
LastPass Zero Day Exploit


Thread replies: 76
Thread images: 12

File: lastpass.png (13KB, 440x280px)
>LastPass unpatched zero-day vulnerability gives hackers access to your account
>A dangerous, previously unknown security vulnerability has been discovered in LastPass which permits attackers to remotely compromise user accounts.

http://www.zdnet.com/article/lastpass-zero-day-vulnerability-remotely-compromises-user-accounts/

https://twitter.com/taviso/status/758074702589853696
>>
>>55778857
> to your account
> There are literally niggers who give away their passwords to a third party
ISHYGDDT
>>
who /keepass/ here
>>
File: keepass.png (36KB, 512x512px)
>>55778857
I switched to KeePass a few years ago. Though, never use a password manager for important accounts like your main email and banking. Also, if possible, activate 2-step verification on your main email and banking accounts.

Here's my KeePass setup...

ON DESKTOP
>Keepass2 Pro Edition (pc program)
http://keepass.info/download.html
>Google Sync Plugin-2x (syncs my saved database stored on google drive)
https://sourceforge.net/projects/kp-googlesync/files/
>KeeFox (firefox addon)
https://addons.mozilla.org/en-US/firefox/addon/keefox/


ON ANDROID
>Keepass2Android Password Safe
https://play.google.com/store/apps/details?id=keepass2android.keepass2android&hl=en
>>
>>55778857
>>
>Using password managers at all
You deserved to get ya shit hacked
>>
>>55779238
I use a password manager for all my shit sites. It's a good way to sign up for some shithole site you're not going to use often, yet have your password manager remember your logon creds for the future should you return to the site.

I would never use a password manager for my sensitive accounts.
>>
>>55778857
And kids, this is why you don't store all your passwords in the cloud.
>>
We fucking told you that trusting your passwords with a third party was a stupid fucking idea
>>
>>55779318
Why can't you just use your browser's built in password manager?
>>
>>55779353
Because my browser's password manager doesn't provide smartphone cross-syncing, which is why I use KeePass.

KeePass allows me to cross-sync passwords from my desktop and smartphone apps.
>>
>>55779351
>>55779353
>>55779353
Based Tavis is going to make LastPass secure though
>>
Read the report. You're only vulnerable if you go to dodgy sites. The bug only applies to the auto-fill extension. Basically if the site is "fakedomain.com/domain.com/index.php" it will auto-fill your password for domain.com there. My understanding, anyway.
>>
>>55779381
>Syncing via cloud
Oh boy.
>>
File: 1436728415895.jpg (41KB, 604x499px)
>>55779381
>storing confidential password on your phone
>>
>>55779447
How do the autofill extensions on LastPass work? Do they automatically enter your username and password in the fields without any input from you? Would they do that automatically if the fields are in iframes/ads? Because if they do you could easily set up fake ads that get the passwords for major sites.

But then again the crossing section of a Venn diagram of people who use LastPass and the people who don't have ad blockers isn't going to be very massive.
>>
Not a problem with 2 step auth
>>
>lostpass does it again
TOP KEK
>>
File: end.jpg (61KB, 500x345px)
>>55779024
Right here.
Been golden for 6 years now with absolutely no complaints.

I told you stupid motherfuckers not to use this last pass cloud shit, but they just didn't fucking listen.
>>
>>55778857
>>55779400
>>55779381
>storing passwords in the cloud meme
You deserve getting hacked.
>>
>>55779097
Same here, minus the Google Sync Plugin.

I make my own keepass backups to my server.
>>
>>55779593
I'm not super knowledgeable, but yes, this is my understanding. I'm not bringing up that point as a general talking point about its security or lack thereof, but rather to demonstrate that if you're not an idiot, don't fall for phishing attempts and don't go to "untrusted" sites (e.g. twitter.com is not gonna have URLs like twitter.com/bankofamerica.com/) I think you should be okay.

I stopped using lastpass a while ago and deleted my account but reading this kind of freaked me out until I read the report, so I thought I'd share my understanding of it.
>>
File: retard.jpg (40KB, 346x450px)
>putting ALL my most important and sensitive logins in a centralized, third party company is definitely a great idea
>>
>>55779353
That would be a bad idea. Any functionality other than loading and displaying webpages is just an afterthought hacked in that's not actually meant to be used seriously.
>>
>>55780046
It's an encrypted container that you have the password for.

I bet you still save passwords in your browser or use the same password for each site.
>>
File: Windows-10[1].png (3MB, 1920x1080px)
>Using cloud based password storage
>>
>>55778857
Keepass / keepassx is the only way and keepass is getting audited
>>
>>55780601
ikr
I actually laughed out loud
>>
>>55778857
It probably is a client-end issue.
Which means you have to pwn FF or the browser (not hard to do).
>>
>>55780577
>what is KeePass(X)
>>
Who the fuck is this Travis?
>>
>using any third party internet-based password system
it's like you're asking for your passwords to get stolen
>>
I just use Enpass. It does have cloud storage, but instead of using theirs you can use something like Drive or Dropbox. P nice
>>
>>55780719
What's the point.

The only difference is that Lastpass allows you to sync the encrypted container between devices.

