
MSE guide discussion - 60 seconds on password managers


Comments

  • rmg1
    rmg1 Posts: 3,159 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Invisible ink and Alzheimer's for you then;)

    Alzheimer's? Don't remember hearing about that one :rotfl:
    :wall: Flagellation, necrophilia and bestiality - Am I flogging a dead horse? :wall:

    Any posts are my opinion and only that. Please read at your own risk.
  • Code
    Code Posts: 58 Forumite
    I sense we're unlikely to agree, so this will be my last post on (these specific) points - happy to discuss other principles if anyone wants.
    esuhl wrote: »
    Err... I don't use a password manager. :cool:

    Not in name, but you use an application to encrypt your credentials on your computer. That's exactly what lastpass does. You've also not explained what you do when you need your credentials but you aren't in front of your PC.

    What I'm struggling to understand is why you believe that, having gone to the trouble of setting up different credentials on every service, consolidating them all into one place doesn't increase your risk.
    esuhl wrote: »
    You're suggesting that malware might upload my VeraCrypt volume to a Dropbox account...? Unlikely! :p .... That wasn't discomfort; it was utter bafflement as to why you are so interested in my perfectly adequate system for storing passwords. Especially when you don't have a good system yourself.

    No, I'm suggesting that it's interesting that you trust your system enough to store your credentials in it, but not enough that you'd actually test it. Perhaps it's because you recognise that even though the major encryption algorithms have been publicly tested, the application you use may have errors or vulnerabilities in the code. Just like Truecrypt did, which Veracrypt is based on.

    No system is perfect, but mine provides significantly more protection using non-duplicated credentials without the need to "write them down" anywhere.
    esuhl wrote: »
    Do I really need to explain why sharing passwords (even in an encrypted form) isn't a good idea? ... There's always a trade-off between security and practicality. ... You also need to consider the "worst-case scenario"

    I've condensed this quote, but I think you may have misunderstood my posts. The purpose of doing a risk assessment, as I've described, is to define your residual risks and your acceptance of those (the "trade off", as you put it).

    Simply focusing on the "worst case scenario" in isolation doesn't actually provide a meaningful assessment. Any corporate risk expert (not even IT experts) will tell you that risk is a function of Probability and Impact. This is why companies have risk tolerance policies, and consultancies like PWC make a fortune from helping them do risk assessments.

    If the "worst case scenario" (highest impact) actually has a Probability of "rare", then you may choose to accept it.

    Using my previous example, my bank's online banking system might get compromised by some organised crime hackers, and my accounts might be drained (a Tesco bank type scenario). This risk is "worst case" or "critical impact", because I've lost all my money. However the Probability is rare, because of the way banking systems are set up (off topic).

    My risk tolerance says that even though it's critical, it's rare. I can mitigate the risk by not using online banking, but that's not practical. So I choose to accept the risk, because it's within my tolerance.

    I might spread my bank accounts around a couple of institutions to move the risk from critical down to severe, but otherwise I accept it.

    Approaching it in this way is exactly how massive corporate orgs manage their risks.
    esuhl wrote: »
    And don't forget, every time you use a password, you risk revealing it to the world. Malware is much more likely to intercept a password you've typed into a website than once stored in an encrypted volume.

    I assume you don't actually mean "intercept" as in "sniff it off the wire", as any site that requires credentials for access to PII will be via HTTPS. So unless malware has compromised a device downstream, and performs an MITM attack, malware is not at all "more likely" to intercept anything.

    In fact, in this scenario, malware on your PC is a far higher risk. And in your case, you've consolidated all your credentials into one text file. A keylogger that takes screenshots might cause you an issue there, or ransomware that encrypts your disk and denies you access to your credentials.

    esuhl wrote: »
    Do you feel a sense of discomfort every time you enter a password, knowing that malware on your PC could be transmitting it to parties unknown...?

    Not really, because I performed a risk assessment and I'm happy with my controls and residual risks.

    I hope this discussion has been useful to someone, and I'll leave it there.
  • securityguy
    securityguy Posts: 2,464 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    "Not really, because I performed a risk assessment and I'm happy with my controls and residual risks."

    As am I. It just reached a different conclusion to you, perhaps because other controls I use are different, or because my risk appetite is different.
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Code wrote: »
    Not in name, but you use an application to encrypt your credentials on your computer. That's exactly what lastpass does.

