Thread: Password managers.
View Single Post
Old 05-08-2017, 17:30   #13
Qtx
CF's Worst Nightmare
 
Join Date: May 2012
Location: Probably outside the M25
Services: Sky Fibre Unlimited 40/10
Posts: 3,473
Qtx has a bronzed appealQtx has a bronzed appeal
Qtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appealQtx has a bronzed appeal
Re: Password managers.
Quote:
Originally Posted by pip08456 View Post
I've been using LastPass for a few years now. They got hacked a couple of years ago but due the the encription no-ones passwords were comprimised.


They got hacked at one point and encrypted passwords stolen. That was probably less of an issue than:

1) the problems with their browser extensions (which fill in the passwords for you) that actually meant anyone running a website could completely pwn your computer. Remote code execution.

2) again an extension/addon issue which allowed any website to read your unencrypted password for any site they wanted. Basically it tricked the addon in to thinking you was on the site the password was for.

Both extremely bad issues and as with ANY software, it's unknown if there are other issues waiting to be found.

In reply to original poster....TL;DR Use Lastpass or Keepass2/KeepassX. Lastpass has prettiest interface and less hassle auto password entry. Keepass has not such a great interface and the way it inputs passwords is a bit of a hack on windows if I remember rightly. might not be everyones cup of tea. Keepass you can keep locally off the cloud if you want or sync to something like dropbox or manually if you want to use the passwords elsewhere too. Ignore 1Password.

At least having different passwords for different sites is a good start but you should let the password manager generate a secure password for you.
I'm paranoid through 'being involved in security' and penetrated enough systems and decrypted enough databases which has scared me enough to never want to store anything on the cloud, so would never use Lastpass, but for the average person it's an ok choice. I would recommend it to family as an easy choice, if I had not set them up other options.

Saying all that about LastPass...the other password managers, especially ones where your passwords are stored locally on your computer have another issues. Once you enter your master password to decrypt your password database, the decrypted passwords are in memory. Even though some try and make it difficult to just read the passwords straight from memory, it can be done and there are public/private tools to do so.

You already need to be infected by something to do that though. Whereas RAT's or traditional malware may have keyloggers or read your browser when you login to get passwords for the sites you visit, having a password manager open could potentially mean someone could read the memory and get ALL your passwords, even for sites you have not visited since infection. The chances of this happening are slim. Unless you are a journalist or something that the NSA/GCHQ's of the world are targeting, you shouldn't really worry. A determined hacker targeting you for whatever reason and is aware enough to read the process's, spot the password manager and then know about the tools to read the memory, is possible but again slim.

There is more of a chance that the sites you visit will get compromised and your username/passwords stolen from those, than your password manager.
Last edited by Qtx; 05-08-2017 at 18:14.
Qtx is offline   Reply With Quote