chrishoffman at August 30th, 2013 06:40 — #1
Originally published at: http://www.howtogeek.com/171236/why-you-should-worry-whenever-a-services-password-database-is-leaked/
The reality is that password database compromises are a concern. However, if you use unique passwords everywhere, you shouldn’t need to worry too much.
cambo at August 30th, 2013 07:15 — #2
LastPass makes this very, very easy to do. I have no idea what the passwords for my various services even is. With the password generator, it will come up with a new, complex one each time. LastPass also has plugins for Dolphin and Firefox browsers on Android- so they can be securely accessed from your phone/tablets as well.
I don't work for LastPass, I am a paying customer, however.
wandersfar at August 30th, 2013 10:22 — #3
I have to say, after all the Snowden leaks came out about how practically every online service has been compromised by the NSA, my confidence in any sort of online password service (LastPass included) has plummeted.
So I do it manually. Well, semi-manually. One of DuckDuckGo’s many bangs is a password generator:
!pw strong 32
That’ll generate a strong (+digits, +specials) 32 character password. You can specify weak if you just want letters, or leave out strong/weak (!pw 32) for alphanumeric. And obviously you can lower the number if your account doesn’t allow super-long passwords.
I then store my passwords in an AHK script as website-specific hotstrings that are triggered when I enter a secondary password. I realize this is somewhat paranoid, but I figure now I have two layers of protection—someone would need to know not only my secondary password, but also be running my script (i.e., have physical access to my computer) in which case they probably would have access to all my data anyway.
ETA: An example for anyone interested; this works for any site in Firefox. I don’t use Chrome (because Google) so you’ll have to look up the ahk_class for that yourself.
#IfWinActive NameOfWebsite ahk_class MozillaWindowClass
With this hotstring, just type puppiesarecute! into the site you’ve named under IfWinActive, and the text will be automatically replaced with your username, a tab, your real password, and then enter will be hit for you so you log in immediately.
(Remember to escape all #, ^, ! and + with braces otherwise AHK will send Win, Ctrl, Alt and Shift modifiers instead.)
cambo at August 30th, 2013 10:48 — #4
If you're worried about the NSA and any regular sites you visit, rest assured. They don't need your username and password to gain access.
binaryphile at August 30th, 2013 11:10 — #5
Cambo's got it right. You can lock it up tight with a high-entropy password and 2-factor authentication. The NSA just walks in the door at Google and has them put your email on a USB stick, lickety-split.
Just kidding about the USB stick, but you get the picture.
Even if the service keeps your data encrypted and doesn't claim to take your key (like lastpass), the fact is, you're still running their software and trusting what they say it does. If Lavabit can be compelled to close down because they won't lie to their customers, you can count on other businesses lying to you so they don't have to do the same.
Open-source, peer-to-peer technologies are the only thing you can trust, and that's if you compile it yourself and vet the code somehow.
Personally, I just take reasonable precautions and wait for the next election to make this an issue for the electorate. We have to change the government, there's no other way in this day and age.
And I'm not part of the tin-foil hat crowd, but I'm thinking they may have been more right than we knew.
Pardon me, I'm getting a transmission on my tooth...
wandersfar at August 30th, 2013 12:14 — #6
Oh, I have no delusions that my security would keep out anyone really determined to get my data, least of all the NSA, but my philosophy is: Why make it easy for them?
Cloud services like LastPass put all your security eggs in one basket. A basket you don’t even control. No thanks, I’ll roll my own.
As for Google, I quit using their services about four years ago, soon after DuckDuckGo came out. DDG has bangs, zero-click info, and actually gives a crap about your privacy.
And up until a month ago, I was a very happy Lavabit user. I’d be interested to know if any Lavabit refugees have found a good alternative. Right now I’m without a personal email and just use throwaway accounts when I have to.
cambo at August 30th, 2013 12:29 — #7
They're able to spy on just about anything anywhere without you knowing- you think you have some power to make it difficult?? The NSA is not the first, and not the last organization that will be able to do this.
Really, 99% of the population has absolutely nothing to worry about anyway.
I'm not sure you've read the whitepapers about how LastPass hashes work.
wandersfar at August 30th, 2013 12:50 — #8
Of course I do. Everyone does. We can all take small steps to make life more difficult for hackers, both private and state-sponsored.
