Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Old 07-28-2015, 09:58 AM   #21
Thinks s/he gets paid by the post
steelyman's Avatar
 
Join Date: Feb 2011
Location: Triangle
Posts: 3,218
I'm not sure any OS is invulnerable to security violations (including Linux, we had experience all the way down to patching the kernel to support hardware access we needed). Windows just has such an entrenched user base it attracts more attention from the bad guys.

The practices that are being discussed in this thread and articles are a good idea, regardless. It's good to be vigilant.
__________________

__________________

steelyman is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 07-28-2015, 01:58 PM   #22
Recycles dryer sheets
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 348
It was my understanding that LastPass was hacked in the last couple of months.
__________________

__________________
DEC-1982 is offline   Reply With Quote
Old 07-28-2015, 03:25 PM   #23
Moderator
Sarah in SC's Avatar
 
Join Date: Sep 2005
Location: Charleston, SC
Posts: 13,456
Quote:
Originally Posted by DEC-1982 View Post
It was my understanding that LastPass was hacked in the last couple of months.
Yep, there was a good thread about it, on the forum, if you want to check it out.
__________________
“One day your life will flash before your eyes. Make sure it's worth watching.”
Gerard Arthur Way

Sarah in SC is offline   Reply With Quote
Old 07-28-2015, 06:40 PM   #24
Thinks s/he gets paid by the post
 
Join Date: Feb 2007
Posts: 1,905
Quote:
Originally Posted by Sarah in SC View Post
Yep, there was a good thread about it, on the forum, if you want to check it out.
Thank you, I guess I'll continue to keep my passwords in a little inconspicuous notebook. I guess this is also why I've never felt comfortable using financial services sites like Mint that ask for all the passwords for one's financial life in order to aggregate the results.
__________________
ejman is online now   Reply With Quote
Old 07-28-2015, 07:43 PM   #25
Thinks s/he gets paid by the post
imoldernu's Avatar
 
Join Date: Jul 2012
Location: Peru
Posts: 4,616
A few questions about a password keeper:

With 5 computers and a tablet, in three different locations, all synced with Chrome, how does this work? Separate on each computer?

Over 30 years, have signed on to many hundreds, maybe thousands of websites. Does a password keeper have to be changed for every website individually?

What kind of security does this provide when there are sites that have personal information, based on an email address where someone already has info on the original password... if I haven't gone back to that site for many years?

In simple terms, how does a password protector help protect from long forgotten, unvisited websites?

As it stands today, I can go back and sign on to sites that I visited from AOL, back in 1985.
__________________
imoldernu is offline   Reply With Quote
Old 07-28-2015, 09:28 PM   #26
Recycles dryer sheets
 
Join Date: Aug 2014
Location: Western Canada
Posts: 393
Quote:
Originally Posted by DEC-1982 View Post
It was my understanding that LastPass was hacked in the last couple of months.
I guess us "amateurs" can learn as much from IT "experts" as we can from "financial experts advisors".
__________________
I'm not crazy. Honest, the judge had me tested.
Rick_Head is offline   Reply With Quote
Old 07-28-2015, 09:39 PM   #27
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,467
Quote:
Originally Posted by DEC-1982 View Post
It was my understanding that LastPass was hacked in the last couple of months.
Exactly - I wondered why this didn't give anyone pause.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 07-29-2015, 07:31 AM   #28
Recycles dryer sheets
 
Join Date: May 2015
Location: Atlanta suburbs
Posts: 348
Quote:
Originally Posted by ejman View Post
Thank you, I guess I'll continue to keep my passwords in a little inconspicuous notebook. I guess this is also why I've never felt comfortable using financial services sites like Mint that ask for all the passwords for one's financial life in order to aggregate the results.
+1

I think any site that has a gazillion passwords is probably a huge magnet for hackers. The balance is towards the hacker; any of these sites has to protect itself against every possible hack, while the hacker has to get just one or two breaks.
__________________
DEC-1982 is offline   Reply With Quote
Old 07-29-2015, 07:34 AM   #29
Thinks s/he gets paid by the post
gauss's Avatar
 
Join Date: Aug 2011
Posts: 1,708
Quote:
Originally Posted by Rick_Head View Post
I guess us "amateurs" can learn as much from IT "experts" as we can from "financial experts advisors".
It seems that more than a few IT professionals parrot the talking points from the OS vendors without a lot of critical thought.

Kind of a well-paid, "information conduit" role.
__________________
gauss is offline   Reply With Quote
Old 07-29-2015, 09:33 AM   #30
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Apr 2013
Posts: 5,570
Quote:
Originally Posted by gauss View Post
It seems that more than a few IT professionals parrot the talking points from the OS vendors without a lot of critical thought.

