|
Before I used a password manager my system was to use a random password for pretty much everything except email and resetting every time I needed to log in.
|
#
?
Mar 11, 2017 12:22
|
|
|
|
| # ? May 17, 2024 19:03 |
|
|
spankmeister posted:Before I used a password manager my system was to use a random password for pretty much everything except email and resetting every time I needed to log in. 
|
|
#
?
Mar 11, 2017 12:23
|
|
|
What are people's thoughts on simply using browser password storage + a master password? That's presumably the same as using an external dedicated password manager since the password database is encrypted.
|
|
#
?
Mar 11, 2017 13:10
|
|
|
Chalks posted:What are people's thoughts on simply using browser password storage + a master password? That's presumably the same as using an external dedicated password manager since the password database is encrypted.
|
|
#
?
Mar 11, 2017 13:20
|
|
|
cinci zoo sniper posted:please tell me you didn't have to regularly log onto more than a couple websites It was mostly fine because a lot of sites were cookied. Or things like skype and steam or w/e that you only log in once per device usually. For stuff that I had to log in more frequently (bank, government etc) I just remembered the password.
|
|
#
?
Mar 11, 2017 13:57
|
|
|
Chalks posted:What are people's thoughts on simply using browser password storage + a master password? That's presumably the same as using an external dedicated password manager since the password database is encrypted. i just let my browser remember my passwords since i think the realistic threat model is more "some skiddie breaks radium's code and gets my password" and less "ve haf vays of makink you talk, mr. bond"
|
|
#
?
Mar 11, 2017 14:09
|
|
|
Wheany posted:i just let my browser remember my passwords since i think the realistic threat model is more "some skiddie breaks radium's code and gets my password" and less "ve haf vays of makink you talk, mr. bond" Yeah, I do the same - with 2fa for anything I give a poo poo about.
|
|
#
?
Mar 11, 2017 14:24
|
|
|
i just like having passwords follow me from one computer to the next, because when you're using 4 different machines plus a phone, eventually they're gonna disagree on which browser has the right set of passwords and that's annoying
|
|
#
?
Mar 11, 2017 15:03
|
|
|
anyone use the Firefox sync feature? supposedly it works the same as a good password manager, where mozilla can't look at your data, but i never investigated it fully 
|
|
#
?
Mar 11, 2017 15:50
|
|
|
Lutha Mahtin posted:anyone use the Firefox sync feature? supposedly it works the same as a good password manager, where mozilla can't look at your data, but i never investigated it fully
|
|
#
?
Mar 11, 2017 15:51
|
|
|
hey sec thread how easy would it be to make a USB "charging" station that compromises every device that gets plugged into it because this is what I assume every USB port charging station is
|
|
#
?
Mar 11, 2017 16:45
|
|
|
bump_fn posted:hey sec thread how easy would it be to make a USB "charging" station that compromises every device that gets plugged into it because this is what I assume every USB port charging station is i think the difficulty level would depend a lot on how long you wanted it to be effective. if it was something you set up at a big event with lots of people walking around, where it's only active for a few hours/days, that wouldn't be super hard. but if you wanted it to be active long-term, you'd need some way to keep it updated with new vulnerabilities
|
|
#
?
Mar 11, 2017 16:50
|
|
|
bump_fn posted:hey sec thread how easy would it be to make a USB "charging" station that compromises every device that gets plugged into it because this is what I assume every USB port charging station is there's been one set up in the hall at defcon for the last few years
|
|
#
?
Mar 11, 2017 16:57
|
|
|
fishmech posted:That's about making sure your users with the Worst Passwords have to change. lol if you think this will somehow make them choose good passwords. you have made someone change password to Password1 congrats. last.fm stands out most in my mind for this since it's a service i use a throwaway dont care password for. idgaf if someone manages to steal my scrobblin creds, surreptitiously auth to my account, and fill my listening history with hours of bieber. if someone does bother to do that id be more amused than anything.
|
|
#
?
Mar 11, 2017 17:09
|
|
|
anatoliy pltkrvkay posted:last.fm stands out most in my mind for this since it's a service i use a throwaway dont care password for. idgaf if someone manages to steal my scrobblin creds, surreptitiously auth to my account, and fill my listening history with hours of bieber. "someone"
|
|
#
?
Mar 12, 2017 01:03
|
|
|
Lutha Mahtin posted:anyone use the Firefox sync feature? supposedly it works the same as a good password manager, where mozilla can't look at your data, but i never investigated it fully I can tell you that it used to generate a random key that required an existing device to participate in authorizing a new device but then they changed it to just use the password https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/ it's probably fine if you use a good password? oh amazing, they have conflicting documentation up for both versions https://support.mozilla.org/t5/Sync-and-Save/How-do-I-add-a-device-to-Firefox-Sync/ta-p/21091 https://support.mozilla.org/t5/Sync-and-Save/How-do-I-set-up-Sync-on-my-computer/ta-p/21417
|
|
#
?
Mar 12, 2017 01:32
|
|
|
both versions still work - if you have a legacy account it still works, and you're not required to upgrade. not sure if you can still add new devices to it though the new version is because people kept forgetting their master keys and there's no way for mozilla to recover people's password like that, so they just have a password now. people ruin everything
|
|
#
?
Mar 12, 2017 01:49
|
|
|
cinci zoo sniper posted:i used to be like that before reading this thread - cool poo poo password for important things, and a few disposables for the rest i used to do that too and my main disposable from back then was only 8 characters and is now in rockyou.txt and someone's been systematically compromising all my old accounts that i don't use anymore and sending all my contacts spam thanks, stupid young me 
|
|
#
?
Mar 12, 2017 01:53
|
|
|
Truga posted:both versions still work - if you have a legacy account it still works, and you're not required to upgrade. not sure if you can still add new devices to it though i've got a recovery key from back when i used firefox. it's like 25 characters long
|
|
#
?
