Down Posted June 16, 2015
....... Oops. I take it this is bad? Eh, I use a pre-paid credit card anyway I'm sure amazon is very careful with how they handle your credit card information. I'm sure they're constantly getting assaulted and taking measures to prevent any kind of issue. It's just a matter of principle. It just seems bonkers to me to leave that kind of information stored on the internet.
Nosebleed Posted June 16, 2015
Buy a safe and drill it to the wall
Put all your passwords in there
?????
Profit
I did this years ago when my house got robbed and it's been doing great. Not even my parents know the combination. As for credit cards, I never once used my real card info on the internet. Like Rooke, I only use prepaid cards that expire after a time (which I set myself) and have a transaction limit. Even when transferring money to friends I will always use a temporary card, never my real one.
nohman Posted June 16, 2015
You installed a safe in your wall? Is that where you keep your loli stash hidden from your parents?
Nosebleed Posted June 16, 2015
Lol I did install a safe on my wall. Trust me, getting robbed is one of the worst things you can experience and buying a safe was like primal instinct after. Knowing your house was broken in and is unsafe, I couldn't get jackshit sleep when it happened. I hope no one ever experiences something like it. As for loli porn, it's all on my hard drive in some hidden folders
And am I the only one that memorizes most of their passwords?
nohman Posted June 16, 2015
I used to not, kept most of them in my head - but that's when I only had like 3 or 4 different passwords for most of the sites I frequented. For some unnecessary reason, I started using random strings and characters for my passwords so I had to start storing them somewhere, and after the puush vulnerability, I started to physically write them down.
Nosebleed Posted June 16, 2015
Makes sense. I guess I'm a little old fashioned when it comes to password creation. Should probably change that.
Meat_Bun1 Posted June 17, 2015
So what? Just because they assume it can't be broken now, doesn't mean it can't be or won't be in the future.
That is what cryptography is all about: a race between security programmers and hackers. The security people try to make an unbreakable encryption algorithm while the hackers come up with ways to break them as quickly as possible. This cycle will probably continue indefinitely. Since encryption isn't perfect, we give up a little security for accessibility for things like shopping, banking, etc. If people are so afraid of their passwords being hacked, they can get through life without doing any transactions online. As a side note, people will always notice the few attacks that succeed but almost never note the ones that fail. After all, the expectation is to thwart attacks, which is impossible to maintain forever...
EDIT: Just for laughs and to put things in perspective, (http://xkcd.com/1539/)
sanahtlig Posted June 18, 2015
I have to agree that the prospect of a civilization-destroying nuclear exchange is probably more likely than me suffering irreparable and unrecoverable harm from Lastpass being hacked, now or in the future. It's important to put risks in perspective, especially when there are clear and compelling benefits for taking these risks. Security is all about balancing risks and convenience. Considering risks apart from convenience is just as foolish and shortsighted as considering convenience while ignoring the risks. I migrated to Lastpass because I deemed that doing so would improve both security AND convenience compared to what I was doing before. The right decision was obvious.
Abyssal Monkey Posted June 18, 2015
That is what cryptography is all about: a race between security programmers and hackers. The security people try to make an unbreakable encryption algorithm while the hackers come up with ways to break them as quickly as possible. This cycle will probably continue indefinitely. Since encryption isn't perfect, we give up a little security for accessibility for things like shopping, banking, etc. If people are so afraid of their passwords being hacked, they can get through life without doing any transactions online. As a side note, people will always notice the few attacks that succeed but almost never note the ones that fail. After all, the expectation is to thwart attacks, which is impossible to maintain forever... EDIT: Just for laughs and to put things in perspective, (http://xkcd.com/1539/)
You picked the wrong comic. This one is far more relevant to this thread and password strength in general:
I had a friend who worked IT for a loans company. They're heavily regulated, and they have to follow strict password guidelines. These guidelines prevent them from using password managers, so instead they tape sticky notes with passwords to their monitors and work surfaces (they're forced to maintain multiple passwords for different purposes, and to change them every 3 months or so).
My brother works for a bank, and while they do have him change his passwords every 3 months, it's mainly for internal security reasons. To even log in to the system, they have an authenticator that changes a random string of 12 digits every minute as a second step. Also, about the security guidelines, you really don't need to worry about it because even they can't access their own encrypted database. Their password database is encrypted such that they can't access it, and the only time it is accessed is to do a simple key verification. The reason the help line operators can't tell you your password is because they in fact can't even access it themselves, not because they are bound by some silly restriction.
Really, I laugh at this entire discussion, putting aside whether it should exist or not (capitalism says yes) and how silly the people are for using it (I think it's fairly dumb personally), the fact remains that most password hacking is done via phishing and not brute force anymore, really making this service truly obsolete in the grand scheme of things. If you make your password "FluffyKitten", it has a 99.9999% chance of never getting brute forced in its lifetime and when it does get hacked, it's guaranteed to be from a keylogger or phishing. The reason why people say "diversify your passwords" is because if one does inexplicably leak you know where it was leaked from and because they either phished or keylogged only that website, can't try and guess your password on say something like amazon where people do frequently store sensitive information, or your bank account which can be accessed online anymore.
Logically, the LastPass system is for convenience, and should exist by all means under capitalism, but it is also completely flawed in its own creation. By having even one more place store a password, you are inherently making the password more vulnerable. This is the reason why spies most often use one time use cryptokeys because they are near impossible to break, as the more you use it, the more it shows repetitiveness and the easier it is to crack.
Personally, I use a single junk password for all my gaming and other needs, because anymore, I would much rather rely on a one time second step verification code than a hard to remember password.
edit: Further thought reminded me that this existed. Have fun playing password crossword people.
Meat_Bun1 Posted June 18, 2015
Ah, yes. I remember that one too. I just chose the one I did because I saw today's comic and some people were posting about storing other information in places like Facebook and Amazon. Still, your comic is much more relevant.
sanahtlig Posted June 18, 2015
Regarding that comic, I'm not sure that estimate at crackability is accurate? The Ars Technica article said that an arbitrary non-weak master password would hold out for a while against even a GPU capable of 10k guesses per second.
Kelebek1 Posted June 18, 2015
It is accurate, although I don't know how he got that entropy. But if it is, 2^44 = 17592186044416 possible combinations, / 1000 for 1000 guesses/sec = 17592186044.416. You can google that number with "seconds to years." It's 557.475 years. Same deal for the first one, 268435.456 seconds is 3.10689 days. 10K guesses/sec for the first one would be 55 years.
Bolverk Posted June 18, 2015
Btw, keep in mind that comic is talking about brute force cracking of passwords. When crackers are using dictionary attacks and rainbow tables, they can try words from a dictionary or try combinations that are commonly used, which can drastically reduce the amount of needed tries. So adding more stuff to the password length doesn't really automatically make it a lot safer.
Some people really lack creativity with their passwords though
Look at my brilliant password!!: Password321
Amazing, 1 capital letter, 7 normal letters and 3 numbers. wow.
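An added example, not part of any post in this thread: the brute-force arithmetic from the posts above (a 2^44 and a 2^28 search space at 1000 guesses/sec), set against a pattern-aware estimate for a password shaped like "Password321". The word list, the 2^16 dictionary size and the one-bit capitalisation cost are assumptions chosen for illustration.

```python
import math

# Constructed mini word list; a real estimator would load a large dictionary.
COMMON_WORDS = {"password", "fluffy", "kitten", "dragon", "monkey"}
ASSUMED_DICTIONARY_SIZE = 2 ** 16  # assumption: guesser's word list has 65,536 entries
SECONDS_PER_DAY = 86400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def naive_bits(password):
    """Entropy if every character were picked uniformly from the classes used."""
    pool = 0
    pool += 26 if any(c.islower() for c in password) else 0
    pool += 26 if any(c.isupper() for c in password) else 0
    pool += 10 if any(c.isdigit() for c in password) else 0
    pool += 33 if any(not c.isalnum() for c in password) else 0
    return len(password) * math.log2(pool) if pool else 0.0


def pattern_bits(password):
    """Entropy if the guesser models 'common word, optional capital, digit suffix'."""
    stem = password.rstrip("0123456789")
    suffix = password[len(stem):]
    if stem.lower() not in COMMON_WORDS:
        return naive_bits(password)  # no known pattern: fall back to the naive figure
    bits = math.log2(ASSUMED_DICTIONARY_SIZE)  # which word
    bits += 1                                  # first letter capitalised or not
    bits += len(suffix) * math.log2(10)        # each trailing digit
    return bits


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate in a 2**bits search space."""
    return 2 ** bits / guesses_per_second


def report(password, guesses_per_second=1000):
    """Return (naive bits, pattern-aware bits, days to exhaust the pattern space)."""
    n, p = naive_bits(password), pattern_bits(password)
    return n, p, seconds_to_exhaust(p, guesses_per_second) / SECONDS_PER_DAY


if __name__ == "__main__":
    for pw in ("Password321", "x7#Qm2!vLp9"):  # constructed samples
        n, p, days = report(pw)
        print(f"{pw}: naive {n:.1f} bits, pattern-aware {p:.1f} bits, "
              f"{days:.2f} days at 1000 guesses/sec")
    years = seconds_to_exhaust(44, 1000) / SECONDS_PER_YEAR
    print(f"2^44 at 1000 guesses/sec: {years:.0f} years")
```

Under these assumptions the character-class count credits "Password321" with about 65 bits, while the word-plus-suffix model leaves about 27, roughly the size of the 2^28 case worked through above.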
sanahtlig Posted June 18, 2015
I still can't wrap my head around why people would voluntarily cause their passwords to be less safe by using a service like this.
Mr Poltroon Posted June 18, 2015
I've just been using variations of the same passwords. The important stuff has a password made up of all my 20 or so passwords mangled together in a logical (to me) order. In the meanwhile the rest is made up of a number of my passwords joined together given how important that particular security is. More important stuff has more passwords, less important has less. My problem isn't remembering the passwords (which is easy, they're a combination of phone numbers, relevant words and there's even a question and answer there somewhere), it's remembering which password corresponds to what.
Kendjin Posted June 18, 2015
I use lastpass. Once my account starts spamming assume they've cracked it. Until then gonna trust them.
sanahtlig Posted June 18, 2015
One day, when USB authenticator devices (or alternate out-of-band solutions) have reached mainstream levels of acceptance, I'll add that to my security routine. For the time being that isn't practical, as adoption and support are low; I don't think my iPad for example would be compatible with the USB keys currently on the market. 2-factor authentication (something you know and something you have) is the only true way to secure your identity. Using it just to secure my Lastpass account would be kind of silly, as Lastpass STILL isn't the weakest link in my security.
What people here are neglecting is that Lastpass's true security flaw (and the flaw of ANY password manager) isn't its vulnerability to remote hacking. Its true flaw is vulnerability to LOCAL hacking--i.e., someone gets access to your device and visits protected sites / views your password information while you're logged in. THAT is what I tend to worry about, as most security fallbacks aren't configured to thwart local attacks. And THAT is how I can identify that the detractors in this thread have no idea what they're talking about, since they miss the obvious elephant in the room and instead harp on the little details that don't actually matter. Intelligent decision-making is knowing what to attend to. The common heckler is incapable of this, which is why I tend to ignore them and do my own research.
atorq Posted June 18, 2015
Why would you need to use something like Lastpass when the browser asks you every time if you want to save the password? Or is that incredibly unsafe or something I'm too lazy to care about?
Bolverk Posted June 18, 2015
Clarify, because if you want to rephrase that as "Making a password longer doesn't make it more secure" I'm going to faceplant through my monitor into your face for being incredibly silly. No matter what, length is far more beneficial than anything else. Companies just don't want to double the size of that oh so big 30gb plain text file to allow people to have 32 digit passwords, so they instead force the retarded option of all these symbols. I was a fan of Archeage when they let me make a 512 digit password. Guess what, no one is ever going to hack that shit, just type a simple sentence and you have a permanently secured account.
True story: For about 4 years while I played runescape, my password was 135792684, and I was never hacked once despite it being incredibly stupid and simple from a thought standpoint: count up the odd number on the numpad then go counterclockwise from 2 around the evens. It was incredibly useful to make it a password that I didn't need to see my keyboard for at night, because if I woke my parents they would send me back to bed because it was past midnight. I was like 8 years old at the time.
I still can't wrap my head around why people would voluntarily cause their passwords to be less safe by using a service like this.