photomoof
Fischli & Weiss Sculpture
30 years ago getting money was tough (experience in Spain), now with Skype and the internet it is easy, unless you lock yourself out with crazy passwords you can't remember.
While 1password does have an iOS version, is it in the cloud, or on one's device? I personally don't like passwords written down anywhere, when money is involved.
majid
Fazal Majid
A company that makes password managers is also a fat, juicy target for hackers. LastPass was hacked and some of its databases compromised. Even the NSA could not keep its top-secret documents secure, and RSA, the company eponymous with security, had the master key for its SecurID tokens stolen. I would not take a vendor's self-interested assertions that "we are secure, trust us" at face value.
In the case of 1Password, the key extension algorithm they use (PBKDF2) is not state of the art (scrypt or Argon2 would be preferable). They use AES-256-CBC, which is way out of date (Google won't even accept it as a valid cipher for HTTP/2 in Chrome). None of that inspires confidence, and that's even before the fact they have no independent security audit of their software.
I don't have access to vBulletin source code, but web searches suggest use a fairly bad md5(md5(password) + salt) hash scheme. On paper the dual D700 GPUs on my Mac Pro should be able to try about 18 Billion password combinations per second using something like hashcat, so it would be able to brute-force any 8-character password in about 4 hours.
Dan
Let's Sway
Majid,
Your knowledge in this subject greatly impresses me! It also makes the whole idea of personal security sound like a hopeless oxymoron. This thread encouraged me to do more searching last night to specifically compare LastPass and 1Password in order to ramp up my own password game. After reading numerous reviews and forum threads both these software solutions were highly recommended and I was leaning towards LastPass but now, after reading your thoughts....:bang: I mean, if the NSA can be hacked, what's the point?
willie_901
Veteran
It supports iOS and Android devices. It syncs one of three ways – DropBox, iCloud or using your home/office WiFi network. The latter does not involve the Cloud. The only way to sync between OS X, iOS and Android is via the internal non-Cloud option.
One of the main liabilities for on-stite hacking are written passwords people hide (usually on a Post-It) someplace.
As majid points out, short passwords are trivial to decript. However he did not mention the computational time increases exponentially as the password becomes longer. This is exactly the reason why password management Apps are valuable.
Here's a link to see how password length affects decryption time. Obviously you don't enter one of your actual passwords, just one with a similar number of characters.
willie_901
Veteran
First, there are many ways besides password hacking to gain unauthorized access. The most common is human engineering. The Verizon 2015 Data Breach Investigations Report shows nine methods dominate IT security problems. This report is a collaboration with the Secret Service (wire fraud) and several European security agencies.
Second, the bad people will not waste time on decrypting passwords that require days, weeks, months or even years of CPU time when there is an abundance of passwords they can decrypt in minutes. Obviously, if they decide to target you for a specific reason then they will get in. I will speculate you are not a valuable target compared to the NSA.
Dan
Let's Sway
[QUOTEI will speculate you are not a valuable target compared to the NSA.[/QUOTE]
How presumptuous of you, sir!
How presumptuous of you, sir!
sevo
Fokutorendaburando
Or passphrases - which share the length respectively bit depth, and can nonetheless be memorized.
majid
Fazal Majid
It's just the result of reading for a work-related project last week, so still fresh in my mind. All non-brain-dead password systems will use a so-called hash function to secure your password. A good hash function is one that is one-way, i.e. you can't invert the order of operations to find the password from its hash. That said, some hash functions commonly used were not meant to secure passwords, and are too easy to calculate. That means brute-force attempts to guess every possible password can run at high-speed on fast CPUs, on the massively parallel supercomputers-within-our-computers that are called graphics cards, or on cloud services like Amazon web services. Good hash functions are designed to be slow and expensive to calculate, to raise the cost of brute-force, while not imposing too large a burden on legitimate site operators.