Mar 12, 2017 01:56
|
|
|
"hey remember that skype account you made like over a decade ago as gokufan69420? no? well good luck figuring out which one it is when you start getting "lol u got hacked" messages from your friends"
|
|
#
?
Mar 12, 2017 01:57
|
|
|
just make sure to always use a phone number you have access to when you set up something for account recovery i have an old gmail account i've pretty much lost
|
|
#
?
Mar 12, 2017 01:59
|
|
|
ate all the Oreos posted:"hey remember that skype account you made like over a decade ago as gokufan69420? no? well good luck figuring out which one it is when you start getting "lol u got hacked" messages from your friends" That's actually exactly what happened to me recently. The account recovery steps involved listing what your last payment was and listing people on your contact list, for an account that I last touched a decade ago. Unsurprisingly, I was unable to recover it.
|
|
#
?
Mar 12, 2017 03:10
|
|
|
OSI bean dip posted:just make sure to always use a phone number you have access to when you set up something for account recovery i had written off an old gmail account that I left tied to a phone number I no longer had, but it turns out you can answer some questions about usage (how old is your account, how often did you send emails, name some addresses you emailed) and have support give you access somehow I guessed right enough which on one hand was shocking (it was a 10+ year old account and mostly a throwaway for signing up for unimportant websites) but on the other hand google probably has some cache of evidence linking me to it 
|
|
#
?
Mar 12, 2017 03:52
|
|
|
quote:The Canada Revenue Agency took its online services down at 1 p.m. Friday afternoon, after discovering an issue during website maintenance on Thursday night. guessing it was the struts vulnerability but who knows
|
|
#
?
Mar 12, 2017 08:21
|
|
|
I have a login for a top-5 global bank that allows me to process international funds transfers (on behalf of my clients) worth millions of dollars. It has 2FA which is in the form of a little authenticator with a keypad they mailed to me. I log into their website and then it prompts me to enter an 8 number challenge code into the device. It then gives me an alpha-numeric response to type into the website. Then I have a personal password. Over the past few months I've discovered the website re-uses challenge codes. And not just like the same one after 60 days... I will often get the same code several times a week. There appear to be a max of 10 codes or so. Then the authenticator will give the same response to the same challenge code. It isn't salted based on the time or date or anything. This has resulted in me memorizing the codes (I login and out multiple times a day) so I don't need to use the authenticator anymore.
|
|
#
?
Mar 12, 2017 15:36
|
|
|
Zero One posted:I have a login for a top-5 global bank that allows me to process international funds transfers (on behalf of my clients) worth millions of dollars. 5
|
|
#
?
Mar 12, 2017 15:49
|
|
|
I'd bet HSBC? I recall them having a lovely mouse-based PIN entry system 8 years ago when I had one of their credit cards.
|
|
#
?
Mar 12, 2017 15:55
|
|
|
Zero One posted:I have a login for a top-5 global bank that allows me to process international funds transfers (on behalf of my clients) worth millions of dollars. Depressing but not surprising
|
|
#
?
Mar 12, 2017 15:58
|
|
|
bobfather posted:I'd bet HSBC? I recall them having a lovely mouse-based PIN entry system 8 years ago when I had one of their credit cards. It's Citi. Not sure why I felt the need to protect them (to be clear I don't work for them, they are just a vendor for us). edit: This isn't their personal banking. This is their commercial finance side. Zero One fucked around with this message at 16:44 on Mar 12, 2017 |
|
#
?
Mar 12, 2017 16:01
|
|
|
Zero One posted:It's lovely
|
|
#
?
Mar 12, 2017 16:52
|
|
|
Zero One posted:It's Citi. i want to know how unique each authenticator is 
|
|
#
?
Mar 12, 2017 18:41
|
|
|
citi was the one who let you bring up anyones account as long as you logged in a-ok so I'm not shocked they don't get it
|
|
#
?
Mar 12, 2017 18:54
|
|
|
DuckConference posted:guessing it was the struts vulnerability but who knows when heartbleed hit a week before the filing deadline they took down e-filing temporarily and then extended the tax deadline by a month, i guess they'll do the same if they don't have e-filing back promptly the CRA is ok 
|
|
#
?
Mar 12, 2017 19:09
|
|
|
fisting by many posted:when heartbleed hit a week before the filing deadline they took down e-filing temporarily and then extended the tax deadline by a month, i guess they'll do the same if they don't have e-filing back promptly yeah  I want to check my refund status though
|
|
#
?
Mar 12, 2017 19:15
|
|
|
Zero One posted:There appear to be a max of 10 codes or so. sounds like someone finally implemented 10 factor auth
|
|
#
?
Mar 12, 2017 19:33
|
|
|
https://twitter.com/eorden/status/823924775177322497
|
|
#
?
Mar 12, 2017 19:50
|
|
|
I'm shocked, shocked, that Signal can't close the analog hole.
|
|
#
?
Mar 12, 2017 19:56
|
|
|
What if someone takes a picture of the screen with another camera? yes yes I know, Android has FLAG_SECURE and on iOS you can require a screen touch to view content
|
|
#
?
Mar 12, 2017 19:59
|
|
|
Weird. I wonder when Signal allowed for screenshots because it used to block attempts.
|
|
#
?
Mar 12, 2017 20:04
|
|
|
|
| # ? May 17, 2024 19:03 |
|
|
OSI bean dip posted:Weird. I wonder when Signal allowed for screenshots because it used to block attempts. willing to bet enough users were like "hey i can't screenshot this hilarious thing someone sent me to post it to twitter" that they decided to change it
|
|
#
?
Mar 12, 2017 20:20
|
|
