hooah
Feb 6, 2006
WTF?
I have my database and the executable in Dropbox and my key file elsewhere. I don't know how you could have managed to delete your database without realizing it, unless perhaps you didn't actually save it? As for the password requirements, you can get very specific with the generator in terms of length and what it includes: upper-case, lower-case, digits, minus, underline, space, special, brackets, and even whatever "High ANSI characters" are. You can also save various generator profiles so you can have one for like "short dumb password", one for "20 character everything", and so on.


Rocko Bonaparte
Mar 12, 2002

Every day is Friday!

hooah posted:

I have my database and the executable in Dropbox and my key file elsewhere. I don't know how you could have managed to delete your database without realizing it, unless perhaps you didn't actually save it? As for the password requirements, you can get very specific with the generator in terms of length and what it includes: upper-case, lower-case, digits, minus, underline, space, special, brackets, and even whatever "High ANSI characters" are. You can also save various generator profiles so you can have one for like "short dumb password", one for "20 character everything", and so on.
The file very much was on disk. I very much remember looking at where it was on the drive because I wasn't relying on the save dialog for something that could be so important; it was mapping to the generic windows user directory, so I wanted to just double-check where that was as a full path. I'm going to try it again with a bogus password until I get the user experience down.

I'd like to get into these rules some more because I know some other sites have pretty tough policies. I think the big killer was having repeated characters, but it never outright stated which policy my password attempts violated. It allowed passwords between 8 and 32 characters. It required at least a number. It claimed to also need a symbol, but it ultimately did not. I know there was something like a wizard, and I set a lot of those rules, but there wasn't anything for repeated characters.

Saukkis
May 16, 2003

Unless I'm on the inside curve pointing straight at oncoming traffic the high beams stay on and I laugh at your puny protest flashes.
I am Most Important Man. Most Important Man in the World.

Rocko Bonaparte posted:

I'd like to get into these rules some more because I know some other sites have pretty tough policies. I think the big killer was having repeated characters, but it never outright stated which policy my password attempts violated. It allowed passwords between 8 and 32 characters. It required at least a number. It claimed to also need a symbol, but it ultimately did not. I know there was something like a wizard, and I set a lot of those rules, but there wasn't anything for repeated characters.

Just generate a random password and then modify it so it fulfills the website requirements. Much simpler than trying to come up with a rule that produces compatible passwords, when it might affect only that one site.

Khablam
Mar 29, 2012

Generator -> Advanced -> 'Character must appear at most once'
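The two suggestions above (Saukkis: generate something random and then bend it to the site's rules; Khablam: the generator's "character must appear at most once" option) are easy to see in code. The following is an added example, not KeePass code and not from anyone in the thread: it uses Python's `secrets` CSPRNG, a hypothetical site policy assembled from Rocko Bonaparte's description (8 to 32 characters, at least one digit, a symbol only if the site really insists, optionally no repeated characters), and the "no repeats" profile is implemented as sampling without replacement. The character classes and the `SPECIAL` symbol set are assumptions.

```python
import secrets
import string

# Constructed character classes, loosely mirroring the generator options
# named in the thread (upper-case, lower-case, digits, special).
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_~"   # assumption: a conservative symbol set most sites accept


def violations(pw, *, min_len=8, max_len=32, need_digit=True,
               need_symbol=False, unique_chars=False):
    """Return the list of policy rules a candidate password breaks (empty = OK).

    The rule set is a hypothetical site policy built from the thread:
    8-32 characters, at least one digit, an optional symbol requirement and
    an optional "no repeated characters" rule."""
    problems = []
    if not (min_len <= len(pw) <= max_len):
        problems.append(f"length must be {min_len}-{max_len}")
    if need_digit and not any(c in DIGITS for c in pw):
        problems.append("needs a digit")
    if need_symbol and not any(c in SPECIAL for c in pw):
        problems.append("needs a symbol")
    if unique_chars and len(set(pw)) != len(pw):
        problems.append("repeated character")
    return problems


def generate(length=20, *, need_symbol=False, unique_chars=False, max_tries=1000):
    """Draw candidates from the OS CSPRNG until one passes violations().

    With unique_chars=True the characters are sampled without replacement,
    which is exactly what a "character must appear at most once" generator
    option does; the alphabet must be at least `length` characters long."""
    alphabet = UPPER + LOWER + DIGITS + (SPECIAL if need_symbol else "")
    if unique_chars and length > len(alphabet):
        raise ValueError("alphabet too small for a no-repeat password of that length")
    rng = secrets.SystemRandom()          # backed by os.urandom, not the Mersenne Twister
    for _ in range(max_tries):
        if unique_chars:
            pw = "".join(rng.sample(alphabet, length))
        else:
            pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over the passwords
        # that satisfy the policy; it only fails if the policy is unsatisfiable
        # for this length (e.g. length outside 8-32).
        if not violations(pw, need_symbol=need_symbol, unique_chars=unique_chars):
            return pw
    raise RuntimeError("could not satisfy the policy; check length against min/max")


if __name__ == "__main__":
    # Two "profiles" in the sense the thread uses the word.
    print("20 character, no repeats :", generate(20, unique_chars=True))
    print("16 character with symbol :", generate(16, need_symbol=True))
```

Running `violations()` on a rejected password is the part the website never did for Rocko: it names the rule that failed instead of just saying no.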

fourwood
Sep 9, 2001

Damn I'll bring them to their knees.
You might just start out testing it on not-important websites with lax password requirements, like somewhere that'll take a 16 or 20-character alphanumeric, repeats be damned. Learning the intricacies of password generation can come later.

Carbon dioxide
Oct 9, 2012

fourwood posted:

You might just start out testing it on not-important websites with lax password requirements, like somewhere that'll take a 16 or 20-character alphanumeric, repeats be damned. Learning the intricacies of password generation can come later.

Hell, start with saving your existing passwords, by using one of the Keepass browser plugins that ask you when you login somewhere, and also automatically fill password fields when you go to a site with a saved password. Once you've done that you can start migrating to more secure passwords. And don't forget to clear your browser's password saving feature once you got everything in Keepass, the browser's thing is incredibly insecure.

buglord
Jul 31, 2010

Cheating at a raffle? I sentence you to 1 year in jail! No! Two years! Three! Four! Five years! Ah! Ah! Ah! Ah!

Buglord
I've had a hell of a time lately with various accounts of mine getting broken into. Over the span of a month, my spotify account was accessed twice. My Playstation Network account was accessed and the person locked me out of it. I lost my Blizzard account the same way. In the span of an hour, Dropbox emailed me six times for password reset links. Today, Facebook emailed me a password reset link as well.

The best part of all this is that all my passwords are randomized through LastPass. I can understand this being a problem if I used password123 on all my accounts on the internet, but I don't. I've done multiple virus scans which come up clean. I don't know what else to do. I'm more security conscious than my friends who use the same password for everything, yet it seems like I'm under constant attack with periodic successful breaches.

How do I fix this goons :negative:

buglord fucked around with this message at 00:22 on Jul 16, 2016

Carbon dioxide
Oct 9, 2012

Avocados posted:

I've had a hell of a time lately with various accounts of mine getting broken into. Over the span of a month, my spotify account was accessed twice. My Playstation Network account was accessed and the person locked me out of it. I lost my Blizzard account the same way. In the span of an hour, Dropbox emailed me six times for password reset links. Today, Facebook emailed me a password reset link as well.

The best part of all this is that all my passwords are randomized through LastPass. I can understand this being a problem if I used password123 on all my accounts on the internet, but I don't. I've done multiple virus scans which come up clean. I don't know what else to do. I'm more security conscious than my friends who use the same password for everything, yet it seems like I'm under constant attack with periodic successful breaches.

How do I fix this goons :negative:

Is it possible someone got hold of your LastPass account? There have been a number of security breaches in LastPass itself in the last year. That's why in the OP (well, in the 2nd post), it's recommended to use KeePass or 1Password instead of LastPass.

Khablam
Mar 29, 2012

Avocados posted:

I've had a hell of a time lately with various accounts of mine getting broken into. Over the span of a month, my spotify account was accessed twice. My Playstation Network account was accessed and the person locked me out of it. I lost my Blizzard account the same way. In the span of an hour, Dropbox emailed me six times for password reset links. Today, Facebook emailed me a password reset link as well.

The best part of all this is that all my passwords are randomized through LastPass. I can understand this being a problem if I used password123 on all my accounts on the internet, but I don't. I've done multiple virus scans which come up clean. I don't know what else to do. I'm more security conscious than my friends who use the same password for everything, yet it seems like I'm under constant attack with periodic successful breaches.

How do I fix this goons :negative:

The reset links imply they have access to one or more of your email accounts and are trying to intercept the reset links (ditto for changing details on you), or someone is just loving with you.
You should be using 2FA on everything you mention above. If you don't use it on LP that's a very, very bad idea and possibly the source of your woes.

You need to just start eliminating vectors:
- compromised email account
- compromised PC (flatten and reinstall, don't just scan for issues)
- compromised LP (use keepass/1pass) - change master, enable 2FA
- some credentials are in a breach somewhere - change them
- compromised network (e.g. bad actor on a corporate network using SSL interception - rare)
- compromised user (you!)
- you were possibly phished
- you were possibly skimmed entering credentials on a machine you don't control
- you may ignore security cert issues
- you share credentials around partners or practice no practical security around a partner that doesn't trust you

buglord
Jul 31, 2010

Cheating at a raffle? I sentence you to 1 year in jail! No! Two years! Three! Four! Five years! Ah! Ah! Ah! Ah!

Buglord
Is 2FA through text messages decent (or at least reasonably better than no 2FA at all)? Since one of my breaches a few weeks back I turned it on everywhere I could. It looks like it gets as technical as carrying a little USB token thing around on a keychain. But that might seem overkill, or at least potentially useless if there's some other real obvious leak going on. I really, really hate the idea of nuking and paving my computer(s), since I just did that a month ago. But it seems like that's going to be the starting point for everything else to matter.

Thinking out loud here: I'll start with nuking my PC and Mac, stop using LastPass and migrate over to 1Password and generate new passwords, enable 2FA on 1Pass, then try to avoid any poor behavior in the future (logging into LastPass on a university computer), which I guess falls under compromised network?

Despite these attacks from all directions, my super important critical-to-financial-livelihood accounts haven't been screwed with yet. Or they have but I just don't know it yet :v:.

Khablam
Mar 29, 2012

2FA over SMS is fine, but google auth is easier and works on most (all?) phones made in the last 3-4 years.
Why did you nuke the machine a month ago; roughly the time you report the issues starting? How did you do it? You didn't happen to :filez: an ISO?

With the level of issues you are having I would start from the ground floor with 1password/keepass on a clean system and keep a tight eye on what you are installing from where. Both of these offer safe and secure ways to use them on machines that you don't own, though neither are completely immune to keyloggers. They will however not be as vulnerable as lastpass, whose whole core design will forever be vulnerable to clever phishing attacks; something similar to this could be left on public browsers to devastating effect. Their mitigations won't be of much help in these cases, as you would be expecting to authorise a new machine.

Until you have a handle on what's happening you can always do your banking on a Live CD.

buglord
Jul 31, 2010

Cheating at a raffle? I sentence you to 1 year in jail! No! Two years! Three! Four! Five years! Ah! Ah! Ah! Ah!

Buglord

Khablam posted:

Why did you nuke the machine a month ago; roughly the time you report the issues starting? How did you do it? You didn't happen to :filez: an ISO?
I nuked it because it didn't feel all that safe after the break-ins, and it had been at least four years since I reformatted (I used to reformat on an annual basis but stopped seeing a reason to do it). I had been wanting spring cleaning for a while and the security breaches gave me a reason to actually do it.

Khablam posted:

They will however not be as vulnerable as lastpass, whose whole core design will forever be vulnerable to clever phishing attacks
See this is something I'd totally fall for. That's shockingly believable and "Lastpass" has done that to me a few times :stare:.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Keep in mind that while yes you should enable 2FA everywhere, someone who is determined in getting access to an account of yours could just as well buy a new SIM and SE your mobile carrier to transfer your account details over to it.

It has happened with someone using Verizon.

So yeah. SMS 2FA is far from bulletproof.

buglord
Jul 31, 2010

Cheating at a raffle? I sentence you to 1 year in jail! No! Two years! Three! Four! Five years! Ah! Ah! Ah! Ah!

Buglord
Migrating everything from LastPass to 1Password is a hassle, but at least all the major passwords have been ported/refreshed over. Now it's just down to services/websites I only use once in a blue moon or don't care about. Since adopting 1Password I've switched from SMS 2FA to the little built-in code generators, so there's a little more peace of mind.

As far as browsers go, what are add-ons I can use that increase the safety of my browsing (Safari on my Macbook, Firefox on desktop PC)? I have uBlock installed on both. Not sure what else to do. NoScript/NoJavaScript any good?

Dodoman
Feb 26, 2009

A moment of laxity
A lifetime of regret
Lipstick Apathy
Having migrated from Lastpass to 1Password recently, it wasn't that tedious or annoying. 1Password is quite flexible.

Rufus Ping
Dec 27, 2006

I'm a Friend of Rodney Nano

Avocados posted:

As far as browsers go, what are add-ons I can use that increase the safety of my browsing (Safari on my Macbook, Firefox on desktop PC)? I have uBlock installed on both. Not sure what else to do. NoScript/NoJavaScript any good?

- set plugins to 'ask to activate'
- disable third party cookies
- enable DNT, not that any sites actually pay attention to it
- HTTPS Everywhere
- Privacy Badger
- RefControl

Carbon dioxide
Oct 9, 2012

I also use the Disconnect plugin. I don't know if using it and Privacy Badger at the same time helps any, but it doesn't hurt. Except that those plus my adblocker means that whenever part of a page doesn't work, I have no clue which plugins are blocking it.

Ojjeorago
Sep 21, 2008

I had a dream, too. It wasn't pleasant, though ... I dreamt I was a moron...
Gary’s Answer

Carbon dioxide posted:

I also use the Disconnect plugin. I don't know if using it and Privacy Badger at the same time helps any, but it doesn't hurt. Except that those plus my adblocker means that whenever part of a page doesn't work, I have no clue which plugins are blocking it.

Disconnect's blocking lists are already part of uBlock Origin.

Segmentation Fault
Jun 7, 2012

Whizbang posted:

Disconnect's blocking lists are already part of uBlock Origin.

I was under the impression it did some other things too. Is uBlock Origin just a superset of Disconnect then?

Pile Of Garbage
May 28, 2007

Segmentation Fault posted:

I was under the impression it did some other things too. Is uBlock Origin just a superset of Disconnect then?

I don't know whether there's any overlap between the uBlock and Disconnect filters but you can enable a whole bunch of different third-party filters, including Disconnect, in the uBlock Origin add-on settings:

Khablam
Mar 29, 2012

Probably posted elsewhere, but Tavis took a 'quick look' at lastpass and it's deeply problematic:
https://twitter.com/taviso/status/758074702589853696

This on top of some amateur-hour bugs in how the plugin works: https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/
(yes that's really making garbage URLs you can post anywhere be seen as valid for LP's auto-type, goddamn)

Trusting any passwords to lastpass would be a very poor decision at this juncture.

buglord
Jul 31, 2010

Cheating at a raffle? I sentence you to 1 year in jail! No! Two years! Three! Four! Five years! Ah! Ah! Ah! Ah!

Buglord
I nuked my Lastpass account last night (I kept it around just in case I forgot to port any important things to 1Password). I ported the few remaining websites that I had forgotten about, and then deleted the whole thing. Prior to that, I kept getting emails that there were login attempts from Eastern Europe. For the half month or so that I've been using 1Password, I haven't had any breaches so far, which is already a better track record than Lastpass this year.

Great Enoch
Mar 23, 2011
What's good standard practice for dealing with external media? I keep getting given hard drives I know have been left lying around in places like China by people whom the authorities have every reason to monitor. Professional and personal reasons (one of them has my wedding video :shepicide: ) mean I need to eventually access the data on these things but I've been trying to put off plugging them into my machines for too long now.


Also, what're people's thoughts on 1password's new online hosting offerings?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Great Enoch posted:

What's good standard practice for dealing with external media? I keep getting given hard drives I know have been left lying around in places like China by people whom the authorities have every reason to monitor. Professional and personal reasons (one of them has my wedding video :shepicide: ) mean I need to eventually access the data on these things but I've been trying to put off plugging them into my machines for too long now.


Also, what're people's thoughts on 1password's new online hosting offerings?

If the drive is sketchy, use it on a machine you should tag as "brown" and copy files manually. The brown machine should not run Windows just to reduce attack surface and you should never access the drives with a privileged account. Copy the contents of said drive to a known good drive and then you've lessened the chances of being screwed over. It's not perfect but it's the easiest.

I have no opinion on 1Password's setup however.

Midjack
Dec 24, 2007

OSI bean dip posted:

If the drive is sketchy, use it on a machine you should tag as "brown" and copy files manually. The brown machine should not run Windows just to reduce attack surface and you should never access the drives with a privileged account.

You might also do the copy booted into an OS running from an optical disk and don't connect to a network after you access the suspect volumes.
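Lain Iwakura's "brown machine" procedure and Midjack's live-OS addition describe a manual copy; the step that is easy to get wrong by hand is what gets copied. The following is an added example, not from either poster: a Python script for the non-Windows, non-privileged quarantine box that walks the suspect volume and copies only regular files, refuses symlinks, devices, FIFOs and sockets, copies content only (no ownership, no mode bits) and leaves every copy mode 0600 so nothing lands executable, then records a SHA-256 manifest so the clean drive can be checked later. The mount point and destination paths are assumptions; `demo()` builds a constructed sample tree in a temporary directory rather than touching a real drive.

```python
import hashlib
import os
import shutil
import stat
import sys
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_copy(src_root: str, dst_root: str):
    """Copy only regular files from a suspect volume into dst_root.

    Returns (manifest, skipped): manifest maps relative path -> sha256 hex of
    the copy; skipped lists every entry refused because it was not a regular
    file (symlinks, devices, FIFOs, sockets, symlinked directories).
    shutil.copyfile copies content only, and each copy is chmod 0600, so the
    destination never inherits setuid/executable bits from the drive."""
    manifest, skipped = {}, []
    for dirpath, dirnames, filenames in os.walk(src_root, followlinks=False):
        # Never descend into a symlinked directory on an untrusted volume.
        keep = []
        for d in dirnames:
            full = os.path.join(dirpath, d)
            if os.path.islink(full):
                skipped.append(os.path.relpath(full, src_root))
            else:
                keep.append(d)
        dirnames[:] = keep
        for name in filenames:
            src = os.path.join(dirpath, name)
            rel = os.path.relpath(src, src_root)
            st = os.lstat(src)                  # lstat: do not follow the link
            if not stat.S_ISREG(st.st_mode):
                skipped.append(rel)
                continue
            dst = os.path.join(dst_root, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copyfile(src, dst)           # bytes only, no metadata
            os.chmod(dst, 0o600)
            manifest[rel] = sha256_file(dst)
    return manifest, skipped


def write_manifest(manifest: dict, path: str) -> None:
    """sha256sum-compatible manifest: '<hex>  <relative path>' per line."""
    with open(path, "w") as f:
        for rel in sorted(manifest):
            f.write(f"{manifest[rel]}  {rel}\n")


def demo():
    """Constructed sample: a nested media file, an executable, and a symlink
    pointing outside the tree. Returns (manifest, skipped, mode_of_exe_copy)."""
    root = tempfile.mkdtemp(prefix="quarantine-demo-")
    src, dst = os.path.join(root, "suspect"), os.path.join(root, "clean")
    os.makedirs(os.path.join(src, "photos"))
    with open(os.path.join(src, "photos", "wedding.mp4"), "wb") as f:
        f.write(b"constructed sample bytes")
    with open(os.path.join(src, "autorun.exe"), "wb") as f:
        f.write(b"MZ constructed")
    os.chmod(os.path.join(src, "autorun.exe"), 0o755)
    os.symlink("/etc/passwd", os.path.join(src, "passwd"))   # must be refused
    manifest, skipped = quarantine_copy(src, dst)
    mode = stat.S_IMODE(os.stat(os.path.join(dst, "autorun.exe")).st_mode)
    shutil.rmtree(root)
    return manifest, skipped, mode


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Assumed usage on the quarantine box: quarantine_copy.py /mnt/suspect /mnt/clean
        m, s = quarantine_copy(sys.argv[1], sys.argv[2])
        write_manifest(m, os.path.join(sys.argv[2], "MANIFEST.sha256"))
        print(f"copied {len(m)} files, skipped {len(s)} non-regular entries")
    else:
        print(demo())
```

Mounting the suspect drive read-only with `noexec,nosuid,nodev` before running this, and doing so from an unprivileged account as the posts say, keeps the script itself from being the thing that gets fooled; the manifest written to the clean drive is what you verify against later with `sha256sum -c`.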

Axiem
Oct 19, 2005

I want to leave my mind blank, but I'm terrified of what will happen if I do

Great Enoch posted:

Also, what're people's thoughts on 1password's new online hosting offerings?

1Password for Teams is abso-loving-lutely amazing. We use it at work to manage all of our team shared password and box information and things like that, and it is a godsend.

1Password for Families is also pretty cool; my wife and I use it. We'd love to get our parents involved, but they have been dragging their feet for whatever reason. We haven't really gotten a chance to take advantage of its features because our children are too young for it to matter right now, but it's still decent enough to use.

andrew smash
Jun 26, 2006

smooth soul

Great Enoch posted:

What's good standard practice for dealing with external media? I keep getting given hard drives I know have been left lying around in places like China by people whom the authorities have every reason to monitor. Professional and personal reasons (one of them has my wedding video :shepicide: ) mean I need to eventually access the data on these things but I've been trying to put off plugging them into my machines for too long now.


Also, what're people's thoughts on 1password's new online hosting offerings?

how did your wedding video end up on a third world dissident's hard drive?

Cheese Bridge Area
Jan 27, 2008

Great Enoch posted:

Also, what're people's thoughts on 1password's new online hosting offerings?

They're offering 6 months free if you go to the website and click the banner at the top. I signed up a couple of days ago and I can't comment on the security but I'm not really impressed with the software integration, you need to use the beta software for windows and clicking on some of the features gave me a message saying this hasn't been implemented yet meaning they probably shouldn't be charging for it. Also there doesn't seem to be an easy way to merge any existing vaults to their online service other than going through everything individually. Not surprising that these online features are just kind of tacked on given how long they spent actively arguing against implementing their own online syncing.

All in all I think I may switch to keepass from lastpass. I don't really need to access all my passwords from my phone, and for the occasional ones for work, any reason why I shouldn't just use an encrypted note in iOS?

Doronin
Nov 22, 2002

Don't be scared
So for the past decade, I've been using McAfee subscription antivirus since I haven't had to pay for it. However, I just can't loving deal with it anymore obliterating all my available memory and generally causing my laptop to perform like poo poo. I know McAfee generally sucks, according to things I've read, but my patience has just run out.

I don't mind spending a few dollars per year (I think McAfee is like $50/year), but I'm open to suggestions on a viable replacement that won't cause the entire system to slow down to a crawl while it takes literally all goddamn day to "search for updates" and/or randomly scan for hours at a time.

Loving Africa Chaps
Dec 3, 2007


We had not left it yet, but when I would wake in the night, I would lie, listening, homesick for it already.

Doronin posted:

So for the past decade, I've been using McAfee subscription antivirus since I haven't had to pay for it. However, I just can't loving deal with it anymore obliterating all my available memory and generally causing my laptop to perform like poo poo. I know McAfee generally sucks, according to things I've read, but my patience has just run out.

I don't mind spending a few dollars per year (I think McAfee is like $50/year), but I'm open to suggestions on a viable replacement that won't cause the entire system to slow down to a crawl while it takes literally all goddamn day to "search for updates" and/or randomly scan for hours at a time.

Just use windows defender if you want AV.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Loving Africa Chaps posted:

Just use windows defender if you want AV.

There is no need to spend money on AV so this is relatively good advice.

Doronin
Nov 22, 2002

Don't be scared

Loving Africa Chaps posted:

Just use windows defender if you want AV.

Good stuff. But I suspect I want to keep my malware protection, too. Would Defender take care of that, too?

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

Doronin posted:

Good stuff. But I suspect I want to keep my malware protection, too. Would Defender take care of that, too?

Read the OP.

Red Dad Redemption
Sep 29, 2007

OSI bean dip posted:

Read the OP.

Speaking of the OP, any chance you'll be adding to it in the near term? Would love to see your thoughts on networking and firewalls.

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

Annual Prophet posted:

Speaking of the OP, any chance you'll be adding to it in the near term? Would love to see your thoughts on networking and firewalls.

That's what I asked! I do networking for a living so I was curious to hear OSI's input on home equipment.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
Added some stuff on firewalls as per your request.

Software firewalls are overall garbage and are only there to really make noise about a connection being made. They're even easier than AV to disable and are unlikely to prevent a compromise.

Hardware firewalls for home are useless and you should just disable a few things and use good hygiene when it comes to network use.

Pile Of Garbage
May 28, 2007

Might want to add a bit about restricting administrative access (HTTP, SSH, etc.) on the device so that it can only be administered via your internal network. Heaps of garbage devices have that enabled by default and it's how they get owned.

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender

cheese-cube posted:

Might want to add a bit about restricting administrative access (HTTP, SSH, etc.) on the device so that it can only be administered via your internal network. Heaps of garbage devices have that enabled by default and it's how they get owned.

Good point. Will add that.
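The point cheese-cube raises (admin HTTP/SSH reachable from outside by default) is something you can check on any device you have a shell on, such as a home server or a Linux-based router. The following is an added example, not from the OP or from anyone in the thread: a Python audit that parses `/proc/net/tcp`, which stores each IPv4 address as eight little-endian hex digits and the port as four big-endian hex digits, picks out sockets in LISTEN state (state `0A`), and flags admin ports bound to all interfaces rather than to loopback or a LAN address. The port list in `ADMIN_PORTS` and the sample table in `SAMPLE` are constructed assumptions; a consumer router with no shell needs its "remote management" setting checked in the web UI instead.

```python
import ipaddress
import socket
import struct

# Assumption: ports a home device typically exposes an admin interface on.
ADMIN_PORTS = {22, 23, 80, 443, 8080}

# Constructed sample in /proc/net/tcp format: SSH on every interface,
# HTTP on the LAN address only, a loopback-only service, and one
# ESTABLISHED connection (state 01) that is not a listener at all.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0101A8C0:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0101A8C0:0016 6401A8C0:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
"""


def parse_ipv4_endpoint(field: str):
    """'0101A8C0:0050' -> ('192.168.1.1', 80). The kernel writes the IPv4
    address in host byte order, so unpack it as a little-endian 32-bit int."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp_text: str):
    """Yield (ip, port) for every socket whose state column is 0A (LISTEN)."""
    for line in proc_net_tcp_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        yield parse_ipv4_endpoint(fields[1])


def exposure(ip: str) -> str:
    """Classify the bind address. Order matters: 0.0.0.0 and 127.0.0.0/8 are
    both 'private' to the ipaddress module, so test those first."""
    addr = ipaddress.ip_address(ip)
    if addr.is_unspecified:
        return "ALL_INTERFACES"
    if addr.is_loopback:
        return "LOOPBACK"
    if addr.is_private:
        return "LAN"
    return "PUBLIC"


def audit(proc_net_tcp_text: str, admin_ports=ADMIN_PORTS):
    """Return [(ip, port, exposure)] for admin ports bound beyond loopback/LAN.
    A LAN-only bind on a device with one LAN interface is what the post asks
    for; ALL_INTERFACES means the WAN side can reach it too."""
    findings = []
    for ip, port in listeners(proc_net_tcp_text):
        exp = exposure(ip)
        if port in admin_ports and exp in ("ALL_INTERFACES", "PUBLIC"):
            findings.append((ip, port, exp))
    return findings


def audit_live():
    """Run the audit on this host's own table (Linux only)."""
    with open("/proc/net/tcp") as f:
        return audit(f.read())


if __name__ == "__main__":
    print("sample findings:", audit(SAMPLE))
    try:
        print("this host:", audit_live())
    except OSError:
        print("no /proc/net/tcp on this system")
```

A clean result here does not mean the WAN side is closed (an upstream NAT or firewall rule may be doing that work), but a finding on 0.0.0.0 is exactly the default cheese-cube is warning about, and the fix is to bind the service to the LAN address or firewall the port on the WAN interface.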

Carbon dioxide
Oct 9, 2012

The 1.0 (first complete) version of a tool called Unchecky has been released.

I've not tested it myself so I cannot vouch for the tool being safe, but it seems to have positive reviews.

It's a little program that runs as a background service on Windows systems, recognizes a crapload of installers that try to bundle malware, annoying browser toolbars, and similar poo poo with their programs, and automatically unchecks the boxes that cause those programs to be installed. That way, the chance of accidentally installing that nonsense is reduced.

I'm sure it's not a 100% solution, those installers get updated as well, so you still need to be careful. And running yet another service on your computer might slow it down. But it sounds like it could be helpful for your digitally challenged neighbour who needs a full computer reset each month because their computer has bonzibuddy and a million browser toolbars yet again. So apparently quite a few support people install it on any computer they run into to save them work later.

Can someone who knows more about this than me take a look and confirm/deny whether Unchecky is good? https://unchecky.com/


Jose Valasquez
Apr 8, 2005

How does 1Password's web access differ from LastPass?
