedly very secure document transfer and hence lots of companies use it. Which made it a very good target since once compromised you could search for users and then loot whatever they have and then figure out if it's good or not.
Also not sure how it would be used to lock people in, since the password lists can be exported and imported to different services.
Because people are lazy and many are technically unskilled. So given a choice of sticking with chrome or trying firefox if everything is saved in chrome they will stay there.
*it does get messy between is it better to have that or having people use Password123! but that's separate and goes back to is it better to have local password safes.
My browser is currently remembering 174 passwords for me…
All banking apps? Wow, you have bigger problems...
None of those sites should have anything I’d consider to be a problem if they got compromised.
Maybe have a read around some of the more sophisticated social engineering attacks, especially for impersonating you to third parties/relatives, rather than a direct attack on you.
On top of that I’ve 3 banking logins, 2 pension ones, Dr’s surgery, 3 Google logins, ebay, amazon PayPal and two airlines all of which are either written somewhere and/or I know. Partly it helps that I’m good at remembering junk so the random user name and password for my bank account sticks despite rarely using them these days.
I think I probably have over 50 logins[0] for things which you'd class as too important to store. 40+ character passwords, I'm good at remembering things, but I've got better things to store in my head than 2000 randomly generated characters.
[0] probably a *massive* underestimation
I don’t get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.
Do MFA implementations really allow 2 successful authorisations using the same code just because it's within a short timeframe?
That would seem to purposefully open it up to this sort of attack which is mad.
A key logger should never be able to get you past MFA.
40+ character passwords, I’m good at remembering things, but I’ve got better things to store in my head than 2000 randomly generated characters.
This but I have a terrible memory 🤣
Why the hell are you using 40 character passwords?
What possible utility does that serve?
Maybe have a read around some of the more sophisticated social engineering attacks, especially for impersonating you to third parties/relatives, rather than a direct attack on you.
Absolutely, but none of those that I'm aware of are more likely to be achievable* by knowing I've bought a set of frilly knickers in a size 6'4" bloke from crc directly activity there vs pulling the photo of me in said knickers from John's publicly viewable Facebook account with the tag line "dangeourbrain's new chain reaction panties".
That's the thing, most of that data isn't secure because it's not secret, its all over the Internet if I cared to look because other people besides me have access to and publish it already.
Using the data scraped from a number of sites could you possibly convince my bank you're me but have lost all my passwords? Possibly. (They have policies and training in place to minimise that, but it's possible; people are the weak link in anything regardless of how well trained, they are only human.)
Could you get the same info from publicly available sources that wouldn't require any significant effort, yep. (I appreciate my flippancy may not have been obvious in the previous post, I'm not likely to actually set the passwords to the same and or obvious thing)
If you're not trying it on with the bank but rather a relative - (as an example) my semi estranged FIL living in Algeria with his business-cum-life partner and her two medically dependent children who is desperately in need of £5k cash deposited into said partner's bank account because his accounts have been frozen by the tax man - are you more likely to succeed in doing this by knowing his just eat transactions or by seeing a photo of the blue shirt I bought him as a gift last year?
That's the thing with social engineering attacks, what makes them work is the social bit, it's knowing the weather where I am today or that I'm likely to be hungover nephew's 18th last night and so on.
My life isn't private, not any more or less than anyone else's, I'd love to pretend it was but that horse bolted so long ago it's grandchildren are now due the knackers yard.
Maybe if we all stopped pretending you can bottle the wind we'd actually be a lot more secure because the illusion you can prevent this sort of stuff on your own is genuinely damaging.
*well unless you want to ask the folks at chain reaction if I bought a bike from them last year since my order history is no longer accessible on line.
What possible utility does that serve?
That I'll get at least one green and three yellow boxes on guess one.
Why the hell are you using 40 character passwords?
What possible utility does that serve?
Okay, let's say your passwords are a mere 20 characters. That's still 1000 randomly generated characters to remember.
I'll admit, 40+ is really "because I can", but I'd always want a minimum of 16 for anything, and probably 24+ for a lot of things.
@dangerbrain Not sure to say if username checks out, or can I join your facebook group/onlyfans 😉
Assuming for a minute you're not Sir Richard Moore why? All you're doing is making things *less* secure by reducing your ability to recall those passwords thereby increasing your reliance on services like last pass.
Assuming for a minute you’re not Sir Richard Moore why?
In a funny coincidence, Moore's Law. 8 character passwords used to be considered reasonably secure - they're now crackable in 5 minutes. 16 is really a minimum for good security practice.
All you’re doing is making things *less* secure by reducing your ability to recall those passwords thereby increasing your reliance on services like last pass.
Even in the aftermath of the lastpass breach, no security professionals are recommending that you give up on password managers.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
And the complete opposite of what's considered best practice. Especially the changing them regularly bit.
As for 16 characters, even phrases work for that so as long as your passphrase isn't 'FirstDirectPassword' then it's still going to take an inordinate amount of time to crack. My work password is apparently in the order of 6 trillion years. You can easily remember a phrase or set of words you associate with something.
Eg. Santander - first part of the word is Santa aka St Nick, when you were at uni you knew a guy called Nick who once had a girlfriend called Jenni; 'NickBiffedJenni' or maybe you know more details; 'JenniPeggedNick'.
By making passwords stupidly long, complex and disposable you're having to rely on third parties to keep them secure (if you want to be able to use them outside). What if the next ransom attack is someone getting a database of master passwords (but not their actual passwords) and holding every single person to ransom?
That's where I work from, that and there are plenty of places I don't give a shit about anyone getting into as the most they will learn is my email address (which is already on plenty of spam lists) so yes, I use an easy to remember generic password. Who cares?
Even in the aftermath of the lastpass breach, no security professionals are recommending that you give up on password managers.
They'd also tell you first and foremost to restrict what data is where
50+ sites with sensitive personal data sounds like a *lot* of sites.
Do they really need that data? Do you need them to have that data? Do you need the service they provide?
It could be the answer for all those sites is yes yes yes but if any of them is no removing the data is massively more secure than any password.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
And the complete opposite of what’s considered best practice. Especially the changing them regularly bit.
Weaker, reused passwords are definitely not recommended or good practice.
As for "changing regularly", I didn't say that. But the reason that that practice fell out of favour was because it led to people using terrible passwords.
Kamakazie
Full Member
I don’t get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.
Do MFA implementations really allow 2 successful authorisations using the same code just because it’s within a short timeframe?
That would seem to purposefully open it up to this sort of attack which is mad.
A key logger should never be able to get you past MFA
Yes it would normally work because the algorithm for authenticator apps is based on the time and a seed code. An app/site could log and restrict reuse of the code but it's not a standard part of how it works.
This is one of the reasons I prefer to use sms for my 2fa codes.
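The point above about a captured code being reusable inside its 30-second window is something the verifying side can close. The following is an added example, not code from the thread or from LastPass: a minimal RFC 6238 TOTP implementation in Python (standard library only) with two server-side verifiers, a stateless one that accepts the same code twice, and one that records the highest time step it has already consumed for the account so a replayed code is refused. The secret, times and the `ReplaySafeVerifier` name are assumptions chosen for the example; the secret is the published RFC 6238 test key.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # standard TOTP time step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // STEP_SECONDS, digits)


def naive_verify(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Stateless check: accepts any code for the current step +/- window.
    Nothing stops a code that was already used being accepted again."""
    step = int(at_time) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


class ReplaySafeVerifier:
    """Per-account verifier that remembers the highest time step already
    consumed, so a logged code cannot be replayed inside its window."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_step = -1  # no code accepted yet

    def verify(self, code: str, at_time: int) -> bool:
        step = int(at_time) // STEP_SECONDS
        for d in range(-self.window, self.window + 1):
            candidate = step + d
            if candidate <= self.last_step:
                continue  # this step (or an older one) was already used
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test key, code generated at t=59 and
    # presented twice within the same window at t=60 and t=70.
    secret = b"12345678901234567890"
    code = totp(secret, 59)
    print("code at t=59:", code)
    print("naive: first", naive_verify(secret, code, 60),
          "second", naive_verify(secret, code, 70))
    v = ReplaySafeVerifier(secret)
    print("replay-safe: first", v.verify(code, 60), "second", v.verify(code, 70))
```

The state has to live per account on the server (a column on the user record or a short-lived cache entry), which is the part a stateless "compare against the current step" check leaves out.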
This is one of the reasons I prefer to use sms for my 2fa codes.
Not sure that would really help - I think a bunch of the sms implementations are based on the same logic - they just send you the code rather than it being calculated on your local device. Still a time window of validity.
Hardware keys are really the way forward, but limited support for them currently.
Aidy
Not sure that would really help – I think a bunch of the sms implementations are based on the same logic – they just send you the code rather than it being calculated on your local device. Still a time window of validity.
Hardware keys are really the way forward, but limited support for them currently
ah yes that's true, it does however protect you from have the seeds leaked as part of your vault
This is one of the reasons I prefer to use sms for my 2fa codes.
Hopefully you aren't a good target since sms, or rather the phone companies' ability to not hand over your number to someone else, is notoriously bad.
If someone has keylogged your computer you are screwed since at that level of compromise there is plenty of other options available assuming you are interesting enough to target personally.
As for “changing regularly”, I didn’t say that.
What did you mean by "easily rotated" then?
As for your other points, an overly complex password you can't easily remember is as useful as one written on a bit of paper. I never said it should be weak or used for multiple applications (unless said applications are inconsequential) but 40 characters is way beyond reasonable and just complexity for complexity's sake.
I never said it should be weak or used for multiple applications
Not sure what you meant by "the complete opposite" of "complex" and "non-reused" then.
What did you mean by “easily rotated” then?
... that they can be easily rotated? Easily isn't the same as regularly. I'm not suggesting you're one of them, but there's certainly a *massive* group of people who never change passwords because of the effort involved in devising and remembering a new one, even when they've been recommended to because of data breaches.
40 characters is way beyond reasonable
Sounds ideal, who wants a password that will be reasonable to crack?
Yeah. That's sort of how I got there. As soon as you get to the point where you can't remember all the passwords you need for a reasonable degree of security, why *wouldn't* you have overkill passwords?
Because 18 digits gives you a 6 trillion year cracking time and can be made of three easy to remember words.
Your approach gives you a 300 quindecillion year cracking time (assuming only upper and lower case characters). Great, how is that practically any better than 6 trillion years?
How much easier is it to remember a 3 word passphrase than 6-7 words?
Why do you think a password safe with a single point vulnerability is better than just making it simple to remember but still more than adequately secure?
Fling a random special or numeric character in there and you're sorted.
Cracking time source:
https://www.security.org/how-secure-is-my-password/
I should probably reiterate that I'm not against password managers per-se but I've never come across one that wasn't compromised in some way by either being non-portable or relied on an online database that the user has no control over. My policy was to keep my most critical passwords out of them but then what's left? A few forums and e-commerce sites that hold, at most, my address (I try not to leave open card details that can be used to make purchases by anyone other than me). Well forums are going to tell someone very little if anything so that's not a worry leaving the e-commerce as a plausible if unlikely vector if they can guess how PayPal was funded for a given transaction.
As soon as something better comes along believe me, I'm all for it, I just can't see what that would look like in order to get round all the drawbacks of password managers.
@squirrelking The references used on your reference website are all from 2020 before AI really got going. You may want to have a look at some more recent stuff where the recommendation is now for 18 characters or more. ChatGPT and its friends can crack certain 16-character passwords quite quickly. See table here. Edit: If AI can crack things quickly, those with access to more computing power can find things trivially easy.
The next big thing is passkeys which I'm struggling to get my head around but appears safer than using SMS 2FA.
Recommendation if you're using pass phrases is now 5 words (up from 4 - don't think it was ever 3), and that's only for randomly selected words. Things which are conceivably sentences or meaningful have significantly less entropy.
ChatGPT and its friends can crack certain 16-character passwords quite quickly. See table here. Edit: If AI can crack things quickly, those with access to more computing power can find things trivially easy.
Well a specific bespoke password cracking engine rather than generic LLM. They don't detail what hashing scheme they used when hashing their plaintext passwords, so it could have been quite a low bar (eg MD5sum) rather than something much tougher like Salting with BCrypt which would have taken a lot more effort and a lot longer to crack.
Because 18 digits gives you a 6 trillion year cracking time and can be made of three easy to remember words.
So, the thing is that'll be for a random 18 characters. Words are more predictable for the same string length, and therefore more crackable.
Google reckons most people have a vocabulary of 20k to 35k words. Let's be generous and allow a 40k vocabulary from which you're selecting words (that's pretty generous, given as there will be a lot of words in that list that won't be good candidates). Add your random character, and you're looking at an entropy of about 46 bits.
That's about the same as a 7 character password made up truly randomly. Which is crackable today in 4 seconds.
Now, given as you're doing phrases, and not truly random words, and realistically you're picking from a smaller list, that's significantly less than 46 bits of entropy.
That’s about the same as a 7 character password made up truly randomly. Which is crackable today in 4 seconds.
All depends how it's hashed - no salting, MD5sum, very quick. Salted with a decent hash, still going to take some considerable effort as the salting means you can't use hashing tables.
Plus number of rounds, of salting and re-hashing....
Yes, fair point.
Your approach gives you a 300 quindecillion year cracking time
... today. Do we suppose that computing power is going to go down or up over time?
The fundamental problem is that passwords are a shit solution. You can slice up best practices how you like, but best practice is "something else."
So, the thing is that’ll be for a random 18 characters. Words are more predictable for the same string length, and therefore more crackable.
And I'll just stop you there.
That was three words, unrelated and not really connected unless you're some sort of savant.
Still 6 trillion years.
@cougar yes, today. And I totally agree, passwords and by extension clunky mother****ers that need a stupid manager to administer are a shit solution. I'm still waiting on something better. But in the meantime the best you can do is control who has your data as per always.
I used to use some local program to encrypt a USB key with all my passwords until the author decided to just quit one day and not leave a version up that could still encrypt. Now I have to rely on Last pass? Nah, I'll just keep the least commonly used stuff in the safe and memorise the rest.
Well, we have plenty of "something better" already, it's just that there's pushback.
Microsoft Hello for Windows logins for instance. It sounds counterintuitive but it ties a PIN or biometrics to a physical device. A breach is of no use to anyone unless they lob a brick through your window and piss off with your laptop after bolt-cropping your index finger off.
I used to use some local program to encrypt a USB key with all my passwords until the author decided to just quit one day and not leave a version up that could still encrypt.
TrueCrypt?
And I’ll just stop you there.
That was three words, unrelated and not really connected unless you’re some sort of savant.
Still 6 trillion years.
That's not how it works. In passwords, as for other things, length isn't everything.
40,000^3 is much, much less than 94^18.
And obviously, a really lucky algorithm will get your password in one go 😉
But "Password1!" meets all the complexity requirements!
To take it to an extreme, let's assume I have a one word, 18 character password. That's an obviously smaller set of possible passwords I have to check against than every possible permutation of every valid character.
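The entropy arithmetic behind the "about 46 bits" estimate and the 40,000^3 versus 94^18 comparison earlier in the thread can be carried through as an added example (mine, not from the thread or security.org's checker) in Python. It generalises the posters' two cases to any scheme of "pick N items from a pool of size P": the 40,000-word vocabulary, the 94 printable ASCII characters, the 7,776-word diceware list and the guess rate of 10^10 per second are assumptions chosen for illustration, and the crack-time figures it prints depend entirely on that assumed rate and on the hash in use.

```python
import math

PRINTABLE_ASCII = 94  # symbols available to a "random" password generator
DICEWARE_LIST = 7776  # size of the standard diceware word list


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from a pool.
    Only valid for uniformly random selection; phrases with meaning score lower."""
    return picks * math.log2(pool_size)


def equivalent_random_chars(bits: float, alphabet: int = PRINTABLE_ASCII) -> float:
    """How many uniformly random characters carry the same entropy."""
    return bits / math.log2(alphabet)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2 ** bits) / 2 / guesses_per_second


def compare_schemes(guesses_per_second: float = 1e10) -> dict[str, tuple[float, float]]:
    """Entropy and expected crack time for the schemes argued about above."""
    schemes = {
        "3 random words, 40k vocabulary": entropy_bits(40_000, 3),
        "3 random words, 40k, plus 1 random char":
            entropy_bits(40_000, 3) + entropy_bits(PRINTABLE_ASCII, 1),
        "7 random printable chars": entropy_bits(PRINTABLE_ASCII, 7),
        "5 random diceware words": entropy_bits(DICEWARE_LIST, 5),
        "18 random printable chars": entropy_bits(PRINTABLE_ASCII, 18),
    }
    return {name: (bits, expected_crack_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


def space_ratio(pool_a: int, picks_a: int, pool_b: int, picks_b: int) -> float:
    """How many times larger the first search space is than the second."""
    return pool_a ** picks_a / pool_b ** picks_b


if __name__ == "__main__":
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name:42s} {bits:6.1f} bits  ~{secs / 3.15e7:.3g} years at 1e10/s")
    print("94^18 / 40000^3 =", f"{space_ratio(94, 18, 40_000, 3):.3g}")
```

Three uniformly random words from a 40,000-word list come out at about 45.9 bits, the same as 7 random printable characters, which is the comparison made above; 18 random printable characters are about 118 bits, and the gap between the two is a factor of roughly 2^72, not a matter of string length.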