vBulletin Hacked
Old 11-04-2015   #1
Sarcophilus Harrisii
Brett Rogers
Join Date: Jun 2009
Posts: 2,666

I note RFF is powered by vBulletin.
FYI in case it impacts the forum and members.
https://nakedsecurity.sophos.com/201...ebsite-attack/

Old 11-04-2015   #2
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Hacking vBulletin, what do you get?

Most of us on the RFF don't even have real names, no SS or financial info. Still a PITA.

Old 11-04-2015   #3
majid
Fazal Majid
Join Date: May 2006
Location: San Francisco
Posts: 611
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.

Old 11-04-2015   #4
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
There are seemingly endless possibilities for nefarious activities on platforms with well-known (publicized) problems.

majid's example is the most obvious threat. If you use your RFF password on other sites, it would be prudent to change it here and on the other sites as well.
__________________
Basically, I mean, ah—well, let’s say that for me anyway when a photograph is interesting, it’s interesting because of the kind of photographic problem it states—which has to do with the . . . contest between content and form.
Garry Winogrand
williamchuttonjr.com

Old 11-04-2015   #5
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by majid
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.
Ah PHP and security.

Old 11-05-2015   #6
Jim-st
Registered User
Join Date: May 2009
Location: Fort William & Glasgow, Scotland
Posts: 429
Anyone use 1Password?

I purchased it a while back, after the Adobe hack, but never got round to installing it. It looks quite complicated, and I wonder if maybe it's just as vulnerable as any other web resource seems to be.

Anyone use it: if so how have you found it?

Anyone think it's worth avoiding: if so, why?
__________________
Jim
.............................................

Leica CL & M9 : GX80 & GF1 : LX-100 : Trip 35 : Vito CLR : iPod Touch : Epson 3800 : Lenses....

Old 11-05-2015   #7
oftheherd
Registered User
Join Date: Aug 2003
Posts: 7,920
Quote:
Originally Posted by majid
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.
Unfortunately, if a hacker can get to a hash of a password, a brute force attack is an easy solution with today's cracking programs and equipment, and doesn't take but hours, not the days or months of yesteryear.

Changing passwords often is the only helpful solution.
__________________
My Gallery

Old 11-05-2015   #8
Tompas
Wannabe Künstler
Join Date: Feb 2010
Location: Ostfriesland - Northwestern Germany
Posts: 551
Quote:
Originally Posted by Jim-st
Anyone use 1Password?

I purchased it a while back, after the Adobe hack, but never got round to installing it. It looks quite complicated, and I wonder if maybe it's just as vulnerable as any other web resource seems to be.

Anyone use it: if so how have you found it?

Anyone think it's worth avoiding: if so, why?
I didn't want to spend money on a password managing application, and more importantly, I don't trust closed source software in general and especially not for sensitive stuff like passwords.

So I use MacPass, https://github.com/mstarke/MacPass

Works, source code is available, and costs nothing. For OS X only, though. (But for Windows there are equivalent applications. MacPass is "a native OS X port of KeePass".)
__________________
-- Thomas

Old 11-05-2015   #9
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
Quote:
Originally Posted by Jim-st
Anyone use 1Password?
...
Anyone use it: if so how have you found it?

Anyone think it's worth avoiding: if so, why?
I use 1Password.

I use it on two Mac's and two iOS devices. It will sync to iCloud reliably and quickly. It will use the thumbprint functionality in iOS. 1Password also runs on Windows and Android OS. I have no experience with these platforms.

I strongly recommend it. It is not that complicated. Unfortunately most web sites don't support 100% of 1Password's automated abilities. The copy/paste functionality means manual use is not difficult.

The only disadvantage is the time it takes resetting the usernames and passwords for all your accounts. This is tedious yet unavoidable considering the risk associated with weak passwords or using the same username and password for all accounts.

All IT systems and Apps are vulnerable in some way. However, if you use the longest PW a particular log-in site supports, the password would be rather inconvenient to decrypt (although government agencies could eventually decrypt it). Criminals will go for lower hanging fruit.

Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.

The most vulnerable aspect of 1Password is the master password one selects to open the App. This has to be long and easy to remember, but not obvious and easy to type. One strategy is to use two short unrelated phrases like - pancakestastegreatPorschesarefast.

Old 11-05-2015   #10
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by willie_901
Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.
Those long passwords really are not necessary. This cartoon kind of summarizes the reality.

http://www.rangefinderforum.com/foru...1&d=1446742563

Old 11-05-2015   #11
sevo
Fokutorendaburando
Join Date: Oct 2008
Location: Frankfurt, Germany
Posts: 6,364
Quote:
Originally Posted by willie_901
Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.

The most vulnerable aspect of 1Password is the master password one selects to open the App. This has to be long and easy to remember, but not obvious and easy to type. One strategy is to use two short unrelated phrases like - pancakestastegreatPorschesarefast.
That strategy works for passwords as well, and is much superior to cryptic passwords like the above, as the latter are near impossible to memorize or enter manually, at least if you choose a length equivalent to a safe passphrase.

Old 11-05-2015   #12
ChrisLivsey
Registered User
Join Date: Jul 2007
Posts: 2,066
Quote:
Originally Posted by sevo
That strategy works for passwords as well, and is much superior to cryptic passwords like the above, as the latter are near impossible to memorize or enter manually, at least if you choose a length equivalent to a safe passphrase.
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
__________________
Fishing for shadows in a pool.
Louis Macneice

http://www.flickr.com/photos/red_eyes_man/

Old 11-05-2015   #13
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by ChrisLivsey
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
They mean well; the thinking is, "what could a few capitals and numbers hurt?"

Old 11-05-2015   #14
ColSebastianMoran
( IRL Richard Karash )
Join Date: Sep 2010
Posts: 2,364
Here are some important and effective steps for personal security:
- Use a different password for every web site. So one hack doesn't expose you to risks elsewhere.
- Use a password manager program to make that practical. I use 1Password.
- Make up fictitious answers to the security questions and keep notes. Whoever thought "mother's maiden" would be a good security question?

In addition, I recommend:
- Remove Flash and Java from your system
- To visit web sites requiring Flash, install Google Chrome browser which updates Flash continuously and runs it in a "sandbox."

I see a couple of comments above about 1Password. I think it's about as secure as you can get. And, I think it's well worth the effort

Head Bartender, it's important that you change your password at the vBulletin site.

Keep safe, everyone!
__________________
Col. Sebastian Moran, ret. (not really)

In Classifieds Now: Nothing.
Use this link to leave feedback for me.

Named "Best heavy-game shooter in the Eastern Empire." Clubs: Anglo-Indian, Tankerville, and Bagatelle Card Club.
Sony E/FE, Nikon dSLR, and iPhone digital. Misc film.
Birds, portraits, events, family. Mindfulness, reflection, creativity, and stance.

Old 11-05-2015   #15
ColSebastianMoran
( IRL Richard Karash )
Join Date: Sep 2010
Posts: 2,364
Quote:
Originally Posted by photomoof
Those long passwords really are not necessary. This cartoon kind of summarizes the reality.

http://www.rangefinderforum.com/foru...1&d=1446742563
That cartoon is right on the mark. Any dictionary word, even with numeric substitutions, is weak.

I let 1Password make up most passwords (random strings). Or I make up my own random strings including upper and lower case, numbers, and anything else the site requires, and let 1Password keep track.

Phrases like "CorrectHorseBatteryStaple" are strong passwords (not in anyone's dictionary).

Old 11-05-2015   #16
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by ColSebastianMoran
That cartoon is right on the mark. Any dictionary word, even with numeric substitutions, is weak.

I let 1Password make up most passwords (random strings). Or I make up my own random strings including upper and lower case, numbers, and anything else the site requires, and let 1Password keep track.

Phrases like "CorrectHorseBatteryStaple" are strong passwords (not in anyone's dictionary).
And if you are on vacation, and have just lost everything into a canal in Venice, you will be glad you can remember the password to your bank, when all you have left is your wife's iPhone.

Old 11-05-2015   #17
sevo
Fokutorendaburando
Join Date: Oct 2008
Location: Frankfurt, Germany
Posts: 6,364
Quote:
Originally Posted by ChrisLivsey
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
In these cases I tend to complain about their password validator - demanding numbers and punctuation means that they don't use any of the current libraries (which calculate the bit depth of the password), but some massively outdated or home-grown password check.

Old 11-05-2015   #18
Jim-st
Registered User
Join Date: May 2009
Location: Fort William & Glasgow, Scotland
Posts: 429
Quote:
Originally Posted by willie_901

I strongly recommend it. It is not that complicated. Unfortunately most web sites don't support 100% of 1Password's automated abilities. The copy/paste functionality means manual use is not difficult.

The only disadvantage is the time it takes resetting the usernames and passwords for all your accounts. This is tedious yet unavoidable considering the risk associated with weak passwords or using the same username and password for all accounts.
Thanks Willie, and ColSebastian: I'm logged in here now with a new 1Password-generated password, and yes, it was a bit laborious setting it up, but I'll just proceed on an ad hoc basis and try to cover those sites where I'd be most to someone finding financial info on me as a priority.

It'll take a while, but I'll persevere. It's something I shoulda done long ago!

My bank (like most, I think) probably has one of the weakest login-security systems around, so it will be interesting to see how 1Password goes with it.

Old 11-06-2015   #19
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
The cartoon is completely irrelevant.

The goal is not to create zero risk. The goal is to reduce risk by many orders of magnitude.

The whole point of 1Password and similar Apps is one does not have to remember any passwords. The App remembers them for you.

You only have to remember a single password... the password that opens the App. On some devices some of these Apps can be opened using a thumbprint.

It is a mild inconvenience to copy and paste the long, each unique, difficult to memorize password into each web-site's log-in form. Reducing risk is rarely convenient.

As I pointed out earlier, even the strongest 1Password can be decrypted by people with access to state-of-the-art technologies. Criminals and vandals prefer to take advantage of accounts they can compromise with much less effort and cost.

Old 11-06-2015   #20
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
Quote:
Originally Posted by photomoof
And if you are on vacation, and have just lost everything into a canal in Venice, you will be glad you can remember the password to your bank, when all you have left is your wife's iPhone.
So how is this different than 30 years ago if you lost everything in a canal?

Old 11-06-2015   #21
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by willie_901
So how is this different than 30 years ago if you lost everything in a canal?
30 years ago getting money was tough (experience in Spain), now with Skype and the internet it is easy, unless you lock yourself out with crazy passwords you can't remember.

While 1password does have an iOS version, is it in the cloud, or on one's device? I personally don't like passwords written down anywhere, when money is involved.

Old 11-06-2015   #22
majid
Fazal Majid
Join Date: May 2006
Location: San Francisco
Posts: 611
Quote:
Originally Posted by willie_901
The goal is not to create zero risk. The goal is to reduce risk by many orders of magnitude.

The whole point of 1Password and similar Apps is one does not have to remember any passwords. The App remembers them for you.
A company that makes password managers is also a fat, juicy target for hackers. LastPass was hacked and some of its databases compromised. Even the NSA could not keep its top-secret documents secure, and RSA, the company eponymous with security, had the master key for its SecurID tokens stolen. I would not take a vendor's self-interested assertions that "we are secure, trust us" at face value.

In the case of 1Password, the key extension algorithm they use (PBKDF2) is not state of the art (scrypt or Argon2 would be preferable). They use AES-256-CBC, which is way out of date (Google won't even accept it as a valid cipher for HTTP/2 in Chrome). None of that inspires confidence, and that's even before the fact they have no independent security audit of their software.

I don't have access to vBulletin source code, but web searches suggest it uses a fairly bad md5(md5(password) + salt) hash scheme. On paper the dual D700 GPUs on my Mac Pro should be able to try about 18 billion password combinations per second using something like hashcat, so it would be able to brute-force any 8-character password in about 4 hours.

Old 11-07-2015   #23
Saul
fighting inertia
Join Date: Dec 2010
Location: Baltimore MD
Posts: 484
Quote:
Originally Posted by majid
A company that makes password managers is also a fat, juicy target for hackers. LastPass was hacked and some of its databases compromised. Even the NSA could not keep its top-secret documents secure, and RSA, the company eponymous with security, had the master key for its SecurID tokens stolen. I would not take a vendor's self-interested assertions that "we are secure, trust us" at face value.

In the case of 1Password, the key extension algorithm they use (PBKDF2) is not state of the art (scrypt or Argon2 would be preferable). They use AES-256-CBC, which is way out of date (Google won't even accept it as a valid cipher for HTTP/2 in Chrome). None of that inspires confidence, and that's even before the fact they have no independent security audit of their software.

I don't have access to vBulletin source code, but web searches suggest it uses a fairly bad md5(md5(password) + salt) hash scheme. On paper the dual D700 GPUs on my Mac Pro should be able to try about 18 billion password combinations per second using something like hashcat, so it would be able to brute-force any 8-character password in about 4 hours.
Majid,

Your knowledge in this subject greatly impresses me! It also makes the whole idea of personal security sound like a hopeless oxymoron. This thread encouraged me to do more searching last night to specifically compare LastPass and 1Password in order to ramp up my own password game. After reading numerous reviews and forum threads both these software solutions were highly recommended and I was leaning towards LastPass but now, after reading your thoughts.... I mean, if the NSA can be hacked, what's the point?

Old 11-07-2015   #24
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
Quote:
Originally Posted by photomoof
30 years ago getting money was tough (experience in Spain), now with Skype and the internet it is easy, unless you lock yourself out with crazy passwords you can't remember.

While 1password does have an iOS version, is it in the cloud, or on one's device? I personally don't like passwords written down anywhere, when money is involved.
It supports iOS and Android devices. It syncs one of three ways – Dropbox, iCloud or using your home/office WiFi network. The latter does not involve the Cloud. The only way to sync between OS X, iOS and Android is via the internal non-Cloud option.

One of the main liabilities for on-site hacking is the written passwords people hide (usually on a Post-It) someplace.

As majid points out, short passwords are trivial to decrypt. However, he did not mention that the computational time increases exponentially as the password becomes longer. This is exactly the reason why password management Apps are valuable.

Here's a link to see how password length affects decryption time. Obviously you don't enter one of your actual passwords, just one with a similar number of characters.

Old 11-07-2015   #25
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
Quote:
Originally Posted by Saul
Majid,

I mean, if the NSA can be hacked, what's the point?
First, there are many ways besides password hacking to gain unauthorized access. The most common is human engineering. The Verizon 2015 Data Breach Investigations Report shows nine methods dominate IT security problems. This report is a collaboration with the Secret Service (wire fraud) and several European security agencies.

Second, the bad people will not waste time on decrypting passwords that require days, weeks, months or even years of CPU time when there is an abundance of passwords they can decrypt in minutes. Obviously, if they decide to target you for a specific reason then they will get in. I will speculate you are not a valuable target compared to the NSA.

Old 11-07-2015   #26
Saul
fighting inertia
Join Date: Dec 2010
Location: Baltimore MD
Posts: 484
Quote:
Originally Posted by willie_901
I will speculate you are not a valuable target compared to the NSA.

How presumptuous of you, sir!

Old 11-07-2015   #27
sevo
Fokutorendaburando
Join Date: Oct 2008
Location: Frankfurt, Germany
Posts: 6,364
Quote:
Originally Posted by willie_901
As majid points out, short passwords are trivial to decrypt. However, he did not mention that the computational time increases exponentially as the password becomes longer. This is exactly the reason why password management Apps are valuable.
Or passphrases - which share the length respectively bit depth, and can nonetheless be memorized.
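ChrisLivsey's note in #12 that many sites cap the length and demand digits and punctuation, sevo's reply in #17 that such validators do not measure bit depth, and the passphrase-versus-random-string discussion that runs from #11 to sevo's #27 can be put side by side in code. The following is an added example, not code from anyone in this thread or from any of the products mentioned. Everything in it is constructed for illustration: the tiny wordlist used to split a phrase into words, the leet-substitution table, the assumed 2048-word attacker dictionary (the cartoon linked above is not reproduced on the page, so its figures are not used) and the 40-bit threshold.

```python
import math
import string

# Character classes a naive strength estimator recognises (26 + 26 + 10 + 32).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Tiny constructed wordlist used only to split a phrase into words; a real
# checker would load a full dictionary. ASSUMED_DICTIONARY is the size of the
# list an attacker is assumed to guess from (an assumption, not a page figure).
WORDLIST = {"correct", "horse", "battery", "staple", "troubador", "pancakes",
            "taste", "great", "porsches", "are", "fast", "password"}
ASSUMED_DICTIONARY = 2048

# Common "leet" substitutions, undone before dictionary matching.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "$": "s", "@": "a"})


def legacy_validator(password, min_len=8, max_len=16):
    """Composition rules of the kind the thread complains about: a length cap
    plus mandatory digit and punctuation characters."""
    if not min_len <= len(password) <= max_len:
        return False
    has_digit = any(c in string.digits for c in password)
    has_punct = any(c in string.punctuation for c in password)
    return has_digit and has_punct


def charset_entropy_bits(password):
    """Naive estimate for a random string: length * log2(alphabet actually used)."""
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def segment_words(text, wordlist=WORDLIST):
    """Split text into the fewest wordlist words, or return None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in wordlist:
                candidate = best[start] + [text[start:end]]
                if best[end] is None or len(candidate) < len(best[end]):
                    best[end] = candidate
    return best[len(text)]


def estimate_bits(password, dictionary_size=ASSUMED_DICTIONARY):
    """Bits an attacker who knows the dictionary and the leet table must guess.

    Trailing digits/punctuation count as random characters, each undone
    substitution and the use of capitals add one bit each, and every
    dictionary word adds log2(dictionary_size). Anything that does not parse
    as words falls back to the naive per-character estimate."""
    lowered = password.lower()
    core = lowered.rstrip(string.digits + string.punctuation)
    tail = len(lowered) - len(core)
    normalised = core.translate(LEET)
    substitutions = sum(a != b for a, b in zip(core, normalised))
    words = segment_words(normalised)
    if not words:
        return charset_entropy_bits(password)
    bits = len(words) * math.log2(dictionary_size)
    bits += substitutions
    bits += 1 if any(c.isupper() for c in password) else 0
    bits += tail * math.log2(sum(len(cls) for cls in CLASSES))  # 94 symbols
    return bits


def entropy_validator(password, min_bits=40.0):
    """Policy expressed as estimated bits instead of composition rules."""
    return estimate_bits(password) >= min_bits


if __name__ == "__main__":
    for sample in ("Tr0ub4dor&3", "correcthorsebatterystaple",
                   "pancakestastegreatPorschesarefast", "RX8obkZDRuoekGdkQ4fFYBGY"):
        print(f"{sample:36} rules={legacy_validator(sample)!s:5} "
              f"bits={estimate_bits(sample):6.1f} entropy={entropy_validator(sample)}")
```

Run as written, the composition rules accept the short leet-speak word and reject both the four-word phrase and willie_901's 24-character random string (too long, no punctuation), while the bit estimate ranks them the other way round: the leet word is one dictionary entry plus a few modifiers, the phrase is four independent word choices. The dictionary-aware branch only fires when every fragment is a known word, so a real deployment lives or dies by the size of its wordlist; with the tiny constructed one here, most real passwords fall through to the naive per-character estimate, which is an upper bound and should be read as such.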

Old 11-08-2015   #28
majid
Fazal Majid
Join Date: May 2006
Location: San Francisco
Posts: 611
Quote:
Originally Posted by Saul
Your knowledge in this subject greatly impresses me!
It's just the result of reading for a work-related project last week, so still fresh in my mind. All non-brain-dead password systems will use a so-called hash function to secure your password. A good hash function is one that is one-way, i.e. you can't invert the order of operations to find the password from its hash. That said, some hash functions commonly used were not meant to secure passwords, and are too easy to calculate. That means brute-force attempts to guess every possible password can run at high-speed on fast CPUs, on the massively parallel supercomputers-within-our-computers that are called graphics cards, or on cloud services like Amazon web services. Good hash functions are designed to be slow and expensive to calculate, to raise the cost of brute-force, while not imposing too large a burden on legitimate site operators.

Quote:
It also makes the whole idea of personal security sound like a hopeless oxymoron.
No, but you need to start with a realistic assessment of risks. Most of us don't need to worry about the NSA or the Mafia trying to crack our passwords (they have simpler means to do so). We have to worry about sloppy site security and being caught in the dragnet of automated password guessing.

The first step is to identify which passwords matter and which ones don't. If your RFF account gets hacked, the consequences are less dire than if it's your online banking. It's thus worth less time and effort spent securing. Pick secure passwords (use punctuation, not just alphanumerics, and don't use dictionary words or names). Don't reuse passwords for anything that matters. You should also definitely turn on two-factor authentication on anything that matters (and consider switching to more security-conscious providers if they don't offer 2FA):
https://twofactorauth.org/

One other thing worth mentioning: most sites will allow you to reset a lost password by email. If your email itself is compromised, it doesn't matter how strong your passwords are, and most ISPs or webmail providers have shockingly poor security - their poorly paid and trained customer service reps can easily be fooled ("socially engineered") into giving the keys to your email to a smooth-tongued stranger:
http://krebsonsecurity.com/2014/09/w...ity-seriously/

Quote:
This thread encouraged me to do more searching last night to specifically compare LastPass and 1Password in order to ramp up my own password game. After reading numerous reviews and forum threads both these software solutions were highly recommended and I was leaning towards LastPass but now, after reading your thoughts.... I mean, if the NSA can be hacked, what's the point?
I was referring to Edward Snowden, of course. He didn't hack the NSA, he just (ab)used privileges he had as a contract sysadmin, and convinced people there to give him their passwords (clearly the NSA didn't use 2FA for internal use, tsk, tsk). If there is one place on Earth that should be paranoid about security, it is the NSA, and the fact they failed at it shows no one is immune. Similar with the RSA SecurID hack - those keys are used by most large corporations to guard access to their IT, and the vendor couldn't even protect its own security, when that is their core business.

That's why I take an extremely jaundiced view of alleged security solutions. When a vendor like AgileBits makes excessively optimistic (i.e. hubristic) claims about the security of its 1Password software, my BS detectors red-line, and I automatically assume they are either liars, or, worse, so incompetent that they don't realize the extent of their incompetence (the Dunning-Kruger effect). In short: I would not trust either 1Password or LastPass. If you use Mac OS X or iOS, or Google Chrome, or Firefox, you have perfectly decent password-management and sync functionality built-in (at least for non-critical sites like RFF), why would you want to add a third-party vendor making unsubstantiated claims about the security of their solution?
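majid's two posts (#22 on the md5(md5(password) + salt) scheme and the 18 billion guesses per second figure, #28 on why a password hash should be deliberately slow) and willie_901's point in #24 that cracking time grows exponentially with length can be put side by side in code. The following is an added example, not code from anyone in this thread, from vBulletin or from AgileBits. It implements the legacy double-MD5 scheme exactly as the post describes it, purely so its cost can be timed against PBKDF2-HMAC-SHA256 from Python's standard library (scrypt and Argon2, which majid prefers, are not available in every Python build and are left as a comment); it assumes a 62-character alphanumeric alphabet for the keyspace arithmetic, and the sample password and salts are constructed.

```python
import hashlib
import hmac
import time

# Constructed sample values for the demonstration (not from any real system).
SAMPLE_PASSWORD = "Tr0ub4dor&3"
SAMPLE_SALT_STR = "k3Q"                  # short text salt in the vBulletin style
SAMPLE_SALT_BYTES = b"0123456789abcdef"  # 16-byte salt for the KDF


def legacy_hash(password: str, salt: str) -> str:
    """The md5(md5(password) + salt) scheme the post attributes to vBulletin.

    Two MD5 calls cost about a microsecond, so whoever obtains the database
    can test billions of guesses per second on commodity GPUs. Shown here only
    so its cost can be measured; never use it for a new system."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


def kdf_hash(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """A deliberately slow password hash: PBKDF2-HMAC-SHA256.

    The iteration count is the cost knob: raising it multiplies the attacker's
    per-guess cost by the same factor as the defender's single check. scrypt
    and Argon2 add memory hardness on top, which PBKDF2 lacks."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def verify_legacy(password: str, salt: str, stored: str) -> bool:
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(legacy_hash(password, salt), stored)


def verify_kdf(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    return hmac.compare_digest(kdf_hash(password, salt, iterations), stored)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of the given length over the alphabet."""
    return charset_size ** length


def brute_force_hours(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case hours to exhaust the keyspace at a given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / 3600


def cost_ratio(iterations: int = 100_000) -> float:
    """Wall-clock cost of one PBKDF2 guess relative to one double-MD5 guess."""
    t0 = time.perf_counter()
    for _ in range(1000):
        legacy_hash(SAMPLE_PASSWORD, SAMPLE_SALT_STR)
    legacy_per_guess = (time.perf_counter() - t0) / 1000
    t0 = time.perf_counter()
    kdf_hash(SAMPLE_PASSWORD, SAMPLE_SALT_BYTES, iterations)
    kdf_per_guess = time.perf_counter() - t0
    return kdf_per_guess / legacy_per_guess


if __name__ == "__main__":
    rate = 18e9  # guesses per second, the figure given in the post
    for length in (8, 10, 12):
        print(f"62-char alphabet, length {length}: "
              f"{brute_force_hours(62, length, rate):,.1f} hours to exhaust")
    print(f"95-char alphabet, length 8: {brute_force_hours(95, 8, rate):,.1f} hours")
    print(f"PBKDF2 (100k iterations) costs ~{cost_ratio():,.0f}x one legacy guess")
```

At 18 billion guesses per second an 8-character alphanumeric password is exhausted in about 3.4 hours, in line with the estimate in #22; every extra character multiplies that by 62, which is the exponential growth #24 refers to. Switching the stored hash from double MD5 to a 100 000-iteration KDF multiplies the per-guess cost by tens of thousands on an ordinary CPU, and the same factor applies to whoever is guessing, which is the whole argument of #28 for slow hashes.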

Old 11-08-2015   #29
majid
Fazal Majid
Join Date: May 2006
Location: San Francisco
Posts: 611
And of course endpoint security, which is probably the biggest risk for most people. If your computer was infected by malware, you can assume there is a keylogger capturing your passwords. This is primarily a concern for Windows users, but there is no fundamental reason why Macs should be immune either, and Apple has been very complacent with security vulnerabilities that have been reported its way. iOS is significantly stronger than desktop OSes, as long as you don't jailbreak it.

Old 11-08-2015   #30
photomoof
Fischli & Weiss Sculpture
Join Date: Mar 2008
Posts: 786
Quote:
Originally Posted by majid
Apple has been very complacent with security vulnerabilities that have been reported its way. iOS is significantly stronger than desktop OSes, as long as you don't jailbreak it.
Apple simply does not publicly react to every report, but they issue security updates quite often. There have been reports of a remote jailbreak, but personally I doubt its veracity. Macs are immune unless you disable security in your preferences, but because of companies who refuse to play well with Apple like Adobe, users are in theory vulnerable.

Adobe forces one to load software that Apple considers a security risk at the highest settings (only load apps from the app store). Adobe flash and the like, which are not in the app store, and are used as a disguise for malware, are just plain stupid. There is nothing on the web I need flash to run.

At this point I keep nothing on my phone, and it bricks if you try passwords.

IMO keeping passwords involving large sums of money anywhere is crazy. Keep it in your head. If you die, and your executor really needs to get in, there are well established methods.

Old 11-08-2015   #31
willie_901
Registered User
Join Date: Dec 2005
Posts: 5,325
Quote:
Originally Posted by majid
...

That's why I take an extremely jaundiced view of alleged security solutions.
There is no such thing as a "security solution". There are only risk reduction strategies.

Old 11-09-2015   #32
Saul
fighting inertia
Join Date: Dec 2010
Location: Baltimore MD
Posts: 484
Quote:
Originally Posted by majid
It's just the result of reading for a work-related project last week, so still fresh in my mind. All non-brain-dead password systems will use a so-called hash function to secure your password. A good hash function is one that is one-way, i.e. you can't invert the order of operations to find the password from its hash. That said, some hash functions commonly used were not meant to secure passwords, and are too easy to calculate. That means brute-force attempts to guess every possible password can run at high-speed on fast CPUs, on the massively parallel supercomputers-within-our-computers that are called graphics cards, or on cloud services like Amazon web services. Good hash functions are designed to be slow and expensive to calculate, to raise the cost of brute-force, while not imposing too large a burden on legitimate site operators.

No, but you need to start with a realistic assessment of risks. Most of us don't need to worry about the NSA or the Mafia trying to crack our passwords (they have simpler means to do so). We have to worry about sloppy site security and being caught in the dragnet of automated password guessing.

The first step is to identify which passwords matter and which ones don't. If your RFF account gets hacked, the consequences are less dire than if it's your online banking. It's thus worth less time and effort spent securing. Pick secure passwords (use punctuation, not just alphanumerics, and don't use dictionary words or names). Don't reuse passwords for anything that matters. You should also definitely turn on two-factor authentication on anything that matters (and consider switching to more security-conscious providers if they don't offer 2FA):
https://twofactorauth.org/

One other thing worth mentioning: most sites will allow you to reset a lost password by email. If your email itself is compromised, it doesn't matter how strong your passwords are, and most ISPs or webmail providers have shockingly poor security - their poorly paid and trained customer service reps can easily be fooled ("socially engineered") into giving the keys to your email to a smooth-tongued stranger:
http://krebsonsecurity.com/2014/09/w...ity-seriously/

I was referring to Edward Snowden, of course. He didn't hack the NSA, he just (ab)used privileges he had as a contract sysadmin, and convinced people there to give him their passwords (clearly the NSA didn't use 2FA for internal use, tsk, tsk). If there is one place on Earth that should be paranoid about security, it is the NSA, and the fact they failed at it shows no one is immune. Similar with the RSA SecurID hack - those keys are used by most large corporations to guard access to their IT, and the vendor couldn't even protect its own security, when that is their core business.

That's why I take an extremely jaundiced view of alleged security solutions. When a vendor like AgileBits makes excessively optimistic (i.e. hubristic) claims about the security of its 1Password software, my BS detectors red-line, and I automatically assume they are either liars, or, worse, so incompetent that they don't realize the extent of their incompetence (the Dunning-Kruger effect). In short: I would not trust either 1Password or LastPass. If you use Mac OS X or iOS, or Google Chrome, or Firefox, you have perfectly decent password-management and sync functionality built-in (at least for non-critical sites like RFF), why would you want to add a third-party vendor making unsubstantiated claims about the security of their solution?
Thank you for taking the time to respond and further educate me, it is quite appreciated. Because of what you further explained, I'm re-evaluating my desire for a PWM since I only have one truly sensitive site to 'protect' (my bank's) and it has a two-stage authentication sign-in. That password only exists in my memory and I'm comfortable leaving it there. Having no smart phone enables me to have fewer security issues to worry about and, like you pointed out, OS X and Chrome are most likely enough for any non-sensitive site like RFF.

The link for tricking customer support into giving away a password via email will make for interesting reading, no doubt.
Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
