LastPass.com Breach
If you use LastPass you should read this blog post announcing they were breached: https://blog.lastpass.com/2015/06/lastp ... tice.html/
You should probably change your password. And, if you haven't already, consider using 2 Factor Authentication (there is a link in the blog post explaining how).
Re: LastPass.com Breach
Great. I literally just started using this service 3 days ago, after a BH recommended it.
Thanks for sharing.
Re: LastPass.com Breach
neuro84 wrote:
Great. I literally just started using this service 3 days ago, after a BH recommended it.

It could be worse. You could have put a large lump sum into TSM only to watch the stocks sharply declining a few days later.
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
Could have been (much) better. You could have gone with KeePass which only stores your encrypted info locally, as on your computer or external drive. I knew a breach of this sort would be possible with LastPass which is why I decided against any service where my information would leave my control. KeePass is an outstanding PW manager IMO.
Re: LastPass.com Breach
For perspective, here is an ArsTechnica report (http://arstechnica.com/security/2015/06 ... passwords/) on the breach. Overall, your data should be very safe.
Re: LastPass.com Breach
tech_arch wrote:
For perspective, here is an ArsTechnica report (http://arstechnica.com/security/2015/06 ... passwords/) on the breach. Overall, your data should be very safe.

Ah, the magic words: "should be". Just like my name, SS #, DOB, address, and other pertinent personally identifying information "should have been" safe with Anthem. Until it wasn't. I would never trust my financial future to a cloud based password manager. Not ever.
- TimeRunner
Re: LastPass.com Breach
"Did you salt that password hash 60,000 times, or maybe it was only 50,000. To tell you the truth, I forgot myself in all this excitement."
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Re: LastPass.com Breach
Ahhhhhh I was just about to buy this.
Man is there anything out there that is both safe AND convenient? I currently have Keepass on my home computer and on a jump drive. I take the jump drive with me anywhere I need to access this information. I am okay with that, but it is kind of cumbersome. I tried to have my family members do this method and they refused. What are their best options? I was looking at lastpass and 1password.
Re: LastPass.com Breach
IMHO, LastPass is still one of your safest options, as long as you are using a strong password for your vault and you don't use this same password anywhere else. I agree it is probably less safe than if you only had a single copy of your encrypted password database stored in only one location that is presumably kept as secure as possible, but that's an awful lot less convenient. I use LastPass from my PC, laptop, work computer, Windows Phone, iPad, and occasionally from my parents' computers while visiting them.
Keep in mind:
The vault is always encrypted on the LastPass servers, using your strong password. LastPass never receives your password.
The locally cached copies of your vault (which you may have if you've chosen to install the browser add-ons or standalone app) are also encrypted on disk at all times.
LastPass said that the vaults were not accessed in this particular attack. If I recall, a few years back, there was an attack where the attackers did potentially have access to the vaults -- but as always, they'd only have your encrypted vault and would need to know your e-mail and guess your password to decrypt.
Using LastPass or other similar password vaults/keepers is WAY more secure than trying to remember the password to each service you use, because it lets you use cryptographically random, long, unique passwords for each of your accounts.
Re: LastPass.com Breach
This "breach" really is no big deal
It'd be near impossible to get your data anyways because lastpass themselves can't access it
Systems Engineer
Re: LastPass.com Breach
Gemini wrote:
Ahhhhhh I was just about to buy this.
Man is there anything out there that is both safe AND convenient?

A commonly stated aphorism is "the only things that are truly secure are unusable".
Personally the idea of putting my password file out on the 'cloud' makes me break out into a cold sweat. There are just too many things that could go wrong.
Re: LastPass.com Breach
If it's not cloud available, it's a pain to use. If it is cloud available, then it's at risk of brute force attacks after breach.
The only "safe" method is to create a system where brute forcing takes longer than your lifespan to crack, and then rotate passwords.
Problem with that is remembering your long password.
Systems Engineer
Re: LastPass.com Breach
Angelus359 wrote:
This "breach" really is no big deal
It'd be near impossible to get your data anyways because lastpass themselves can't access it

That can't be true for sure; employees have access to the data, otherwise how can they provide support, etc...
Re: LastPass.com Breach
Angelus359 wrote:
If it's not cloud available, it's a pain to use. If it is cloud available, then it's at risk of brute force attacks after breach.
The only "safe" method is to create a system where brute forcing takes longer than your lifespan to crack, and then rotate passwords.
Problem with that is remembering your long password.

You can use your favorite songs, e.g.,
Yesterday*all*my*troubles*seemed*so*far*away
is long and memorable.
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
Gemini wrote:
Ahhhhhh I was just about to buy this.
Man is there anything out there that is both safe AND convenient? I currently have Keepass on my home computer and on a jump drive. I take the jump drive with me anywhere I need to access this information. I am okay with that, but it is kind of cumbersome. I tried to have my family members do this method and they refused. What are their best options? I was looking at lastpass and 1password.

I'm sure someone will chime in to tell me why this isn't as secure as I think it is, but I keep my KeePass file synched in Dropbox. You can set up KeePass to require both a password and a key file. If you lose either you can't open it. So I keep the file that requires the password in the cloud, and I keep the key file local on each machine I want to access the file on. If someone can crack the password, it doesn't matter since they can't recreate the key file.
Re: LastPass.com Breach
This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.
There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.
Re: LastPass.com Breach
ThankYouJack wrote:
This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.
There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.

Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
ThankYouJack wrote:
There are programs that store the encrypted files locally and sync all of your devices over wifi.

Such as?
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: LastPass.com Breach
VictoriaF wrote:
Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?

What would be the downside? I'd be more concerned about losing my phone than the consequence of someone logging into BH as me.
I always wanted to be a procrastinator.
Re: LastPass.com Breach
stan1 wrote:
  ThankYouJack wrote:
  There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?

Not sure what Jack means but I use Keepass and store the file in a Dropbox folder which synchs on all my devices. There is an Android Keepass app that can open the KP database.
I always wanted to be a procrastinator.
Re: LastPass.com Breach
Using keepass with Dropbox is less secure than lastpass, lol
It's still doing the same thing!
Oh, as to lastpass providing support... They can't reset your password. If you lose it, it's gone.
Systems Engineer
Re: LastPass.com Breach
Sidney wrote:
  VictoriaF wrote:
  Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?
What would be the downside? I'd be more concerned about losing my phone than the consequence of someone logging into BH as me.

The iPhone would store hundreds of your passwords, not just the Bogleheads one. If the phone is lost or stolen all these passwords would be compromised. On the other hand, if you don't put passwords on the iPhone, you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
Angelus359 wrote:
Using keepass with Dropbox is less secure than lastpass, lol
It's still doing the same thing!

Possibly, although they would have to be targeting my Dropbox folder (probably a less rich target), know or figure out the name of the db file amongst all the other chaff in the folder and finally, they wouldn't get user names for accounts - I don't store those with passwords.
I always wanted to be a procrastinator.
Re: LastPass.com Breach
Sidney wrote:
  stan1 wrote:
    ThankYouJack wrote:
    There are programs that store the encrypted files locally and sync all of your devices over wifi.
  Such as?
Not sure what Jack means but I use Keepass and store the file in a Dropbox folder which synchs on all my devices. There is an Android Keepass app that can open the KP database.

Yep, that's syncing the encrypted data file over the cloud. LastPass does have a big bulls eye painted on them because of the type of data they store. I think I can go along with the idea that an individual who is not high profile is probably better off with a properly encrypted file on Dropbox than LastPass. High profile individuals who might be targeted for a spear phishing attack might be better off on LastPass (celebrity or holder of intellectual property/insider information such as a C-level executive, director of international sales, etc.) although I'm pretty sure such individuals should follow the Hillary Clinton model of putting their own server in the basement rather than using the cloud.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: LastPass.com Breach
VictoriaF wrote:
you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.

Of course you can. I read them all the time without logging in.
I always wanted to be a procrastinator.
Re: LastPass.com Breach
Angelus359 wrote:
Oh, as to lastpass providing support... They can't reset your password. If you lose it, it's gone.

Are you saying you want LastPass to put in a backdoor so they can reset your master password?
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
Re: LastPass.com Breach
VictoriaF wrote:
  ThankYouJack wrote:
  This is why I never store important passwords on the cloud based password manager. I don't care how many times it's been hashed, salted or peppered. There's always a chance for a breach, brute force, man-in-the-middle, or a number of other things that could go wrong.
  There are programs that store the encrypted files locally and sync all of your devices over wifi. It's very convenient and more secure.
Let's say that you have a complex password to access the Bogleheads site: $$&D@#se93w34@$seiw3bnaSEEE133s or something similarly memorable. You travel to Spain and want to access the Bogleheads on your iPhone via WiFi at your hotel. Will you store your passwords on the iPhone? What if your iPhone is lost or stolen?

Speaking of which... LastPass also enables access to be restricted by country. Obviously, hackers can work around that if they knew what the country was. With multiple financial and banking sites long strong passwords (no redundancy) seemingly require something on paper or hanging a mini USB around your neck or on your keychain. I see the paper or secondary USB approach as more of a hazard than additional security.
Re: LastPass.com Breach
Sidney wrote:
  VictoriaF wrote:
  you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
Of course you can. I read them all the time without logging in.

Touché!
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
2015 wrote:
Could have been (much) better. You could have gone with KeePass which only stores your encrypted info locally, as on your computer or external drive. I knew a breach of this sort would be possible with LastPass which is why I decided against any service where my information would leave my control. KeePass is an outstanding PW manager IMO.

I had the same reasoning against LastPass. You can sync your KeePass file across PCs via Google Drive/Dropbox, but again, you are putting that into the cloud, although you'd have to be specifically targeted for your password file. In that case you should use a 'keyfile' together with a password.
P.S. As an exercise, I tried cracking a WinRAR password once (a year ago or so). I think it went at something like 8 guesses/second. Would've taken many, many years to go through all combinations to guess an 8-character password. Today's crackers are more efficient, but it would still take them a long time to brute-force LastPass passwords.
Re: LastPass.com Breach
I use KeePass and keep my database file synced in the cloud with Dropbox. My master password is 20+ characters long, complicated, and not used anywhere else, so I don't worry about anyone cracking it unless I had a keylogger installed on one of my devices.
Re: LastPass.com Breach
stan1 wrote:
  ThankYouJack wrote:
  There are programs that store the encrypted files locally and sync all of your devices over wifi.
Such as?

1password
I would think there are others too. I'm surprised Keepass doesn't have this option
Re: LastPass.com Breach
My two cents.
The best reasonable option is to use Keepass and store the database file on your local PC. You can keep a backup on a private cloud storage, such as Google Drive or even Dropbox, but do not keep a publicly accessible link and do not allow syncing.
Do not re-use passwords across sites.
Do not use dictionary words as your password.
Do not use phrases from songs as your password.
Use the generated random password from Keepass. It should be 20+ characters long, upper-case, lower-case, digits.
Some have mentioned using a public Dropbox url to sync with the intention of security-through-obscurity, but this is like leaving a key under the house mat. Yes, the Keepass file is well encrypted, but still. I always recommend being very careful about what files you make publicly accessible over cloud storage - and your password manager database is not one of them.
I realize it's a pain to download the Keepass database to your mobile device (using iTunes and a local file) and any other PCs that you use, but that's the price to pay for security.
Re: LastPass.com Breach
VictoriaF wrote:
The iPhone would store hundreds of your passwords, not just the Bogleheads one. If the phone is lost or stolen all these passwords would be compromised.

If your phone is stolen:
1. You should do a remote wipe (deletes everything on it).
2. Rest assured that the thief would need to know 2 of your passwords to access them
3. Change your financial and some other important passwords if you're still concerned
Re: LastPass.com Breach
surfer1 wrote:
Do not use phrases from songs as your password.

Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)
Re: LastPass.com Breach
VictoriaF wrote:
  Sidney wrote:
    VictoriaF wrote:
    you can't read the Bogleheads in your dental office because you can't possibly remember a password like the one I produced above.
  Of course you can. I read them all the time without logging in.
Touché!

While we all like security, a password for Bogleheads and a password for Vanguard have very different requirements IMHO.
Re: LastPass.com Breach
I still haven't seen anyone post anything to make me believe using Keepass synced through Dropbox with a required local key file isn't the best compromise of safety and convenience. Again, even if they can crack the password they can't replicate the key file.
Re: LastPass.com Breach
I use LastPass with YubiKey Authentication. That seems fairly secure to me.
BobK
In finance risk is defined as uncertainty that is consequential (nontrivial). |
The two main methods of dealing with financial risk are the matching of assets to goals & diversifying.
Re: LastPass.com Breach
This is nothing. It's a non-event, other than that I will probably change my master password, which I intended to do anyway. The LastPass service was designed with the expectation that this sort of "breach" was going to happen. It's not a surprise to anyone, including the developers. That's why your passwords are encrypted before they leave your machine.
I repeat: this is expected, and that expectation informed the design of the service. As long as you used a strong master password, you're fine.
Darin
Re: LastPass.com Breach
simmias wrote:
I still haven't seen anyone post anything to make me believe using Keepass synced through Dropbox with a required local key file isn't the best compromise of safety and convenience. Again, even if they can crack the password they can't replicate the key file.

Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.
Darin
Re: LastPass.com Breach
surfer1 wrote:
Some have mentioned using a public Dropbox url to sync with the intention of security-through-obscurity, but this is like leaving a key under the house mat. Yes, the Keepass file is well encrypted, but still. I always recommend being very careful about what files you make publicly accessible over cloud storage - and your password manager database is not one of them.

You don't need to make your Keepass file publicly accessible to download it to a mobile.
In iOS you can just go into your Dropbox app and download it into your Keepass app. In Android you can do the same, or you can give an app permission to access the Dropbox app. In neither case are you making your Keepass database publicly available through a URL.
Re: LastPass.com Breach
Drain wrote:
Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.

It depends on what your definition of 2FA is. If you define it as something you have and something you know, it fits the definition quite well. (I know my password and I have my keyfile).
I'm not worried about someone brute forcing or guessing my keyfile. You would have a better chance of just guessing the 6 digit number that is normally used for 2FA.
Re: LastPass.com Breach
I'm actually a LastPass user, but noted that several KeePass users in this thread lamented using a cloud service like Dropbox to sync the necessary file to all devices, with some saying the process had no advantage over using a cloud based password service.
I can't help but suggest BitTorrent Sync for this. It lets you sync to all your devices without putting it up on the cloud. (The devices need to be awake at the same time as the most recently updated one in order for the sync to work, since there's no "always on" cloud storage.) I think KeePass users should consider it.
Re: LastPass.com Breach
Ice-9 wrote:
I can't help but suggest BitTorrent Sync for this. It lets you sync to all your devices without putting it up on the cloud. (The devices need to be awake at the same time as the most recently updated one in order for the sync to work, since there's no "always on" cloud storage.) I think KeePass users should consider it.

The devices needing to be awake at the same time is a bit of a hassle. And on iOS you actually need to open up the BitTorrent Sync app for syncing to occur (unless that has changed with a recent update).
With Dropbox you know you'll be able to get the most up to date version as long as you have internet access.
Re: LastPass.com Breach
Trust the math.
I'm not changing my password (other than on my usual schedule). Good luck brute forcing the hash. I don't recall the exact amount of entropy, but it's 80+ bits. Estimators that don't know how the password was generated think it's 120 bits.
Your password material is only as secure as the math used to hash and encrypt it. Doesn't matter whether you used LastPass or KeePass or 1Password. If you don't trust the math don't use any of them.
Last edited by CAP_theorem on Tue Jun 16, 2015 11:48 am, edited 1 time in total.
- TimeRunner
Re: LastPass.com Breach
I use Lastpass along with Google Authenticator app on my smartphone. Like Yubikey, etc, it's something you know (username/pw) and something you have (the Auth software which generates a new code every 30 seconds with my instance of the Auth software tied to Lastpass). It seems like a good combo, and I like LP's security model.
Of course LP is a target. So is the US Treasury and US OPM. Well, OK, maybe not the best example.
One cannot enlighten the unconscious. | "All I need are some tasty waves, a cool buzz, and I'm fine." -Jeff Spicoli
Re: LastPass.com Breach
jchef wrote:
  Drain wrote:
  Isn't a key file just another long, static password? If so, it's inadequate as a second authentication factor. But I've never used one, so perhaps I'm misunderstanding what it is.
It depends on what your definition of 2FA is. If you define it as something you have and something you know, it fits the definition quite well. (I know my password and I have my keyfile).
I'm not worried about someone brute forcing or guessing my keyfile. You would have a better chance of just guessing the 6 digit number that is normally used for 2FA.

But what is the advantage over simply having your primary password be long and strong?
I think keyfiles were probably useful in the days when password rules severely limited strength and there were no options for second factors. The keyfile was essentially your "true" password. But if a keyfile is just another strong password, it is not a substitute for a legitimate second factor.
The point of a second factor is to help protect you in case your primary factor is stolen. A keyfile can be stolen the same ways a password can be. It is not really "something you have" in the sense that people mean. If you use a Yubikey, for example, the Yubikey produces one-time passwords that only it could produce. They prove that the person attempting to authenticate has the single, specific, only device that could produce them. This is not the case with a keyfile, since it can be intercepted during transmission and then replicated.
Having something like Google Authenticator on your smartphone is similar to the Yubikey example. The one-time codes it gives you serve as proof that you have that specific phone in your possession.
Darin
Re: LastPass.com Breach
Drain wrote:
But what is the advantage over simply having your primary password be long and strong?

The same advantage as using Google Authenticator or a Yubikey. If someone gets hold of my database and knows my password that's still not enough for them to open the database. They need something else.

Drain wrote:
A keyfile can be stolen the same ways a password can be.

True. But your phone running Google Authenticator can also be stolen.
Perfect security doesn't exist, but you can still take steps to strengthen your security. By using a keyfile, I'm comfortable loading my Keepass database into the cloud. Because if someone breaks into the cloud, steals the database and for some reason knows the database password, they still don't have enough to open the database. They don't have the keyfile, because I don't store it in the cloud.
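Two claims argued over in this thread can be made concrete in one piece of code: the earlier point that the vault is encrypted on the client with a key derived from the master password, so the server never receives the password itself, and the password-plus-key-file arrangement simmias and jchef describe. The following is an added Python example written for this page; it is not LastPass or KeePass code. The composite-key step is loosely modelled on KeePass's construction and the login-hash step on the general client-side design the thread describes, but the round count, the use of the account e-mail as salt, the toy hash-counter cipher standing in for AES, and every sample input are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameter for this illustration; not a constant LastPass or KeePass uses.
KDF_ROUNDS = 100_000


def composite_key(password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the master password and an optional key file into one 32-byte secret.

    Each component is hashed on its own and the hashes are concatenated before the final
    hash, so a password alone cannot stand in for password-plus-key-file (assumed
    construction, loosely modelled on the KeePass composite key).
    """
    parts = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def vault_key(password: str, keyfile: Optional[bytes], salt: bytes) -> bytes:
    """Stretch the composite secret with PBKDF2-HMAC-SHA256.

    Whoever steals the encrypted vault must repeat KDF_ROUNDS hash calls per guess; this is
    the "hashed 60,000 times" idea joked about earlier in the thread.
    """
    return hashlib.pbkdf2_hmac("sha256", composite_key(password, keyfile), salt, KDF_ROUNDS, dklen=32)


def login_hash(vkey: bytes, password: str) -> bytes:
    """The value a cloud service stores to check logins.

    It is derived from the vault key, so the server can verify a login without ever seeing
    the master password and without holding anything that decrypts the vault.
    """
    return hashlib.pbkdf2_hmac("sha256", vkey, password.encode("utf-8"), 1, dklen=32)


def _keystream(vkey: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-counter keystream: a toy stand-in for AES so the example needs only the stdlib."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(vkey + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(vkey: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the client; only the resulting blob ever leaves the machine."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vkey, nonce, len(plaintext))))
    tag = hmac.new(vkey, nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def open_vault(vkey: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong (the tag check fails first)."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vkey, nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(vkey, nonce, len(ciphertext))))


def demo() -> dict:
    """Walk through the scenarios debated in the thread with constructed inputs."""
    email = b"user@example.com"                   # constructed; doubles as the KDF salt
    password = "correct horse battery staple"     # constructed master password
    keyfile = os.urandom(64)                      # constructed key file, kept off the cloud
    entry = b"vanguard.com: constructed-sample"   # constructed vault entry

    vkey = vault_key(password, keyfile, email)
    blob = seal(vkey, entry)                      # this blob is what Dropbox or LastPass holds
    server_side = login_hash(vkey, password)      # and this is all the server needs for logins

    return {
        "password + key file opens vault": open_vault(vkey, blob) == entry,
        "password without key file opens vault": open_vault(vault_key(password, None, email), blob) is not None,
        "password + wrong key file opens vault": open_vault(vault_key(password, os.urandom(64), email), blob) is not None,
        "server verifies login from stored hash": hmac.compare_digest(server_side, login_hash(vkey, password)),
        "stored login hash equals vault key": server_side == vkey,
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

`demo()` reports which combinations open the vault: only the right password together with the right key file does, and the value the server keeps for login neither equals nor yields the vault key. The construction shows what jchef is relying on, a second secret that never travels with the vault, and leaves Drain's objection untouched: the key file is static, so a copy of it is as good as the original.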
- Epsilon Delta
Re: LastPass.com Breach
VictoriaF wrote:
  surfer1 wrote:
  Do not use phrases from songs as your password.
Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.

Because there are only so many songs in the world, and it's not enough.
One estimate is that counting garage bands and all there are only 97 million, perhaps a million available on iTunes, probably a couple of thousand that have made the charts.
A clever brute force attack will start with the songs on the charts and work out from there, but your example was the Beatles, so it's one of the first 100 or so they try. Game over. But even 97 million songs is only 27 bits.
You'll argue that you modified the song by using an asterisk for space. But how many ways can you modify the song? Different characters for space, using first letters, second letters, camel case, backward, ... . Can you even come up with a thousand? That would be another 10 bits. So we're up to 37 bits. Current estimates are that you need 60 bits to protect against criminal gangs.
Your song is a weak password, as long as the people attacking it know that you used a song as the base and modified it in some way. They can know this either because you tell them how you pick a password, or because there are popular websites that tell people this is a good way to pick a password. The attacker simply bets that some people follow that advice and breaks the passwords of some of the people who do.
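Epsilon Delta's arithmetic above, carried through as an added Python example that is not part of the post: entropy as the base-2 logarithm of the candidate count, so each independent choice (song, line, mangling) adds its own bits, and the expected cracking time at a given guess rate. The 8 guesses per second figure is the WinRAR anecdote from earlier in the thread; the 1,000,000 guesses per second rate and the 62-symbol alphabet are assumptions made here for comparison, and the function names are mine.

```python
import math

SECONDS_PER_YEAR = 365.25 * 86400


def entropy_bits(candidates: float) -> float:
    """Bits of entropy for a uniform choice among `candidates` possibilities."""
    return math.log2(candidates)


def passphrase_entropy(songs: int, lines_per_song: int = 1, mutations: int = 1) -> float:
    """Entropy of a song-based passphrase when the attacker knows the recipe.

    Multiplying the choices is the same as adding their log2 values: pick a song, pick a
    line within it, pick one of the known ways to mangle it (asterisks for spaces, camel
    case, first letters, and so on).
    """
    return entropy_bits(songs * lines_per_song * mutations)


def random_password_entropy(length: int, alphabet_size: int) -> float:
    """A generator that picks every character uniformly gives log2(alphabet) bits per character."""
    return length * entropy_bits(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Average time to find the secret: half the keyspace at the given guess rate.

    This is the optimistic case for the attacker, who is assumed to know the scheme and
    therefore enumerate only its candidates rather than all strings of that length.
    """
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


def thread_scenarios() -> dict:
    """The numbers argued over in the thread, plus two guess rates for scale."""
    slow = 8            # from the WinRAR anecdote earlier in the thread
    fast = 1_000_000    # constructed: an offline attack against a stretched hash
    return {
        "97M songs": passphrase_entropy(97_000_000),
        "97M songs x 1000 mutations": passphrase_entropy(97_000_000, mutations=1000),
        "100M songs x 10 lines": passphrase_entropy(100_000_000, lines_per_song=10),
        "20 random chars, 62-symbol alphabet": random_password_entropy(20, 62),
        "years @ 8/s for 37 bits": expected_crack_years(37, slow),
        "years @ 1M/s for 37 bits": expected_crack_years(37, fast),
        "years @ 1M/s for 60 bits": expected_crack_years(60, fast),
    }


if __name__ == "__main__":
    for label, value in thread_scenarios().items():
        print(f"{label}: {value:,.2f}")
```

The point the numbers make is that adding ten lines per song or a thousand manglings adds only three or ten bits, while a 20-character string drawn uniformly from letters and digits sits near 119 bits; and that a rate of 8 guesses per second makes even 37 bits look safe for centuries, which is why the guess rate matters as much as the bit count when reasoning about a stolen, stretched hash.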
Re: LastPass.com Breach
Epsilon Delta wrote:
  VictoriaF wrote:
    surfer1 wrote:
    Do not use phrases from songs as your password.
  Why not? A phrase from a song seems like an ideal passphrase. It's long. You can easily remember it. It does not have to be your favorite song so that you won't accidentally mention it in Facebook. You can customize it, e.g., by inserting special characters between words as I did above, so that a hacker trying all possible songs would still have to guess the wild card.
Because there are only so many songs in the world, and it's not enough.
One estimate is that counting garage bands and all there are only 97 million, perhaps a million available on iTunes, probably a couple of thousand that have made the charts.
A clever brute force attack will start with the songs on the charts and work out from there, but your example was the Beatles, so it's one of the first 100 or so they try. Game over. But even 97 million songs is only 27 bits.
You'll argue that you modified the song by using an asterisk for space. But how many ways can you modify the song? Different characters for space, using first letters, second letters, camel case, backward, ... . Can you even come up with a thousand? That would be another 10 bits. So we're up to 37 bits. Current estimates are that you need 60 bits to protect against criminal gangs.
Your song is a weak password, as long as the people attacking it know that you used a song as the base and modified it in some way. They can know this either because you tell them how you pick a password, or because there are popular websites that tell people this is a good way to pick a password. The attacker simply bets that some people follow that advice and breaks the passwords of some of the people who do.

I don't need to choose the title of a song as my password, it can be a line (or two). If we have 100m songs, and each song has an average of 10 unique lines, we have 1B lines. I can combine lines of different songs, I can add symbols at the end and beginning of songs, I can increase the number of spaces between words from 1 to 2. I want to make the brute force on songs as difficult as the brute force on random text.
Victoria
Inventor of the Bogleheads Secret Handshake |
Winner of the 2015 Boglehead Contest. |
Every joke has a bit of a joke. ... The rest is the truth. (Marat F)