Old 07-28-2015, 08:58 AM   #21
I'm not sure any OS is invulnerable to security violations (including Linux, we had experience all the way down to patching the kernel to support hardware access we needed). Windows just has such an entrenched user base it attracts more attention from the bad guys.

The practices that are being discussed in this thread and articles are a good idea, regardless. It's good to be vigilant.
-- steelyman
Old 07-28-2015, 12:58 PM   #22
It was my understanding that LastPass was hacked in the last couple of months.
-- DEC-1982
Old 07-28-2015, 02:25 PM   #23
Quote:
Originally Posted by DEC-1982
It was my understanding that LastPass was hacked in the last couple of months.
Yep, there was a good thread about it, on the forum, if you want to check it out.
-- Sarah in SC
Old 07-28-2015, 05:40 PM   #24
Quote:
Originally Posted by Sarah in SC
Yep, there was a good thread about it, on the forum, if you want to check it out.
Thank you, I guess I'll continue to keep my passwords in a little inconspicuous notebook. I guess this is also why I've never felt comfortable using financial services sites like Mint that ask for all the passwords for one's financial life in order to aggregate the results.
-- ejman
Old 07-28-2015, 06:43 PM   #25
A few questions about a password keeper:

With 5 computers and a tablet, in three different locations, all synced with Chrome, how does this work? Separate on each computer?

Over 30 years, have signed on to many hundreds, maybe thousands of websites. Does a password keeper have to be changed for every website individually?

What kind of security does this provide when there are sites that have personal information, based on an email address where someone already has info on the original password... if I haven't gone back to that site for many years?

In simple terms, how does a password protector help protect from long forgotten, unvisited websites?

As it stands today, I can go back and sign on to sites that I visited from AOL, back in 1985.
-- imoldernu
Old 07-28-2015, 08:28 PM   #26
Quote:
Originally Posted by DEC-1982
It was my understanding that LastPass was hacked in the last couple of months.
I guess us "amateurs" can learn as much from IT "experts" as we can from "financial experts advisors".
-- Rick_Head
Old 07-28-2015, 08:39 PM   #27
Quote:
Originally Posted by DEC-1982
It was my understanding that LastPass was hacked in the last couple of months.
Exactly - I wondered why this didn't give anyone pause.
-- audreyh1
Old 07-29-2015, 06:31 AM   #28
Quote:
Originally Posted by ejman
Thank you, I guess I'll continue to keep my passwords in a little inconspicuous notebook. I guess this is also why I've never felt comfortable using financial services sites like Mint that ask for all the passwords for one's financial life in order to aggregate the results.
+1

I think any site that has a gazillion passwords is probably a huge magnet for hackers. The balance is towards the hacker; any of these sites has to protect itself against every possible hack, while the hacker has to get just one or two breaks.
-- DEC-1982
Old 07-29-2015, 06:34 AM   #29
Quote:
Originally Posted by Rick_Head
I guess us "amateurs" can learn as much from IT "experts" as we can from "financial experts advisors".
It seems that more than a few IT professionals parrot the talking points from the OS vendors without a lot of critical thought.

Kind of a well-paid, "information conduit" role.
-- gauss
Old 07-29-2015, 08:33 AM   #30
Quote:
Originally Posted by gauss
It seems that more than a few IT professionals parrot the talking points from the OS vendors without a lot of critical thought.

Kind of a well-paid, "information conduit" role.
Many have practiced that skill for years. The industry loves new shiny objects! "Don't worry about that old hard learned lesson, it's new technology. What could go wrong?"
-- MRG
Old 07-30-2015, 12:05 PM   #31
Quote:
Originally Posted by audreyh1
Exactly - I wondered why this didn't give anyone pause.
Well, probably because the reporting on the story was hyped to sell magazines and get clicks.

What they didn't report was that even if everything LastPass had was handed to hackers on a silver platter, the only risk to having your passwords compromised (i.e. decrypting a vault) would be to the silly person who didn't use a long and unguessable pass phrase. Everyone with a brain would still have all their passwords 100% secure. LastPass has information (email addresses) we'd rather not hand over to the hackers, but the breach was not as dire as presented by the hypemasters.
-- sengsational
Old 07-30-2015, 07:36 PM   #32
Quote:
Originally Posted by sengsational
Well, probably because the reporting on the story was hyped to sell magazines and get clicks.

What they didn't report was that even if everything LastPass had was handed to hackers on a silver platter, the only risk to having your passwords compromised (i.e. decrypting a vault) would be to the silly person who didn't use a long and unguessable pass phrase. Everyone with a brain would still have all their passwords 100% secure. LastPass has information (email addresses) we'd rather not hand over to the hackers, but the breach was not as dire as presented by the hypemasters.
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time, but what about the next time? The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
-- Options
Old 07-30-2015, 09:02 PM   #33
Replies in bold; this applies to LastPass only.

Quote:
Originally Posted by imoldernu
A few questions about a password keeper:

With 5 computers and a tablet, in three different locations, all synced with Chrome, how does this work? Separate on each computer?

LastPass keeps an encrypted file locally on each computer; there is also an encrypted file stored on the LastPass server. All the local LastPass files on your computers sync with the file stored on the LastPass server, so any web site login saved in LastPass on one computer will be shared on all your computers. LastPass is free for Windows, but I believe there is a cost for tablets/phones (Android).


Over 30 years, have signed on to many hundreds, maybe thousands of websites. Does a password keeper have to be changed for every website individually?

In short, yes. When you log into a web site that isn't already stored in LastPass, it will always ask you if you want to store it in LastPass; you're not required to. If you do, LastPass will store whatever user name/password was used to log in to that site.

What kind of security does this provide when there are sites that have personal information, based on an email address where someone already has info on the original password... if I haven't gone back to that site for many years?

LastPass doesn't protect you from any website that gets hacked where the hackers get access to login information. It does make it easy to create and manage unique, difficult passwords for each site so that no two sites use the same password; it's up to you to change the passwords frequently.

In simple terms, how does a password protector help protect from long forgotten, unvisited websites?

LastPass can't help you with old login accounts that aren't managed by LastPass. The key is to use LastPass to create unique difficult passwords for all sites that you do use.

As it stands today, I can go back and sign on to sites that I visited from AOL, back in 1985.

As stated above, when you log in to one of those sites after installing LastPass, it will ask you if you want to store the login information in LastPass. It would be a very good idea at that time to not only save it but use the LastPass password generator to create new passwords for you.
-- zinger1457
Old 07-30-2015, 09:45 PM   #34
Quote:
Originally Posted by Options
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time, but what about the next time? The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
I use Roboform, not LastPass, but I haven't been worried about it because Roboform doesn't have the master password that I use to gain access to my passwords. Yes, someone could hack Roboform and get the file with all my passwords, but they couldn't get into it because Roboform itself doesn't have the master password to the file.
-- Katsmeow
Old 07-30-2015, 10:27 PM   #35
Quote:
Originally Posted by ejman
Looks like very reasonable steps. Apparently, from the limited research I've done, there is no widely recommended virus scanning software for Linux either.
You could use clamscan
-- Sunset
Old 07-30-2015, 11:17 PM   #36
Quote:
Originally Posted by Sunset
You could use clamscan
ClamAV is the website for it.
-- Sunset
Old 07-31-2015, 07:50 AM   #37
Quote:
Originally Posted by Options
Emphasis added

Doesn't matter. It was still a breach. May have been "100% secure" this time, but what about the next time? The "pause" it gave me was to confirm the decision I made when selecting a PM to go with KeePass, a PM not on any cloud anywhere.

See this for a nice list of the most recent sites people entrusted to ensure their data was 100% secure until it wasn't:

http://www.nytimes.com/interactive/2...quiz.html?_r=0
KeePass is great too, but suffers from the same vulnerability as LastPass...if they get a keylogger on your machine, the keys to the kingdom are lost. But that's a risk the KeePass and LastPass users have deemed acceptable for the convenience of having passwords at the ready.

Your post implies that there is additional risk having the LastPass vault stored on LastPass' servers. We disagree on that point because I am as sure as I can be that even if 100% of the data that LastPass holds were handed over to hackers, the hackers would not be able to access my passwords. The system design is such that they (LastPass) simply do not have a way to decrypt the vault. So comparing a scheme where passwords are "protected" by a cloud service as opposed to LastPass who, with a gun to their head, could not produce my passwords, I think is not valid.

But if I didn't have LastPass, I'd use KeePass and save its vault to my Google Drive so I'd have home-grown synch capability. DIY synch is a minus, but being open source is a plus. I'd need another open source tool to keep up with LastPass: KeePass2Android. Another plus is yours is free, and mine is 10 a year if I want to use the mobile client. Gee, I've almost talked myself into switching...not for security reasons at all, like I said, I'm chill with security, but I really like the idea of open source; all indications are that LastPass has done what they said, and did it right, but nothing like looking at the code for myself.
-- sengsational
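The vault design sengsational describes in posts #31 and #37 (the client derives the key from the master passphrase, the server only ever holds ciphertext and a one-way login hash, so a full dump of the server is useless without the passphrase), shown as an added illustration that is not code from the thread or from LastPass. The iteration count, the e-mail-as-salt choice and the HMAC-based toy cipher standing in for AES are assumptions of this demo, not LastPass's real parameters.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000   # assumed client-side PBKDF2 rounds for this demo, not LastPass's real value
NONCE_LEN, TAG_LEN = 16, 32


def derive_vault_key(master_passphrase: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Vault key is derived on the client only; the account e-mail acts as the salt (assumption)."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), email.lower().encode(), iterations)


def login_hash(vault_key: bytes, master_passphrase: str) -> bytes:
    """One further one-way step; this hash is the only credential the server keeps."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_passphrase.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-counter keystream standing in for AES so the demo runs on the stdlib alone."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client: nonce || ciphertext || HMAC tag, all under the vault key."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(vault_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(vault_key, nonce, len(ct))))


def server_record(email: str, master_passphrase: str, vault_plaintext: bytes) -> dict:
    """Everything the server ever receives: e-mail, login hash and ciphertext. No key, no passphrase."""
    key = derive_vault_key(master_passphrase, email)
    return {"email": email, "login_hash": login_hash(key, master_passphrase),
            "vault": encrypt_vault(key, vault_plaintext)}


def open_vault(record: dict, passphrase: str):
    """The only route into a leaked record: re-derive the key from a passphrase, at full KDF cost."""
    return decrypt_vault(derive_vault_key(passphrase, record["email"]), record["vault"])


if __name__ == "__main__":
    # Constructed sample account; the vault body is just an illustrative byte string.
    rec = server_record("user@example.com", "correct horse battery staple", b"bank: hunter2\n")
    print("right passphrase:", open_vault(rec, "correct horse battery staple"))
    print("wrong passphrase:", open_vault(rec, "password"))
```

The record is all a server-side breach would yield; the KDF cost per guess is what a long, unguessable passphrase multiplies, which is the point of post #31.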
Old 07-31-2015, 04:29 PM   #38
I used KeePass on the Mac and it sucked. Maybe it's better now. I went over to LastPass and have been happy. I'm not worried about the issues for reasons mentioned here. Before I settled on LastPass, I spent some time understanding how they are storing your data. Based on this, I believe reports of the breaches are overhyped.

Plus, even if somebody did get my actual password, all of my important sites have two-factor authentication. It wouldn't do anybody a bit of good having my password and I'd be notified immediately, giving me plenty of time to change my passwords. This really is a non-issue, but use whatever works best for you.
-- tulak
Old 07-31-2015, 07:09 PM   #39
Quote:
Originally Posted by sengsational
KeePass is great too, but suffers from the same vulnerability as LastPass...if they get a keylogger on your machine, the keys to the kingdom are lost.

...Your post implies that there is additional risk having the LastPass vault stored on LastPass' servers. We disagree on that point because I am as sure as I can be that even if 100% of the data that LastPass holds were handed over to hackers, the hackers would not be able to access my passwords. The system design is such that they (LastPass) simply do not have a way to decrypt the vault. So comparing a scheme where passwords are "protected" by a cloud service as opposed to LastPass who, with a gun to their head, could not produce my passwords, I think is not valid...

..
Nope. Have you used KeePass? Logins/PWs are cut and pasted, with the ability for the clipboard to empty in just a few seconds. That would be much harder to capture than a "breach" of any cloud-based operation, as shown by my link of supposedly safe sites above. Sure, nothing on the planet is 100% foolproof, but the chances of a juicy target like a cloud-based PM getting hacked/breached are much higher than a keylogger targeting my little machine, particularly with the precautions I take. I and anyone else using a portable PM are tiny potatoes compared to the enormous riches awaiting anyone who can hack a cloud-based PM. I'm neither rich nor interesting enough for someone to waste their time hacking or keylogging me.

If hackers will go after an organization like Anthem, you can bet someone somewhere is constantly trying to hack/breach any and all cloud-based PM's.

I'm aware that the vault on LastPass supposedly cannot be decrypted by LP. However, if it's so foolproof, why did hackers bother to attempt to breach LP at all? Why did LP send out a warning regarding it? I am personally simply not comfortable with their assurances. Further, the fact that hackers were able to cover any amount of ground with LP is evidence of some vulnerability somewhere. I agree it's a personal preference, and given my conservative nature, I take no chances, no matter how remote, especially with something as important as PWs. YMMV
-- Options
Old 08-02-2015, 02:18 PM   #40
Hackers go after any site where they can get email addresses. And I'm sure some LastPass users have guessable master pass phrases, so that's an additional hacker motive.

We agree that there seems to be no way to keep hackers out of "juicy" targets, and I understand wanting to keep your passwords local, and in a form that can't be brute-force decrypted. You referenced a bunch of hacked sites (no shortage of examples there); that's enough proof for most people that nothing stored in the cloud is safe.
-- sengsational