I note RFF is powered by vBulletin.
FYI in case it impacts the forum and members.
https://nakedsecurity.sophos.com/2015/11/04/vbulletin-enforces-password-reset-after-website-attack/
photomoof
Fischli & Weiss Sculpture
Hacking vBulletin, what do you get?
Most of us on the RFF don't even have real names, no SS or financial info. Still a PITA.
majid
Fazal Majid
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.
willie_901
Veteran
There are seemingly endless possibilities for nefarious activities for platforms with well-known (publicized) problems.
majid's example is the most obvious threat. If you use your RFF password on other sites, it would be prudent to change it here and on the other sites as well.
photomoof
Fischli & Weiss Sculpture
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.
Ah PHP and security.
Jim-st
Well-known
Anyone use 1Password?
I purchased it a while back, after the Adobe hack, but never got round to installing it. It looks quite complicated, and I wonder if maybe it's just as vulnerable as any other web resource seems to be.
Anyone use it: if so how have you found it?
Anyone think it's worth avoiding: if so, why?
oftheherd
Veteran
Passwords that are reused on other, more sensitive sites, if they are easy enough to crack. Not sure if vBulletin uses phpass salted hashed passwords, which are harder to brute-force.
Unfortunately, if a hacker can get to a hash of a password, a brute force attack is an easy solution with today's cracking programs and equipment, and doesn't take but hours, not the days or months of yesteryear.
Changing passwords often is the only helpful solution.
Tompas
Wannabe Künstler
Anyone use 1Password?
I purchased it a while back, after the Adobe hack, but never got round to installing it. It looks quite complicated, and I wonder if maybe it's just as vulnerable as any other web resource seems to be
Anyone use it: if so how have you found it?
Anyone think it's worth avoiding: if so, why?
I didn't want to spend money on a password managing application, and more important, I don't trust closed source software in general and especially not for sensitive stuff like passwords.
So I use MacPass, https://github.com/mstarke/MacPass
Works, source code is available, and costs nothing. For OS X only, though. (But for Windows there are equivalent applications. MacPass is "a native OS X port of KeePass".)
willie_901
Veteran
Anyone use 1Password?
...
Anyone use it: if so how have you found it?
Anyone think it's worth avoiding: if so, why?
I use 1Password.
I use it on two Macs and two iOS devices. It will sync to iCloud reliably and quickly. It will use the thumbprint functionality in iOS. 1Password also runs on Windows and Android OS. I have no experience with these platforms.
I strongly recommend it. It is not that complicated. Unfortunately most web sites don't support 100% of 1Password's automated abilities. The copy/paste functionality means manual use is not difficult.
The only disadvantage is the time it takes resetting the usernames and passwords for all your accounts. This is tedious yet unavoidable considering the risk associated with weak passwords or using the same username and password for all accounts.
All IT systems and Apps are vulnerable in some way. However, if you use the longest PW a particular log-in site supports, the password would be rather inconvenient to decrypt (although government agencies could eventually decrypt it). Criminals will go for lower-hanging fruit.
Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.
The most vulnerable aspect of 1Password is the master password one selects to open the App. This has to be long and easy to remember, but not obvious, and easy to type. One strategy is to use two short unrelated phrases like - pancakestastegreatPorschesarefast.
photomoof
Fischli & Weiss Sculpture
Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.
Those long passwords really are not necessary. This cartoon kind of summarizes the reality.
sevo
Fokutorendaburando
Here are some examples of passwords randomly generated by 1Password - RX8obkZDRuoekGdkQ4fFYBGY and sW=uiDhdf8MB;?pDqDJp3R%F.
The most vulnerable aspect of 1Password is the master password one selects to open the App. This has to be long and easy to remember, but not obvious, and easy to type. One strategy is to use two short unrelated phrases like - pancakestastegreatPorschesarefast.
That strategy works for passwords as well, and is much superior to cryptic passwords like the above, as the latter are near impossible to memorize or enter manually, at least if you choose a length equivalent to a safe passphrase.
ChrisLivsey
Veteran
That strategy works for passwords as well, and is much superior to cryptic passwords like the above, as the latter are near impossible to memorize or enter manually, at least if you choose a length equivalent to a safe passphrase.
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
photomoof
Fischli & Weiss Sculpture
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
They mean well; the thinking is, "what could a few capitals and a number hurt?"
ColSebastianMoran
( IRL Richard Karash )
Here are some important and effective steps for personal security:
- Use a different password for every web site. So one hack doesn't expose you to risks elsewhere.
- Use a password manager program to make that practical. I use 1Password.
- Make up fictitious answers to the security questions and keep notes. Whoever thought "mother's maiden name" would be a good security question?
In addition, I recommend:
- Remove Flash and Java from your system
- To visit web sites requiring Flash, install Google Chrome browser which updates Flash continuously and runs it in a "sandbox."
I see a couple of comments above about 1Password. I think it's about as secure as you can get. And, I think it's well worth the effort.
Head Bartender, it's important that you change your password at the vBulletin site.
Keep safe, everyone!
ColSebastianMoran
( IRL Richard Karash )
Those long passwords really are not necessary. This cartoon kind of summarizes the reality.
That cartoon is right on the mark. Any dictionary word, even with numeric substitutions, is weak.
I let 1Password make up most passwords (random strings). Or I make up my own random strings including upper and lower case, numbers, and anything else the site requires, and let 1Password keep track.
Phrases like "CorrectHorseBatteryStaple" are strong passwords (not in anyone's dictionary).
photomoof
Fischli & Weiss Sculpture
That cartoon is right on the mark. Any dictionary word, even with numeric substitutions, is weak.
I let 1Password make up most passwords (random strings). Or I make up my own random strings including upper and lower case, numbers, and anything else the site requires, and let 1Password keep track.
Phrases like "CorrectHorseBatteryStaple" are strong passwords (not in anyone's dictionary).
And if you are on vacation, and have just lost everything into a canal in Venice, you will be glad you can remember the password to your bank, when all you have left is your wife's iPhone.
sevo
Fokutorendaburando
But many sites require numbers and punctuation to be in the password and limit the length so phrases, although I agree can be safe, are not available.
In these cases I tend to complain about their password validator - demanding numbers and punctuation means that they don't use any of the current libraries (which calculate the bit depth of the password), but some massively outdated or home-grown password check.
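To put numbers on the two points above (a dictionary word with numeric substitutions is weak, and a digit-and-punctuation validator measures the wrong thing), here is an added example, not anything posted in the thread: a small Python estimator that scores a password under three attacker models (plain charset brute force, one dictionary word with leet substitutions and a digit/symbol tail, and a multi-word passphrase) and reports the cheapest. The dictionary size, the leet table, the 12-letter word limit and the 8-to-16-character legacy policy are assumed values chosen for illustration.

```python
import math
import re

# Attacker-model assumptions, constructed for this example (not figures from the thread):
WORDLIST_BITS = 16.0   # attacker dictionary of 2^16 common words, so one word costs 16 bits
MAX_WORD_LEN = 12      # a longer letter run is not treated as one dictionary word
LEET = {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
# word, optional symbol, up to four digits, optional symbol
WORD_RE = re.compile(r"^([A-Za-z0-9@$]+?)([^A-Za-z0-9]?)([0-9]{0,4})([^A-Za-z0-9]?)$")

def brute_force_bits(pw):
    """Charset model, log2(alphabet ** length): all a digit-and-punctuation rule measures."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    alphabet = sum(size for pattern, size in classes if re.search(pattern, pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0

def mangled_word_bits(pw):
    """'Dictionary word with numeric substitutions' model; None if pw is not that shape."""
    m = WORD_RE.match(pw)
    if not m:
        return None
    core, sym1, digits, sym2 = m.groups()
    word = "".join(LEET.get(c, c) for c in core)          # undo the leet substitutions
    if not word.isalpha() or not 3 <= len(word) <= MAX_WORD_LEN:
        return None
    bits = WORDLIST_BITS + 1.0                             # which word, capitalised or not
    bits += sum(1.0 for c in word.lower() if c in LEET.values())  # each swap: done or not
    bits += len(digits) * math.log2(10)                    # trailing digits
    bits += sum(math.log2(33) for s in (sym1, sym2) if s)  # trailing/separating symbols
    return bits

def passphrase_bits(pw):
    """CorrectHorseBatteryStaple model: attacker knows it is k words, pays 16 bits each."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z _-]*", pw):
        return None
    words = re.findall(r"[A-Z]?[a-z]+", pw)                # split CamelCase or separators
    return len(words) * WORDLIST_BITS if len(words) >= 3 else None

def estimate_bits(pw):
    """Conservative strength: the cheapest attacker model that fits the password."""
    estimates = [brute_force_bits(pw)]
    estimates += [b for b in (mangled_word_bits(pw), passphrase_bits(pw)) if b is not None]
    return min(estimates)

def passes_legacy_policy(pw, min_len=8, max_len=16):
    """The rule the thread complains about: length window plus a required digit and symbol."""
    return (min_len <= len(pw) <= max_len and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)
```

Under these assumptions "Tr0ub4dor&3" passes the legacy policy but scores about 29 bits, while "CorrectHorseBatteryStaple" fails the policy and scores 64 bits; the 1Password-style random string quoted earlier in the thread scores about 143.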
Jim-st
Well-known
I strongly recommend it. It is not that complicated. Unfortunately most web sites don't support 100% of 1PAssword's automated abilities. The copy/paste functionality means manual use is not difficult.
The only disadvantage is the time it takes resetting the usernames and passwords for all your accounts. This is tedious yet unavoidable considering the risk associated with weak passwords or using the same username and password for all accounts.
Thanks Willie, and ColSebastian: I'm logged in here now with a new 1Password-generated password, and yes, it was a bit laborious setting it up, but I'll just proceed on an ad hoc basis and try to cover those sites where I'd be most exposed to someone finding financial info on me as a priority.
It'll take a while, but I'll persevere. It's something I shoulda done long ago!
My bank (like most, I think) probably has one of the weakest login-security systems around, so it will be interesting to see how 1Password goes with it.
willie_901
Veteran
The cartoon is completely irrelevant.
The goal is not to create zero risk. The goal is to reduce risk by many orders of magnitude.
The whole point of 1Password and similar Apps is one does not have to remember any passwords. The App remembers them for you.
You only have to remember a single password... the password that opens the App. On some devices some of these Apps can be opened using a thumbprint.
It is a mild inconvenience to copy and paste the long, unique, difficult-to-memorize password into each web-site's log-in form. Reducing risk is rarely convenient.
As I pointed out earlier, even the strongest 1Password can be decrypted by people with access to state-of-the-art technologies. Criminals and vandals prefer to take advantage of accounts they can compromise with much less effort and cost.
willie_901
Veteran
And if you are on vacation, and have just lost everything into a canal in Venice, you will be glad you can remember the password to your bank, when all you have left is your wife's iPhone.
So how is this different than 30 years ago if you lost everything in a canal?