Password Security Catch-All Thread

Arise!!!

Can any security gurus out there tell me if I'm missing anything with regard to my Chrome security? I have a work desktop, laptop and Surface that I use this on. I basically want to have a clean browser every session, but automatically log into websites as I visit them for convenience.

Here's what I am doing:
1. Set Chrome to 'Keep local data only until you quit your browser'
2. Set Chrome not to 'Enable Autofill' or 'Store Passwords'
3. Set Chrome not to run in the background when closed.
4. Use the plugin Click & Clean to clear everything (cookies, cache, history, etc) from Chrome on exit. (Chrome is set not to run in the background)
5. Use the LastPass plugin to auto-prompt for my password when Chrome launches
6. Login to LastPass using two-factor auth
7. Set LastPass to auto-fill and auto-login to most of my sites (excluding banking, corporate, and a few others)

Thoughts? I realize step 7 is the dicey one, but if I've shut down Chrome on a pc using this method there should be no cookies, history, etc for someone to hack into correct? This seems like a reasonable compromise to storing personal info on hardware I do not own.

You should also consider enabling Chrome's "click to play" for plugins:

Content settings > Plugins > "Let me choose when to run plugin content".

Change your Tumblr Password. And LinkedIn.

Personal information from more than 65m Tumblr accounts has been discovered for sale on the darknet.

Tumblr disclosed the leak, which it says took place in early 2013, this month, but had not previously acknowledged the scale of the database that was compromised.

The database includes email addresses and passwords, but the latter are heavily protected: Tumblr salted and hashed the passwords, a procedure which renders it practically impossible to restore the passwords to a useable state. It has since turned up for sale on darknet marketplace The Real Deal, with a sale price of just $150, according to Motherboard’s Lorenzo Franceschi-Bicchierai.

I'm going to link to this again: https://haveibeenpwned.com/

I updated my LinkedIn when that got talked about recently, but now seems a good time to just go ahead and auto change as many passwords as I can anyway.

Gawd bless LastPass.

Stop using KeePass:

CVE-2016-5119: MitM Attack against KeePass 2’s Update Check

The updater runs over HTTP, is trivially attackable with MiTM, and the dev isn't going to fix it because he'll lose ad revenue.

Seriously.

Or...

Until the version check has been switched to HTTPS update notifications should be taken with a grain of salt. To be on the safe side, new releases should be downloaded only directly from Keepass’s secured Sourceforge page: https://sourceforge.net/projects/kee...

You can work around it, but the devs are prioritizing their ad revenue over your safety.

What happens the next time there's a security problem where they might lose revenue?

edit: also, Sourceforge links aren't really HTTPS. They start that way, but the actual download is unencrypted. Look at the download link on the HTTPS page.

I just did this earlier today. Sourceforge is slimy as f*ck.

second edit: also consider that this is security software. It needs to be secure by default.

Eh. I'm not vulnerable to this particular issue because I have updates turned off and I don't use browser integration or anything.

But it might be time to think about switching to KeePassX.

In other news, TeamViewer might have been hacked from the inside and used to steal clients' data and even money from PayPal accounts. Secure passwords and 2FA were useless in this case.

TeamViewer is super popular isn't it?

Yeah I have only been with KeepassX

I know people are up in arms since LastPass was bought out by LogMeIn, but it seems to have continued on its development path just fine. It can be a bit quirky in how it interacts with sites at times, but it's overall very useful.

Hacked TeamViewer would be scary.

For the longest time I've used StickyPassword - and more recently LastPass in an attempt to switch, so far unsuccessfully. Anyone know how StickyPassword compares to the alternatives in terms of security - should I try harder to get rid of it?

https://www.stickypassword.com/
(not using cloud option)

Robear wrote:

I know people are up in arms since LastPass was bought out by LogMeIn, but it seems to have continued on its development path just fine. It can be a bit quirky in how it interacts with sites at times, but it's overall very useful.

Yeah, I found out about Lastpass here in this thread and I'm glad I did. Totally worth the $12/yr for the premium.

wanderingtaoist wrote:

In other news, TeamViewer might have been hacked from the inside and used to steal clients' data and even money from PayPal accounts. Secure passwords and 2FA were useless in this case.