    Not exactly. I understand that Lastpass does all sorts of things, like automatically entering login details on web forms, and uploading your passwords to a publicly-accessible server.

    If I was a hacker wanting to get people's passwords, it would be a lot more profitable for me to spend my time trying to crack or exploit Lastpass or its browser add-ons than it would for me to gain physical access to someone's PC and crack a Veracrypt container, not knowing whether or not it is even likely to contain any passwords at all.
    Code wrote: »
    You've also not explained what you do when you need your credentials but you aren't in front of your PC.

    I don't need any login credentials when I'm not at my PC. This is another good way to improve security -- by only logging in to sites on machines that I control, I reduce the risk of entering my details on a compromised device.
    Code wrote: »
    What I'm struggling to understand is why you believe that, having gone to the trouble of setting up different credentials on every service, consolidating them all into one place doesn't increase your risk.

    It significantly reduces my risk, since my previous alternative was using easy-to-remember passwords. With several dozen logins, the only way to do this is to make the passwords similar, so there are fewer variations to recall. This makes the passwords more easily guessable if others are known.

    What I can't understand is how you can remember dozens of unique passwords. Especially if you are changing them regularly, which you should certainly be doing to increase security.
    Code wrote: »
    No, I'm suggesting that it's interesting that you trust your system enough to store your credentials in it, but not enough that you'd actually test it. Perhaps it's because you recognise that even though the major encryption algorithms have been publicly tested, the application you use may have errors or vulnerabilities in the code. Just like Truecrypt did, which Veracrypt is based on.

    I'm perfectly happy for my system to be tested. Go ahead and try to obtain one of my passwords! Why on earth would I want to help you by providing the encrypted volume?! You might as well just ask for the passwords!
    Code wrote: »
    No system is perfect, but mine provides significantly more protection using non-duplicated credentials without the need to "write them down" anywhere.

    I disagree, because you're relying on your limited memory. You can only memorise so many login details, and far fewer if you're changing your passwords regularly.
    Code wrote: »
    I've condensed this quote, but I think you may have misunderstood my posts. The purpose of doing a risk assessment, as I've described, is to define your residual risks and your acceptance of those (the "trade off", as you put it).

    Simply focusing on the "worst case scenario" in isolation doesn't actually provide a meaningful assessment. Any corporate risk expert (not even IT experts) will tell you that risk is a function of Probability and Impact. This is why companies have risk tolerance policies, and consultancies like PWC make a fortune from helping them do risk assessments.

    If the "worst case scenario" (highest impact) actually has a Probability of "rare", then you may choose to accept it.

    Using my previous example, my bank's online banking system might get compromised by some organised crime hackers, and my accounts might be drained (a Tesco bank type scenario). This risk is "worst case" or "critical impact", because I've lost all my money. However the Probability is rare, because of the way banking systems are set up (off topic).

    My risk tolerance says that even though it's critical, it's rare. I can mitigate the risk by not using online banking, but that's not practical. So I choose to accept the risk, because it's within my tolerance.

    I might spread my bank accounts around a couple of institutions to move the risk from critical down to severe, but otherwise I accept it.

    Approaching it in this way is exactly how massive corporate orgs manage their risks.

    Fair enough. Good point. I think it's still useful to consider the "worst case scenario" so you're aware of it, though.
    Code wrote: »
    I assume you don't actually mean "intercept" as in "sniff it off the wire", as any site that requires credentials for access to PII will be via HTTPS. So unless malware has compromised a device downstream, and performs an MITM attack, malware is not at all "more likely" to intercept anything.

    In fact in this scenario, malware on your PC is a far higher risk. And in your case, you've consolidated all your credentials into one text file. Keylogger that takes screenshots might cause you an issue there, or ransomware that encrypts your disk and denies you access to your credentials.

    By "intercept", I literally mean "intercept at any point". I was specifically thinking of malware installed on the local PC that could access the contents of the encrypted container when I have mounted it in unencrypted form. So, yes -- keyloggers, screen grabbers, etc. But ransomware is irrelevant. I have backups.

    I imagine the most likely form of malware attack would be from automated programs that extract login details and store them in a database. As I mentioned above, I imagine that password managers (PMs) would be targeted by these automated tools. A program that could successfully extract login details from a PM could be used on multiple PCs with no human intervention.

