Password Security Catch-All Thread [2015-06-16: Update your LastPass master password]

Just to bring it on home, Dreamhost's FTP/SSH password DB has been stolen, though one of the commenters says it may not have been breached. DH reset all FTP/SSH passwords anyway.

Eezy_Bordone wrote:

Just to bring it on home, Dreamhost's FTP/SSH password DB has been stolen, though one of the commenters says it may not have been breached. DH reset all FTP/SSH passwords anyway.

Not directly related to this, as this breach involves FTP/SSH passwords and not the web panel ones, but a Dreamhost engineer confessed on HackerNews that Dreamhost's panel passwords aren't hashed, but rather are stored via symmetric encryption (after another poster had commented on receiving passwords in plain text via password reset emails before).

Fortunately, this doesn't apply to the current breach, but the breach plus that little factoid makes me seriously wonder if Dreamhost is sufficiently security conscious to continue recommending to people wanting a shared host.

Anyone who's storing passwords as plaintext (which is what a reversible hash really is), in this day and age, is being grossly negligent. I think we'd be equally negligent to recommend them, knowing that's their practice.

Talk about your first world problems. I forgot the passphrase to public/private key I created two years ago and have to generate a new one to proliferate. That's going in my KeePass.

Note: This is a cross-post from the "Recommend me a Non-Gaming Podcast" thread, but I think people watching this thread might be interested:

The Risky Business podcast is back from a holiday break. A relatively short podcast about information and software security fails in the news and interviews with security researchers and company spokespeople. It's pretty awesome if you're into computer or network security. Also, one host is Aussie and the other is from New Zealand, so their accents are particularly delightful.

Warning, there is a non-zero chance that if you download this in the clear you may be put on the FBI's watch list.

Don't do this. Please...

IMAGE(http://mthruf.files.wordpress.com/2012/02/job-fails-identity-theft-password-notebook.jpg)

trueheart78 wrote:

Don't do this. Please...

IMAGE(http://mthruf.files.wordpress.com/2012/02/job-fails-identity-theft-password-notebook.jpg)

Letting people write down their passwords is seldom a big security issue. Sure, you probably wouldn't choose a book with "PASSWORDS IN HERE" on the front but it typically encourages people to use longer passwords and to use different passwords across sites. Also if they keep their password list with their computer if someone malicious finds it then security is a bit of a moot point as your malicious individual has physical access to the machine.

Writing down passwords > weak, re-used memorized passwords.

The booklet's cover is... unfortunate... but a little Moleskine notebook would be fine.

Yeah, writing all your passwords into a little book is a HELL of a lot more secure than using weak passwords.

Ideally, you want strong ones that are all different and that you can remember, but not everyone is blessed with that kind of memory. An encrypted password store is the next best bet. But if that's too technical, ye olde notebook is a decent solution.

Forgive me if this has already been answered. If I use a program like Keepass, and then use randomly generated passwords for, say, my Gmail, GWJ, World of Warcraft and so on, how will I access those services on other computers? Do I need to keep a copy of the password database on me at all times? Obviously memorizing long, randomly generated strings is not really an option, and that's the whole point of Keepass in the first place.

My biggest concern was the "HEY THIS IS WHERE ALL MY PASSWORDS R KEPT" print on the front.

I understand people can't remember 20 digit passwords as well as others, that's fine. But a neon sign about where they're kept? Unless that's stored in a locked device, I'd be highly against it.

Rallick wrote:

Forgive me if this has already been answered. If I use a program like Keepass, and then use randomly generated passwords for, say, my Gmail, GWJ, World of Warcraft and so on, how will I access those services on other computers? Do I need to keep a copy of the password database on me at all times? Obviously memorizing long, randomly generated strings is not really an option, and that's the whole point of Keepass in the first place.

KeePass users often use Dropbox as a way to make their password database available to themselves on other machines. (1Password actually bakes the host-on-your-Dropbox-account feature into the app).

Then there are the cloud hosted services like LastPass, in which your encrypted database is hosted on their servers, which naturally you can get to from any Internet-enabled system.

Rallick wrote:

Forgive me if this has already been answered. If I use a program like Keepass, and then use randomly generated passwords for, say, my Gmail, GWJ, World of Warcraft and so on, how will I access those services on other computers? Do I need to keep a copy of the password database on me at all times? Obviously memorizing long, randomly generated strings is not really an option, and that's the whole point of Keepass in the first place.

Yeah you need access to the password database file and a keepass executable whenever you want to get passwords out of it. I keep both on a USB keyring with my keys. If you don't want to do that the LastPass solution allows you to keep all your passwords in THE CLOUD.

trueheart78 wrote:

My biggest concern was the "HEY THIS IS WHERE ALL MY PASSWORDS R KEPT" print on the front.

I understand people can't remember 20 digit passwords as well as others, that's fine. But a neon sign about where they're kept? Unless that's stored in a locked device, I'd be highly against it.

I doubt it matters all that much really. A motivated malicious person will work out that the piece of paper with strings of random characters in your desk drawer is your list of passwords whether or not it has "PASSWORDS HERE" written on it.

Nice piece about using passphrases and their (non) randomness
http://www.lightbluetouchpaper.org/2...

*Legion* wrote:
Rallick wrote:

Forgive me if this has already been answered. If I use a program like Keepass, and then use randomly generated passwords for, say, my Gmail, GWJ, World of Warcraft and so on, how will I access those services on other computers? Do I need to keep a copy of the password database on me at all times? Obviously memorizing long, randomly generated strings is not really an option, and that's the whole point of Keepass in the first place.

KeePass users often use Dropbox as a way to make their password database available to themselves on other machines. (1Password actually bakes the host-on-your-Dropbox-account feature into the app).

Then there are the cloud hosted services like LastPass, in which your encrypted database is hosted on their servers, which naturally you can get to from any Internet-enabled system.

this.

Turns out that the Dropbox client in Linux works pretty well. And you can apt-get install keepass2 on Ubuntu, which lets you just click on the kdbx file directly. It's just using mono to run it, but the deb file sets up all the stuff for you. In a prior Ubuntu, I could just run keepass.exe directly, but they broke that for me in a recent update.

The key is to use a special Gmail password that you can remember. Turn on 2 factor auth. And then you have access to any password on the go, since most sites have a "forgot your password" option sent to your email.

DanB wrote:

Yeah you need access to the password database file and a keepass executable whenever you want to get passwords out of it. I keep both on a USB keyring with my keys. If you don't want to do that the LastPass solution allows you to keep all your passwords in THE CLOUD.

I finally got around to getting myself a USB drive (a nice Corsair USB 3.0 waterproof / drop-proof one). This executable you are talking about, is that just the one in the directory where Keepass was installed? Can I copy it and use it on another pc without having to install it?

55,000 Twitter account passwords leaked.

That link also links to Pastebins that show all 55,000 of the username/password pairs.

Looking at the list, a lot of them seem to be 8-character random passwords following a similar character set (no special chars, mixed case plus at least 1 number).

Then a lot of the other ones I saw were entirely numeric.

Don't know if any of that means anything, just interesting.

My account didn't make the list, but I changed my password anyway.

Rallick wrote:
DanB wrote:

Yeah you need access to the password database file and a keepass executable whenever you want to get passwords out of it. I keep both on a USB keyring with my keys. If you don't want to do that the LastPass solution allows you to keep all your passwords in THE CLOUD.

I finally got around to getting myself a USB drive (a nice Corsair USB 3.0 waterproof / drop-proof one). This executable you are talking about, is that just the one in the directory where Keepass was installed? Can I copy it and use it on another pc without having to install it?

Yes, keepass is portable.

I got an email from Irrational Games a few hours ago... heck, I'll just paste it here:

Irrational Games email wrote:

Hello there!

The Irrational Games Forum migration is now complete. There's just one last step that you need to take before you can start posting again!

For security reasons, we can't migrate your encrypted password along with your user ID, so you will need to reset it. In order to successfully login to the new 2K Games forum, you'll need to create a new password. As a reminder, your new password should include a minimum of 6-8 characters (we recommend a combination of alpha-numeric).

You can change your password here:
http://forums.2kgames.com/login.php?...

For your convenience, here's a direct link to the newly migrated forum: http://forums.2kgames.com/

We'll see you on the new boards soon!

So I head on over to forums.2kgames.com and submit a lost password request for my email address. That results in an email sent to me containing a unique link to click to reset my password, and this mind-boggling statement:

2K Games Forums email wrote:

When you visit that page, your password will be reset, and the new password will be emailed to you.

And yes, indeed, as soon as I clicked the link I received another email, with both my username and a new randomly-generated password. Fortunately the system didn't email my NEW new randomly-generated password once I LastPass'd the site.

Boardgame Geek was also possibly hacked. Reset your passwords there.

160,000 username/passwords from militarysingles.com have been leaked. The site was hashing passwords with MD5 (weak) and without salting. Weak hash + no salt to make repeated passwords have different hashes = 93% of the password list was decrypted in 24 seconds.

*Legion* wrote:

160,000 username/passwords from militarysingles.com have been leaked. The site was hashing passwords with MD5 (weak) and without salting. Weak hash + no salt to make repeated passwords have different hashes = 93% of the password list was decrypted in 24 seconds.

Edit the response to include unique salts and I'm with you. I've seen a lot of implementations where the same salt is used for all passwords, which while more secure than not using a salt, is still reasonably trivial to crack.

still reasonably trivial to crack.

It weakens the encryption because identical passwords will have identical hashes, so if you do crack a password, you may get several accounts. But it doesn't make it trivial. Whether the attacker knows the salt or not, cracking an individual password will take about the same amount of time.... it's just that non-randomized salt can give bigger payoffs for time invested.

Where it's actually trivial is when there are precomputed rainbow tables, but if you use any salt at all, whether fixed or per-password, there shouldn't be any that will work.

edit: after thinking about it a minute, I realized that a salt that the attacker doesn't know would have the effect of increasing password complexity for cracking. (unless, of course, they get lucky, and happen into a hash collision.) But if they're into the system far enough to get a fixed salt, they'll normally be able to extract the algorithm for a per-password one. I suppose in the case where they've breached the database, and you've (foolishly) stored the salt in the database, but they have no other access to the code or the filesystem, a fixed salt would be weaker than a changing one. But that's a pretty narrow case.

As a provider, you should still use per-password salts, just in case -- it's easy, and even a little bit more security is worthwhile -- but a fixed salt is only just a little weaker.
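The salt comparison argued over in the posts above, as an added example that is not part of any poster's message: it builds the same account table unsalted, with one site-wide salt, and with a random salt per account, then measures what each layout reveals. The account names, passwords, the `site-wide-salt` value and the two-word lookup set are constructed for illustration; MD5 is used only because it is the hash named in the thread.

```python
import hashlib
import os

# Constructed sample accounts (not from any leak); three users share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "sunshine1",
            "dave": "tr0ub4dor", "erin": "correct horse"}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def build_table(accounts, salt_for):
    """Return {user: (salt, md5(salt + password))}; salt_for(user) picks the salt."""
    table = {}
    for user, password in accounts.items():
        salt = salt_for(user)
        table[user] = (salt, md5_hex(salt + password.encode()))
    return table

def shared_password_groups(table):
    """Users whose stored hashes are identical, visible to anyone holding the table."""
    by_hash = {}
    for user, (_, digest) in table.items():
        by_hash.setdefault(digest, []).append(user)
    return sorted(sorted(g) for g in by_hash.values() if len(g) > 1)

def hashes_per_guess(table):
    """Hash computations needed to test one candidate against every account."""
    return len({salt for salt, _ in table.values()})

def precomputed_hits(table, lookup):
    """Accounts whose stored hash appears in a set of plain md5(password) values."""
    return sorted(u for u, (_, d) in table.items() if d in lookup)

UNSALTED = build_table(ACCOUNTS, lambda user: b"")
FIXED = build_table(ACCOUNTS, lambda user: b"site-wide-salt")   # same salt for everyone
PER_USER = build_table(ACCOUNTS, lambda user: os.urandom(16))   # random salt per account
LOOKUP = {md5_hex(w.encode()) for w in ("sunshine1", "letmein")}  # stand-in precomputed table

if __name__ == "__main__":
    for name, table in (("unsalted", UNSALTED), ("fixed salt", FIXED),
                        ("per-user salt", PER_USER)):
        print(name, shared_password_groups(table), hashes_per_guess(table),
              precomputed_hits(table, LOOKUP))
```

Any salt defeats the precomputed lookup, but only the per-account salt hides which users share a password and makes each guess cost one hash per account instead of one hash for the whole table.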

Sigh. Fortunately, I didn't use that service, but sigh, anyway.

I wish there was some way to know if a company was doing security correctly before trusting them with personal information.

A major breach has occurred with LinkedIn.

A password hash list consisting of 6.5 million entries has been leaked.

It is suspected that this is the complete list of password hashes for the LinkedIn service.

The hashes are straight-up SHA1, unsalted.

I can confirm that my password's SHA1 hash is in the list, and my password is a randomly generated 30-some long string of characters, and is used only on LinkedIn.

*Legion* wrote:

A major breach has occurred with LinkedIn.

A password hash list consisting of 6.5 million entries has been leaked.

It is suspected that this is the complete list of password hashes for the LinkedIn service.

The hashes are straight-up SHA1, unsalted.

I can confirm that my password's SHA1 hash is in the list, and my password is a randomly generated 30-some long string of characters, and is used only on LinkedIn.

I didn't bother to check the hash of my pass but I've changed my password.

Password was changed after seeing it pop up on Twitter. Also fun: informing your users of such hacks, and hearing the "I have to change another password?" groan.

For anyone that does try to check their hash, one thing to note is what's said in the top comment in the HackerNews page I linked to.

Many of the hashes have the first few characters replaced with zeros. This is suspected as being an indicator of hashes that the hackers have decrypted, as many of them correspond with trivially weak passwords.

So, if you're searching for a hash, leave out your hash's first 5 characters and then do the search. You'll either find a match with the first 5 characters still intact, or with those characters replaced with 00000.

My hash remained intact. Apparently about 3.5 million of the 6.5 million have been zero'd, suggesting over half the list has been decrypted.

How would I go about finding what the hash is for my password?

Tanglebones wrote:

How would I go about finding what the hash is for my password?

$ echo -n 'my-password' | sha1sum

Or find a website that takes input and spits out the SHA1 hash of whatever you paste in.
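The self-check described in the posts above (hash your password, then search the list for the hash with its first 5 characters either intact or replaced by 00000), as an added example that is not part of the thread. The function names and the sample list are constructed here; the password is read with `getpass` so it never appears on a command line or in shell history, and nothing leaves the machine.

```python
import getpass
import hashlib

def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def check_dump(password, dump_lines):
    """Return "intact", "zeroed" or None for this password's SHA-1 in the list.

    Matching is done on the last 35 hex characters, then the first 5 are
    compared against the real prefix and against the 00000 marker.
    """
    full = sha1_hex(password)
    prefix, suffix = full[:5], full[5:]
    for line in dump_lines:
        entry = line.strip().lower()      # tolerate upper case and stray whitespace
        if len(entry) != 40 or not entry.endswith(suffix):
            continue
        if entry[:5] == prefix:
            return "intact"
        if entry[:5] == "00000":
            return "zeroed"
    return None

def zero_prefix(digest: str) -> str:
    """Mimic the marking seen in the list: first 5 hex characters set to 0."""
    return "00000" + digest[5:]

# Constructed stand-in for the leaked file: one intact entry, one zeroed entry
# (written in upper case with a trailing newline), one unrelated entry.
SAMPLE_DUMP = [
    sha1_hex("constructed-example-A"),
    zero_prefix(sha1_hex("password")).upper() + "\n",
    sha1_hex("constructed-example-C"),
]

if __name__ == "__main__":
    # Assumes the list has been saved locally as hashes.txt (hypothetical file name).
    with open("hashes.txt", encoding="ascii", errors="replace") as handle:
        result = check_dump(getpass.getpass("Password to check: "), handle)
    print(result or "not found")
```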