Kind of a well-paid, "information conduit" role.
Many have practiced that skill for years. The industry loves new shiny objects! "Don't worry about that old hard learned lesson, it's new technology. What could go wrong?"
__________________
MRG is online now   Reply With Quote
Old 07-30-2015, 01:05 PM   #31
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,832
Quote:
Originally Posted by audreyh1 View Post
Exactly - I wondered why this didn't give anyone pause.
Well, probably because the reporting on the story was hyped to sell magazines and get clicks.

What they didn't report was that even if everything LastPass had was handed to hackers on a silver platter, the only risk to having your passwords compromised (i.e. decrypting a vault) would be to the silly person who didn't use a long and unguessable pass phrase. Everyone with a brain would still have all their passwords 100% secure. LastPass has information (email addresses) we'd rather not hand over to the hackers, but the breach was not as dire as presented by the hypemasters.
__________________
sengsational is offline   Reply With Quote
Old 07-30-2015, 08:36 PM   #32
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by sengsational View Post
Well, probably because the reporting on the story was hyped to sell magazines and get clicks.

What they didn't report was that even if everything LastPass had was handed to hackers on a silver platter, the only risk to having your passwords compromised (i.e. decrypting a vault) would be to the silly person who didn't use a long and unguessable pass phrase. Everyone with a brain would still have all their passwords 100% secure. LastPass has information (email addresses) we'd rather not hand over to the hackers, but the breach was not as dire as presented by the hypemasters.
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time but what about the next time. The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
__________________
Options is offline   Reply With Quote
Old 07-30-2015, 10:02 PM   #33
Thinks s/he gets paid by the post
zinger1457's Avatar
 
Join Date: Jul 2007
Posts: 1,452
Reply in bold, this applies to LastPass only.

Quote:
Originally Posted by imoldernu View Post
A few questions about a password keeper:

With 5 computers and a tablet, in three different locations, all synced with Chrome, how does this work? Separate on each computer?

LastPass keeps an encrypted file locally on each computer, there is also an encrypted file stored on the LastPass server. All the local LastPass files on your computers sync with the file stored on the LastPass server. So any web site login saved in LastPass on one computer will be shared on all your computers. LastPass is free for Windows but I believe there is a cost for tablets/phones (android).


Over 30 years, have signed on to many hundreds, maybe thousands of websites. Does a password keeper have to be changed for every website individually?

In short yes. When you log into a web site that isn't already stored in LastPass it will always ask you if you want to store it in LastPass, you're not require to. If you do LastPass will store whatever user name/password was used to log in to that site.

What kind of security does this provide when there are sites that have personal information, based on an email address where someone already has info on the original password... if I haven't gone back to that site for many years?

LastPass doesn't protect you from any website that gets hacked and the hackers get access to login information. It does make it easy to create and manage unique difficult passwords for each site so that no two sites use the same password, it's up to you to change the passwords frequently.

In simple terms, how does a password protector help protect from long forgotten, unvisited websites?

LastPass can't help you with old login accounts that aren't managed by LastPass. The key is to use LastPass to create unique difficult passwords for all sites that you do use.

As it stands today, I can go back and sign on to sites that I visited from AOL, back in 1985.

As stated above when you login to one of those sites after installing LastPass it will ask you if you want to store the login information in LastPass. It would be a very good idea at that time to not only save it but use LastPass password generator to create new passwords for you.
__________________
zinger1457 is offline   Reply With Quote
Old 07-30-2015, 10:45 PM   #34
Thinks s/he gets paid by the post
Katsmeow's Avatar
 
Join Date: Jul 2009
Posts: 3,396
Quote:
Originally Posted by Options View Post
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time but what about the next time. The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
I use Roboform not Lastpass, but I haven't been worried about it because Roboform doesn't have the master password that I use to gain access to my passwords. Yes, someone could hack Roboform and get the file with all my passwords, but they couldn't get into it because Roboform itself doesn't have the master password to the file.
__________________
Katsmeow is offline   Reply With Quote
Old 07-30-2015, 11:27 PM   #35
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,723
Quote:
Originally Posted by ejman View Post
Looks like very reasonable steps. Apparently from the limited research I've done there is no widely recommended virus scanning software for linux either.
You could use clamscan
__________________
Sunset is offline   Reply With Quote
Old 07-31-2015, 12:17 AM   #36
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,723
Quote:
Originally Posted by Sunset View Post
You could use clamscan
ClamAV is the website for it.
__________________
Sunset is offline   Reply With Quote
Old 07-31-2015, 08:50 AM   #37
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,832
Quote:
Originally Posted by Options View Post
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time but what about the next time. The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
KeePass is great too, but suffers from the same vulnerablility as LastPass...if they key a keylogger on your machine, the keys to the kingdom are lost. But that's a risk the KeePass and LasPass user have deemed acceptable for the convenience of having passwords at the ready.

