Aaaaaaaaaaaaaaaaarrrrrggggghhhhhhhh!!!!

BooTheMightyHamster (Northern edge of London, just before the dragons...), Member, Posts: 981
I've been a member of a videogaming website for 13 years, and in that time I've only ever had to log back in once, and that's because I logged myself out by mistake.
I get the 'Howdy Stranger...' message from the Brickset forum about 3 times a month, and I'm ready to reformat the server with an axe!!!!

GRRRRRRRRRR!!!!!!!

(Rant over) 

Comments

  • tecjam (Germany / Switzerland), Member, Posts: 255
    edited November 2015


    https://lastpass.com/ handles all my password malarky

    Cookies with a 13+ years expiration date surely are not the way to go ;)
  • Huw (Brickset Towers, Hampshire, UK), Administrator, Posts: 5,847
    That looks like a useful tool, might give it a go.
  • MattsWhat (Studley, UK), Member, Posts: 1,639
    edited November 2015
    Wait! There are still people on the internet not using lastpass?  How on earth do you stop your head exploding, or do you just use the same password for everything?
  • Bobflip, Member, Posts: 371
    I don't use it, I use different passwords for each of the high-risk things like GMail, PayPal and eBay, and then the same password for most other things (with variations to account for different format requirements).

    Would feel a bit weird having one site know all my passwords while I don't! I like being able to log into things from other people's computers or public access points without having to ask if I can install extra software. Also feels like in the event of LastPass suddenly going away, access to everything would be blocked.

    As for head-explosion prevention, checking each site's 'auto-login' and 'stay logged in' options helps a bit!
  • tecjam (Germany / Switzerland), Member, Posts: 255
    Bobflip said:
    I don't use it, I use different passwords for each of the high-risk things like GMail, PayPal and eBay, and then the same password for most other things (with variations to account for different format requirements).

    Would feel a bit weird having one site know all my passwords while I don't! I like being able to log into things from other people's computers or public access points without having to ask if I can install extra software. Also feels like in the event of LastPass suddenly going away, access to everything would be blocked.

    As for head-explosion prevention, checking each site's 'auto-login' and 'stay logged in' options helps a bit!

    While it does allow you to create random passwords with the built in pw generator, it does not mean you can't use easy to remember passwords so you can still login from a different computer without lastpass.

    It merely warns you that you have the same passwords for more than 1 site or easy to guess passwords and it recommends you change them for obvious security reasons. However, you do not have to.

    I would recommend it for the autologin feature alone, so as soon as you browse to a site, it will auto log you in so you don't have to. Plus it also has Android support, which is nice on the 'go'.

    I clear my cache & cookies more often than I change my underwear, so the 'remember me' login option is utterly useless to me.

    btw: I am not affiliated with lastpass ;)
  • TigerMoth, Member, Posts: 2,343
    tecjam said:

    I would recommend it for the autologin feature alone, so as soon as you browse to a site, it will auto log you in so you don't have to. Plus it also has Android support, which is nice on the 'go'.
    Autologin on an Android device is suicidal.

    Storing passwords on a web site, encrypted or not, is probably also suicidal.

    Storing sensitive information on a server in a different country is ill-advised.
  • MattsWhat (Studley, UK), Member, Posts: 1,639
    So it isn't an extra piece of software, you can login and check your vault anywhere for a start.  I just remember about three passwords.  My actual computer, my bank, and my lastpass.
    So yup everything is stored on lastpass, but that as a site (they would have you believe at least) is more secure than most of the individual sites and infinitely better than using the same password everywhere.  Lastpass can also auto change passwords, so in the event of a massive hack I could change everything within a few minutes.
    Lastly, using auto complete is the least advisable thing on the internet.  Assuming someone had physical possession of any of your devices they would be able to access everything.  As it is for myself, they would not only have to steal my laptop but know my lastpass master password, which they wouldn't.
    I guess the question is are you more likely to have your phone stolen and then them have access to your facebook, email, banking etc.  Or is a site with your details going to be taken down by a huge hack carried out by a specialised person/team.  I put my money on the former, hence using lastpass. (I also have one of those remote phone wipey things, but to be honest the damage would have been done by the time I noticed I hadn't just left it in the car.)

  • madforLEGO (US), Member, Posts: 8,135
    IMO anything is hack-able, especially sites that store passwords for other sites. I would think that is a treasure that many hackers are trying to get into, if they have not already that is.
    And sure theoretically you will get some notice right away that the site has been compromised. I mean it only took Target like 30 days, or something like that, to realize their site was compromised.
    And yeah you can use it to change your passwords, unless of course the hackers put something in the system undetectable that monitors the changes you make. Not sure why you would trust a site that just lost all of your passwords to then change all of your passwords anyway.
    All in all, call it paranoia, but I will never store any passwords on any such site nor would I use autocomplete on anything: PC, Mobile device, tablet, whatever.
  • TigerMoth, Member, Posts: 2,343
    MattsWhat said:

    So yup everything is stored on lastpass, but that as a site (they would have you believe at least) is more secure than most of the individual sites
    It had better be - it would also be a very big target.
    MattsWhat said:

    Lastly, using auto complete is the least advisable thing on the internet.

    Who said anything about autocomplete?
    MattsWhat said:

    Assuming someone had physical possession of any of your devices they would be able to access everything.  As it is for myself, they would not only have to steal my laptop but know my lastpass master password, which they wouldn't.
    People sometimes think that encryption and password-protection is the answer to everything - it isn't. It just makes life harder for the bad guys.

    And encryption on Android probably solves even less.

    Be careful out there.
  • paul_merton (UK), Member, Posts: 2,765
    TigerMoth said:
    MattsWhat said:

    So yup everything is stored on lastpass, but that as a site (they would have you believe at least) is more secure than most of the individual sites
    It had better be - it would also be a very big target.
    And indeed, not too long ago...
    https://blog.lastpass.com/2015/06/lastpass-security-notice.html/ 
  • sklamb (speaker of American English), Member, Posts: 455

    Why should I have to worry about having a strong password for a forum like this one, as opposed to a bank, PayPal, or credit card site? (This is actually a semi-serious question.)

  • TigerMoth, Member, Posts: 2,343
    sklamb said:

    Why should I have to worry about having a strong password for a forum like this one, as opposed to a bank, PayPal, or credit card site? (This is actually a semi-serious question.)

    We know the state in which you live from your profile. How much have you revealed about yourself in your posts? Have you talked about your car or family or neighbourhood or habits? Is your username connected to you, directly or indirectly? So we might know a few things about you - probably more than you'd guess.

    You've probably done the same elsewhere, perhaps somewhere a little, only a little, more important. Perhaps it can be linked - it doesn't have to be a solid connection. There are plenty of sites that provide other information - as a service. So maybe we know even more about you. Go back to the beginning of this paragraph.

    The more you know, the more you can find out or guess.

    Then what happens if  someone impersonates you, using that information? I don't know; I don't want to know. I suspect you don't either. What could you do with a p.m? Are your Facebook or Twitter accounts linked? Maybe they could be used to start the process over again on a friend, with potentially more information (because they trust you) and with more serious results. Perhaps "you" would sell them a LEGO set, but because they're your friend, you arrange a meeting somewhere that you'd never dream of meeting a stranger to hand over the goodies. Why wouldn't you meet a stranger there? Oops!

    A bit far fetched? The last bit, maybe. Maybe not. However, the thing about security, online or otherwise, is not what you can think of that somebody can do but what they can think of that you don't. Have a look at a few scams that have been perpetrated, and the chances are that it wouldn't be too long before you found one that would never have crossed your mind. Finding one that would have caught you out may take a while longer, but that's not the point.
  • sklamb (speaker of American English), Member, Posts: 455
    TigerMoth said:

    However, the thing about security, online or otherwise, is not what you can think of that somebody can do but what they can think of that you don't.
    Very true. Thank you!
  • tecjam (Germany / Switzerland), Member, Posts: 255

    All in all, call it paranoia, but I will never store any passwords on any such site nor would I use autocomplete on anything: PC, Mobile device, tablet, whatever.
    You have them written on a piece of paper in your purse instead?

    Each to their own, but personally I would rather use lastpass than google chrome or firefox sync or foxmarks / xmarks.

    If you really want to be safe, log off now and never use the internet again, never throw away any letters before shredding them and close your bank account and store your cash under your bed.
  • kiki180703 (Montreal, Canada), Member, Posts: 968
    edited November 2015
    ^ But if you store your money under your bed, if someone sneaks into your house and steals your cash, you'll be broke and you'll not be able to buy lego :) Also, if you put your money in a safe, you'll need to remember a passcode :D
  • TigerMoth, Member, Posts: 2,343
    tecjam said:

    All in all, call it paranoia, but I will never store any passwords on any such site nor would I use autocomplete on anything: PC, Mobile device, tablet, whatever.
    Each to their own, but personally I would rather use lastpass than google chrome or firefox sync or foxmarks / xmarks.
    I think you missed the bit about "any such site".
    tecjam said:

    You have them written on a piece of paper in your purse instead?
    That depends on what you write.

    What does "Bank 1: 8-72" tell you? Perhaps it tells you something about your account with "Bank 1". It would take you an awfully long time to make the jump to the password being "atotmwtsinel28". Actually that's a bit simple - it could do with some mixed case and symbols but I'm trying to keep things reasonably clear.

    WTF? Simple. They're the initial letters of the 8th (from the "8") and 9th lines of Wordsworth's "I wandered lonely as a cloud". (And twinkle on the milky way, they stretched in never-ending line.) The number's a bit weak, again for simplicity, being the complement of the "72". You can key other passwords off the same poem, or a different one. Not a poet? I'm sure you'll think of something.

    Of course you don't have to be  as explicit as that - anything you write just has to mean something to you.
    tecjam said:

    If you really want to be safe, log off now never use the internet again, never throw away any letters before shredding them and close your bank account and store your cash under your bed.
    It never ceases to amaze me how predictable this is. Somebody comes up with a piece of software that they think solves a problem. For most software, the only concern is whether it does what you want - add up the numbers; print the graph; whatever. With security software, there's another concern - whether somebody else can get it to do what you don't want, because that's its real purpose.

    When somebody points out a loophole, nine times out of ten the response is not to say "I hadn't thought of that", but some sort of ridicule, "that's crazy - nobody would ever do that", or facetious comment, "if you really want to be safe don't use the Internet". It's as if people have to defend a mistake.

    Do what you like. There aren't many people who are particularly bothered about whether you are hacked or scammed - it's your problem not theirs. But hacks and scams are a bit like not being able to prove a negative - you don't know whether you're vulnerable until it's happened. Anybody who tells you about any loophole, however unlikely it may seem, is doing you a favour, as becomes apparent the following day when it happens for real. Or, in the case of lastpass, five months ago.

    And, when it comes to hackers, lightning does strike twice. Three times. More. Each successive strike tends to be harder than the time before because it's seen that there are weaknesses and there's also a challenge to do better.
  • aldredd (United Kingdom), Member, Posts: 203
    Wouldn't use something like lastpass myself - the thought of all my passwords on an uncontrolled server on foreign territory - the US at that - scares the kack out of me.

    I use variations of a base password. All 'important' sites use a unique password, with 2-step authentication enabled where available (google, microsoft, facebook to name a few).
    That said, because I have a few accounts where I wanted / had to pick a unique password, but don't log in often enough to always remember it, I do stick these into a KeePass file - which is an open-source program which creates an encrypted container file you store locally rather than on a server.
    http://keepass.info/

  • MattsWhat (Studley, UK), Member, Posts: 1,639
    Is there a thread at the moment that hasn't been derailed into a really off-topic conversation? This one about internet security is pretty closely related to the original post compared to some.  But anyway, to answer some people's questions...

    Yup Lastpass was a target of hacking, no real surprise there.  Presumably the information they give is correct and actually nothing much was taken, and not all passwords for all users (the holy grail for a hacker presumably).  I also refer to my original comment where I said I don't keep banking stuff in my vault anyway.

    I didn't mean auto complete, I meant auto-login as someone before me had recommended - my bad.

    And to the 'keep it on paper with some weird code on it' people... what if your wallet gets stolen along with all your passwords.  You won't ever be able to log into anything again.  Unless you make copies and keep them everywhere just in case of a burglary or fire etc.  Then they are in so many places you may as well store them centrally on a web server anyway.  If you really want to make it impossible you can store notes on lastpass instead of passwords.  You could write your complicated poem password generator statements on Lastpass and make yourself invulnerable to attack - mwahahaha!. (Except if you were taken hostage and tortured for your password of course... now how to prevent that...)
  • MattsWhat (Studley, UK), Member, Posts: 1,639
    edited November 2015
    ^I edited for too long and it wouldn't let me add these changes (no need to read it all again - I will bold the changes):

    Is there a thread at the moment that hasn't been derailed into a really off-topic conversation? This one about internet security is pretty closely related to the original post compared to some.  But anyway, to answer some people's questions...

    Yup Lastpass was a target of hacking, no real surprise there.  Presumably the information they give is correct and actually nothing much was taken, and not all passwords for all users (the holy grail for a hacker presumably).  I also refer to my original comment where I said I don't keep banking stuff in my vault anyway.

    I didn't mean auto complete, I meant auto-login as someone before me had recommended - my bad.  One of the biggest flaws of using this is on a portable device with wireless on while you are out and about.  Devices like this (tablets, phones, laptops etc.) continually try to join networks with familiar names and check in on sites such as facebook, emails etc - anything with auto-login enabled.  So I sit in the middle of town broadcasting a network called 'Work Wireless' or whatever, your computer joins and I can harvest any auto-login information in the time it takes you to walk out of range.

    Variations of a base password would be checked by a computer in seconds, I used to do this as it meant I could remember them easily, but changing the odd capital letter or adding a number will be the first thing any hacker tries once they have one of your passwords.  You could argue that this undermines the security of the more complicated password by having a simple to crack version of it out there on the internet.

    And to the 'keep it on paper with some weird code on it' people... what if your wallet gets stolen along with all your passwords.  You won't ever be able to log into anything again.  Unless you make copies and keep them everywhere just in case of a burglary or fire etc.  Then they are in so many places you may as well store them centrally on a web server anyway.  If you really want to make it impossible you can store notes on lastpass instead of passwords.  You could write your complicated poem password generator statements on Lastpass and make yourself invulnerable to attack - mwahahaha!. (Except if you were taken hostage and tortured for your password of course... now how to prevent that...)

    It is safer to not use the internet, but then I can't order new tinfoil hats as easily.  And buying them in person makes me feel weird.

  • paul_merton (UK), Member, Posts: 2,765
    The best password strategy is to not tell everyone what your password strategy is.
  • TigerMoth, Member, Posts: 2,343
    MattsWhat said:

    I didn't mean auto complete, I meant auto-login as someone before me had recommended - my bad.
    Hmmm. However, auto anything is bad. "Auto" means anything you can do somebody else can do.
    MattsWhat said:

    Variations of a base password would be checked by a computer in seconds, I used to do this as it meant I could remember them easily, but changing the odd capital letter or adding a number will be the first thing any hacker tries once they have one of your passwords.
    Er no. Variations on a base password are as complicated as a whole new password. "CaT26" is a variation of "73DOg" and yet appears completely unconnected - just don't make the variation trivial. But, anyway, don't use real words.
    MattsWhat said:

    And to the 'keep it on paper with some weird code on it' people... what if your wallet gets stolen along with all your passwords.
    That's a trite argument. There's a whole bunch of things that'll cause you major grief if you lose them. Er, like keys. People know this and take appropriate precautions.

    That "appropriate" is important, because you have to make a decision based on the circumstances. You know that a piece of metal will open a lock; you know that not having it means you won't open it. So you keep a spare somewhere. You make sure that nobody else is able to get or make a copy. By understanding the basic principles, you know what to do. So stick to what you understand.

    A web server, belonging to someone else, in another country, governed by foreign laws, perhaps using some sort of encryption, perhaps not, isn't something that's understood by most people. Your bank account is probably protected by legislation designed to ensure that it is "safe", and yet you want to put the key to that account somewhere that is completely unregulated?

    A piece of paper? They might be a bit primitive, but people understand pieces of paper, although they might need a few hints so it doesn't become that auto-login of earlier. They'll understand those hints too.

    Technology isn't the answer to everything.
    The best password strategy is to not tell everyone what your password strategy is.
    That's far too simple.
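The disagreement above, MattsWhat's point that small variations of a base password are the first thing tried and TigerMoth's "CaT26" / "73DOg" reply, can be made concrete with the kind of check a site could run when a user changes password. This is an added example, not part of any post in the thread; the normalisation rules, the function names and every sample password other than the two quoted from the thread are assumptions.

```python
import re

# Assumed table of common character swaps (illustrative, not exhaustive).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})


def skeleton(password: str) -> str:
    """Canonical form that ignores case, edge digits/symbols and simple swaps."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", password)  # strip both edges
    if not core:                      # e.g. an all-digit password
        core = password
    return core.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify(old: str, new: str) -> str:
    """Say how a new password relates to an old (possibly exposed) one."""
    a, b = skeleton(old), skeleton(new)
    if a == b:
        return "same skeleton"
    if a == b[::-1]:
        return "reversed"
    # Only compare longer skeletons, otherwise short words collide by chance.
    if min(len(a), len(b)) >= 4 and edit_distance(a, b) <= 1:
        return "one edit apart"
    return "distinct"


if __name__ == "__main__":
    # Constructed pairs, plus the pair quoted in the thread.
    pairs = [("Brickset1", "brickset2!"), ("P@ssw0rd", "Password2015"),
             ("Sunshine1", "Sunshin3"), ("Lego2015", "ogeL!"),
             ("73DOg", "CaT26")]
    for old, new in pairs:
        print(f"{old!r:>14} -> {new!r:<16} {classify(old, new)}")
```

A change that only toggles case, appends a year or swaps a letter for a look-alike digit collapses to the same skeleton, while a variation that replaces the word itself does not.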
  • madforLEGO (US), Member, Posts: 8,135
    tecjam said:

    All in all, call it paranoia, but I will never store any passwords on any such site nor would I use autocomplete on anything: PC, Mobile device, tablet, whatever.
    You have them written on a piece of paper in your purse instead?

    Each to their own, but personally I would rather use lastpass than google chrome or firefox sync or foxmarks / xmarks.

    If you really want to be safe, log off now and never use the internet again, never throw away any letters before shredding them and close your bank account and store your cash under your bed.
    Heh, funny, 'purse', cute remark. Refusing to use autocomplete or storing passwords on some 3rd party site does not make someone afraid of the internet, banks, or the world. Just cautious, which maybe more people should be in the world. You can keep your confidential and sensitive passwords on a third party site that can lose them without knowing or possibly caring to tell you immediately, that's your decision.

    The best password strategy is to not tell everyone what your password strategy is.

    Exactly. I have a system for storing passwords, and it does not rely on a 3rd party site to do it, nor does it rely on any paper.

  • MattsWhat (Studley, UK), Member, Posts: 1,639
    The best password strategy is to not tell everyone what your password strategy is.
    The first rule of password strategy is don't talk about password strategy.  The second rule is don't poo poo other people's strategies as it causes arguments apparently
  • MattsWhat (Studley, UK), Member, Posts: 1,639
    TigerMoth said:


    And to the 'keep it on paper with some weird code on it' people... what if your wallet gets stolen along with all your passwords.
    That's a trite argument. There's a whole bunch of things that'll cause you major grief if you lose them. Er, like keys. People know this and take appropriate precautions.
    Ah yes, but the problem with passwords is they are interlinked, unlike keys.
    If my password change email is sent to an email account that I also lost the password to I am screwed.  And unless I set up some other useful way of getting in to the account in advance I'm stuck.  Whereas keys, cards etc I can get someone after the event to help me out.
  • TigerMoth, Member, Posts: 2,343
    MattsWhat said:
    The best password strategy is to not tell everyone what your password strategy is.
    The first rule of password strategy is don't talk about password strategy.  The second rule is don't poo poo other people's strategies as it causes arguments apparently
    The only person who wants to argue about password strategy is you. I made a simple, and commonly recommended, suggestion, nothing more. It isn't one that I use - if there's one poet I can't quote, it's Wordsworth - nor would I discuss any strategy that I might have.
    MattsWhat said:

    Ah yes, but the problem with passwords is they are interlinked, unlike keys. If my password change email is sent to an email account that I also lost the password to I am screwed.  And unless I set up some other useful way of getting in to the account in advance I'm stuck.  Whereas keys, cards etc I can get someone after the event to help me out.
    You really like inventing problems and then only applying them where it suits you, don't you? You want me to lose things that you think are critical, but that doesn't apply to you losing a website, either because it ceases to exist or because it falls into somebody else's control. That's not possible is it - except that the company was bought out last month so your data is already controlled by someone else.

    No matter. You take precautions - appropriate precautions. You don't rely on a single piece of paper that you might lose so that you  end up with a swathe of email accounts you can't access.

    As for LastPass, you only have to read the link, not even follow it.

    https://securityintelligence.com/news/lastpass-gets-a-failing-grade-from-researchers-who-say-passwords-could-be-exposed/

    I've seen dozens of these things, and dozens of people claiming they're the best thing since sliced bread. None of them ever are. They're simply tools. Like all tools, they do some things, but not others. They all have limitations and problems. Introducing problems, particularly those which you can neither control nor understand, in relation to your security, is folly.

    As I said before, it's not what you can think of that somebody can do but what they can think of that you don't. You can't weigh up good opinion against bad and pick the majority view. If one person finds a flaw, it doesn't matter if a thousand others can't.
  • SumoLego (New York), Member, Posts: 7,928
    I decided to lock my computer in a file cabinet.
  • MattsWhat (Studley, UK), Member, Posts: 1,639
    TigerMoth said:
    MattsWhat said:
    The best password strategy is to not tell everyone what your password strategy is.
    The first rule of password strategy is don't talk about password strategy.  The second rule is don't poo poo other people's strategies as it causes arguments apparently
    The only person who wants to argue about password strategy is you. I made a simple, and commonly recommended, suggestion, nothing more. It isn't one that I use - if there's one poet I can't quote, it's Wordsworth - nor would I discuss any strategy that I might have.
    erm.. it takes two to tango. And I'm wandering off now to spout unwanted opinions on another thread.
  • tecjam (Germany / Switzerland), Member, Posts: 255
    edited November 2015
    I guess it comes down to a few things:

    a) How likely is it that my PC/Mac/Android/IOS device is hacked? How likely is it a keylogger is then installed that will steal my login infos from all sites I frequent?

    b) How many different passwords do I use across the internet and how complex are these? How likely is it that any of the sites I am registered at are compromised and data is stolen, including the passwords I may be using elsewhere?
    As a user you do not know anything about the security of a site. Even a site using 256 bit SSL encryption may not use a salt or even hash your passwords before storing them in their database (the amount of sites I've seen using plaintext for storing passwords alone is shocking to say the least!). And even if MD5 hashing is used for example, there are plenty of rainbow tables out there to run a compare against.

    c) How many of these compromised sites will actually let the public know they have been hacked? (in theory they all should, but most will probably not as it will not be in their favour or give their service a bad reputation - even Sony didn't know it was hacked until the data was posted for everyone to see).

    d) How much of a target am I personally? Is there a reason they could be targeting me specifically? (hello Jennifer Lawrence!)

    e) In case of a data breach how fast can I act and re-secure, have I got all my eggs in one basket?


    In today's cyber world, one should presume that sooner or later one's details will be hacked one way or another. So it is not 'how do I not get hacked' but more of a 'how fast can I react if the inevitable does happen and how well have I prepared for this worst case'?


    And as for posting Lastpass security issues as scaremongering one should really actually read the link it refers to: http://www.martinvigo.com/even-the-lastpass-will-be-stolen-deal-with-it/ and read the conclusion the authors have written.

    If you want to post scaremongering links against hacks, please at least post them for all data breaches reported so far - which includes the NHS / Ebay / Evernote / Adobe / Sony / Steam / JP Morgan Chase / T-Mobile / AOL / Visa / LinkedIn / LastFM / Heartland / US Military / AT&T / RBS Worldpay and many more ...

    http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/


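tecjam's point (b) above, that a site may store passwords unsalted or as plain MD5 and that precomputed tables exist for those, is illustrated here from the storage side. This is an added example, not part of any post; the user table, the four-word stand-in for a precomputed table, the iteration count and all function names are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample data: two users who happen to share a password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "x7#Qv!r2Lp"}
# Constructed stand-in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "sunshine1", "letmein"]
ITERATIONS = 100_000  # assumed work factor; tune to the server's hardware


def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup(words):
    """Hash -> password table, computed once and reusable against any site."""
    return {md5_hex(w): w for w in words}


def store_unsalted(users):
    """Weak scheme: one unsalted MD5 digest per user."""
    return {name: md5_hex(pw) for name, pw in users.items()}


def recover_from_unsalted(db, lookup):
    """What a leaked unsalted table gives away by plain dictionary lookup."""
    return {name: lookup[h] for name, h in db.items() if h in lookup}


def hash_salted(password: str, salt: bytes = None):
    """Salted, iterated hash: PBKDF2-HMAC-SHA256 with a 16-byte random salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def store_salted(users):
    return {name: hash_salted(pw) for name, pw in users.items()}


def verify_salted(record, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, digest = hash_salted(password, salt)
    return hmac.compare_digest(digest, expected)


def duplicate_groups(db):
    """Users whose stored values are identical, i.e. visibly share a password."""
    groups = defaultdict(list)
    for name, stored in db.items():
        groups[stored].append(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    weak = store_unsalted(USERS)
    strong = store_salted(USERS)
    print("recovered by lookup:", recover_from_unsalted(weak, build_lookup(COMMON_PASSWORDS)))
    print("shared passwords visible (unsalted):", duplicate_groups(weak))
    print("shared passwords visible (salted):  ", duplicate_groups(strong))
    print("login still works:", verify_salted(strong["alice"], "sunshine1"))
```

With a per-user salt, the same password yields a different stored value for each user, so a table computed in advance does not apply and each guess has to be recomputed per account at the full iteration cost.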
  • TigerMoth, Member, Posts: 2,343
    tecjam said:

    If you want to post scaremongering links against hacks, please at least post them for all data breaches reported so far - which includes the NHS / Ebay / Evernote / Adobe / Sony / Steam / JP Morgan Chase / T-Mobile / AOL / Visa / LinkedIn / LastFM / Heartland / US Military / AT&T / RBS Worldpay and many more ...
    I didn't, but notwithstanding that, why should a poster  need to provide such a list? Plenty of big names are hacked, but nobody is advocating giving them a list of all, most, or even just some of your passwords to other sites.

    I'll come back to what I said in the first place:

    Storing passwords on a web site, encrypted or not, is probably also suicidal.

    Any web site can be hacked, and many are. Any information they have may then be made available to anybody, and has been. It doesn't really matter whether LastPass has been hacked or not, the above, in italics, remains true. The same applies to any similar software, whether that company has been hacked or not.

    Talking about other companies that have been hacked is totally and utterly irrelevant.

    There is little to be gained from saying something isn't safe when it is; there is everything to be gained from saying something is safe when it isn't.
  • tecjam (Germany / Switzerland), Member, Posts: 255
    ermmm ..yes, you did, but you also recommended people didn't actually read it, but just read the link's URL as it already says it all?!

    One could argue that a site that is designed to store people's data (and many a company's) is likely to be more secure than you storing your data on your own synology owncloud or in a notepad document encrypted with truecrypt on your desktop or using your own crypting language that uses the bible or a song lyric to get the letters for your password or a piece of paper with really bad handwriting only the writer can read.

    A company whose business-model is to secure data using hundred-thousand rounds of encryption on each password & salt and whose main investment will be in infrastructure security, software security and vigorous security checks is for me likely to be a better option.

    No one claimed it is 100% safe, nothing is 100% certain apart from death.

    Alone the lengths a hacker would have to go through to be able to extract and make the data usable from such a service is a lot slimmer than you clicking a dodgy link and loading some infected javascript - the article I refer to above says exactly this in their conclusion.

    No one is telling you to use lastpass, but I for one like what it offers for free, also the ability to quickly change all your passwords in case of a breach.

    And of course the NSA already has all our data, so one would simply need to hack them.
  • TigerMoth, Member, Posts: 2,343
    tecjam said:

    ermmm ..yes, you did, but you also recommended people didn't actually read it, but just read the links URL as it already says it all?!
    No. That link is to a critique of the software itself. They mention the hack but simply describe it as "a complicating factor", without saying anything more about it.

    If you want to start following links from links from links then you'll cover the complete white hat community and therefore, as requested, cover hacks made against virtually any significant web site - including, I imagine, all those you named.
    tecjam said:

    One could argue that a site that is designed to store people's data (and many a company's) is likely to be more secure than you storing your data on your own synology owncloud or in a notepad document encrypted with truecrypt on your desktop or using your own crypting language that uses the bible or a song lyric to get the letters for your password or a piece of paper with really bad handwriting only the writer can read.
    First off, I wouldn't advocate using TrueCrypt. In fact, neither have they for about 18 months. From their own page at SourceForge:

    WARNING: Using TrueCrypt is not secure as it may contain unfixed security issues

    The software is only still available so that people can migrate to something else. Personally, I think it's a shame.

    Secondly, how much data do you think has been stolen from web sites that you listed, compared to how much has been stolen from individuals using any of the methods you've outlined?
    tecjam said:

    No one is telling you to use lastpass, but I for one like what it offers for free, also the ability to quickly change all your passwords in case of a breach.
    Me? I think you must realise that would be an uphill struggle. However, there are plenty of people who see recommendations for all sorts of software and think it addresses all their concerns. In fact, there is another side to the story, and other solutions. Uncontested recommendations are unfair to those people.