Remember how once upon a time you could remember however many dozen phone numbers?
That.
Password managers are a janky fix with a huge weakness in that if you get the master password you get the keys to the kingdom. If you don't have MFA it's not really secure.
If you don’t have MFA it’s not really secure.
And depending on the MFA and how good a target you appear to be, it isn't necessarily secure then either.
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases. Probably. Fingers crossed.
There's just so much information to remember, how else do I do it?
All the inconsequential stuff goes in a manager, so login details for here, Chain Reaction etc.
Never save card details to websites.
Stuff that could cause serious problems will be a short list; remember/write down those three or four, e.g. bank, PayPal, Google/Apple, Facebook (wouldn't bother me, but a lot of people use it or similar for a lot).
squirrelking
Free Member
Remember how once upon a time you could remember however many dozen phone numbers? That
Nope it's nothing like that at all.
@Dangeourbrain. Yeah, that's the conclusion I've come to. I'll clean Bitwarden up as I write things down on paper.
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases.
It's definitely my preferred approach. If for no other reason than if they have compromised your computer you are buggered whether you keep the password file locally or not.
This is why things like biometrics and 2FA are the way forwards. I don't have to remember anything to be able to log securely into my bank, just have my phone and be me!!
There's just so much information to remember, how else do I do it?
Honestly don't know why anyone is still using LP at this stage given what's happened 🤷♂️ 😂
Personally I think it's safer on a scrap of paper squirrelled away somewhere at home, preferably without the words 'bank details' written on it in big letters.
The chances of being burgled, and then finding the paperwork, and then working out it's bank details, and then working out which bank, are smaller than stuff getting hacked online.
We have a firesafe with all bank account stuff in it (and passports etc).
footflaps
We have a firesafe with all bank account stuff in it (and passports etc).
Probably the most sensible solution for storing a crypto seed phrase TBH.
The use case for things like Lastpass is where you need those details readily from wherever in the world you happen to be and on whatever device you are using.
All the inconsequential stuff goes in a manager, so login details for here, Chain Reaction etc.
Never save card details to websites.
Stuff that could cause serious problems will be a short list; remember/write down those three or four, e.g. bank, PayPal, Google/Apple, Facebook (wouldn't bother me, but a lot of people use it or similar for a lot).
I understand the reasoning, but I think there are a couple of things to consider. Firstly, accounts which you think are inconsequential could provide information to gain access to more sensitive accounts. Secondly, one of the advantages of password managers is that you can use passwords with high entropy easily. There's no way I'm typing in passwords of the same complexity on a regular basis - which means either a) using less secure passwords, b) checking important accounts less regularly, or most likely c) both.
I'm not saying change what you do, just worth being aware of the downsides.
This is why I try and use PP for everything, I only have to memorise one high entropy password and use 2FA.
Then I let the browser choose random passwords for all the other sites (but it doesn't know PP). If you get my browser password cache, you can't actually spend any money...
There’s no way I’m typing in passwords of the same complexity on a regular basis
How are you accessing whatever manager you use? I assume that's not behind your email address and date of birth...
How are you accessing whatever manager you use? I assume that's not behind your email address and date of birth…
typing in passwords *plural* of the same complexity.
typing in passwords *plural* of the same complexity.
OK, I see the distinction but I'm not sure I see the point. Typing in one 16-character password twenty times a day isn't significantly worse than four five times each, is it?
Or is it the recall you're taking issue with? That, I can understand, becomes commensurately more difficult, but even then a lot of that is repetition and familiarity.
If only it was 4, I can think of over a dozen just for financial things, and there's loads more which are, if anything, more important to keep secure.
If that story is factual - why are the hackers only going after crypto (which I'll never believe is actually real money)? And not normal bank accounts? Of which there is no doubt more info stored in LastPass than crypto keys.
It's much harder to trace cryptocurrency back to an individual and there are fewer controls on transfers. I'd imagine emptying bank accounts on a large scale gets picked up as unusual activity very quickly.
Still using LastPass but I never store bank details there and everything that could be 2fa'd is. I've also changed all the important passwords since the breach. The people who lost crypto appear to have not moved their crypto between wallets once it was clear there had been a breach.
Also much easier to move crypto into, for instance, a sanctioned Russian bank account.
If that story is factual – why are the hackers only going after crypto (which I’ll never believe is actually real money)?
For crypto seed keys it's more fiddly to change the password than it would be for a bank account.
Plus I don't think there are any bank accounts now without 2FA.
I'm surprised anyone thought giving all their passwords to a company to be kept online was a good idea in the first place.
dyna-ti
Full Member
I'm surprised anyone thought giving all their passwords to a company to be kept online was a good idea in the first place.
