
/g/ - Technology

File: 17 KB, 580x386, splash-100030679-large.jpg
No.48511825


We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.
We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.
Nevertheless, we are taking additional measures to ensure that your data remains secure, and users will be notified via email. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.
If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
Because encrypted user data was not taken, you do not need to change your passwords on sites stored in your LastPass vault. Of course, we also recommend enabling multifactor authentication for added protection for your LastPass account.

>storing your passes in le cloud

even writing them down on post-its and putting them on your screen is more secure lmao

>> No.48511842

Who ever used that service was stupid to begin with anyway.

>> No.48511862

>passes and everything stoled
>we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed.

>> No.48511887

>what is PR
that's what they always say to keep their customers from leaving the sinking ship

>> No.48511909
File: 3.22 MB, 10000x10000, 1428261151053.jpg

lmao thats what you get for not using keepass

>> No.48511935

>writing them down on post-its

Dude, I actually did this for all my passwords at home after a shitload of malware scared me at age 8. I haven't had a single fucking problem since

>> No.48511966


>> No.48512023

Meanwhile my brain™ remains unhacked.

>> No.48512029

I can't be arsed to carry around a database file and connect my phone/USB stick whenever I need to quickly check a password.
I'd rather simply use my phone to check the multifactor pass and be done with it.


>> No.48512044

What's up with the random bits of German littered in the message?

>> No.48512063

what kind of passwords do you need at all times on your phone?

>> No.48512066

I just migrated a week ago from Lastpass to "pass", the Unix password manager.

Close one.

>> No.48512070

Try using passwords you can recall from memory then.

>> No.48512091

For now, anon. Who knows what the future holds. Computers first, then people's minds. Why do you think all these companies are developing technology that predicts human behavior?

>> No.48512096

Why would I waste my time with that ?
Current method clearly works and is safe.
I can easily recall from memory my lastpass password and if my phone gets stolen I have bigger issues to worry about than some shitty passwords.

>> No.48512110

>using software with no active development

>> No.48512126
File: 66 KB, 512x512, keepassx.png

enjoy your LostPass

>> No.48512130

>using a Web password keeper

You deserved it

>> No.48512134


>> No.48512138

I am not surprised at all.

>> No.48512151

If you do what you're supposed to and have unique passwords for every account you have, all with 16+ characters, lower and uppercase, numbers, special characters, etc. then it's extremely difficult to remember *all* of them. Yes, most of us remember the passwords for the 8 accounts we use at least once a month, but for everything else you have to either write them down or store them in an encrypted file.

Another thing one could do is only store memory joggers so you're not storing the password in its entirety.

>> No.48512161

KeePass is the way to go. Open source with gorillion of plugins.

>> No.48512434

Why the FUCK would you store all your passwords on some tiny company's servers?!

>> No.48512471

kek these kind of shitposts are literally the reason I still come here

>> No.48512506

This is why I use keepass and manually paste my passwords, how fucking lazy can you be?

>> No.48512512
File: 132 KB, 686x686, this deschanel.jpg

Golden post.
I don't understand what everyone is discussing in this thread anyway.

>> No.48512571

>putting all of your passwords in one basket
>putting your passwords anywhere outside of your own mind
I would only purposely not remember them if there was a chance I'd be tortured for them.

>> No.48512583 [DELETED] 

I could change my password but I'm too lazy and I have less than a dollar in the internet banking.

>> No.48512622

I don't understand why any halfway intelligent person would put all their passwords in one place, and why that place would be on the internet.

Hell, why not just buy a little notebook and write them down in there? Less likely for someone to break into your house and steal that notebook.

>> No.48512668

>I just migrated a week ago from Lastpass to "pass", the Unix password manager.
>Close one.

Look at this retard... he doesn't even understand that whoever hacked them has been stealing passwords for years and they just recently discovered it and are now admitting it.

>> No.48512727
File: 63 KB, 1446x1096, 1431814884201.png

I'm not even slightly surprised. Where are my KeePass bros at?

>> No.48512766
File: 20 KB, 398x409, 1429734188457.jpg

>I've been using the same password with just slight variations since my first ever internet account when I was like 5 on nickelodeon.com

>> No.48512814

This is funny, as I just installed LastPass, added an account, then uninstalled it. I just don't trust password managers, and now I see this. Lol. Old school text file within an encrypted container for me

>> No.48512823
File: 62 KB, 1000x787, brain.jpg

There's this super reliable password manager that's been around for millions of years, and the best part is that it's hackproof.

>> No.48512844
File: 93 KB, 2000x500, LostPass.png


>> No.48512848
File: 84 KB, 171x208, 1363292532771.png

>not just using the same password for everything

>> No.48512934

i bet it's 1234

>> No.48512945

Why would anyone store passwords on some cloud service? Retarded normies got what they deserved, heh.

>> No.48512954


Actually, it's quite vulnerable to both social engineering and crowbar-based decryption.

>> No.48512959

Too bad its storage system is variable up the ass.

>> No.48512970

that's what lastpass users get for being lazy and trusting their credentials to a third party

>> No.48512976

The bottom part looks disgusting.

>> No.48512987

Having a secure password is just a placebo effect.
Your data is NOT encrypted or "secured" with that password. It's just a way your identity can be verified so that a session can be created.

It's like having an expensive lock on your door but the thief can still get in through the window or just bust the door down.

> Fuck the free world

>> No.48512988

Writing down your passwords is literally the safest option. Not even joking.

>> No.48512998
File: 26 KB, 499x499, fucking frog.jpg

mine is: file extension + 2 numbers + some random profession in caps

for example rar82JANNY

Easy to come up with and to remember

>> No.48513023
File: 91 KB, 740x601, password_strength.png


>> No.48513041


>> No.48513055

I just jam my head on the keyboard when i need a password

>> No.48513063

>Using hardware to store passwords
Glorious unhackable wetware master race.

>> No.48513067

Do you want me to explain what entropy is?

>> No.48513077

But you're wrong.

>> No.48513097

He's not. Telling someone you don't trust all your passwords is idiocy.

>> No.48513100

>not using keepass
>not using owncloud to sync everything

>> No.48513115

You realize the passwords are encrypted locally?

>> No.48513116


>> No.48513125

Master passwords not compromised, therefore password databases not compromised. No big deal. l2encryption

>> No.48513129

Yes he is. The passwords are not stored in the cloud.

>> No.48513142

But still, change master password anyway just to be safe.

>> No.48513165

I also use verses from the bible


>> No.48513174

enjoy your dictionary attack

>> No.48513180

You can use spaces

>> No.48513208

Do you have any idea what a dictionary attack even is?
Do you have any fucking clue what you're even talking about?

>> No.48513213

Hackers are just atheists

>> No.48513219

See >>48513023 idiot

>> No.48513237
File: 216 KB, 180x180, 1431299575525.gif

>saving your passwords online

>> No.48513257

How secure is the Firefox password manager ?
Do I need to end my life ?

>> No.48513259

it's not the same if it's a passage from a book m8

>> No.48513262

>Company I work at started using this
>Everybody converts to it
>Isn't locking all our information behind one password accessible on the web a bad idea?
>No it's super secure lol le-password manager xDDD

Well I can't say I didn't think this was a stupid idea.

>> No.48513264
File: 35 KB, 377x527, 1432172871240.jpg


>> No.48513267

Max Kek!

>> No.48513274


>> No.48513288

then it's not a dictionary attack m8

Yeah, encrypted locally. With a password you send to them during registration.

>> No.48513290
File: 94 KB, 275x305, thrn.png

Good for storing passwords on random shit sites.

Thanks for letting me know /g/

>> No.48513292

*yawn* salted hashes, good luck with that.

>> No.48513311

>Do I need to end my life ?
There is never bad time for that.

>> No.48513321

Completely fucking unsafe.

>> No.48513323

And this is why I use KeePass since I can store the database where I want it to.

>> No.48513353

You don't ever send your master password to Lastpass. You hash your password salted with your username locally and authenticate with that hash.

>> No.48513357

Terrible, yes.

>> No.48513396
File: 1.17 MB, 282x200, Don+t+worry+anon+you+cant+get+pregnant+if+someone+ejaculates+_248e7a6f42706af8565349b73b2e89a2.gif

every single lostpass shill on /g/ should die in a fiery death

>> No.48513413

They didn't even email their users about it. They announced it over Twitter, linking to a blog post. I signed up with Lastpass because it was suggested on /g/. Is there a better alternative? Don't say your brain because I feel like the best password is the one you can't remember.

>> No.48513433

>I signed up with Lastpass because it was suggested on /g/.
By fucking who?

>> No.48513440


Only retards need password managers to have strong, different passwords for everything and to be able to remember them. Protip: use the initials of the thing you're making a password for as part of the password.

>> No.48513464

Nigga everyone here was calling it a botnet every time it was shilled, should've listened.

>> No.48513472

Stop using password managers you fucking retard. Every single one of them gets compromised eventually

>> No.48513478

closed source software? pfft, all those NSA backdoors. no thanks

>> No.48513503
File: 16 KB, 360x233, jfmsu.jpg


>> No.48513525

I doubt the NSA gives a rats ass about my Google and Microsoft accounts.

>> No.48513572

Launch codes I'd imagine

>> No.48513599


i'll take alcohol for $200, alex.

>> No.48513603

1) Don't trust Javascript encryption
2) You are entering your master password on their webpage. Any Lastpass employee/NSA changes the webpage to send them what you type, and you're owned. Can't trust a website.

>> No.48513640

In Firefox you enter the password in the add-on pop-up

>> No.48513676

Consider your threat model.

You're not going to defend yourself against the NSA and maintain even a semblance of convenience.

LastPass is not designed for people who want or need absolute, total security against nationstate-level entities. It's a tool to protect against basic hacker attacks.

>> No.48513751

yep, even bot herders get rekt

>> No.48513830

>How secure is the Firefox password manager ?
>Do I need to end my life ?
Firefox encodes passwords with base64 only and saves them in the profile folder. If you enable a master password in preferences, it will encrypt passwords with your key

>> No.48513841
File: 37 KB, 1039x851, 2015-06-15 14_27_15-LastPass Service Interruptions _ The LastPass Blog.png

This might be related to why they were experiencing interruptions

>> No.48513870

>storing password in the "cloud"
Full retard

>> No.48513998

I store my keepass kdbx on dropbox

how fucked am I?

>> No.48514073

unless you sync it, it is perfectly secure. firefox encrypts passwords with Triple-DES, and as you run GNU/Linux anyway and have your hard disk fully encrypted, and run a properly hardened firefox with ublock, https everywhere and noscript, and have all plugins disabled by default, you are pretty much safe.

>> No.48514330


And easy to bruteforce

>> No.48514352


>> No.48514624

>>storing your passes in le cloud
Indeed idiotic. Especially if you use services like lastpass. I have to admit I keep a readonly keepass database on onedrive though. I doubt anyone will crack it though since I have a 30+ character master password.

>> No.48514647

>I doubt anyone will give a shit about my porn passwords to crack it

>> No.48514675

No biggie.
It will take hackers time to break the encryption, and that is assuming they got the encrypted data. So just change your master password and also cycle all passwords stored in the next few days.

>> No.48514718

Also, they don't have the archives, just the password hashes and salts with the email addresses.
Even if nobody changed their passwords, the attackers would still have a very hard time getting the archives with just that.

After changing the master password (and therefore re-encrypting the archive), all they have (minus the email) is completely useless.

But of course that's assuming that the guys at LastPass aren't lying.

>> No.48514746


>On an NVIDIA GTX Titan X, which is currently the fastest GPU for password cracking, an attacker would only be able to make fewer than 10 guesses per second for a single password hash. That is proper slow! Even weak passwords are fairly secure with that level of protection (unless you’re using an absurdly weak password.) And this doesn’t even account for the number of client-side iterations, which is user-configurable. The default is 5,000 iterations, so at a minimum we’re looking at 105,000 iterations. I actually have mine set to 65,000 iterations, so that’s a total of 165,000 iterations protecting my Diceware passphrase. So no, I’m definitely not sweating this breach. I don’t even feel compelled to change my master password.

>fewer than 10 guesses per second
Nigga fucking pls, I ain't even going to change my fucking master password with that shit. I already do 150,000 iterations client side, I had no idea they did another 100,000 on the server side. Plus I have a 72-character password.

I'll see you faggots when the sun explodes.
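
Added example, not code from the thread or from LastPass: a minimal model of the two-stage PBKDF2-SHA256 authentication hash the announcement and the Ars quote above describe (client-side rounds salted with the account email, as one poster puts it, then 100,000 server-side rounds with a random per-user salt), followed by what an attacker holding the leaked (email, server salt, hash) triple has to pay per guess. Which value feeds each stage and the `enroll`/`verify`/`offline_crack` helper names are assumptions of this model, not LastPass's actual code.

```python
"""Added example, not code from the thread or from LastPass: a model of a
two-stage PBKDF2-SHA256 authentication hash (client rounds salted with the
email, server rounds salted with a random per-user value) and the per-guess
cost it imposes on whoever holds a dump of (email, server_salt, stored_hash).
The exact inputs to each stage are an assumption of this model."""
import hashlib
import hmac
import os
import time

CLIENT_ITERS = 5_000     # client-side default quoted in the thread
SERVER_ITERS = 100_000   # server-side rounds from the announcement
KEY_LEN = 32


def client_hash(master_password: str, email: str, client_iters: int = CLIENT_ITERS) -> bytes:
    """Stage 1, run in the browser: stretch the master password with the
    (lower-cased) account email as salt. This value, not the password,
    is what the client sends to the server to log in."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), client_iters, dklen=KEY_LEN)


def server_hash(client_side: bytes, server_salt: bytes, server_iters: int = SERVER_ITERS) -> bytes:
    """Stage 2, run on the server: stretch the received value again with a
    random per-user salt. Only this output and the salt are stored, so a
    database dump forces the attacker to redo both stages for every guess."""
    return hashlib.pbkdf2_hmac("sha256", client_side, server_salt, server_iters, dklen=KEY_LEN)


def enroll(master_password: str, email: str,
           client_iters: int = CLIENT_ITERS, server_iters: int = SERVER_ITERS):
    """Create the per-user record the server keeps: (server_salt, stored_hash)."""
    server_salt = os.urandom(16)
    stored = server_hash(client_hash(master_password, email, client_iters), server_salt, server_iters)
    return server_salt, stored


def verify(master_password: str, email: str, server_salt: bytes, stored: bytes,
           client_iters: int = CLIENT_ITERS, server_iters: int = SERVER_ITERS) -> bool:
    """Login check. The same computation is one attacker guess against a leaked record."""
    candidate = server_hash(client_hash(master_password, email, client_iters), server_salt, server_iters)
    return hmac.compare_digest(candidate, stored)


def offline_crack(email: str, server_salt: bytes, stored: bytes, wordlist,
                  client_iters: int = CLIENT_ITERS, server_iters: int = SERVER_ITERS):
    """Dictionary attack with the leaked triple: returns the first candidate
    that reproduces the stored hash, or None if the list is exhausted."""
    for guess in wordlist:
        if verify(guess, email, server_salt, stored, client_iters, server_iters):
            return guess
    return None


def measure_guess_rate(email: str, server_salt: bytes, stored: bytes, samples: int = 5) -> float:
    """Full-cost guesses per second on one CPU core at the default iteration
    counts (a GPU cracker is faster, but still pays all 105,000 rounds per guess)."""
    start = time.perf_counter()
    for i in range(samples):
        verify(f"wrong-guess-{i}", email, server_salt, stored)
    return samples / (time.perf_counter() - start)


def seconds_to_exhaust(keyspace: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a keyspace of the given size."""
    return keyspace / guesses_per_second


if __name__ == "__main__":
    email = "anon@example.com"                          # constructed sample account
    salt, stored = enroll("correct horse battery staple", email)
    rate = measure_guess_rate(email, salt, stored)
    print(f"one CPU core: {rate:.1f} full guesses/second")
    # Constructed wordlist; only the last entry is right, so the attacker pays for all three.
    print("cracked:", offline_crack(email, salt, stored,
                                    ["password", "123456", "correct horse battery staple"]))
    # Rough keyspaces: a common word plus digits / 8 lowercase+digit chars / 5 Diceware words.
    for bits in (28, 41, 64):
        years = seconds_to_exhaust(2 ** bits, rate) / (365.25 * 86400)
        print(f"{bits}-bit keyspace at this rate: {years:.3g} years")
```

The point the thread keeps circling: the iteration count sets the attacker's cost per guess, so the leaked salts and hashes only matter for master passwords whose keyspace is small enough to be swept at that cost. Run the script and compare the 28-bit row with the 64-bit row; raising the client-side count (as the quoted poster did) multiplies every row.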

>> No.48514760

>muh faceshit passwords etc
At least you can try to make it difficult for identity thieves.

>> No.48514774

They didn't even get the password databases themselves, just your master password and e-mail. So if you have 2FA enabled and/or a strong master password, you don't have shit to worry about.

Change your master password if you feel the need to, but they didn't even get the password databases themselves to perform offline attacks.

>> No.48514798

>an attacker would only be able to make fewer than 10 guesses per second for a single password hash
That sounds like some grade A bullshit right there. I have a feeling that a titan x accelerated brute force program can do more than 10 guesses per second. Not that it would matter anyway unless you use a password shorter than 12 characters.

>> No.48514803

I know but I always assume the worst so I will change passwords in the next few days just to be sure.

>> No.48514815

Did you even read the article you retard?

10 guesses per second because of the PBKDF2 iterations, which is the precise point of hash iterations.

I swear you fag/g/ots are the most technically illiterate board on 4chan.

>> No.48514839

>implying doing thousand iterations is somehow something new
You and that shithead probably barely know how to turn on a computer judging by your poor judgement in choosing a service like lastpass.

>> No.48514857

gtfo shilly bastard

>> No.48514870

Right, yes, the man who Ars goes to because he runs his own security firm and is an expert in password cracking is an idiot and you clearly know more than him.

Tell me more baseless assumptions, oh idiot of idiots.

>> No.48514882
File: 92 KB, 1023x868, 1432509614466.jpg

love lastpass
if my accounts get compromised so be it
oh no my reddit, pornbb, fitnesspall, ... got compromised what an end of the world
comfort is just too great

>> No.48514888

I have my passwords on a small sheet of paper with service name:password in my wallet.
Has worked fine for years.

>> No.48514899
File: 72 KB, 790x730, IMG_20150615_154531.png

>> No.48514951

I bet you believe Bruce Schneier is an authority on how to secure your computer too. I did some research which you apparently didn't because you are retarded. Elcomsoft claims to be able to test 20,000 p/s on an ATI Radeon HD 5970 in 2010 on PBKDF2 with 20,000 iterations.

>but muh less than 10 passwords a second

>> No.48514973

lastpass is shit but those tits are incredible

>> No.48514976

>Elcomsoft claims to be able to test 20,000 p/s on ATI Radeon HD 5970 in 2010 on PBKDF2 with 20000 iterations.
And the hash was...?

You know PBKDF2 is not a hash algorithm in and of itself, right? What were they using? SHA1? MD5? Because this uses SHA-256, which is a slow hash algo.

>> No.48515001

Oh, and also, 20,000 iterations is significantly less than the 105,000 minimum iterations that Lastpass performs, so that combined with the possibility of a different algo in and of itself pretty much negates any point you thought you were making.

Unless you'd actually like to prove him wrong. You know, besides being a faggot who thinks he knows more.

>> No.48515032

They didn't last very long tho

>> No.48515102


>> No.48515116

Well the hashing algorithm uses SHA-256 that elcomsoft wrote a brute force program for. So that would be 4k p/s on an ancient graphics card. But I guess your precious "security" expert wrote a javascript implementation or something.

>> No.48515121

They got saggy lately

>> No.48515203

>implying anything less than billions of guesses per second will ever crack a single password

>> No.48515266

topkek, Im still gonna use it and I wont even change my master password because I only saved unimportant shit in my lastpass vault.

>> No.48515304

>implying that somehow makes the less than 10 password guesses a second true
I think we all get it that you, Ars technica and the "security" expert are fucking retarded beyond help. It's ok. It's time to stop posting. I know it's a panic reaction to losing all your passwords because someone just MiTM the fuck out of lastpass.

>> No.48515342

We've been through that already, it's not "HAPPENING" and it's especially not "HAPPENING" for anyone with half a brain and two-pass verification.

>> No.48515346

Where does it say anything about the hashing algorithm that's used?



>> No.48515363

>someone just MiTM the fuck out of lastpass.
But...that's not what happened. Can you read? Can you into English?

>> No.48515370

I'm not the other guy you were talking to, faggot.

If you think anybody who didn't use "1234" as their master password is going to be compromised by this hack, you're fucking retarded or a shill

>> No.48515511

>tfw my boss is an asshat and forced me to put all passwords into LastPass, even the domain admin
>tfw he left and I immediately changed them and told his boss never to use LastPass ever again or shit would happen.
>tfw shit did happen.

no sysadmin should feel this smug

>> No.48515560

>mfw I use lastpass
>mfw I did not even read because I don't care

>> No.48515576
File: 49 KB, 720x720, smuggysmug.jpg

>mfw I would fire you for not being a "team-player"

>> No.48515626

>try it out once years ago
>didn't like it compared to keypass
>forget if I purged my data or not
I fucked up.

>> No.48515642

Ayy lmao

>> No.48515651

I'm currently the only IT employee for a 100 person company, and honestly I could use the vacation.

>> No.48515655

>Says the tripfag


>> No.48515660


>> No.48515662

if your password was long enough, this hack doesn't change anything, at all.

>> No.48515691

Pretty much the exact reason anyone who could rub two brain cells together didn't use that shit

>> No.48515934

Say my password was


How screwed am I?

>> No.48515941

>if your password was long enough,

How long?

>> No.48515980

Looks decent.

>> No.48516005

so, the best way to make a password is to put four random words together?

>> No.48516028

What is worse?

> putting your passwords in a third party app
> putting your passwords in le cl0uld


> both


>> No.48516073


AFAIK make them as long as possible, and have as much capitals, punctuation and numbers as you can remember in it.

Mine follows >>48515934 format. In fact, it's the same length

>> No.48516091

Yeah, better than all the alternatives.

>> No.48516099

>Lastpass got hacked
so what? you can have my lastpass vault. implying any of you weeaboos could crack it.

>> No.48516106

No, the point is that you don't need punctuations.

>> No.48516114

100% LEGIT

btw, the best password is "[email protected]", I saw in the news!

>> No.48516130

Assuming it's totally random and with high entropy, even something as short as 16 characters would do ya just fine. Something like aJFW5^193xHp$WOR would be effectively uncrackable with the hashing algorithms that they use.

I have a 77-character password (again, totally random, so it's looks like this ED0vFq9kK2&[email protected]%mGLdAyhxz14msj3ec23P^@TZlZWK43AMj%9FiooJv%Gs0$!dR#^j08zzAQd) and 150,000 iterations on the client side, combined with 100,000 iterations on the server side.

I'll be dead for centuries before something that long and randomized is cracked.

>> No.48516142


This is an incredibly poor explanation of password encryption and password "hacking"

correcthorsebatterystaple is a fairly secure password purely from its length, but a lot of websites (inexplicably) have a length limit. That's 25 characters, which is well above the 16 limit a lot of websites use now.
Assuming you put together 4 4 character length words, that's still very insecure.

Theoretically it should be more secure to simply make a very long password, but that's not how password cracking works. Dictionary based passwords produce very reliable and consistent hash data as well as being very easy to brute force because it's not hard to take a list of the 10,000 most common english words and force check against them up to 16 characters. That's trivial for a half decent server farm, which any serious cracker group is going to have access to

Even throwing in one capital letter and an $ will increase password security infinitesimally because now they're cracking total gibberish, instead of dictionary based length passwords.

XKCD is full of smart stuff, but it's also grossly incorrect a whole fucking lot.

>> No.48516143


>> No.48516156


I just received an E-Mail then

>> No.48516190
File: 37 KB, 630x470, 1345358712114.jpg

>I signed up with Lastpass because it was suggested on /g/
At least I know where my retard boss got this platform from.
Hooo-ly shit.


>> No.48516212

The security of Lastpass comes from the fact that data on their servers is fucking encrypted
I wish the hackers good fucking luck

>> No.48516216

>people chat and share images on Facebook/Whatsapp on a daily basis
>panic when Lastpass gets hacked which doesnt even matter since their vaults are uncrackable unless the user had a retarded password

>> No.48516279

nice damage control, Lastpass employees

>> No.48516296

You stupid fa/g/gots,

"Use a password manager"
"kek Lastpass masterrace"
"why remember 20 different passwords"
yeah, now what you pleb fucking cunts. Too pleb to remember more than 3 different phrases and now your shit is obsolete. You'll never know if your pass has been swiped or you're too autistic for anyone to care about your private data.

"Hurr they didn't crack any encrypted passwords, hurrr im still safe hurrr"
if a password manager got their server compromised, why would you trust them to keep your password safe, you mouth breathing fucktard, this is probably them handing over their master keys to FBI and throwing out this bullshit excuse.

If you continue to use them after this, you don't belong anywhere near a computer, let alone the power to vote or wipe your own ass. faggit.

>> No.48516316

>people chat and share images on Facebook/Whatsapp on a daily basis
Yes. This is Social Media.
>panic when Lastpass gets hacked which doesnt even matter since their vaults are uncrackable unless the user had a retarded password
It's a fucking SECURITY company letting their server get breached, this is literally their job and they failed too hard.

>> No.48516328

I suddenly have last pass premium.

>> No.48516346

after all this autistic talk, you still can't crack my passwords.. even if you did, well have fun with my useless and unimportant forum passwords.

>> No.48516350

Reminder they got the encrypted master passwords.
If you got a shitty master password you should change it. That's the only attack they can do right now.

>> No.48516356

you sound awfully mad

>> No.48516375

No one wants your password faggot.
The fact you use a centralized password manager tells me there is no experience or thought in your shitty life that will quietly go unnoticed, because you'll shout it at the top of your lungs to anyone within ear shot, you desperate beta cuck.

>> No.48516392

>trusting a security company so easily hacked that nothing else was compromised.
use your head anon.

>> No.48516395

>still using the same passwords from years ago

>> No.48516420

Let's say for shit's and giggles that they got everything on me from the servers. What's the damage here really?
It's all encrypted so they got gibberish.
My password is over 20 characters long with letters, numbers and special characters. I wish them good luck.
The e-mail leaks are annoying though, I'm expecting even more spam, first time being mt gox.

>> No.48516423

before you worry about lastpass, you should start worrying about all online services, of which at least 30% probably still save their passwords as clear text and hire PHP kids with little or no experience.

>> No.48516429

>all they have is my reddit password kek
These are the people who were/are defending Lastpass and other password cloud storage services.

>> No.48516435



>> No.48516437

>It's all encrypted so they got gibberish.
says who? Lastpass?

>> No.48516447
File: 34 KB, 960x540, ht_emoji_passcode_mm_150615_16x9_992.jpg

What is /g/'s opinions on Emojis being used for passwords?


>> No.48516448

So which keepass version is elite? 1 or 2.

>> No.48516466

absolutely this. If I'm to use a password manager, I use one that doesn't require online services like keepass.

>> No.48516490

The extension does the encryption, and that's open source.
Read up on it before being retarded.

>> No.48516647

>put your trust into this 3rd party open source encryption im a fucking idiot
no thanks.

>> No.48516730

Way too easy to crack. Assuming there are 50 different emojis, there's no limit to using the same emoji multiple times, and there's a limit of 4 emoji per password...

50 * 50 * 50 * 50 = 6,250,000

But, there's 26 alphabetic characters, 10 numerals, and about 14 special characters, meaning about 50 different options per character.

That'd be the same as allowing a 4 character password.

Emoji strings would need ridiculous lengths to be able to be crack-proof, but then it'd be difficult to remember 10 emojis, each of which encompass a single "idea", like smiling happy, man running, pink sunglasses, sun overcast by clouds, etc.

4 characters could be remembered as easily as "easy". The 4 characters are one idea.

You would only be able to fix it by having 10,000+ emoji for a 4 emoji password, which would make it excessively difficult to find the alligator emoji you used amongst the 30 different alligator emoji that exist.

10,000 ^ 4 = 10,000,000,000,000,000 or 10 quadrillion.

Compare that to ~50 different characters (alpha, numeric, special) in a 25 character long password.

50 ^ 25 = 2.98023223876953125 x 10^42

Emojis only are a terrible idea.

Now if you can put emojis INLINE with regular characters in a password, that would be AWESOME.
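
Added example, not part of the thread or of any post above: the entropy arithmetic the emoji post works out by hand, generalized to the other schemes argued about earlier in the thread (four random words, 16 random characters, the xkcd passphrase) and turned into time-to-exhaust at two guess rates. The alphabet sizes and the 10 guesses/second figure are the thread's own numbers; the 1e9 guesses/second rate is an assumed figure for a fast unsalted hash, included only for contrast. The function names are this example's own.

```python
"""Added example, not from the thread: entropy of the password schemes the
thread argues about, and how long exhausting each keyspace takes at a given
guess rate. Alphabet sizes and 10 guesses/s come from the thread; 1e9 guesses/s
is an assumed rate for a fast unsalted hash, used only as a contrast."""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly at random from
    `alphabet_size` possibilities. For a Diceware-style passphrase the
    'alphabet' is the word list and each word is one symbol."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and length >= 1")
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Exact number of candidates, e.g. 50**4 == 6,250,000 for the emoji case."""
    return alphabet_size ** length


def passphrase_bits(words_in_list: int, words_used: int) -> float:
    """A passphrase built from dictionary words is attacked per word, not per
    letter: 'correcthorsebatterystaple' is 4 symbols from the list it was drawn
    from, not 25 symbols from 26 letters. Rating it by letters overstates it."""
    return entropy_bits(words_in_list, words_used)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to sweep a keyspace of 2**bits candidates."""
    return 2 ** bits / guesses_per_second


# (label, alphabet size, symbols) for the schemes discussed in the thread
SCHEMES = [
    ("4 emoji, 50 choices", 50, 4),
    ("4 printable chars, 50 choices", 50, 4),
    ("25 random chars, 50 choices", 50, 25),
    ("16 random chars, 95 printable ASCII", 95, 16),
    ("4 words, 7776-word Diceware list", 7776, 4),
    ("4 words, 10,000 most common English words", 10_000, 4),
]


def report(guesses_per_second: float):
    """Return [(label, bits, years_to_exhaust)] for every scheme at the given rate."""
    rows = []
    for label, alphabet, n in SCHEMES:
        bits = entropy_bits(alphabet, n)
        years = seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR
        rows.append((label, bits, years))
    return rows


if __name__ == "__main__":
    for rate in (10, 1e9):
        print(f"\n--- {rate:g} guesses/second ---")
        for label, bits, years in report(rate):
            print(f"{label:45s} {bits:6.1f} bits  {years:12.3g} years to exhaust")
```

Two things fall out of the table that the hand calculation above does not show: at the ~10 guesses/second the Ars quote attributes to the 105,000-round hash, even the 4-emoji/4-character scheme takes about a week to sweep, while at a billion guesses per second against a fast unsalted hash it falls in milliseconds; and four words from a 7776-word list (about 52 bits) sit far above the 4-character schemes but far below 25 random characters, which is the distinction the correcthorsebatterystaple argument turns on.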

>> No.48516785

>Now if you can put emojis INLINE with regular characters in a password, that would be AWESOME.
It's called having special characters in your password, except you can remove some entropy because you can treat 2 characters as 1, being an emoticon.

>> No.48516787

I bet people here use chromes password syncing

>> No.48516810

haha this is why I don't use lastpass. Just use vim through gpg

>> No.48516822


How dumb do you have to be?

>> No.48516835
File: 1.94 MB, 180x230, 1434228387069.gif

Wait.. people actually kept private information on a cloud-based password service?

Please tell me you only used it for throway-accounts and such?

>> No.48517104
File: 34 KB, 323x311, 1431031139212.jpg

>mfw ppl still defend this

>> No.48517213

ITT: retards who don't know how encryption works

>> No.48517271


One trip to Nirsoft will reclaim those passwords

If you use browser password saving you're gonna have a bad time

>> No.48517336

As if anybody outside of /g/ gives a fuck what you autists think of their product

>> No.48517403

So you roll your own encryption since you think only retards use 3rd party encryption programs? Ok, have fun with that

>> No.48517417

ITT: retards who use their browsers password manager and have no idea why they're 1000x worse off

>> No.48517501

ITT: retards with blind faith that a company of 30 people, 19 of which are women, can develop a secure, uncrackable closed source product without fundamental weaknesses.

not the first time they got hacked either.

>> No.48517662

>closed source product
Every piece of code on the client side is open source. Their servers only do the syncing and storage of encrypted data + some metadata like email.
Are you retarded?

>> No.48517676

Never used Lastpass.

Is keepass just an offline version?

>> No.48517700

give link to source code of their various browser extensions please. I'm waiting.

>> No.48517738

I usually invent a word and use it as my pass. Been using the same password for the past 15 years.

>> No.48517955

Ugh... I'm a sysadmin. Our company has a LastPass Enterprise account. They use it for everything, including production passwords. This was in place before I started there, obviously.

I fucking hate it. The interface is goddamn atrocious, full of infuriating bugs, and the browser addons are completely broken. Last time I went in there to get a password, I had to authenticate FOUR GODDAMN TIMES. Don't ever try to use it for distributing files, that was a fucking DISASTER (again, not my idea).

In the few months I've been there, I had already suggested we move to something else. Twice. At least now I may have some leverage. Tomorrow I'll be researching a sane alternative.

Unfortunately, we have contracts with the government, so we're going to have to file an incident report. That's going to be a colossal pain in the ass.

>> No.48517959


>> No.48517991

that's just the cli-version. waiting on the source code for their

- linux
- windows
- mac
- android
- firefoxOS
- iOS
- Blackberry
etc extensions. don't leave me waiting, anon-kun~

>> No.48518016

what's the point of using this stupid shit?
they deserve everything coming their way the moment they trust their private shit on someone else's computer.

>> No.48518106

what is encryption

>> No.48518144

doesn't really matter if your stuff can be compromised.

>> No.48518162

don't you know how encryption works, anon?

>> No.48518219

If you store your passwords in your brain: it's more likely that you will forget them than LastPass being properly cracked.

If you store your passwords in a local password manager: it's more likely that you will have insufficient backups and lose access to them through hardware failure or theft than LastPass being properly cracked.

That said, I don't use LastPass anymore because I don't want to pay the subscription necessary to use it on my phone. Now I use KeePass but this leaves me with a strange dilemma: I have my database on Dropbox, but my Dropbox password is in the database, meaning that if I lose both my laptop and phone I will not have a local copy of the database and thus will not be able to access my Dropbox account. Need to fix this.

>> No.48518251

Doesn't dropbox have one time use passwords?

Put that in a safety deposit box.

Alternatively, just put a database with only the dropbox password in a safety deposit box.

>> No.48518273

this anon gets it

>> No.48518330

>free software

>> No.48519392

Lol, you have no idea what you're talking about bro, stop screaming from atop of mount stupid.

The comic is pretty clear if you know what entropy is, and what it says is logically sound.

>> No.48519635

now we know why level3 and equinix have been slow as fuck recently.

>> No.48521264

ITT: /g/ pretends that they were right all along as they uninstall LastPass

Hindsight is 20/20.

>> No.48521463

He later corrected it. It's 10kH/s.

>> No.48521473

That's the point, it DOES matter retard.
That's the whole point of encryption.

>> No.48521558

>using a proprietary cloud software for storing your passwords

>I don't care about NSA, I just want "good enough security" that doesn't constrict muh convenience
>end up getting no security at all, cause that is what eventually always happens when you try to tradeoff security for convenience

>> No.48521583

That is what you get for becoming one with the botnet.

>> No.48521640

>Robert Siciliano, an online safety expert to Intel Security, said the idea is a step in the right direction for password security.
>"Photos as passwords are a strong alternative to simple username and password," he said. "But we can't stop there. New developments in facial recognition will inevitably replace all current methods."
Emoji passwords are no different than character passwords.
Facial recognition is a _Bad_ idea. Biometrics cannot, and absolutely must not, be used to authenticate an identity. For authentication, you need something that can be independently chosen, changed, and rotated. Also, if your face is your password, then everyone who looks at you knows your password.

>Now if you can put emojis INLINE with regular characters in a password, that would be AWESOME.
It's called Unicode. Just allow the password input field to accept UTF-8 passwords.

>> No.48521643

While storing your pass elsewhere is surely a bad idea, having a bad password and reusing it is even worse. Most sites don't salt your hashes and some even store your passwords in plaintext. Even if a service like LastPass gets haxed you are safer than with your 12 symbol low entropy pass (and if you have less than 12 just kill yourselves, every rainbow table has your pass by now).

>> No.48522241
File: bunch of females heartily entertained.png

I always recommended keepass/keepassx.
There was always some fag recommending Lastpass.
I showed that they had bad security issues in the past
"But they are secure now"

You want something cross platform? Keepass/keepassx.
You don't want to carry your password database around? Put it in your favourite ownCloud or non-free variants (dropbox it's fine too, it's a totally encrypted file)

I was totally expecting Lastpass to be pwnd again.

>> No.48522270


>except it was yahoo, remember when people bothered with those fucks?

>> No.48522858

This is literally propaganda by hackers trying to get you to input passwords that are crackable by dictionary attack and rainbow tables.

Don't fucking do this, make a password out of nothing but simple words, are you retarded?

I bet "correcthorsebatterystaple" and millions of other 4-word combinations are in every rainbow table for every password-cracking system in existence since this comic came out

>> No.48523095

This isn't about the NSA, it could be a rogue employee or a hacker taking your passwords.

Yeah, to access the database, you do. Then, click "Security challenge" or whatever it's called. It'll ask you again to log in, this time not through the extension, but through typing your email and master password on their webpage. How is that secure?
And then, it somehow calculates how secure your master password is, and how secure all your other passwords are, and tells you which percentile of their userbase you're in when it comes to password strength. How in the fuck are they able to calculate that?
Even if they weren't actually accessing your passwords directly to calculate this, they absolutely, positively could by changing their code server-side, and you wouldn't know.

Anyone who trusts this service is dumb.

>> No.48523108

BTW, their website doesn't address any of these concerns.
They're either malevolent or incompetent.

>> No.48523141

i use it every day. i'm not even changing my master password : - )

>> No.48523351

Can't you just use a KeePass database that holds only your (generated) LastPass master password with 2FA and have the best of both worlds?

>> No.48523364

should i switch to keepass from using lastpass forever

>> No.48523395

the GPU clusters are working, should've used bcrypt

>> No.48523529

1Password masterrace

>> No.48523600

Holy shit, who builds a password manager that stores data online. A program like this should always be local, this design is legitimately retarded.

>> No.48523725

>I'm going to upload all my passwords to some other guy's computer.

>I'm going to upload all my passwords to the cloud.

One is the latest fad, the other thing is obviously dumb as fuck.

Both are the same.

>> No.48525538

Is 1password any good?

>> No.48525650

Muh cloud

Wouldn't be such a bad idea if the information was encrypted locally, and the third party was only there to host the encrypted data, having no part in the decryption and handling no decrypted data at all.

This is not the case. The United States Government has the legal authority to intercept decrypted data as it's processed. Not the biggest deal for amerifats, but for euros who work in businesses and such, the US government can intercept the decrypted data as it's decrypted in the servers and use the passwords to steal business secrets, government secrets, and generally anything they want.

>> No.48525798

>I can't remember passwords because I am literally retarded

You deserve this

>> No.48525833

Here's a password I use:

Here's another:


Now try remembering dozens of passwords like that, all unique.

The reason they're so short is becaus

>> No.48525874

So they have a hashed password of mine that they will never crack, and even if they do I still have 2 factor auth.

I don't see this as an issue really, I'm not even tempted to change my master password.

>> No.48525899

>Wouldn't be such a bad idea if the information was encrypted locally, and the third party was only there to host the encrypted data
that's literally what LastPass does

>> No.48525915

Yeah, using their software. Using their encryption.

>> No.48525919

>online password manager

>> No.48525926

Which can be and has been audited many times

>> No.48525957


>> No.48525988

Then my opinion of lastpass changes.
I still don't like the browser integration though.
Browser integration seems like an easy target for interception.

>> No.48526012

Yes the addon where it autofills is a potential security issue, but that's up to the user.

The data is encrypted and decrypted locally using a key that LastPass never receives on their servers.

>> No.48526109

>I'll just put all of my eggs in this basket I have no control over.
Serves people right if they get an assfucking from this.

>> No.48526528

Hey Keepass bros

Is there any way I can integrate Keepass to Firefox about as nicely as Lastpass? Would be good if it worked on Linux too.

>> No.48526633

Why would you want to? Might as well keep them all in a plain text file.

>> No.48526705

How so? Are you implying browser integration is somehow unsafe?

Not having to copy shit from other programs and paste to login forms is the exact reason I've been using Lastpass for now. Probably will keep using if there's no alternative that's actually convenient.

>> No.48526727

http://keefox.org/ is what you're looking for.

>> No.48526770

Thanks anon. I couldn't get it to work the last time I tried so I'll give it another go if it's the go-to answer.

>> No.48526979

>years ago

You fucked up by using the same passwords forever.

>> No.48527047

All the anti lastpass folks are windows people though

>> No.48527103

On the subject of phrase-based passwords: does capitalization affect entropy for a sentence taken from a book sans punctuation? What length is secure enough for a master password?

>> No.48527144

Memorize stuff from plays (which is fairly simple due to rhythm and tone) and you'll easily have 60+ character phrases. Caps should help with entropy.

>> No.48527168

>my reddit
>20 hours ago
>no one calling him out
Fuck, summer /g/ is the biggest shithole on this site.

>> No.48527233

You seem to be having trouble memorizing the meanings of some words, here you go:


indefinitely or exceedingly small; minute:
infinitesimal vessels in the circulatory system.

immeasurably small; less than an assignable quantity:
to an infinitesimal degree.

There, now I'm sure you won't make that stupid mistake again. Now, will you?

>> No.48527538

Assuming you're not retarded with passwords, the only way to penetrate lastpass is to have access to the machine.

Somebody will use this breach to get into your account if you used the same password elsewhere and hackers managed to breach those systems and get your password.

>> No.48528130
File: 9ETIHex_1_.jpg

>using a web based password manager

>> No.48528164

>not having easy access to your passwords
>implying hackers got into any of the user password vaults

>> No.48529328

I use the same fucking 8 letter and 2 numbers password for everything since 10 years ago, and nothing happened yet.

>> No.48529843

>easy access to your passwords

just write your shit down.

>> No.48529894

Just finished switching from LastPass to KeePass 2 + KeeFox (Linux). Browser integration isn't as good as LastPass but it's not horrible.

>> No.48529936

Everything that is important has two-factor authentication anyway so I don't care.

>> No.48529988
File: 1407527021253.gif

>not writing long passwords on a piece of paper and stuffing it somewhere

>> No.48529990

This announcement honestly made me laugh really fucking hard. Just to be clear, the users uploaded their passwords to a third party's computer (the cloud) and are surprised someone compromised that third party's computer?

You have to be a fucking idiot.

lol, like it wasn't a target to begin with?

>> No.48530008

>stuffing it somewhere
up your ass I bet.

>> No.48530024

Convenience beats security, every time. This is tech 101

>> No.48530049


Up your mothers while she told me her son used a "service" for his passwords.

I should stop because a lot of people poke in there.

>> No.48530079

Just to be clear, users submit their passwords to a third party's computer (the cloud) every time they want to login to a site and are surprised someone compromised that third party's computer?

You have to be a fucking idiot.

lol, like it wasn't a target to begin with?

>> No.48530081

>the users uploaded their passwords to a third party's computer
No, they uploaded encrypted data to the servers.

>> No.48530208

I keep my KeePass database on Google Drive. Seems sane enough with a good master password.

>> No.48531320



>> No.48532568

Anyone know of an alternative with just as good autofill and autologin? I tried keepass but both of those features were shit. Is there any way to make them better? The only reason I use lastpass is for those two things

>> No.48533988


>> No.48534133
File: 1407114736766.jpg


>> No.48534788


Don't be ludicrous.
Varied passwords through LastPass is significantly safer than two hundred accounts with variations of 'ihavenoimagination001.'
I would much rather set my family up with this, your hated compromise, than leave them with nothing.

>> No.48534813

They one hundred percent emailed people.

>> No.48534827


>> No.48534843

Looks like somebody doesn't know what iterations are or what PBKDF2-SHA256 does

>> No.48534848
File: don't fall asleep on the train.jpg

Don't worry buddy we'll be in there soon.

>> No.48534882

>storing passwords electronically AT ALL
>not just writing them down

Holy shit it's like you're asking for it

>> No.48534931
File: 1363077173703.jpg

>write once read never

>> No.48534944

Why the fuck do you people need a password manager? Just compute bcrypt(secret + service name)

>> No.48535082

Exactly my thoughts.

>> No.48535122

So tell me /g/, how am I supposed to have a different password for every account, each one easy enough to remember, and hard enough for a computer to guess?

>> No.48535192

You don't. Everybody here who pretends like they do is just reusing the same password over and over.

>> No.48535206
File: pep.png

>hashed + salt with 100k passes
That's actually pretty good.
Insufficient for 2015, but still far better than what I expected (plaintext)

>> No.48535238


pwdhash masterrace reporting in.

>> No.48535310

I just want you to know that you are precious and the posts that reply to you are cancer

>> No.48535347

>it's not hard to take a list of the 10,000 most common english words and force check against them up to 16 characters. That's trivial for a half decent server farm, which any serious cracker group is going to have access to
Somebody doesn't understand how exponential scaling works

>> No.48535356

Not at all. With so many passes it's basically impossible to crack it.

>> No.48535454

Then how the fuck is anyone actually secure? KeePass is nice, but if someone ever needs to access a password on a computer they don't own, unless they have a universal password or cloud solution they're fucked. xkcd's solution works for a small number of passwords but once you go past ten, remembering them all and what site each is for becomes nigh impossible. Writing them down is just asking for them to get stolen, especially if you need to take it somewhere. Putting them in a plain text file has the same problem KeePass does, and also is completely unencrypted. Using a universal password is a bad idea because if one website you use gets hacked, all your accounts are fucked. Lastpass doesn't work because it can be hacked, other internet options don't work because they can be hacked. I can see KeePass/some encryption algorithm being a perfect system if the only computers you need to have access to passwords on are ones that you own, and this description probably fits a lot of /g/, but a lot of people who work with computers do need easier access to those passwords. If you don't store your passwords somewhere, unless you're a savant, there is no way you use more than a small handful of passwords, in which case you are no more secure than anyone else. /g/ needs to stop acting so self-righteous about security because chances are, you aren't very secure yourself.

>> No.48535475

>Assuming you put together 4 4 character length words, that's still very insecure.
Since I was curious, I did some numbers: First, I opened up /usr/share/dict/words and counted how many combinations there are of 4 words you can make that are at total length 16 or lower.

The answer is 1976889363026176.

Let's put this into perspective, from “worst case scenario” to “best case scenario”. (Note: by “time to brute force”, I mean the time it would take to go through all possibilities, not the average time it would take to crack)

>Worst case
The password is hashed using MD5 or some other very bad and cheap algorithm, the attacker has a server farm full of GPUs. Hash rate: 100 Gh/s. Time to brute force: 5.4 hours

>Less bad case
The password is hashed using SHA-256 or some more modern algorithm, the attacker has a single workstation full of GPUs. Hash rate: 10 Gh/s. Time to brute force: 55 hours

>Medium case
The password is hashed using PBKDF2 or similar, with an average difficulty setting. The attacker has a single strong GPU. Hash rate: 200 kh/s. Time to brute force: 313 years

>Good case
The password is hashed using scrypt or another expensive function, with a higher difficulty setting. The attacker is running a few strong CPUs. Hash rate: 1 kh/s. Time to brute force: 62,686 years.

>Best case
The password is being cracked remotely, over the network. The attacker has a few powerful internet connections. Attempt rate: 100/s. Time to brute force: about 1 million years.

So as you can see, even this weak password would require extremely unfavorable circumstances to crack. If you're picking a password for your password manager, for example, you have all the luxury of using a strong function like scrypt.

And this is with 16 letters and only 4 words per password, (even if the length was significantly shorter than 16)

>> No.48535488

I think he's being serious, though.

>> No.48535499

Underrated post.

>> No.48535512

Why the fuck do you keep saying that KeePass is exclusive to computers that you own??? They have a portable version. You could store your database securely on the internet in case your USB drive crashes. Along with the master key for your database you can also require a key file, which you can pull from the internet as well from any computer. This easily seems like the best solution I've seen anywhere, especially since if you self host the database you won't be explicitly targeted like something like LastPass would. With this solution you would at most have to remember 3 or 4 main good passwords to keep the rest secure and that is not a hard feat.

>> No.48535667

Out of curiosity, I tried seeing what the number would be if you just kept picking random words until you arrived at a length of 16 (even if you had to pad up the rest with one-character words like ‘a’ or ‘I’).

This brings the total number of combinations to 856162097954799333776120, which is a whopping 10^8 increase over the number in the other post. (Meaning that even in the very very worst case scenario it would still take you well over 200,000 years to crack)

(For the interested: at length 24, it's 878709470437809349735971468283961271 - an insane 12 orders of magnitude above the previous figure)
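An added example (not code from the thread or any poster) that reproduces the arithmetic of the two posts above: the count of k-word sequences with total length at most 16, the follow-up's "keep picking words until you hit 16" count, and the brute-force times under the five hash rates quoted. It assumes a constructed toy word list in place of /usr/share/dict/words and a 365-day year; ordered sequences with repeated words allowed are counted.

```python
import math
from collections import Counter

# Constructed toy word list standing in for /usr/share/dict/words (assumption:
# the real list is not embedded; substitute open("/usr/share/dict/words").read().split()
# to reproduce the thread's own figures).
TOY_WORDS = ["a", "I", "cat", "dog", "fish", "horse"]

# Guesses per second for the five scenarios listed in the post.
SCENARIOS = {
    "MD5, GPU farm": 100e9,
    "SHA-256, GPU workstation": 10e9,
    "PBKDF2, one strong GPU": 200e3,
    "scrypt, a few CPUs": 1e3,
    "online guessing": 100.0,
}
SECONDS_PER_YEAR = 365 * 24 * 3600  # assumption: 365-day year (matches the post's 62,686)


def length_histogram(words):
    """Map word length -> number of distinct words of that length."""
    return Counter(len(w) for w in set(words))


def count_k_words_max_len(words, k, max_len):
    """Ordered sequences of exactly k words (repeats allowed) with total length <= max_len.
    Only the length histogram matters, so this scales to a 100k-word dictionary."""
    hist = length_histogram(words)
    dp = {0: 1}  # total length so far -> number of sequences reaching it
    for _ in range(k):
        nxt = Counter()
        for total, ways in dp.items():
            for wlen, n in hist.items():
                if total + wlen <= max_len:
                    nxt[total + wlen] += ways * n
        dp = nxt
    return sum(dp.values())


def count_any_words_exact_len(words, target_len):
    """Ordered sequences of any number of words whose total length is exactly target_len
    (the 'keep picking words until length 16' variant from the follow-up post)."""
    hist = length_histogram(words)
    ways = [0] * (target_len + 1)
    ways[0] = 1  # the empty sequence
    for total in range(1, target_len + 1):
        ways[total] = sum(n * ways[total - wlen] for wlen, n in hist.items() if wlen <= total)
    return ways[target_len]


def entropy_bits(keyspace):
    """Password entropy in bits for a uniformly chosen element of the keyspace."""
    return math.log2(keyspace)


def brute_force_years(keyspace, rate_per_second):
    """Time to exhaust the whole keyspace (as in the post: not the average time to a hit)."""
    return keyspace / rate_per_second / SECONDS_PER_YEAR


def brute_force_table(keyspace):
    """Exhaustive-search time in years for every scenario in SCENARIOS."""
    return {name: brute_force_years(keyspace, rate) for name, rate in SCENARIOS.items()}


if __name__ == "__main__":
    thread_keyspace = 1976889363026176  # the 4-word, length<=16 figure from the post
    print(f"{entropy_bits(thread_keyspace):.1f} bits of entropy")
    for name, years in brute_force_table(thread_keyspace).items():
        hours = years * SECONDS_PER_YEAR / 3600
        print(f"{name:26s} {hours:16.1f} h  {years:14.1f} years")
    print("toy list, 2 words, len<=6:", count_k_words_max_len(TOY_WORDS, 2, 6))
    print("toy list, any words, len==4:", count_any_words_exact_len(TOY_WORDS, 4))
```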

>> No.48535951

Nobody is secure. Everybody just wants to feel superior to others, so they pretend they're secure.

>> No.48535965

>hosting your key along with the database

>> No.48536007

>Lastpass doesn't work because it can be hacked

saying lastpass doesn't work because they were just hacked is like saying you need to change the locks on your car because somebody found your vin number

>> No.48536011

What's wrong with this?

>> No.48536016

I didn't say just hacked I said it can be hacked.

>> No.48536061

M8, read this. If you do that your passwords are doomed.


>> No.48536083

underrated posts

>> No.48536100

How can I delete passwords from Firefox?

>> No.48536113

You're not supposed to create pwds like that.

Just use dumb shit like
>[email protected] @ minu73
>[email protected]
>[email protected]@ttery

A hard to remember pwd for a human doesn't imply that it's hard to brute force and dumb pwds can be extremely long to brute force

Or just use the same pwd and just change the last few characters for each site

>> No.48536159

Agreed, I was a dumbass

>> No.48536234

Oh no. Now they can spend hundreds of days trying to crack my ridiculously hard passwords so that they can gain access to my 4chan Gold and PornHub accounts. Whatever shall I do.

>> No.48536505
File: 1429060570216.png

>combinator attack
So if I have a dictionary containing the words 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t, u, v, w, x, y and z I could use this to crack hashes of alphanumeric passwords of any length, because combinator attacks are somehow magic?

>> No.48536649

You could if you have enough time. It sounds like you didn't even read the article though.

>> No.48536667

>if you have enough time
Yeah, I think 550 years are more than enough time for me to accept the risk vs effort required.

>> No.48536770

>tried logging in on a new device
No mail telling me someone is trying to login with wrong password, not even after several tries.
>finally manage to log in
No new mail telling me someone logged in or even a mail with 2FA.
>have to use phone with app for 2FA
That's stupid, what's wrong with sending a code to your email? Or a text message? Fuck having to use an app that I have never heard about or had to use before.

It's worse than I thought, fucking hell. This company can't be serious?

>> No.48536832
File: ExponentiallyIncreasingFunction_1000.gif

>You could if you have enough time
No shit.

Most of the article talks about short (< 12 characters) passwords or ones that consist of a word from a dictionary, or some other kind of predictable patterns. Most of this shouldn't be too surprising to you. There are only like two sentences about passwords with an english-word dictionary as alphabet, and they seem to assume that you'd use few words and a small dictionary. Even Hashcat's combinator attack that they link to only deals with combinations of two words, and for a good reason.

>> No.48537212

>trusting cloud password storage
ayy lmao

>> No.48537220

holy shit my sides
