eBay hacked! (IT News thread, Other News forum) - page 2 of 4, posts #16 to #30 of 48
  1. #16 (Garacesh)
    Passwords stored externally? Colour me paranoid, but no thanks. I'd prefer to keep them locally on my machine.

  2. #17 (Norphy)
    I can see the attraction in services like LastPass and the like, but I wonder how long it will be before we see a headline like:

    "LastPass password database stolen"

    Everyone will be royally screwed then.

  3. #18 (sonofsanta)
    Originally Posted by Garacesh:
    Passwords stored externally? Colour me paranoid, but no thanks. I'd prefer to keep them locally on my machine.
    The passwords aren't stored externally - only an encrypted dump of them, with the decryption key stored on the device. They tell you repeatedly not to lose your master password, because if you do, you're stuffed - they've no way of getting to them.

    Still, no system is perfect short of memorising a unique password for every site, so whichever route you go (LastPass/KeePass) it's fundamentally weaker than that - as ever with security, you have to choose where on the spectrum of convenience <--> security you're happy. LastPass is plenty good enough for me, others prefer to be a bit further up the security end of things, others prefer to be closer to convenience ("my password is 'password' everywhere I go so I can never forget").

    EDIT: A bit more on LastPass in this article.
    Last edited by sonofsanta; 21st May 2014 at 03:47 PM.

  4. #19 (jinnantonnixx)
    Damn. I'm up to 'password7' already. 'password8' here we come. Where will it end?


  5. #20 (Garacesh)
    Originally Posted by sonofsanta:
    The passwords aren't stored externally - only an encrypted dump of them, with the decryption key stored on the device. They tell you repeatedly not to lose your master password, because if you do, you're stuffed - they've no way of getting to them.

    Still, no system is perfect short of memorising a unique password for every site, so whichever route you go (LastPass/KeePass) it's fundamentally weaker than that - as ever with security, you have to choose where on the spectrum of convenience <--> security you're happy. LastPass is plenty good enough for me, others prefer to be a bit further up the security end of things, others prefer to be closer to convenience ("my password is 'password' everywhere I go so I can never forget").
    Very true, but KeePass works the same way: the database has a 'Master Password' which acts as the decryption key for the database.
    Difference is, the KeePass database is stored on my machine whereas LastPass is stored on the web. Sure, that's not infallible and it would be possible for a miscreant to access my machine and take my passwords, but chances are if that happened it would be a 'happy accident' as a result of other malware, rather than a targeted attack for specifically my credentials.

    Think how many people will be trying to crack into the LastPass databases? Considerably more, I'd hypothesise.

  6. #21 (sonofsanta)
    Originally Posted by Garacesh:
    Very true, but KeePass works the same way: the database has a 'Master Password' which acts as the decryption key for the database.
    Difference is, the KeePass database is stored on my machine whereas LastPass is stored on the web. Sure, that's not infallible and it would be possible for a miscreant to access my machine and take my passwords, but chances are if that happened it would be a 'happy accident' as a result of other malware, rather than a targeted attack for specifically my credentials.

    Think how many people will be trying to crack into the LastPass databases? Considerably more, I'd hypothesise.
    Ah, that's where we differ - I have much more faith that LastPass know what they're doing in terms of security than I have faith in myself.

  7. #22 (Garacesh)
    Originally Posted by sonofsanta:
    Ah, that's where we differ - I have much more faith that LastPass know what they're doing in terms of security than I have faith in myself
    Touché

    I guess I just see an online service as a bigger point of failure than my personal machine.

    Lots more people will be attacking LP than my PC, there's always 'disgruntled employees', spear phishing, physical device compromise, or even the physical servers being taken (which admittedly could happen to my machine, but is less likely, as LastPass would have much more 'value' due to the thousands of passwords it holds, rather than my 20 or so that are unique to me and might not really offer much use, besides eBay, PayPal and my bank, I guess.)
    Last edited by Garacesh; 21st May 2014 at 03:56 PM.


  8. #23
    Originally Posted by sonofsanta:
    "However, the database did not contain financial information or other confidential personal information."

    No, only my full name, date of birth and full home address. There's nothing can be done with that

    Another appropriate time to point out how marvellous https://lastpass.com/ is.
    How does that stop them getting your password when they compromise the database containing the customer data though?

    I've used Roboform for years because it does password management along with filling forms etc. too; brilliant bit of kit.

  9. #24 (Edu-IT)
    If users have a rubbish password on their email, which they've used to register for LastPass, can they reset the password, go to the email address, click through to LastPass and get in to everything? Genuine question having not used LP.

  10. #25 (unixman_again)
    Originally Posted by jinnantonnixx:
    Damn. I'm up to 'password7' already. 'password8' here we come. Where will it end?
    You'll need to capitalise the P to conform to the usual password requirements of upper case, lower case and number or symbol.


  11. #26 (sonofsanta)
    Originally Posted by Edu-IT:
    If users have a rubbish password on their email, which they've used to register for LastPass, can they reset the password, go to the email address, click through to LastPass and get in to everything? Genuine question having not used LP.
    You can't reset your password - hence the warnings about not forgetting it.

    The procedure is here: https://lastpass.com/support.php?cmd=showfaq&id=375

    Basically: password hint; one-time reset that can only be done on a computer you've previously logged in on; roll back to your old password; delete your account and start over, chump, shouldn't have forgotten your master password.

    EDIT: looks like the revert option does use your email, so there's potential there. But the corollary is that if you use LastPass, you use randomly generated passwords and your email is that much less likely to be compromised.
    Last edited by sonofsanta; 21st May 2014 at 04:16 PM.
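Added example (not from the original thread, and not LastPass or KeePass code) showing the model sonofsanta describes in #18 and the recovery paths summarised in #26: the operator stores only a salt and ciphertext; the master password is turned into a key on the client; a wrong master password simply fails the integrity check; and the "one-time reset from a computer you've previously logged in on" works because a recovery key kept only on that device wraps the vault key, with the server handing out that wrapped blob only after the e-mail step. Stdlib Python only: scrypt is the KDF, and the HMAC-SHA256 encrypt-then-MAC construction is a dependency-free stand-in for AES-GCM so the block runs anywhere. All function names, the `email_confirmed` flag and the sample passwords are assumptions for illustration.

```python
"""Client-side password vault: the operator stores ciphertext only.

Constructed example for this thread, not LastPass or KeePass code. Stdlib only:
scrypt as the master-password KDF, and HMAC-SHA256 encrypt-then-MAC as a
dependency-free stand-in for AES-GCM (real code should use AES-GCM or
ChaCha20-Poly1305 from a vetted library).
"""
import hashlib
import hmac
import json
import secrets
import string

# 64-byte keys throughout: the first 32 bytes encrypt, the last 32 authenticate.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=64)


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    """Slow, salted KDF run on the client; the server never sees the password."""
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (stand-in cipher)."""
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32))]
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a fresh random nonce."""
    enc_key, mac_key = key[:32], key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def unseal(key: bytes, blob: dict) -> bytes:
    """Constant-time tag check before any decryption; wrong key raises ValueError."""
    enc_key, mac_key = key[:32], key[32:]
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def generate_password(length: int = 20) -> str:
    """Random per-site password: with a vault there is nothing to memorise."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def create_vault(master_password: str, entries: dict) -> tuple:
    """Return (server_record, device_file).

    A random vault key encrypts the entries and is wrapped twice: under the
    master-derived key (normal unlock) and under a random recovery key that
    lives only on this device (the one-time reset from a known computer).
    """
    salt = secrets.token_bytes(16)
    vault_key = secrets.token_bytes(64)
    recovery_key = secrets.token_bytes(64)
    server_record = {
        "salt": salt.hex(),
        "vault": seal(vault_key, json.dumps(entries).encode("utf-8")),
        "wrapped_by_master": seal(derive_master_key(master_password, salt), vault_key),
        # Handed out by the server only after the account e-mail confirms the reset.
        "wrapped_by_recovery": seal(recovery_key, vault_key),
    }
    return server_record, {"recovery_key": recovery_key.hex()}


def unlock(master_password: str, server_record: dict) -> dict:
    """Normal path; a wrong master password fails the tag check and yields nothing."""
    kek = derive_master_key(master_password, bytes.fromhex(server_record["salt"]))
    vault_key = unseal(kek, server_record["wrapped_by_master"])
    return json.loads(unseal(vault_key, server_record["vault"]))


def recover(device_file: dict, server_record: dict, email_confirmed: bool) -> dict:
    """Forgotten master password: needs the device file AND the e-mail step.

    Mailbox only: no recovery key. Device only: the server withholds the blob.
    """
    if not email_confirmed:
        raise PermissionError("server will not release the recovery blob")
    recovery_key = bytes.fromhex(device_file["recovery_key"])
    vault_key = unseal(recovery_key, server_record["wrapped_by_recovery"])
    return json.loads(unseal(vault_key, server_record["vault"]))


if __name__ == "__main__":
    passwords = {"ebay.com": generate_password(), "paypal.com": generate_password()}  # constructed
    record, device = create_vault("correct horse battery staple", passwords)
    assert unlock("correct horse battery staple", record) == passwords == recover(device, record, True)
    print("server-side record holds only salt, nonces, ciphertext and tags:", list(record))
```

The thing to notice is what the server record does not contain: no key, no password hash that could be brute-forced quickly (scrypt with these parameters costs about 16 MiB and tens of milliseconds per guess), and nothing the operator could decrypt on a user's behalf. That is also the flip side Garacesh and sonofsanta are arguing about: a stolen copy of the record is only as strong as the master password behind it, and a forgotten master password is unrecoverable unless the device-local recovery key survived.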

  12. #27
    eBay buries its own advisory to change passwords following database hack (Ars Technica)

    eBay officials are taking flak for burying news of the password reset issued in response to a hack on the company's corporate network that exposed sensitive data for millions of users.

    More than seven hours after eBay published an advisory that was five clicks removed from end users, the company still made no mention of the breach, said to affect 145 million customers, in e-mails, on its front page, or when users log in to their accounts. The bare-bones post disclosed a breach in February or March that allowed attackers to make off with cryptographically protected passwords. It advised users to change their login credentials. The breach also exposed customers' names, e-mail addresses, home addresses, phone numbers, and dates of birth in a human readable format.

    Given the magnitude of the breach, it's surprising to see an Internet-based company like eBay take so long to directly notify customers and inform them of what steps they should take to protect themselves. The burying of such an important advisory didn't escape the scrutiny of security bloggers such as Graham Cluley or Paul Roberts. Asked to comment on the lack of disclosure, an eBay spokeswoman wrote: "An updated password reset process is currently being rolled out to all our users. It will be available shortly."

  13. #28
    Originally Posted by Edu-IT:
    If users have a rubbish password on their email, which they've used to register for LastPass
    If someone uses LastPass, there's absolutely no reason they would need to use a rubbish password - especially with e-mail accounts being a prime target for hackers.

    I don't even know what any of the passwords are for any of my online accounts (inc. e-mail). Each site has its own unique password consisting of random characters and is as long as possible.

  14. #29
    Originally Posted by unixman_again:
    You'll need to capitalise the P to conform to the usual password requirements of upper case, lower case and number or symbol.
    You could always capitalise the "a" and have a really strong one... Damn, back to my eBay control panel.

  15. #30 (IrritableTech)
    Originally Posted by sonofsanta:
    EDIT: looks like the revert option does use your email, so there's potential there. But the corollary is that if you use LastPass, you use randomly generated passwords and your email is that less likely to be compromised.
    You can probably add 2FA into the mix as well on your email account - and if you can't, perhaps you should be thinking about hosting it elsewhere.
