LastPass Hacked! Change Master Password Now!

1492
Moderator
And enable the recommended two-factor authentication immediately. See the article Hack of cloud-based LastPass exposes hashed master passwords.

I received the notification email this evening, though I only have a test account with LastPass, and do not use it to store any of my personal passwords. In fact, I will not store passwords on any online service, as it potentially gives hackers that much more direct access to all your personal data/passwords in the event your master password is breached, which is why such a service should not be used without two-factor authentication.

Personally, I prefer a password management app such as KeePass, storing the encrypted database locally. Though passwords stored on virtually any app, even KeePass, can potentially be captured by malware such as a keylogger, you have more options to protect the master password and password database locally. For instance, KeePass has the ability to input the master password through the Windows secure desktop.

Doing so, I was not able to breach the master password using a couple of popular keyloggers in a security test I ran some time ago. However, I was able to capture individual passwords from KeePass when transferring them using the Windows clipboard (copy and paste), or manually inputting them from a hard or soft keyboard.

Furthermore, I was also able to capture the critical credentials when logging in to LastPass from a browser using a popular keylogger, which allowed access to my test passwords stored online. This highlights the importance of two-factor authentication, yet it can be of limited effectiveness in the event of a malware breach on the local system.

Surprisingly, I was not able to capture any passwords with keyloggers from Firefox's built-in password database, which is what I'm using for online account access, except for banking/financial accounts. But that does not mean it's necessarily the most secure solution, as an undiscovered browser vulnerability could breach its password security. Which is why I keep the Firefox password database and profile hardened using separate strong 256-bit AES encryption.

This further highlights the dangers of keylogger rootkit malware, which can be notoriously difficult to detect. None of my top-rated AV software could identify or flag their activity. Only Malwarebytes Free was successful in doing so.

Keyboard encryption apps were also able to block password capture from the keyloggers I tested. However, they were only effective if the app loaded ahead of the keylogger. Otherwise, the malware was able to capture the clipboard, which rendered the apps useless. Which just emphasizes the importance of having a layered security approach to lock down your system, as there are no perfect solutions to guard against hackers.

garry1p
Explorer
I use strong passwords with financial and medical accounts and one or two variations of easy to remember for the rest.

There is no way I could possibly remember the strong passwords so I back them up on a jump drive just in case. I also change them every 3 to 6 months.

I opened a LastPass account but never used it; I decided I should trust only myself with that kind of information.
Garry1p


1990 Holiday Rambler Aluma Lite XL
454 on P-30 Chassis
1999 Jeep Cherokee sport

Pirate1
Explorer
I use LastPass because I can use it on my Chromebook, cellphone, laptop, and desktop. What is the alternative to give me synced access to all of my passwords across all those platforms?

magicbus
Explorer
300-400 passwords... when I worked for one of the largest computer companies in the world we used to have lots of passwords and had to change them every 30 days. Then they changed everything... one password for everything, BUT it had to be a phrase of at least 25 characters with at least one upper-case letter, one number and one symbol, changed every 30 days. Man, that made things easier for the brain.

Many companies use a single password because they are using a central logon facility like LDAP, just so their employees can have only one password and not spend all day signing onto different systems.

Do I trust the folks at rv.net and trawlerforum.com to not be able to peek at my password? No, so it is different from my "money" passwords. Do I care if the folks at rv.net manage to get into my trawlerforum.com account? Not in the least. So in the end I have a couple of really strong passwords for my "money" accounts and only 2 or 3 for everything else.

Dave
Current: 2018 Winnebago Era A
Previous: Selene 49 Trawler
Previous: Country Coach Allure 36

fj12ryder
Explorer III
I have many passwords because I use and access many sites, many of which require a password. Some of them I'll visit once or twice a year, which makes remembering a password problematic. Most of my shopping is done online, book purchasing/borrowing, music and video, several different car/truck/motorcycle forums, game and support forums, game streaming services, medical records/forums. Those are just the ones off the top of my head.

I don't watch television but about 2 hours/week, so the internet is my amusement.
Howard and Peggy

"Don't Panic"

2oldman
Explorer II
I don't have to remember too many anymore. Chrome does that for me. I don't have many.. 3 or 4 depending on the site requirements.

The GF can't remember more than about 2 passwords, and she refuses to store them anywhere. Hence, there are many services she cannot, and does not use, like banking. Her passwords are so secure she cannot use her own computer.
"If I'm wearing long pants, I'm too far north" - 2oldman

Old-Biscuit
Explorer III
What is it that everyone is doing that requires 300-400 passwords :H

I have a password for online banking, one for SSN and one for VA Medical that I have to remember..........anything else is remembered by this computer 'cause there ain't nothing in them that isn't already public knowledge.

What in the world requires that many passwords and that much protection in private life?

Work... that was their problem.


I'm so glad my life is simple :B
Is it time for your medication or mine?


