#passwords

california@diaspora.permutationsofchaos.com

How did #LastPass master #passwords get compromised?

TL;DR: It appears that LastPass #infrastructure has been compromised, all other explanations being rather unlikely. And, surprisingly, it isn’t given that the attackers actually know these master passwords.

The question is why is the master password stored in the cloud in clear text?

Source: https://palant.info/2021/12/29/how-did-lastpass-master-passwords-get-compromised/

#hack #security #software #danger #warning #news #bug

phil_stracchino@pluspora.com

It's forced password reset time at work again.

And I think this is an opportune time for a reminder that A PASSWORD THAT YOU CANNOT REMEMBER IS USELESS.

The best passwords are ones that you can remember, but that cannot be easily guessed or bruteforced. And that means they need to be meaningful to you in some way, but meaningless and non-obvious to anyone else. It should not be a piece of public-record information, it should not refer to something that everyone knows about you, it should not be a common dictionary word.
But also, it shouldn't be line noise.

Unfortunately what a lot of administrators who have little or no practical experience in the real world, or are simply following rules written by people with a similar lack of real world understanding, often tend to do is something like this:
1. Find the list of available password constraints.
2. Go down the rule list and just check every box. Because why would they be there if you weren't supposed to use them?
3. Set password expiry to the shortest allowed interval.

This isn't a recipe for secure passwords. It's a recipe for forcing people to write down passwords on sticky notes on their desks. Or message it to themselves on their phones. Somewhere, ANYWHERE, that they can copy it from whenever they need it, because they can't remember what this month's there-was-a-cat-fight-on-the-keyboard password is.
And if you can copy your password whenever you need it, it's likely someone else with physical access can as well. It becomes less a question of "How strong a password did you choose" and more one of "How well did you hide your password".

To a large extent, as long as you're not using common dictionary words, password complexity rules are of rather little value. As long as a brute-force password scanner is including "special" (non-alphanumeric) characters in its keyspace anyway, it matters not one whit whether your password contains two of them, fourteen, or none. It matters not in the slightest whether your password contains short repeats or runs of characters. A brute-force password scanner is going to try every possible permutation anyway. Once you're already avoiding simple dictionary attacks and making an attacker scan an extended keyspace, THE ONLY meaningful parameter in the strength of a password is its length. And that means that a reasonably-obfuscated password that you can actually remember and type from memory without errors is just as strong, in the real world, as one that looks as though someone closed their eyes and dumped a bucket of billiard balls over your keyboard. Probably stronger, because you don't have to write it down or otherwise record it.

The real heart of this is that we need to move away from passwords. They are a lousy means of security. We're starting to see wider use of biometric authentication, but biometric security has its own drawbacks too — if your biometric "credentials" are successfully spoofed, how do you change them?

Two-factor authentication is becoming more widely used, but it's not perfect and it's not foolproof, and some forms — one-time-code verification via SMS, for example — can easily be bypassed by means such as SIM-swapping attacks. It is a truism of security that the strongest security schemes combine three factors — something you have, something you know, and something you are.

But if you're relying on ONE factor — something you know — and then making that one thing so cryptic and arcane that the average person cannot practically be expected to remember it without writing it down somewhere, then you don't have security any more. You have security theater.

#security #passwords
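The keyspace argument in the post above, worked through as an added example (this is not code from the post or its author). It computes the brute-force search space as length times log2 of the attacker's alphabet, shows that two passwords of equal length scanned over the same alphabet cost the attacker the same regardless of how many "special" characters each contains, and carries the post's own caveat about dictionary words one step further: a phrase made of common words is cheap for an attacker who guesses words rather than characters. The sample passwords, the 1e10 guesses/second rate and the 10,000-word list size are constructed assumptions for illustration.

```python
import math
import string

# Character classes a brute-force scanner enumerates. Once the attacker
# assumes a class is in play, every position draws from the whole class,
# so how many specials the password contains no longer matters.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),  # 26 symbols
    "upper": frozenset(string.ascii_uppercase),  # 26 symbols
    "digit": frozenset(string.digits),           # 10 symbols
    "special": frozenset(string.punctuation),    # 32 symbols
}


def classes_used(password):
    """Names of the character classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}


def alphabet_size(password):
    """Alphabet an attacker has to enumerate if they include every class present."""
    return sum(len(CLASSES[name]) for name in classes_used(password))


def brute_force_bits(password, attacker_alphabet=None):
    """log2 of the candidates a brute-force scan must try to cover every string
    of this length over the attacker's alphabet (defaults to the classes used).
    Length multiplies; the alphabet only contributes a per-character constant."""
    alphabet = attacker_alphabet if attacker_alphabet is not None else alphabet_size(password)
    return len(password) * math.log2(alphabet)


def dictionary_bits(word_count, dictionary_size):
    """Caveat: if the password is built from common words and the attacker guesses
    words from a list instead of enumerating characters, the search space is only
    dictionary_size ** word_count, however long the phrase is in characters."""
    return word_count * math.log2(dictionary_size)


def years_to_exhaust(bits, guesses_per_second=1e10):
    """Years to enumerate the whole space at an assumed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    short_complex = "Xk7$pQ2!"                     # 8 chars, all four classes
    long_memorable = "copper-kettle-blue-morning"  # 26 chars, lowercase plus '-'
    for pw in (short_complex, long_memorable):
        bits = brute_force_bits(pw)
        print(f"{pw!r}: {len(pw)} chars over {alphabet_size(pw)} symbols -> "
              f"{bits:.1f} bits, {years_to_exhaust(bits):.2e} years at 1e10 guesses/s")
    # Same length, same attacker alphabet: one special or six makes no difference.
    print(brute_force_bits("aaaaaaaaaaa!", 94) == brute_force_bits("!!!!!!aaaaaa", 94))
    # But four common words from a 10,000-word list are only ~53 bits to a
    # dictionary attacker, nowhere near the ~152 bits a character scan implies.
    print(f"4 words from a 10k-word list: {dictionary_bits(4, 10_000):.1f} bits")
```

The 8-character all-class password comes out near 52 bits, the 26-character hyphenated phrase near 152 bits against a character scanner, which is the post's point about length; the dictionary figure is the reminder that the phrase only keeps that margin if its words are not the obvious ones.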

georgehank@pluspora.com

They're nuts over at Hetzner:

Invalid characters, allowed are: A-Z a-z 0-9 ä ö ü ß Ä Ö Ü ^ ! $ % / ( ) = ? + # - . , ; : ~ * @ [ ] { } _ ° §

Well, you can surely guess where only these characters are allowed. Exactly: the PASSWORD.

My crime? KeepassXC's password generator sneaked a "<" into my password. Rascal.

#hetzner #passwords #alleskaputt

danie10@squeet.me

The Postmortem Password Problem - Google, LastPass, Bitwarden, etc. allow you to set Emergency Contacts

Death and passwords: two things we just can’t avoid. With so much of our lives tied up in cloud services nowadays, there’s good reason to worry about what happens to these accounts if we drop dead tomorrow. For many of us, important documents, photos, financial information and other data will be locked behind a login prompt. Your payment methods will also expire shortly after you have, which could lead to data loss if not handled promptly. The most obvious way to address this is to give a trusted party access in case of emergency.

The article below is food for thought certainly, but not comprehensive at all in terms of what services offer this. Emergency contacts are trusted users you nominate, who will either gain access by default if you are not using the account for a period and fail to respond to prompts, or else they can request access. A good password manager will quickly enable the accesses they need to get to photos, documents, social media accounts, etc. It's your choice, but it's worth considering it from your family's perspective too. Or yes, you could save the master password on a piece of paper in your safe (assuming your family knows what to find where - you've planned all that, haven't you...).
https://hackaday.com/2021/09/01/the-postmortem-password-problem/

See The Postmortem Password Problem

#technology #death #passwords

https://gadgeteer.co.za/postmortem-password-problem-google-lastpass-bitwarden-etc-allow-you-set-emergency-contacts

danie10@squeet.me

These are the Best Free Password Managers: Bitwarden, KeePass, and more!

Having a password manager is one of the best courses of action if you want to keep your online presence secure, and it's one of the very first recommended apps we should be installing on our phones. It has been known for a long time that keeping the same password (or just slight variations of the same password) across several websites is insecure, as once someone manages to get their hands on your password, they can have easy access to all of your other accounts.

But some things you need to consider are:
* 2FA for app - very necessary now to prevent someone taking control of your password manager itself
* Sync across devices - not only for convenience but also as backup if primary device gets lost
* Automated backups - certainly needed if not syncing across devices
* Cross-Platform - to auto-fill on desktop browser, iOS, Android
* Independent audits - essential to know the app has been independently tested and verified
* 2FA Auto-Fill - nice to have for many sites that now use 2FA and where you don't want to run a separate 2FA app

See Best Free Password Manager: Bitwarden, KeePass, LastPass and more!

#technology #security #passwords #passwordmanager

https://gadgeteer.co.za/these-are-best-free-password-managers-bitwarden-keepass-and-more

mjcarman@pluspora.com

Unless you're a technological ascetic your login credentials will be part of a data breach. There are too many services, too many half-assed security measures, too many bugs in underlying libraries and protocols, too many novel attack vectors, and too many bad actors and too much attack surface to not be caught up in a breach sooner or later. The only questions are when it will happen and which service will be compromised.

If you're lucky the service will notice the breach quickly and notify you to change your password. If you're unlucky your credentials could be out there for months or years without your knowing about it. There are services like Have I Been Pwned? that will tell you whether or not your email address has shown up in a leak, but that information by itself is useless. You need to know the site/service associated with the credentials and they don't tell you that – not for free, anyway. That's why I'm excited about what Chrome is doing here. It's not quite a pro-active notification to go reset your password, but as long as you access a site regularly you should find out that your credentials for that site have been compromised and need to be changed.

This is why you should never reuse passwords. Get a password manager and use it to generate and manage strong, unique passwords for every account you have. That way when your credentials leak from one service they can't be used to access other services as well. Your strongest password should probably be your email account, since that's the usual channel for resetting a forgotten password. If someone gets access to your email they can probably get access to virtually everything else.

https://www.bleepingcomputer.com/news/google/google-chrome-to-warn-if-logins-are-found-in-a-data-breach/

#security #passwords #chrome