Passwords? (Almost) forget about them

I assume you mean employees of the companies hosting the password data?

Yes.

No, it shouldn't be possible, as they are encrypted to hell and gone, although anything is crackable. Then again, the source where said password belongs is equally vulnerable.

How does one know this? Who audits this?

Why do you say the source is equally vulnerable?

Did Adobe encrypt passwords? Because I keep getting emails from them asking me to change my passwords on other services, if I reused the same password.
 
I mean, if you worry about the company hosting your "Password service" and how they are audited, you should be asking the same question of ANY place where you enter a password and how they are encrypted and audited.

The greatest reason using the same password everywhere is that the lowest common denominator that stores your password in plain text and transmits it as such opens up every single other place with the same password, regardless what encryption they use and who audits them.
 
I have the premium version of Lastpass. Most of my passwords are 64 characters long.
 
I mean, if you worry about the company hosting your "Password service" and how they are audited, you should be asking the same question of ANY place where you enter a password and how they are encrypted and audited.

Sure. But in this case the service hosts all my passwords. If it's compromised, I'm affected in a serious way. When I memorise and use different passwords on different services, I spread the risk. And as said a password hosting service makes for a much more lucrative target.

The greatest reason using the same password everywhere is that the lowest common denominator that stores your password in plain text and transmits it as such opens up every single other place with the same password, regardless what encryption they use and who audits them.

Sure. Just that passwords do get leaked out - as per the Adobe example. Re-using the same password on important accounts is dangerous, but that's not why I brought them up. If Adobe was in charge of securing my password cloud solution I'd now be frantically changing all my passwords on all my services.
 
Does LastPass support two-factor or multifactor authentication?

Yes. LastPass currently offers:

1. Google Authenticator - a free multifactor option that uses your smart phone as the 2nd factor.

2. Grid - a free multifactor option styled after a battleship grid

3. Sesame - a part of our Premium package, a program that generates a one time password when logging in

4. YubiKey - a part of our Premium package, a separate physical device, purchased through Yubico, that generates a random one time password when logging in.

5. Fingerprint Reader support on limited devices as a part of our Premium package.

6. Smartcard authentication on limited devices as part of our Premium package.

7. Support for Windows biometric framework.

Nice
 
OK, this makes it a great target for hacking or social engineering.

Can rogue employees not get access to the passwords? And who audits these services?

I get your point, but the lastpass website says this:

Local-Only Decryption
All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.

Lastpass would have to shut their business down if a single breach ever happened, so they are heavily incentivised to make their service as secure as possible. They would never build their service in such a way that a rogue employee could access user passwords.
 
I get your point, but the lastpass website says this:
Lastpass would have to shut their business down if a single breach ever happened, so they are heavily incentivised to make their service as secure as possible. They would never build their service in such a way that a rogue employee could access user passwords.

Wouldn't it be cheaper and/or more secure just to host a TrueCrypt volume (of a small size) on an obscure FTP server somewhere? Even say in a free MediaFire account? Then use the two factor key of TrueCrypt - say a file on your PC or thumb drive or on your gmail account or a different server (e.g. a JPEG of a kitten) and a single password? That way you get the benefit of security through obscurity, and you get access to your data anywhere? Alternatively just keep a portable TC with volume on a USB stick. Second authentication could be an obscure keyfile on your PC or a server somewhere.

As a bonus one could hide the TC volume in a video file, as so:
https://www.demworks.org/blog/2013/05/steganograohy-go-hiding-truecrypt-volumes-movie-files
 
Wouldn't it be cheaper and/or more secure just to host a TrueCrypt volume (of a small size) on an obscure FTP server somewhere? Even say in a free MediaFire account? Then use the two factor key of TrueCrypt - say a file on your PC or thumb drive or on your gmail account or a different server (e.g. a JPEG of a kitten) and a single password? That way you get the benefit of security through obscurity, and you get access to your data anywhere? Alternatively just keep a portable TC with volume on a USB stick. Second authentication could be an obscure keyfile on your PC or a server somewhere.

As a bonus one could hide the TC volume in a video file, as so:
https://www.demworks.org/blog/2013/05/steganograohy-go-hiding-truecrypt-volumes-movie-files

Keepass can do all of that.

But yeah, if you have the knowledge there are ways to be more secure, especially through obscurity as you say, but for most people LastPass or KeePass get them 99.9% of the way, which is far better than using short memorized passwords.

One option is to use a cloud based service like lastpass for remembering non critical website logins, and a self hosted option like keepass or truecrypt for critical things like credit card numbers and bank logins. Spreading things around is probably a good idea.
 
Wouldn't it be cheaper and/or more secure just to host a TrueCrypt volume (of a small size) on an obscure FTP server somewhere? Even say in a free MediaFire account? Then use the two factor key of TrueCrypt - say a file on your PC or thumb drive or on your gmail account or a different server (e.g. a JPEG of a kitten) and a single password? That way you get the benefit of security through obscurity, and you get access to your data anywhere? Alternatively just keep a portable TC with volume on a USB stick. Second authentication could be an obscure keyfile on your PC or a server somewhere.

As a bonus one could hide the TC volume in a video file, as so:
https://www.demworks.org/blog/2013/05/steganograohy-go-hiding-truecrypt-volumes-movie-files

LastPass fills forms, allows autologin to sites (if you're authenticated with LastPass), etc. Browser integration works well. TC certainly cuts the middle man out but makes the administration your problem. Good luck getting into the TC file if your password for that is sabotaged or lost.
 
Only problem I've had with passwords like "asd;lkfhiahdKJDH*U&^*&^_++///"kjasjshdfkMERUD_" is if you are ever at a PC where you haven't installed the password software and you need or want to log in to something.
 
Only problem I've had with passwords like "asd;lkfhiahdKJDH*U&^*&^_++///"kjasjshdfkMERUD_" is if you are ever at a PC where you haven't installed the password software and you need or want to log in to something.

There is no need to make them that difficult, just a bit harder than usual.
 