
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so: 172 votes (41.0%)
  • I used to use them, but now I will probably stop (and change my password!): 34 votes (8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances: 11 votes (2.6%)
  • Never used 'em, won't use them until Tesla supports them better: 95 votes (22.6%)
  • Never used 'em, never will: 108 votes (25.7%)

  Total voters: 420
Your passwords are all stored in a single encrypted blob, aka a vault, which is encrypted by the client using your master password and sent to the server. The server does not ever store your master password. You log in to your account, to download the vault, using your master password, but they do this by creating a hash of your username that is encrypted by your master password on the local system and then storing that on their server. So basically when you log in your "password" is really just your username encrypted locally using your master password and is just as secure as the vault itself. Your master password is never sent to the server or stored on the server. The password is only ever used on the local device.

Here's the whitepaper if you're interested...

https://enterprise.lastpass.com/wp-content/uploads/LastPass-Technical-Whitepaper-3.pdf

In addition to all the encryption they protect the server side with extra hashing, so your encrypted user name is encrypted again using their own server side encryption. They also cut off brute force attacks by locking an account after a few failed attempts. And they also offer two factor authentication which won't even allow you to try to download without a code, and they only accept authenticator apps or special security key devices for 2FA, no SMS, so there is no way to spoof that.

But let's say they cracked the server and downloaded everyone's vault file. Every single one is encrypted using a different master password using AES256 encryption. A brute force decryption of even just one file would require hundreds of years using current technology. And because they're not stored with any identifying information, only that encrypted and hashed user name which would also take hundreds of years to decrypt, it is literally impossible for them to crack your vault without knowing, or guessing, your master password.

So I stand by my statement that it's impossible. Unless you use a stupid master password that's easy to guess.

Another technique I heard about recently that increases security even more is setting up an email with an anyone@ domain. An anyone@ domain will accept email addressed to anything @yourdomain.com and route it to a single inbox. You then use the password generator in LastPass to generate both a unique email AND a unique password. Talk about impossible to crack. If someone happened to hack a site and gain access to your email and password for that site not only would the password be unique but the email would be unique, so they'd have no way to tie any information back to you. If you connected the anyone@ domain to a forward domain they wouldn't even know where the email is actually being sent.

My point is if you want to get crazy with security you can and it's relatively easy with the tools available today.
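As an added illustration of the login scheme described in this post (example code written for this thread, not LastPass's own code or parameters): a Python model in which the vault key and a separate login hash are both derived on the device, the server stores only a salted re-hash of the login hash next to the still-encrypted vault, and the account locks after repeated failures. Round counts, the login-hash derivation, the server salt and the sample user are all assumptions made for the example.

```python
import hashlib, hmac, os

# Illustrative parameters, not LastPass's real ones: round counts, the login-hash
# derivation and the server-side salt are assumptions made for this example.
CLIENT_ROUNDS = 100_000   # PBKDF2 rounds run on the user's device
SERVER_ROUNDS = 100_000   # extra hashing applied by the server to what it receives

def client_vault_key(username: str, master_password: str) -> bytes:
    # Derived only on the device. The username is the salt, so the same master
    # password on two accounts still yields two different vault keys.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               username.lower().encode(), CLIENT_ROUNDS)

def client_login_hash(vault_key: bytes, master_password: str) -> bytes:
    # One further one-way step; this is the only value sent to the server at login.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

class Server:
    MAX_FAILURES = 5          # account locks after this many failed attempts
    def __init__(self):
        self.accounts = {}    # username -> salted verifier + encrypted vault blob

    def register(self, username: str, login_hash: bytes, vault_blob: bytes):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
        self.accounts[username] = {"salt": salt, "verifier": verifier,
                                   "vault": vault_blob, "failures": 0}

    def login(self, username: str, login_hash: bytes):
        acct = self.accounts.get(username)
        if acct is None or acct["failures"] >= self.MAX_FAILURES:
            return None                       # unknown account, or locked out
        check = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], SERVER_ROUNDS)
        if not hmac.compare_digest(check, acct["verifier"]):
            acct["failures"] += 1
            return None
        acct["failures"] = 0
        return acct["vault"]                  # still ciphertext; only the client can open it

def run_scenario() -> dict:
    # Constructed walk-through with one user; returns the properties a defender checks.
    user, pw = "alice@example.com", "correct horse battery staple"   # constructed values
    vault_key = client_vault_key(user, pw)
    vault_blob = b"<AES-256 ciphertext produced on the client with vault_key>"  # stand-in
    server = Server()
    server.register(user, client_login_hash(vault_key, pw), vault_blob)
    stored = server.accounts[user].values()
    wrong_key = client_vault_key(user, "wrong guess")
    results = {
        "secrets_absent_from_server": vault_key not in stored and pw.encode() not in stored,
        "good_login": server.login(user, client_login_hash(vault_key, pw)) == vault_blob,
        "bad_login_rejected": server.login(user, client_login_hash(wrong_key, "wrong guess")) is None,
    }
    for _ in range(Server.MAX_FAILURES):      # repeated bad attempts trip the lock
        server.login(user, b"\x00" * 32)
    results["locked_after_failures"] = server.login(user, client_login_hash(vault_key, pw)) is None
    return results
```

The vault blob is a stand-in string here; in the real scheme it would be AES-256 ciphertext that only the device holding vault_key can open.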
Excellent info. I posted this earlier about AES-256, but it's worth repeating as not everyone understands the technology used by the Federal Gov't (among others) on the most secure networks.

From a Brute-Force attack standpoint:
"Fifty supercomputers that could check a billion billion (10^18) AES keys per second (if such a device could ever be made) would, in theory, require about 3×10^51 years to exhaust the 256-bit key space."
 
I'm imagining a homeowner who puts a steel door on his house with seventeen locks and a bar across the door, and then the burglar breaks a window and burgles the house. Once it's more difficult to pick the lock than to break a window, a better lock serves no further purpose. From the descriptions above, LastPass is like a reinforced steel door on a glass house. For people who cannot remember several difficult and unique passwords, it sounds convenient.
 
I'm certainly what you'd consider an "advanced" user. I use LastPass (any solid password manager is good, though). Because it allows me to use a different password for every login: website, ssh, private key passphrases, etc. This way any one site I use being of low quality and losing their auth database and having used poor hashing techniques doesn't risk compromising any other credential I have on any other item that requires a password.

My LastPass account also requires 2FA, and the password I use is a strong phrase with whitespace and punctuation that is dictionary simple but brute force difficult. Anybody that thinks they're keeping secure passwords in their mind for multiple endpoints is fooling themselves.
 
Which brings us back around to the OP. If you want to trust a 3rd party site with your Tesla credentials or not is up to you, but don't not do it because you're using that same user/password combo on other sites. Don't use the same user/password combo on ANY site. Use something like LastPass and create a unique password for every site.

As for your Tesla credentials... that API key gives that service a lot of power over your car, so make sure you trust the site you give access to. Even if you use the advanced option to generate your own token and not giving them your user/password directly, you're still giving them the power to do anything the Tesla app can do, including locating, unlocking and driving the car.
 
You can also generate a token that gives no control of the vehicle and only offers read-only access to the API's data. Which is exactly what I've done. The only way to send a command to make my car do something is from my Tesla app, or if you're Tesla.
 
To those in the security world my main question is:

Why when I log in to a site I only get a few attempts to get it right before being locked out or delayed, but in the examples above hackers get 1000s of attempts per second?

...and a few others:

Would the insertion of a nefarious keystroke logger thwart password/security efforts?

Most apps I use don't seem important to me from a security standpoint. Should I care much if someone has or can guess my Shazam, weather app, bar code scanner or even a forum password if it can be hacked with brute strength anyway?

Is using Google's built-in password manager good enough for all but the most critical sites like email or banking?
 
If a hacker steals the database they can attempt to crack it as many times as they want. If they have to use the login page on a website the backend code can limit attempts.

A keystroke logger captures anything you type, so it would be very possible for one to pick up your master password. I personally set up a fingerprint scanner on my PC that I can use instead of having to type the password all the time. So that wouldn't work for that setup.

The problem isn't how secure those sites are, the problem is when you reuse the same password on multiple sites. If one gets hacked then all of a sudden the hacker has an email and password you used on a bunch of other sites. And if they gain access to your email you're screwed, because they can just reset all your passwords.

The password managers built into all 3 major browsers have been hacked. They aren’t safe at all.
 
This is only sort of true. Some of the "hacks" involved requiring you to go to a specially crafted site that embedded the site you actually wanted to go to, and capturing the login for the second site by the first site. Not exactly what you'd call a common or transparent vector. Other "hacks" involved being able to collect the automatic password reset link from a site's URL value (they all encrypt that field now), and I believe another of the hacks was the ability to fetch unencrypted notes data.

The real vulnerabilities of these tools have historically been not scrambling and then clearing the clipboard contents, and not scrambling / randomizing their own internal stack space. As far as I know they've all addressed those issues, which prevents other privileged apps from scanning memory space and finding the in-RAM data structures.

These apps are vastly more secure than using crappy passwords, or attempting to be clever and only coming up with what is an easily cracked crappy password that's hard to remember.
 
It's been a while since I looked at this. Good to know they're improving the internal password managers. People are more likely to use these things if they're built right into the browser.
 
To those in the security world my main question is:

Why when I log in to a site I only get a few attempts to get it right before being locked out or delayed, but in the examples above hackers get 1000s of attempts per second?

Hackers DON'T get any different treatment from you when attempting logon. But if they can steal the hash of your password they can sit down and try to crack the hash locally on their own computers without touching the web site at all. Such an attack requires significant computational power, however, especially when the hashes follow best practices. Sadly, not all do. Also, there are various attack methods that, while not allowing a hacker to crack an individual password any faster, do allow them to attempt attacks across a large set of password hashes simultaneously. So while it might take 1 million years to crack one specific password, they can crack some of the passwords from a set of 1 million in a few months.
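As an added illustration of the "large set of hashes at once" point (example code written for this thread, not from the post): a Python comparison of a stolen database stored as unsalted SHA-256 against one stored as per-user-salted, iterated PBKDF2-SHA256, counting how many hash computations it takes to check a small guess list against every account in each scheme. The accounts, passwords, guess list and round count are constructed for the example.

```python
import hashlib, os

# Constructed data: the same four accounts stored two ways. Plain SHA-256 with no
# salt is the weak scheme; PBKDF2-SHA256 with a random per-user salt is the
# hardened one. Passwords and the guess list are illustrative, not real.
GUESSES = ["123456", "password", "letmein", "qwerty", "tesla", "dragon", "sunshine"]
USERS = {"ann": "tesla", "bob": "qwerty", "cy": "correct horse battery staple", "di": "tesla"}
ROUNDS = 10_000           # iteration count for the hardened scheme (illustrative)

def store_unsalted(passwords):
    # Weak: identical passwords give identical hashes, and nothing slows a guess down.
    return {u: hashlib.sha256(p.encode()).digest() for u, p in passwords.items()}

def store_salted(passwords):
    # Hardened: unique random salt per user plus a deliberately slow hash.
    out = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        out[u] = (salt, hashlib.pbkdf2_hmac("sha256", p.encode(), salt, ROUNDS))
    return out

def audit_unsalted(store, guesses):
    # Without salts, one hash per guess is compared against the whole database at
    # once, so the work is the size of the guess list, not users x guesses.
    by_hash = {}
    for u, h in store.items():
        by_hash.setdefault(h, []).append(u)
    hashes_computed, weak_users = 0, set()
    for g in guesses:
        hashes_computed += 1
        weak_users.update(by_hash.get(hashlib.sha256(g.encode()).digest(), []))
    return hashes_computed, weak_users

def audit_salted(store, guesses):
    # With a unique salt, every (user, guess) pair is its own PBKDF2 run costing
    # ROUNDS iterations, so the cost grows with the number of users as well.
    hashes_computed, weak_users = 0, set()
    for u, (salt, h) in store.items():
        for g in guesses:
            hashes_computed += 1
            if hashlib.pbkdf2_hmac("sha256", g.encode(), salt, ROUNDS) == h:
                weak_users.add(u)
                break
    return hashes_computed, weak_users
```

The same three weak accounts are found either way, but the salted store costs three times as many hash evaluations, each of them ROUNDS times slower; that multiplier is the "best practices" the post refers to.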
 
Totally agreed. I still don't use the internal ones, because systems like 1Password, and LastPass have a longer history, better track record, multi-device support, and I can use them to track much more than just browser logons. Things like PGP and SSH key passphrases, for example, are pretty handy features.

Sadly, not all do.

I nominate this for understatement of the year. A late but solid entry.
 
Can someone tell me how I as a user would interact with LastPass? Let's say I have LastPass in my browser or on my tablet and I want to log in to my bank. Right now I would enter my user name and password. If I'm on a new device I'd get a text on my phone with an authentication code. Otherwise I'd be logged in. How would this process work with LP? Would I still type my user name and then my long master password into a LastPass pop-up window?

They say everything is stored locally but accessible from any device. If I have LP on two different browsers on my desktop computer and the app on my phone and my tablet, I take it they communicate with each other, but if everything is stored locally, how do those LP-generated individual passwords get from my computer to my phone and tablet?

What about a forum that normally I'm automatically logged into? Would I still be logged in automatically, or would LP require my master password every time?

I went on their web site and looked through "How it works" and there's a bunch of jargon about how it protects data, but I couldn't find anything about the user experience.

Thanks.
 
You log into LastPass with your master password on your computer (or other device) and your website passwords are downloaded to your computer or device. When you go to a website, LastPass will auto-fill the username and PW for that site. If you have 2FA set up for a particular website, you will then still get that push to complete the login from that website.

If you are on a forum, like this one, and choose to remain logged in, then LastPass won't need to log you in again. It's only when you log out of LastPass that you need to enter your master password again.
 
But if they can steal the hash of your password they can sit down and try to crack the hash locally on their own computers without touching the web site at all.

How are these typically stolen?

Even if stolen, and you use the browser's built-in password manager or have the same simple password for all noncritical sites (using a noncritical email account) and unique passwords for critical ones, the risk seems small, or am I being naïve?
 
No, that's good security practice .. but keep that password manager password complex .. you don't want ANYONE cracking that. And they are stolen by hackers who break into a company and access the password hash database en masse .. it's the thing you are always reading about.
 
First off I want to say you should NEVER EVER have auto-fill enabled EVER. That's begging for something malicious to happen, turn it off.

Your LastPass (or 1Password, or any other) data is stored in LastPass' cloud service. Your client downloads an encrypted blob of data and decrypts it locally at your device. So your data is never sent unencrypted to anywhere. Every device must do its own decryption and encryption of any changes that need to be sent to the cloud.

The LastPass client can be (should be) set up to use 2FA when logging in, and you can choose to authorize a device for 30 days so it doesn't ask every time. Whatever sites you use should also be configured to use 2FA so that even if someone broke into your password manager, they'd still need to unlock your mobile device, or physically possess your second factor token or recovery codes.
 
Nothing wrong with having auto-fill enabled for LastPass, that’s the whole point of it. The UN/PW are presented from your computer or device. Or are you talking about a different kind of auto-fill?