Uh oh. I'm wondering if I should uninstall teamviewer.

And uninstalled. I used Teamviewer to log in and set up Windows RDC. I then logged in via RDC and uninstalled Teamviewer

Malor wrote:

You can work around it, but the devs are prioritizing their ad revenue over your safety.

What happens the next time there's a security problem where they might lose revenue?

edit: also, Sourceforge links aren't really HTTPS. They start that way, but the actual download is unencrypted. Look at the download link on the HTTPS page.

I just did this earlier today. Sourceforge is slimy as f*ck.

second edit: also consider that this is security software. It needs to be secure by default.

Then don't use SF. Ninite provides downloads for KeePass.

shoptroll wrote:

Then don't use SF. Ninite provides downloads for KeePass.

Security software needs to be secure by default. You should never, never need to take extra steps to make security software actually be secure.

They're refusing to fix this glaring, horrible hole because they'll lose ad revenue.

This is fake security software. Use it at your peril.

Any LastPass users vexed by it trying to auto login when you pull up the site from the extension? Some of the sites I have saved don't exactly have clean links to the login page, or LastPass does something weird when it submits the login and I end up with an error. I've tried disabling just about every "AutoLogin" setting there is, and I can't seem to make it stop doing that. I could easily stop pulling up the pages from the extension, but that doesn't feel like a true solution. Just wondering if others knew of this and if there was a fix.

Bubs14 wrote:

Any LastPass users vexed by it trying to auto login when you pull up the site from the extension? Some of the sites I have saved don't exactly have clean links to the login page, or LastPass does something weird when it submits the login and I end up with an error. I've tried disabling just about every "AutoLogin" setting there is, and I can't seem to make it stop doing that. I could easily stop pulling up the pages from the extension, but that doesn't feel like a true solution. Just wondering if others knew of this and if there was a fix.

I haven't noticed it, but the clean links problem comes from saving the site on the login or account setup page. I usually shorten the url down to just the www . sitename . com and leave off anything after that and they work fine.

I've noticed the stupid site saver saving the registration page, I'm doing what I can to prevent that from happening (although the Save Site dialog is way dumber now than it was before, which is annoying). But some sites I don't think can log in from the front page (not to name specifics, one's a health insurance site and the other is an investment site, might have to do with enhanced security/confidentiality and/or session timeouts), which sort of puts me back to square one.

It's time once again to play that game you all know and love: Change All Your Passwords.

Hack Brief: Yahoo Breach Hits Half a Billion Users. That's billion with a "b" folks.

I know I have a Yahoo account, but I can't think of the last time I used it, or if it's linked to anything else of note. Supposedly, the passwords that were breached were hashed.

Heh. And now my strategy of using a password manager to store not just the password for my almost entirely unused Yahoo email, but also the randomly-generated answers for the security questions pays off. Why yes, I can change my mother's maiden name.

(Though in reality what I did was turn them off and set up two-factor authentication. Fortunately Yahoo implemented that.)

Yahoo? Yahoo. Now there's a site I've not heard in a long, long time. I haven't gone to Yahoo since, oh, since before I forgot I had a Flickr account.

Gremlin wrote:

Heh. And now my strategy of using a password manager to store not just the password for my almost entirely unused Yahoo email, but also the randomly-generated answers for the security questions pays off. Why yes, I can change my mother's maiden name.

Yep. Right there with you.

My poor mom. High school must have been tough with a name like Jill hGrudb+"5X@:yfndgsg63GIva.

Gravey wrote:

Yahoo? Yahoo. Now there's a site I've not heard in a long, long time. I haven't gone to Yahoo since, oh, since before I forgot I had a Flickr account.

I need to find another picture host site after my Flickr Pro acct runs out. They keep changing Flickr and no one there seems to know what they're doing.

Holy crap the Yahoo breach was 2014!!

I just assumed yahoo was permanently hacked. It seems like there is always some relative that ends up having to make a new account after their yahoo address sends "Enlarge you P@nis" emails to everyone in their address book.