    On the other hand, with my non-standard, unformatted text file in an encrypted container, a human would probably need to examine keylogger or screengrab details in order to be able to extract login credentials.

    But I'm fascinated by the idea that you think that my locally-stored encrypted volume is vulnerable, whereas HTTPS connections are completely unbreakable!
    Code wrote: »
    Not really, because I performed a risk assessment and I'm happy with my controls and residual risks.

    Ditto. :)
  • Question for you all..

    A few months ago there was a thread about - morbid I know - storing financial and household information for loved ones should you die and they need to have a list of e.g. who is your utility provider, where your savings are etc etc.

    Of course these days most of these things are online and need passwords.

    Someone on that thread - which I cannot for the life of me find now - noted that they use a password manager which would give access to your account to predetermined people - should they request access to it (using a predetermined link) and you did not respond within a defined time e.g. 1 month / 2 months.

    What that would mean is if you die, your chosen people would after say 2 months, have access to your online accounts to close them down etc etc.

    Does anyone know which password manager this is?
  • RumRat
    RumRat Posts: 5,001 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    That would be 'Lastpass'.........See HERE.
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • EdwardB
    EdwardB Posts: 462 Forumite
    Eighth Anniversary 100 Posts Name Dropper
    Well I use a password manager, but it is much more than that.

    At my last count it was storing close to 2,500 passwords. I have so many because I manage client web assets: I create them, then I share them into an account on the password manager site.

    Each password is different, so if a site gets hacked, that password can't be tried on any other site.

    This is a password it just generated

    Wu@twJ5@SaS7Wp

    But I never have to remember that because when I go to a site, it enters the username and password for me and I can even have it log in too.

    I could also do it the other way around, start to register on a forum, enter a username, enter a password and the password manager will offer to save that password.

    One thing that I find useful is that it remembers the URL of each site, so it can act as a kind of bookmark manager.

    An essential feature for me is the profile management, I can enter the profile of a client and go create them 50 accounts on 50 sites, now I do have software that can do that for around 500 sites, but for small clients I use the password manager.

    Most people use the profile manager to store say a husband and wife's details, you can store your credit card details in there too and it can put your expiry date. I do not use it for that purpose.

    It has a secure notes facility which I find very useful, not all passwords are browser based.

    If you already have your passwords in your browser they are not secure, there are some websites that take ads which take you to sites that can suck those right out, luckily the password manager can do the same and then delete them from the browser.

    The password and data are stored in an encrypted vault, there is a copy online and one on your devices, they can be backed up onto an encrypted USB key, you can also use your mobile as part of a two factor authentication as well as a USB device.

    Now for those that have their tiers or write things down, you say a piece of paper can't be hacked, er yes it can, you enter your password into eBay, then it gets hacked. You enter your password into yahoo mail, it also gets hacked. You enter your password into something important, like TalkTalk, it gets hacked.

    Now the password manager will not prevent these hacks but it WILL prevent the cross site hacking.

    Now I never give my actual mother's maiden name; in fact I never give the same name twice. How do I remember what name I gave? It is in a profile in the password manager.

    I never give my actual date of birth or year or month, again I store it in the profile.

    So let's roll this out

    TalkTalk were hacked; they stored the date of birth and say a tier 3 password. They also had the mobile number of clients. The hackers went out and bought ten £1 SIMs from Tesco for different network providers. They then transferred the number of the victim to one of the SIMs, and the original phone on the SIM lost service. Next the hacker called the bank from what is the customer's number, said they had lost their cash card and asked if they could have £300 sent to a cash machine in the high street. The bank does a bit of security checking; the hacker has all the info from the TalkTalk data and is able to pass. An SMS is sent with a code, he goes to the cash machine and uses the mobile to take the cash out.

    He then rinses and repeats for the other 9 SIMs.

    Now if the victim has used random data for the bank and for TalkTalk then the hacker would have failed.

    Those who think email is not secure, Google the Friday Afternoon Fraud, email is used to converse with Solicitors in the sale of a house.

    They do not even need your Yahoo password because they hacked the structure of Yahoo cookies and were able to get in by creating the cookie manually. Once they are in your account they can change settings, so you do not get mail, or some mail. They can then give the Solicitor their bank account for the money transfer; it is then transferred to thousands of mule accounts, and by Monday it is long gone.