2007 DODGE 3500 QC SRW 5.9L CTD In-Bed 'quiet gen'
2007 HitchHiker II 32.5 UKTG 2000W Xantex Inverter
US NAVY------USS Decatur DDG31

1492
Moderator
I only tested the open source KeePass and LastPass. If I'm not mistaken, doesn't RoboForm integrate into the browser, and thus bypass the clipboard? If so, it'll likely fare as well as using Firefox's integrated password manager? Except for how the master password is input, which is potentially vulnerable if not done using a secure method, such as Windows Secure Desktop. In which case, it could be game over for any app should hackers capture the master password and get ahold of the database.

Personally, I don't use Firefox's master password option, which is used by the browser to provide basic encryption for stored passwords. Instead, I use open passwords which can be read by the user. But since the Firefox profile is separately encrypted using strong encryption, requiring master password input through Secure Desktop, no one without the key would be able to even load Firefox in the first place. So no access to the passwords.

Of course, concerns about captured passwords would only be an issue if a system was infected with keylogger malware, in which case the user may very well not even be aware of the breach. Then even the traditional pen and paper method would be insecure, as you need to input the data into the browser. So it is a good practice to routinely scan your system to ensure no such keylogger rootkits exist, which have apparently been the gateway for hackers to breach highly publicized customer accounts such as Target.

fj12ryder
Explorer III
As long as you have access to, and can run, RoboForm, and have access to the list of passwords.

I don't use the Everywhere feature of RoboForm. When we travel I put the password list on a thumb drive for use in the toy hauler.
Howard and Peggy

"Don't Panic"

Robin1953
Explorer
I might get hit by a car tomorrow. You pays your money and you takes your chances. That is the way it is and the way it has always been. I have used RoboForm since 1995. I use their Everywhere feature as well. Is it secure... yeah, as secure as anyone else. When I worked for the State Treasurer in his IT department he told me he wanted his system to be 100% secure. I told him the only way to guarantee that was to pull the plug out of the wall. The best anyone can do is make it as tough as you can and hope the bad guys will go looking for easier targets.
2015 Grand Design Solitude 320X
2016 Ram 3500 DRW and Cummins

LittleBill
Explorer
fj12ryder wrote:
An excellent example of why storing sensitive data "in the cloud" is not necessarily the best idea.

All my passwords, over 300 so memorizing is out of the question, are stored locally with RoboForm. Also, RoboForm enters the passwords so the clipboard doesn't get used, and no typing the passwords, so they're safe from keyloggers. The master password could be gotten, but not any of the others. Screen capture software would work, but really that is a bit of a stretch.

1492, have you worked with RoboForm any and tested its capabilities? I'd be curious to know how it fared.

Nothing is perfect, but sometimes you just have to do the best you can.


If you get the master password for RoboForm, you're done; you can read every single password in RoboForm, at least in the version I am using.

fj12ryder
Explorer III
An excellent example of why storing sensitive data "in the cloud" is not necessarily the best idea.

All my passwords, over 300 so memorizing is out of the question, are stored locally with RoboForm. Also, RoboForm enters the passwords so the clipboard doesn't get used, and no typing the passwords, so they're safe from keyloggers. The master password could be gotten, but not any of the others. Screen capture software would work, but really that is a bit of a stretch.

1492, have you worked with RoboForm any and tested its capabilities? I'd be curious to know how it fared.

Nothing is perfect, but sometimes you just have to do the best you can.
Howard and Peggy

"Don't Panic"

bob_nestor
Explorer III
sch911 wrote:
Always thought passwords should be stored in one's brain, which short of torture or waterboarding is pretty secure. Why do people use these things? Laziness?


When I worked in Defense, the rule was that every account one had on classified computers had to have a different password, which needed to be changed every 90 days and couldn't be reused. The company extended this rule to all computers, even the unclassified ones. It's virtually impossible to keep up with all the passwords, especially when one has accounts on a dozen or more systems. And to make matters even worse, if you wrote the password down or stored it in a file or password keeper app and that password was for a classified account, the record of the password was itself classified and had to be treated as such.

The hilarious part of this was that the Corporate Security Officer had to have access to every classified computer's BIOS and Administrator accounts. Realizing she couldn't remember the thousands of passwords required and couldn't meet the requirement of changing them every 90 days, she created an exception to the rule for herself. All her passwords on all computers were set the same and never changed!

TakingThe5th
Explorer
I too have many passwords to remember and have to write them down, but I write down clues instead of passwords to remind me. No matter where or how I store them, I get that extra layer of protection.
TakingThe5th - Chicago, Western Suburbs
'05 Ford F350 Crew 6.0 DRW Bulletproofed. Pullrite Super 5th 18K 2100 hitch.
'13 Keystone Cougar 333MKS, Maxxfan 7500, Progressive EMS-HW50C, Grey Water System.

bwanshoom
Explorer
sch911 wrote:
Always thought passwords should be stored in one's brain, which short of torture or waterboarding is pretty secure. Why do people use these things? Laziness?



Good operational security dictates not reusing a password for more than one account. It also says one should use a complex password.

I have upwards of 400 logins at various places. My memory is not what it used to be, so remembering 400 complex passwords is impossible.
2010 Cougar 322 QBS
2008 Chevy Silverado 2500HD LMM CC/SB 4x4 LTZ
Pullrite SuperGlide 18K