Account Security Reminder 2015

Teddy · 14551


Offline Luke

Reply #15 on: April 10, 2015, 12:20:39 am
Just make sure your name isn't "Kaseem" and your password isn't "Kaseem"  :lol:



Offline Exterminator

Reply #16 on: April 10, 2015, 10:55:52 am
Password managers are actually fairly secure; mainly one like LastPass where the encryption key is never uploaded nor stored on the client. If you understand the fundamentals of public key cryptography then it'd make more sense. Breaking the encryption, mainly with 10,000 password iterations, would take at least a year of work for even the most advanced of mainframes. The NSA broke the keyspace in partnership with a university as a demonstration; it took two datacenters along with a supercomputer 4 months to do it. So if you change the master password at least once a month, you're golden, and change all other passwords at least every 30/90 days (1 month / 3 months). Granted, you follow all other precautions such as two-factor authentication, a re-authentication strategy, etc. As for two-factor authentication: even if the key is broken you'd still need another origin to break, and since, as I recommended, Google Authenticator is used, it isn't subject to the common attacks that could bypass the TFA method.

If you use the manager just as is; without additional security measures then sure it'll only protect against site-specific targeting of passwords but not really a broad scale. But if you use it logically and with the additional security measures in place then you have a fairly trustworthy system.

It doesn't matter if you've got the most burglar proof castle in history if your home door's unlocked.

It is useless to argue about hacking into the password manager and decrypting your passwords. Equally ridiculous as breaking into a bank to get into your safe deposit box. A much easier way would usually be to just steal your key.

Similarly you can have the most secure password manager in the world, but in the end it's still got one master password. There isn't a big difference between using a password manager and using the same password on every site, since you need to compromise his password once to get access to all his logins.

The simple fact is that the chances of getting your password on your bank's site or getting the password you enter into lastpass is the same, as it's the same mechanism. You can install a keylogger on the target's PC, look over his shoulder or anything else. Now that you have his master password, you have all his passwords without ever having to read a single paragraph about cryptography.

You can increase your safety with other measures like buying LastPass's $55 YubiKey, but that still doesn't mean you're not safe. You're more safe, sure. But compromising the YubiKey isn't too hard either. You can look over someone's shoulder and then pickpocket their YubiKey. By the time they've managed to block the YubiKey you've had more than enough time to change passwords and do some serious damage. Let alone the fact that if he has access to your email, you can fill in the blanks yourself.

Using your own passwords is better than using a single password for every site (And a password manager does indeed mean the same password since you only need ONE password). Changing your master password every 30/60/90 days won't help, it takes 30 minutes to cause very serious damage.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Johan_S

Reply #17 on: April 10, 2015, 11:02:33 am
123456.  :v:



Offline Pandalink

Reply #18 on: April 10, 2015, 11:43:35 am
I don't think password managers are for people like you, Philip, since you seem to have your shit together. They're better for people like Sony executives who have all their passwords on the internet as Password1.

Basically at least the single point of failure password isn't stored online. All of your examples involve the physical presence of another person at your workstation.

Panda Araatus  -  Sovereign Overseer  -  The Araatus Yakuza


Offline Murt

Reply #19 on: April 10, 2015, 11:45:40 am
Quote from: Luke
Just make sure your name isn't "Kaseem" and your password isn't "Kaseem"  :lol:

Now were you definitely funny. Just make sure you know your friends fairly before trusting them completely. They might be stabbing you in the back at some point.

Just some friendly advice above, nothing else.


Offline Devin

Reply #20 on: April 10, 2015, 11:53:05 am
Philip I wish you had put half of the effort you put into your posts here into ARUN.



Offline Luke

Reply #21 on: April 10, 2015, 12:47:49 pm
Quote from: Murt
Now were you definitely funny. Just make sure you know your friends fairly before trusting them completely. They might be stabbing you in the back at some point.

Just some friendly advice above, nothing else.

Yeah agreed entirely.



Offline Marcel

Reply #22 on: April 10, 2015, 01:02:13 pm
Quote from: Devin
Philip I wish you had put half of the effort you put into your posts here into ARUN.
Post-of-the-day award right here :rofl:




Offline Gimli

Reply #23 on: April 10, 2015, 03:07:04 pm
Meanwhile on xkcd.com




Much MUCH better than having random.org generate a random 6 char password...

EDIT: then again, this doesn't account for dictionary attacks :|

"The purpose of life is to live it, to taste experience to the utmost, to reach out eagerly and without fear for newer and richer experience."
- Eleanor Roosevelt
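Added worked example (my own, not from any poster in this thread) that puts numbers on two points made above: Philip's remark that 10,000 PBKDF2 iterations make every offline guess expensive, and Gimli's xkcd comparison of a four-word passphrase against a six-character random.org password once dictionary attacks are accounted for. The eight-word list is constructed for illustration; the 2048-word list size and 62-character alphabet are the assumptions behind the xkcd figures.

```python
import hashlib
import math
import os
import secrets
import time

# Constructed stand-in for a real word list; xkcd assumes ~2048 common words.
WORDLIST = ["correct", "horse", "battery", "staple",
            "river", "candle", "orbit", "velvet"]


def guess_space_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy in bits when each symbol is drawn uniformly from
    `choices_per_symbol` options. This already assumes the attacker knows
    the scheme, so a dictionary attack on a passphrase reduces the search
    to exactly this space and no further."""
    return symbols * math.log2(choices_per_symbol)


def generate_passphrase(words: int, wordlist=WORDLIST) -> str:
    """Pick words with the OS CSPRNG rather than a remote service."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def pbkdf2_seconds_per_guess(iterations: int, trials: int = 20) -> float:
    """Measure one PBKDF2-HMAC-SHA256 derivation at `iterations`: the price
    an offline attacker pays for every master-password guess."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(trials):
        hashlib.pbkdf2_hmac("sha256", b"not-the-real-password", salt, iterations)
    return (time.perf_counter() - start) / trials


def expected_crack_years(bits: float, seconds_per_guess: float) -> float:
    """Expected single-threaded time to hit the right guess (half the
    keyspace on average)."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses * seconds_per_guess / (365 * 24 * 3600)


if __name__ == "__main__":
    per_guess = pbkdf2_seconds_per_guess(10_000)
    print(f"one guess at 10,000 iterations: {per_guess * 1000:.2f} ms")
    for label, bits in [
        ("4 words from a 2048-word list", guess_space_bits(2048, 4)),
        ("6 random chars from [A-Za-z0-9]", guess_space_bits(62, 6)),
    ]:
        years = expected_crack_years(bits, per_guess)
        print(f"{label}: {bits:.1f} bits, ~{years:.2e} years on one thread")
    print("example passphrase:", generate_passphrase(4))
```

The 44-bit passphrase beats the 35.7-bit random string even with the word list known; what the numbers leave out is everything the thread argues about next, namely an attacker who reads the master password off the keyboard instead of guessing it.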


Offline Teddy (Topic starter)

Reply #24 on: April 10, 2015, 05:21:04 pm


First things first, you're never entirely safe. EVER. Any account, any server, any service, any site can be breached with the right skill set and the right determination. Any key, any encryption can also be broken with time and, again, determination.

Secondly, if done right you can equal the chances of someone getting any one of your passwords to that of getting your master password. In addition to the master password, you'd need access to a physical device. Which sure, for a majority of people is totally fine, as the biggest threat to account security is a REMOTE attacker, not someone around you; for those exceptions, sure, they have a bit of compromised security unless they have additional security measures on the physical device for two-factor authentication, allowing them to notice the device is missing and activate some sort of contingency (e.g. remotely formatting the device, or simply going on to LP and changing the master password and resetting the two-factor lock).

Clearly, we can go back and forth all week with this. The simple truth is password managers are only secure if you take appropriate precautions, are protecting against a remote threat, and have a minimal technical expertise to understand the concepts. Why don't we just agree to disagree?



Offline Exterminator

Reply #25 on: April 11, 2015, 03:35:59 am
Quote from: Teddy
First things first, you're never entirely safe. EVER. Any account, any server, any service, any site can be breached with the right skill set and the right determination. Any key, any encryption can also be broken with time and, again, determination.

Secondly, if done right you can equal the chances of someone getting any one of your passwords to that of getting your master password. In addition to the master password, you'd need access to a physical device. Which sure, for a majority of people is totally fine, as the biggest threat to account security is a REMOTE attacker, not someone around you; for those exceptions, sure, they have a bit of compromised security unless they have additional security measures on the physical device for two-factor authentication, allowing them to notice the device is missing and activate some sort of contingency (e.g. remotely formatting the device, or simply going on to LP and changing the master password and resetting the two-factor lock).

Clearly, we can go back and forth all week with this. The simple truth is password managers are only secure if you take appropriate precautions, are protecting against a remote threat, and have a minimal technical expertise to understand the concepts. Why don't we just agree to disagree?

You're never safe, that's correct. Safety comes from taking a variety of measures, each of which increases your probability of remaining safe. To choose an option that saves you from one kind of attack but leaves you completely vulnerable to another is ridiculous, to say the least.

The system provides great protection against any remote attacks, that's a given. But in return for that they do indeed open you up to almost complete physical obliteration. If someone manages to hack into your account remotely, they have several ways to do it: phishing, social engineering or implanting a virus, to name a few. If they implant a virus they can get the YubiKey's OTP signature and use it to log in, after keylogging your computer and getting your password, which would mean you're not safe from remote attacks either. Not to mention the fact that you're still open to the risk that anybody who knows you IRL can get your master password; it's not too hard. After that they can do anything from pickpocketing you to breaking into your house (if they're short on cash and know you've got $30,000 in your bank account, they're gonna break in). That's assuming you don't have anybody close to you who can just lift it while you're sleeping for the night, e.g. a soon-to-be ex gf.

By using a password manager, you don't safeguard yourself against any kind of virus attack. Hence the only way the password manager protects you is in the case of something like phishing or social engineering, which you can avoid yourself if you just use your head. Further, the increased risk from a brute-force attack is almost negligible; even if we assume the attacker carries out dictionary attacks he won't be able to try all the combinations even if he has the best military computer in existence. That is assuming the system doesn't ask him for a captcha after the third failure (and you can't exactly use a billion proxies either). At maximum he eliminates barely a tenth of the operations, which is just an order of magnitude less.
Further, since you're now protected from phishing attacks, you have paid the cost for it in the form of getting screwed over, bad. If someone from your real life manages to get your YubiKey (and obviously the master password) they have the ability to do any kind of damage they want.

So overall it is a tradeoff of risk between a phishing attack and a real-life felony. You reduce the risk that facebook.com can get your password, and in return you accept the risk that a robber/thief/girlfriend can clear out everything you own. The probability for the latter may be low, but the profit (or technically, loss) is infinite utility. While if you're careful, you'd never enter your details on a phishing website and hence have near zero risk whatsoever of anything that the password manager protects you from.

But yeah, let's agree to disagree.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Pandalink

Reply #26 on: April 11, 2015, 03:41:48 am
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.

Panda Araatus  -  Sovereign Overseer  -  The Araatus Yakuza


Offline Exterminator

Reply #27 on: April 11, 2015, 03:49:00 am
Quote from: Pandalink
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.

In that case they would have only one password, not every password to everything you have.

Plus, if you're signing in front of some random stranger the odds are a hundred to one that you're signing into facebook and not your bank account. If they see your facebook password they can't use that to break into your bank.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Offline Teddy (Topic starter)

Reply #28 on: April 11, 2015, 05:23:44 am
Quote from: Pandalink
Equally though, if that person wanted to take your money they could easily over-the-shoulder take any single specific password anyway, like a bank password.

I think in that situation you're just kinda screwed.

Who logs into a bank account in a public place, easily noticeable? That's just stupidity and you deserve to get screwed. You don't even need to see them type in the password. There is software to analyze video and detect keypresses from virtually any angle.



Offline Exterminator

Reply #29 on: April 11, 2015, 10:50:46 am
Quote from: Teddy
Who logs into a bank account in a public place, easily noticeable? That's just stupidity and you deserve to get screwed. You don't even need to see them type in the password. There is software to analyze video and detect keypresses from virtually any angle.

You don't even need that. A few years ago police in my city busted a gang where they simply went to an internet cafe in the morning and stuck a small device below the keyboard. At night they'd return and take out the device. The device obviously was a vibration detector.

Most internet cafes used a very small range of keyboards (Usually just that old same 4$ iBall keyboard), they'd make a mental note of which keyboard they saw and if they didn't already have it, they'd go to a computer shop and buy that keyboard. They used automated software to compare the vibrations from pressing different keys to the vibrations detected by the device, allowing them to recover the exact keystrokes. This means that you don't even need to install keyloggers or security cameras (Which is much harder than just putting a tiny 1cm radius disk below the keyboard), just using an unknown keyboard is enough.

And that happened in India. You can only imagine what kind of devices would be floating around in countries where they don't teach you programming on 20-year-old compilers.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss

