Password Security Catch-All Thread

Has anyone had issues with 2FA for iCloud on multiple devices? I have two iPhones and an iPad. I've tried enabling twice, but it never works on the iPad.

It's such a pain to disable once you turn it on that I'm loath to ever try it again.

Heads-up LastPass users: there's some kinda exploit... thing... in (at least) the Chrome extension

They're withholding details at this juncture so as not to encourage abuse of the exploit, despite its sophistication (code for complexity/obscurity?). Fix is being prepped, but they say in the meantime not to rely on the extension, use the vault directly to access sites/passwords.

Wow, that is scary. Hopefully it's just the Chrome extension.

If there's a risk, why did I not hear about it from LastPass? If there's an exploit serious enough that users should avoid using the Chrome extension, why are they not telling LastPass users who don't regularly read technical forums (I'm guessing that's most users)? Is this kind of nondisclosure common and I've just been living in blissful ignorance?

Can anyone comment what the Google and Microsoft two-factor experiences are like when using multiple mobile devices and browsers?

Do you have to constantly re-authenticate on mobile devices? I'm ok doing that in Chrome desktop once a day. What about simply logging in to Windows 10 at home?

Also, does either service work with third-party authentication apps or do you have to use Google's and Microsoft's own apps?

PaladinTom wrote:

Can anyone comment what the Google and Microsoft two-factor experiences are like when using multiple mobile devices and browsers?

Do you have to constantly re-authenticate on mobile devices? I'm ok doing that in Chrome desktop once a day. What about simply logging in to Windows 10 at home?

Also, does either service work with third-party authentication apps or do you have to use Google's and Microsoft's own apps?

I use Google's Authenticator app, and let Microsoft text me. I don't know if there are other options beyond their apps or SMS. You can mark any device as trusted so you don't have to re-authenticate each time (if you don't want to). Basically, the extra step of 2FA is negligible and infrequent, in these and any other cases IME. This is across three computers (home OS X partition, home W10 partition, work computer) and two mobile devices (phone and tablet).

PaladinTom wrote:

Can anyone comment what the Google and Microsoft two-factor experiences are like when using multiple mobile devices and browsers?

Do you have to constantly re-authenticate on mobile devices? I'm ok doing that in Chrome desktop once a day. What about simply logging in to Windows 10 at home?

Also, does either service work with third-party authentication apps or do you have to use Google's and Microsoft's own apps?

For Google, if you mark a device as trusted when you log in, you only have to do the 2FA thing the very first time you log in on that device. If you clear your credentials on the device later, it will ask you to do the 2FA thing again.

BushPilot wrote:

If there's a risk, why did I not hear about it from LastPass? If there's an exploit serious enough that users should avoid using the Chrome extension, why are they not telling LastPass users who don't regularly read technical forums (I'm guessing that's most users)? Is this kind of nondisclosure common and I've just been living in blissful ignorance?

+1000! I just confirmed that I have Security Notifications (via email) enabled, yet heard nothing. The fact that I have to rely on their Twitter accounts (or this forum) to find this out is asinine.

brouhaha wrote:
BushPilot wrote:

If there's a risk, why did I not hear about it from LastPass? If there's an exploit serious enough that users should avoid using the Chrome extension, why are they not telling LastPass users who don't regularly read technical forums (I'm guessing that's most users)? Is this kind of nondisclosure common and I've just been living in blissful ignorance?

+1000! I just confirmed that I have Security Notifications (via email) enabled, yet heard nothing. The fact that I have to rely on their Twitter accounts (or this forum) to find this out is asinine.

LastPass also posted it on their blog (I'm not a LastPass user, so I stumbled across it via other means). Anyway, they have now fixed the issue with the Chrome extension and deployed an update.

They have posted a technical analysis on their blog if that interests anyone: https://blog.lastpass.com/2017/03/se...

So I've enabled two-factor on my Apple, Microsoft, and Google accounts. Previously I've only enabled Steam, TeamViewer, and LastPass.

  • With iOS 10.3 I was finally able to authorize my iPad Pro 9.7. Until this update I was never able to authorize it after several failed attempts.
  • The Microsoft iOS authenticator app is quite nice as it supports notifications like LastPass. Since I've enabled it, though, I've gotten several pop-ups to authorize that are seemingly random. I'm hoping it's just apps or systems I've not gotten around to instead of someone having hacked my account a long time ago.
  • The Google iOS authenticator is barebones. Since it did not even support notifications, I disabled it and set up Google with the LastPass authenticator instead. One nice feature of LastPass is that if you are using the Chrome extension and log in to Google, it will throw a notification up on your phone. At least Google allows 3rd party apps.

It may be inevitable that all password managers get hacked eventually, but I still haven't seen a report of 1Password getting hacked, so I'm once again very thankful that my co-worker convinced me to switch to it from LastPass about 2 years ago.

@meatman, do you find it easier to use? I like LastPass but just started using it last year. I'll look it up, but is there a transfer tool to bring over your LastPass passes to 1Password?

My wife and I use 1Password as well, and it is pretty easy to use for us, mostly just use the browser plugins.

I am not sure how 1Password would be hacked, as they do not store your passwords or have any cloud syncing themselves. Your password vault is local and any syncing is done over Dropbox, so there is not a central target. For it to be hacked it would be someone getting something onto your local machine or hacking into your Dropbox, at least from what I understand.

LeapingGnome wrote:

My wife and I use 1Password as well, and it is pretty easy to use for us, mostly just use the browser plugins.

I am not sure how 1Password would be hacked, as they do not store your passwords or have any cloud syncing themselves. Your password vault is local and any syncing is done over Dropbox, so there is not a central target. For it to be hacked it would be someone getting something onto your local machine or hacking into your Dropbox, at least from what I understand.

1Password actually does have its own cloud service to store your vaults - it comes with the subscription option. The standalone version doesn't use it, which allows the syncing to things like Dropbox. Are you on the sub, or the standalone version?

groan wrote:

@meatman, do you find it easier to use? I like LastPass but just started using it last year. I'll look it up, but is there a transfer tool to bring over your LastPass passes to 1Password?

Transfer instructions here.

As far as ease of use, once I got familiar with 1Password, it was more or less as easy as LastPass. 90% of the time, I just use the browser extension. So I just right-click on the input field, click 1Password, then click the name of the website at the top of the following pop-up, and it automagically fills in my credentials and submits them. I don't even have to click the "Sign/Log in" button.

The other 10% of the time is when I'm away from home using my phone, in which case I sign into the app with my master password. Then I find the website I'm wanting to log in to, tap the copy icon, then paste the password into the website's field.

LeapingGnome wrote:

I am not sure how 1Password would be hacked, as they do not store your passwords or have any cloud syncing themselves. Your password vault is local and any syncing is done over Dropbox, so there is not a central target. For it to be hacked it would be someone getting something onto your local machine or hacking into your Dropbox, at least from what I understand.

A service getting "hacked" and exposing your encrypted vault is not the primary threat to be concerned about. You should essentially consider your vault exposed already. If you put it on the cloud, or transfer it over the wire, it's out there. It's been exposed to sniffing and traffic capture. What makes the vault secure is the encryption that protects it and the amount of time and resources it would take to break that encryption. Restricting access to your encrypted vault is an additional layer of security, but it is not the fundamental security of the thing. Encryption that stands up to attack is what makes a password vault a password vault.

The threat to be concerned about is compromise on the client end - ways that an attacker can access the vault that has been unencrypted on your system and residing in memory. This can be a bad/infected client update, or, like in the LastPass example linked earlier on this page, it can be JavaScript taking advantage of an exploit in the browser extension to gain access to data in the unencrypted vault. This is the scary scenario, and in this regard, 1Password is not materially safer than LastPass or any of the other alternatives. A bad update served up by a compromised host, or malicious JavaScript on a phishing page or served up in a banner ad exploiting the browser extension, is the same scenario for any of these products.

In order to be measurably more secure than what you get from a LastPass or other cloud-hosting vault service, you would need to take steps which are considerably more drastic than just switching to a different password vault product. You would probably need to not use browser extensions at all, for starters. You also would need to throw out the idea of hitting an Update button (or accepting auto-updates) to fetch the latest version of your password manager. You would need to use a tool in which every update to the tool is researched and verified by 3rd party auditors, and for which updates are extremely painstakingly and inconveniently managed to try and avoid the possibility of ever accepting a compromised update (even checksums and digital package signing are not foolproof).

In short, absent a serious deficiency on any of their parts (which isn't something to rule out, of course), bouncing from one password vault to another is mostly just changing seats within the same security ballpark. Moving to something significantly more secure involves using something that is significantly less convenient.

*Legion* wrote:

bouncing from one password vault to another is mostly just changing seats within the same security ballpark. Moving to something significantly more secure involves using something that is significantly less convenient.

QFT.

Moving to something significantly more secure involves using something that is significantly less convenient.

What I do is to use GPG on a Linux box, and copy and paste individual passwords from the clipboard. I'm vulnerable to keyboard sniffers this way, or to having the Linux box root-level compromised, but there are many many other attack vectors that won't work.

For my use case, this works quite well. I have a set of sites that I use regularly, for which I allow browser cookies, and thus don't have to log in very often (like GWJ, which is about once a month). Nearly all other passworded sites are once-a-month visits or less, and popping over to my terminal window, typing a command, a password, and then copy/pasting is not a major time investment, and offers a reasonable degree of safety.

Downside: you need a terminal program, a Linux machine, and at least a little expertise. Note that a Raspberry Pi is a perfectly acceptable remote Linux machine for this purpose.

edit: just make sure to do backups of both your keys and your encrypted text file or files. A local VM running rsync can do a very nice job, and if you've got enough RAM in the machine, you'll barely even notice a VM running.
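The GPG-and-clipboard workflow Malor describes, as an added example script that is not his own: it decrypts a GPG-encrypted password file, pulls one entry's password out of the plaintext, puts only that on the clipboard, and overwrites the clipboard after a timeout. Assumed (hypothetical) details: one tab-separated `site user password` line per entry, the vault at `~/.passwords.gpg`, and `xclip` as the clipboard tool.

```shell
#!/bin/sh
# Added example, not Malor's script. Assumptions (hypothetical): the
# plaintext is one "site<TAB>user<TAB>password" line per entry, the
# encrypted file is ~/.passwords.gpg, and xclip is the clipboard tool.

PW_FILE="${PW_FILE:-$HOME/.passwords.gpg}"
CLIP_TIMEOUT="${CLIP_TIMEOUT:-30}"   # seconds until the clipboard is wiped

# extract_field: read the decrypted vault on stdin and print field N of the
# line whose first field is exactly the site name. Exact match on the site
# column only, so "bank" does not also match "bankrate". Exits non-zero
# when there is no such entry.
# Usage: extract_field <site> <field-number>
extract_field() {
    awk -F '\t' -v site="$1" -v n="$2" '
        $1 == site { print $n; found = 1; exit }
        END { if (!found) exit 1 }'
}

# pw_copy: decrypt the vault (gpg prompts for the key passphrase; the
# plaintext never touches disk), copy one password to the clipboard, and
# clear the clipboard again after CLIP_TIMEOUT seconds.
pw_copy() {
    site="$1"
    pass="$(gpg --quiet --decrypt "$PW_FILE" | extract_field "$site" 3)" || {
        echo "no entry for $site" >&2
        return 1
    }
    printf '%s' "$pass" | xclip -selection clipboard
    # Background timer so the password is not left on the clipboard.
    ( sleep "$CLIP_TIMEOUT"; printf '' | xclip -selection clipboard ) &
    unset pass
}

# Usage: ./pw_copy.sh <site>
if [ -n "${1:-}" ]; then
    pw_copy "$1"
fi
```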

athros wrote:
LeapingGnome wrote:

My wife and I use 1Password as well, and it is pretty easy to use for us, mostly just use the browser plugins.

I am not sure how 1Password would be hacked, as they do not store your passwords or have any cloud syncing themselves. Your password vault is local and any syncing is done over Dropbox, so there is not a central target. For it to be hacked it would be someone getting something onto your local machine or hacking into your Dropbox, at least from what I understand.

1Password actually does have its own cloud service to store your vaults - it comes with the subscription option. The standalone version doesn't use it, which allows the syncing to things like Dropbox. Are you on the sub, or the standalone version?

Ah, I did not know that. I am on standalone; that is all they had when I bought it, I think, and I generally avoid any software subscriptions.

Have I Been Pwned adding a billion new records, taken from a couple of lists with unknown sources.

Epic Games emailed me this link because my email was on the list. I have used the same lazy password for years with a lot of low level sites ... not any more.

Thanks, that's a very good resource. It looks like a few accounts of mine were hacked, but nothing I cared very much about, and I *probably* didn't give those sites sensitive info.

That confirms for me, yet again, why you shouldn't give websites and MMOs your birthdate; I just use a consistent lie. (although I'm not certain I started lying before I set up my LOTRO account, which was a long time ago, so it's possible the real thing escaped into the wild.)

Malor wrote:

Thanks, that's a very good resource. It looks like a few accounts of mine were hacked, but nothing I cared very much about, and I *probably* didn't give those sites sensitive info.

That confirms for me, yet again, why you shouldn't give websites and MMOs your birthdate; I just use a consistent lie. (although I'm not certain I started lying before I set up my LOTRO account, which was a long time ago, so it's possible the real thing escaped into the wild.)

I have a consistent set of lies for the stupid "remember your password" security questions that some sites force you to fill out.

Also, that site linked by redherring was interesting if only because it took me down memory lane. Trillian, flashflashRevolution, last.fm...

Moderately interesting man-in-the-middle attack for 2FA
https://boingboing.net/2017/06/22/se...

DanB wrote:

Moderately interesting man-in-the-middle attack for 2FA
https://boingboing.net/2017/06/22/se...

That's pretty clever, actually. Right up there with the old social media-based attack of asking everyone to post what their porn star name would be.

merphle wrote:
DanB wrote:

Moderately interesting man-in-the-middle attack for 2FA
https://boingboing.net/2017/06/22/se...

That's pretty clever, actually. Right up there with the old social media-based attack of asking everyone to post what their porn star name would be.

Old??

Those go whipping through my Facebook feed through all my friends at least once or twice a week.

merphle wrote:
DanB wrote:

Moderately interesting man-in-the-middle attack for 2FA
https://boingboing.net/2017/06/22/se...

That's pretty clever, actually. Right up there with the old social media-based attack of asking everyone to post what their porn star name would be.

And another reason why security questions are stupid, as well as your super strong password being only as strong as someone looking up your mother's maiden name.

I live in wait for the day when someone asks me over the phone to answer one of my security questions, and I get to read them a 60+ character string of random ASCII.

And they better sit there through the whole damn thing, because this is my security we're talking about!

*Legion* wrote:

I live in wait for the day when someone asks me over the phone to answer one of my security questions, and I get to read them a 60+ character string of random ASCII.

And they better sit there through the whole damn thing, because this is my security we're talking about!

"Thank you, sir. The verification form on our side only stores the first 8 characters of your security answer, so you can stop reciting it."