No, but you need to start with a realistic assessment of risks. Most of us don't need to worry about the NSA or the Mafia trying to crack our passwords (they have simpler means to do so). We have to worry about sloppy site security and being caught in the dragnet of automated password guessing.
The first step is to identify which passwords matter and which ones don't. If your RFF account gets hacked, the consequences are less dire than if its's your online banking. It's thus worth less time and effort spent securing. Pick secure passwords (use punctuation, not just alphanumerics, and don't use dictionary words or names). Don't reuse passwords for anything that matters. You should also definitely turn on two-factor authentication on anything that matters (and consider switching to more security-conscious providers if they don't offer 2FA):
https://twofactorauth.org/
One other thing worth mentioning: most sites will allow you to reset a lost password by email. If your email itself is compromised, it doesn't matter how strong your passwords are, and most ISPs or webmail providers have shockingly poor security - their poorly paid and trained customer service reps can easily be fooled ("socially engineered") into giving the keys to your email to a smooth-tongued stranger:
http://krebsonsecurity.com/2014/09/we-take-your-privacy-and-security-seriously/
I was referring to Edward Snowden, of course. He didn't hack the NSA, he just (ab)used privileges he had as a contract sysadmin, and convinced people there to give him their passwords (clearly the NSA didn't use 2FA for internal use, tsk, tsk). If there is one place on Earth that should be paranoid about security, it is the NSA, and the fact they failed at it shows no one is immune. Similar with the RSA SecurID hack - those keys are used by most large corporations to guard access to their IT, and the vendor couldn't even protect its own security, when that is their core business.
That's why I take an extremely jaundiced view of alleged security solutions. When a vendor like AgileBits makes excessively optimistic (i.e. hubristic) claims about the security of its 1Password software, my BS detectors red-line, and I automatically assume they are either liars, or worse so incompetent that they don't realize the extent of their incompetence (the Dunning-Kruger effect). In short: I would not trust either 1Password or LastPass. If you use Mac OS X or iOS, or Google Chrome, or Firefox, you have perfectly decent password-management and sync functionality built-in (at least for non-critical sites like RFF), why would you want to add a third-party vendor making unsubstantiated claims about the security of their solution?
majid
Fazal Majid
And of course endpoint security, which is probably the biggest risk for most people. If your computer was infected by malware, you can assume there is a keylogger capturing your passwords. This is primarily a concern for Windows users, but there is no fundamental reason why Macs should be immune either, and Apple has been very complacent with security vulnerabilities that have been reported its way. iOS is significantly stronger than desktop OSes, as long as you don't jailbreak it.
photomoof
Fischli & Weiss Sculpture
Apple simply does not publicly react to every report, but they issue security updates quite often. There have been reports of a remote jailbreak, but personally I doubt its veracity. Macs are immune unless you disable security in your preferences, but because of companies who refuse to play well with Apple like Adobe, users are in theory vulnerable.
Adobe forces one to load software that Apple considers a security risk at the highest settings (only load apps from the app store). Adobe flash and the like, which are not in the app store, and are used as a disguise for malware, are just plain stupid. There is nothing on the web I need flash to run.
At this point I keep nothing on my phone, and it bricks if you try passwords.
IMO keeping passwords involving large sums of money anywhere is crazy. Keep it in your head. If you die, and your executor really needs to get in, there are well established methods.
willie_901
Veteran
There is no such thing as a "security solution". There are only risk reduction strategies.
Dan
Let's Sway
Thank you for taking the time to respond and further educate me, it is quite appreciated. Because of what you further explained, I'm re-evaluating my desire for a PWM since I only have one truly sensitive site to 'protect' (my bank's) and it has a two-stage authentication sign-in. That password only exists in my memory and I'm comfortable leaving it there. Having no smart phone enables me to have less security issues to worry about and like you pointed out, OS X and Chrome are most likely enough for any non-sensitive site like RRF.
The link for tricking customer support into giving away a password via email will make for interesting reading, no doubt.