Troy Hunt: Password reuse, credential stuffing and another billion records in Have I been pwned
55 replies
Always give your email address its own password; my old old email has been pwned 4 times over, which explains why I got locked out.
[QUOTE=StrawberryClock;52197240]Most people here should consider starting to use a password manager. I had about 150 accounts floating around online most of which used the same 4-5 passwords and usernames. Over a couple of weeks I changed every single one of them to have a unique password with the help of lastpass.[/QUOTE] LastPass makes life so much easier. [IMG]http://i.imgur.com/xgK1oXS.png[/IMG] :ok:
I once lost $400 because of the shit LastPass put into my trading interface UI. So fuck that.
[QUOTE=Fourier;52201128]I once lost $400 because of the shit LastPass put into my trading interface UI. So fuck that.[/QUOTE] What? [editline]8th May 2017[/editline] Like, stock trading?
[QUOTE=StrawberryClock;52197240][...] lastpass.[/QUOTE] [QUOTE=Kinversulath;52198946][...] Lastpass. [...][/QUOTE] [QUOTE=Axznma;52201008]LastPass [...][/QUOTE]
Just a heads-up: [URL="https://www.heise.de/security/meldung/Lastpass-schliesst-weitere-Sicherheitsluecken-3662883.html"]LastPass does not have a good security track record[/URL][URL="https://archive.is/KlRMn"].[/URL] (Use [URL="www.bing.com/translator/"]Bing Translator[/URL] for a likely decent translation, once it comes back.)

[QUOTE=The Dovahneer;52199205]I use unique passwords but store them in a plaintext obscure text document in a random folder while keeping a flash drive backup. Am I at risk?[/QUOTE]
That's both unnecessarily insecure and inconvenient :v: An offline password manager like KeePass (2) makes it a lot easier to handle this data and also encrypts it.

[editline]edit[/editline] It's probably still safer than what most people do, though. If you don't mind typing passwords manually, consider just using a paper list. That's pretty much unhackable.
[QUOTE=Tamschi;52201775]Just a heads-up: [URL="https://www.heise.de/security/meldung/Lastpass-schliesst-weitere-Sicherheitsluecken-3662883.html"]LastPass does not have a good security track record[/URL][URL="https://archive.is/KlRMn"].[/URL] (Use [URL="www.bing.com/translator/"]Bing Translator[/URL] for a likely decent translation, once it comes back.) That's both unnecessarily insecure and inconvenient :v: An offline password manager like KeePass (2) makes it a lot easier to handle this data and also encrypts it. [/QUOTE] LastPass seems the most convenient of the lot though, unless I'm missing something. An app version to sync between devices is [b]critical[/b] these days. What sort of compromise is there for something like KeePass in that regard? Genuinely asking since I've been putting off getting a password manager for now. A comment in a password manager overview article (linked in the article of the OP) recommends RoboForm. Thoughts anyone?
[QUOTE=NGC;52202058]LastPass seems the most convenient of the lot though, unless I'm missing something. An app version to sync between devices is [b]critical[/b] these days. What sort of compromise is there for something like KeePass in that regard? Genuinely asking since I've been putting off getting a password manager for now. A comment in a password manager overview article (linked in the article of the OP) recommends RoboForm. Thoughts anyone?[/QUOTE]
KeePass has a sync function, but it's offline-ish. If you copy your database file, you can sync subsequent changes between the copies manually. It's probably possible to script that, but it's more complicated than with other solutions for sure. You can also synchronise the file e.g. using [URL="https://syncthing.net/"]Syncthing[/URL], but that can still cause a conflict (which can be manually resolved using the database sync I mentioned, though with Syncthing I think not from a single end).

For auto-filling, [URL="http://keefox.org/"]KeeFox[/URL] works pretty well with some configuration. You should probably set it to only do that after confirmation though. For Chrome there's [URL="https://chrome.google.com/webstore/detail/chromeipass/ompiailgknfdndiefoaoiligalphfdae"]chromeIPass[/URL], but I haven't tried that.

KeePass has fairly good semi-automatic form filling support too, especially if you install [URL="https://addons.mozilla.org/de/firefox/addon/url-in-title/?src=search"]an[/URL] [URL="https://chrome.google.com/webstore/detail/url-in-title/ignpacbgnbnkaiooknalneoeladjnfgb"]addon[/URL] that adds the URL to the browser window title. This is mapped to Ctrl+Alt+A by default if enabled, I think. If you press Ctrl+V while you have a login selected, the program will type {USERNAME}{TAB}{PASSWORD}{ENTER}, but you can change this globally and/or per entry. You might want to remove the {ENTER} to make it not auto-submit, for example.

This should be safer than browser integration because there's an 'air gap' that can only be crossed in one direction, but ideally set KeePass to only match the URLs if you use this. I prefer using it offline, but at least in theory this system covers most applications. It's definitely a lot less convenient than most/all password-manager-as-a-service solutions though, if you only want to use it online. Personally I don't trust anything that's a website to handle my passwords at all.
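The post above describes the auto-type flow: an addon puts the page URL in the window title, the manager picks the entry whose URL matches, and types a sequence like {USERNAME}{TAB}{PASSWORD}{ENTER}. The block below is an added example that models that flow in Python; it is not KeePass's code, and the entries, window titles and the "URL in title" format are constructed. The point it makes is the "only match the URLs" caveat: the decision to type must compare the parsed host of the URL in the title with the entry's host, because a substring match on the title would also fire on a phishing page whose URL merely mentions the real site.

```python
"""Simplified model of KeePass-style auto-type with URL matching.

Added example, not KeePass's own code. Entries and titles are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed sample entries (not real credentials).
ENTRIES = [
    {"title": "Example Bank", "url": "https://login.bank.example/",
     "username": "alice", "password": "correct horse battery staple",
     "sequence": "{USERNAME}{TAB}{PASSWORD}{ENTER}"},
    {"title": "Forum", "url": "https://forum.example.org/login",
     "username": "alice42", "password": "w/\\J`u'W6",
     "sequence": "{USERNAME}{TAB}{PASSWORD}"},   # no {ENTER}: don't auto-submit
]

URL_IN_TITLE = re.compile(r"(https?://\S+)")
PLACEHOLDER = re.compile(r"\{([A-Z]+)\}")


def url_from_title(title):
    """Pull the URL that a 'URL in title' addon appended to the window title."""
    m = URL_IN_TITLE.search(title)
    return m.group(1) if m else None


def host_matches(entry_url, page_url):
    """Compare parsed hosts, not substrings of the title.

    A naive "bank.example in title" test also fires on
    https://evil.example/?next=login.bank.example, so parse both URLs and
    insist on HTTPS and an identical hostname.
    """
    e, p = urlsplit(entry_url), urlsplit(page_url)
    return p.scheme == "https" and p.hostname is not None and p.hostname == e.hostname


def select_entry(window_title, entries=ENTRIES):
    """Return the single entry for this window, or None (never guess)."""
    page_url = url_from_title(window_title)
    if page_url is None:
        return None  # no URL in the title: refuse rather than fall back to title text
    matches = [e for e in entries if host_matches(e["url"], page_url)]
    return matches[0] if len(matches) == 1 else None


def expand_sequence(entry):
    """Expand the auto-type sequence into keystroke actions.

    {USERNAME}/{PASSWORD} become ("type", value); other names such as
    {TAB} or {ENTER} become ("key", NAME); literal text becomes ("type", text).
    """
    actions, pos, seq = [], 0, entry["sequence"]
    for m in PLACEHOLDER.finditer(seq):
        if m.start() > pos:
            actions.append(("type", seq[pos:m.start()]))
        name = m.group(1)
        if name == "USERNAME":
            actions.append(("type", entry["username"]))
        elif name == "PASSWORD":
            actions.append(("type", entry["password"]))
        else:
            actions.append(("key", name))
        pos = m.end()
    if pos < len(seq):
        actions.append(("type", seq[pos:]))
    return actions


def autotype(window_title, entries=ENTRIES):
    """Keystrokes to send for this window, or None to stay silent."""
    entry = select_entry(window_title, entries)
    return None if entry is None else expand_sequence(entry)


if __name__ == "__main__":
    print(autotype("Log in - https://login.bank.example/ - Mozilla Firefox"))
    print(autotype("Sign in - https://evil.example/?next=login.bank.example - Mozilla Firefox"))
```

The second call returns None: the lookalike page names the bank in its query string, but its host is evil.example, so nothing is typed. Dropping {ENTER} from the forum entry's sequence, as the post suggests, leaves the final submit to the user.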
What would be a good password manager to use? A lot of people have mentioned a few but I don't know which one to pick personally. Nor would I know a way to create a secure master password that would be easy to remember.
[QUOTE=BrosefStachin;52202697]What would be a good password manager to use? A lot of people have mentioned a few but I don't know which one to pick personally. Nor would I know a way to create a secure master password that would be easy to remember.[/QUOTE]
Use a pass[I]phrase[/I], just something that's reasonably long and not easy to guess from your personal information. Here's a relevant xkcd: [URL="https://xkcd.com/936/"]Password Strength [t]https://imgs.xkcd.com/comics/password_strength.png[/t][/URL] but also (the first part of) [URL="https://xkcd.com/792/"]Password Reuse [t]https://imgs.xkcd.com/comics/password_reuse.png[/t][/URL]

Basically, as long as it's long enough you're good. You can use a more memorable sensible-ish sentence too, if you ideally make it a little bit longer and/or not English.

For offline use, I'm pretty sure KeePass 2 is the best (but not necessarily the easiest) that's currently around. It's not very strong if your computer gets infected though, since there are a few approaches a local attacker can use to dump your database or grab your master password. (This goes for anything that's not hardware-based, though two-factor authentication usually is fairly strong due to phone OS limitations.)
I kind of wish people would stop posting that xkcd comic in literally every single conversation about passwords. It's been reposted so many times that it's practically common sense to everyone. If you can't figure out a good password on your own you probably aren't smart enough to follow the advice of some comic to begin with, or you're too lazy to care, to be honest. You'd have to be a bit dense to think something like "dragon" as an example for everything is OK. [editline]9th May 2017[/editline] That and [B]online[/B]-based password managers. Jesus Christ, every single person who uses those, just, what are you thinking? If you really need syncing, remember the ones you use across devices and manually interchange everything else.
[QUOTE=J!NX;52205072]I kind of wish people would stop posting that xkcd comic in literally every single conversation about passwords. It's been reposted so many times that it's practically common sense to everyone. If you can't figure out a good password on your own you probably aren't smart enough to follow the advice of some comic to begin with, or you're too lazy to care, to be honest. You'd have to be a bit dense to think something like "dragon" as an example for everything is OK. [editline]9th May 2017[/editline] That and [B]online[/B]-based password managers. Jesus Christ, every single person who uses those, just, what are you thinking? If you really need syncing, remember the ones you use across devices and manually interchange everything else.[/QUOTE] Even if LastPass isn't ideal, isn't it a net benefit overall to use an online password vault if it makes you change every single password to be unique, as opposed to not using one and just reusing the same few passwords?
[QUOTE=NGC;52202058]LastPass seems the most convenient of the lot though, unless I'm missing something. An app version to sync between devices is [b]critical[/b] these days. What sort of compromise is there for something like KeePass in that regard? Genuinely asking since I've been putting off getting a password manager for now. A comment in a password manager overview article (linked in the article of the OP) recommends RoboForm. Thoughts anyone?[/QUOTE] I like to use Dropbox (with two-factor) with KeePass, though I use KeePassXC on my desktop because of autofill. That way I can use it across devices.
With that xkcd comic if you just shove a random special character in the middle of a word (not one which is a letter replacement i.e. let/ter rather than l3tter) it becomes pretty immune to dictionary attacks too.
At the end of the day where that xkcd comic falls completely flat is the differing password requirements from site to site. Lots of sites won't even let you have a password that's longer than say 20 characters, not to mention number, case and special character requirements/restrictions.
[QUOTE=LordLoss;52205470]At the end of the day where that xkcd comic falls completely flat is the differing password requirements from site to site. Lots of sites won't even let you have a password that's longer than say 20 characters, not to mention number, case and special character requirements/restrictions.[/QUOTE] Just about every German bank has a password character limit of [I]5[/I] (and usually a harsh restriction on characters). [editline]9th May 2017[/editline] [QUOTE=J!NX;52205072]I kind of wish people would stop posting that xkcd comic in literally every single conversation about passwords. It's been reposted so many times that it's practically common sense to everyone. [...][/QUOTE] I partially agree, but considering how often other sites suggest using something truly random, it shouldn't hurt.
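Two points in the thread, the "as long as it's long enough you're good" passphrase advice and the objection that sites cap length or demand character classes, can be put side by side in numbers. The block below is an added example, not code from the thread or from any password manager. It draws passphrases and policy-constrained passwords with the OS CSPRNG and reports their entropy; the 16-word list is a constructed stand-in for a real diceware list (the EFF large list has 7776 words, which is the size used in the entropy call), and the "bank" policy mirrors the 5-character limit mentioned above.

```python
"""Random passphrases and policy-constrained passwords, with their entropy.

Added example; not from the thread or any product. WORDS is a constructed
stand-in for a real diceware-style word list.
"""
import math
import secrets
import string

# Constructed 16-word list; a real list has thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "lantern", "orbit", "glacier",
         "velvet", "mosaic", "thunder", "cactus", "ember", "harbor", "quartz",
         "saffron", "tundra"]


def passphrase(n_words=4, words=WORDS, sep=" "):
    """n words chosen uniformly with the OS CSPRNG (secrets, never random)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of a uniformly chosen passphrase: n * log2(|wordlist|)."""
    return n_words * math.log2(wordlist_size)


class Policy:
    """A site's password rules: length bounds, allowed alphabet, required classes."""

    def __init__(self, min_len=8, max_len=64, alphabet=None, require_classes=()):
        self.min_len, self.max_len = min_len, max_len
        self.alphabet = alphabet or (string.ascii_letters + string.digits
                                     + string.punctuation)
        self.require_classes = require_classes  # e.g. (string.digits, string.ascii_uppercase)

    def accepts(self, pw):
        return (self.min_len <= len(pw) <= self.max_len
                and all(c in self.alphabet for c in pw)
                and all(any(c in cls for c in pw) for cls in self.require_classes))


def random_password(policy, length=None):
    """Rejection sampling: draw uniformly from alphabet^length and retry until
    the class rules hold, so the result stays uniform over the accepted set
    (no "append a digit at the end" bias that an attacker could model)."""
    length = policy.max_len if length is None else length
    if not policy.min_len <= length <= policy.max_len:
        raise ValueError("length outside policy bounds")
    while True:
        pw = "".join(secrets.choice(policy.alphabet) for _ in range(length))
        if policy.accepts(pw):
            return pw


def password_entropy_bits(length, alphabet_size):
    """Upper bound for a uniformly random string; class rules shave a little off."""
    return length * math.log2(alphabet_size)


# Constructed policies for comparison.
GERMAN_BANK = Policy(min_len=5, max_len=5, alphabet=string.ascii_letters + string.digits)
TYPICAL_SITE = Policy(min_len=8, max_len=20,
                      require_classes=(string.digits, string.ascii_uppercase,
                                       string.punctuation))

if __name__ == "__main__":
    print(passphrase(4), round(passphrase_entropy_bits(4, 7776), 1), "bits")
    print(random_password(GERMAN_BANK), round(password_entropy_bits(5, 62), 1), "bits")
    print(random_password(TYPICAL_SITE), round(password_entropy_bits(20, 94), 1), "bits")
```

Four words from a 7776-word list give about 51.7 bits; the 5-character alphanumeric bank password tops out near 29.8 bits whatever you do, which is why the site's limit, not the user's choice, is the binding constraint there. A 20-character password over the full printable set is about 131 bits, well past what a passphrase of memorable length reaches, so where a site allows it a manager-generated string wins on strength and the passphrase is for the master password you actually have to remember.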
[QUOTE=StrawberryClock;52205291]Even if LastPass isn't ideal, isn't it a net benefit overall to use an online password vault if it makes you change every single password to be unique, as opposed to not using one and just reusing the same few passwords?[/QUOTE] That's why you use an offline manager. Of course you can still change them all and make every one of them unique all the same; it's literally the exact same thing but offline.
[QUOTE=J!NX;52206012]That's why you use an offline manager. Of course you can still change them all and make every one of them unique all the same; it's literally the exact same thing but offline.[/QUOTE]
That's not what I'm asking, though. My question is: even if an online vault may be less secure inherently, isn't it more secure than NOT having unique passwords? LastPass is hella convenient.

Also, from my limited research the biggest point of contention seems to be not that it's online (because everything is encrypted) but that it's an add-on and thus more vulnerable. There doesn't seem to be any real consensus on whether LastPass should truly be avoided or not (most reasons against it seem ideological rather than practical), and most seem to agree that it's probably better for non-tech-savvy mom-and-pop type people to use LastPass rather than nothing, as long as you use two-factor auth, disable autofill and use a really strong master password.

Like, if my odds of getting hijacked are now 10,000-to-1 instead of 100,000-to-1 if I use LastPass, it's still WAY better than the 100-to-1 odds of not using anything, right? I feel like people who recommend against LastPass have legitimate reasons, but they tend to make it seem like you're better off just keeping your old shitty reused passwords when in reality it's probably safer by at least two orders of magnitude.

So with that taken into account, what's better in your opinion: doing nothing or using LastPass?
[QUOTE=StrawberryClock;52206050]That's not what I'm asking, though. My question is: even if an online vault may be less secure inherently, isn't it more secure than NOT having unique passwords? LastPass is hella convenient. So with that taken into account, what's better in your opinion: doing nothing or using LastPass?[/QUOTE]
This is basically going out of one's way to force me to agree with you, since it's clear any manager is better than no manager, except conveniently ignoring offline managers for the sake of argument shows that you have to create a scenario where it's OK. It creates imaginary reasons to support using something. Sorry, but no, I'm not going to argue in hypotheticals just to justify using an online manager. Yeah sure, let's trust some faceless entity with my security measures, I'm sure that'll work great.

At the end of the day there are [U]ALTERNATIVES[/U]; you shouldn't go out of your way to justify the "convenient" online storage method. It isn't "all or nothing". That's why people recommend LastPass, because people should not start pretending it's the only thing that exists, because there are better methods. And yes, you could still think of one very strong password and then a method of making it unique. You can still do "site join date" and "site name shortened" spliced together to make "18562f0a0c6e" as a password and no one's going to really guess it, or you can, you know, make yourself immune to both online manager leaks AND brute force by... using an offline manager.

[QUOTE]they tend to make it seem like you're better off just keeping your old shitty reused passwords when in reality it's probably safer by at least two orders of magnitude.[/QUOTE] [U]That's why they recommend an offline manager.[/U]
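The "one very strong password plus a method of making it unique per site" idea in the post above is a deterministic derivation scheme. The block below is an added example, not the poster's scheme and not any product's code, showing how such a derivation is done so that a site-specific output leaks nothing about the master secret: a slow KDF (PBKDF2-HMAC-SHA256) keyed by the master secret and salted by a canonical site label. The `counter` argument and the iteration count are assumptions added here to address two practical problems the ad-hoc "join date + short site name" version has: it cannot rotate a single site's password after a breach, and it offers no work factor against guessing the master once one output is known. The caveat stands for any scheme of this kind: if the master secret is phished or keylogged, every site's password follows from it, which is the exposure an offline vault with random per-site passwords does not have.

```python
"""Deterministic per-site passwords from one master secret.

Added example, not the poster's scheme or any product's code. ITERATIONS,
the counter and the alphabet are assumptions made for this illustration.
"""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits
ITERATIONS = 100_000  # assumption: slows offline guessing of the master secret


def canonical_site(site):
    """Normalise the site label; 'Facepunch.com ' and 'facepunch.com' must agree,
    or a typo silently yields a different password."""
    return site.strip().lower()


def site_password(master, site, counter=0, length=16, alphabet=ALPHABET):
    """Same (master, site, counter) always gives the same password.

    Bump `counter` to rotate one site's password after a breach without
    touching the master secret. PBKDF2 makes each guess at the master
    cost ITERATIONS HMAC calls for an attacker who holds one site's output.
    """
    salt = f"{canonical_site(site)}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS, dklen=32)
    # 256 bits is far more than 16 symbols of a 62-letter alphabet (~95 bits)
    # need, so reducing a single big integer keeps the mapping effectively uniform.
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def derive_all(master, sites):
    """What a master-secret compromise hands an attacker: every site at once."""
    return {s: site_password(master, s) for s in sites}


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed
    print(site_password(master, "facepunch.com"))
    print(site_password(master, "facepunch.com", counter=1))  # rotated
    print(derive_all(master, ["facepunch.com", "mail.example"]))
```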
[QUOTE=J!NX;52206061]This is such a stupid hypothetical, it's basically going out of one's way to force me to agree with you[/QUOTE] It wasn't my goal; I'm literally wondering if it would be better for my mom to use LastPass or not, because there's no way I'm gonna be able to get her to use anything less user-friendly than that. I can barely get her to understand how to make a new folder, for God's sake. I've seen quite a few "security experts" (dunno what else to call them) say that while LastPass isn't perfect, it's better than nothing, so when I'm asking you the same question and you can't answer it properly other than "but but FACELESS CORPORATION", consider me disappointed. I'm not deliberately ignoring offline password managers; you're ignoring how much more convenient and user-friendly LastPass is.
[QUOTE=StrawberryClock;52206100]It wasn't my goal; I'm literally wondering if it would be better for my mom to use LastPass or not, because there's no way I'm gonna be able to get her to use anything less user-friendly than that. I can barely get her to understand how to make a new folder, for God's sake. I've seen quite a few "security experts" (dunno what else to call them) say that while LastPass isn't perfect, it's better than nothing, so when I'm asking you the same question and you can't answer it properly other than "but but FACELESS CORPORATION", consider me disappointed. Is it better to use LastPass rather than nothing, yes or no?[/QUOTE] If it's truly needed, then I would use it, but keep everything that you use as your primary email offline, so that if there was ever a leak, the main email isn't compromised and everything can still be recovered. Just have 2-step enabled; that way you're immune to any issues it might cause if a leak actually somehow managed to happen. Even if the worst possible thing happens, like someone getting through the LastPass stuff, the main email required to recover it all is safe and sound.
Lastpass is incredibly simple to use, "just works", and is relatively safe. Your password vault is encrypted, Lastpass the company can't access your shit, it has 2-factor and geofencing, it generates passwords that are secure and fit whatever site's requirements, it's easily tweaked, and it works across all devices, along with being free (the paid version offers bonuses you don't need, especially now that mobile support is free).

Security-wise the only issue is that it's a browser addon, but if malware wanted to nab your passwords it could do it regardless of whether it was a browser addon or an offline program (read your clipboard, inject into your browser and get info you type into forms, read your keyboard inputs, etc.). Lastpass is what I recommend to friends, family and coworkers because a toddler could use it and it doesn't require me to set it up for them. Hell, I use it. Even when Lastpass got hacked nothing was taken that could be used, as the vaults are heavily encrypted, and Lastpass went overkill on security afterwards.
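"Your vault is encrypted, the company can't access it" and "use a really strong master password" are two halves of the same design, and the thread leaves the mechanism implicit. The block below is an added example of the key-separation pattern a hosted vault uses so the server never holds the decryption key; it is not LastPass's code, and the iteration counts, salts and function names are illustrative assumptions. The client derives the vault key from the master password and keeps it; it derives a separate authentication hash to send at login, and the server stores only a further salted, stretched hash of that. The last function shows what a server breach actually yields: a dump that lets an attacker test master-password guesses offline at PBKDF2 cost, which is fatal for a weak master password and irrelevant for a long one.

```python
"""Key separation for a hosted ("zero-knowledge") password vault.

Added example of the design pattern, not LastPass's implementation.
Iteration counts, salt choices and names are illustrative assumptions.
"""
import hashlib
import hmac
import os

CLIENT_ITERATIONS = 100_000  # assumption
SERVER_ITERATIONS = 100_000  # assumption


def client_keys(email, master_password):
    """Runs on the client. Returns (vault_key, auth_hash).

    vault_key encrypts the vault locally and never leaves the device.
    auth_hash is a separate one-way derivation sent to the server at login;
    knowing auth_hash does not give vault_key.
    """
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), CLIENT_ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key,
                                    master_password.encode(), 1)
    return vault_key, auth_hash


def server_enroll(auth_hash):
    """Server side: store a salted, stretched hash of auth_hash, never auth_hash."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
    return {"salt": salt, "hash": stored}


def server_verify(record, auth_hash):
    """Server side: constant-time comparison against the stored hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], SERVER_ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def crack_with_server_dump(record, email, candidates):
    """What a thief of the server record can do: guess master passwords,
    paying CLIENT_ITERATIONS + SERVER_ITERATIONS of PBKDF2 per guess.
    Encryption does not rescue a master password that is in a wordlist."""
    for guess in candidates:
        _, auth_hash = client_keys(email, guess)
        if server_verify(record, auth_hash):
            return guess
    return None


def guessing_time_seconds(search_space_bits, guesses_per_second):
    """Expected time to find a uniformly chosen secret: half the space."""
    return (2 ** search_space_bits) / 2 / guesses_per_second


if __name__ == "__main__":
    vk, ah = client_keys("mom@example.com", "correct horse battery staple")  # constructed
    rec = server_enroll(ah)
    print("login ok:", server_verify(rec, ah))
    print("cracked:", crack_with_server_dump(rec, "mom@example.com",
                                             ["password", "123456", "correct horse battery staple"]))
    print("days for 44 bits at 1e6 guesses/s:", guessing_time_seconds(44, 1e6) / 86400)
```

The derivation order matters: if the server received the vault key itself, or a hash the vault key could be computed from, "the company can't access your vault" would rest on policy rather than on math. With the split shown, a server compromise is reduced to an offline guessing attack whose speed the client-side iteration count sets, which is exactly why the advice in this thread pairs a hosted vault with a long master passphrase and two-factor auth.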
[QUOTE=J!NX;52206116]If it's truly needed, then I would use it, but keep everything that you use as your primary email offline, so that if there was ever a leak, the main email isn't compromised and everything can still be recovered. Just have 2-step enabled; that way you're immune to any issues it might cause if a leak actually somehow managed to happen. Even if the worst possible thing happens, like someone getting through the LastPass stuff, the main email required to recover it all is safe and sound.[/QUOTE]
Thank you for your answers; I was genuine in my questioning. I've just been getting paranoid lately because I felt like no matter what I do it would never be enough to make my accounts "reasonably" secure. I have been thinking about taking my "main" accounts off LastPass, and the good news is I remember my new passwords pretty well thanks to the advice from that XKCD comic, so I'll be doing that soon.

[QUOTE=SleepyAl;52206140]Lastpass is incredibly simple to use, "just works", and is relatively safe. Your password vault is encrypted, Lastpass the company can't access your shit, it has 2-factor and geofencing, it generates passwords that are secure and fit whatever site's requirements, it's easily tweaked, and it works across all devices, along with being free (the paid version offers bonuses you don't need, especially now that mobile support is free). Security-wise the only issue is that it's a browser addon, but if malware wanted to nab your passwords it could do it regardless of whether it was a browser addon or an offline program (read your clipboard, inject into your browser and get info you type into forms, read your keyboard inputs, etc.). Lastpass is what I recommend to friends, family and coworkers because a toddler could use it and it doesn't require me to set it up for them. Hell, I use it. Even when Lastpass got hacked nothing was taken that could be used, as the vaults are heavily encrypted, and Lastpass went overkill on security afterwards.[/QUOTE]
I would have switched away from LastPass if it seemed like the consensus on Facepunch was that it was too insecure, as I usually trust people here who are more savvy than I am. I was just not looking forward to it, as it took me a LONG time to change all my account passwords and I was panicking at the thought of having to learn the subtleties of a new program that wasn't as convenient, on top of not being able to recommend it to my family. Can I finally let out a sigh of relief, at least for now?
Password managers are an awful idea. Why not just remember them in your own brain hole? Not easy, but humans are very good at remembering repetitive actions. It also helps to create smaller passwords and combine them. That is the only time I would recommend writing down your password: the first two characters of each, in order. If you can learn an entire language you can learn your own few (pass)words.
[QUOTE=dot.rich;52206456]Password managers are an awful idea. Why not just remember them in your own brain hole? Not easy, but humans are very good at remembering repetitive actions. It also helps to create smaller passwords and combine them. That is the only time I would recommend writing down your password: the first two characters of each, in order. If you can learn an entire language you can learn your own few (pass)words.[/QUOTE] Dude, my passwords are around 30+ characters long and different for each site. Having to remember which password is for which site, and having to type them out (not only on a computer, but also on my phone), is such a hassle. I would rather just be able to press Ctrl+V and have a program type it all. [editline]9th May 2017[/editline] Here's a password from one of the many services I use. Try typing this out on mobile: w/\J`u'W6`'H8afxQSP_BX2PWz@p]#H'78-j&L3av53Lu;~(8sXFT2]C<fMu/J9;XEYcFe