It is a good idea, which is why Google, Apple, Microsoft and many other companies provide this service.
Otherwise it is next to impossible to use unique secure passwords for each site and service across all of your different devices.
The problem in this case was not the idea, but that the company providing the services had poor security policies in place.
It is a good idea, which is why Google, Apple, Microsoft and many other companies provide this service.
That doesn't make it a good idea. It just makes it one people like to use to try and lock people into their services.
The problem in this case was not the idea, but that the company providing the services had poor security policies in place.
The problem is when you provide this service you are creating a motherlode which all the top notch hackers will go after. They just need to get lucky once.
Storm-0558 being a good example of a compromised machine and then being able to get something from the logs.
Or GCHQ hacking the Belgian telephone system. Allegedly.
dissonance
That doesn't make it a good idea. It just makes it one people like to use to try and lock people into their services.
That's one way of looking at it I guess.
I humbly suggest it's the opposite; it's a good feature, people want it and will dump things that don't support it.
Also not sure how it would be used to lock people in, since the password lists can be exported and imported to different services.
@dissonance true, 2FA isn't perfect but it does make things more secure if you use it properly.
A single password database stored on your computer is less of a honey pot for hackers than a cloud based database of millions of password databases. Probably. Fingers crossed.
There's a good argument for that and as long as it's properly secured then why not?
Nope it’s nothing like that at all.
@multi21 huh. Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
squirrelking
@multi21 huh. Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
Your example was remembering 12 phone numbers, those each being 4-6 digit numbers.
Whereas even just looking at banking I have at least sites to try and remember. Some are email login, some are a customer number, some are the account number; on some the memorable number is 5 digits, on others it's 6 but mustn't be the same as the memorable date; some have a digital secure key and others similarly named but must-be-different keys too.
And the other problem is I'm only using a lot of them once a month or every few months to check nothing's awry.
It is very, very different to remembering your mate's phone number that you call every week.
In fact I have over 500 different passwords in my vault.
Must be getting old then, I have no trouble remembering my work laptop Bitlocker password and network login plus my regularly used banking passwords, login details and whatever else.
My browser is currently remembering 174 passwords for me...
Mine is remembering 526 (well, 525 now, as one shouldn't have been there), none of which are "useful". Sure, you could piece together quite a lot about me from those sites, but mostly it's stuff it would be quicker and easier to pick up from the electoral register and scrape from various social media etc.
In honesty, of those 500+ sites I would probably be comfortable with setting them all to "password", except for some reason my login for ratemypotato.com needs to be 16 characters minimum and contain at least one kanji, two Arabic words and a proto-cuneiform numeral, backed up by recovery questions more sensitive than any data I'm ever going to submit to the site.
None of those sites should have anything I'd consider to be a problem if they got compromised.
On top of that I've 3 banking logins, 2 pension ones, Dr's surgery, 3 Google logins, eBay, Amazon, PayPal and two airlines, all of which are either written somewhere and/or I know. Partly it helps that I'm good at remembering junk, so the random user name and password for my bank account sticks despite rarely using them these days.
I humbly suggest it’s the opposite; it’s a good feature, people want it and will dump things that don’t support it.
That doesn't make it a good feature security-wise*.
It makes it a convenient feature, and as anyone who deals with security will say, it's always a balancing act between security and convenience.
Anything which involves centralised security is always going to attract the attackers, and depending on how good the goods look you will get top notch criminals. Another good recent example is MOVEit. Supposedly very secure document transfer and hence lots of companies use it. Which made it a very good target, since once compromised you could search for users and then loot whatever they have and then figure out if it's good or not.
Also not sure how it would be used to lock people in, since the password lists can be exported and imported to different services.
Because people are lazy and many are technically unskilled. So given a choice of sticking with Chrome or trying Firefox, if everything is saved in Chrome they will stay there.
*It does get messy between is it better to have that or having people use Password123!, but that's separate and goes back to is it better to have local password safes.
My browser is currently remembering 174 passwords for me…
All banking apps? Wow, you have bigger problems...
None of those sites should have anything I’d consider to be a problem if they got compromised.
Maybe have a read around some of the more sophisticated social engineering attacks, especially for impersonating you to third parties/relatives, rather than a direct attack on you.
On top of that I've 3 banking logins, 2 pension ones, Dr's surgery, 3 Google logins, eBay, Amazon, PayPal and two airlines, all of which are either written somewhere and/or I know. Partly it helps that I'm good at remembering junk, so the random user name and password for my bank account sticks despite rarely using them these days.
I think I probably have over 50 logins[0] for things which you'd class as too important to store. 40+ character passwords, I'm good at remembering things, but I've got better things to store in my head than 2000 randomly generated characters.