Not reusing passwords, choosing strong, long passwords over weak ones, storing them locally versus online, and choosing HTTPS over HTTP when available won’t keep out everyone, but it will slow them down. I lock my doors at night even though I know any lock could be forced—same principle.
This is absolutely the wrong attitude to have. “If you have nothing to hide, why should you care about your privacy?” It’s that mindset that enabled these organizations to overstep their bounds in the first place.
You’re right, I haven’t. I saw “cloud storage” and ran screaming. I flirted with KeePass for a while but ultimately found AHK more appealing.
cambo at August 30th, 2013 13:01 — #9
I do agree with most of what you're suggesting for the average hacker, however the issue comes back to access in general.
You locking your front door is all well and good, however the NSA simply lifts the roof off - no password needed.
There's not much you can do to "protect" yourself against government-sponsored agencies like the NSA. They have an infinite number of highly sophisticated systems and engineers that you'll never hear about, and oodles of money and time. The only thing that can be done are legal challenges- however what you're suggesting is ideal for those rogue hackers and script kiddies that consistently try to knock on your front door. And by "you", I mean the sites you use. They're not interested in tapping your home computer- there's simply no value.
wandersfar at August 30th, 2013 13:33 — #10
Right, and like I said earlier, I have no delusions that anything I do would keep out someone with the resources, knowledge and influence of an organization such as the NSA. My concern is that because these backdoors were created for one organization, they could easily be created for another entity, and just as Google, Apple, Microsoft, Yahoo et al failed to inform the public when they bent over for the NSA, they are unlikely to do so if similarly pressured in the future. Also, the mere fact that these backdoors exist means that their systems are inherently less secure, leaving them vulnerable to future paths of attack by private hackers as well.
Thus it is better to avoid cloud storage of sensitive data (such as passwords) whenever possible.
That said, I am something of a hypocrite because I do have a Dropbox account that I’m unwilling to give up, even though I know they are a part of PRISM. I just don’t store anything in there that I don’t expect everyone in the world would be able to see—same way I view most online services nowadays, unfortunately. There were only two I felt good about and Lavabit’s dead now.
Yes, I am fully aware how uninteresting I am, thanks for pointing it out, Cambo.
The thing is, I don’t want to live in a society where privacy isn’t a given, where it has to be “justified,” where “as long as you have nothing to hide” is the prevailing norm. And not so much for my own sake, but because it makes it nigh impossible for the really interesting people (like whistleblowers and the Guardian staff) to do their jobs, and that should be important to all of us.
voodookobra at September 4th, 2013 16:14 — #11
So let me get this straight: You don't trust LastPass's code on your local computer, so you instead trust a third party to do it all for you?
If you want security, download KeePass's source code, verify the GPG signature, read the entire source code (even manually retyping it into a new directory to make sure you don't miss anything if you have to), compile it for your OS, and keep the .kdbx file on an encrypted USB drive that you keep on your keychain (with your car keys, etc).
Security in depth, after all.
voodookobra at September 4th, 2013 16:18 — #12
“Our password database was stolen yesterday. But don’t worry — your passwords are completely safe.” We regularly see statements like this one online, but should we really take these assurances at face value?
Statements like that are the reason why FLCracker exist: http://pastebin.com/AWtCrSKv
FLCracker is a PHP script that attempts to crack a sample of hashes and salts by iterating through the 10,000 most common passwords. Just because you salted the passwords doesn't mean a hacker can't break any of them. Humans will always be the weakest link when it comes to security.
nsdcars5 at September 5th, 2013 12:42 — #13
I see what you mean. Though why people would keep insults as passwords is beyond my brain capacity.
wandersfar at September 12th, 2013 13:02 — #14
Generating random passwords from a search engine is hardly letting “a third party do it all” for me.
It just eliminates the need for another program to actually create the passwords. I can refresh DDG as many times as I like to find a password, and then copy one to use it in a script for some arbitrary site. There would be no way of DDG (if that’s the entity you don’t trust) knowing which password I eventually selected and which site I associated it with. Where is the security flaw?
As I said earlier, I looked at KeePass before, but just as I prefer not to use another program just to create passwords, I prefer not to use another program just to store passwords. I’m already running AHK for other scripts, so it’s trivially easy to use it for this purpose as well.