    Mostly they will just collect your email via a Gmail account; they will have it store all email but also create a rule for certain keywords, like died, inheritance, bank, 20- (the first part of a Barclays sort code).

    Also bear in mind, if you control the email account you can do password resets on other accounts.

    When they hacked eBay they got addresses. They were able to order stuff online using the pay later option or a stolen card, then arrange a delivery time and park outside the house; they then try the house on some pretext to see if anyone is in. When they see the courier drive up they get out of their car and walk up the drive with a box or a letter, pretending to look busy, then they say to the courier, "I am just going out. You're not from eBay, are you? Oh, I have been waiting all morning for that, nearly missed you."

    We have seen how TalkTalk has some of their routers hacked using command line tools, so they can add remote access then send something from your broadband connection.

    The real power comes when hackers buy this data and merge it: they construct the identity and then blag it.

    They can open accounts on gambling sites, run up bills on a mobile account in your name.

    Now the Password Manager will not protect you from everything, there are some things you can do, for example if you go through authentication and they ask for your mothers maiden name as a password, have it set to "I certainly do" or "that is fine, I was not expecting it" or any phrase, so that if someone is listening to you they think you are in conversation and do not hear you say the password.

    Of course the password managers are targets but I would rather have them and their reputation than a piece of paper or 30 tiers.

    Your password manager needs to be kept secure. You need a very long and complex password: at least two long words with mixed case, spelt with at least one O replaced with 0 and one i replaced with a 1, an a with a 4, then use two random numbers between the words and at the end two metacharacters. It can still be easy to remember but take a billion years to guess.

    It would take a computer about 1 octillion years to guess

    Bl00dyStr0ngPassword97&*

    It would take a computer about 511 septillion years to guess

    PleaseDoNotStealMyStuff45

    The password manager is set to clear passwords from clipboard so many seconds after use.

    It can not just save passwords, you can "save all entered data" this even saves hidden fields and choice fields.

    You can of course search the vault and even have it automatically change passwords.

    There are a plethora of preferences that enable you to make it work the way you want it.

    One feature I like is to have it NOT share state with other browsers, so I can be using a California client's password manager in Chrome on a VPN while using my own password manager in Firefox or other browser.

    You can share a login with another password manager user without giving the actual password, of course this would still enable them to request a new password once they were in, but still useful.

    Now you can do what you like but I would rather have my password manager ANY day than any of the other suggestions thus far.
    Please be nice to all MoneySavers. That’s the forum motto. Remember, the prime aim is to help provide info and resources. If you don’t like someone, their situation, their question or feel they’re intruding on ‘your board’ then please bite the bullet and think of the bigger issue. :cool::)
  • esuhl
    esuhl Posts: 9,409 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    EdwardB wrote: »
    Your password manager needs to be kept secure, you need a very long and complex password, at least two long words with mixed case, spelt with at least one O replaced 0 and one i replaced with a 1, an a with a 4,...

    There's literally no point in using leet character substitution. It's trivially easy for a dictionary attack to include leet spellings, and it's such a common technique that any password cracking tools will be aware of it.
  • EdwardB
    EdwardB Posts: 462 Forumite
    Eighth Anniversary 100 Posts Name Dropper
    esuhl wrote: »
    There's literally no point in using leet character substitution. It's trivially easy for a dictionary attack to include leet spellings, and it's such a common technique that any password cracking tools will be aware of it.

    I get that but it is not the number substitution but the combination of all that I said, hence the number of years to crack.
    Please be nice to all MoneySavers. That’s the forum motto. Remember, the prime aim is to help provide info and resources. If you don’t like someone, their situation, their question or feel they’re intruding on ‘your board’ then please bite the bullet and think of the bigger issue. :cool::)
  • Senjo
    Senjo Posts: 18 Forumite
    Part of the Furniture Combo Breaker
    I used to keep my passwords in a Word doc. Some passwords were used on more than 1 site. Some were not very secure as I had set them up years ago before hacking came into the news. I hadn't got around to changing those or I just had not visited the site in a long time.
    About a year ago I tried out 1Password free version, which was OK but limited the number of sites unless you paid for it.
    I am now using LastPass free version which I am very happy with and prefer it to 1Password. It makes it easy to generate a secure password and you can save notes about an account or website. You can also do a 'security challenge' in it where it tells you if you have duplicate or not very secure passwords so that you can rectify them.
    I have not found any downsides to the free version as yet.