[0] probably a *massive* underestimation
I don’t get your point then? You know they had a keylogger which could be used to capture both the master password and MFA which could both be reused as long as it was within the same 30s window.
Do MFA implementations really allow 2 successful authorisations using the same code just because it's within a short timeframe?
That would seem to purposefully open it up to this sort of attack which is mad.
A key logger should never be able to get you past MFA.
40+ character passwords, I’m good at remembering things, but I’ve got better things to store in my head than 2000 randomly generated characters.
This but I have a terrible memory 🤣
Why the hell are you using 40 character passwords?
What possible utility does that serve?
Maybe have a read around some of the more sophisticated social engineering attacks, especially for impersonating you to third parties/relatives, rather than a direct attack on you.
Absolutely, but none of those that I'm aware of are more likely to be achievable* by knowing I've bought a set of frilly knickers in a size 6'4" bloke from crc directly activity there vs pulling the photo of me in said knickers from John's publicly viewable Facebook account with the tag line "dangeourbrain's new chain reaction panties".
That's the thing, most of that data isn't secure because it's not secret; it's all over the Internet if I cared to look, because other people besides me have access to it and publish it already.
Using the data scraped from a number of sites, could you possibly convince my bank you're me but have lost all my passwords? Possibly. (They have policies and training in place to minimise that, but it's possible; people are the weak link in anything, regardless of how well trained they are, they're only human.)
Could you get the same info from publicly available sources that wouldn't require any significant effort? Yep. (I appreciate my flippancy may not have been obvious in the previous post; I'm not likely to actually set the passwords to the same and/or obvious thing.)
If you're not trying it on with the bank but rather a relative - (as an example) my semi estranged FIL living in Algeria with his business-cum-life partner and her two medically dependent children who is desperately in need of £5k cash deposited into said partner's bank account because his accounts have been frozen by the tax man - are you more likely to succeed in doing this by knowing his just eat transactions or by seeing a photo of the blue shirt I bought him as a gift last year?
That's the thing with social engineering attacks: what makes them work is the social bit, it's knowing the weather where I am today or that I'm likely to be hungover, nephew's 18th last night, and so on.
My life isn't private, not any more or less than anyone else's. I'd love to pretend it was, but that horse bolted so long ago its grandchildren are now due the knacker's yard.
Maybe if we all stopped pretending you can bottle the wind we'd actually be a lot more secure because the illusion you can prevent this sort of stuff on your own is genuinely damaging.
*Well, unless you want to ask the folks at Chain Reaction if I bought a bike from them last year, since my order history is no longer accessible online.
What possible utility does that serve?
That I'll get at least one green and three yellow boxes on guess one.
Why the hell are you using 40 character passwords?
What possible utility does that serve?
Okay, let's say your passwords are a mere 20 characters. That's still 1000 randomly generated characters to remember.
I'll admit, 40+ is really "because I can", but I'd always want a minimum of 16 for anything, and probably 24+ for a lot of things.
@dangerbrain Not sure to say if username checks out, or can I join your Facebook group/OnlyFans 😉
Assuming for a minute you're not Sir Richard Moore, why? All you're doing is making things *less* secure by reducing your ability to recall those passwords, thereby increasing your reliance on services like LastPass.
Assuming for a minute you’re not Sir Richard Moore why?
In a funny coincidence, Moore's Law. 8 character passwords used to be considered reasonably secure - they're now crackable in 5 minutes. 16 is really a minimum for good security practice.
All you're doing is making things *less* secure by reducing your ability to recall those passwords, thereby increasing your reliance on services like LastPass.
Even in the aftermath of the LastPass breach, no security professionals are recommending that you give up on password managers.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
Having more complex, non-reused, easily rotated, passwords is a better compromise.
And the complete opposite of what's considered best practice. Especially the changing them regularly bit.
As for 16 characters, even phrases work for that so as long as your passphrase isn't 'FirstDirectPassword' then it's still going to take an inordinate amount of time to crack. My work password is apparently in the order of 6 trillion years. You can easily remember a phrase or set of words you associate with something.
Eg. Santander - first part of the word is Santa aka St Nick, when you were at uni you knew a guy called Nick who once had a girlfriend called Jenni; 'NickBiffedJenni' or maybe you know more details; 'JenniPeggedNick'.
By making passwords stupidly long, complex and disposable you're having to rely on third parties to keep them secure (if you want to be able to use them outside). What if the next ransom attack is someone getting a database of master passwords (but not their actual passwords) and holding every single person to ransom?
That's where I work from, that and there are plenty of places I don't give a shit about anyone getting into as the most they will learn is my email address (which is already on plenty of spam lists) so yes, I use an easy to remember generic password. Who cares?