The company that makes LastPass doesn't have access to that container.
>>
I don't see why anyone would use a program like this.
Why cant you just remember a password.
Why use a middleman that could be hacked, exploited or taken over. Why tell them all your passwords?
>>
>>55779097
Can you import already existed passwords from firefox to this thingy?
>>
File: 1_006.png (105KB, 1280x800px)
my firefox developer edition running on xubuntu on lenovo thinkpad x201 doesn't have this problem.
>>
>>55780834
>Why tell them all your passwords?
Again you don't. You only send them the encrypted database. They only send you the encrypted database. ALL encrypt/decrypt happens locally on your PC. This is no doubt a client-side vulnerability and as such surely KeePass could also be affected in its own way. Nobody checks up on KeePass' plugins either. I bet my ass some of them are also vulnerable.
>>
>>55779640

This, if you have 2FA you are fine.
>>
>>55780826
>one of their release/update channels get breached
>attacker sends decrypted database contents to a server they control
It can, and probably will happen at some point
>>
>>55780870
jesus christ, your firefox looks like shit bulgbro
>>
I use Passwordmaker.

Basically it generates a unique password based on URL + master password. You keep the master password in your head. If the URL changes you can just enter the old URL + master password to get the password. URLs rarely change though unless they are warez/hacker/torrent sites.
In order for a hacker to get in using your password they would 1. need to know you are using Passwordmaker and 2. know your master password. You can also set Passwordmaker to generate longer, more complex passwords. I think there is a means to set it up for if a URL changes too but I have not looked into that as I have never needed it. Only Passwordmaker and the server you are logging into (hopefully salted and encrypted at their end) should theoretically know what the password is.

I don't understand why more people do not use it. All this cloud based password storage is really shitty. The only use I can find for it is for passwords for offline stuff or shitty cloud based logins that don't actually show a URL in a browser.
>>
>>55779024
keepassx FTW

>>55779967
same
>>
>>55781092
Oh and it's free.
>>
>>55778857
lol I only store password hints(incomplete) there
>>
>>55780881
So all it takes is one password and all your passwords are gone?
>>
>dropbox folder containing encrypted archive
>all passwords in text files in encrypted archive
>only download and extract the encrypted archive on PCs I trust, using software I trust
best of both worlds
>>
>>55781079

That's just what Linux is like.
>>
File: 1467673285483.jpg (63KB, 250x323px)
>tfw I have been using a simple note in google keep for all my passwords for years without any issues
>>
>>55779975
>>storing passwords in the cloud meme
+1
>>
>>55781128
Yes as with any other password manager.
>>
hey guys i have a better solution

pen and paper
>>
https://passwordmaker.org/

/thread
>>
>>55781224
>anyone who can get past the pin and tumbler lock on your front door, or hell, anyone who can pick up a rock, can get all your important credentials
well that sounds safe as fuck.
>>
custom password grid for each site FTW
>>
>>55781245
outside of the world of international espionage I can't imagine any would be robber combing through my house for fucking passwords of all things
>>
>>55781079
1. I wouldn't give a shit about how my browser looks. I only care about convenience while browsing a webpage.
2. it looks good to me.
>>
File: pg.png (88KB, 653x961px)
>>55781253
pic
>>
>>55781305
>outside of the world of international espionage I can't imagine any would be robber combing through my house for fucking passwords of all things
>angry girlfriend finds all your login deets, changes all your passwords, clears out your bank account and flies to Fiji
It's exaggeration of course, but writing down your passwords is security error #2 or 3
>>
>>55779238
This. I just use encrypted txts with the name of sites and the belonging account name + password in it.
Shit is easy.
>>
>>55781386
might wanna consider something like pass for easier management
same principle applies
https://www.passwordstore.org/
>>
>>55781348
>angry girlfriend
>ANY girlfriend

yeah...
>>
>>55781394
OH shit. Didn't know something like this existed. Thanks.
>>
>>55781348
same principle applies from password managers, you don't ever record main email or bank credentials anywhere
>>
>>55780112
[citation needed]
>>
>there are people in the year of our lord 2016 who still have dementia
>>
>>55780881
This is why i am against plugins if they are not audited.
>>
File: 1467986951540.gif (33KB, 420x413px)
lastpass is too comfy to leave
but i want to cry when reading things like this

https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
>>
>>55781432
>same principle applies from password managers, you don't ever record main email or bank credentials anywhere
Storing them encrypted on an airgapped computer is as safe as is going to be practical. It's not particularly unsafe; it offers fairly good protection from digital as well as physical compromise.
>>
I just bought a year of LastPass Premium.
>>
>>55780834
>Why cant you just remember a password.
I hope you aren't suggesting that I use the same password everywhere. Because that would be just as bad as using a third party cloud based password manager.

I do remember the password to my keepass database. However that is pretty much the only password I remember.
>>
>>55781073
Didn't it already happen?
>>
If you'd been paying attention /g/ has been saying use keepass over lastpass for ages.
>>
>>55781892
Always do the opposite of what /g/ says.
>>
File: 1455580326491.png (247KB, 432x313px)
>not using a note book with all your passwords
>using third party services for securing your accounts
>>
>>55780859
yes you can
file > import > firefox
This is a 4chan archive - all of the content originated from that site.