Argonath RPG - A World of its own

Community => News and Announcements => Topic started by: Teddy on April 08, 2015, 11:44:00 pm

Title: Account Security Reminder 2015
Post by: Teddy on April 08, 2015, 11:44:00 pm
Hello,

This is another reminder about your account security. This shouldn't apply to just Argonath but in general any form of digital account you own. Today we live in an era where virtually everything about us exists somewhere on the Internet in a database and to ensure that we aren't the source of that information falling into the wrong hands, or being accessed by someone with malicious intent, we need to protect our accounts and in turn protect our digital footprint.

Here are the same old common password tips:

* Never share your password with anyone.
* Never use a password that is a plain text word (e.g "password", "cookies", "boobs"), phrase ("Iambred", "Ilovepie"), statement ("thequickbrownfoxjumpedoverthefence"), or personally relatable (pet's name, date of birth, government id, etc)
* Never use the same password on more than one, or two at most, sites. (note for sensitive accounts like banking; use a unique password per account)
* Never store passwords on a non-airgapped machine (does not connect to Internet/Network at any point), or in plain-text.
* Never write passwords down (on paper (wtf is paper?)) in a place they can be easily accessed.
* Change passwords frequently. For sensitive accounts (e.g banking), at least every 30 days; for everything else at least every 90 days.
* Never trust anything with absolute certainty, there is no such thing as absolute security.

Generate Secure Passwords
https://www.random.org/passwords/ (use at least 12 characters)
http://passwordsgenerator.net/ (use at least 12, recommends 16 which is also fine, and ensure "generate client side" is selected)
https://identitysafe.norton.com/password-generator/ (right sidebar has generator, use default checkboxes, increase size to at least 12)
https://lastpass.com/generatepassword.php (use 12 length)

Recommended Password Manager: Lastpass

I've been a premium member for over a year now and I use it for everything including my multiple real life bank accounts, credit card sites, and Argonath sites. I generally use randomly generated passwords with at least 20 characters in length. In addition I use Google Authenticator and it requires I authenticate frequently. I've provided below recommended security settings to ensure it's safe. Do note your passwords are stored on the cloud but they are encrypted, and the encryption key is ALWAYS kept on the client side so the server can never decrypt your password. If you don't trust this, don't use it. You must have trust in such a system for it to work.
https://lastpass.com/

Notes: Use 10,000 (45,000 if not planning on using mobile / low end devices) password iterations w/ Google Authenticator. Ensure the setting is enabled requiring authenticated access, require re-two factor authentication to change/view raw passwords, and at least every 7 days on authenticated devices. If you use on a mobile device, ensure it has at least a PIN or password protection; do not use pattern or facial recognition. Change your master password to something incredibly secure that you can remember, and ensure you change the password at least every 30 days, 60 at maximum.

Additional Notes
+ Ensure websites are using SSL (on most browsers you'll see a green lock in the URL). For sites without SSL, ensure it has a unique password.
+ Never enter your password directly from an email. If you get an email from a company, always manually navigate to their site and authenticate.
+ No company, game, or entity will EVER ask you for your password; this includes Argonath and its staff.
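
A sketch of what the "password iterations" setting in the notes above controls, added here as an example and not LastPass's own code: the master password is stretched into the vault key on the client, and only a further one-way value is sent to the server. PBKDF2-HMAC-SHA256, the account id used as salt, the verifier step and the sample credentials are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, account_id: str, iterations: int) -> bytes:
    """Client side: stretch the master password into the vault key.

    account_id is used as the salt (an assumption for this sketch).
    The result never leaves the client.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        account_id.encode("utf-8"),
        iterations,
        dklen=KEY_LEN,
    )


def derive_login_verifier(vault_key: bytes, master_password: str) -> bytes:
    """Client side: the value presented to the server at login.

    It is one more one-way step away from the vault key, so a server that
    stores it can check a login but cannot compute the key from it.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN
    )


def server_check(stored_verifier: bytes, presented: bytes) -> bool:
    """Server side: constant-time comparison of verifiers."""
    return hmac.compare_digest(stored_verifier, presented)


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Best-of-N time for one key derivation on this machine.

    Every offline guess at the master password costs one such derivation,
    so the iteration count scales the cost of guessing linearly.
    """
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_vault_key("constructed-guess", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed sample credentials, not real ones.
    password, account = "constructed master password", "user@example.com"
    key = derive_vault_key(password, account, 10_000)
    verifier = derive_login_verifier(key, password)
    print("vault key stays on client:", key.hex()[:16], "...")
    print("server stores verifier   :", verifier.hex()[:16], "...")
    for n in (1, 10_000, 45_000):
        print(f"{n:>6} iterations: {seconds_per_guess(n) * 1000:.2f} ms per guess")
```

The timing loop shows why the thread's two settings differ mainly in cost per guess: it rises with the iteration count for the attacker and for a slow mobile device alike.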
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 09, 2015, 12:00:56 pm
Recommended Password Manager: Lastpass

I've been a premium member for over a year now and I use it for everything including my multiple real life bank accounts, credit card sites, and Argonath sites. I generally use randomly generated passwords with at least 20 characters in length. In addition I use Google Authenticator and it requires I authenticate frequently. I've provided below recommended security settings to ensure it's safe. Do note your passwords are stored on the cloud but they are encrypted, and the encryption key is ALWAYS kept on the client side so the server can never decrypt your password. If you don't trust this, don't use it. You must have trust in such a system for it to work.
https://lastpass.com/


Password managers are not safe at all. You have bank accounts, credit cards and everything else up there, and your passwords are random so I doubt that you remember every single one of them (If you did, that would defeat the purpose of the password manager anyway).

I'll try to make a formal definition of the assumption here,
So, the assumption made here is that instead of logging onto x different sites from y different devices (Assuming that using another operating system on the same device qualifies as a separate device), you are less at risk by using a password manager rather than using different passwords for different sites.

But here's the thing, this would imply that using your own x passwords instead of a password manager is less safe. Which would then imply that at least one of your x passwords can be compromised. Yet, by using a password manager that password won't be compromised. But how will you authenticate to the password manager?
Afaik, lastpass does not permit you to login without a master password. This means that you still had to enter your master password on that device.

So if the device has a keylogger, instead of getting your password for your bank, it has your master password, with your password for everything instead. If someone looked over your shoulder to see you type in the password to your bank, he has now seen you type in the master password to your password manager.
So on the overall, if you used separate passwords then you would only risk the loss from that single website which is compromised. On the other hand, if you use a password manager, you now have the same risk of getting your password stolen, as getting it stolen is not in any way in the hands of the password manager but owes to external factors (Keylogging, social engineering or just peeping over the shoulder). So all in all, password managers are the most retarded inventions that have managed to stick around. What's more is that people keep using (And recommending) password managers without ever actually thinking of how secure they are. This gives them a false sense of security which might even make them more lenient in their safety, putting them at even more risk.

Please stop recommending password managers. They are just a fancy excuse to have the same password for 30 different sites.

Edit: Not to mention the fact that with password managers you also lose another factor of security. Instead of trying to hack into your password manager the attacker could also try to hack into your email. Using security questions most likely but there are plenty of other ways too. If they did get access to your email they would be able to reset all your passwords but important ones like Banks wouldn't let them reset the password with reset emails. If you can recover the password manager's password (Even if the password manager sends a hint instead of a reset email, you can still use the hint to drastically increase your chances) then you can also get into the target's banks and other things the banks were smart enough to prevent resetting for this very reason. Not to mention the fact that it's much much easier to just get your master password and then your bank accounts directly.
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 09, 2015, 12:06:59 pm
Password Managers work on the basis that having a single point of failure (the manager) is better than having multiple points of failure across the internet. If you use the same password for like 10 different things, then they are ALL points of failure for each other.
At the end of the day there is always going to be a single point of failure unless you have a pretty complex system or an extraordinarily good memory, and even then email reset systems introduce a single point of failure that you can't get rid of.

The best method is to have a system only you can understand with a key list of modifiers kept somewhere safe (but in such a way that the list itself isn't useful to anyone but you).
Title: Re: Account Security Reminder 2015
Post by: Marcel on April 09, 2015, 12:13:51 pm
Password managers are not safe at all. You have bank accounts, credit cards and everything else up there, and your passwords are random so I doubt that you remember every single one of them (If you did, that would defeat the purpose of the password manager anyway).

I'll try to make a formal definition of the assumption here,
So, the assumption made here is that instead of logging onto x different sites from y different devices (Assuming that using another operating system on the same device qualifies as a separate device), you are less at risk by using a password manager rather than using different passwords for different sites.

But here's the thing, this would imply that using your own x passwords instead of a password manager is less safe. Which would then imply that at least one of your x passwords can be compromised. Yet, by using a password manager that password won't be compromised. But how will you authenticate to the password manager?
Afaik, lastpass does not permit you to login without a master password. This means that you still had to enter your master password on that device.

So if the device has a keylogger, instead of getting your password for your bank, it has your master password, with your password for everything instead. If someone looked over your shoulder to see you type in the password to your bank, he has now seen you type in the master password to your password manager.
So on the overall, if you used separate passwords then you would only risk the loss from that single website which is compromised. On the other hand, if you use a password manager, you now have the same risk of getting your password stolen, as getting it stolen is not in any way in the hands of the password manager but owes to external factors (Keylogging, social engineering or just peeping over the shoulder). So all in all, password managers are the most retarded inventions that have managed to stick around. What's more is that people keep using (And recommending) password managers without ever actually thinking of how secure they are. This gives them a false sense of security which might even make them more lenient in their safety, putting them at even more risk.

Please stop recommending password managers. They are just a fancy excuse to have the same password for 30 different sites.
use a YubiKey together with LastPass, and you'll be pretty darn safe. https://lastpass.com/yubico/
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 09, 2015, 12:19:51 pm
use a YubiKey together with LastPass, and you'll be pretty darn safe. https://lastpass.com/yubico/

Irl friend/thief steals yubikey > Now they can steal a lot more than just your speaker and your TV.

Break up with ex > She takes your clothes and your bank balance.

Also, plant a virus on the target's computer > The virus can then steal the yubikey signatures and emulate the key to login wherever the hacker wants. Not to mention the fact that even a kid can easily open an invisible browser and do any transactions from that computer.

No matter how safe you make password managers, they are still less safe than just using your head and using proper passwords on different sites. Not to mention you save 50$. If you know anything about risk economy you'd know that given the risk of your accounts being hacked are nearly zero (And are multiplied a lot by using a password manager) you still save quite a bit of money.
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 09, 2015, 12:22:55 pm
Philip, how do you remember ~70 unique passwords?
Title: Re: Account Security Reminder 2015
Post by: Marcel on April 09, 2015, 12:26:41 pm
Irl friend/thief steals yubikey > Now they can steal a lot more than just your speaker and your TV.

Break up with ex > She takes your clothes and your bank balance.

Also, plant a virus on the target's computer > The virus can then steal the yubikey signatures and emulate the key to login wherever the hacker wants. Not to mention the fact that even a kid can easily open an invisible browser and do any transactions from that computer.

No matter how safe you make password managers, they are still less safe than just using your head and using proper passwords on different sites. Not to mention you save 50$. If you know anything about risk economy you'd know that given the risk of your accounts being hacked are nearly zero (And are multiplied a lot by using a password manager) you still save quite a bit of money.
Thief steals YubiKey -> deauth YubiKey, passwords safe. Thief steals password -> still needs YubiKey.
Title: Re: Account Security Reminder 2015
Post by: Kaze on April 09, 2015, 12:47:11 pm
I find the process to use programs very long for stuff like this. I use passwords that are easy to remember that I see every day. An example might be I have a lamp next to me so my password would be something like 1amp1997
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 09, 2015, 03:05:55 pm
Philip, how do you remember ~70 unique passwords?

Simple, keep the passwords in a manner that they can be kept safely.

I like to start with a phrase and just mutate it from there, so a password would become ILoveHorses.jump > IL0v3H0rs3s.pumj > 1L0v3H0r$3$>pUmJ. Now you only have to remember the phrase, which is much easier to remember. In general it's nice to have any two different phrases. Kaze and you both have already pointed towards the idea.

Thief steals YubiKey -> deauth YubiKey, passwords safe. Thief steals password -> still needs YubiKey.

You're asleep/Went out/Whatever > Thief broke in, took the yubikey and already wiped your bank balance a long time before you even found out.
Title: Re: Account Security Reminder 2015
Post by: Brian on April 09, 2015, 03:13:00 pm
You're asleep/Went out/Whatever > Thief broke in, took the yubikey and already wiped your bank balance a long time before you even found out.

One will not simply break in to a house of an Argonath player, steal his yubikey, crack his master password and then clean his bank account.
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 09, 2015, 03:27:14 pm
One will not simply break in to a house of an Argonath player, steal his yubikey, crack his master password and then clean his bank account.

What's so special about Argonath players?

Also stealing his yubikey is pretty straightforward. There is no reason whatsoever that a thief wouldn't try to take a giant pot of gold if he has the option to do it pretty safely. Except this time instead of a heavy pot of gold, it's a tiny pendrive/sd card.
Title: Re: Account Security Reminder 2015
Post by: Brian on April 09, 2015, 03:29:32 pm
What's so special about Argonath players?

Also stealing his yubikey is pretty straightforward. There is no reason whatsoever that a thief wouldn't try to take a giant pot of gold if he has the option to do it pretty safely. Except this time instead of a heavy pot of gold, it's a tiny pendrive/sd card.
If someone would even know how this would work, I doubt he'll break in to someone's house to steal that, as he would also know he'd need his master key and needs to do this fast enough to not get caught. Most banks do not allow transactions over a certain amount, so you should be rather safe.
I am not saying that I find the lastpass stuff a smart idea, but I rather think that your ideology of 'stealing it' has a few flaws in it.
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 09, 2015, 03:40:34 pm
If someone would even know how this would work, I doubt he'll break in to someone's house to steal that, as he would also know he'd need his master key and needs to do this fast enough to not get caught. Most banks do not allow transactions over a certain amount, so you should be rather safe.
I am not saying that I find the lastpass stuff a smart idea, but I rather think that your ideology of 'stealing it' has a few flaws in it.

Stealing it was just an example. I was just gonna post the part about jacking the signature (Or if you fail to do that, you can just use the virus you already have on the victim's computer to fire up an invisible browser on it and do your transactions from the victim's computer itself) but I figured that I should give a few more examples. Either way though, a friend could easily peep over your shoulders as you enter your master password and then steal your key.

Similarly, your girlfriend could easily find out your master password and take the yubikey with her when she leaves you. You can call your bank and a few other sites to have your account blocked but I doubt that you can just call them and they'll block it within seconds. By the time that you're done getting even one of your accounts blocked she has had more than enough time to swipe your bank and cards for the maximum limit.

These are just a few examples. I can think of many more where it still wouldn't be safe. Not to mention the fact that no matter the software you're running, just being smart about your passwords still beats it.
Title: Re: Account Security Reminder 2015
Post by: Nexxt on April 09, 2015, 03:49:51 pm
I find the process to use programs very long for stuff like this. I use passwords that are easy to remember that I see every day. An example might be I have a lamp next to me so my password would be something like 1amp1997

b4rb13leg1995
Title: Re: Account Security Reminder 2015
Post by: Teddy on April 09, 2015, 10:03:31 pm
Password managers are actually fairly secure; mainly one like LastPass where the encryption key is never uploaded nor stored on the client. If you understand the fundamentals of public key cryptography then it'd make more sense. Breaking the encryptions, mainly with 10,000 password iterations would take at least a year of work for even the most advanced of mainframes. NSA broke the keyspace in partnership with a University as a demonstration; it took two datacenters along with a supercomputer 4 months to do it. So if you change the master password at least once a month; you're golden and change all other passwords at least every 30/90 days (1 month/ 3 months). Granted you follow all other precautions such as a two factor authentication, re-authentication strategy, etc. As with two factor authentication; even if the key is broken you'd still need another origin to break and since as I recommended Google Authenticator; it isn't subject to common attacks that could bypass the TFA method.

If you use the manager just as is; without additional security measures then sure it'll only protect against site-specific targeting of passwords but not really a broad scale. But if you use it logically and with the additional security measures in place then you have a fairly trustworthy system.
Title: Re: Account Security Reminder 2015
Post by: Luke on April 10, 2015, 12:20:39 am
Just make sure your name isn't "Kaseem" and your password isn't "Kaseem"  :lol:
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 10, 2015, 10:55:52 am
Password managers are actually fairly secure; mainly one like LastPass where the encryption key is never uploaded nor stored on the client. If you understand the fundamentals of public key cryptography then it'd make more sense. Breaking the encryptions, mainly with 10,000 password iterations would take at least a year of work for even the most advanced of mainframes. NSA broke the keyspace in partnership with a University as a demonstration; it took two datacenters along with a supercomputer 4 months to do it. So if you change the master password at least once a month; you're golden and change all other passwords at least every 30/90 days (1 month/ 3 months). Granted you follow all other precautions such as a two factor authentication, re-authentication strategy, etc. As with two factor authentication; even if the key is broken you'd still need another origin to break and since as I recommended Google Authenticator; it isn't subject to common attacks that could bypass the TFA method.

If you use the manager just as is; without additional security measures then sure it'll only protect against site-specific targeting of passwords but not really a broad scale. But if you use it logically and with the additional security measures in place then you have a fairly trustworthy system.

It doesn't matter if you've got the most burglar proof castle in history if your home door's unlocked.

It is useless to argue about hacking into the password manager and decrypting your passwords. Equally ridiculous as breaking into a bank to get into your safe deposit box. A much easier way would usually be to just steal your key.

Similarly you can have the most secure password manager in the world, but in the end it's still got one master password. There isn't a big difference between using a password manager and using the same password on every site, since you need to compromise his password once to get access to all his logins.

The simple fact is that the chances of getting your password on your bank's site or getting the password you enter into lastpass is the same, as it's the same mechanism. You can install a keylogger on the target's PC, look over his shoulder or anything else. Now that you have his master password, you have all his passwords without ever having to read a single paragraph about cryptography.

You can increase your safety with other measures like buying lastpass's 55$ yubikey but that still doesn't mean you're not safe. You're more safe, sure. But compromising the yubikey isn't too hard either. You can look over someone's shoulder then pickpocket their yubikey. By the time they've managed to block the yubikey you've had more than enough time to change passwords and do some serious damage. Let alone the fact that if he has access to your email, you can fill in the blanks yourself..

Using your own passwords is better than using a single password for every site (And a password manager does indeed mean the same password since you only need ONE password). Changing your master password every 30/60/90 days won't help, it takes 30 minutes to cause very serious damage.
Title: Re: Account Security Reminder 2015
Post by: Johan_S on April 10, 2015, 11:02:33 am
123456.  :v:
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 10, 2015, 11:43:35 am
I don't think password managers are for people like you Philip, since you seem to have your shit together. They're better for people like sony executives who have all their passwords on the internet as Password1.

Basically at least the single point of failure password isn't stored online. All of your examples involve the physical presence of another person at your workstation.
Title: Re: Account Security Reminder 2015
Post by: Murt on April 10, 2015, 11:45:40 am
Just make sure your name isn't "Kaseem" and your password isn't "Kaseem"  :lol:

Now were you definitely funny. Just make sure you know your friends fairly before trusting them completely. They might be stabbing you in the back at some point.

Just a friendly advice above, nothing else.
Title: Re: Account Security Reminder 2015
Post by: Devin on April 10, 2015, 11:53:05 am
Philip I wish you had put half of the effort you put into your posts here into ARUN.
Title: Re: Account Security Reminder 2015
Post by: Luke on April 10, 2015, 12:47:49 pm
Now were you definitely funny. Just make sure you know your friends fairly before trusting them completely. They might be stabbing you in the back at some point.

Just a friendly advice above, nothing else.

Yeah agreed entirely.
Title: Re: Account Security Reminder 2015
Post by: Marcel on April 10, 2015, 01:02:13 pm
Philip I wish you had put half of the effort you put into your posts here into ARUN.
Post-of-the-day award right here :rofl:
Title: Re: Account Security Reminder 2015
Post by: Gimli on April 10, 2015, 03:07:04 pm
Meanwhile on xkcd.com

(http://imgs.xkcd.com/comics/password_strength.png)


Much MUCH better than having random.org generate a random 6 char password...

EDIT: then again, this doesn't account for dictionary attacks :|
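
To put numbers on the comparison in the post above and on the "at least 12 characters" advice earlier in the thread, here is an added example (not from any poster) that generates passwords and passphrases locally with Python's `secrets` module and computes their entropy. The sample word list, the 2048-word list size and the 100-year range are assumptions; every figure assumes the attacker already knows the scheme and the word list.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols

# Constructed sample list, far too small for real use; a real passphrase
# list needs thousands of words.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "forest", "garden",
    "harbor", "island", "jacket", "kettle", "ladder", "meadow", "needle",
    "orange", "pepper",
]


def random_password(length: int = 12, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a password locally from the OS CSPRNG (no website involved)."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need length >= 1 and at least 2 distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, words: int = 4, separator: str = " ") -> str:
    """Pick words uniformly and independently; the randomness is the point."""
    if words < 1 or len(set(wordlist)) < 2:
        raise ValueError("need words >= 1 and at least 2 distinct words")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def scheme_entropy_bits(choice_counts) -> float:
    """Entropy in bits when each element is drawn uniformly from N options.

    choice_counts lists N for every element, e.g. [62] * 12 for twelve
    alphanumerics. Human-chosen passwords are not uniform, so for them this
    is an upper bound.
    """
    counts = list(choice_counts)
    if not counts or any(n < 1 for n in counts):
        raise ValueError("every element needs at least one option")
    return sum(math.log2(n) for n in counts)


def compare_schemes() -> dict:
    """Entropy of the schemes discussed in the thread, under the assumptions above."""
    return {
        "6 random alphanumerics": scheme_entropy_bits([62] * 6),
        "12 random alphanumerics": scheme_entropy_bits([62] * 12),
        "4 words from a 2048-word list": scheme_entropy_bits([2048] * 4),
        "4 words from the 16-word sample list": scheme_entropy_bits(
            [len(SAMPLE_WORDS)] * 4
        ),
        # One common word plus a year, with 100 plausible years assumed.
        "1 of 2048 words + year": scheme_entropy_bits([2048, 100]),
    }


if __name__ == "__main__":
    print("password  :", random_password(12))
    print("passphrase:", random_passphrase(SAMPLE_WORDS, 4))
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits  {name}")
```

The passphrase figure depends entirely on the size of the list the words are drawn from, which is why the 16-word sample list scores so low.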
Title: Re: Account Security Reminder 2015
Post by: Teddy on April 10, 2015, 05:21:04 pm


First things first, you're never entirely safe. EVER. Any account, and server, and service, any site can be breached with the right skill set and the right determination. Any key, and encryption can also be broken with time and again determination.

Secondly, if done right you can equal the chances of someone getting any one of your passwords to that of getting your master password. In addition to master password, you'd need access to a physical device. Which sure, for a majority of people is totally fine as the biggest threat to account security is a REMOTE attacker not someone around you; for those exceptions sure they have a bit of compromised security unless they have additional security measures on the physical device for two factor authentication; allowing them to notice the device is missing and activate some sort of contingency (e.g remotely formatting the device, or simply going on to LP and changing the master password and resetting the two factor lock).

Clearly, we can go back and forth all week with this. The simple truth is password managers are only secure if you take appropriate precautions, are protecting against a remote threat, and have a minimal technical expertise to understand the concepts. Why don't we just agree to disagree.
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 11, 2015, 03:35:59 am
First things first, you're never entirely safe. EVER. Any account, and server, and service, any site can be breached with the right skill set and the right determination. Any key, and encryption can also be broken with time and again determination.

Secondly, if done right you can equal the chances of someone getting any one of your passwords to that of getting your master password. In addition to master password, you'd need access to a physical device. Which sure, for a majority of people is totally fine as the biggest threat to account security is a REMOTE attacker not someone around you; for those exceptions sure they have a bit of compromised security unless they have additional security measures on the physical device for two factor authentication; allowing them to notice the device is missing and activate some sort of contingency (e.g remotely formatting the device, or simply going on to LP and changing the master password and resetting the two factor lock).

Clearly, we can go back and forth all week with this. The simple truth is password managers are only secure if you take appropriate precautions, are protecting against a remote threat, and have a minimal technical expertise to understand the concepts. Why don't we just agree to disagree.

You're never safe, that's correct. Safety comes from taking a variety of measures, each of which increases your probability of remaining safe. To choose an option that saves you from one kind of an attack but leaves you completely vulnerable to another is ridiculous to say the least.

The system provides great protection against any remote attacks, that's a given. But in return for that they do indeed open you up to almost complete physical obliteration. If someone manages to hack into your account remotely, they have several ways to do it, phishing, social engineering or implanting a virus to name a few. If they implant a virus they can get the yubikey's OTP signature and use it to log in, after keylogging your computer and getting your password, which would mean you're not safe from remote attacks either. Not to mention the fact that you're still open to the risk that anybody who knows you IRL can get your master password, it's not too hard. After that they can do anything from pickpocket you to break into your house (If they're short on cash and know you've got 30,000$ in your bank account, they're gonna break in..). That's assuming you don't have anybody close to you who can just lift it while you're sleeping for the night eg. A soon to be ex gf.

By using a password manager, you don't safeguard yourself against any kind of a virus attack. Hence the only way where the password manager protects you is in the case of something like phishing or social engineering, which you can avoid yourself if you just use your head. Further, the increased risk from a bruteforce attack is almost negligible, even if we assume the attacker carries out dictionary attacks he won't be able to try all the combinations even if he has the best military computer in existence. That is assuming the system doesn't ask him for a captcha after the third failure (And you can't exactly use a billion proxies either..) At maximum he eliminates barely a tenth of the operations, which is just an order of magnitude less.
Further, since you're now protected from phishing attacks you have paid the cost for it in the form of getting screwed over, bad. If someone from your real life manages to get your yubikey (And obviously the master password) they have the ability to do any kind of damage they want.

So on the overall it is a tradeoff of risk between a phishing attack and a real life felony. You reduce the risk that faceboook.com can get your password, and in return you accept the risk that a robber/thief/girlfriend can clear out everything you own. The probability for the latter may be low, but the profit (Or technically, loss) is infinite utility. While if you're careful, you'd never enter your details on a phishing website and hence have near zero risk whatsoever of anything that the password manager protects you from.

But yeah, let's agree to disagree.
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 11, 2015, 03:41:48 am
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 11, 2015, 03:49:00 am
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.

In that case they would have only one password, not every password to everything you have.

Plus, if you're signing in front of some random stranger the odds are a hundred to one that you're signing into facebook and not your bank account. If they see your facebook password they can't use that to break into your bank.
Title: Re: Account Security Reminder 2015
Post by: Teddy on April 11, 2015, 05:23:44 am
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.

Who logs into a bank account in a public place easily noticeable? That's just stupidity and you deserve to get screwed. You don't even need to see them type in the password. There is software to analyze video and detect keypresses from virtually any angle.
Title: Re: Account Security Reminder 2015
Post by: Exterminator on April 11, 2015, 10:50:46 am
Who logs into a bank account in a public place easily noticeable? That's just stupidity and you deserve to get screwed. You don't even need to see them type in the password. There is software to analyze video and detect keypresses from virtually any angle.

You don't even need that. A few years ago police in my city busted a gang where they simply went to an internet cafe in the morning and stuck a small device below the keyboard. At night they'd return and take out the device. The device obviously was a vibration detector.

Most internet cafes used a very small range of keyboards (Usually just that old same 4$ iBall keyboard), they'd make a mental note of which keyboard they saw and if they didn't already have it, they'd go to a computer shop and buy that keyboard. They used automated software to compare the vibrations from pressing different keys to the vibrations detected by the device, allowing them to recover the exact keystrokes. This means that you don't even need to install keyloggers or security cameras (Which is much harder than just putting a tiny 1cm radius disk below the keyboard), just using an unknown keyboard is enough.

And that happened in India. You can only imagine what kind of devices would be floating around in countries where they don't teach you programming on 20 years old compilers.
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 11, 2015, 11:54:22 am
Who logs into a bank account in a public place easily noticeable?
Who said anything about a public place? I was referring to the "rogue roommate" scenario. A random stranger with your master pass means nothing without the actual key file.
Title: Re: Account Security Reminder 2015
Post by: Teddy on April 11, 2015, 08:08:26 pm
A random stranger with your master pass means nothing without the actual key file.

This is true.

Who said anything about a public place?

I guess I misunderstood.
Title: Re: Account Security Reminder 2015
Post by: Pandalink on April 11, 2015, 08:12:25 pm
I don't even use a password manager anyway, even though I objectively understand the advantages I just don't like the idea. :rolleyes:
Title: Re: Account Security Reminder 2015
Post by: Teddy on April 11, 2015, 08:15:30 pm
It took me a long time to warm up to the idea; since using it tho I cannot say I've been disappointed. I of course use the additional security layers and have contingency for the event something does go wrong.