Your post implies that there is additional risk having the LastPass vault stored on LastPass' servers. We disagree on that point because I am as sure as I can be that even if 100% of the data that LastPass holds were handed over to hackers, the hackers would not be able to access my passwords. The system design is such that they (LastPass) simply do not have a way to decrypt the vault. So comparing a scheme where passwords are "protected" by a cloud service as opposed to LastPass who, with a gun to their head, could not produce my passwords, I think is not valid.

But if I didn't have LastPass, I'd use KeePass, save it's vault to my google drive so I'd have home grown synch capability. DIY synch is a minus, but being open source is a plus. I'd need another open source toolto keep up with LastPass: KeePass2Android. Another plus is yours is free, and mine is 10 a year if I want to use the mobile client. Gee, I've almost talked myself into switching...not for security reasons at all, like I said, I'm chill with security, but I really like the idea of open source; all indications are that LastPass has done what they said, and did it right, but nothing like looking at the code for myself.
__________________
sengsational is offline   Reply With Quote
Old 07-31-2015, 05:29 PM   #38
Full time employment: Posting here.
 
Join Date: Aug 2007
Posts: 892
I used KeePass and on the Mac and it sucked. Maybe it's better now. I went over to LastPass and have been happy. I'm not worried about the issues for reasons mentioned here. Before I settled on LastPass, I spent sometime understanding how they are storing your data. Based on this, I believe reports of the breaches are overhyped.

Plus, even if somebody did get my actual password, all of my important sites have two-factor authentication. It wouldn't do anybody a bit of good having my password and I'd be notified immediately, giving me plenty of time to change my passwords. This really is a non-issue, but use whatever works best for you.
__________________
Eat, Drink and Be Merry.
tulak is offline   Reply With Quote
Old 07-31-2015, 08:09 PM   #39
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by sengsational View Post
KeePass is great too, but suffers from the same vulnerablility as LastPass...if they key a keylogger on your machine, the keys to the kingdom are lost.

...Your post implies that there is additional risk having the LastPass vault stored on LastPass' servers. We disagree on that point because I am as sure as I can be that even if 100% of the data that LastPass holds were handed over to hackers, the hackers would not be able to access my passwords. The system design is such that they (LastPass) simply do not have a way to decrypt the vault. So comparing a scheme where passwords are "protected" by a cloud service as opposed to LastPass who, with a gun to their head, could not produce my passwords, I think is not valid...

..
Nope. Have you used KeePass? Logins/PW's are cut and pasted, with the ability for the clipboard to empty in just a few seconds. Would be much harder to capture than a "breach" of any cloud-based operation, as shown by my link of supposedly safe sites above. Sure, nothing on the planet is 100% foolproof, but the chances of a juicy target like a cloud-based PM getting hacked/breached are much higher than a keylogger targeting my little machine, particularly with the precautions I take. I and anyone else using a portable PM are tiny potatoes compared to the enormous riches awaiting anyone who can hack a cloud-based PM. I'm neither rich or interesting enough for someone to waste their time hacking or keylogging me.

If hackers will go after an organization like Anthem, you can bet someone somewhere is constantly trying to hack/breach any and all cloud-based PM's.

I'm aware that the vault on LastPass supposedly cannot be unencrypted by LP. However, if it's so foolproof, why did hackers bother to attempt to breach LP at all? Why did LP send out a warning regarding it? I am personally simply not comfortable with their assurances. Further, the fact that hackers were able to cover any amount of ground with LP is evidence of some vulnerability somewhere. I agree it's a personal preference, and given my conservative nature, I take no chances, no matter how remote, especially with something as important as PW's. YMMV
__________________
Options is offline   Reply With Quote
Old 08-02-2015, 03:18 PM   #40
Thinks s/he gets paid by the post
sengsational's Avatar
 
Join Date: Oct 2010
Posts: 3,832
Hackers go after any site where they can get email addresses. And I'm sure some LastPass users have guessable master pass phrases, so that's an additional hacker motive.

We agree that there seems to be no way to keep hackers out of "juicy" targets, and I understand wanting to keep your passwords local, and in a form that can't be brute force decrypted. You referenced a bunch of hacked sites (no shortage of examples there), that's enough proof for most people that nothing stored in the cloud is safe.
__________________

__________________
sengsational is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Can 95% Safe = 100% Safe? halo FIRE and Money 3 10-14-2008 07:56 PM
Diversification Is For Amateurs sarahsays FIRE and Money 41 05-31-2008 10:53 AM
Staying in a motel ... no really - staying! calmloki Life after FIRE 11 09-20-2007 06:29 PM
LEARN- STOCKS & ONLINE TRADING whattolearn FIRE and Money 42 06-23-2005 05:41 PM
"Is the Safe Withdrawal Rate TOO Safe?" Nords FIRE and Money 13 10-20-2004 11:36 AM

 

 
All times are GMT -6. The time now is 10:33 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.